TechSpot

Trojan lop.as

By spensierato
Jan 11, 2007
  1. Hello Folks,
    Last week my AVG antivirus was warning me that I had a Lop.as Trojan, and I quarantined it every time the message came up. As a matter of fact, the antivirus vault is full of logs of the Lop.as Trojan. I spent hours doing research and trying all the suggestions I could find online and in this forum. Now, in the last day and a half, my AVG antivirus is not showing the warning anymore. I am not 100% sure I was able to delete the Trojan. Could someone view my HijackThis log and tell me if my PC is clean? Also, I need to say that my antivirus is a free edition, so I am not sure if I should purchase one. Could you suggest any antivirus that would really protect me? I had Norton once and I didn’t like it because it was heavy and was slowing down my PC dramatically. Thanks in advance.
    spensierato
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected with a variety of nasties.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of spensierato only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. spensierato

    spensierato TS Rookie Topic Starter

    OK. I have followed the directions to the letter. Here are all the reports. Can you please let me know what the situation is? Thanks
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add/remove programmes in your control panel and uninstall anything to do with (if there).

    WindowZones

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    WindowZones Service (WZSvc)

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    WindowZones.sys
    WindowZones.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - URLSearchHook: (no name) - _{BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

    O4 - HKLM\..\Run: [WindowZones] C:\Program Files\WindowZones\WindowZones.exe -startminimize

    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A879A1B-BF21-4DA9-87E7-B03C5ADCB78B}: NameServer = 68.169.224.162,4.2.2.2

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A93A25F0-756E-4494-B704-93C03972F66A}: NameServer = 68.168.224.162,4.2.2.2

    O17 - HKLM\System\CS2\Services\Tcpip\..\{2A879A1B-BF21-4DA9-87E7-B03C5ADCB78B}: NameServer = 68.169.224.162,4.2.2.2

    O17 - HKLM\System\CS3\Services\Tcpip\..\{2A879A1B-BF21-4DA9-87E7-B03C5ADCB78B}: NameServer = 68.169.224.162,4.2.2.2

    Only fix the above O17 entries if they don't belong to your ISP.

    O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

    O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    O23 - Service: WindowZones Service (WZSvc) - ByteCrusher - C:\Program Files\WindowZones\WindowZones.sys

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\WindowZones

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

     
  5. spensierato

    spensierato TS Rookie Topic Starter

    Thanks Howard for replying so quickly. Here is the new log. Hopefully now things will look better. If the PC is clean, could you please let me know which antivirus/adware/spyware company I can rely on for good protection? At this point I don’t mind having to pay. As of now I am using AVG free edition and Windows firewall. I deleted WindowZones. Should I reinstall it or not? Thanks spensierato
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Turn off the AVG Antispyware guard.

    Run AVG Antispyware and click on the resident shield, change it to inactive and close AVG Antispyware.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - URLSearchHook: (no name) - _{BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

    O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Click on the fix checked button.

    Close HJT and reboot your computer. If the above entries are gone, your HJT log is clean; if not, post a fresh HJT log.

    I don't think you should reinstall WindowZones as I don't know a great deal about the programme and therefore it might be suspect.

    The AVG free antivirus programme is fine. I don't recommend you use the Windows firewall as it's complete crap. The free ZoneAlarm or Kerio firewall programmes would be a much safer bet.

    AVG Antispyware is very good, as are SS&D and Ad-Aware SE Personal. I'd also recommend the use of Spyware Blaster.

    Regards Howard :)
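
The two fix lists above share a visible pattern: entries whose target is gone ("(no file)" / "(file missing)") and O17 NameServer values that must be checked against the ISP's resolvers before being fixed. As an added example (not part of the original posts and not HijackThis's own code), this Python sorts pasted log lines the same way; `triage`, the resolver set and the line with its section code cut off are assumptions constructed for illustration.

```python
import re

# A HijackThis entry is "<section code> - <description>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.+)$")
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")
NAMESERVER = re.compile(r"NameServer = (?P<ips>[\d.,\s]+)$")

def triage(lines, isp_resolvers):
    """Sort log lines into orphaned / dns_check / review / unparsed."""
    report = {"orphaned": [], "dns_check": [], "review": [], "unparsed": []}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:  # truncated or mangled paste: never guess the section
            report["unparsed"].append(line)
            continue
        code, rest = m.group("code"), m.group("rest")
        ns = NAMESERVER.search(rest) if code == "O17" else None
        if ns:
            ips = [ip.strip() for ip in ns.group("ips").split(",") if ip.strip()]
            unknown = [ip for ip in ips if ip not in isp_resolvers]
            if unknown:  # resolvers the ISP did not hand out need a human check
                report["dns_check"].append((line, unknown))
        elif ORPHAN.search(rest):  # registry entry points at a missing file
            report["orphaned"].append(line)
        else:
            report["review"].append(line)
    return report

# Lines taken from the posts above; the last one is constructed with its
# section code cut off to show the unparsed path.
SAMPLE = [
    r"O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)",
    r"O4 - HKLM\..\Run: [WindowZones] C:\Program Files\WindowZones\WindowZones.exe -startminimize",
    r"O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2A879A1B-BF21-4DA9-87E7-B03C5ADCB78B}: NameServer = 68.169.224.162,4.2.2.2",
    r"18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)",
]
ISP_RESOLVERS = {"4.2.2.2"}  # hypothetical: what this user's ISP is assumed to assign

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE, ISP_RESOLVERS).items():
        print(bucket, len(items))
```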

     
  7. spensierato

    spensierato TS Rookie Topic Starter

    I should be all set. Thanks for your help and suggestions. spensierato :)))
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Now would be a good time to clear out your old restore points and anything nasty that's in them.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will create a brand new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  9. AllenN

    AllenN TS Rookie

    Hi Howard and Spensierato,

    My name is Allen and I work for the company that developed WindowZones. I'm certainly biased, but I believe WindowZones is a great product for managing administrative rights on Internet-facing applications.

    Spensierato, if you found the product useful I encourage you to reinstall it.

    Howard, I don't want to use this space to make a pitch, but if you have a few minutes I encourage you to check out our website at http://www.bytecrusher.com and learn a bit about WindowZones before recommending people not use it. We really believe it's an innovative application that provides unique protection to Windows users. Anyone who logs into Windows with an administrative account can benefit from using WindowZones.

    I'm happy to discuss the product if someone starts a thread on it. Out of respect to the board, I'm not going to start my own thread on my own product.

    cheers.

    -Allen
     
Topic Status:
Not open for further replies.
