TechSpot

trojans, adware, browser hijacker

By steveb123
Apr 24, 2007
Topic Status:
Not open for further replies.
  1. Hello. I've followed your 13 point plan and have the logs attached. Everything looks much better, but there are some odd looking things in HJT report.

    SteveB123

    AVG AntiRoot came up with nothing
  2. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your system is infected with some trojans and lop hijacker.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Download LSPFix from http://cexx.org/lspfix.htm
    1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
    2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
    3. Check the "I know what I am doing" checkbox.
    4. Select (highlight) all instances of 'nwprovau.dll' in the left column under "Keep".
    5. Click the arrow >> so it goes over to the right column under "Remove".
    6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
    7. Restart your computer

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services (if there). Double-click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    algs.exe
    lssas.exe
    csrs.exe


    Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the Processes tab and end the following processes, if found:

    algs.exe
    csrs.exe
    lssas.exe
    vtssr.dll
    lifnfjjd.dll
    ocfcxmos.dll


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\System32\ocfcxmos.dll (file missing)
    O2 - BHO: (no name) - {3E5C0E58-A991-46D5-8175-35FF9308F878} - C:\WINNT\System32\lifnfjjd.dll (file missing)
    O2 - BHO: (no name) - {5502287F-6BB6-4E04-A469-D578294B50E0} - C:\WINNT\System32\vtssr.dll (file missing)
    O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\System32\csrs.exe
    O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\lssas.exe
    O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINNT\System32\algs.exe
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll

    Close HJT.

    Navigate in Windows Explorer and delete the following files and folders in bold.
    C:\WINNT\System32\ocfcxmos.dll
    C:\WINNT\System32\lifnfjjd.dll
    C:\WINNT\System32\vtssr.dll
    C:\WINNT\System32\csrs.exe
    C:\WINNT\System32\lssas.exe
    C:\WINNT\System32\algs.exe
    C:\WINNT\system32\pqrqr.bak2
    C:\WINNT\system32\pqrqr.bak1
    C:\WINNT\system32\uvwvw.bak1
    C:\WINNT\system32\jview.exe
    C:\WINNT\system32\uvwvw.ini2
    C:\WINNT\system32\uvwvw.bak2

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.


    Regards,
    Your friendly Momok =)
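
    Added example, not part of the original post: the three O4 entries flagged above use file names one edit away from genuine Windows executables (csrs.exe/csrss.exe, lssas.exe/lsass.exe, algs.exe/alg.exe). This Python sketch flags such look-alikes in HijackThis O4 lines; the list of genuine names, the function names and the mobsync.exe line are assumptions chosen for illustration.

```python
import re

# Genuine Windows executable names (assumed reference list, not from the thread).
LEGIT = ("csrss.exe", "lsass.exe", "alg.exe", "smss.exe", "svchost.exe",
         "services.exe", "winlogon.exe", "explorer.exe")
# Shape of an O4 line: "O4 - <hive>: [label] command line"
O4_RE = re.compile(r"^O4 - \S+: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"([^\\/:\s\"]+\.exe)", re.IGNORECASE)

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]

def find_lookalikes(log_text, max_distance=1):
    """Return (file, imitated_name, label) for O4 entries near a genuine name."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        exe = EXE_RE.search(m.group("cmd")) if m else None
        if not exe:
            continue
        name = exe.group(1).lower()
        if name in LEGIT:  # an exact match is not a look-alike
            continue
        for real in LEGIT:
            if osa_distance(name, real) <= max_distance:
                hits.append((name, real, m.group("label")))
    return hits

# First three lines are quoted from the post; the last is a constructed benign entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\System32\csrs.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\lssas.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINNT\System32\algs.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
"""

if __name__ == "__main__":
    for name, real, label in find_lookalikes(SAMPLE_LOG):
        print(f"{name} imitates {real} (Run label: {label})")
```

    A hit is only a prompt for closer inspection: the file's location and an antivirus scan still decide whether it is malicious.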
  3. steveb123

    steveb123 TS Rookie Topic Starter

    re: Your system is infected with some trojans and lop hijacker.

    Hello Momok, and thank you for looking at my problems.

    I followed your directions and have attached a new HJT and AVG Antispyware log.

    Whilst doing the operations, some things were not available to delete. They were:

    algs.exe
    csrs.exe

    when using services.msc;

    algs.exe
    csrs.exe
    vtssr.dll
    lifnfjjd.dll
    ocfcxmos.dll

    when using ctrl, alt and pressing del;

    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll

    when using Hijack This;

    and:

    C:\WINNT\System32\ocfcxmos.dll
    C:\WINNT\System32\lifnfjjd.dll
    C:\WINNT\System32\vtssr.dll
    C:\WINNT\System32\csrs.exe
    C:\WINNT\System32\lssas.exe
    C:\WINNT\System32\algs.exe

    when using Windows Explorer

    ....if that makes a difference.

    SteveB123
  4. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your Hijack log looks clean.

    However I noticed that your AVG log displays 'No Action Taken' for all the files detected.

    I suggest you run AVG again and quarantine the files. Pictorial instructions HERE.

    Also, please post a ComboFix log too. (My bad, I left it out in the previous post)


    Regards,
    Your friendly Momok =)
  5. steveb123

    steveb123 TS Rookie Topic Starter

    AvG Spyware and ComboFix logs 26apr07

    Hi Momok:

    I did the action on the AVG Spyware, quarantining, and ran Combofix again.

    thank you, SteveB123
  6. momok

    momok TS Rookie Posts: 2,272

    Hi,

    You may wish to copy and paste the following instructions for later reference.

    Boot into safe mode again and unhide all your system files.

    Find and locate the following files in bold in windows explorer and delete them (if found):
    C:\WINNT\system32\tmp.reg
    C:\WINNT\system32\pqrqr.bak2
    C:\WINNT\system32\pqrqr.bak1
    C:\WINNT\system32\uvwvw.bak1
    C:\WINNT\system32\uvwvw.ini2
    C:\WINNT\system32\uvwvw.bak2

    Reboot into normal mode and rehide your OS files.

    Please visit this link http://virusscan.jotti.org/

    Click the Browse... button and navigate to the following file:
    C:\WINNT\system32\MCCDNSHLP_1-0-0_DSR.dll
    Click Open

    Please let me know the results.


    Regards,
    Your friendly Momok =)
  7. steveb123

    steveb123 TS Rookie Topic Starter

    C:\WINNT\system32\MCCDNSHLP_1-0-0_DSR.dll

    Hi Momok:

    I was able to delete all the files:

    C:\WINNT\system32\tmp.reg
    C:\WINNT\system32\pqrqr.bak2
    C:\WINNT\system32\pqrqr.bak1
    C:\WINNT\system32\uvwvw.bak1
    C:\WINNT\system32\uvwvw.ini2
    C:\WINNT\system32\uvwvw.bak2

    I put C:\WINNT\system32\MCCDNSHLP_1-0-0_DSR.dll

    to test at http://virusscan.jotti.org/ and the result was OK.

    SteveB123
  8. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your system should be clean now.

    Turn off system restore (XP/ME only). Learn how to do that HERE.

    This will remove all the remaining nasties from your old restore points.
    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly Momok =)

    This thread is for the use of steveb123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  9. steveb123

    steveb123 TS Rookie Topic Starter

    i think i'm clean

    Thanks for your assistance Momok, I think I've got it straight now. I did read the link on safer surfing, thank you.

    steveb123