TechSpot

Yet another lop.as Logs attached

By Sashley
Jan 8, 2007
  1. Greetings,

    I have followed the instructions given regarding procedure for preliminary removal.

    I am getting a warning from AVG Anti-Virus that "trojan horse lop.as" has been caught. I move it to quarentine, and it happens a second or third time. This happens every couple of hours. I am running AVG antispyware, AVG anti virus, and Spyware bot. All have been updated.

    Attached are the AVG and HijackThis logs.

    Any help will be greatly appreciated.

    Thanks

    Steve
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is heavily infected with a variety of nasties.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    After reading the above, let me know how you wish to proceed.

    Regards Howard :wave: :wave:

    This thread is for the use of Sashley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Sashley

    Sashley TS Rookie Topic Starter

    I wish to repair the damage without reloading everything if possible.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Let`s see what we can do. I have to tell you, that as of this moment, I don`t know a fix for the trojan lop.AS, which is a new variant of the lop infection.

    Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    SpywareBot<This is a rogue programme and is not to be trusted.

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Mouse Cursor Monitor
    Compaq32 Service Drivers

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    mousecrm.exe
    msconfig32.exe<End all instances found.
    SpywareBot.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

    O2 - BHO: (no name) - {8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9} - C:\WINDOWS\system32\vtuuspn.dll

    O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe

    O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

    O4 - HKLM\..\Run: [AntiSpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

    O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe

    O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

    O20 - Winlogon Notify: vtuuspn - C:\WINDOWS\SYSTEM32\vtuuspn.dll

    O20 - Winlogon Notify: wineaj32 - C:\WINDOWS\SYSTEM32\wineaj32.dll

    O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\System32\mousecrm.exe
    C:\Program Files\SpywareBot<Delete the entire folder.
    msconfig32.exe<Search your system for this file and delete all instances found.

    Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\wineaj32.dll
    C:\WINDOWS\SYSTEM32\vtuuspn.dll

    Once your system has rebooted, rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Sashley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. Sashley

    Sashley TS Rookie Topic Starter

    second time around

    Greetings Howard,

    This has been a most interesting experience. I have attached a fresh HijackThis log for your perusal.

    I completed the process you outlined and generated the requested HijackThis log file. I was reading the log and I noticed that I had aparently forgotten to enter one of the filepaths into the Killbox list, or something. I decided that in order to complete the task for you that I needed to go back through the process and finish the job. So I did. When I generated a second report to send, it contained the entries (referencing the vtuuspn.dll) that I had attempted to remove. Again, I went back the whole process again. This time I got to the part where I entered the filepath in Killbox and pushed the button to reboot and a warning window popped up. The title on the window read "PendingFileRenameOperations", and the message it contained read : Registry Data has been Removed by External Process", and it halted the process.

    Whatever is going on seems to be related to the vtuuspn.dll thing.

    Thanks in advance, once again!
    Steve
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You've done an excellent job so far. However, we need to get rid of the nasty .dll entry.

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do it`s stuff.

    This is the file path you need to enter into Vundofix.

    C:\WINDOWS\SYSTEM32\vtuuspn.dll

    Once you`ve done that, please post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Sashley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Sashley

    Sashley TS Rookie Topic Starter

    Battle won, war goes on

    Greetings once again Howard,

    I have attached the latest log from HiJackThis. Seems that the VundooFix program did it's deed. I have been running (and quite a bit better at that) for several hour now with no sign of the LOP.AS nasty.

    My most sincere thanks to you and everyone that had a hand in this fix. It is nice to know that there are good guys out there.

    Steve
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Have HJT fix this inactive entry.

    O2 - BHO: (no name) - {8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9} - C:\WINDOWS\system32\vtuuspn.dll (file missing)

    Reboot your system and check that the entry has gone.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Sashley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...