Yet another lop.as Logs attached

Status
Not open for further replies.
S

Sashley

Greetings,

I have followed the instructions given regarding procedure for preliminary removal.

I am getting a warning from AVG Anti-Virus that "trojan horse lop.as" has been caught. I move it to quarentine, and it happens a second or third time. This happens every couple of hours. I am running AVG antispyware, AVG anti virus, and Spyware bot. All have been updated.

Attached are the AVG and HijackThis logs.

Any help will be greatly appreciated.

Thanks

Steve
 
Hello and welcome to Techspot.

Your system is heavily infected with a variety of nasties.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

After reading the above, let me know how you wish to proceed.

Regards Howard :wave: :wave:

This thread is for the use of Sashley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Let`s see what we can do. I have to tell you, that as of this moment, I don`t know a fix for the trojan lop.AS, which is a new variant of the lop infection.

Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

SpywareBot<This is a rogue programme and is not to be trusted.

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Mouse Cursor Monitor
Compaq32 Service Drivers

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

mousecrm.exe
msconfig32.exe<End all instances found.
SpywareBot.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9} - C:\WINDOWS\system32\vtuuspn.dll

O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe

O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKLM\..\Run: [AntiSpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe

O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

O20 - Winlogon Notify: vtuuspn - C:\WINDOWS\SYSTEM32\vtuuspn.dll

O20 - Winlogon Notify: wineaj32 - C:\WINDOWS\SYSTEM32\wineaj32.dll

O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\System32\mousecrm.exe
C:\Program Files\SpywareBot<Delete the entire folder.
msconfig32.exe<Search your system for this file and delete all instances found.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\SYSTEM32\wineaj32.dll
C:\WINDOWS\SYSTEM32\vtuuspn.dll

Once your system has rebooted, rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of Sashley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
second time around

Greetings Howard,

This has been a most interesting experience. I have attached a fresh HijackThis log for your perusal.

I completed the process you outlined and generated the requested HijackThis log file. I was reading the log and I noticed that I had aparently forgotten to enter one of the filepaths into the Killbox list, or something. I decided that in order to complete the task for you that I needed to go back through the process and finish the job. So I did. When I generated a second report to send, it contained the entries (referencing the vtuuspn.dll) that I had attempted to remove. Again, I went back the whole process again. This time I got to the part where I entered the filepath in Killbox and pushed the button to reboot and a warning window popped up. The title on the window read "PendingFileRenameOperations", and the message it contained read : Registry Data has been Removed by External Process", and it halted the process.

Whatever is going on seems to be related to the vtuuspn.dll thing.

Thanks in advance, once again!
Steve
 
You've done an excellent job so far. However, we need to get rid of the nasty .dll entry.

Download Vundofix from HERE.

Double click the Vundofix.exe to run it.

Right click in the vundofix window and click add files.

Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do it`s stuff.

This is the file path you need to enter into Vundofix.

C:\WINDOWS\SYSTEM32\vtuuspn.dll

Once you`ve done that, please post a fresh HJT log.

Regards Howard :)

This thread is for the use of Sashley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Battle won, war goes on

Greetings once again Howard,

I have attached the latest log from HiJackThis. Seems that the VundooFix program did it's deed. I have been running (and quite a bit better at that) for several hour now with no sign of the LOP.AS nasty.

My most sincere thanks to you and everyone that had a hand in this fix. It is nice to know that there are good guys out there.

Steve
 
Your HJT log is now clean.

Have HJT fix this inactive entry.

O2 - BHO: (no name) - {8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9} - C:\WINDOWS\system32\vtuuspn.dll (file missing)

Reboot your system and check that the entry has gone.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of Sashley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.

Similar threads

E
  • Locked
Inactive-A Crypt_S Recovery
Replies
12
Views
3K
Broni
Broni
S
Solved Audio ads playing on windows 7 background
2
Replies
47
Views
51K
Broni
Broni
J
  • Locked
Solved DDS not running- 5-step viruses/spyware/malware preliminary removal instructions
2
Replies
33
Views
7K
Bobbye
Bobbye

Latest posts

Back