TechSpot

Yet another Lop.AS trojan horse...

By willydawg
Jan 4, 2007
  1. Hello...
    So I got this trojan horse as well, right after 12am on New Year's. I found the posting with Kramer1113 earlier this week. I went through all the steps in your prem removal instructions (twice) and I think I managed to get rid of it. But, when I restart the computer, once it logs in it seems to get stuck before showing me my desktop. The only workaround I've found is to Ctrl+Alt+Delete for task manager, and log off to manually log in. I've run an HJT scan and attached the .log file...
    Please let me know if I have anything else to worry about...
    Thanks in advance

    Sorry... here are the AVG logs for the AV & Spyware scans.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    This is a bad infection and I can't guarantee the following instructions will clean it.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    Miramar
    PC MACLAN

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    AppleTalk Messenger

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    ATMsg.exe
    Loud pure.exe
    bundle.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optonline.net/Home

    O4 - HKLM\..\Run: [SupportCornSaveTrans] C:\Documents and Settings\All Users\Application Data\plus defy support corn\Loud pure.exe

    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Lucas Will\Local Settings\Temp\bundle.exe

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\Miramar (delete the entire folder)
    C:\Documents and Settings\Lucas Will\Local Settings\Temp\bundle.exe
    C:\Documents and Settings\All Users\Application Data\plus defy support corn\Loud pure.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know if you're still having problems.

    Regards Howard :wave: :wave:

    This thread is for the use of willydawg only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
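    An added example, not part of Howard's instructions or of any tool the thread mentions: a read-only PowerShell audit of the autostart locations that the HJT O4 / O20 / O23 entries above are read from (the HKLM/HKCU Run keys, the Startup folder shortcuts, the Winlogon Notify key and the installed services). It goes beyond this post's specific entries by walking every entry in those locations and flagging the three things Howard singled out: a binary launched from Temp or Application Data, an entry whose file is missing, and an executable without a valid signature. It assumes Windows PowerShell 5.1 or later; the list of suspicious folders and the flag wording are my own choices.

```powershell
# Added example (not from the thread): read-only audit of the autostart
# locations behind the HJT O4 / O20 / O23 entries above. It flags what Howard
# singled out: binaries launched from Temp or Application Data, entries whose
# file is missing, and executables without a valid Authenticode signature.
# Assumes Windows PowerShell 5.1 or later; the folder list is my own assumption.

$suspiciousPattern = (@(
    [regex]::Escape($env:TEMP),
    [regex]::Escape($env:ProgramData),
    'Local Settings\\Temp',      # XP-era per-user temp folder
    'Application Data'           # XP-era per-user / All Users app data
) | Where-Object { $_ }) -join '|'

function Get-ExePath {
    # Pull the executable out of a command line such as
    #   "C:\path\Loud pure.exe" /arg   or   C:\path\bundle.exe -k netsvcs
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|dll))') { return $Matches[1] }
    return $c
}

function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$Command)
    $exe = Get-ExePath $Command
    # A bare DLL name (as in O20 Winlogon Notify entries) resolves against System32.
    if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path "$env:SystemRoot\System32" $exe }
    $flags = @()
    if ($exe -match $suspiciousPattern) { $flags += 'runs from temp/app-data' }
    if (-not (Test-Path -LiteralPath $exe)) {
        $flags += 'file missing'
    } elseif ((Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') {
        $flags += 'no valid signature'
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Path = $exe; Flags = ($flags -join ', ') }
}

function Get-AutostartAudit {
    $results = @()

    # O4 - HKLM\..\Run and HKCU\..\Run
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($p in $props) {
            $results += Test-AutostartEntry "$hive Run" $p.Name ([string]$p.Value)
        }
    }

    # O4 - Startup folder shortcuts (this user and all users)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        foreach ($lnk in Get-ChildItem -LiteralPath $path -Filter *.lnk -ErrorAction SilentlyContinue) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            $results += Test-AutostartEntry 'Startup folder' $lnk.Name $target
        }
    }

    # O20 - Winlogon Notify packages (the key only exists on XP-era systems)
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem -Path $notify) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
            if ($dll) { $results += Test-AutostartEntry 'Winlogon Notify' $sub.PSChildName $dll }
        }
    }

    # O23 - installed services
    foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName }) {
        $results += Test-AutostartEntry 'Service' $svc.Name $svc.PathName
    }

    return $results
}

# Show only the entries that raised a flag; review each one before touching it.
Get-AutostartAudit | Where-Object { $_.Flags } | Sort-Object Source, Name | Format-Table -AutoSize
```

    The flags are hints, not verdicts: a "file missing" hit is often just a leftover like the xpnetdiag entries above, and some legitimate installers do launch from ProgramData, so each flagged line still needs the same judgement Howard applies to an HJT log before anything is removed.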
     
  3. willydawg

    willydawg TS Rookie Topic Starter Posts: 26

    Thanks!

    Here's a fresh HJT log after doing those steps.
    When I rebooted, it still got hung before the desktop came up. The whole startup after the splash page seems pretty slow. Hitting Ctrl+Alt+Del to open the task manager brought the desktop back up... pretty strange.

    Also, when booting up a message came up saying:
    "The Application has failed to start because sfc_os.dll was not found. Re-Installing the application may fix the problem." It happened many times while trying to start several apps/services: winlogon.exe, vptray, doscan.exe, etc...
     
  4. howard_hopkinso

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optonline.net/Home

    Click on the fix checked button.

    Close HJT and reboot your system.

    Run HJT again and post a fresh log.

    As for your sfc_os.dll problem: sfc_os.dll is part of Windows File Protection.

    Click start/run and type sfc /scannow into the run box and press the enter key. You may be prompted to insert your Windows CD, so you'll need to have it handy. This will scan your system for any damaged or missing OS files and replace them as necessary.

    Let me know the results please.

    Regards Howard :)

  5. willydawg

    quick question

    Thanks for the quick reply...
    Quick question tho:
    Do I need to boot up in safe mode and all that again?
     
  6. howard_hopkinso

    No, just do it all from normal mode.

    Regards Howard :)

  7. willydawg

    Here goes...

    Here's the fresh HJT log...

    Thanks again for all your help, this one seems to be a killer!
    You guys are doing a great job attacking this one... we'll get it!
     
  8. howard_hopkinso

    Your HJT log is now clean.

    Did you manage to sort the Windows .dll problem?

    Let me know how your system is running.

    Regards Howard :)

  9. willydawg

    Still up

    So everything seems to be working well. Still having that startup problem, but that probably has to do with the sfc problem. (I hope)

    I tried that command "sfc /scannow" in the run window but got an error message:
    "sfc.exe - Unable To Locate Component This application has failed to start because sfc_os.dll was not found. Re-installing the application may fix the problem."

    thanks
     
  10. howard_hopkinso

    Ok, you probably need to run a Windows repair as per this thread HERE. That should replace the missing files etc.

    Regards Howard :)

  11. willydawg

    question

    Thanks Howard...
    Is there a way to use the 'expand' command to replace these files? It looks like both sfc.exe and sfc_os.dll are missing.
     
  12. howard_hopkinso

    I'm not sure about that to be honest, but as I said in my last post, running a Windows repair should solve the missing system files issue.

    If you can't do that for some reason, you can always IM me on Yahoo Messenger, details in my profile, and I'll gladly send you the missing files.

    Regards Howard :)

    Edit: According to mikedude456 in this thread HERE, the free Spysweeper scanner can get rid of the lop.AS infection. Please give it a try and let me know the results.

  13. willydawg

    Help Please... my other computer

    Hi Howard,
    So, good and bad news... my personal comp at home that was infected with the lop.AS is now clear, I think (I'm running Spysweeper as I write).
    Plus, I fixed the sfc_os.dll problem at bootup that I was having. Just for future note, I did the following:

    Put in my WinXP CD that came with the comp,
    opened a command prompt and typed:
    " expand d:\i386\sfc_os.dl_ c:\windows\system32\sfc_os.dll "
    'd' being my cd drive and with no quotes of course...
    Worked great!

    Now, onto the bad news. My office computer was not on the internet the night I thought my personal comp was infected. WRONG! I hooked up to the internet and there you go, all over again with the lop.AS plus more alerts. Plus, my internet stopped working. The LAN connection said limited or no connectivity. To make a long story short, I redownloaded everything I needed plus all the updates and did all the steps of malware removing.
    So here's the HJT log.... Can you please check it for me? It looks like there's a "bundle" that I'm sure doesn't belong... THANKS!!
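    An added example, not something willydawg or Howard posted: the manual "expand d:\i386\sfc_os.dl_ c:\windows\system32\sfc_os.dll" step above, written as a PowerShell function that handles a list of files rather than one. For each name it first checks System32, then the Windows File Protection cache in System32\dllcache, and only then decompresses the copy from the install CD's i386 folder with expand.exe, reporting what it did. It assumes the XP-era layout the thread describes, the CD in drive D: (change the I386 parameter otherwise), and an Administrator prompt.

```powershell
# Added example (not from the thread): the "expand d:\i386\sfc_os.dl_ ..." step
# above, generalised to a list of protected files. For each file it checks
# System32, then the Windows File Protection cache (System32\dllcache), and
# only then decompresses the copy from the install CD's i386 folder.
# Assumptions: XP-era layout, CD in D:, run from an Administrator prompt.

function Get-CompressedName {
    # Files on the install CD are cabinet-compressed, with the last character
    # of the extension replaced by an underscore: sfc_os.dll -> sfc_os.dl_
    param([string]$Name)
    return $Name.Substring(0, $Name.Length - 1) + '_'
}

function Restore-ProtectedFile {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [string]$I386 = 'D:\i386',                        # assumption: CD drive letter
        [string]$System32 = "$env:SystemRoot\System32"
    )
    $dest = Join-Path $System32 $Name
    if (Test-Path -LiteralPath $dest) {
        return "$Name already present in $System32"
    }

    # 1. WFP keeps an uncompressed copy in dllcache; prefer it over the CD.
    $cached = Join-Path $System32 "dllcache\$Name"
    if (Test-Path -LiteralPath $cached) {
        Copy-Item -LiteralPath $cached -Destination $dest
        return "$Name restored from dllcache"
    }

    # 2. Fall back to the compressed copy on the CD, exactly as the manual step does.
    $compressed = Join-Path $I386 (Get-CompressedName $Name)
    if (-not (Test-Path -LiteralPath $compressed)) {
        return "$Name missing and no source found at $compressed"
    }
    & expand.exe $compressed $dest | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $dest)) {
        return "expand.exe failed for $Name (exit code $LASTEXITCODE)"
    }
    return "$Name restored from $compressed"
}

# The two files the thread found missing; add any others that Windows
# reports as "was not found" at startup.
foreach ($f in 'sfc.exe', 'sfc_os.dll') {
    Restore-ProtectedFile -Name $f
}
```

    The reason the expand route is needed at all is visible earlier in the thread: with sfc.exe itself missing, sfc /scannow cannot even start, so the files have to be put back by hand first. Once they are, running sfc /scannow as Howard suggested is the right way to check whether anything else under Windows File Protection was removed.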
     
  14. howard_hopkinso

    We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    LiveUpdate

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    LiveUpdate

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    bundle.exe
    LUCOMS~1.EXE

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DPA.dll (file missing)

    O4 - HKLM\..\Run: [KernelFaultCheck] %SystemRoot%\System32\svchost.exe -k netsvcs

    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\bundle.exe

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\PROGRA~1\Symantec (delete the entire folder)
    C:\Documents and Settings\Administrator\Local Settings\Temp\bundle.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

  15. willydawg

    Here It Is

    Here's a fresh HJT Log for my office comp...

    BTW... Spysweeper found a threat:
    "180search assistant/zango HKLM\software\gimmysmileys\ (ID = 1341680)"
    this is on my personal computer, the one we cleaned out yesterday. Unfortunately, Spysweeper wants me to subscribe to get rid of that file, but I already paid for AVG AS yesterday, any thoughts?

    Again, here's the HJT log from my other comp

    thanks!
     
  16. howard_hopkinso

    Your HJT log is clean.

    As regards the gimmysmileys entry, try this.

    Click start/run and type regedit into the run box. Click file/Export and back up the registry. Then, click edit/find and type gimmysmileys. See what it comes up with. You can delete the entry, if found in the right hand pane. Then click edit/find next. Keep doing this until no more gimmysmileys entries are found.

    Regards Howard :)

    This thread is for the use of willydawg only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
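    An added example, not part of Howard's reply: the regedit Export / Find / Find Next / delete loop above as a PowerShell script. It first exports the hives it will touch with reg.exe (the backup Howard asks for), then walks HKLM\SOFTWARE and HKCU\SOFTWARE looking for any key name, value name or value data that matches a pattern. By default it only reports what it found; the -Remove switch is what actually deletes, so the hits can be reviewed first. It assumes Windows PowerShell 3 or later, an elevated prompt for HKLM changes, and a writable backup folder on the desktop; the function names and the 'gimmysmileys' string used in the demo call come from the thread.

```powershell
# Added example (not from the thread): the regedit Export / Find / delete loop
# above as a script. Backs up the hives it will touch with reg.exe, then walks
# HKLM and HKCU SOFTWARE for any key name, value name or value data matching a
# pattern. Reports only unless -Remove is given.
# Assumptions: Windows PowerShell 3+, elevated prompt, writable backup folder.

function Backup-RegistryHives {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Desktop\regbackup'))
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($hive in 'HKLM\SOFTWARE', 'HKCU\SOFTWARE') {
        $file = Join-Path $Folder (($hive -replace '\\', '-') + "-$stamp.reg")
        & reg.exe export $hive $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export of $hive failed" }
    }
    return $Folder
}

function Find-RegistryMatch {
    # One object per hit: the key, plus the value name when the hit was in a
    # value's name or data rather than in the key name itself.
    param(
        [Parameter(Mandatory=$true)][string]$Pattern,
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE')
    )
    foreach ($root in $Roots) {
        foreach ($key in Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue) {
            if ($key.PSChildName -match $Pattern) {
                [pscustomobject]@{ Key = $key.Name; ValueName = $null; Data = $null }
            }
            foreach ($vn in $key.GetValueNames()) {
                $data = [string]$key.GetValue($vn)
                if ($vn -match $Pattern -or $data -match $Pattern) {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $vn; Data = $data }
                }
            }
        }
    }
}

function Invoke-RegistryMatchCleanup {
    param([Parameter(Mandatory=$true)][string]$Pattern, [switch]$Remove)
    $hits = @(Find-RegistryMatch -Pattern $Pattern)
    if ($hits.Count -eq 0) { return "no entries matching '$Pattern'" }
    if (-not $Remove) { return $hits }          # report only; nothing is changed
    $backup = Backup-RegistryHives
    foreach ($h in $hits) {
        # $key.Name looks like HKEY_LOCAL_MACHINE\SOFTWARE\...; map it to the PS drive path.
        $path = $h.Key -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_CURRENT_USER', 'HKCU:'
        if ($null -eq $h.ValueName) {
            Remove-Item -Path $path -Recurse -Force -ErrorAction SilentlyContinue
        } else {
            # An empty value name is the key's (default) value.
            $name = if ($h.ValueName -eq '') { '(default)' } else { $h.ValueName }
            Remove-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        }
    }
    return "$($hits.Count) entries removed; hives backed up to $backup"
}

# Report only, using the string from the Spysweeper alert in the thread:
Invoke-RegistryMatchCleanup -Pattern 'gimmysmileys'
# Invoke-RegistryMatchCleanup -Pattern 'gimmysmileys' -Remove   # actually delete
```

    The pattern is a regular expression, so a CLSID such as the one in the O2 BHO line earlier would need its braces escaped. Running the report first matters for the same reason Howard has the registry exported: a broad pattern can match legitimate keys, and the .reg files are the only way back once a key is gone.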
     
  17. willydawg

    Thanks!

    Thanks for all your help Howard! My 2 comps are up and running (faster
    I might add)...
    The regedit didn't find those gimmysmileys, but AVG hasn't seen it, so it should be ok.

    But just to make sure, can you check this hjt log to make sure it's clean?
    This is for my personal comp that we fixed yesterday.
     
  18. howard_hopkinso

    That HJT log is clean.

    Just have HJT fix these entries.

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  19. willydawg

    Great....

    Thanks Howard!
    BTW... What were those 2 things you had me fix?
    Just curiosity...
     
  20. howard_hopkinso

    The O20 - Winlogon Notify: NavLogon - C:\WINDOWS\ was a left over from Norton.

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) Was an inactive entry from SpySweeper.

    Regards Howard :)

  21. willydawg

    Thanks!

    Thanks again Howard...
    Just to let you know, Spysweeper crashed my system twice. It shut down once and blue screen of death once. Just an FYI. I've uninstalled it and everything is working fine so far!
    I'll let you know if any more probs come up.
     
  22. willydawg

    Hope Not Again!

    So my computer has been acting up again, going really slow at times. Especially when I first open Firefox, the page takes a looong time to load. Last night the internet stopped working until this afternoon.

    Here is an HJT log for when you get a chance...
    Thanks!
     
  23. howard_hopkinso

    Your HJT log is clean.

    However, the left over Norton entry is still there, you can fix it.

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

    Firefox can take quite some time to open the first time you run it after a restart etc. After that, it usually runs quickly.

    Maybe your internet stopped working because your ISP had a problem in your area? It happens to me from time to time.

    Regards Howard :)

  24. willydawg

    Thanks

    thank you... I think I'm just being paranoid now, for good reason!
    I fixed that entry w/HJT and it's not there any more...
    Thanks for your help again
     