Yet another Lop.AS trojan horse...

willydawg

Hello...
So I got this trojan horse as well, right after 12am on New Year's. I found the posting by Kramer1113 earlier this week. I went through all the steps in your prem removal instructions (twice) and I think I managed to get rid of it. But, when I restart the computer, once it logs in it seems to get stuck before showing me my desktop. The only workaround I've found is to Ctrl+Alt+Delete for Task Manager, and log off to manually log in. I've run an HJT scan and attached the .log file...
Please let me know if I have anything else to worry about...
Thanks in advance

Sorry... here are the AVG logs for the AV & spyware scans.
 
Hello and welcome to Techspot.

This is a bad infection and I can't guarantee the following instructions will clean it.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

Miramar
PC MACLAN

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

AppleTalk Messenger

Close the services window.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for the following (if there).

ATMsg.exe
Loud pure.exe
bundle.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optonline.net/Home

O4 - HKLM\..\Run: [SupportCornSaveTrans] C:\Documents and Settings\All Users\Application Data\plus defy support corn\Loud pure.exe

O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Lucas Will\Local Settings\Temp\bundle.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Program Files\Miramar (delete the entire folder)
C:\Documents and Settings\Lucas Will\Local Settings\Temp\bundle.exe
C:\Documents and Settings\All Users\Application Data\plus defy support corn\Loud pure.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know if you`re still having problems.

Regards Howard

This thread is for the use of willydawg only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks!

Here's a fresh HJT log after doing those steps.
When I rebooted, it still hung before the desktop came up. The whole startup after the splash page seems pretty slow. Hitting Ctrl+Alt+Del to open the Task Manager brought the desktop back up... pretty strange.

Also, when booting up a message came up saying:
"The Application has failed to start because sfc_os.dll was not found. Re-Installing the application may fix the problem." It happened many times while trying to start several apps/services: winlogon.exe, vptray, doscan.exe, etc...
 
Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optonline.net/Home

Click on the fix checked button.

Close HJT and reboot your system.

Run HJT again and post a fresh log.

As for your sfc_os.dll problem: sfc_os.dll is part of Windows File Protection.

Click start/run and type sfc /scannow into the run box and press the enter key. You may be prompted to insert your Windows CD, so you'll need to have it handy. This will scan your system for any damaged or missing OS files and replace them as necessary.

Let me know the results please.

Regards Howard :)

 
quick question

Thanks for the quick reply...
Quick question tho:
Do I need to boot up in safe mode and all that again?
 
No, just do it all from normal mode.

Regards Howard :)

 
Here goes...

Here's the fresh HJT log...

Thanks again for all your help, this one seems to be a killer!
You guys are doing a great job attacking this one... we'll get it!
 
Your HJT log is now clean.

Did you manage to sort the Windows .dll problem?

Let me know how your system is running.

Regards Howard :)

 
Still up

So everything seems to be working well. Still having that startup problem, but that probably has to do with the sfc problem (I hope).

I tried that command "sfc /scannow" in the run window but got an error message:
"sfc.exe - Unable To Locate Component This application has failed to start because sfc_os.dll was not found. Re-installing the application may fix the problem."

thanks
 
Ok, you probably need to run a Windows repair as per this thread HERE. That should replace the missing files etc.

Regards Howard :)

 
question

Thanks Howard...
Is there a way to use the 'expand' command to replace these files? It looks like both sfc.exe and sfc_os.dll are missing.
 
I'm not sure about that to be honest, but as I said in my last post, running a Windows repair should solve the missing system files issue.

If you can't do that for some reason, you can always IM me on Yahoo Messenger, details in my profile, and I'll gladly send you the missing files.

Regards Howard :)

Edit: According to mikedude456 in this thread HERE The free Spysweeper scanner can get rid of the lop.AS infection. Please give it a try and let me know the results please.

 
Help Please... my other computer

Hi Howard,
So good and bad news... my personal comp at home that was infected with the lop.AS is now clear, I think (I'm running Spysweeper as I write).
Plus, I fixed the sfc_os.dll problem at bootup that I was having. Just for future note, I did the following:

Put in my WinXP CD that came with the comp,
opened a command prompt and typed:
" expand d:\i386\sfc_os.dl_ c:\windows\system32\sfc_os.dll "
'd' being my cd drive and with no quotes of course...
Worked great!

Now, onto the bad news. My office computer was not on the internet the night I thought my personal comp was infected. WRONG! I hooked up to the internet and there you go, all over again with the lop.AS plus more alerts. Plus, my internet stopped working. The LAN connection said limited or no connectivity. To make a long story short, I redownloaded everything I needed plus all the updates and did all the steps of malware removal.
So here's the HJT log.... Can you please check it for me? It looks like there's a "bundle" that I'm sure doesn't belong... THANKS!!
 
We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

LiveUpdate

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

LiveUpdate

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for the following (if there).

bundle.exe
LUCOMS~1.EXE

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DPA.dll (file missing)

O4 - HKLM\..\Run: [KernelFaultCheck] %SystemRoot%\System32\svchost.exe -k netsvcs

O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\bundle.exe

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\PROGRA~1\Symantec (delete the entire folder)
C:\Documents and Settings\Administrator\Local Settings\Temp\bundle.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

 
Here It Is

Here's a fresh HJT Log for my office comp...

BTW... Spysweeper found a threat:
"180search assistant/zango HKLM\software\gimmysmileys\ (ID = 1341680)"
this is on my personal computer, the one we cleaned out yesterday. Unfortunately, Spysweeper wants me to subscribe to get rid of that file, but I already paid for AVG AS yesterday, any thoughts?

Again, here's the HJT log from my other comp

thanks!
 
Your HJT log is clean.

As regards the gimmysmileys entry, try this.

Click start/run and type regedit into the run box. Click file/Export and back up the registry. Then click edit/find and type gimmysmileys. See what it comes up with. You can delete the entry, if found in the right hand pane. Then click edit/find next. Keep doing this until no more gimmysmileys entries are found.

Regards Howard :)

 
Thanks!

Thanks for all your help Howard! My 2 comps are up and running (faster, I might add)...
The regedit didn't find those gimmysmileys, but AVG hasn't seen it, so it should be ok.

But just to make sure, can you check this hjt log to make sure it's clean?
This is for my personal comp that we fixed yesterday.
 
That HJT log is clean.

Just have HJT fix these entries.

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
The O20 - Winlogon Notify: NavLogon - C:\WINDOWS\ was a left over from Norton.

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) Was an inactive entry from SpySweeper.

Regards Howard :)

 
Thanks!

Thanks again Howard...
Just to let you know, Spysweeper crashed my system twice. It shut down once and blue screen of death once. Just an FYI. I've uninstalled it and everything is working fine so far!
I'll let you know if any more probs come up.
 
Hope Not Again!

So my computer has been acting up again, going really slow at times. Especially when i first open firefox, the page takes a looong time to load. Last night the internet stopped working until this afternoon.

Here is an HJT log for when you get a chance...
Thanks!
 
Your HJT log is clean.

However, the left over Norton entry is still there, you can fix it.

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

Firefox can take quite some time to open the first time you run it after a restart etc. After that, it usually runs quickly.

Maybe your internet stopped working because your ISP had a problem in your area? It happens to me from time to time.

Regards Howard :)

 
Thanks

thank you... I think I'm just being paranoid now, for good reason!
I fixed that entry with HJT and it's not there any more...
Thanks for your help again
 