trojans, adware, browser hijacker

steveb123

Hello. I've followed your 13 point plan and have the logs attached. Everything looks much better, but there are some odd looking things in HJT report.

SteveB123

AVG AntiRoot came up with nothing
 
Hi,

Your system is infected with some trojans and lop hijacker.

You may wish to copy and paste these instructions on notepad for easier reference later.

Download LSPFix from http://cexx.org/lspfix.htm
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of 'nwprovau.dll' in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services (if present); double-click each one and click Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

algs.exe
lssas.exe
csrs.exe


Open Task Manager by holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab and end the following processes, if found:

algs.exe
csrs.exe
lssas.exe
vtssr.dll
lifnfjjd.dll
ocfcxmos.dll


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\System32\ocfcxmos.dll (file missing)
O2 - BHO: (no name) - {3E5C0E58-A991-46D5-8175-35FF9308F878} - C:\WINNT\System32\lifnfjjd.dll (file missing)
O2 - BHO: (no name) - {5502287F-6BB6-4E04-A469-D578294B50E0} - C:\WINNT\System32\vtssr.dll (file missing)
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\System32\csrs.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\lssas.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINNT\System32\algs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll

Close HJT.

Navigate in Windows Explorer and delete the following files and folders in bold.
C:\WINNT\System32\ocfcxmos.dll
C:\WINNT\System32\lifnfjjd.dll
C:\WINNT\System32\vtssr.dll
C:\WINNT\System32\csrs.exe
C:\WINNT\System32\lssas.exe
C:\WINNT\System32\algs.exe
C:\WINNT\system32\pqrqr.bak2
C:\WINNT\system32\pqrqr.bak1
C:\WINNT\system32\uvwvw.bak1
C:\WINNT\system32\jview.exe
C:\WINNT\system32\uvwvw.ini2
C:\WINNT\system32\uvwvw.bak2

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.


Regards,
Your friendly Momok =)
 
re: Your system is infected with some trojans and lop hijacker.

Hello Momok, and thank you for looking at my problems.

I followed your directions and have attached a new HJT and AVG Antispyware log.

Whilst doing the operations, some things were not available to delete. They were:

algs.exe
csrs.exe

when using services.msc;

algs.exe
csrs.exe
vtssr.dll
lifnfjjd.dll
ocfcxmos.dll

when using ctrl, alt and pressing del;

O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll

when using Hijack This;

and:

C:\WINNT\System32\ocfcxmos.dll
C:\WINNT\System32\lifnfjjd.dll
C:\WINNT\System32\vtssr.dll
C:\WINNT\System32\csrs.exe
C:\WINNT\System32\lssas.exe
C:\WINNT\System32\algs.exe

when using Windows Explorer

... if that makes a difference.

SteveB123
 
Hi,

Your Hijack log looks clean.

However I noticed that your AVG log displays 'No Action Taken' for all the files detected.

I suggest you run AVG again and quarantine the files. Pictorial instructions HERE.

Also, please post a ComboFix log too. (My bad, I left it out in the previous post)


Regards,
Your friendly Momok =)
 
AvG Spyware and ComboFix logs 26apr07

Hi Momok:

I did the action on the AVG Spyware, quarantining, and ran Combofix again.

thank you, SteveB123
 
Hi,

You may wish to copy and paste the following instructions for later reference.

Boot into safe mode again and unhide all your system files.

Find and locate the following files in bold in windows explorer and delete them (if found):
C:\WINNT\system32\tmp.reg
C:\WINNT\system32\pqrqr.bak2
C:\WINNT\system32\pqrqr.bak1
C:\WINNT\system32\uvwvw.bak1
C:\WINNT\system32\uvwvw.ini2
C:\WINNT\system32\uvwvw.bak2

Reboot into normal mode and rehide your OS files.

Please visit this link http://virusscan.jotti.org/

Click the Browse... button and navigate to the following file:
C:\WINNT\system32\MCCDNSHLP_1-0-0_DSR.dll
Click Open

Please let me know the results.


Regards,
Your friendly Momok =)
 
C:\WINNT\system32\MCCDNSHLP_1-0-0_DSR.dll

Hi Momok:

I was able to delete all the files:

C:\WINNT\system32\tmp.reg
C:\WINNT\system32\pqrqr.bak2
C:\WINNT\system32\pqrqr.bak1
C:\WINNT\system32\uvwvw.bak1
C:\WINNT\system32\uvwvw.ini2
C:\WINNT\system32\uvwvw.bak2

I put C:\WINNT\system32\MCCDNSHLP_1-0-0_DSR.dll

to test at http://virusscan.jotti.org/ and the result was OK.

SteveB123
 
Hi,

Your system should be clean now.

Turn off system restore (XP/ME only). Learn how to do that HERE.

This will remove all the remaining nasties from your old restore points.
After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend that you read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly Momok =)

This thread is for the use of steveb123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
i think i'm clean

Thanks for your assistance Momok, I think I've got it straight now. I did read the link on safer surfing, thank you.

steveb123
 