Help, please!! Another Trojan "Lop.aq"

[alexmart]

First, I ask for Excuse, about my English.
I'm from Portugal, and I come this forum because you are de experts, and I love your work.
Well, I've been infected with some malware ( Trojan Lop.aq, Safety Bar, Ismini, Etc. ) and I follow other instructions about de same problem in another thread in this forum (Trojan Pakes and other nasties, preliminary removal instructions ).
So, I after this work, I come back here to post the HJT log and the AVG Antispyware log, and would be thankfull if you help me, the fast you can, and perhaps to save my weekend.
Thank you very much!!!
Alex.

 

[howard_hopkinso]

Hello and welcome to Techspot.

Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

F2 - REG:system.ini: Shell=

O2 - BHO: (no name) - {36DCB049-C850-0C72-74D2-02554B54920C} - C:\WINDOWS\system32\sydvlsh.dll

O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Click on the fix checked button.

Close HJT.

Delete all files in AVG Antispyware quarantine.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\sydvlsh.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :wave: :wave:

This thread is for the use of alexmart only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[alexmart]

First, thanks for the quick help.
I've done all your instructions, and here is the hijackthis.log after
that changes.
I hope I have my computer back to normality!!!
Thanks to you. You are the best!!

Best regards,
Alex

Sorry, I'm back because after two hours with computer on, I decided to do a scan with Avg Antispyware that detected a Malware. So I put here the log and hope you came back with news.
Also, I was lookin at Windows Defender options and saw that is one entry
that refers Update.exe mc-110-12-0000272 ( not yet classified ) located in C:\Programs\Common Files in a folder with a long name that has no files inside.
I ask if I can disable this entry in the Windows Defender.
Thany you for your help!!
Alex

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

B Gone.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [B Gone] D:\Documentos da Familia Martins\Documentos de Alex\Utilitários\bgone\B Gone.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

D:\Documentos da Familia Martins\Documentos de Alex\Utilitários\bgone\B Gone.exe

Delete all files in AVG Antispyware quarantine.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Go HERE and run the four tools as per the instructions. Let me know the results please.

Regards Howard

This thread is for the use of alexmart only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[alexmart]

Hello!!
I'm back again after running the 4 tools you give in the post.
Well, I'm thinking everything is normal now on my pc, because after a couple of hours running no suspect activity was detected.
However, I post here de logs of the tools and the final log of HijackThis.
Hope you give your opinion if you don't mind, or by the opposite I'll assume my problem is finished as I expect.
Anyway, I am very thankful with your help.
God Bless You!!!!

 

[howard_hopkinso]

Your HJT log looks clean now.

Therefore, I think you`re probably good to go.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of alexmart only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.