Lop.AH trojan horse


mandinga

Hello,

I'm struggling to get rid of this apparent trojan.
AVG Free brought it to light but can't get rid of it by healing or moving it to the vault.

I've scanned my system with pretty much all of the recommended tools, as per pre post instructions, and they don't appear to detect/recognise it.
I didn't have much luck on google either.

Every time I open a new browser an AVG warning pops up: "Virus detected" while opening file: C:\Windows\pghna1.dll, Trojan horse Lop.AH.

HJS did bring up a couple of things which were identified in the "How to remove Begin2Search / CoolWebSearch and other Nasties." guide on this site, these I have fixed and have deleted the majority of.

I'm not sure where I picked this up from at all, unfortunately.

I'm running Windows XP, and any help would obviously be greatly appreciated.

Attached is my HJS log file.

Thanks in advance
Mandinga
 
Hello and welcome to Techspot.

Let's see if we can get rid of your problem.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of mandinga only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Still having problems

Hello Howard,

Thanks for replying.

I have followed your instructions in the guide.
At first the problem seemed to have been cured, as I was no longer getting the warning from AVG antivirus when opening browsers and new pages.

I thought I'd better try a restart before posting a reply. On restart I got a different warning:

Virus detected while opening file: C:\Program Files\Common Files\System\nlC.exe

Trojan Horse Generic2.ASQ

I have posted both logs as requested.
SS&D did pick up something and L2M Destroyer seemed to carry out a fix, I've posted the log for the latter.

By the way, just to confirm, the previous warning didn't reoccur, which must be good.

Dinga
 
Your HJT log is clean.

You're running a completely unpatched version of Windows. This is a security risk. You should run Windows updates and install at least Service Pack 1 and preferably Service Pack 2.

Check in this location: C:\Program Files\Common Files\System\nlC.exe. Is this .exe file still there?

Regards Howard :)

 
It is still there

Howard,

It is actually still there, should I try to remove myself?
Sorry if that's a dumb question, normally I'd just do it.

Dinga
 
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for the following (if there):

nlC.exe

Close task manager.

Now delete the bold file.

C:\Program Files\Common Files\System\nlC.exe

Reboot your system and see if the file has returned.

Regards Howard :)

 
Ok, let's try this.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply.

Regards Howard :)

 
Howard,

I've downloaded and unzipped Avenger but it won't seem to run. I click it/run it and nothing seems to happen.
 
Try downloading it again from the link I gave you (fixed now, BTW).

Regards Howard :)

 
Ok, forget that and try this instead.

Download the Pocket Killbox programme from HERE and extract it to your desktop.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\Program Files\Common Files\System\nlC.exe

Once your system has rebooted, check to see if the file is still there.

Regards Howard :)

 
Still in there

The pesky thing is still in there.

I don't know whether this is of any significance at all, but I notice that the file name and extension, and likewise all the other .exe file names and extensions in this folder, are coloured green as opposed to black.

Regards Dinga.
 
Ok, let's try this.

Go to the file and right click on it, select Properties, and under Attributes uncheck the Read-only and Hidden boxes if checked.

Click the Advanced button and uncheck the "Compress contents to save disk space" box if checked. Click OK/Apply/OK.

Now run killbox and see if the file gets deleted.

Regards Howard :)

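The two manual procedures above (end the process, then delete the file; and clear the Read-only, Hidden and Compressed attributes before retrying) can be done in one pass from an elevated PowerShell prompt, and it is worth recording the file's hash and signature status before anything is deleted so the sample can be identified later. The script below is an added example for this thread, not Howard's instructions or any tool from the thread. It assumes Windows PowerShell 5.1 or later (Get-FileHash and Get-AuthenticodeSignature do not exist on XP's PowerShell 2.0; the XP-era equivalents of the attribute step are `attrib -r -h -s` and `compact /u`), and $SuspectPath is simply the path AVG reported in the thread. A green filename in Explorer is the NTFS Compressed attribute, which is why the script handles it separately from Read-only/Hidden.

```powershell
# Added example, not part of the thread. Assumes Windows PowerShell 5.1+ and an
# elevated prompt. $SuspectPath is the path reported by AVG earlier in the thread.
$SuspectPath = 'C:\Program Files\Common Files\System\nlC.exe'

function Get-SuspectFileReport {
    # Collect what a responder wants before deleting anything: attributes
    # (green name in Explorer = Compressed), size, timestamp, SHA-256, Authenticode
    # status, and any running process that was started from this file.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path -Force      # -Force includes hidden/system files
    $attr = [int]$item.Attributes
    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        Attributes  = $item.Attributes.ToString()
        Compressed  = (($attr -band [int][IO.FileAttributes]::Compressed) -ne 0)
        SizeBytes   = $item.Length
        Modified    = $item.LastWriteTime
        Sha256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature   = (Get-AuthenticodeSignature -LiteralPath $Path).Status
        RunningPids = @(Get-Process -ErrorAction SilentlyContinue |
                        Where-Object { $_.Path -eq $Path } |
                        ForEach-Object { $_.Id })
    }
}

function Clear-SuspectFileAttributes {
    # Same steps as the Properties dialog: clear Read-only/Hidden (and System),
    # then "uncheck" compression. Compressed cannot be cleared through the
    # Attributes property, so compact.exe /U does that part.
    param([Parameter(Mandatory)][string]$Path)

    $item  = Get-Item -LiteralPath $Path -Force
    $strip = [int]([IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $strip))
    if (([int]$item.Attributes -band [int][IO.FileAttributes]::Compressed) -ne 0) {
        & compact.exe /U $Path | Out-Null
    }
    # Return the attributes as they stand after the change
    (Get-Item -LiteralPath $Path -Force).Attributes.ToString()
}

function Remove-SuspectFile {
    # Mirrors the thread's sequence: record the file, end its process, clear the
    # attributes, delete, then report whether it is gone. Touches only $Path.
    param([Parameter(Mandatory)][string]$Path)

    $report = Get-SuspectFileReport -Path $Path
    if (-not $report.Exists) { Write-Host "Not present: $Path"; return $true }

    $report | Format-List | Out-String | Write-Host   # keep this output with your notes
    foreach ($procId in $report.RunningPids) {
        Stop-Process -Id $procId -Force -ErrorAction SilentlyContinue
    }
    Clear-SuspectFileAttributes -Path $Path | Out-Null
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
    } catch {
        # A file still held open by a driver or service ends up here; that is the
        # situation in the thread where delete-on-reboot tools were tried next.
        Write-Warning "Could not delete now: $($_.Exception.Message)"
    }
    return -not (Test-Path -LiteralPath $Path)
}

Remove-SuspectFile -Path $SuspectPath
```

Run it once before rebooting and once after, as Howard asks, to see whether the file comes back; a file that reappears after deletion means something else on the system is recreating it, which the hash recorded by Get-SuspectFileReport lets you confirm (same hash = same dropper). If the delete fails with a sharing violation, the delete-on-reboot option in tools like the one used here is the standard Windows mechanism MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the deletion in the PendingFileRenameOperations registry value for the next boot.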
 
Download and run the Unlocker programme. See if that gets rid of it.

Regards Howard :)

 
Unlock won't shift it

That doesn't appear to shift it either: it won't unlock it ("no unlock handle found"), and it doesn't delete it after a reboot.

Dinga
 
This is very troublesome.

Try this programme HERE.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run the programme and see if it'll delete the file.


Regards Howard :)

 
THIS is the final deletion tool I can think of that might work.

If that doesn't do it, I'm completely out of ideas.

That means a reformat and reinstall may be the only way of dealing with it.

Regards Howard :)

 
Hi Howard,

The delinvfile didn't work, but in looking for the full version, to try and delete after reboot, I saw a thread (on TechSpot) regarding deleting stubborn files and downloaded jv16 power tools, in an attempt to get rid of it.

It did actually get rid of it. However, I had used the uninstall tool on there to remove some unused and also unknown programs, which had been installed on the day that the problems appeared to begin, the unused stuff just being some Samsung mp3 software.

The file still didn't delete straight away but the wipe tool got rid of it.
It was still gone after a reboot, hopefully for good. I don't know whether the uninstallations had anything to do with it, I only chanced on that as I was browsing through the program.

AVG does not spit out the virus warnings any longer.

The question I've got, though, is: can I be reasonably confident that my computer is now secure, notwithstanding the fact that I do need to update Windows? There are a bunch of other .exe's still in the folder; I assume these are supposed to be there.


Dinga
 
That's great news mate, I'm really pleased for you.

As for the .exe files in that folder, they are probably safe. However, you could always Google the filenames just to make sure. If you would like to give me a list of the .exe files, I'll attempt to find out if they are safe or not.

If AVG isn't giving you any more alerts and your system is running ok, I think we can assume you're good to go.

I really do recommend you install one of the Windows service packs, preferably Service Pack 2.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Tip-top

Howard,

Thank you so much for all your help, it's certainly appreciated.

I've attached the list of .exe's from the folder as a .txt file but I will google them myself.

If you're ever planning a trip to South Wales let me know, I think I owe you a few beers.

Many thanks Dinga
 