lop issues - have followed instructions, even reformatted, still there

Status
Not open for further replies.

richardgatti

Help!
bought a second hand laptop, installed AVG Free and kerio, noticed some virus issues that I couldn't seem to shake. So I reformatted using the supplied Toshiba disk, reinstalled windows, avg etc - all was fine for a couple of days, and then I had the same virus problems. Followed the advice on the forum, again, seemed to shake it for a few days, then, bang, same problem. Seems to be something to do with fuelsys.exe, lop, and telecom.exe. At present, something keeps trying to shut down kerio, I get a lot of internet traffic that is nothing to do with me, AVG picks up the odd virus and after connecting to the internet for more than about 10-15 minutes, strange things start happening (the whole computer slows down, task manager won't open, the internet becomes unresponsive).

I've followed the instructions, logs are attached. Both look to me and Vundo found something and removed it, but already, in typing this something has attacked Kerio...

Hope you can help
r

see attached
 
Hello and welcome to Techspot.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Microsoft Telecoms Center

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

telcoms.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe

O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe

O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\System32\telcoms.exe

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\system32\ddcywur.dll
C:\WINDOWS\system32\fccawuu.dll
C:\WINDOWS\system32\fccaxvv.dll

C:\WINDOWS\system32\fccdbcd.dll
C:\WINDOWS\system32\hggebay.dll
C:\WINDOWS\system32\hggebxw.dll

C:\WINDOWS\system32\jkkjgec.dll
C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\mljghgh.dll

C:\WINDOWS\system32\mljjhhe.dll
C:\WINDOWS\system32\mljjhhf.dll
C:\WINDOWS\system32\nnnklij.dll

C:\WINDOWS\system32\rqrrstq.dll
C:\WINDOWS\system32\ssqoolk.dll
C:\WINDOWS\system32\ssqqpom.dll

C:\WINDOWS\system32\urqpmlk.dll
C:\WINDOWS\system32\vtuvuus.dll
C:\WINDOWS\system32\xxyvvtu.dll

C:\WINDOWS\system32\xxyxvsr.dll
C:\WINDOWS\system32\xxyyvwv.dll

Once your system has rebooted, rehide your protected OS files.

Post fresh HJT and AVG Antispyware logs.

Regards Howard :wave: :wave:

This thread is for the use of richardgatti only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
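As an added example that is not part of this thread or of HijackThis itself, a small Python triage script that applies the same criteria Howard uses above to HijackThis-style lines: O4 autorun entries that launch the pathless executable named in this thread, and O2/O9/O20 hooks whose file is missing. The sample log lines are constructed from the entries quoted in the thread, and SUSPECT_NAMES is an assumption, not a vendor signature list.

```python
import re

# Constructed sample of HijackThis-style lines, modelled on the entries
# quoted in this thread (not a real log from the poster's machine).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\\WINDOWS\\System32\\pmnkkih.dll (file missing)
O4 - HKLM\\..\\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\\..\\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\\..\\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\WINDOWS\\System32\\msjava.dll (file missing)
O20 - Winlogon Notify: pmnkkih - pmnkkih.dll (file missing)
"""

# Assumed list of the executable names this thread identifies as the infection.
SUSPECT_NAMES = {"telcoms.exe", "telecoms.exe", "fuelsys.exe"}

# O4 - <hive>\..\<key>: [<label>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")


def triage(log_text):
    """Return (section, reason, line) tuples for lines worth ticking in HJT."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        m = O4_RE.match(line)
        if m:
            target = m.group("cmd").split()[0]
            exe = target.lower().rsplit("\\", 1)[-1]
            if exe in SUSPECT_NAMES:
                findings.append((section, "known suspect: " + exe, line))
            elif "\\" not in target:
                # Bare filename, no path: resolved from System32 or the search
                # path, exactly how the 'Microsoft Telecoms Center' entries look.
                findings.append((section, "pathless autorun, verify", line))
        elif line.endswith("(file missing)") and section in {"O2", "O9", "O20"}:
            # Orphaned hook: the DLL is gone but the registration remains.
            findings.append((section, "orphaned entry (file missing)", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:32} {line}")
```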
 
Delete all files in AVG Antispyware quarantine.

Delete the Killbox backups.

Have HJT fix these inactive entries.

O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\WINDOWS\System32\pmnkkih.dll (file missing)

O20 - Winlogon Notify: pmnkkih - pmnkkih.dll (file missing)

Reboot your system.

Turn off system restore.(XP/ME only) See how HERE.

Turn system restore back on again. This will have deleted all your old restore points and anything nasty that's in them. It will also have created a new, clean restore point.

Other than the above, your system looks clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Thanks!

Cheers Howard, that seems ok for now - If anything happens, I'll come back looking for some help! you're a star.
r
 
it's back. and this time it's personal

hi howard. Thanks for your help before, which I thought had solved the problem. I hadn't used the machine for a week or so, and my wife told me it was 'acting funny'. I tried to access the net this morning to update my adaware files, and couldn't even do that. Something is trying to kill kerio (I ended up with seven or eight status icons for kerio, even after it told me it had been shut down), and running the 'preliminary instructions' found both smitfraud and virtuamundo.

here is my most recent hijack this - seems ok at the moment, but I have a feeling it won't last...
 
You're right, it is back.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Microsoft Telecoms Center

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

telcoms.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe

O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\System32\telcoms.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

 
Your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
and guess what. it's back

found 27 copies of lop this morning with avg.
my hijack this log shows telecoms.exe again... see attached.
no other symptoms...
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

telcoms.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\System32\telcoms.exe

Reboot into normal mode and rehide your protected OS files.

Please Download NoLop to your desktop from one of the links below...
http://www.spywareedge.net/nolop/NoLop.exe
http://www.thespykiller.co.uk/forum/...pmod;dl=item16

First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop.
If not, double click the program again and it will finish.

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- http://www.boletrice.com/downloads/mscomctl.ocx

Go HERE and follow the instructions for AVG Antispyware and Combofix.

Post the C:\NoLop.log along with fresh HJT, Combofix and AVG Antispyware logs.

Regards Howard :)

 
Are you using a router and what rules do you have for your firewall?

Go offline until you get it clean and ensure your security measures are active
before you bring it back online.
 
howard,
thanks for this, but I'm not sure this has worked - I didn't find any traces:

so no telecoms.exe in my process list,
no file in my system 32 folder
no instance of telecoms.exe in my hjt log
nolop didn't find anything
combofix has been withdrawn, I get a message saying:
'The tool, ComboFix has been temporarily withdrawn.

The author discovered a rootkit infection that will interfere with ComboFix's running.

This will cause Combofix to be UNSAFE FOR USE on your machine.

Even if you manage to find a mirror for the tool, PLEASE DO NOT RUN THIS TOOL

Apologies for any inconvenience caused'
(and incidentally, the link you gave me took me to the preliminary virus removal instructions, and not to combofix).

here are my avg (which finds 2 other infections)and hjt logs.

Jo, I'm using the free version of kerio with the default settings, and a usb adsl modem from d-link (model dsl-200). I'm only really online when I'm trying to fix the virus problems! (and then for as short a time as possible)

regards
richard
 
Combofix was withdrawn for the reasons stated. This was only discovered recently, see HERE for further info.

Your HJT log is clean.

Delete all files In AVG Antispyware quarantine.

I'd like you to download, install and run the AVG Antirootkit programme. Please let me know the results.

Regards Howard :)

 
Ok, in that case, your system looks clean.

See how it goes and post back if you have any further problems.

Regards Howard :)

 
well, I hope so, and avg is showing up clean too, but I don't know where it went...
I'll keep you posted.
thanks for all your help.
r
 