Tormented by lop.AS (I think)

Status
Not open for further replies.

mrhawk1

I have been researching/scanning/re-researching and re-rescanning for the past few weeks trying to eradicate this beast. I just ran NoLop after reading another post, but it found no problems.

I get prompted after boot up to work off-line by IE. In addition, a couple of pop-ups occur after getting a " . . . trying to access a protected item" warning.

I have attached my latest logs in a zip.

Ken

Here's the HJT log from the zip . . .
 
Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

Regards Howard :)

This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Ok . . .

I've completed the tasks as described in the Preliminaries. However Look2Me did not restart after 1 minute as described (wait several minutes).

The latest HJT log is attached. Sorry, couldn't get AVG Anti-Spyware to install (but that's another story).

I still get prompted to start IE online after boot up. If I start IE, I get a couple of pop-ups prompting for passwords. These appear after a warning dialog that a program is trying to access a "protected item". Therefore I only use Firefox for internet access.

Please advise.

Thanks,

Ken
 
I really do need to see an AVG Antispyware log. Please post one in your next reply.

You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

MySQL
Microsoft authenticate service (MsaSvc) < Disable by the service name and/or the name in brackets.

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for the following (if there).

msasvc.exe
Program.exe
CFD.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\system32\imtqodk.dll (file missing)

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://198.88.234.4:800/iNotes6.cab

O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3A93F75C-FF05-4EEC-836C-9C21A16FA99B}: NameServer = 61.123.225.72

O17 - HKLM\System\CCS\Services\Tcpip\..\{77953F1E-3026-4825-B618-B251D56C8314}: NameServer = 61.123.225.72

O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B0B4B4-637A-428E-AA12-C05B4C8770C3}: NameServer = 61.123.225.72

O17 - HKLM\System\CCS\Services\Tcpip\..\{B842E1C8-B3CB-40AA-811A-06CA1C363A10}: NameServer = 61.123.225.72

Only fix the above O17 entries if they don't belong to your ISP.

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program.exe
C:\WINDOWS\system32\msasvc.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as well as an AVG Antispyware log.

Regards Howard :)

This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
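The fix list above mixes four kinds of indicator: a hosts-file redirect (O1), registrations whose file is gone (O2, O23), autorun entries (O4) and a hard-coded DNS server pushed onto every network interface (O17), with the caveat that O17 entries must only be removed when the address is not the ISP's resolver. The following Python script is an added example, not part of the original thread and not code from HijackThis; it parses HJT log lines and applies those triage rules. The sample input is the lines quoted in Howard's post plus one hypothetical O17 line (the interface GUID and the resolver 192.0.2.53 are invented) to exercise the ISP allow-list, and the allow-list itself is an assumption the user must fill in from their own ISP's settings.

```python
"""Triage a HijackThis (HJT) log for the entry types discussed in this thread."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HJT log quoted in the post above, plus one
# hypothetical O17 line (GUID and 192.0.2.53 invented) standing in for the ISP's own resolver.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\system32\imtqodk.dll (file missing)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A93F75C-FF05-4EEC-836C-9C21A16FA99B}: NameServer = 61.123.225.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{77953F1E-3026-4825-B618-B251D56C8314}: NameServer = 61.123.225.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")                      # "O17 - <body>"
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")               # "Hosts: <ip> <hostname>"
NAMESERVER = re.compile(r"NameServer = ([0-9A-Fa-f.:, ]+)$")  # one or more resolver addresses
SERVICE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")    # "<name> - <owner> - <path>"
FILE_MISSING = "(file missing)"
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}  # hosts entries that block rather than redirect


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag, e.g. "O17"
    action: str   # "fix" (tick it in HJT) or "review" (needs a human decision)
    reason: str
    value: str    # the hostname, resolver address or service name the finding is about
    line: str


def triage(log_text, isp_nameservers=frozenset()):
    """Apply the thread's triage rules to HJT log text and return a list of Findings.

    isp_nameservers: resolver addresses known to belong to the user's ISP (assumption:
    supplied by the user). An O17 NameServer outside this set is flagged for fixing,
    which is the caveat given with the O17 entries above.
    """
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        line = raw.strip()
        if section == "O1":
            hm = HOSTS.match(body)
            if hm and hm.group(1) not in BLOCK_ADDRESSES:
                findings.append(Finding(section, "fix",
                    f"hosts file redirects {hm.group(2)} to {hm.group(1)}", hm.group(2), line))
        elif section == "O2":
            if FILE_MISSING in body:
                findings.append(Finding(section, "fix",
                    "BHO registration whose DLL is gone; orphaned entry", body, line))
            else:
                findings.append(Finding(section, "review", "BHO present; verify its publisher", body, line))
        elif section == "O4":
            action = "fix" if FILE_MISSING in body else "review"
            findings.append(Finding(section, action, "autorun entry; confirm it is wanted", body, line))
        elif section == "O17":
            nm = NAMESERVER.search(body)
            if nm:
                for ip in re.split(r"[ ,]+", nm.group(1).strip()):
                    if ip and ip not in isp_nameservers:
                        findings.append(Finding(section, "fix",
                            f"per-interface DNS server {ip} is not an ISP resolver", ip, line))
        elif section == "O23":
            sm = SERVICE.match(body)
            if sm and FILE_MISSING in sm.group(3):
                findings.append(Finding(section, "fix",
                    f"service {sm.group(1)!r} is registered but its binary is missing", sm.group(1), line))
            elif sm and sm.group(2) == "Unknown owner":
                findings.append(Finding(section, "review",
                    f"service {sm.group(1)!r} has no known owner", sm.group(1), line))
    return findings


def dns_hijack_summary(findings):
    """Map each flagged resolver address to the number of interfaces it was set on."""
    counts = {}
    for f in findings:
        if f.section == "O17" and f.action == "fix":
            counts[f.value] = counts.get(f.value, 0) + 1
    return counts


if __name__ == "__main__":
    # Assumption: 192.0.2.53 stands in for the resolver the user's ISP actually hands out.
    results = triage(SAMPLE_HJT_LOG, isp_nameservers={"192.0.2.53"})
    for f in results:
        print(f"{f.section} [{f.action}] {f.reason}")
    print("rogue resolvers by interface count:", dns_hijack_summary(results))
```

On the sample input the script flags the hosts redirect, the orphaned BHO, both O23 services with missing binaries and the two interfaces pointing at 61.123.225.72, leaves the allow-listed resolver alone, and lists the O4 entry for review rather than removal, since an autorun line with an existing file cannot be judged from the log alone.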
 
I have removed your .doc file as .doc files can carry viruses.

Please follow the instructions in my post above, then post the requested log files.

Regards Howard :)

This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Here we go . ..

Sorry 'bout the doc file. I followed the latest instructions. The HJT log is attached.

I did not find O23 - MsaSvc or O23 - MySQL entries in the HJT dialog when run in safe mode. The c:\program.exe and c:\windows\system32\msasvc.exe files were not found.

I can't install AVG antispyware due to a "licensing conflict" of some sort. I have tried deleting my AVG version and re-installing, but can not delete it. I will need to contact AVG support to get this corrected.

I ran SSD and it came back clean.

Thanks for your help and patience,

Ken
 
Well done, your HJT log is now clean. If and when you get your AVG Antispyware problem sorted out, please post an AVG Antispyware log.

Regards Howard :)

This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thank you, but I'm still getting the "work offline" and "protected item" pop-ups.

Any idea what could cause these?

Ken
 
Ok, lets see if we can find any other nasties lurking on your system. This is why I wanted to see an AVG Antispyware log.

Download and run the Blacklight programme. Follow all the instructions carefully.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Attach the Blacklight and combofix logs.

Regards Howard :)

This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I ran blbeta and combofix. Blbeta did not produce a log file that I saw. It found 3 hidden items (wav files), but these were old audio files I knew were there.

I have attached the combofix log.

Thanks for your help . . . again,

Ken

P.S. Don't you ever sleep?

Sorry, here's the HJT log after running Blacklight and ComboFix.

Ken
 
Blacklight and Combofix are both telling you, you have a rootkit infection.

Delete the files that Blacklight found as they are infected. If you can't delete them, run Blacklight again and choose the option to rename them.

Post a fresh Combofix and HJT log after doing that.

Regards Howard :)

This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Rootkit . . .

I re-ran Blacklight and re-named the 3 .wav files. I have attached fresh logs from HJT and ComboFix (zip).

While scouring the web for references to rootkits, I found a rootkit detection/removal tool from Trend Micro, RootKitBuster v1.6b. I also included a log file from this tool.

Regards,

Ken
 
Your HJT log is clean.

Trend Micro, RootKitBuster v1.6b contains only false positives.

Combofix still finds the presence of a rootkit driver.

Go HERE and follow the instructions. Please post the results. If we can't get rid of this soon, you may have no other choice than a reformat. Some rootkits can be impossible to remove.

Regards Howard :)

This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Your HJT log is still clean.

The AproposFix log shows nothing. Did you run the rest of the tools/programmes in the thread? If you did, please let me know the results.

If you didn't, please do so and let me know the results.

I'd also like you to download and run this tool: Rustock.b-fix

Regards Howard :)

This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Go HERE and follow the instructions, just to make sure the Rustock rootkit has gone.

Then, boot into safe mode and do the following.

Delete this bold directory.

C:\Documents and Settings\Dad\My Documents\TechSupport < Delete the entire folder.

Empty your recycle bin.

Let me know the results and how your system is running.

Regards Howard :)

This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Howard,

I followed the latest instructions using Reanimator and deleted the TechSupport directory. My logs are attached. I believe I still have the infection.

Unless you've got another ace up your sleeve, I'll re-image the drive from a back-up I made on 1/1/07. (Thank goodness for ghost.)

You've been EXTREMELY patient with me. I've learned a lot about virus detection and elimination (and how to avoid them).

Thanks again,

Ken
 
Your HJT log is clean. However, Combofix shows your system is riddled with nasty infections.

I think it`s time you considered doing a reformat and reinstall.

Regards Howard :)

This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 