
Virus Problem: "virus Found Lop"


This topic is locked
9 replies to this topic

#1 Toastypk

  • Members
  • 6 posts

Posted 17 February 2008 - 04:20 PM

Yesterday I ran into a nasty site, and with the help of AVG and my spyware tools, I managed to get it under control for the most part. But there is one thing that just won't go away. Every hour or so, AVG tells me it found "Virus found Lop". I put it in the virus vault, but later it comes back. Something keeps making these, and I want them taken care of.

Here is my hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:09 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Macromedia\Fireworks MX\Fireworks.exe
C:\Program Files\HijackThis\HijackThis_v2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\fcccaxv.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B628FB95-E936-8B2A-6B72-5EC77461B0B4} - (no file)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Global Startup: Belkin F5D8053 N Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O20 - Winlogon Notify: fcccaxv - C:\WINDOWS\SYSTEM32\fcccaxv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7213 bytes

Anything suspicious?
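As an added illustration (my own code, not part of the thread and not HijackThis's or BleepingComputer's tooling), here is a small Python triage script that applies the cross-checks a malware responder does by eye on a log like the one above: it flags an unnamed BHO loading from system32, a Winlogon Notify DLL that is also registered as a BHO (fcccaxv.dll appears in both the O2 and O20 sections of this log), collapses the six identical O10 LSP lines into one note, and records Run entries with no full path and services with no vendor information. The sample input is an excerpt copied from the posted log; the severity labels and rule thresholds are my own choices, not HijackThis's.

```python
import re
from collections import Counter

# Excerpt of the HijackThis log posted above (entries copied from the post,
# trimmed to the sections the triage rules look at).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\fcccaxv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B628FB95-E936-8B2A-6B72-5EC77461B0B4} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O20 - Winlogon Notify: fcccaxv - C:\WINDOWS\SYSTEM32\fcccaxv.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

# Severity labels are my own ranking for sorting the findings.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse_hjt(text):
    """Return (section, detail) for every 'Rn - ...' / 'Onn - ...' entry."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _path_of(detail):
    """Last ' - '-separated field of an O2/O20 entry, i.e. the module path."""
    return detail.rsplit(" - ", 1)[-1].strip()


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries):
    """Return (severity, section, message) tuples, highest severity first."""
    findings = []
    bho_modules = {}
    # Pass 1: collect BHO modules so O20 entries can be cross-referenced.
    for sect, detail in entries:
        if sect != "O2":
            continue
        path = _path_of(detail)
        if path.lower() == "(no file)":
            findings.append(("low", sect, "orphaned BHO registration: " + detail))
            continue
        bho_modules[_basename(path)] = path
        if "(no name)" in detail and "\\system32\\" in path.lower():
            findings.append(("medium", sect, "unnamed BHO loading from system32: " + path))
    # Pass 2: Winlogon Notify, Run entries and services.
    for sect, detail in entries:
        if sect == "O20":
            path = _path_of(detail)
            base = _basename(path)
            if base in bho_modules:
                findings.append(("high", sect, f"{base} is registered both as a BHO and as a Winlogon Notify DLL"))
            else:
                findings.append(("medium", sect, "Winlogon Notify DLL, review: " + path))
        elif sect == "O4":
            command = detail.split(": ", 1)[-1].split("] ", 1)[-1]  # "[name] command"
            if "\\" not in command:
                findings.append(("info", sect, "Run entry without a full path: " + command))
        elif sect == "O23" and "Unknown owner" in detail:
            findings.append(("info", sect, "service with no vendor information: " + detail))
    # Identical O10 lines are one LSP file occupying several chain slots.
    for detail, n in Counter(d for s, d in entries if s == "O10").items():
        if n > 1:
            findings.append(("info", "O10", f"LSP entry repeated {n}x: {detail}"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])  # stable: keeps log order within a level
    return findings


def run_sample():
    return triage(parse_hjt(SAMPLE_LOG))


if __name__ == "__main__":
    for severity, section, message in run_sample():
        print(f"[{severity:6}] {section}: {message}")
```

The two-pass structure matters: the O20 rule only fires once the BHO table is complete, and the same idea extends to O23 services and O4 Run entries if you want to catch a module that is registered under several autostart mechanisms at once.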


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 February 2008 - 04:30 PM

Hello Toastypk,

Welcome to Bleeping Computer :thumbsup:

Let's just see what we can see:

CiD Help
Download Plugin for Internet Explorer
Zone Media
Netpumper


In case, during the uninstall, when asked for the uninstall Verification, please enter the numbers that will appear in the window.

Then reboot. Important!

* Download Deljob.exe and save it to your desktop.
Doubleclick Deljob.exe.

A log (logit.txt) should open afterwards. This log will be present on your desktop.
Post the contents of the logfile in your next reply.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Toastypk
  • Topic Starter

  • Members
  • 6 posts

Posted 17 February 2008 - 05:51 PM

In case, during the uninstall, when asked for the uninstall Verification, please enter the numbers that will appear in the window.

What exactly am I uninstalling? Those four programs? I didn't see them in the log...

Do I uninstall before the Deljob thing?

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 February 2008 - 08:07 PM

Oh yikes! I'm so sorry!! :thumbsup: Yes, look in Add/Remove Programs for any of those and uninstall them. Reboot. Then run Deljob.

I'm so sorry!

tea

#5 Toastypk
  • Topic Starter

  • Members
  • 6 posts

Posted 17 February 2008 - 10:46 PM

Problem is... I don't see any of those four programs in the add/remove list.

Should I just proceed as normal?

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 February 2008 - 01:59 AM

Yes, please. :thumbsup: Just follow all the other directions.

#7 Toastypk
  • Topic Starter

  • Members
  • 6 posts

Posted 20 February 2008 - 06:02 PM

Here is my Deljob log. I'll do the next step now.

--------------------------------------------------------
No LOP job-files found
--------------------------------------------------------
Files in Windows Tasks folder

Ad-aware 6.job
Disk Cleanup.job
Spybot-S&D (easy mode).job
--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is BCCA-7362

Directory of C:\Documents and Settings\Timothy\Application Data

10/02/2007 07:32 PM <DIR> .
10/02/2007 07:32 PM <DIR> ..
01/04/2008 09:00 PM <DIR> Adobe
06/05/2004 11:30 PM <DIR> ALIENS~1 Alien Skin
06/18/2004 02:19 AM <DIR> Arcsoft
02/16/2008 06:22 PM <DIR> AVG7
01/14/2008 09:37 AM <DIR> Canon
05/23/2005 01:56 PM <DIR> GTek
02/02/2004 05:17 PM <DIR> Help
05/23/2006 04:37 PM <DIR> MACROM~1 Macromedia
07/15/2007 12:33 AM <DIR> MICROS~1 Microsoft
06/06/2003 09:42 PM <DIR> Real
05/17/2007 06:51 AM <DIR> Skype
06/20/2006 12:55 AM <DIR> SmartFTP
10/02/2007 07:32 PM <DIR> Sun
05/27/2003 01:24 PM <DIR> Symantec
01/21/2005 08:54 PM <DIR> Ventrilo
07/27/2007 11:03 PM <DIR> VIEWPO~1 Viewpoint
07/05/2006 02:59 AM <DIR> XnView
0 File(s) 0 bytes
19 Dir(s) 2,571,169,792 bytes free
Volume in drive C has no label.
Volume Serial Number is BCCA-7362

Directory of C:\Documents and Settings\All Users\Application Data

02/16/2008 07:58 PM <DIR> .
02/16/2008 07:58 PM <DIR> ..
02/20/2008 05:55 PM <DIR> avg7
06/05/2005 06:33 PM <DIR> Dell
02/03/2006 06:16 PM <DIR> Grisoft
05/23/2005 01:56 PM <DIR> GTek
06/17/2004 06:52 PM <DIR> Kodak
08/24/2003 06:40 PM <DIR> MACROM~1 Macromedia
04/25/2005 07:06 PM <DIR> MESSEN~1 Messenger Plus!
12/05/2007 09:33 PM <DIR> MICROS~1 Microsoft
06/06/2003 04:30 PM <DIR> MSN6
05/01/2005 01:02 AM <DIR> PopCap
09/05/2003 10:50 PM <DIR> QUICKT~1 QuickTime
05/27/2003 01:17 PM <DIR> SBSI
09/18/2005 11:31 PM <DIR> ScanSoft
02/19/2008 04:34 PM <DIR> SITEGU~1 SITEguard
07/19/2006 03:34 AM <DIR> Skype
04/27/2004 04:08 PM <DIR> SPYBOT~1 Spybot - Search & Destroy
02/20/2008 04:44 PM <DIR> STOPZI~1 STOPzilla!
02/03/2006 05:13 PM <DIR> Symantec
07/27/2007 11:03 PM <DIR> VIEWPO~1 Viewpoint
0 File(s) 0 bytes
21 Dir(s) 2,571,169,792 bytes free
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
All Users
Family report final.doc
Family report.doc
family[1].doc
In this experiment.doc
prejudicepaper.doc
Timothy
warreportoutline.doc
--------------------------------------------------------
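Deljob's first section checks the Windows Tasks folder for Lop's .job files and then lists every task it found, which is why the three benign scheduled tasks appear in the log above. As an added example (my code, not Deljob's), here is a Python routine that parses that section of the log and applies a naming heuristic to each task: names on a known-benign allowlist are accepted, names with digits mixed into letters or a vowel-poor run of six or more letters are flagged for review, and the legacy AT-scheduler pattern At1, At2, ... is exempted. The three benign names are the ones from the posted log; rtlqxbz.job and A9F3KQ2.job are constructed here to exercise the flag and were not in the original log.

```python
import re

# Constructed sample in the format of the Deljob log posted above. The three
# benign .job names are from the post; rtlqxbz.job and A9F3KQ2.job are made up
# here to exercise the heuristic.
SAMPLE_DELJOB = """\
--------------------------------------------------------
No LOP job-files found
--------------------------------------------------------
Files in Windows Tasks folder

Ad-aware 6.job
Disk Cleanup.job
Spybot-S&D (easy mode).job
rtlqxbz.job
A9F3KQ2.job
--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
"""

# Allowlist (lower-cased task names without the .job extension); extend per site.
KNOWN_BENIGN = {"ad-aware 6", "disk cleanup", "spybot-s&d (easy mode)"}


def tasks_section(text):
    """Return the task names (without .job) listed under 'Files in Windows Tasks folder'."""
    jobs, inside = [], False
    for line in text.splitlines():
        if line.startswith("Files in Windows Tasks folder"):
            inside = True
            continue
        if inside and line.startswith("----"):
            break
        if inside and line.lower().endswith(".job"):
            jobs.append(line[:-4])
    return jobs


def looks_random(stem):
    """Heuristic for machine-generated task names: a single token that either
    mixes digits into letters or is a vowel-poor run of six or more letters."""
    if " " in stem or re.fullmatch(r"At\d+", stem):  # multi-word names and AT-scheduler jobs
        return False
    letters = [c for c in stem if c.isalpha()]
    digits = [c for c in stem if c.isdigit()]
    if letters and digits:
        return True
    if len(letters) >= 6:
        vowels = sum(c.lower() in "aeiouy" for c in letters)
        return vowels / len(letters) < 0.25
    return False


def classify(text):
    """Map each task name in the log to 'known', 'suspicious' or 'review'."""
    result = {}
    for stem in tasks_section(text):
        if stem.lower() in KNOWN_BENIGN:
            result[stem] = "known"
        elif looks_random(stem):
            result[stem] = "suspicious"
        else:
            result[stem] = "review"
    return result


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_DELJOB).items():
        print(f"{verdict:10} {name}.job")
```

The heuristic is deliberately loose and is only a prioritisation aid: anything not on the allowlist still lands in the "review" bucket, and a scheduled task that re-launches a quarantined file is confirmed by opening the .job and checking the command it runs, not by its name alone.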



#8 Toastypk
  • Topic Starter

  • Members
  • 6 posts

Posted 21 February 2008 - 07:22 PM

Some good and bad news.

The good news is that I ran Combofix, and now I'm not getting the virus anymore.

The bad news is, after it ran the program, it closed out the window and gave one last bit of text, but I didn't see what that text was. I was left with a blue DOS box called kmd.exe, and I had no leads or anything. I knew it said it was going to restart, but I eventually had to restart on my own with nothing else happening.
But when I get back, I notice my computer is set to Military time. I want it to be 7:17 PM again instead of 19:17.
Also, I had combofix on the desktop, but I never got a log. And I'm afraid other settings on my computer may have been affected too. I'm worried... Are they fixable?

Was this because of something I did wrong in combofix?

#9 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 21 February 2008 - 11:54 PM

Hello,

If you didn't give it enough time to restart, then that's why your clock is still on military time. We'll fix it. :blink: Please look in the ComboFix folder for a .txt file called ComboFix.txt, and post that report in your reply along with a new HijackThis log, then we'll fix your clock. How is it running? :thumbsup:

Thanks,
tea

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 March 2008 - 06:07 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic