Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horse Lop.as Infection


  • Please log in to reply
9 replies to this topic

#1 billyj

billyj

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 18 January 2007 - 09:59 AM

AVG detects Trojan horse Lop.AS on my IBM laptop running Win 2000 Pro. I have followed all the recommended removal steps, updated all Windows security files, updated AdAware, Zone Alarm, and of course AVG. The symptoms include, involuntary computer restarts and AVG repeated detections even though I have moved (many times) the Trojan file to the Virus Vault and also to Heal. I have also tried manual removal with Windows Explorer. I ran hijackthis.exe and have the log file posted below. Can you help? Thanks, billyj.

Logfile of HijackThis v1.99.1
Scan saved at 9:32:13 AM, on 1/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\PcNicCtl.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\ltcm000c.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINNT\system32\wltray.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis.exe\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O2 - BHO: (no name) - {631BCEAF-1187-4EC3-8920-F070365C5018} - C:\WINNT\system32\geefe.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\urqpqop.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINNT\system32\wltray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154195364954
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154404242696
O20 - Winlogon Notify: geefe - C:\WINNT\system32\geefe.dll (file missing)
O20 - Winlogon Notify: urqpqop - C:\WINNT\SYSTEM32\urqpqop.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IntelPcNicCtl - Unknown owner - C:\WINNT\system32\PcNicCtl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe

Edited by billyj, 18 January 2007 - 10:08 AM.


BC AdBot (Login to Remove)

 


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 18 January 2007 - 10:42 AM

You may have done this but re-download the program

Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
Double-click VundoFix.exe to run it.
click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
==========================

Download Superantispyware

http://www.superantispyware.com/superantis...efreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 billyj

billyj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 18 January 2007 - 11:12 AM

OK rigel, here's the hijackthis log and the vundofix a couple of spaces below:

Logfile of HijackThis v1.99.1
Scan saved at 11:06:18 AM, on 1/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\PcNicCtl.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\ltcm000c.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINNT\system32\wltray.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O2 - BHO: (no name) - {631BCEAF-1187-4EC3-8920-F070365C5018} - C:\WINNT\system32\geefe.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\urqpqop.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINNT\system32\wltray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154195364954
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154404242696
O20 - Winlogon Notify: geefe - C:\WINNT\system32\geefe.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IntelPcNicCtl - Unknown owner - C:\WINNT\system32\PcNicCtl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe


VundoFix V6.3.2

Checking Java version...

Sun Java not detected
Scan started at 10:50:51 AM 1/18/2007

Listing files found while scanning....

C:\WINNT\system32\byxyy.dll
C:\WINNT\system32\efeeg.bak1
C:\WINNT\system32\efeeg.bak2
C:\WINNT\system32\efeeg.ini
C:\WINNT\system32\fcyaw.dll
C:\WINNT\system32\geefe.dll
C:\WINNT\system32\jkhhh.dll
C:\WINNT\system32\khfee.dll
C:\WINNT\system32\pmkig.dll
C:\WINNT\system32\pmkki.dll
C:\WINNT\system32\pmklk.dll
C:\WINNT\system32\qopop.dll
C:\WINNT\system32\rqrpq.dll
C:\WINNT\system32\rqrrq.dll
C:\WINNT\system32\urqpqop.dll
C:\WINNT\system32\vtsrs.dll
C:\WINNT\system32\wvuuu.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\byxyy.dll
C:\WINNT\system32\byxyy.dll Has been deleted!

Attempting to delete C:\WINNT\system32\efeeg.bak1
C:\WINNT\system32\efeeg.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\efeeg.bak2
C:\WINNT\system32\efeeg.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\efeeg.ini
C:\WINNT\system32\efeeg.ini Has been deleted!

Attempting to delete C:\WINNT\system32\fcyaw.dll
C:\WINNT\system32\fcyaw.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jkhhh.dll
C:\WINNT\system32\jkhhh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\khfee.dll
C:\WINNT\system32\khfee.dll Has been deleted!

Attempting to delete C:\WINNT\system32\pmkig.dll
C:\WINNT\system32\pmkig.dll Has been deleted!

Attempting to delete C:\WINNT\system32\pmkki.dll
C:\WINNT\system32\pmkki.dll Has been deleted!

Attempting to delete C:\WINNT\system32\pmklk.dll
C:\WINNT\system32\pmklk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qopop.dll
C:\WINNT\system32\qopop.dll Has been deleted!

Attempting to delete C:\WINNT\system32\rqrpq.dll
C:\WINNT\system32\rqrpq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\rqrrq.dll
C:\WINNT\system32\rqrrq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\urqpqop.dll
C:\WINNT\system32\urqpqop.dll Has been deleted!

Attempting to delete C:\WINNT\system32\vtsrs.dll
C:\WINNT\system32\vtsrs.dll Has been deleted!

Attempting to delete C:\WINNT\system32\wvuuu.dll
C:\WINNT\system32\wvuuu.dll Has been deleted!

Performing Repairs to the registry.
Done!

#4 billyj

billyj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 18 January 2007 - 01:02 PM

rigel, here's the Super Antispyware log:

SUPERAntiSpyware Scan Log
Generated 01/18/2007 at 12:48 PM

Application Version : 3.5.1016

Core Rules Database Version : 3166
Trace Rules Database Version: 1177

Scan type : Complete Scan
Total Scan Time : 00:34:40

Memory items scanned : 345
Memory threats detected : 0
Registry items scanned : 3244
Registry threats detected : 12
File items scanned : 18322
File threats detected : 12

Browser Hijacker.Internet Explorer Zone Hijack
HKU\S-1-5-21-527237240-746137067-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com
HKU\S-1-5-21-527237240-746137067-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\www
HKU\S-1-5-21-527237240-746137067-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\www#http
HKU\S-1-5-21-527237240-746137067-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantiviruspro.com
HKU\S-1-5-21-527237240-746137067-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantiviruspro.com\www
HKU\S-1-5-21-527237240-746137067-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantiviruspro.com\www#http
HKU\S-1-5-21-527237240-746137067-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winsoftware.com
HKU\S-1-5-21-527237240-746137067-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winsoftware.com\download.cdn
HKU\S-1-5-21-527237240-746137067-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winsoftware.com\download.cdn#http

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.realtechnetwork[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediabrains[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tracking.foxnews[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adserver[1].txt

Unclassified.Unknown Origin
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel

#5 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 18 January 2007 - 01:13 PM

download http://www.mvps.org/winhelp2002/DelDomains.inf with I.E.

Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#6 billyj

billyj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 18 January 2007 - 01:22 PM

OK, I have completed all your instructions so far including install of DelDomains.inf with IE closed. What do you think now?

#7 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 18 January 2007 - 01:32 PM

Forgot to post the Hijack instructions

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: (no name) - {631BCEAF-1187-4EC3-8920-F070365C5018} - C:\WINNT\system32\geefe.dll (file missing)

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\urqpqop.dll (file missing)

O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)

O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)

O20 - Winlogon Notify: geefe - C:\WINNT\system32\geefe.dll (file missing)

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#8 billyj

billyj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 18 January 2007 - 01:40 PM

OK, I have to take off a while, will give feeback as soon as possible, thanks for the help. Billyj.

#9 billyj

billyj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 19 January 2007 - 01:55 PM

rigel, the procedures you recommended worked! I have run two AVG complete scans and two SuperAntiSpyware scans since yesterday and no threats were detected. No other spyware or virus symptoms are present. Thanks for you help in getting rid of Trojan horse Lop.AS.

#10 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 19 January 2007 - 02:25 PM

Turn off restore points, boot, turn them back on – here’s how

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
"Nothing could be finer than to be in South Carolina ............"

Member ASAP




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users