I'm generally a very careful web user, but a few days ago I contracted a trojan. A quick trip over to AVG and my laptop started working again. But since I've deleted the virus, I keep getting AVG alerts. It seems that a virus generator named LOP.AX is still wreaking havoc on my computer. I've googled it and found a lot of people talking about it, but no one offering advice on how to get rid of it.
Formatting my PC is out of the question - I've spent too much time working to customize my PC to have this damn virus ruin it. Not to mention that I have a bunch of programs that I've been writing that span well over 9 GB. Too big for a DVD, and I definitely don't want to lose those.
So, anyone had any experience with this virus? Any ideas?
EDIT: It appears to be fixed, so let's make this a general virus protection thread.
* Save HJTsetup.exe to your desktop.
* Doubleclick on the HJTsetup.exe icon on your desktop.
* By default it will install to C:\Program Files\Hijack This.
* Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
* Put a check by Create a desktop icon then click Next again.
* Continue to follow the rest of the prompts from there.
* At the final dialogue box click Finish and it will launch Hijack This.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
* Come back here to this thread and Paste the log in your next reply.
* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
================
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
================
What I need:
1)HijackThis log
2)Uninstall list
This post has been edited by logreeval: Mar 10 2007, 11:43 AM
Edit: D'oh! Forgot about common courtesy to provide the download link.
http://www.merijn.org/files/hijackthis.zip
Using this, especially in Safe Mode, allows you to see the processes that your computer is automatically processing when it boots up Windows. This includes programs, DLLs, services, and other possible nuisances. So it's very effective for completely cleaning your computer when scanners fail you.
However, it also of course will detect genuine entries that you may want at startup or require for normal functioning. That's why those forums exist, so people can post their logs and have someone else differentiate for them between the good and bad entries.
So if you post your log on here, we should be able to help you find the bad entries. Although really it's just a matter of using Google to find out about suspicious entries and deleting them accordingly.
This must be something new. The only thing I can think of is the old lop.com toolbar malware that used to attach to IE. If there is an anti spyware program out there that can't get rid of that after two years there is something wrong. Start by scanning the hdd with an av from outside the os, like from a bootable os or bootable av cd.
For manual removal of anything, there are only a few places that viruses can be set to start from, but most can start up again if they are 'touched' by the OS. You want to remove from services, the startup folder, and the registry in the HKLM and HKCU Run and RunServices keys. You also want to remove it from hooking into IE (manage add-ons), and from hooking into the explorer.exe shell (this can be done from quite a few spots in the registry, but there is a tool you can use called ShellExView that can at least grab the ones that hook via the shell).
You could spend hours doing that and still end up frustrated because you miss something somewhere and it comes back. Your best bet, if you absolutely cannot afford to lose that data, is to shut the machine down for a few days until the av companies release a removal tool for it.
That sounds perfect. Let me download it real quick and I'll post my log here.
EDIT: My Log:
Logfile of HijackThis v1.99.1
Scan saved at 4:33:19 AM, on 3/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I can explain some of those. FindXer is a finder clone for windows.
Burn4Free toolbar is my CD burning software.
No clue on the Need2Find, though.
I'm not so sure you need the Burn4Free toolbar, but feel free to keep it. Sorry about the "FindXer" though, I just kinda threw it in there because of its proximity to Need2Find.
Also, HijackThis is a great way to find old cruft you had no idea was running.
*cleans old cruft*
Yeah, this program seems great, but extremely powerful.
I removed the files and my computer is flying now. I see an immediate speed increase, so hopefully that was what it needed.
What should I do now?
I'd rescan and post your log here. Chances are that if traces remain, they've already begun generating themselves and should show up.
Logfile of HijackThis v1.99.1
Scan saved at 4:53:12 AM, on 3/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I'd boot into Safe Mode, try to delete that file, and then rescan (while remaining in Safe Mode) and fix those entries if they still exist. I'd also save a copy of your Safe Mode log and post it here, because sometimes "badware" is capable of hiding itself in normal Windows mode and won't show up in HijackThis scans until you're in Safe Mode.
Yes, and it's much more comprehensive as you've probably already guessed. In my limited experience with helping myself and others cleanse their machines, it's usually overkill and a careful look with HijackThis is usually all you need. However, if you're still suspicious, feel free to link to your StartupList log and I could look at that as well.
You could try a free online scan with Kaspersky. It's one of the better AV engines out there, and it's probably a good idea to try it out every now and then just to get a second opinion (especially seeing as AVG is a rather good, but not great AV software).
I'm looking through it and I see several mentions of gebaayv.dll in my startup list. If I right click I can jump to a regedit entry... I haven't used RegEdit since windows 95, so before I begin to get over my head, can you still remove items by adding (rem) prior to their entry in RegEdit XP?
I'm honestly not sure about that, but in Windows XP you have the option of right-clicking and picking delete as well. I'm sorry if I've misunderstood something and that's not what you meant.
Er, yeah, after I typed that I actually launched RegEdit and it's vastly different from what I used.
Back in Windows 95, RegEdit was basically a glorified text editor, with every registry item being listed in plain text.
It was a good idea not to delete stuff because, should you fuck up and delete the wrong file, you'd want to be able to get it back easily, so rather than deleting entries, you could just add (rem) before the entry. This would basically delete it, but you could bring it back by removing the (rem) entry.
Does the new RegEdit have anything similar?
Also, kinda funny, but as a side effect of all this microcleaning, Internet Explorer has become squeaky clean. I normally don't use IE (I use either FF or Opera) but every now and then I'd use it, and it was cluttered with shit that I don't need.
Now it looks like a fresh install.
I know what you speak of, and if you want that kind of functionality I'd just rename the different names of registry entries you wish to render useless. That should have the exact same functionality.
I'm curious - how does that work the same? Is there a list on my computer somewhere of the names of registry entries it's supposed to load up or something?
Registry hives are binary blobs, unfortunately. They are located in \WINDOWS\system32\config\
IF that's your log, you need to make sure to get rid of DSEntry.exe:
C:\WINDOWS\System32\DSentry.exe
That's definitely a worm generator and something you need to rid yourself of ASAP.
If he is running a stock install on a Dell, it is likely just the DVD Sentry. It is safe to disable; it disables autorun on disc insertion. You can do the same thing with a registry edit or using TweakXP, without the hassle of wasting space and resources for that little app.
So I woke up and the virus scan software linked before returned no viruses.
However, there were also 2 internet explorer popups open when I woke up (I use firefox and opera, so I know they're not legit popups) and HijackThis still shows gebaayv.dll.
Not a specific suggestion, but http://www.hijackthis.de/ is a pretty good HJT analyzer. Just paste your log there and it will tell you what's typically bad.
In addition, following this guide has gotten rid of spyware on every machine I've cleaned (I used to clean machines for monies in college). It's pretty involved, but it's thorough. And thorough is necessary.
Er... not that I don't appreciate this, but you (along with everyone telling me to get rid of DSentry) should read the thread.
We've been working on this for hours and you are just telling me stuff I've already done.
Hmm... It would still be a good idea to post all of your logs on Major Geeks though, as they probably live for this kinda stuff.
http://forums.spywareinfo.com/index.php?showtopic=95582
It should help in case anyone wants to look at it. But if that's not yours, would you mind posting it?
I'll peruse your log and hopefully have some answers soon.
Thanks a ton. At the same time I'm googling every line of my log, starting at the bottom up.
No, I visit a website frequently which explains what processes are, and if you need them.
That's my ATI video card's manager program.
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\system32\gebaayv.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\blafxmbk.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\vourusgx.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Setup Files\FindeXer Nightly V1.1.0.3\FindeXer.dll
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\wexfuijn.dll",setvm
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O20 - Winlogon Notify: gebaayv - C:\WINDOWS\SYSTEM32\gebaayv.dll
O20 - Winlogon Notify: gebbc - C:\WINDOWS\system32\gebbc.dll (file missing)
Those should be cleaned ASAP.
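As an added example (not code posted in this thread, and not part of HijackThis itself), the following Python script applies the judgement the replies above make by hand to the O2/O4/O20 lines quoted from the log, and for each flagged line prints the registry key behind it, i.e. the startup locations the manual-removal reply earlier in the thread tells you to open in regedit. The input is a constructed copy of the log lines quoted above plus one made-up benign O4 line standing in for the ATI control panel entry the poster mentions; the scoring weights, the STOCK_NOTIFY set and the threshold are my own assumptions, not HijackThis's. The heuristics are deliberately coarse: the Need2Find bar that the thread also calls out is a properly named BHO outside system32 and is not caught, because that kind of entry still needs a lookup on hijackthis.de or a search engine.

```python
import re
from dataclasses import dataclass

# Constructed sample: the O2/O3/O4/O8/O20 lines quoted in this thread, plus one
# made-up benign O4 line (the ATI control panel the poster mentions) as a control.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\system32\gebaayv.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\blafxmbk.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\vourusgx.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Setup Files\FindeXer Nightly V1.1.0.3\FindeXer.dll
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\wexfuijn.dll",setvm
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O20 - Winlogon Notify: gebaayv - C:\WINDOWS\SYSTEM32\gebaayv.dll
O20 - Winlogon Notify: gebbc - C:\WINDOWS\system32\gebbc.dll (file missing)
"""

# Winlogon Notify packages shipped with XP (HijackThis hides these by default).
# Assumption: anything else under Notify\ deserves a look. Extend for known vendors.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Where each HijackThis section code actually lives: the keys to open in regedit
# (or to rename/delete from) when removing an entry by hand.
LOCATIONS = {
    "O2":  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}"
           r"  (DLL path under HKCR\CLSID\{clsid}\InprocServer32)",
    "O3":  r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar  value {clsid}",
    "O4":  r"{hive}\SOFTWARE\Microsoft\Windows\CurrentVersion\{key}  value [{value}]",
    "O20": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{name}",
    "O23": r"HKLM\SYSTEM\CurrentControlSet\Services\{name}",
}

LINE_RE   = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE  = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE   = re.compile(r'([A-Za-z]:\\[^"\n,]*?\.(?:dll|exe|ocx))', re.I)
O4_RE     = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
RANDOM_RE = re.compile(r"^[a-z]{5,9}$")   # gebaayv, blafxmbk, wexfuijn, gebbc ...


@dataclass
class Finding:
    section: str
    line: str
    path: str
    score: int
    reasons: list
    location: str


def registry_location(section, rest):
    """Fill the LOCATIONS template for one log line (rest = text after 'Oxx - ')."""
    tmpl = LOCATIONS.get(section)
    if tmpl is None:
        return "(not mapped)"
    if section in ("O2", "O3"):
        cm = CLSID_RE.search(rest)
        return tmpl.format(clsid=cm.group(0) if cm else "{?}")
    if section == "O4":
        om = O4_RE.match(rest)
        if not om:
            return tmpl
        hive, key, value, _cmd = om.groups()
        return tmpl.format(hive=hive, key=key, value=value)
    name = rest.split(":", 1)[1].split(" - ", 1)[0].strip()   # O20 / O23 entry name
    return tmpl.format(name=name)


def triage(log_text, threshold=2):
    """Score each HijackThis line; return the ones worth fixing, with reasons and key."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        pm = PATH_RE.search(rest)
        path = pm.group(1) if pm else ""
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        in_sys32 = "\\windows\\system32\\" in path.lower()
        score, reasons = 0, []

        if "(file missing)" in rest:                       # leftover registration
            score += 1; reasons.append("orphaned registration: file missing on disk")
        if section == "O2" and rest.startswith("BHO: (no name)"):
            score += 2; reasons.append("BHO registered with no name")
        if section == "O4" and "rundll32" in rest.lower() and in_sys32:
            score += 2; reasons.append("rundll32 loads a DLL export from system32 at logon")
        if section == "O20":
            name = rest.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name.lower() not in STOCK_NOTIFY:
                score += 2; reasons.append("Winlogon Notify package outside the stock XP set")
        if in_sys32 and RANDOM_RE.match(stem):             # weak on its own, so weight 1
            score += 1; reasons.append("random-looking lowercase name in system32")

        if score >= threshold:
            findings.append(Finding(section, raw.strip(), path, score, reasons,
                                    registry_location(section, rest)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] score={f.score} {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
        print(f"    key: {f.location}")
```

Run it and the six entries the thread tells the poster to fix come out (the three no-name BHOs, the rundll32 Run value, and both Winlogon Notify packages), each with the key to open in regedit; the Burn4Free, FindeXer, Need2Find and ATI lines score zero. The Winlogon Notify hits are the ones to treat first: a Notify DLL is loaded by winlogon.exe before the shell, which is why such a file can reappear or refuse deletion in normal mode and why the Safe Mode advice above is sound.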
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\system32\gebaayv.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\blafxmbk.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\vourusgx.dll (file missing)
Looks like random names - something crapware likes to do to hide itself. Googling the file names finds nothing.
Well, I just ran the virus scan link someone posted above, but it's gonna take a long while. In the meantime, it's 6:45 am and I need some sleep.
Thanks a ton to everyone for their help, I knew I could count on PA. I'll post the results and some more logfiles when I wake up in the morning-ish.
Time for round two... Any other suggestions?
wait. DSentry is evil? i'm reading online that it seems to be installed on many Dell comps.