I'm generally a very careful web user, but a few days ago I contracted a trojan. A quick trip over to AVG and my laptop started working again. But since I've deleted the virus, I keep getting AVG alerts. It seems that a virus generator named LOP.AX is still wreaking havoc on my computer. I've googled it and found a lot of people talking about it, but no one offering advice on how to get rid of it.
Formatting my PC is out of the question - I've spent too much time working to customize my pc to have this damn virus ruin it. Not to mention that I have a bunch of programs that I've been writing that span well over 9 gb. Too big for a DVD, and I definitely don't want to lose those.
So, anyone had any experience with this virus? Any ideas?
EDIT: It appears to be fixed, so let's make this a general virus protection thread.
http://forums.spywareinfo.com/index.php?showtopic=95582
It should help in case anyone wants to look at it. But if that's not yours, would you mind posting it?
C:\WINDOWS\System32\DSentry.exe
That's definitely a worm generator and something you need to rid yourself of ASAP.
Edit: D'oh! Forgot about common courtesy to provide the download link.
http://www.merijn.org/files/hijackthis.zip
Using this, especially in Safe Mode, allows you to see the processes that your computer is automatically processing when it boots up Windows. This includes programs, DLLs, services, and other possible nuisances. So it's very effective for completely cleaning your computer when scanners fail you.
However, it also of course will detect genuine entries that you may want at startup or require for normal functioning. That's why those forums exist, so people can post their logs and have someone else differentiate for them between the good and bad entries.
So if you post your log on here, we should be able to help you find the bad entries. Although really it's just a matter of using Google to find out about suspicious entries and deleting them accordingly.
For manual removal of anything, there are only a few places that viruses can be set to start from, but most can start up again if they are 'touched' by the OS. You want to remove from services, the startup folder, and the registry in the HKLM and HKLU Run and RunServices keys. You also want to remove it from hooking into IE (Manage Add-ons), and from hooking into the explorer.exe shell (this can be done from quite a few spots in the registry, but there is a tool you can use called ShellExView that can at least grab the ones that hook via the shell).
You could spend hours doing that and still end up frustrated because you miss something somewhere and it comes back. Your best bet, if you absolutely cannot afford to lose that data, is to shut the machine down for a few days until the av companies release a removal tool for it.
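The two posts above describe the same workflow: HijackThis enumerates the autostart locations (BHOs, toolbars, Run keys, Winlogon Notify), and the human then looks up each entry. The following is an added example, not code from the thread or from HijackThis, that parses log lines in that format, maps each section code to the autostart location it represents, and flags the two patterns the thread later picks out by hand: entries whose file is missing, and modules with random-looking names loaded from system32. The section-code table and the "random-looking name" rule are my own assumptions chosen to fit the lines quoted in this thread; every flag is a prompt to look the entry up, not a verdict (the toolbars and FindeXer entries, which the thread identifies as legitimate, get no flag).

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis section codes -> the autostart location each one enumerates.
# Assumption: only the codes that occur in the quoted log are listed here.
SECTION_LOCATIONS = {
    "O2": "IE Browser Helper Object (registry: Browser Helper Objects key)",
    "O3": "IE toolbar (registry: Internet Explorer\\Toolbar key)",
    "O4": "Run key or Startup folder autostart",
    "O8": "IE context-menu extension (registry: MenuExt key)",
    "O20": "Winlogon Notify DLL (loaded by winlogon.exe at logon)",
}

# Heuristic only: a module name made of 5-12 lowercase letters and nothing
# else (gebaayv, wexfuijn, ...) is the pattern the thread calls "random names".
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,12}$")


@dataclass
class Entry:
    code: str
    location: str
    description: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def extract_path(rest: str) -> Optional[str]:
    """Pull the module path out of the part of a line after the section code."""
    # O4 lines wrap the DLL in quotes: rundll32.exe "C:\...\x.dll",entrypoint
    quoted = re.search(r'"([A-Za-z]:\\[^"]+)"', rest)
    if quoted:
        return quoted.group(1)
    # O2/O3/O20 lines carry the path as the last " - " separated field
    last = rest.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
    return last if re.match(r"^[A-Za-z]:\\", last) else None


def module_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\gebaayv.dll' -> 'gebaayv' (Windows paths, any host OS)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for lines in sections this table does not cover."""
    code, sep, rest = line.strip().partition(" - ")
    if not sep or code not in SECTION_LOCATIONS:
        return None
    entry = Entry(code, SECTION_LOCATIONS[code], rest, extract_path(rest))
    if "(file missing)" in rest:
        entry.flags.append("file missing")  # dangling autostart reference
    if entry.path and RANDOM_NAME_RE.match(module_stem(entry.path)):
        entry.flags.append("random-looking name")
    if code == "O4" and "rundll32" in rest.lower():
        entry.flags.append("DLL launched via rundll32 at startup")
    return entry


def triage(log_text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def suspicious(log_text: str) -> List[Entry]:
    """Only the entries that earned at least one flag; these need a manual lookup."""
    return [e for e in triage(log_text) if e.flags]


# Sample input: the log lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\system32\gebaayv.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\blafxmbk.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\vourusgx.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Setup Files\FindeXer Nightly V1.1.0.3\FindeXer.dll
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\wexfuijn.dll",setvm
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O20 - Winlogon Notify: gebaayv - C:\WINDOWS\SYSTEM32\gebaayv.dll
O20 - Winlogon Notify: gebbc - C:\WINDOWS\system32\gebbc.dll (file missing)
"""

if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.code:<4}{e.path}")
        print(f"    location: {e.location}")
        print(f"    flags:    {', '.join(e.flags)}")
```

Run against the quoted log it reports six entries: the three gebaayv/blafxmbk/vourusgx BHOs, the rundll32 Run entry, and both Winlogon Notify DLLs. The Need2Find bar, the Burn4Free toolbar and FindeXer pass the heuristics, which is exactly where the thread's advice to Google each remaining line still applies.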
That sounds perfect. Let me download it real quick and I'll post my log here.
EDIT: My Log:
I'll peruse your log and hopefully have some answers soon.
Thanks a ton. At the same time I'm googling every line of my log, starting from the bottom up.
No, I visit a website frequently which explains what processes are, and if you need them.
That's my ATI video card's manager program.
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\system32\gebaayv.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\blafxmbk.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\vourusgx.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Setup Files\FindeXer Nightly V1.1.0.3\FindeXer.dll
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\wexfuijn.dll",setvm
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O20 - Winlogon Notify: gebaayv - C:\WINDOWS\SYSTEM32\gebaayv.dll
O20 - Winlogon Notify: gebbc - C:\WINDOWS\system32\gebbc.dll (file missing)
Those should be cleaned ASAP.
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\system32\gebaayv.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\blafxmbk.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\vourusgx.dll (file missing)
Looks like random names - something crapware likes to do to hide itself. Googling the file names finds nothing.
I can explain some of those. FindXer is a finder clone for windows.
Burn4Free toolbar is my CD burning software.
No clue on the Need2Find, though.
*cleans old cruft*
Yeah, this program seems great, but extremely powerful.
I removed the files and my computer is flying now. I see an immediate speed increase, so hopefully that was what it needed.
What should I do now?
O20 - Winlogon Notify: gebaayv - C:\WINDOWS\SYSTEM32\gebaayv.dll
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\system32\gebaayv.dll
I'd boot into Safe Mode, try to delete that file, and then rescan (while remaining in Safe Mode) and fix those entries if they still exist. I'd also save a copy of your Safe Mode log and post it here, because sometimes "badware" is capable of hiding itself in normal Windows mode and won't show up in HijackThis scans until you're in Safe Mode.
Er, yeah, after I typed that I actually launched regedit and it's vastly different from what I used.
Back in windows 95, RegEdit was basically a glorified text editor, with every registry item being listed in plain text.
It was a good idea not to delete stuff because, should you fuck up and delete the wrong file, you'd want to be able to get it back easily, so rather than deleting entries, you could just add (rem) before the entry. This would basically delete it, but you could bring it back by removing the (rem) entry.
Does the new regedit have anything similar?
Also, kinda funny, but as a side effect of all this microcleaning, Internet Explorer has become squeaky clean. I normally don't use IE (I use either FF or Opera) but every now and then I'd use it, and it was cluttered with shit that I don't need.
Now it looks like a fresh install.
I'm curious - how does that work the same? Is there a list on my computer somewhere of the names of registry entries it's supposed to load up or something?
Registry hives are binary blobs, unfortunately. They are located in \WINDOWS\system32\config\
Well, I just ran the virus scan link someone posted above, but it's gonna take a long while. In the meantime, it's 6:45 am and I need some sleep.
Thanks a ton to everyone for their help, I knew I could count on PA. I'll post the results and some more logfiles when I wake up in the morning-ish.
If he is running a stock install on a Dell, it is likely just the DVD sentry. It is safe to disable; it disables autorun on disc insertion. You can do the same thing with a registry edit or using TweakXP, without the hassle of wasting space and resources for that little app.
However, there were also 2 internet explorer popups open when I woke up (I use firefox and opera, so I know they're not legit popups) and HijackThis still shows gebaayv.dll.
Time for round two... Any other suggestions?
In addition, following this guide has gotten rid of spyware on every machine I've cleaned (I used to clean machines for monies in college). It's pretty involved, but it's thorough. And thorough is necessary.
Wait. DSentry is evil? I'm reading online that it seems to be installed on many Dell comps.
Er... not that I don't appreciate this, but you (along with everyone telling me to get rid of DSentry) should read the thread.
We've been working on this for hours and you are just telling me stuff I've already done.
Hmm... It would still be a good idea to post all of your logs on Major Geeks though, as they probably live for this kinda stuff.