Trojan.DLoader/LX infection, hijackthis log attached. Please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by bradexter, Jan 10, 2007.

  1. bradexter

    bradexter Private E-2

    My computer seems to be infected with a Trojan.DLoader/LX. Every few seconds of browsing I seem to get redirected to a website suggesting I install Spyware Knight or Spysoldier. I have run Spybot and Ad-Aware; both come up with nothing, as does the latest version of McAfee. I've been on various forums and all suggested I post a hijackthis log, so here it is. Any help or advice would be really appreciated, cheers.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Most people are under the mistaken impression that HijackThis is a scanning/removal tool. It is not! HijackThis is simply a tool that is used to identify browser hijackers and in some cases it will show entries for some malware that is for instance running at startup. All it does is list a few of the thousands of registry keys that exist, and it makes no inferences as to whether anything being shown is good or bad. That decision is left to a person with significant Windows and malware cleaning experience. HijackThis does not come close to showing all malware that could be hiding on a PC. Anyone who has an infected computer and is relying on HijackThis without the benefit of running other scans such as Spybot, Windows Defender, BitDefender & Panda, CCleaner, etc. is more than likely still infected. In most cases, where there is one virus/trojan there are more. The goal of this forum is to remove all malware, and this cannot be done properly by just seeing a HijackThis log.

    So if you want to be sure to remove all malware from your PC, you will need to run the procedure in this Sticky thread READ & RUN ME FIRST Before Asking for Support and attach all the requested logs. We will not work on a HijackThis log only.

    However I will get you started on one specific fix before you do the READ & RUN ME. Run the below and it may help with your visible problem.


    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

    How are things working now?
     
  3. bradexter

    bradexter Private E-2

    Here is the log from the first SmitfraudFix search:

    Thanks
     

    Attached Files:

  4. bradexter

    bradexter Private E-2

    And here is the log from running the clean option in SmitfraudFix when in Safe Mode:

    Many thanks again
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my question on how things are working!

    If you are still having problems, you need to continue onto the below.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED, i.e. you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  6. bradexter

    bradexter Private E-2

    Thanks for the help so far, and sorry for not answering your question last time. I was still getting redirected to the site with the Trojan.DLoader/LX warning every few seconds so I followed the instructions in your READ & RUN ME FIRST thread. The problem I initially encountered seems to have been resolved but I have a concern with one of the scans.

    The Bitdefender scan found a huge number of infections in almost every folder of one of my drives and deleted the files. Do you think I should completely delete what is left in the folders and reload or should it now be clean?

    I just wanted to get your advice before I disabled system restore as described in the guide. Also some other infections were found when I ran the PandaActiveScan, so attached are my logs.

    Thanks again
     

    Attached Files:

  7. bradexter

    bradexter Private E-2

    Here are the remaining logs. Also wanted to clarify that I didn't change the settings at all when I ran Bitdefender; the log is large due to the large number of infections it found.

    Thanks
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, this infection can be quite annoying to remove and it scatters files with a .t extension all over the place on your PC. We will have to do some work to clean all of the leftover ones up. Please follow the steps below exactly as written.

    First uninstall the CounterSpy trial. We are finished with it and it could get in our way.
    • Now please download and install and get any updates recommended for Prevx1. DO NOT SCAN YET!!!!
    • Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
     
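The post above says the infection scatters files with a .t extension across the PC. As an added example (not code from the thread or from any of the tools it names), here is a Python inventory script that walks a directory tree, reports every *.t file with its size and SHA-256, and groups identical copies, so the leftovers can be reviewed before anything is deleted. The sample tree it builds under a temporary directory is constructed for the demonstration; on a real machine you would pass the drive root (for example `C:\`) instead.

```python
"""Inventory files with a .t extension under a directory tree.

Added example, not from the MajorGeeks thread. It reports matches
(size, SHA-256, path) instead of deleting them, so a reviewer decides
what goes. The sample tree built by build_sample_tree() is constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_dot_t_files(root):
    """Return sorted [(path, size, sha256)] for every *.t file under root.

    Matching is case-insensitive because NTFS/FAT names are, so FOO.T is
    caught as well as foo.t. Symlinked directories are not followed.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if os.path.splitext(name)[1].lower() == ".t":
                path = os.path.join(dirpath, name)
                try:
                    hits.append((path, os.path.getsize(path), sha256_of(path)))
                except OSError:
                    # Locked or vanished file: record it rather than skip it silently.
                    hits.append((path, -1, ""))
    return sorted(hits)


def duplicate_groups(hits):
    """Group matches by hash; identical droppings in many folders are typical."""
    groups = {}
    for path, _size, digest in hits:
        if digest:
            groups.setdefault(digest, []).append(path)
    return {d: paths for d, paths in groups.items() if len(paths) > 1}


def build_sample_tree(root):
    """Constructed sample: two .t droppings plus decoys that must not match."""
    layout = {
        "Program Files/App/a1b2c3.t": b"MZ\x90\x00junk",
        "WINDOWS/system32/d4e5f6.T": b"MZ\x90\x00junk",   # same bytes, other name
        "Documents and Settings/Dex/notes.txt": b"hello",  # .txt is not .t
        "WINDOWS/temp/readme.t.bak": b"x",                # extension is .bak
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_dot_t_files(tmp)
        for path, size, digest in hits:
            print(f"{size:>8}  {digest[:16]}  {path}")
        for digest, paths in duplicate_groups(hits).items():
            print("identical content:", digest[:16], "in", len(paths), "places")
```

Hashing the hits is what makes the list actionable: a dropper usually writes the same payload under many random names, so one hash group covering dozens of paths is a much stronger signal than any single .t file, and the digests can be checked against a scanner before deletion.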
  9. bradexter

    bradexter Private E-2

    Hi, thanks for all your help so far. I've tried to run the Prevx1 scan following your instructions but I get a message from Prevx1 saying I need an active internet connection to verify detections. This is stopping the scan from completing fully; am I doing something wrong?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! I did not realize that they now need the internet connection to remain active. Just leave the cable plugged in and we will see what happens. If you do not have connectivity to the net in safe mode, you may not be able to run that step either. If you cannot do that step, just skip it and attach the results of whatever you were able to do.
     
  11. bradexter

    bradexter Private E-2

    Hi I have done my best to get the new scans. Prevx worked when I was connected to the net in normal mode and jailed:
    PTHREADVC.DLL C:\WINDOws\SYSTEM32\PTHREADVC.DLL
    When I booted in safe mode with networking however, Prevx wouldn't even initialise so couldn't do anything.
    Also the Prevx log is 2.29 MB so couldn't be attached; other logs are below though:

    Thanks
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure that particular file is bad. It may be part of Google Earth.

    Please try compressing the log into a ZIP file and see if that is small enough to upload. Otherwise I will give you an email address to send it to.

    Now run this ViewpointKiller to remove Viewpoint Media software.

    Also delete the below two left overs from CounterSpy!
    C:\Documents and Settings\Dex\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Make sure viewing of hidden files is enabled (per the READ & RUN ME). You did not follow these directions in step 2 of the READ ME.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: ASGP32.ASGP - {6944D481-DD3D-4252-8992-EBAC37788EB3} - C:\WINDOWS\system32\asgp32.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)

    After clicking Fix, exit HJT.
    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
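The post above picks out three kinds of HijackThis entries: an O2 BHO whose DLL is reported as "(file missing)", O4 autostart values, and O15 Trusted Zone entries. As an added example (not code from the thread or from HijackThis itself), here is a Python parser for those three line formats that turns each into a record and flags the ones a reviewer looks at first: BHO registrations whose file is gone, Trusted Zone entries (which relax Internet Explorer's security settings for the listed site), and autostart commands running from a user-writable Temp or Local Settings path. The sample log is constructed: the first, third, fifth and sixth lines are the entries quoted in the post; the placeholder CLSID, the "updater" autostart and the O23 service line are made-up decoys.

```python
"""Parse HijackThis-style O2/O4/O15 lines and flag the entry kinds the thread acts on.

Added example, not from the thread or the HijackThis project. SAMPLE_LOG is
constructed: some lines are copied from the thread, the rest are decoys.
"""
import re

# "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# "O4 - HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# "O15 - Trusted Zone: <pattern>[ (HKLM)]"; no suffix means the per-user (HKCU) list
TZ_RE = re.compile(r"^O15 - Trusted Zone: (?P<pattern>\S+)(?: \((?P<hive>HKLM)\))?$")

# Heuristic only: autostart commands from these user-writable locations deserve a look.
USER_WRITABLE = ("\\temp\\", "\\local settings\\")

SAMPLE_LOG = r"""
O2 - BHO: ASGP32.ASGP - {6944D481-DD3D-4252-8992-EBAC37788EB3} - C:\WINDOWS\system32\asgp32.dll (file missing)
O2 - BHO: Decoy Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Decoy\helper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Dex\Local Settings\Temp\svhost.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: Decoy Service - Decoy Inc. - C:\WINDOWS\system32\decoysvc.exe
"""


def parse_line(line):
    """Return a dict for one O2/O4/O15 line, or None for any other line."""
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        return {"type": "O2", "name": m["name"], "clsid": m["clsid"].upper(),
                "path": m["path"], "file_missing": bool(m["missing"])}
    m = RUN_RE.match(line)
    if m:
        return {"type": "O4", "hive": m["hive"], "key": m["key"],
                "name": m["name"], "cmd": m["cmd"]}
    m = TZ_RE.match(line)
    if m:
        return {"type": "O15", "pattern": m["pattern"], "hive": m["hive"] or "HKCU"}
    return None


def flags_for(rec):
    """Reasons a reviewer would look twice; an empty list means nothing stood out."""
    flags = []
    if rec["type"] == "O2" and rec["file_missing"]:
        flags.append("BHO registered but DLL absent: dead registration, safe to remove")
    if rec["type"] == "O15":
        flags.append("Trusted Zone entry relaxes IE security for " + rec["pattern"])
    if rec["type"] == "O4" and any(w in rec["cmd"].lower() for w in USER_WRITABLE):
        flags.append("autostart runs from a user-writable path")
    return flags


def review(log_text):
    """Parse every line; return [(record, flags)] for the O2/O4/O15 lines only."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            results.append((rec, flags_for(rec)))
    return results


if __name__ == "__main__":
    for rec, flags in review(SAMPLE_LOG):
        marker = "!!" if flags else "  "
        print(marker, rec["type"], rec, *flags)
```

The parser deliberately reports the QuickTime and Java-style O4 entries without flagging them: as in the post, they are removed as startup clutter, not as malware, and a tool that cried wolf on every Program Files autostart would be ignored. Only the orphaned BHO, the Trusted Zone pair and the constructed Temp-directory autostart come back with flags.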
  13. bradexter

    bradexter Private E-2

    Ok, I've deleted the files as instructed, and here are the zipped Prevx log and new GetRunKey and ShowNew logs. Everything seems to be running fine with my computer now; I just want to make sure it's clear.

    Thanks
     

    Attached Files:

  14. bradexter

    bradexter Private E-2

    And here is the new HJT log
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run ViewPointKiller?

    If not, please run it to remove Viewpoint Media Player.

    If you did already run it then do the below:


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    You also forgot to delete the below two folders I requested:
    C:\Documents and Settings\Dex\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    You can uninstall Prevx1 now.


    Your logs are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
