Guys, please help, I’m absolutely at a loss with this trojan. I’m no one in programming and these logs make me nervous coz I don’t get what it’s all about. How can I get rid of the trojan and not damage my laptop? And how can I make my log files visible here?
Hi eaglewings,
W32/Onlinegames.Lov.PSW is a trojan. The trojan will infect Windows systems.
Upon execution, it drops as amvo.exe, amvo1.dll in the System folder and help[1].exe, ro.dll in the Documents and Settings folder.
The trojan attempts to steal passwords from infected systems.
This trojan first appeared on December 27, 2007.
Manual removal instructions:
Step 1 : Use Windows File Search Tool to Find Trojan-PSW.OnLineGames.bs Path
- Go to Start > Search > All Files or Folders.
- In the “All or part of the file name” section, type in “Trojan-PSW.OnLineGames.bs” file name(s).
- To get better results, select “Look in: Local Hard Drives” or “Look in: My Computer” and then click “Search” button.
- When Windows finishes your search, hover over the “In Folder” of “Trojan-PSW.OnLineGames.bs”, highlight the file and copy/paste the path into the address bar. Save the file’s path on your clipboard because you’ll need the file path to delete Trojan-PSW.OnLineGames.bs in the following manual removal steps.
Step 2 : Use Windows Task Manager to Remove Trojan-PSW.OnLineGames.bs Processes
- To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
- Click on the “Image Name” button to search for “Trojan-PSW.OnLineGames.bs” process by name.
- Select the “Trojan-PSW.OnLineGames.bs” process and click on the “End Process” button to kill it.
- Remove the “Trojan-PSW.OnLineGames.bs” processes files:
  tlso.exe
Step 3 : Use Windows Command Prompt to Unregister Trojan-PSW.OnLineGames.bs DLL Files
- To open the Windows Command Prompt, go to Start > Run > type cmd and then click the “OK” button.
- Type “cd” in order to change the current directory, press the “space” button, enter the full path to where you believe the Trojan-PSW.OnLineGames.bs DLL file is located and press the “Enter” button on your keyboard. If you don’t know where Trojan-PSW.OnLineGames.bs DLL file is located, use the “dir” command to display the directory’s contents.
- To unregister “Trojan-PSW.OnLineGames.bs” DLL file, type in the exact directory path + “regsvr32 /u” + [DLL_NAME] (for example, C:\Spyware-folder> regsvr32 /u Trojan-PSW.OnLineGames.bs.dll) and press the “Enter” button. A message will pop up that says you successfully unregistered the file.
- Search and unregister “Trojan-PSW.OnLineGames.bs” DLL files:
  tlso0.dll
Step 4 : Detect and Delete Other Trojan-PSW.OnLineGames.bs Files
- To open the Windows Command Prompt, go to Start > Run > type cmd and then press the “OK” button.
- Type in “dir /A name_of_the_folder” (for example, C:\Spyware-folder), which will display the folder’s content, including the hidden files.
- To change directory, type in “cd name_of_the_folder”.
- Once you have the file you’re looking for, type in “del name_of_the_file”.
- To delete a file in folder, type in “del name_of_the_file”.
- To delete the entire folder, type in “rmdir /S name_of_the_folder”.
- Select the “Trojan-PSW.OnLineGames.bs” process and click on the “End Process” button to kill it.
- Remove the “Trojan-PSW.OnLineGames.bs” processes files:
  tlso.exe
  tlso0.dll
polonus
Dear Polonus, thank you very much for this extended reply. I really tried to follow it but I’m afraid it didn’t do me any good. The search didn’t give results. This is the full name of the virus: “Win32:Onlinegames-GAZ[trj]” (but the search doesn’t see even this). Here’s an extract from the combofix log:
C:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf
F:\Autorun.inf
Is there anything like a trojan here?
Please help, my laptop is dying in front of my eyes.
P.S. I’ve just found that in my system 32 folder all 3 files are with viruses (the 2nd-4th in the list in my previous post). Can I just delete them? Or do I have to do anything else?
Thank you
Hi eaglewings,
Download ComboFix from http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.
- Please open Notepad
  Click Start, then Run
  Type notepad.exe in the Run Box.
- Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\oufddh.exe
C:\d6fagcs8.cmd
C:\WINDOWS\irg_dial.ini
C:\WINDOWS\system32\sounig.dll
C:\WINDOWS\irg_film.ini
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f7c5bde-5fa1-11dc-9022-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f7c5be0-5fa1-11dc-9022-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e506f07b-5f84-11dc-b4e5-0015c57299b4}]
- Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
- Save the above as CFScript.txt
- Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
polonus
Hi Polonus,
thx again for the reply.
I’ve already downloaded Combofix earlier; my log files are attached in my previous post, but I’ll do it once again. I don’t really get one thing: why do I need to drag that file and run combofix again?
Hi eaglewings,
This malware is so stubborn that it needs some form of special script to be removed for good.
So follow the instructions as I gave them in my former posting to the letter, using a new download of combofix, and launch CFScript.txt as demonstrated in the animation, then post another hjt log.
polonus
Dear Polonus, please find in the attachment two combofix logs, one before the script addition and another after (combo1 and combo2 correspondingly), and a fresh hjt log. You are my last hope :) What else do I have to delete? P.S. Before finding this forum I tried to delete it with the help of other antiviruses, one of those being Norton Antivirus 2004 (the one I could find free on the Inet), but it wasn’t well for avast!. A window showed up saying that some screens were switched off because of Norton; they don’t go together well as far as I could see. I deleted Norton and this window doesn’t show any more. How can I know that avast! is working like it should?
thx
Hi eaglewings,
Your hjt log seems normal now. Is your computer running better now? Then you can remove the comboscript tools from your computer, update your software, see to it you have the most recent Sun Java version running, and remove older versions of Java manually using Start > Control Panel > Add/Remove Programs.
polonus
P.S. Go here to test Avast against the eicar test virus (it is no real virus, but a test file to see whether an av-program works properly; it is completely and utterly harmless):
http://www.eicar.org/anti_virus_test_file.htm Go there and Avast should alarm on the eicar testfile being downloaded to your machine.
Damian
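A read-only way to confirm the cleanup, as an added example that is not part of the thread and is not ComboFix's own code: it looks for the three system32 files from the ComboFix extract, shows the launch lines of any Autorun.inf on a drive root, and reports MountPoints2 subkeys that match the CFScript GUIDs or still hold a cached Shell\AutoRun\command. It assumes PowerShell 3.0 or later is installed; the variable names are illustrative.

```powershell
# Added example: read-only check, nothing is deleted or modified.
# File names and GUIDs are copied from the posts in this thread.
$findings = @()

$files = 'amvo.exe', 'amvo0.dll', 'amvo1.dll' |
    ForEach-Object { Join-Path $env:SystemRoot "system32\$_" }
foreach ($path in $files) {
    # -Force so the file is found even if it is hidden or marked system
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{ Kind = 'File'; Location = $item.FullName; Detail = "$($item.Attributes)" }
    }
}

# Autorun.inf on every drive root. Optical media and installer sticks can
# carry a legitimate one, so only the lines that launch something are shown.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'Autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $cmds = Get-Content -LiteralPath $inf -Force |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' }
        $findings += [pscustomobject]@{ Kind = 'Autorun.inf'; Location = $inf; Detail = ($cmds -join ' | ') }
    }
}

# MountPoints2 is where Explorer caches the autorun action per volume.
$mp2   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$guids = '{8f7c5bde-5fa1-11dc-9022-806d6172696f}',
         '{8f7c5be0-5fa1-11dc-9022-806d6172696f}',
         '{e506f07b-5f84-11dc-b4e5-0015c57299b4}'
foreach ($key in Get-ChildItem -LiteralPath $mp2 -ErrorAction SilentlyContinue) {
    $cmdKey = "$($key.PSPath)\Shell\AutoRun\command"
    $listed = $guids -contains $key.PSChildName
    $hasCmd = Test-Path -LiteralPath $cmdKey
    if ($listed -or $hasCmd) {
        $cmd = if ($hasCmd) { (Get-ItemProperty -LiteralPath $cmdKey).'(default)' } else { '' }
        $findings += [pscustomobject]@{ Kind = 'MountPoints2'; Location = $key.PSChildName; Detail = $cmd }
    }
}

if ($findings.Count -eq 0) {
    'No leftovers from this thread were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```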
;D ;D ;D THANK YOU!!! THANK YOU VERY MUCH!!! IT’S FINALLY GONE!!! HURRRAYYY!!! AND APPLAUSE TO THE BEST OF THE BEST MALFIGHTER!!! I DOWNLOADED THE TEST FILE AND AVAST STARTED SCREAMING AT ONCE :) LIKE IT DID WHEN THE TROJAN WAS FOUND. I RESTARTED THE SYSTEM AND … NOBODY’S THERE!!! I AM overjoyed :) I hope the horses won’t trouble me for a while, but if they do I’ll be back here again. P.S. Is Damian your real name?