# Removing Win32:Swizzor-gen [Trj]



## tonyohio (Apr 13, 2006)

Please help me remove that trojan from my computer.
I ran HijackThis and this is the log I received, but I don't know which file I should delete.
Logfile of HijackThis v1.99.1
Scan saved at 10:52:28 PM, on 4/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSVCCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Common Files\AOL\1105474597\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1105474597\ee\AOLServiceHost.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
c:\program files\common files\aol\1105474597\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1105474597\ee\AOLServiceHost.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sektvdvkmjx.com/7aMakRs4WgaWzIQP2BKeKz1fsho41Uxh5yfkO9FwgE7_aMgr7TRH3LzGDxDDsSgZ.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.giszoalfjhebhfkvrihpsmfh.uk/7aMakRs4Wgb_QFjYxBrnIy14KcPyjk3RKHh8CaxeJJE.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mcafee.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {0614881C-D3F7-A5F5-7E80-0C9821CED573} - blank (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {5DD77DBA-4E29-A1AD-28B9-177EE51B4DBF} - C:\DOCUME~1\Nancy\APPLIC~1\ANTEDRV\Curb First.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105474597\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [Bib amok hole chic] C:\Documents and Settings\All Users\Application Data\City delete bib amok\slow mapi.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\c.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [dmzun.exe] C:\WINDOWS\system32\dmzun.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] ~"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PlatformInside] C:\DOCUME~1\Nader\APPLIC~1\SITEBL~1\itch 4.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\c.bin\mwsoemon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mcafee.com
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/08094f518d51f2cfcb23/netzip/RdxIE2.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4028.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 852
O17 - HKLM\Software\..\Telephony: DomainName = 852
O17 - HKLM\System\CCS\Services\Tcpip\..\{27BBF612-C9AC-4448-9023-D5608BB2C932}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B550F53-7BA2-45A1-A6B6-28B70A4ED866}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{63A8C598-AA91-4C4A-9720-AE8AA21A8158}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{87302F10-47CD-4527-99A2-7786B45921CF}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{87C22730-E0B3-486C-A053-6D1651C7DBDE}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8323900-5B89-4866-819E-3F3E50F54CD0}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 852
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 852
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSVCCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## Cheeseball81 (Mar 3, 2004)

Hi and welcome.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download *FixWareout* from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile *C:\fixwareout\report.txt*, along with a *new Hijack This log*.


----------



## Byteman (Jan 24, 2002)

Hi. Please run this online scanner; by default it will try to disinfect anything infected, and as a second fix it will delete the infected files...you have a LOP infection and a Wareout infection, probably more.

http://www.bitdefender.com/scan8/ie.html

Just leave it all set as it comes. When the download for the control and then the updates finish, your scan will start; make sure you do the entire drive C: or My Computer....all hard drives....

It will take some time to complete. At the finish you will see a "View the Report" button; hit that, and the file will save wherever you wish (the desktop is the best place). You have to supply a name for the file, and it will be an .html (webpage) file; leave it that way....then copy and paste the contents of the lower portion, called Scanned File Results or similar, into a Reply. (You don't have to copy the entire log...just the files found and what it did with them....)

*Next: do these steps:*



Cheeseball81 said:


> You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
> 
> Please download *FixWareout* from one of these sites:
> http://downloads.subratam.org/Fixwareout.exe
> ...


Don't forget the new Hijackthis log....
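
Byteman's diagnosis above (a LOP infection plus a Wareout infection) is read off particular lines of the posted log: O2/O4 entries pointing into Application Data with word-salad names, the O15 and RunServices oddities, and O17 NameServer lines pointing at 85.255.x resolvers. As an added example that is not part of this thread or of HijackThis, the script below automates that triage over lines taken from the logs posted here; the 85.255.112.0/20 range and the naming heuristics are assumptions drawn from these logs, not vendor signatures.

```python
"""Triage a HijackThis 1.99.x log for the indicator patterns seen in this thread.

Added example: not part of the forum posts and not HijackThis code. The sample
lines are copied from the logs posted in the thread; the rogue-DNS range and
the naming heuristics are assumptions drawn from those logs, not signatures.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: lines lifted from the two logs above, plus benign lines
# so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.giszoalfjhebhfkvrihpsmfh.uk/7aMakRs4Wgb_QFjYxBrnIy14KcPyjk3RKHh8CaxeJJE.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {5DD77DBA-4E29-A1AD-28B9-177EE51B4DBF} - C:\DOCUME~1\Nancy\APPLIC~1\ANTEDRV\Curb First.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Bib amok hole chic] C:\Documents and Settings\All Users\Application Data\City delete bib amok\slow mapi.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [beepsettings] C:\DOCUME~1\TRAVIS~1\APPLIC~1\SOFTIN~1\Dead one.exe
O4 - HKLM\..\RunServices: [Windows] taskmngr.exe
O15 - Trusted Zone: *.dollarrevenue.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{27BBF612-C9AC-4448-9023-D5608BB2C932}: NameServer = 85.255.116.67,85.255.112.90
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Assumption taken from the O17 lines above: the block the rogue resolvers sit in.
ROGUE_DNS = ip_network("85.255.112.0/20")

TARGET_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
APPDATA_RE = re.compile(r"(?:APPLIC~1|Application Data)\\", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")
RUNSERVICES_RE = re.compile(r"RunServices: \[[^\]]*\] (\S+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")


def looks_random(host: str) -> bool:
    """Flag long, vowel-poor DNS labels such as 'giszoalfjhebhfkvrihpsmfh'."""
    for label in host.lower().split(".")[:-1]:  # ignore the TLD
        if len(label) >= 10 and sum(c in "aeiou" for c in label) / len(label) < 0.25:
            return True
    return False


def odd_appdata_target(line: str) -> bool:
    """Executable under Application Data whose folder or file name is made of
    space-separated words ('City delete bib amok\\slow mapi.exe')."""
    m = TARGET_RE.search(line)
    if not m or not APPDATA_RE.search(m.group(0)):
        return False
    parent_and_file = m.group(0).split("\\")[-2:]
    return any(" " in part for part in parent_and_file)


def rogue_nameserver(line: str) -> bool:
    """O17 line whose static NameServer points into the assumed rogue block."""
    m = NAMESERVER_RE.search(line)
    if not m:
        return False
    return any(ip_address(ip) in ROGUE_DNS for ip in m.group(1).split(",") if ip)


def bare_runservices(line: str) -> bool:
    """RunServices entry that names a bare file with no path ('taskmngr.exe')."""
    m = RUNSERVICES_RE.search(line)
    return bool(m) and ":\\" not in m.group(1)


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (category, line) pairs for every log line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]  # HJT section tag: R0, O2, O4, O17, ...
        if kind in ("R0", "R1", "R3"):
            if any(looks_random(h) for h in URL_HOST_RE.findall(line)):
                findings.append(("hijacked-startpage", line))
        elif kind in ("O2", "O4") and odd_appdata_target(line):
            findings.append(("lop-style-autostart", line))
        elif kind == "O4" and bare_runservices(line):
            findings.append(("runservices-no-path", line))
        elif kind == "O15":
            findings.append(("trusted-zone-addition", line))
        elif kind == "O17" and rogue_nameserver(line):
            findings.append(("rogue-dns", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"[{category}] {line}")
```

Every hit is a line to review, not an automatic delete: the heuristics are tuned to the naming and DNS patterns visible in this thread and will need adjusting for other logs.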


----------



## tclark118 (Sep 13, 2006)

My computer appears to be infected with the Swizzor-Gen trojan. I have read some on this and already downloaded and used *HijackThis* software and *FixWareOut*. It keeps wanting to download "*Win32:Swizzor-gen [Trj]*" from the location *http://bins.dns-look-up.com/bins/int/upAYB.int*.

Although my current AV program, Avast, catches it and stops it, it keeps going back to try over and over again. So... using the computer for gaming, etc., is met with regular interruptions.

What does this trojan do, why does my computer keep trying to download it, and is it a mutated form of the old Swizzor-Gen from 2004?

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:46:05 AM, on 1/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Azureus\Azureus.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe
C:\Documents and Settings\Travis Clark\Desktop\Virus Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\RunServices: [Windows] taskmngr.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [beepsettings] C:\DOCUME~1\TRAVIS~1\APPLIC~1\SOFTIN~1\Dead one.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: Diskeeper 10 Professional Edition Registration.lnk = C:\Program Files\Diskeeper Corporation\Diskeeper\ESIRegister.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.dollarrevenue.com
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/scrabblecubes/scrabblecubes.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160182037583
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160182312840
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v45/sol/sol.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Please assist me as soon as is humanly possible.


----------



## bocon (Jan 20, 2007)

I have the same problem. My AVG keeps catching the trojan, but I would like some advice to stop it for good.

Also, what does it do? What's it after? Is it a key logger?

Any information gratefully received.
Thanks


----------



## bocon (Jan 20, 2007)

tclark118, I came across this info on the Swizzor trojan. Looks like it's tied into the gaming industry; I have been getting some of the pop-ups mentioned in this list.

Visible Symptoms
A system compromised by this Trojan may have icons created on the desktop that point to Internet websites. The Trojan creates these link files -

Bingo .lnk
Card Games.lnk
Casino Online.lnk
Internet .lnk
Poker .lnk
Printer Cartridges.lnk
Travel .lnk
Website Hosting.lnk

Each link directs the browser either to "search200.com" or other gambling web sites.

Additionally, the Trojan creates at least 148 "favorite" URL links in the browser and stores them as these names, creating groups in the process -

Antivirus.url
Casino Online.url
Computers.url
Games.url
Instant Messaging.url
Internet.url
Movie.url
Web Hosting.url
Computers\Antivirus.url
Computers\Communication Technology.url
Computers\Computer Jobs .url
Computers\Computer Programming.url
Computers\Domain Hosting.url
Computers\Dvd.url
Computers\Hosting.url
Computers\Inkjet Cartridge.url
Computers\Instant Messenger.url
Computers\Internet.url
Computers\Working From Home.url
Computers\Games\Computer game.url
Computers\Games\Gamecube.url
Computers\Games\Microsoft.url
Computers\Games\Playstation.url
Computers\Games\Quake.url
Computers\Games\Sega Dreamcast.url
Computers\Games\Xbox.url
Cool Stuff\Dating.url
Cool Stuff\Descrambler.url
Cool Stuff\Dvd To Cd.url
Cool Stuff\Mp3.url
Cool Stuff\Online Pharmacy.url
Cool Stuff\Pass Drug Test.url
Cool Stuff\Printer Cartridge.url
Cool Stuff\Satellite Television.url
Cool Stuff\Scratch Card.url
Cool Stuff\Video Surveillance.url
Dating\Christian dating.url
Dating\Dating Agency.url
Dating\Dating Service.url
Dating\Internet Dating.url
Dating\Jewish Dating.url
Dating\Online Dating.url
Home\Adjustable Bed.url
Home\Food Nutrition.url
Home\Health Plan.url
Home\Home Equity Loan.url
Home\Home Improvements.url
Home\Home Refinancing.url
Home\Home Security.url
Home\Interior Decorating .url
Home\Office Space.url
Home\Outdoor Cooking.url
Home\Outdoor Furniture.url
Home\Phone System.url
Home\Satellite Television.url
Home\Sleep Aids.url
Home\Timeshare.url
Home\Working From Home.url
Internet\Domain Registrations.url
Internet\Firewall.url
Internet\Flowers.url
Internet\Free Long Distance.url
Internet\Hosting.url
Internet\Internet Business.url
Internet\Investing Money.url
Internet\Jokes.url
Internet\Newsgroup.url
Internet\Online Football Games.url
Internet\Online Gaming.url
Internet\Spyware.url
Internet\Starting A Business.url
Internet\Web Marketing.url
Internet\Education\Adult Education.url
Internet\Education\Book.url
Internet\Education\College.url
Internet\Education\Community.url
Internet\Education\Education.url
Internet\Education\Essay.url
Internet\Education\School.url
Online Gaming\Bingo.url
Online Gaming\Black Jack Poker.url
Online Gaming\Casino Online.url
Online Gaming\Craps.url
Online Gaming\Gamble.url
Online Gaming\Jackpot.url
Online Gaming\Roulette Gambling.url
Online Gaming\Slots.url
Online Gaming\Sport Betting.url
Online Gaming\Sport Book.url
Online Gaming\Time Cards.url
Online Pharmacy\Buy Adipex.url
Online Pharmacy\Buy Celebrex.url
Online Pharmacy\Buy Fidrex.url
Online Pharmacy\Buy Ionamin.url
Online Pharmacy\Buy Meridia .url
Online Pharmacy\Buy Phentermine.url
Online Pharmacy\Buy Propecia.url
Online Pharmacy\Buy Soma.url
Online Pharmacy\Buy Tenuate.url
Online Pharmacy\Buy Ultram Online.url
Online Pharmacy\Buy Viagra.url
Online Pharmacy\Buy Xenical.url
Online Pharmacy\Consumer Consulting.url
Online Pharmacy\Doctor.url
Online Pharmacy\Mexican Pharmacy.url
Online Pharmacy\Pass Drug Test.url
Online Pharmacy\Pet Med.url
Online Pharmacy\Pharmacy Online.url
Shopping Gifts\Birthday Gift.url
Shopping Gifts\Cellular.url
Shopping Gifts\Christmas Gift.url
Shopping Gifts\Corporate Gift.url
Shopping Gifts\Digital Cameras.url
Shopping Gifts\Dress Fashion.url
Shopping Gifts\DVD Players.url
Shopping Gifts\Gift Basket.url
Shopping Gifts\Jewelry.url
Shopping Gifts\Leather Jackets.url
Shopping Gifts\Perfume.url
Shopping Gifts\Sexy Lingerie.url
Shopping Gifts\Shoes.url
Shopping Gifts\Smoke Shop.url
Shopping Gifts\Underwear.url
Shopping Gifts\Video Surveillance.url
Shopping Gifts\Watches.url
Shopping Gifts\Wedding Gifts.url
Shopping Gifts\Wine Gifts.url
Shopping Gifts\Womens Clothing.url
Travel\Air Travel.url
Travel\Cancun vacation.url
Travel\Car Rental.url
Travel\Cruises.url
Travel\Discount Travel.url
Travel\Europe Travel.url
Travel\Family Vacation.url
Travel\Hawaii Travel.url
Travel\Hotels.url
Travel\Las Vegas Hotel.url
Travel\London Hotel.url
Travel\New York.url
Travel\Orlando Hotel.url
Travel\Resort.url
Travel\Skiing.url
Travel\Timeshare.url
Travel\Travel Agent.url
Travel\Travel Insurance.url
Travel\Vacation.url
Travel\World Travel.url

Threat Analysis
This Trojan is 32-bit with a UPX-packed file size of 292,695 bytes. If the Trojan is run, it will initiate a hidden Internet Explorer process and inject its code into the running process. The Trojan will retrieve binary files from hard-coded websites.


File Download Routine
The Trojan downloads other UPX-packed files from domains that fall in the "lop.com" domain. This Trojan will get the files from

%random%.bins.lop.com/bins/int/

Where %random% is a random string. The Trojan performs a DNS query against the name which resolves to the IP address 66.220.17.158. TCP trace utilities indicate the Trojan makes connections with other similar IP addresses -

66.220.17.154
66.220.17.158
66.220.17.169

The downloaded files are in the form of binary files with ".int" extension, such as -

upAYB.int
dkgen_up.int
tp_map6.int
updbho2.int
upd_admn.int
kr2.int

The downloaded files are written to newly created folders on the system. The Trojan may create strangely named folders such as these -

C:\..\All Users\Application Data\admin title delete defy\
C:\..\%user name%\Application Data\JUMP ROAD NOUN\

In these folders, the Trojan will copy the downloaded files as .EXE files. The names of the files are also strange, such as these -

Close amen remote more.exe
GRIM THE SURF.exe
hope drv readme.exe
Owns This Vc.exe
sjypglqj.exe
Drive bin.exe

Many of the downloaded files are spyware/adware programs.


Loading at Windows startup
The Trojan may register some of the retrieved files to load at Windows startup by adding entries into the registry such as these examples -

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
"thunkburn" = %path%\Owns This Vc.exe

HKEY_CLASSES_ROOT\CLSID\{%unique CLSID%}
"64535DBE" = 2C0411726CB7B446F792

HKEY_CLASSES_ROOT\CLSID\{%unique CLSID%}\InprocServer32\
"(Default)" = %path%\Drive bin.exe
"ThreadingModel" = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"DeleteDefySendRoad" = %path%\Thunkfilm.exe

In one "nice" aspect, at least one of the downloaded files has an uninstall routine which can be accessed by the "Add/Remove Software" applet from the control panel -

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Uninstall\64 slow user\
"DisplayName" = Search Plugin
"UninstallString" = %path%\Owns This Vc.exe -uninstall


Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option


----------
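The download routine above gives three usable network indicators: a host under bins.lop.com with a random leading label, a fetch path of /bins/int/ ending in ".int", and the three 66.220.17.x addresses. The following is an added example of matching those indicators over log lines, written for this page rather than taken from the write-up or from any vendor tool. The log format (a timestamp followed by key=value fields) and the sample lines are constructed for the example; the hosts, paths and addresses in them come from the write-up.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators taken from the write-up above: the download host pattern
# (%random%.bins.lop.com), the fetch path, the ".int" payload extension and
# the three addresses the Trojan was seen connecting to.  The leading label
# is random, so the host is matched on its suffix rather than exactly.
LOP_DOMAIN = "bins.lop.com"
LOP_PATH_PREFIX = "/bins/int/"
LOP_PAYLOAD_EXT = ".int"
LOP_IPS = {ipaddress.ip_address(a)
           for a in ("66.220.17.154", "66.220.17.158", "66.220.17.169")}

# Constructed sample lines (an assumed key=value format, not a real device
# format): one DNS answer or one HTTP request per line.  The benign
# example.com lines are there so the matcher has something to ignore.
SAMPLE_LOG = """\
2006-04-12 22:41:07 type=dns client=192.168.1.20 qname=xk3f9q.bins.lop.com answer=66.220.17.158
2006-04-12 22:41:08 type=http client=192.168.1.20 url=http://xk3f9q.bins.lop.com/bins/int/upAYB.int status=200
2006-04-12 22:41:09 type=dns client=192.168.1.21 qname=www.example.com answer=198.51.100.7
2006-04-12 22:41:10 type=http client=192.168.1.21 url=http://www.example.com/index.html status=200
2006-04-12 22:41:12 type=http client=192.168.1.22 url=http://66.220.17.169/bins/int/kr2.int status=200
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one sample line into (timestamp, {field: value})."""
    return line[:19], dict(KV_RE.findall(line[20:]))


def host_matches(host):
    """True for bins.lop.com itself or any label under it, case-insensitive."""
    host = host.lower().rstrip(".")
    return host == LOP_DOMAIN or host.endswith("." + LOP_DOMAIN)


def ip_matches(addr):
    """True if addr is one of the three known Lop addresses."""
    try:
        return ipaddress.ip_address(addr) in LOP_IPS
    except ValueError:          # hostnames and empty strings are not addresses
        return False


def url_reasons(url):
    """List the ways a fetched URL matches the Lop download routine."""
    p = urlparse(url)
    host = p.hostname or ""
    reasons = []
    if host_matches(host):
        reasons.append("host under " + LOP_DOMAIN)
    if ip_matches(host):        # fetch by bare address, no DNS query to see
        reasons.append("known Lop address")
    if p.path.startswith(LOP_PATH_PREFIX):
        reasons.append("fetch path " + LOP_PATH_PREFIX)
    if p.path.lower().endswith(LOP_PAYLOAD_EXT):
        reasons.append(LOP_PAYLOAD_EXT + " payload")
    return reasons


def scan(log_text):
    """Return [(client, timestamp, reasons)] for every line that matches."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        reasons = []
        if f.get("type") == "dns":
            if host_matches(f.get("qname", "")):
                reasons.append("DNS query for host under " + LOP_DOMAIN)
            if ip_matches(f.get("answer", "")):
                reasons.append("resolved to known Lop address")
        elif f.get("type") == "http":
            reasons = url_reasons(f.get("url", ""))
        if reasons:
            hits.append((f.get("client"), ts, reasons))
    return hits


if __name__ == "__main__":
    for client, ts, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {client}: {'; '.join(reasons)}")
```

The third hit shows why the address list matters: a fetch straight to 66.220.17.169 never produces a DNS query, so a host-only rule would miss it, while the path and extension checks still fire.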



## Byteman (Jan 24, 2002)

Hi. This malware is more commonly known as the Lop malware; it comes these days as part of MessengerPlus!3 and is called the Sponsor software, or similar, and the user who is just installing MSgr+3 can opt out of installing this Lop/sponsor program.

You can also have Lop installed by these:

Download Plugin for Internet Explorer

Netpumper, Bitroll and Bitgrabber

Look in Add/Remove Programs for any of the above, and also, these:

"Zone Media" or "CiD Help" or "CiD Manager"
*The uninstall usually removes Lop very well, but if you still get popups, post in the forum and someone will help you...*

That is not to say you could not have picked it up someplace else, just that installing MessengerPlus!3 is well known for producing Lop popups while the Internet is being used. That's what the .URL's and .LNK's you see do.

It's pretty easy to remove, would anyone like a hand with it?

The "Fix Wareout" tool you saw that a couple of us referred to in an old thread is not for Lop infection; it's used for a separate infection called Wareout. If you look back at Cheeseball81's replies, you will see the Wareout infection, which has things like this below:

O17 - HKLM\System\CCS\Services\Tcpip\..\{27BBF612-C9AC-4448-9023-D5608BB2C932}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B550F53-7BA2-45A1-A6B6-28B70A4ED866}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{63A8C598-AA91-4C4A-9720-AE8AA21A8158}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{87302F10-47CD-4527-99A2-7786B45921CF}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{87C22730-E0B3-486C-A053-6D1651C7DBDE}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8323900-5B89-4866-819E-3F3E50F54CD0}: NameServer = 85.255.116.67,85.255.112.90

Those are entries in Hijackthis logs, normally seen with a *Wareout* infection, not with Lop. You could have both at the same time and many, many more... it's best to just post your Hijackthis log and let someone qualified help you. Be patient, there are not a lot of us and we are overbooked....

Most often, we are posting steps that are dealing with multiple malwares in any given thread, so you should definitely not use someone else's instructions as help for yourself, unless you are well educated in malware removal, and you definitely should not attempt to use Hijackthis or other special tools you see given for other people's infections, as there are some that can affect your computer if not used correctly, and some that are specific to win9x and not for winXP. You also should not reopen a very old thread like this; it has not been used since April 06, and things change. We update fixes all the time, so very old help like this may not stand for today's malware.

TSG has qualifications you must meet to be a security responder and to work with Hijackthis or other special malware tools in these forums.

In this case I can see you are not advising anything wrong, just posting about this specific trojan, and what you have found, and I see that one guy has 5 posts, and one 2, so apparently you were not aware of or have not read our Rules, they are located here:

*http://www.techguy.org/rules.html* Top of every page.

Now, we also have a rule: one customer per malware removal. It gets too complicated for everyone trying to work with more than one poster (the person who posts their log and asks for help).

One person, one type of problem: trojans, spyware, virus, adware, hijacks, popups, etc. are all in the Security forum category. Anyone needing help with Lop or anything else of this nature, or help using programs that remove malware, please start your own new thread and ask away. I am closing this thread.

Post a new Hijackthis log in your thread in Security forum please.


----------
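The write-up earlier in the thread describes Lop's host artifacts (Run values and a CLSID InprocServer32 pointing at .exe files inside oddly named Application Data folders), and Byteman's reply shows the O17 NameServer lines that mark a Wareout hijack instead. The following is an added example, written for this page and not part of any post or of HijackThis itself, that applies both heuristics to HijackThis-style O2, O4 and O17 lines. The sample lines are constructed from the paths, value names and resolver addresses quoted in this thread (the placeholder CLSIDs, the "Example Helper" DLL and the 192.168.1.1 resolver are made up for the example); the expected-resolver set is an assumption and should be replaced with what the machine's DHCP server or ISP actually hands out.

```python
import re

# Sample HijackThis-style lines constructed for this example from the paths,
# value names and resolver addresses quoted in this thread; they are not a
# real log.  The benign lines (avast, a placeholder DLL BHO, a LAN resolver)
# are there so the heuristics have something to ignore.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Documents and Settings\All Users\Application Data\admin title delete defy\Drive bin.exe
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DeleteDefySendRoad] C:\Documents and Settings\All Users\Application Data\admin title delete defy\Thunkfilm.exe
O4 - HKCU\..\Run: [thunkburn] C:\Documents and Settings\user\Application Data\JUMP ROAD NOUN\Owns This Vc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{27BBF612-C9AC-4448-9023-D5608BB2C932}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B550F53-7BA2-45A1-A6B6-28B70A4ED866}: NameServer = 192.168.1.1
"""

# Line shapes as HijackThis 1.99 prints them for BHOs, Run values and
# per-interface NameServer settings.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")
APPDATA_RE = re.compile(r"\\Application Data\\(?P<folder>[^\\]+)\\(?P<file>[^\\]+)$", re.I)

# Resolvers this machine is expected to use.  An assumption for the example
# (a LAN router); use what your DHCP server or ISP actually hands out.
EXPECTED_RESOLVERS = {"192.168.1.1"}


def lop_style_path(path):
    """Heuristic from the write-up: an .exe sitting directly in an
    'Application Data' folder whose name is two or more plain words
    ("admin title delete defy", "JUMP ROAD NOUN")."""
    m = APPDATA_RE.search(path)
    if not m or not m.group("file").lower().endswith(".exe"):
        return False
    words = m.group("folder").split()
    return len(words) >= 2 and all(w.isalpha() for w in words)


def triage(log_text):
    """Return [(section, subject, reason)] for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            if lop_style_path(m.group("path")):
                findings.append(("O4", m.group("value"),
                                 "Run value launches an .exe from a multi-word Application Data folder"))
        elif m := O2_RE.match(line):
            path = m.group("path")
            # An in-process server should be a DLL; the write-up shows Lop
            # registering "Drive bin.exe" as a CLSID's InprocServer32.
            if path.lower().endswith(".exe"):
                findings.append(("O2", m.group("clsid"),
                                 "BHO InprocServer32 points at an .exe rather than a DLL"))
            elif lop_style_path(path):
                findings.append(("O2", m.group("clsid"),
                                 "BHO loaded from a multi-word Application Data folder"))
        elif m := O17_RE.match(line):
            unexpected = [s for s in m.group("servers").split(",")
                          if s not in EXPECTED_RESOLVERS]
            if unexpected:
                findings.append(("O17", ",".join(unexpected),
                                 "NameServer outside the expected resolver set (Wareout-style hijack)"))
    return findings


if __name__ == "__main__":
    for section, subject, reason in triage(SAMPLE_HJT):
        print(f"{section:4} {subject}: {reason}")
```

The folder-name heuristic is deliberately narrow: it only fires on an .exe directly under a multi-word Application Data folder, so ordinary vendor folders with single-word names do not trip it, and it is a prompt for a human to look, not a removal decision.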

