Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 06-04-2007, 12:44 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 16
OS: winxp


Hijack this log help!

Hi I ran hijack this on my computer and have browsed some of the other posts on this forum and used some advice to remove some harmful things from my pc. I was just wondering if someone could look over my log file and see if there is anything else I can do. It has been extremely slow over the past while.


Logfile of HijackThis v1.99.1
Scan saved at 12:41:08 AM, on 04/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ZILLAbar Browser Helper Object - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB(VGA) Camera
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGhlIEJlbm9pdA\command.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
convict11 is offline  
Old 06-06-2007, 01:00 PM   #2 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 16
OS: winxp


Re: Hijack this log help!

/bump
convict11 is offline  
Old 06-08-2007, 08:48 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 16
OS: winxp


Re: Hijack this log help!

Did I do something wrong?
convict11 is offline  
Old 06-08-2007, 10:08 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,895
OS: WinXP and Vista


Re: Hijack this log help!

Hello convict11,

No, you've done nothing wrong--we're simply swamped here with logs and there are only so many of us. For future reference, please note our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log

Let's get started...

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Double click on combofix.exe & follow the prompts. When finished, it shall produce a log for you which I will need in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Panda results
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-09-2007, 03:55 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 16
OS: winxp


Re: Hijack this log help!

Alright here are the requested logs.

ComboFix 07-06-09.4 - C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Desktop\ComboFix.exe
"The Benoit" - 2007-06-09 14:32:33 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\asks~1
C:\Program Files\Common Files\{104D1~1
C:\Program Files\Common Files\{104D1~2
C:\Program Files\Common Files\{304D1~1
C:\Program Files\Common Files\{304D1~1\toolbardll.lzma
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\dobe~2
C:\Program Files\Common Files\Uninstall Information
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\ymante~1
C:\Program Files\icroso~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\pedevice
C:\Program Files\pedevice\communication.xml
C:\Program Files\pedevice\Domain.Watchlist.txt
C:\Program Files\pedevice\Downloader.exe
C:\Program Files\pedevice\pae-options.xml
C:\Program Files\pedevice\pae_url.xml
C:\Program Files\pedevice\pedevPS.dll
C:\Program Files\pedevice\Preparation.dll
C:\Program Files\pedevice\search.watchlist.txt
C:\Program Files\pedevice\statistic.xml
C:\Program Files\pedevice\tmp\tmp.html
C:\Program Files\pedevice\watchlist.xml
C:\Program Files\ppatch~1
C:\Program Files\scurit~1
C:\Program Files\sks~1
C:\Program Files\smante~1
C:\Program Files\sstem~1
C:\Program Files\ymbols~1
C:\Program Files\ystem~1
C:\WINDOWS\asks~1
C:\WINDOWS\crosof~1.net
C:\WINDOWS\icroso~1
C:\WINDOWS\sks~1
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\asks~1
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\mzzsifjw\winlogon.ini
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\wnsxs~1


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-09 14:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-03 14:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-03 14:05 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-03 14:01 <DIR> d-------- C:\Program Files\CCleaner
2007-06-03 13:56 <DIR> d-------- C:\Program Files\STOPzilla!
2007-06-03 13:56 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-06-03 13:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-06-03 04:21 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-02 21:43 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-02 20:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-02 20:34 <DIR> d-------- C:\DOCUME~1\THEBEN~1.THE\APPLIC~1\Lavasoft
2007-06-02 20:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-02 20:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-02 20:18 1,572,864 --ah----- C:\DOCUME~1\THEBEN~1.THE\NTUSER.DAT
2007-05-25 18:18 200,704 -ra------ C:\WINDOWS\system32\SZBase5.dll
2007-05-25 18:15 294,912 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2007-05-25 18:15 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2007-05-25 18:14 69,632 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2007-05-25 18:14 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2007-05-25 18:13 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2007-05-25 18:13 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2007-05-25 18:13 184,320 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2007-05-25 18:12 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2007-05-25 18:12 626,688 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2007-05-14 16:43 <DIR> d-------- C:\Program Files\psdriver
2007-05-11 06:38 <DIR> d-------- C:\c1ac98294bbd6e86f8bb


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 20:35:18 -------- d-----w C:\Program Files\McAfee.com
2007-06-03 11:15:54 -------- d-----w C:\Program Files\QuickTime
2007-06-03 11:11:04 -------- d-----w C:\Program Files\FinePixViewer
2007-06-03 10:16:39 -------- d-----w C:\Program Files\pasystem
2007-06-03 03:05:36 -------- d-----w C:\Program Files\MyWay
2007-06-03 02:22:14 -------- d-----w C:\Program Files\Lx_cats
2007-05-14 21:05:02 -------- d-----w C:\Program Files\Lexmark 730 Series
2007-05-11 02:44:50 -------- d-----w C:\Program Files\Common Files\SystemDoctor
2007-05-05 19:27:57 -------- d-----w C:\Program Files\Ares
2007-04-29 19:49:31 -------- d-----w C:\Program Files\Ares Lite Edition
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-09 18:17:42 -------- d-----w C:\Program Files\AdSponsorCL
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{1827766B-9F49-4854-8034-F6EE26FCB1EC}=C:\Program Files\STOPzilla!\SZSG.dll [2007-05-25 18:26]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{E3215F20-3212-11D6-9F8B-00D0B743919D}=C:\Program Files\STOPzilla!\SZIEBHO.dll [2007-05-25 18:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-03-07 15:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 06:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:07]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=c:\progra~1\mozill~1\plugins\GetFlash.exe -p

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 08:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoobAim]
C:\DOCUME~1\THEBEN~1\APPLIC~1\BEEPLO~1\pop bib bleh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CampSeekKnobTime]
C:\Documents and Settings\All Users\Application Data\SLOW PLAN CAMP SEEK\style bows.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
"C:\Program Files\Common Files\CMEII\CMESys.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Manager]
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Monitor]
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
"C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-05 00:00:01 C:\WINDOWS\tasks\AC3ADC21918953E5.job
2007-05-02 13:17:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-09 20:10:34 C:\WINDOWS\tasks\McAfee.com Update Check (THE-60D5E2B2614-The Benoit).job
2007-06-04 23:22:26 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 14:41:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-09 14:50:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 14:49

--- E O F ---





And here is the Panda Active scan



Incident Status Location

Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Adware:adware/instafinder Not disinfected Windows Registry
Adware:Adware/Lop Not disinfected C:\Documents and Settings\LocalService\Application Data\beep logo send\pop bib bleh.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\bhegocei.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\gnabkkfg.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\gnwmwfcl.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\gramlovestartblah.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\kbsgezbo.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\lpgxmstv.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\mchvcrtq.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\mttzhnzv.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\munnoklk.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\mwoxczab.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\nakywcia.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\pbwewnht.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\phetkbla.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\qjywjsun.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\xppvmbot.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\xvsrplle.exe
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\0qv82kr6.Default Userhjjdkl\cookies.txt[www48.seeq.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\das922er.ffffff\cookies.txt[.go.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\ojgmlc9n.dfgghhsert\cookies-1.txt[.did-it.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\ojgmlc9n.dfgghhsert\cookies-1.txt[.atwola.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\ojgmlc9n.dfgghhsert\cookies-2.txt[.systemdoctor.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\ojgmlc9n.dfgghhsert\cookies-2.txt[.bravenet.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\ojgmlc9n.dfgghhsert\cookies-3.txt[.did-it.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\ojgmlc9n.dfgghhsert\cookies-3.txt[.atwola.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\ojgmlc9n.dfgghhsert\cookies-4.txt[.did-it.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\ojgmlc9n.dfgghhsert\cookies-4.txt[.atwola.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\ojgmlc9n.dfgghhsert\cookies-5.txt[.systemdoctor.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\ojgmlc9n.dfgghhsert\cookies-5.txt[.apmebf.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\uc740se3.default\cookies.txt[.adultfriendfinder.com/]
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Local Settings\Temp\c2983293.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Local Settings\Temp\c2c501f5.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Local Settings\Temp\c301f2ca.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Local Settings\Temp\c35d54d4.exe
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\The Benoit\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Desktop\ComboFix.exe[nircmd.exe]
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinUninstaller.exe.vir
Adware:Adware/DelFinMedia Not disinfected C:\QooBox\Quarantine\C\Program Files\PeDevice\Preparation.dll.vir
Adware:Adware/DeluxeComunications Not disinfected C:\QooBox\Quarantine\catchme2007-06-09_144128.79.zip[core.sys]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
convict11 is offline  
Old 06-09-2007, 08:32 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,895
OS: WinXP and Vista


Re: Hijack this log help!

Hiya,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Altnet
MyWay
MessengerPlus! 3 <-- This program is known to install the LOP infection which is one of the many infections you have on your system. If the program is a must have, reinstall it and decline when asked to install the sponsor's software.

--------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\tasks\AC3ADC21918953E5.job
c:\windows\smdat32m.sys
C:\Documents and Settings\The Benoit\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

Folder::
C:\Program Files\MyWay
c:\program files\altnet
C:\Documents and Settings\LocalService\Application Data\beep logo send
C:\Documents and Settings\All Users\Application Data\SLOW PLAN CAMP SEEK
C:\Program Files\Common Files\CMEII
C:\Program Files\MessengerPlus! 3
C:\WINDOWS\system32\P2P Networking

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoobAim]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CampSeekKnobTime]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
Save this as ComboFix-Do.txt, in the same location as ComboFix.exe




Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe

Follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

I realize that online scans are time consuming, but due to the amount of infections you had on this system I'd like to use a different online scanner in this round and see if it detects any further.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
------------------------------------------------------------------

Download fl.zip
  • Extract the contents of the fl.zip to a new folder on Desktop.
  • Within the folder, locate & double-click fl.bat.
  • It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply
------------------------------------------------------------------

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
The list will automatically be saved in your HijackThis folder.

Please copy and paste the uninstall_list.txt here.

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
c:\findlop.txt
uninstall_list.txt


How is your system behaving now?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
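Ried's reply turns the Panda results from the previous post into a ComboFix script with File::, Folder:: and Registry:: sections, and the Registry:: lines are exactly the msconfig `startupreg` keys from the ComboFix log whose commands launch something being removed. As an added example (my own code, not from the thread, from Panda or from ComboFix), the Python below does that mapping mechanically so the result can be reviewed before anyone runs it: it parses the `Category:Name Status Location` report lines, drops the hits the analyst evidently treated as not actionable (tracking cookies, registry-only detections, items ComboFix had already quarantined under QooBox, and ComboFix's own bundled nircmd.exe), decides file versus folder from the extension, collapses a directory that holds several hits into one Folder:: entry, and emits `[-key]` lines for startupreg entries whose executable is in the removal set, matched by file name so 8.3 short paths like `BEEPLO~1` still line up. The sample inputs are constructed subsets of the posted Panda and ComboFix output (one Firefox profile name shortened), `extra_folders` stands in for programs removed via Add/Remove, and every filtering rule is an assumption of this example, not ComboFix behaviour.

```python
"""Turn scanner findings into a reviewable ComboFix-style removal script.

Added example, not code from the thread, from Panda or from ComboFix. The
File::/Folder::/Registry:: layout follows the script posted in this thread;
samples are constructed and every filtering rule is this example's own.
"""
import ntpath
import re
from collections import defaultdict

# Constructed subset of the Panda ActiveScan report (one profile dir shortened).
PANDA_SAMPLE = r"""
Incident Status Location
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Adware:adware/instafinder Not disinfected Windows Registry
Adware:Adware/Lop Not disinfected C:\Documents and Settings\LocalService\Application Data\beep logo send\pop bib bleh.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\bhegocei.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\gnabkkfg.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\The Benoit\Application Data\beep logo send\gnwmwfcl.exe
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\The Benoit\Application Data\Mozilla\Firefox\Profiles\x.default\cookies.txt[www48.seeq.com/]
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinUninstaller.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
"""

# Constructed subset of ComboFix's msconfig 'startupreg' listing.
STARTUPREG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoobAim]
C:\DOCUME~1\THEBEN~1\APPLIC~1\BEEPLO~1\pop bib bleh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

PANDA_RE = re.compile(r"^(?P<category>[^:]+):(?P<name>\S+) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]*\\startupreg\\[^\]]+)\]$", re.IGNORECASE)
EXE_RE = re.compile(r'^"?(?P<exe>[a-z]:\\.+?\.exe)', re.IGNORECASE)   # exe part of a command line


def parse_panda(text):
    """One dict per 'Category:Name Status Location' line; the header has no colon."""
    return [m.groupdict() for m in (PANDA_RE.match(l.strip()) for l in text.splitlines()) if m]


def is_actionable(row):
    """Assumed analyst rules: skip cookies, registry-only hits, already-quarantined
    items under QooBox, and ComboFix's own bundled nircmd helper."""
    name, loc = row["name"].lower(), row["location"].lower()
    if name.startswith("cookie/") or name.startswith("application/nircmd"):
        return False
    if loc == "windows registry" or loc.startswith(r"c:\qoobox\quarantine"):
        return False
    return row["status"] == "Not disinfected"


def parse_startupreg(text):
    """Pair each startupreg key with the executable its command line launches."""
    entries, key = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
        elif key is not None:
            em = EXE_RE.match(line)
            entries.append((key, em["exe"] if em else line))
            key = None
    return entries


def plan_cleanup(panda_text, startupreg_text, extra_folders=(), collapse_at=3):
    """Build File::/Folder:: entries from the scan and Registry:: entries for the
    startupreg keys that launch something in the removal set."""
    files, folders, by_dir = [], [], defaultdict(list)
    for row in filter(is_actionable, parse_panda(panda_text)):
        loc = row["location"]
        if ntpath.splitext(loc)[1]:            # heuristic: extension => file
            by_dir[ntpath.dirname(loc)].append(loc)
        else:
            folders.append(loc)
    basenames = set()
    for directory, paths in by_dir.items():
        basenames.update(ntpath.basename(p).lower() for p in paths)
        if len(paths) >= collapse_at:          # a directory full of hits goes whole
            folders.append(directory)
        else:
            files.extend(paths)
    prefixes = [f.lower().rstrip("\\") + "\\" for f in folders + list(extra_folders)]
    registry = []
    for key, exe in parse_startupreg(startupreg_text):
        exe = exe.lower()
        if ntpath.basename(exe) in basenames or any(exe.startswith(p) for p in prefixes):
            registry.append(f"[-{key}]")
    return {"files": files, "folders": folders, "registry": registry}


def render_script(plan):
    """Lay the plan out in the File::/Folder::/Registry:: script format."""
    out = []
    for header, items in (("File::", plan["files"]), ("Folder::", plan["folders"]),
                          ("Registry::", plan["registry"])):
        if items:
            out += [header, *items, ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_script(plan_cleanup(PANDA_SAMPLE, STARTUPREG_SAMPLE,
                                     extra_folders=[r"c:\program files\altnet"])))
```

On the sample this yields two File:: lines (smdat32m.sys and the lone LocalService Lop executable), two Folder:: lines (MyWay and the user-profile "beep logo send" directory that held three hits) and two Registry:: deletions (AltnetPointsManager via the extra folder, BoobAim via the file-name match), while the Symantec ccApp key is left alone. The output is a draft for a human to read against the original logs, which is what the helper in this thread did by hand.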
Old 06-10-2007, 02:50 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 16
OS: winxp


Re: Hijack this log help!

Alright here are all the logs


ComboFix 07-06-09.4 - C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Desktop\ComboFix.exe
"The Benoit" - 2007-06-10 13:22:18 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Application Data\SLOW PLAN CAMP SEEK
C:\Documents and Settings\LocalService\Application Data\beep logo send
C:\Documents and Settings\LocalService\Application Data\beep logo send\pop bib bleh.exe
C:\Documents and Settings\The Benoit\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
C:\Program Files\MyWay
c:\windows\smdat32m.sys
C:\WINDOWS\tasks\AC3ADC21918953E5.job


((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))


2007-06-09 14:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-03 14:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-03 14:05 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-03 14:01 <DIR> d-------- C:\Program Files\CCleaner
2007-06-03 13:56 <DIR> d-------- C:\Program Files\STOPzilla!
2007-06-03 13:56 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-06-03 13:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-06-03 04:21 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-02 21:43 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-02 20:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-02 20:34 <DIR> d-------- C:\DOCUME~1\THEBEN~1.THE\APPLIC~1\Lavasoft
2007-06-02 20:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-02 20:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-02 20:18 1,572,864 --ah----- C:\DOCUME~1\THEBEN~1.THE\NTUSER.DAT
2007-05-25 18:18 200,704 -ra------ C:\WINDOWS\system32\SZBase5.dll
2007-05-25 18:15 294,912 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2007-05-25 18:15 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2007-05-25 18:14 69,632 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2007-05-25 18:14 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2007-05-25 18:13 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2007-05-25 18:13 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2007-05-25 18:13 184,320 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2007-05-25 18:12 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2007-05-25 18:12 626,688 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2007-05-14 16:43 <DIR> d-------- C:\Program Files\psdriver
2007-05-11 06:38 <DIR> d-------- C:\c1ac98294bbd6e86f8bb


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 21:37:31 -------- d-----w C:\Program Files\QuickTime
2007-06-09 21:32:27 -------- d-----w C:\Program Files\FinePixViewer
2007-06-03 20:35:18 -------- d-----w C:\Program Files\McAfee.com
2007-06-03 10:16:39 -------- d-----w C:\Program Files\pasystem
2007-06-03 02:22:14 -------- d-----w C:\Program Files\Lx_cats
2007-05-14 21:05:02 -------- d-----w C:\Program Files\Lexmark 730 Series
2007-05-11 02:44:50 -------- d-----w C:\Program Files\Common Files\SystemDoctor
2007-05-05 19:27:57 -------- d-----w C:\Program Files\Ares
2007-04-29 19:49:31 -------- d-----w C:\Program Files\Ares Lite Edition
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{1827766B-9F49-4854-8034-F6EE26FCB1EC}=C:\Program Files\STOPzilla!\SZSG.dll [2007-05-25 18:26]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{E3215F20-3212-11D6-9F8B-00D0B743919D}=C:\Program Files\STOPzilla!\SZIEBHO.dll [2007-05-25 18:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-03-07 15:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 06:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:07]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=c:\progra~1\mozill~1\plugins\GetFlash.exe -p

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 08:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Manager]
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Monitor]
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
"C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-02 13:17:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-10 19:05:31 C:\WINDOWS\tasks\McAfee.com Update Check (THE-60D5E2B2614-The Benoit).job
2007-06-10 19:23:09 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 13:30:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-10 13:32:17
C:\ComboFix-quarantined-files.txt ... 2007-06-10 13:32
C:\ComboFix2.txt ... 2007-06-09 14:50

--- E O F ---




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 10, 2007 2:43:49 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/06/2007
Kaspersky Anti-Virus database records: 342054
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 41940
Number of viruses found: 27
Number of infected objects: 71
Number of suspicious objects: 0
Duration of the scan process: 00:54:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\STOPzilla!\Targets.Db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\STOPzilla!\userdata.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\STOPzilla!\zilla5.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\bhegocei.exe Infected: Trojan-Downloader.Win32.Swizzor.ca skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\gnabkkfg.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\gnwmwfcl.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\gramlovestartblah.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\kbsgezbo.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\lpgxmstv.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\mchvcrtq.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\mttzhnzv.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\munnoklk.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\mwoxczab.exe Infected: Trojan-Downloader.Win32.Swizzor.de skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\nakywcia.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\pbwewnht.exe Infected: Trojan-Downloader.Win32.Swizzor.dh skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\phetkbla.exe Infected: Trojan-Downloader.Win32.Swizzor.dh skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\qjywjsun.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\xppvmbot.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\The Benoit\Application Data\beep logo send\xvsrplle.exe Infected: Trojan-Downloader.Win32.Swizzor.de skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c2983293.exe Infected: Trojan-Downloader.Win32.Swizzor.dr skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c2c501f5.exe Infected: Trojan-Downloader.Win32.Swizzor.dr skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c301f2ca.exe Infected: Trojan-Downloader.Win32.Swizzor.dr skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c35d54d4.exe Infected: Trojan-Downloader.Win32.Swizzor.dj skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Local Settings\Application Data\SITEguard\siteguard.db Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\LocalService\Application Data\beep logo send\pop bib bleh.exe.vir Infected: Trojan-Downloader.Win32.Swizzor.dg skipped
C:\QooBox\Quarantine\catchme2007-06-09_144128.79.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\QooBox\Quarantine\catchme2007-06-09_144128.79.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP41\A0029359.exe Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP41\A0029361.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP41\A0029361.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP41\A0029361.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029415.exe Infected: not-a-virus:AdWare.Win32.Lop.k skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029427.exe Infected: not-a-virus:AdWare.Win32.Lop.k skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029492.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029493.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029496.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029502.exe Infected: Trojan-Downloader.Win32.Swizzor.dj skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029505.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029506.exe Infected: not-a-virus:AdWare.Win32.Lop.k skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029508.exe Infected: not-a-virus:AdWare.Win32.Lop.k skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029509.exe Infected: Trojan-Downloader.Win32.Swizzor.dg skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029540.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029542.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029544.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029552.exe Infected: not-a-virus:AdWare.Win32.Lop.k skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029553.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029554.exe/file05 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029554.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029555.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029559.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029560.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029632.exe Infected: Backdoor.Win32.VB.azy skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029633.exe Infected: Backdoor.Win32.VB.azy skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029634.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029635.exe Infected: Backdoor.Win32.Virkel.b skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029636.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029637.exe Infected: Trojan-Downloader.Win32.Agent.bpi skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029641.dll Infected: not-a-virus:AdWare.Win32.Coupons skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029642.dll Infected: not-a-virus:AdWare.Win32.Coupons skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029644.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029645.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029646.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029647.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029648.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029649.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029649.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029649.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029650.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029651.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029656.exe Infected: IM-Worm.Win32.VB.at skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP45\A0029767.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP45\A0029768.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP45\A0029769.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP45\A0029770.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP46\A0031109.exe Infected: Trojan-Downloader.Win32.Swizzor.dg skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP46\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{550D9403-9C12-483B-955D-6DF595358951}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Volume in drive C has no label.
Volume Serial Number is 104D-117D

Directory of C:\Documents and Settings\Administrator\Application Data

Volume in drive C has no label.
Volume Serial Number is 104D-117D

Directory of C:\Documents and Settings\All Users\Application Data

24/01/2005 07:34 PM <DIR> Adobe
28/12/2006 08:45 PM <DIR> Apple Computer
25/03/2007 04:16 PM <DIR> Corel
25/01/2005 07:55 AM <DIR> InstallShield
10/06/2007 01:39 PM <DIR> Kaspersky Lab
03/06/2007 01:49 PM <DIR> McAfee.com
29/08/2005 10:14 PM <DIR> Newsoft
28/01/2005 09:42 PM <DIR> pixelStorm
25/04/2007 12:57 PM 1,751 QTSBandwidthCache
24/12/2005 10:25 PM <DIR> QuickTime
03/06/2007 02:43 PM <DIR> Spybot - Search & Destroy
10/06/2007 01:37 PM <DIR> STOPzilla!
05/05/2005 04:47 PM <DIR> Symantec
02/12/2005 06:38 PM <DIR> Windows Genuine Advantage
03/06/2007 02:16 PM <DIR> Yahoo! Companion
1 File(s) 1,751 bytes
14 Dir(s) 511,610,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 104D-117D

Directory of C:\Documents and Settings\The Benoit\Application Data

16/02/2005 06:45 PM <DIR> Adobe
31/08/2006 07:51 PM <DIR> AdobeUM
14/03/2006 02:03 PM <DIR> Apple Computer
26/10/2005 07:15 PM <DIR> beep logo send
25/03/2007 04:18 PM <DIR> Corel
30/09/2006 02:43 PM <DIR> FUJIFILM
04/02/2006 12:56 PM <DIR> Google
21/03/2005 09:55 PM <DIR> Help
24/01/2005 06:06 PM <DIR> Identities
29/08/2005 10:29 PM <DIR> InterTrust
02/06/2007 08:32 PM <DIR> Lavasoft
25/01/2005 08:34 AM <DIR> Leadertech
26/01/2005 03:25 PM <DIR> Macromedia
05/05/2005 06:36 PM <DIR> Mozilla
04/09/2006 05:21 PM <DIR> Sun
24/01/2005 08:08 PM <DIR> Symantec
04/01/2007 02:34 PM <DIR> s?curity
11/01/2007 06:09 PM <DIR> s?mbols
04/02/2007 10:57 AM <DIR> s?stem32
26/10/2005 07:15 PM <DIR> Win Bore Joy
02/10/2006 10:33 PM <DIR> ZangoToolbar
03/06/2007 04:16 AM <DIR> ?racle
21/01/2007 01:10 PM <DIR> ?ystem32
13/02/2007 07:03 PM <DIR> ?ppPatch
0 File(s) 0 bytes
24 Dir(s) 511,610,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 104D-117D

Directory of C:\Documents and Settings\Default User\Application Data

24/01/2005 10:38 AM <DIR> .
24/01/2005 10:38 AM <DIR> ..
24/01/2005 10:38 AM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 511,610,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 104D-117D

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 104D-117D

Directory of C:\Documents and Settings\NetworkService\Application Data



Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
AdSponsorCL
Apple Software Update
Ares 2.0.9
AVG Anti-Spyware 7.5
CCleaner (remove only)
Diskeeper Professional Edition
DSC409 Digital Camera
FinePixViewer Ver.4.1
FUJIFILM USB Driver
HijackThis 1.99.1
ImageMixer VCD2 for FinePix
Intel(R) Integrated Performance Primitives RTI 4.0
iPod for Windows 2005-09-06
iTunes
J2SE Runtime Environment 5.0 Update 10
Kaspersky Online Scanner
Lexmark 730 Series
LiveUpdate 2.6 (Symantec Corporation)
McAfee SecurityCenter
Microsoft Office Professional Edition 2003
MicroStaff WINASPI
Mozilla Firefox (1.0.3)
MSN
MSXML 4.0 SP2 (KB927978)
Network Play System (Patching)
Outerinfo
Panda ActiveScan
QuickTime
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SimCity 2000® Special Edition
Spybot - Search & Destroy 1.4
STOPzilla
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip
WordPerfect Lightning
Yahoo! Install Manager
Yahoo! Toolbar
Old 06-10-2007, 08:20 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,895
OS: WinXP and Vista


Re: Hijack this log help!

Hi,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Close any open browsers.

------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

Outerinfo

--------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\Documents and Settings\The Benoit\Application Data\Win Bore Joy
C:\Documents and Settings\The Benoit\Application Data\beep logo send
C:\Documents and Settings\The Benoit\Application Data\ZangoToolbar
Save this as ComboFix-Do.txt, in the same location as ComboFix.exe




Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe.

Follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

Run a new scan with Kaspersky and post the results here along with the C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-11-2007, 12:47 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 16
OS: winxp


Re: Hijack this log help!

System seems to be running a lot better also since we started.
Here are the two updated logs.

ComboFix 07-06-09.4 - C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Desktop\ComboFix.exe
"The Benoit" - 2007-06-11 0:56:07 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\The Benoit\Application Data\beep logo send
C:\Documents and Settings\The Benoit\Application Data\ZangoToolbar


((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))


2007-06-10 13:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-10 13:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-09 14:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-03 14:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-03 14:05 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-03 14:01 <DIR> d-------- C:\Program Files\CCleaner
2007-06-03 13:56 <DIR> d-------- C:\Program Files\STOPzilla!
2007-06-03 13:56 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-06-03 13:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-06-03 04:21 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-02 21:43 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-02 20:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-02 20:34 <DIR> d-------- C:\DOCUME~1\THEBEN~1.THE\APPLIC~1\Lavasoft
2007-06-02 20:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-02 20:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-02 20:18 1,572,864 --ah----- C:\DOCUME~1\THEBEN~1.THE\NTUSER.DAT
2007-05-25 18:18 200,704 -ra------ C:\WINDOWS\system32\SZBase5.dll
2007-05-25 18:15 294,912 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2007-05-25 18:15 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2007-05-25 18:14 69,632 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2007-05-25 18:14 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2007-05-25 18:13 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2007-05-25 18:13 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2007-05-25 18:13 184,320 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2007-05-25 18:12 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2007-05-25 18:12 626,688 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2007-05-14 16:43 <DIR> d-------- C:\Program Files\psdriver
2007-05-11 06:38 <DIR> d-------- C:\c1ac98294bbd6e86f8bb


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 21:37:31 -------- d-----w C:\Program Files\QuickTime
2007-06-09 21:32:27 -------- d-----w C:\Program Files\FinePixViewer
2007-06-03 20:35:18 -------- d-----w C:\Program Files\McAfee.com
2007-06-03 10:16:39 -------- d-----w C:\Program Files\pasystem
2007-06-03 02:22:14 -------- d-----w C:\Program Files\Lx_cats
2007-05-14 21:05:02 -------- d-----w C:\Program Files\Lexmark 730 Series
2007-05-11 02:44:50 -------- d-----w C:\Program Files\Common Files\SystemDoctor
2007-05-05 19:27:57 -------- d-----w C:\Program Files\Ares
2007-04-29 19:49:31 -------- d-----w C:\Program Files\Ares Lite Edition
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{1827766B-9F49-4854-8034-F6EE26FCB1EC}=C:\Program Files\STOPzilla!\SZSG.dll [2007-05-25 18:26]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{E3215F20-3212-11D6-9F8B-00D0B743919D}=C:\Program Files\STOPzilla!\SZIEBHO.dll [2007-05-25 18:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-03-07 15:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 06:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:07]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=c:\progra~1\mozill~1\plugins\GetFlash.exe -p

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 08:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Manager]
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Monitor]
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
"C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-02 13:17:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-11 06:53:31 C:\WINDOWS\tasks\McAfee.com Update Check (THE-60D5E2B2614-The Benoit).job
2007-06-10 19:23:09 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 01:02:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [1656]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-11 1:03:57
C:\ComboFix-quarantined-files.txt ... 2007-06-11 01:03
C:\ComboFix2.txt ... 2007-06-10 13:32
C:\ComboFix3.txt ... 2007-06-09 14:50

--- E O F ---

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 11, 2007 12:44:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 11/06/2007
Kaspersky Anti-Virus database records: 342424
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 42139
Number of viruses found: 27
Number of infected objects: 71
Number of suspicious objects: 0
Duration of the scan process: 00:52:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c2983293.exe Infected: Trojan-Downloader.Win32.Swizzor.dr skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c2c501f5.exe Infected: Trojan-Downloader.Win32.Swizzor.dr skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c301f2ca.exe Infected: Trojan-Downloader.Win32.Swizzor.dr skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c35d54d4.exe Infected: Trojan-Downloader.Win32.Swizzor.dj skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Local Settings\Application Data\SITEguard\siteguard.db Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\The Benoit.THE-60D5E2B2614\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\LocalService\Application Data\beep logo send\pop bib bleh.exe.vir Infected: Trojan-Downloader.Win32.Swizzor.dg skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\bhegocei.exe Infected: Trojan-Downloader.Win32.Swizzor.ca skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\gnabkkfg.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\gnwmwfcl.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\gramlovestartblah.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\kbsgezbo.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\lpgxmstv.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\mchvcrtq.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\mttzhnzv.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\munnoklk.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\mwoxczab.exe Infected: Trojan-Downloader.Win32.Swizzor.de skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\nakywcia.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\pbwewnht.exe Infected: Trojan-Downloader.Win32.Swizzor.dh skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\phetkbla.exe Infected: Trojan-Downloader.Win32.Swizzor.dh skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\qjywjsun.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\xppvmbot.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\xvsrplle.exe Infected: Trojan-Downloader.Win32.Swizzor.de skipped
C:\QooBox\Quarantine\catchme2007-06-09_144128.79.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\QooBox\Quarantine\catchme2007-06-09_144128.79.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP41\A0029359.exe Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP41\A0029361.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP41\A0029361.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP41\A0029361.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029415.exe Infected: not-a-virus:AdWare.Win32.Lop.k skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029427.exe Infected: not-a-virus:AdWare.Win32.Lop.k skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029492.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029493.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029496.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029502.exe Infected: Trojan-Downloader.Win32.Swizzor.dj skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029505.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029506.exe Infected: not-a-virus:AdWare.Win32.Lop.k skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029508.exe Infected: not-a-virus:AdWare.Win32.Lop.k skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029509.exe Infected: Trojan-Downloader.Win32.Swizzor.dg skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029540.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029542.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029544.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029552.exe Infected: not-a-virus:AdWare.Win32.Lop.k skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029553.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029554.exe/file05 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029554.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029555.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029559.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP42\A0029560.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029632.exe Infected: Backdoor.Win32.VB.azy skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029633.exe Infected: Backdoor.Win32.VB.azy skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029634.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029635.exe Infected: Backdoor.Win32.Virkel.b skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029636.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029637.exe Infected: Trojan-Downloader.Win32.Agent.bpi skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029641.dll Infected: not-a-virus:AdWare.Win32.Coupons skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029642.dll Infected: not-a-virus:AdWare.Win32.Coupons skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029644.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029645.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029646.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029647.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029648.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029649.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029649.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029649.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029650.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029651.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029656.exe Infected: IM-Worm.Win32.VB.at skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP45\A0029767.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP45\A0029768.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP45\A0029769.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP45\A0029770.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP46\A0031109.exe Infected: Trojan-Downloader.Win32.Swizzor.dg skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP47\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D00446D6-1D05-4A2F-AC49-FF7DAADC8510}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
convict11 is offline  
Old 06-11-2007, 10:06 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,895
OS: WinXP and Vista


Re: Hijack this log help!

Hi,

Delete these files:

C:\Documents and Settings\The Benoit\Local Settings\Temp\c2983293.exe
C:\Documents and Settings\The Benoit\Local Settings\Temp\c2c501f5.exe
C:\Documents and Settings\The Benoit\Local Settings\Temp\c301f2ca.exe
C:\Documents and Settings\The Benoit\Local Settings\Temp\c35d54d4.exe

-----------------------------------------------------------

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Ensure Windows Auto Update is Enabled
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Spyware Guard to catch and block spyware before it can execute.

IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.
Ried is offline  
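The reasoning behind the reply above (delete only the four live Temp files, treat the rest of post #9's Kaspersky report as already contained) can be automated. This is an added example, not code from the thread or from Kaspersky: it parses the report's line format, sorts each hit by where it sits (live, ComboFix's QooBox quarantine, or a System Restore snapshot), and groups detections by family. The sample lines are a constructed subset copied from the report above; the location rules are this example's own assumptions.

```python
"""Triage a Kaspersky Online Scanner report (the format posted above): split
live infections from quarantined copies, System Restore snapshots and locked
objects the scanner could not open."""
import re
from collections import Counter

# One result line reads "<path> <verdict> skipped". Paths contain spaces, so
# the path group is non-greedy and the verdict alternatives are anchored at the end.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<detection>\S+)"
    r"|(?P<archive>\w+): infected - (?P<count>\d+)"
    r") skipped$"
)
# The trailing variant suffix (".dr", ".azy") is dropped to group hits by family.
VARIANT_RE = re.compile(r"\.[a-z]{1,3}$")

# Constructed sample: a handful of lines copied from the report in post #9.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c2983293.exe Infected: Trojan-Downloader.Win32.Swizzor.dr skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c2c501f5.exe Infected: Trojan-Downloader.Win32.Swizzor.dr skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c301f2ca.exe Infected: Trojan-Downloader.Win32.Swizzor.dr skipped
C:\Documents and Settings\The Benoit\Local Settings\Temp\c35d54d4.exe Infected: Trojan-Downloader.Win32.Swizzor.dj skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\bhegocei.exe Infected: Trojan-Downloader.Win32.Swizzor.ca skipped
C:\QooBox\Quarantine\C\Documents and Settings\The Benoit\Application Data\beep logo send.vir\gnabkkfg.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\QooBox\Quarantine\catchme2007-06-09_144128.79.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\QooBox\Quarantine\catchme2007-06-09_144128.79.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029632.exe Infected: Backdoor.Win32.VB.azy skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029649.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{E27EFAD6-2BBE-45A6-AEF0-508A6E2432A2}\RP43\A0029649.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""


def classify_location(path):
    """Where an object sits decides how urgent it is (assumed rules mirroring the helper's triage)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"     # already neutralised by ComboFix
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # inert unless restored; cleared by resetting System Restore
    return "live"


def parse_report(text):
    """Return one dict per recognised result line; headers and footers are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("locked"):
            kind, detection = "locked", None
        elif m.group("detection"):
            kind, detection = "infected", m.group("detection")
        else:
            # Container summary (ZIP/NSIS/Inno); its members were listed on their own lines.
            kind, detection = "archive", m.group("archive")
        entries.append({"path": m.group("path"), "kind": kind,
                        "detection": detection,
                        "location": classify_location(m.group("path"))})
    return entries


def triage(entries):
    """Summarise what must be deleted now versus what is already contained."""
    infected = [e for e in entries if e["kind"] == "infected"]
    return {
        "live_infected": [e["path"] for e in infected if e["location"] == "live"],
        "infected_by_location": Counter(e["location"] for e in infected),
        "families": Counter(VARIANT_RE.sub("", e["detection"]) for e in infected),
        "archives": sum(1 for e in entries if e["kind"] == "archive"),
        "locked": sum(1 for e in entries if e["kind"] == "locked"),
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print("Delete now (live, outside quarantine/restore points):")
    for path in summary["live_infected"]:
        print("  ", path)
    print("Infected objects by location:", dict(summary["infected_by_location"]))
    print("Detection families:", dict(summary["families"]))
    print(f"Locked objects not scanned: {summary['locked']} (registry hives, index.dat, etc.)")
```

Locked objects are not clean, only unscanned: registry hives and index.dat files are open while Windows runs, which is why the helper relies on ComboFix and the HJT log for those rather than on the Kaspersky verdict.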
Old 06-11-2007, 10:50 PM   #11 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 16
OS: winxp


Re: Hijack this log help!

Thanks a lot for all the help =)
convict11 is offline  
Old 06-12-2007, 09:01 AM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,895
OS: WinXP and Vista


Re: Hijack this log help!

You're welcome.

Take care...
Ried is offline  
 


Copyright 2001 - 2009, Tech Support Forum