Member Avatar for Mishoboy

Hello Team,

Now that ComboFix is offline I am in need of assistance. I am infected with a rootkit and I do not know how to remove it. No antispyware software can be installed or run. Can you please help me? Here's the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86  
Run by Nicolas at 21:33:53.90 on Tue 12/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.503.151 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\AOL\1137453934\ee\AOLSoftware.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\DOCUME~1\Nicolas\LOCALS~1\Temp\wjfry.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\DOCUME~1\Nicolas\LOCALS~1\Temp\wjfry.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\wentxp.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\CrossLoop\CrossLoopConnect.exe
C:\Program Files\CrossLoop\winvnc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\DOCUME~1\Nicolas\LOCALS~1\Temp\tryvnbnjqjrogvop.exe
C:\Documents and Settings\Nicolas\Desktop\tool.exe.exe
C:\DOCUME~1\Nicolas\LOCALS~1\Temp\is-2A962.tmp\tool.exe.tmp
C:\Documents and Settings\Nicolas\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.att.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://google.icq.com/search/search_frame.php
mStart Page = hxxp://www.att.net
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydial/*[url]http://www.yahoo.com/search/ie.html[/url]
uInternet Connection Wizard,ShellNext = hxxp://ciscdb.sel.sony.com/perl/modelpage.pl?mdl=VGCRB30
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = 
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ohjboxevxlo] hjuvrjzzkhtuqjglxefo.exe
uRun: [jzynxdhv] c:\docume~1\nicolas\locals~1\temp\wzlnkduvhfsurljpckmwu.exe
uRunOnce: [lfibpzhzcrvo] uvffargfplwwrjfjuaa.exe .
uRunOnce: [arrhszett] c:\docume~1\nicolas\locals~1\temp\azhfynaxfzigzpjlu.exe .
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SBC Yahoo! Connection Manager] "c:\program files\sbc yahoo!\connection manager\ConnectionManager.exe"
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IPInSightMonitor 01] "c:\program files\sbc yahoo!\connection manager\ip insight\IPMon32.exe"
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HostManager] c:\program files\common files\aol\1137453934\ee\AOLSoftware.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: ["c:\program files\sbc yahoo!\connection manager\ConnectionManager] SBC Yahoo! Connection Manager
mRun: [SetDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [jzynxdhv] tryvnbnjqjrogvop.exe
mRun: [lhmhxjtnsjpkan] c:\docume~1\nicolas\locals~1\temp\jjsrlbpnwrbaulgjty.exe
mRunOnce: [arrhszett] hjuvrjzzkhtuqjglxefo.exe .
mRunOnce: [kfjdsdmfjzeyn] c:\docume~1\nicolas\locals~1\temp\hjuvrjzzkhtuqjglxefo.exe .
mExplorerRun: [tlmdpxdtuh] uvffargfplwwrjfjuaa.exe
mExplorerRun: [ujhvejm] c:\docume~1\nicolas\locals~1\temp\tryvnbnjqjrogvop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableInstallerDetection = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
mPolicies-system: EnableVirtualization = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213205373640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup160.cab
DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exe
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
R2 WENCRNT4;WENCRNT4;c:\windows\system32\drivers\WENCRNT4.sys [2007-6-2 114944]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-20 133104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]

=============== Created Last 30 ================

2009-12-16 01:43:45 811 --sh--r-    C:\autorun.inf
2009-12-16 01:01:05 0   d-----w-    c:\program files\CrossLoop
2009-12-15 18:42:36 0   d-----w-    c:\program files\CA Yahoo! Anti-Spy
2009-12-15 15:01:09 788 ---h--w-    c:\windows\system32\lhmhxjtnsjpkanedjkfizjozdxtytjvfzevb.mzq
2009-12-15 15:01:09 788 ---h--w-    c:\windows\lhmhxjtnsjpkanedjkfizjozdxtytjvfzevb.mzq
2009-12-15 15:01:09 316 ---h--w-    c:\windows\system32\kfjdsdmfjzeynzpnssmoenrbexswqfqzswm.lam
2009-12-15 15:01:09 316 ---h--w-    c:\windows\kfjdsdmfjzeynzpnssmoenrbexswqfqzswm.lam
2009-12-15 15:01:09 2408    ---h--w-    c:\windows\tlmdpxdtuhjamvidfctsflmttjbctfnt.kxz
2009-12-15 15:01:09 2408    ---h--w-    c:\windows\system32\tlmdpxdtuhjamvidfctsflmttjbctfnt.kxz
2009-11-30 23:25:53 0   d-sh--w-    c:\documents and settings\nicolas\IECompatCache

==================== Find3M  ====================

2009-12-16 02:33:56 272 ---h--w-    c:\program files\xfwdfdzfwzryazcnfszorn.brx
2009-12-16 02:33:56 2408    ---h--w-    c:\program files\tlmdpxdtuhjamvidfctsflmttjbctfnt.kxz
2009-12-16 02:33:21 316 ---h--w-    c:\program files\kfjdsdmfjzeynzpnssmoenrbexswqfqzswm.lam
2009-12-16 02:33:02 512000  --sh--r-    c:\windows\wzlnkduvhfsurljpckmwu.exe
2009-12-16 02:33:02 512000  --sh--r-    c:\windows\uvffargfplwwrjfjuaa.exe
2009-12-16 02:33:02 512000  --sh--r-    c:\windows\tryvnbnjqjrogvop.exe
2009-12-16 02:33:02 512000  --sh--r-    c:\windows\nrehfzrtgftwupovjsvgfx.exe
2009-12-16 02:33:02 512000  --sh--r-    c:\windows\jjsrlbpnwrbaulgjty.exe
2009-12-16 02:33:02 512000  --sh--r-    c:\windows\hjuvrjzzkhtuqjglxefo.exe
2009-12-16 02:33:02 512000  --sh--r-    c:\windows\azhfynaxfzigzpjlu.exe
2009-12-16 01:43:02 512000  --sh--r-    c:\windows\system32\uvffargfplwwrjfjuaa.exe
2009-12-16 01:43:02 512000  --sh--r-    c:\windows\system32\nrehfzrtgftwupovjsvgfx.exe
2009-12-16 01:43:02 512000  --sh--r-    c:\windows\system32\hjuvrjzzkhtuqjglxefo.exe
2009-12-16 01:43:01 512000  --sh--r-    c:\windows\system32\jjsrlbpnwrbaulgjty.exe
2009-12-16 01:43:00 512000  --sh--r-    c:\windows\system32\tryvnbnjqjrogvop.exe
2009-12-16 01:43:00 512000  --sh--r-    c:\windows\system32\azhfynaxfzigzpjlu.exe
2009-12-15 23:38:58 512000  --sh--r-    c:\windows\system32\wzlnkduvhfsurljpckmwu.exe
2009-12-15 23:38:54 788 ---h--w-    c:\program files\lhmhxjtnsjpkanedjkfizjozdxtytjvfzevb.mzq
2009-12-15 15:00:55 4088    ---h--w-    c:\program files\ohjboxevxlogtdrnqoggubdlmdwyqdmtk.adv
2009-10-29 07:45:38 916480  ----a-w-    c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776   ----a-w-    c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088   ----a-w-    c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728  ----a-w-    c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336  ----a-w-    c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504  ----a-w-    c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872   ----a-w-    c:\windows\system32\raschap.dll
2008-11-17 17:51:56 32768   --sha-w-    c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111720081118\index.dat

============= FINISH: 21:34:24.18 ===============





"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"Search Protection" = "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" ["Yahoo! Inc"]
"YSearchProtection" = "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" ["Yahoo! Inc"]
"ohjboxevxlo" = "tryvnbnjqjrogvop.exe" [null data]
"jzynxdhv" = "C:\DOCUME~1\Nicolas\LOCALS~1\Temp\azhfynaxfzigzpjlu.exe" [null data]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"lfibpzhzcrvo" = "azhfynaxfzigzpjlu.exe ." [null data]
"arrhszett" = "C:\DOCUME~1\Nicolas\LOCALS~1\Temp\jjsrlbpnwrbaulgjty.exe ." [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"tlmdpxdtuh" = "hjuvrjzzkhtuqjglxefo.exe" [null data]
"ujhvejm" = "C:\DOCUME~1\Nicolas\LOCALS~1\Temp\tryvnbnjqjrogvop.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"VAIO Recovery" = "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" ["Sony Electronics Inc"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SSBkgdUpdate" = ""C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"SBC Yahoo! Connection Manager" = ""C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"" [file not found]
"PaperPort PTD" = "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."]
"IPInSightMonitor 01" = ""C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\IPMon32.exe"" [file not found]
"IndexSearch" = "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" ["ScanSoft, Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"HostManager" = "C:\Program Files\Common Files\AOL\1137453934\ee\AOLSoftware.exe" ["America Online, Inc."]
"High Definition Audio Property Page Shortcut" = "HDAudPropShortcut.exe" ["Windows (R) Server 2003 DDK provider"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
""C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager" = "SBC Yahoo! Connection Manager" [file not found]
"SetDefPrt" = "C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" ["Brother Industories, Ltd."]
"ControlCenter2.0" = "C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun" ["Brother Industries, Ltd."]
"YSearchProtection" = ""C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"" ["Yahoo! Inc"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"jzynxdhv" = "jjsrlbpnwrbaulgjty.exe" [null data]
"lhmhxjtnsjpkan" = "C:\DOCUME~1\Nicolas\LOCALS~1\Temp\azhfynaxfzigzpjlu.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"arrhszett" = "hjuvrjzzkhtuqjglxefo.exe ." [null data]
"kfjdsdmfjzeyn" = "C:\DOCUME~1\Nicolas\LOCALS~1\Temp\jjsrlbpnwrbaulgjty.exe ." [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
  -> {HKLM...CLSID} = "Adobe PDF Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! IE Services Button"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Java(tm) Plug-In SSV Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll" ["Google Inc."]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
  -> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SingleInstance Class"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll" ["Yahoo! Inc"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
  -> {HKLM...CLSID} = "RecordNow! SendToExt"
                   \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {HKLM...CLSID} = "YMailShellExt Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
  -> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{25336920-03f9-11cf-8fd0-00aa00686f13}" = "HTML Document"
  -> {HKLM...CLSID} = "HTML Document"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mshtml.dll" [MS]
"{3050f3d9-98b5-11cf-bb82-00aa00bdce0b}" = "MSHTML Document"
  -> {HKLM...CLSID} = "MHTML Document"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mshtml.dll" [MS]
"{8856f961-340a-11d0-a96b-00c04fd705a2}" = "Microsoft Web Browser"
  -> {HKLM...CLSID} = "Microsoft Web Browser"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
  -> {HKLM...CLSID} = "SABShellExecuteHook Class"
                   \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
  -> {HKLM...CLSID} = "YMailShellExt Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"HonorAutoRunSetting" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000001
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

"EnableLUA" = (REG_DWORD) hex:0x00000000
{User Account Control: Run All Administrators In Admin Approval Mode}

"DisableRegistryTools" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"ConsentPromptBehaviorAdmin" = (REG_DWORD) hex:0x00000000
{User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) hex:0x00000000
{User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) hex:0x00000000
{User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableSecureUIAPaths" = (REG_DWORD) hex:0x00000000
{User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) hex:0x00000000
{User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) hex:0x00000000
{User Account Conrol: Switch to the secure desktop when prompting for elevation}

"FilterAdministratorToken" = (REG_DWORD) hex:0x00000000
{User Account Control: Admin Approval Mode for the Built-in Administrator Account}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\VAIO Structure Wallpaper TrueColor 1280x1024.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\VAIO Structure Wallpaper TrueColor 1280x1024.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssmypics.scr" [MS]


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

C:\
<<!>> C:\AUTORUN.INF -> "open=ohjboxevxlo.bat" [null data]


Startup items in "Nicolas" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Status Monitor" -> shortcut to: "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe Brother MFC-620CN /STARTUP" ["Brother Industries, Ltd."]


Enabled Scheduled Tasks:
------------------------

"GoogleUpdateTaskMachineCore" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]
"GoogleUpdateTaskMachineUA" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler" ["Google Inc."]
"Registration reminder 1" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:1" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "Google Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll" ["Google Inc."]
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}"
  -> {HKLM...CLSID} = "AOL Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" [file not found]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = (no title provided)
  -> {HKLM...CLSID} = "AOL Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" [file not found]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "&Yahoo! Messenger"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "&Yahoo! Messenger"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Real.com"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{32004B8A-44A9-43E7-84E9-808838809519}\(Default) = "Google Side Bar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{4982D40A-C53B-4615-B15B-B5B5E98D167C}\
"ButtonText" = "AOL Toolbar"
"MenuText" = "AOL Toolbar"
"CLSIDExtension" = "{4982D40A-C53B-4615-B15B-B5B5E98D167C}"
  -> {HKLM...CLSID} = "AOL Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" [file not found]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
  -> {HKLM...CLSID} = "Yahoo! IE Services Button"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.sony.com/vaiopeople
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL TopSpeed Monitor, AOL TopSpeedMonitor, "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" ["America Online, Inc"]
Brother Popup Suspend service for Resource manager, brmfrmps, ""C:\WINDOWS\system32\Brmfrmps.exe" -service " ["Brother Industries, Ltd."]
BrSplService, Brother XP spl Service, "C:\WINDOWS\system32\brsvc01a.exe" ["brother Industries Ltd"]
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
VAIO Entertainment Database Service, VzCdbSvc, ""C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe"" ["Sony Corporation"]
VAIO Entertainment File Import Service, VzFw, "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe" ["Sony Corporation"]
VAIO Entertainment UPnP Client Adapter, Vcsw, "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -RunBySCM" ["Sony Corporation"]
WinEncrypt service, wencrservice, "wentxp.exe" ["WinEncrypt"]
Yahoo! Updater, YahooAUService, ""C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe"" ["Yahoo! Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2009-12-15 20:54:43)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 45 seconds, including 5 seconds for message boxes)
Edited by Nick Evan because: Fixed formatting
  • 2 Contributors
  • 13 Replies
  • 292 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by crunchie
Member Avatar for crunchie

You are loaded.


Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Select the "Save" option.
* When the panel pops up to ask you where you wish to save the file, before choosing where, rename the file. I chose "bambam"
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Download the update from here if you have problems.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Make sure that you restart the computer.

Post new DDS log.

Edited by crunchie because: n/a
Member Avatar for Mishoboy

Crunchie,

Thank You for the quick reply. I truly appreciate your help. I can not install malwarebytes at all. I tried renaming it, I tried installing it in different directory but I can't, the moment the setup loads it closes. My browser won't let me open any online scanners such as trendmicro, fsecure etc... I can not restart in safe mode either. It won't let me as it gives me an error and it restarts by itself in normal mode. Any other ideas?

You are loaded.


Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Select the "Save" option.
* When the panel pops up to ask you where you wish to save the file, before choosing where, rename the file. I chose "bambam"
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Download the update from here if you have problems.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Make sure that you restart the computer.

Post new DDS log.

Edited by Mishoboy because: n/a
Member Avatar for crunchie

Download gmer.zip: http://www.gmer.net/files.php
Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

Member Avatar for Mishoboy

I found a way to fix it. While I do not know the exact rootkit name/infection I had, I found a tool called UnHackMe. It is not the most user friendly tool I've seen but it work good enough to clean few suspicious files, which allowed me to install and run Malwarebytes. Malwarebytes cleaned the rest and now my PC runs as new again.
I personally will not recommend the UnHackMe tool as it also finds legit files and if a user doesn't know what he/she is doing they might end up deleting a program file or else.
I wish the ComboFix tool was active - it would have saved me lots of time.
Crunchie, thank you for your help. It is much appreciated.

Member Avatar for crunchie

I hope for your sake that all the nasties I can see in the DDS log were taken care of :).
Would be nice to see the MBA-M log and then a DDS log taken after.

Member Avatar for Mishoboy

There You go:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Nicolas at 4:45:18.93 on Wed 12/16/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.198 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\AOL\1137453934\ee\AOLSoftware.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\Brmfrmps.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\Nicolas\Local Settings\Temporary Internet Files\Content.IE5\GXNI8YE6\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/
uInternet Connection Wizard,ShellNext = hxxp://ciscdb.sel.sony.com/perl/modelpage.pl?mdl=VGCRB30
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SBC Yahoo! Connection Manager] "c:\program files\sbc yahoo!\connection manager\ConnectionManager.exe"
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IPInSightMonitor 01] "c:\program files\sbc yahoo!\connection manager\ip insight\IPMon32.exe"
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HostManager] c:\program files\common files\aol\1137453934\ee\AOLSoftware.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: ["c:\program files\sbc yahoo!\connection manager\ConnectionManager] SBC Yahoo! Connection Manager
mRun: [SetDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [ohjboxevxlo] hjuvrjzzkhtuqjglxefo.exe
dRun: [jzynxdhv] c:\windows\temp\wzlnkduvhfsurljpckmwu.exe
dRunOnce: [lfibpzhzcrvo] wzlnkduvhfsurljpckmwu.exe .
dRunOnce: [arrhszett] c:\windows\temp\azhfynaxfzigzpjlu.exe .
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableInstallerDetection = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
mPolicies-system: EnableVirtualization = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213205373640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup160.cab
DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exe
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-12-15 47640]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-26 38224]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-16 138680]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-20 133104]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-16 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-16 352920]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-12-16 08:25:16 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-12-16 08:11:50 0 d-----w- c:\program files\LSI SoftModem
2009-12-16 08:04:49 0 d-----w- c:\windows\system32\XPSViewer
2009-12-16 08:03:47 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-16 08:03:47 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-16 08:03:47 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-16 08:03:47 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-16 08:03:47 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-16 08:03:46 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-16 08:03:46 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-16 08:03:44 0 d-----w- C:\ea20c77e20268430995549
2009-12-16 07:56:49 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-16 07:31:54 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2009-12-16 07:08:52 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-16 06:15:25 2 --shatr- c:\windows\winstart.bat
2009-12-16 05:23:47 0 ----a-w- c:\windows\system32\SBRC.dat
2009-12-16 05:23:47 0 ----a-w- c:\windows\system32\SBFC.dat
2009-12-16 04:32:57 0 d-----w- c:\docume~1\alluse~1\applic~1\PCPitstop
2009-12-16 04:32:18 0 d-----w- c:\program files\PCPitstop
2009-12-16 04:04:43 4716 ----a-w- c:\windows\system32\tmp.reg
2009-12-16 03:30:54 512000 --sh--r- c:\windows\wzlnkduvhfsurljpckmwu.exe
2009-12-16 03:30:54 512000 --sh--r- c:\windows\uvffargfplwwrjfjuaa.exe
2009-12-16 03:30:54 512000 --sh--r- c:\windows\nrehfzrtgftwupovjsvgfx.exe
2009-12-16 03:30:54 512000 --sh--r- c:\windows\hjuvrjzzkhtuqjglxefo.exe
2009-12-16 02:57:20 0 d-----w- c:\docume~1\alluse~1\applic~1\LogMeIn
2009-12-16 02:57:15 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-12-16 02:57:15 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-12-16 02:57:15 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-12-16 02:57:04 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-12-16 02:56:48 0 d-----w- c:\program files\LogMeIn
2009-12-16 01:01:05 0 d-----w- c:\program files\CrossLoop
2009-12-15 15:01:09 788 ---h--w- c:\windows\system32\lhmhxjtnsjpkanedjkfizjozdxtytjvfzevb.mzq
2009-12-15 15:01:09 788 ---h--w- c:\windows\lhmhxjtnsjpkanedjkfizjozdxtytjvfzevb.mzq
2009-12-15 15:01:09 316 ---h--w- c:\windows\system32\kfjdsdmfjzeynzpnssmoenrbexswqfqzswm.lam
2009-12-15 15:01:09 316 ---h--w- c:\windows\kfjdsdmfjzeynzpnssmoenrbexswqfqzswm.lam
2009-12-15 15:01:09 2408 ---h--w- c:\windows\tlmdpxdtuhjamvidfctsflmttjbctfnt.kxz
2009-12-15 15:01:09 2408 ---h--w- c:\windows\system32\tlmdpxdtuhjamvidfctsflmttjbctfnt.kxz
2009-12-15 15:00:55 4088 ---h--w- c:\windows\system32\ohjboxevxlogtdrnqoggubdlmdwyqdmtk.adv
2009-12-15 15:00:55 4088 ---h--w- c:\windows\ohjboxevxlogtdrnqoggubdlmdwyqdmtk.adv
2009-12-15 15:00:55 272 ---h--w- c:\windows\xfwdfdzfwzryazcnfszorn.brx
2009-12-15 15:00:55 272 ---h--w- c:\windows\system32\xfwdfdzfwzryazcnfszorn.brx
2009-12-15 15:00:43 512000 --sh--r- c:\windows\jjsrlbpnwrbaulgjty.exe
2009-12-15 15:00:42 512000 --sh--r- c:\windows\tryvnbnjqjrogvop.exe
2009-12-15 15:00:42 512000 --sh--r- c:\windows\system32\wzlnkduvhfsurljpckmwu.exe
2009-12-15 15:00:42 512000 --sh--r- c:\windows\system32\tryvnbnjqjrogvop.exe
2009-12-15 15:00:42 512000 --sh--r- c:\windows\system32\nrehfzrtgftwupovjsvgfx.exe
2009-12-15 15:00:42 512000 --sh--r- c:\windows\azhfynaxfzigzpjlu.exe
2009-11-30 23:25:53 0 d-sh--w- c:\documents and settings\nicolas\IECompatCache

==================== Find3M ====================

2009-12-16 06:33:07 316 ---h--w- c:\program files\kfjdsdmfjzeynzpnssmoenrbexswqfqzswm.lam
2009-12-16 06:33:06 272 ---h--w- c:\program files\xfwdfdzfwzryazcnfszorn.brx
2009-12-16 06:33:06 2408 ---h--w- c:\program files\tlmdpxdtuhjamvidfctsflmttjbctfnt.kxz
2009-12-15 23:38:54 788 ---h--w- c:\program files\lhmhxjtnsjpkanedjkfizjozdxtytjvfzevb.mzq
2009-12-15 15:00:55 4088 ---h--w- c:\program files\ohjboxevxlogtdrnqoggubdlmdwyqdmtk.adv
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 19:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2008-11-17 17:51:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111720081118\index.dat

============= FINISH: 4:46:23.87 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/30/2005 3:31:46 AM
System Uptime: 12/16/2009 4:35:40 AM (0 hours ago)

Motherboard: Intel Corporation | | D915GRO
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | J2E1 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 180 GiB total, 167.503 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP4: 12/16/2009 1:37:24 AM - System Checkpoint
RP5: 12/16/2009 1:39:00 AM - RegRun Virus Scan
RP6: 12/16/2009 2:00:20 AM - Installed Windows Defender
RP7: 12/16/2009 2:05:31 AM - Removed SUPERAntiSpyware Free Edition
RP8: 12/16/2009 2:08:35 AM - Software Distribution Service 3.0
RP9: 12/16/2009 2:17:51 AM - Installed Java(TM) 6 Update 17
RP10: 12/16/2009 2:35:47 AM - Removed Rhapsody Player Engine
RP11: 12/16/2009 2:57:06 AM - Software Distribution Service 3.0
RP12: 12/16/2009 4:07:39 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player ActiveX
Adobe Reader 9.2
Agere Systems PCI Soft Modem
AOL Setup
AOL Uninstaller
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Autodesk WHIP! (Release 4.0-102)
avast! Antivirus
Brother MFL-Pro Suite
Click to DVD 2.0.02 Menu Data
Click to DVD 2.2.10
Critical Update for Windows Media Player 11 (KB959772)
CrossLoop 2.60
DVgate Plus
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) Graphics Media Accelerator Driver
Intel(R) Network Connections Drivers
InterVideo WinDVD 5 for VAIO
InterVideo WinDVDX
ISScript
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 17
Learn2 Player (Uninstall Only)
LogMeIn
LSI PCI Soft Modem
Malwarebytes' Anti-Malware
Memory Stick Formatter
Micro Webcam
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Excel 2000 Beginning
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
MoodLogic
OpenMG Limited Patch 4.0-04-08-02-01
OpenMG Secure Module 4.0.00
PaperPort
PictureGear Studio 2.0
Pure Networks Port Magic
Quicken 2005
QuickTime
Realtek High Definition Audio Driver
SA Dictionary 2002
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Skypeâ„¢ 4.1
Sonic RecordNow!
SonicStage 2.1.02
SonicStage Mastering Studio Audio Filter Custom Preset
Sony Certificate PCH
Sony Video Shared Library
Spelling Dictionaries Support For Adobe Reader 9
TrueSwitch Wizard SBC
Ulead Photo Explorer 6.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VAIO Control Center
VAIO Entertainment Platform
VAIO Help and Support
VAIO Launcher
VAIO Media 3.1
VAIO Media Integrated Server 3.1
VAIO Media Redistribution 3.1
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Scene HD Normal Contents
VAIO Registration
VAIO Structure Wallpaper
VAIO Survey Standalone
VAIO Update 2
VAIO Zone
Viewpoint Media Player
WebFldrs XP
Welcome to VAIO life
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 12
Yahoo! Browser Services
Yahoo! BrowserPlus
Yahoo! Install Manager
Yahoo! Mail
Yahoo! Photos Easy Upload Tool 1v7
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

12/16/2009 3:38:42 AM, error: Service Control Manager [7000] - The F-Secure BlackLight Engine Driver service failed to start due to the following error: A device attached to the system is not functioning.
12/16/2009 2:57:19 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800f020b: Brother Industries, ltd. - Storage - Brother MFC-620CN USB Printer.
12/16/2009 2:05:42 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
12/16/2009 2:05:36 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
12/16/2009 1:43:06 AM, error: Service Control Manager [7023] - The WinEncrypt service service terminated with the following error: A device attached to the system is not functioning.
12/15/2009 9:33:56 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
12/15/2009 10:37:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
12/15/2009 10:37:39 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/15/2009 10:20:00 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The class is configured to run as a security id different from the caller
12/15/2009 10:19:52 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000034' while processing the file '_filelst.cfg' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/15/2009 10:18:08 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IGLGBYGKKWEN service to connect.
12/15/2009 10:18:08 PM, error: Service Control Manager [7000] - The IGLGBYGKKWEN service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/15/2009 10:09:25 PM, error: System Error [1003] - Error code 0000007f, parameter1 00000000, parameter2 00000000, parameter3 00000000, parameter4 00000000.

==== End Of File ===========================

Malwarebytes' Anti-Malware 1.42
Database version: 3372
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/16/2009 4:48:10 AM
mbam-log-2009-12-16 (04-48-10).txt

Scan type: Quick Scan
Objects scanned: 115423
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Member Avatar for crunchie

All of the following need looking in to to determine if they are still there and if they are a threat.

c:\windows\temp\wzlnkduvhfsurljpckmwu.exe
c:\windows\temp\azhfynaxfzigzpjlu.exe
c:\windows\wzlnkduvhfsurljpckmwu.exe
c:\windows\uvffargfplwwrjfjuaa.exe
c:\windows\nrehfzrtgftwupovjsvgfx.exe
c:\windows\hjuvrjzzkhtuqjglxefo.exe
c:\windows\system32\lhmhxjtnsjpkanedjkfizjozdxtytjvfzevb.mzq
c:\windows\lhmhxjtnsjpkanedjkfizjozdxtytjvfzevb.mzq
c:\windows\system32\kfjdsdmfjzeynzpnssmoenrbexswqfqzswm.lam
c:\windows\kfjdsdmfjzeynzpnssmoenrbexswqfqzswm.lam
c:\windows\tlmdpxdtuhjamvidfctsflmttjbctfnt.kxz
c:\windows\system32\tlmdpxdtuhjamvidfctsflmttjbctfnt.kxz
c:\windows\system32\ohjboxevxlogtdrnqoggubdlmdwyqdmtk.adv
c:\windows\ohjboxevxlogtdrnqoggubdlmdwyqdmtk.adv
c:\windows\xfwdfdzfwzryazcnfszorn.brx
c:\windows\system32\xfwdfdzfwzryazcnfszorn.brx
c:\windows\jjsrlbpnwrbaulgjty.exe
c:\windows\tryvnbnjqjrogvop.exe
c:\windows\system32\wzlnkduvhfsurljpckmwu.exe
c:\windows\system32\tryvnbnjqjrogvop.exe
c:\windows\system32\nrehfzrtgftwupovjsvgfx.exe
c:\windows\azhfynaxfzigzpjlu.exe
c:\program files\kfjdsdmfjzeynzpnssmoenrbexswqfqzswm.lam
c:\program files\xfwdfdzfwzryazcnfszorn.brx
c:\program files\tlmdpxdtuhjamvidfctsflmttjbctfnt.kxz
c:\program files\lhmhxjtnsjpkanedjkfizjozdxtytjvfzevb.mzq
c:\program files\ohjboxevxlogtdrnqoggubdlmdwyqdmtk.adv

http://virusscan.jotti.org/ or http://www.virustotal.com/en/virustotalf.html

Member Avatar for Mishoboy

Is it wise to use KillBox to delete them or would you suggest other tool/method?

Thank You so much for helping me out!

Member Avatar for crunchie

I would determine what they are first :).

Member Avatar for Mishoboy

Determining what they are is beyond my skills and knowleadge. I suspect they are files created by the logmein application, but I might be wrong.
Perhaps you could give me few tips on how to determine what they are?
I will follow up tomorrow. Thank YOU again for all your help.

Member Avatar for crunchie

I gave you two links already where you can get those files scanned. All you need do is upload them one at a time.

Member Avatar for Mishoboy

All looks good. No threats found. Thank you once again for all your help.

Member Avatar for crunchie

No worries.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.