IE Pop-ups while running Firefox

Hey, so I've had this problem for about a month and I've been trying to fix it myself, but so far everything I've done hasn't had any effect. So yeah, I get pop-ups from various sites, including some blank ones with the header "Powered by Zedo". Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:29 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\llass.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {4947B574-5B3A-4720-B48B-9B631A152EB0} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {57C2F6D2-7AFA-488C-7090-94AB3D458B37} - C:\Program Files\MSN Gaming Zone\qufax122.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\System32\yayvuvs.dll (file missing)
O2 - BHO: (no name) - {b6fa7c08-6978-49fb-be36-5a33b3f62819} - C:\WINDOWS\System32\diombwy.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: (no name) - {FF944266-E0BD-4457-8032-0E61251754F6} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MircoSoftSN] llass.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [MircoSoftSN] llass.exe
O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_S79.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-21-436374069-362288127-725345543-1003\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_S79.tmp" /EF "HKCU" (User '?')
O4 - HKUS\S-1-5-21-436374069-362288127-725345543-1003\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe (User '?')
O4 - HKUS\S-1-5-21-436374069-362288127-725345543-1003\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe (User '?')
O4 - HKUS\S-1-5-21-436374069-362288127-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-436374069-362288127-725345543-1003\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 (User '?')
O4 - S-1-5-21-436374069-362288127-725345543-1003 Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe (User '?')
O4 - S-1-5-21-436374069-362288127-725345543-1003 Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User '?')
O4 - S-1-5-21-436374069-362288127-725345543-1003 Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (User '?')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200871025000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200873267515
O20 - Winlogon Notify: axixhgnz - axixhgnz.dll (file missing)
O20 - Winlogon Notify: yayvuvs - yayvuvs.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 8768 bytes
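As an added example that is not part of this thread and not HijackThis or Trend Micro code: a small Python triage script that reads lines in the HijackThis log format shown above and flags the entries a malware-removal helper usually reviews first. It reports registered components whose file is missing (the O2 BHO and O20 Winlogon Notify lines), O4 autostart entries whose name or executable is one edit away from a well-known Windows name (the log above has `llass.exe` next to the real `lsass.exe`, and an entry called `MircoSoftSN`), and entries under the RunServices key, which is a Windows 9x-era key that legitimate software on an NT-based system rarely uses. The sample log is a constructed subset of the lines posted above; the reference list of system names and the edit-distance threshold are my own choices, not part of any published tool.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines in HijackThis v2 log format, copied
# from the log posted in this thread (not the complete log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4947B574-5B3A-4720-B48B-9B631A152EB0} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FF944266-E0BD-4457-8032-0E61251754F6} - (no file)
O4 - HKLM\..\Run: [MircoSoftSN] llass.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [MircoSoftSN] llass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: axixhgnz - axixhgnz.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Hypothetical short list of names that malware commonly imitates; extend as needed.
SYSTEM_NAMES = ("lsass.exe", "svchost.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "spoolsv.exe", "microsoft", "windows")

# O4 registry autostart lines look like:  HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^(?P<key>.+?\\\.\.\\(?P<subkey>Run\w*)): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    line: str      # the full log line
    reason: str    # why a helper should look at it


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so 'mircosoft' is 1 away from 'microsoft'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(name: str, references=SYSTEM_NAMES, max_distance: int = 1):
    """Return the reference name that `name` imitates, or None.
    Only the prefix of `name` as long as the reference is compared, so a suffix
    such as 'SN' in 'MircoSoftSN' does not hide the imitation. An exact match
    (distance 0) is the genuine name and is never flagged."""
    n = name.lower()
    for ref in references:
        dist = osa_distance(n[:len(ref)], ref)
        if 0 < dist <= max_distance:
            return ref
    return None


def command_basename(cmd: str) -> str:
    """First token of a command line, quotes stripped, reduced to its file name."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1]


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis-format lines and return the entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        section, rest = line.split(" - ", 1)
        # A registration that points at a file that no longer exists is either
        # leftover from a removal or a component that hides/recreates itself.
        if rest.endswith("(file missing)") or rest.endswith("(no file)"):
            findings.append(Finding(section, line, "registered component whose file is missing"))
        if section != "O4":
            continue
        m = RUN_RE.match(rest)
        if not m:
            continue  # Startup-folder entries and other O4 forms are not handled here
        for candidate in (m.group("name"), command_basename(m.group("cmd"))):
            ref = lookalike(candidate)
            if ref:
                findings.append(Finding(section, line, f"'{candidate}' is a lookalike of '{ref}'"))
        if m.group("subkey") == "RunServices":
            findings.append(Finding(section, line, "uses the legacy Windows 9x RunServices key"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script reports the three missing-file registrations, both `MircoSoftSN`/`llass.exe` lines (twice each, once for the name and once for the executable) and the RunServices entry, and stays quiet on the genuine Windows Defender and ctfmon.exe entries. A flag is a pointer for a human to check the file on disk and its publisher, not a verdict.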

Comments

  • VekaVeka Finland
    edited April 2008
    Hi AyoMangocat, and welcome to the forums.

    I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

    Step 1:

    Please download MBAM and ComboFix to your desktop

    Step 2:

    Run Malwarebytes' Anti-Malware

    Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    Step 3:

    Run ComboFix

    Warning: You should not use ComboFix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could render your system/PC inoperable.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
  • edited April 2008
    vekarppe wrote:
    Hi AyoMangocat, and welcome to the forums.

    I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

    Step 1:

    Please download MBAM and ComboFix to your desktop

    Step 2:

    Run Malwarebytes' Anti-Malware

    Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    Step 3:

    Run ComboFix

    Warning: You should not use ComboFix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could render your system/PC inoperable.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


    Thanks for helping me so far. I followed your instructions carefully; here are the results:

    Combofix:

    ComboFix 08-04-08.4 - Owner 2008-04-08 15:26:44.1 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
    C:\Documents and Settings\Owner\My Documents\ASEMBL~1
    C:\temp\tn3
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\_000004_.tmp.dll
    C:\WINDOWS\system32\_000005_.tmp.dll
    C:\WINDOWS\system32\_000006_.tmp.dll
    C:\WINDOWS\system32\_000007_.tmp.dll
    C:\WINDOWS\system32\_000008_.tmp.dll
    C:\WINDOWS\system32\_000009_.tmp.dll
    C:\WINDOWS\system32\_000010_.tmp.dll
    C:\WINDOWS\system32\_000011_.tmp.dll
    C:\WINDOWS\system32\_000012_.tmp.dll
    C:\WINDOWS\system32\bmthuaut.dll
    C:\WINDOWS\system32\dqdycivb.dll
    C:\WINDOWS\system32\drivers\core.cache(2).dsk
    C:\WINDOWS\system32\drivers\core.cache(3).dsk
    C:\WINDOWS\system32\drivers\core.cache(4).dsk
    C:\WINDOWS\system32\drivers\core.cache(5).dsk
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\kjpyeldo.dll
    C:\WINDOWS\system32\knnmp.ini
    C:\WINDOWS\system32\knnmp.ini2
    C:\WINDOWS\system32\ndacodpa.ini
    C:\WINDOWS\system32\nmllm.ini
    C:\WINDOWS\system32\nmllm.ini2
    C:\WINDOWS\system32\owytjadc.dll
    C:\WINDOWS\system32\oyetbqtx.dll
    C:\WINDOWS\system32\ubrrlifk.dll
    C:\WINDOWS\system32\ulgngggq.dll
    C:\WINDOWS\system32\whmxectw.dll
    C:\WINDOWS\system32\whrfednr.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_CMDSERVICE
    \Legacy_DOMAINSERVICE
    \Legacy_NETWORK_MONITOR


    ((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
    .
    2008-04-08 15:03 . 2008-04-08 15:03 d C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-04-08 15:02 . 2008-04-08 15:02 d C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-08 15:02 . 2008-04-08 15:02 d C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-06 21:29 . 2008-04-06 21:29 d C:\Program Files\SpywareBlaster
    2008-04-06 21:29 . 2008-04-06 21:33 d-a C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-06 21:29 . 2005-08-25 18:18 118,784 --a C:\WINDOWS\system32\MSSTDFMT.DLL
    2008-04-06 19:25 . 2008-04-06 19:25 230 --a C:\WINDOWS\system32\spupdsvc.inf
    2008-04-06 19:08 . 2008-04-06 19:08 d C:\Documents and Settings\Owner\dwhelper
    2008-04-06 14:21 . 2008-04-07 15:38 69 --a C:\WINDOWS\NeroDigital.ini
    2008-04-02 04:08 . 2008-04-02 04:08 d C:\Program Files\MSXML 4.0
    2008-03-31 18:58 . 2008-03-31 18:58 d C:\Program Files\NeroInstall.bak
    2008-03-31 18:52 . 2008-03-31 18:52 d C:\Documents and Settings\Owner\Application Data\Nero
    2008-03-31 18:42 . 2008-03-31 18:42 d C:\Program Files\Nero
    2008-03-31 18:42 . 2008-03-31 18:47 d C:\Program Files\Common Files\Nero
    2008-03-31 18:42 . 2008-03-31 18:42 d C:\Documents and Settings\All Users\Application Data\Nero
    2008-03-30 22:07 . 2008-03-30 22:10 115,844 --a C:\iphonecover.png
    2008-03-20 01:30 . 2008-03-20 01:30 31,304 --ah C:\WINDOWS\system32\mlfcache.dat
    2008-03-16 18:08 . 2008-03-16 20:10 d C:\Documents and Settings\All Users\Application Data\SITEguard
    2008-03-16 17:50 . 2008-03-16 17:50 d C:\Program Files\Common Files\iS3
    2008-03-16 17:50 . 2008-03-18 15:34 d C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-03-13 17:05 . 2004-08-04 01:56 221,184 --a C:\WINDOWS\system32\wmpns.dll
    2008-03-13 04:13 . 2008-03-13 04:13 71,745 --a C:\WINDOWS\system32\MRT.INI
    2008-03-09 15:10 . 2008-03-09 15:09 869,336 --a C:\WINDOWS\unins000.exe
    2008-03-09 15:10 . 2008-03-09 15:10 2,547 --a C:\WINDOWS\unins000.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-08 19:35 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
    2008-04-08 19:35 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
    2008-04-08 19:00 d w C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-04-08 01:01 d w C:\Documents and Settings\Owner\Application Data\MP3Rocket
    2008-04-08 00:43 d w C:\Program Files\mIRC
    2008-04-07 19:47 d w C:\Program Files\Steam
    2008-04-03 12:11 d w C:\Program Files\Trend Micro
    2008-03-18 21:34 d w C:\Program Files\Java
    2008-03-15 17:11 d w C:\Program Files\AIM
    2008-03-13 21:03 d w C:\Program Files\Windows Media Connect 2
    2008-03-13 13:22 d--h--w C:\Documents and Settings\Owner\Application Data\ijjigame
    2008-03-13 12:14 d w C:\Program Files\DivX
    2008-03-13 12:14 d w C:\Program Files\DirectX
    2008-03-13 12:14 d w C:\Program Files\Common Files\logishrd
    2008-03-13 12:14 d w C:\Program Files\Bonjour
    2008-03-13 12:14 d w C:\Program Files\Apple Software Update
    2008-03-13 12:14 d w C:\Program Files\AOD
    2008-03-13 12:13 d w C:\Program Files\GoldWave
    2008-03-13 12:13 d w C:\Program Files\Folders
    2008-03-13 12:12 d w C:\Program Files\uTorrent
    2008-03-13 12:12 d w C:\Program Files\Spybot - Search & Destroy
    2008-03-13 12:12 d w C:\Program Files\Rainlendar2
    2008-03-13 12:12 d w C:\Program Files\MP3 Rocket
    2008-03-13 12:12 d w C:\Program Files\Last.fm
    2008-03-13 12:12 d w C:\Program Files\iTunes
    2008-03-09 19:14 d w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-07 16:45 d w C:\Program Files\Illustrate
    2008-03-05 12:00 d w C:\Documents and Settings\Owner\Application Data\Aim
    2008-03-04 21:12 d w C:\Program Files\Styler
    2008-02-28 22:38 1,152,478 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
    2008-02-26 21:14 1,152,476 ----a-w C:\WINDOWS\UNRecode.exe
    2008-02-18 21:21 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
    2008-02-18 21:21 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
    2008-02-08 15:36 d w C:\Program Files\Common Files\Java
    2008-02-08 15:34 d w C:\Program Files\AskSBar
    2007-06-13 10:23 1,569,246 --sh--r C:\WINDOWS\system32\llass.exe
    .
    ----a-w         1,582,556 2008-01-21 18:03:19  C:\Program Files\Analog Devices\Core\smax4pnp .exe
    ----a-w           444,890 2008-01-22 20:41:21  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w         1,543,136 2008-01-23 22:21:15  C:\Program Files\Rainlendar2\Rainlendar2 .exe
    ----a-w           325,088 2008-01-21 18:03:20  C:\Program Files\Razer\Diamondback\razerhid .exe
    ----a-w         1,638,364 2008-01-21 18:03:31  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    ----a-w           192,988 2008-01-23 22:21:32  C:\WINDOWS\system32\ctfmon .exe
    ----a-w           356,826 2008-01-21 18:03:20  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATICEA .EXE
    
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4947B574-5B3A-4720-B48B-9B631A152EB0}] C:\WINDOWS\system32\pmnnk.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57C2F6D2-7AFA-488C-7090-94AB3D458B37}] C:\Program Files\MSN Gaming Zone\qufax122.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6fa7c08-6978-49fb-be36-5a33b3f62819}] C:\WINDOWS\System32\diombwy.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}] 2008-02-08 11:34 262144 --a C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [2008-02-08 11:34 262144]
    [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2008-02-08 11:34 262144]
    [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "EPSON Stylus CX8400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.exe" [ ]
    "Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
    "Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 06:23 1543136]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 18:07 2008538]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MircoSoftSN"="llass.exe" [2007-06-13 06:23 1569246 C:\WINDOWS\system32\llass.exe]
    "POINTER"="point32.exe" []
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [ ]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 16:16 5058560]
    "nwiz"="nwiz.exe" [2003-10-06 16:16 919006 C:\WINDOWS\system32\nwiz.exe]
    "Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [ ]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 17:29 2401750]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "MircoSoftSN"="llass.exe" [2007-06-13 06:23 1569246 C:\WINDOWS\system32\llass.exe]
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-21 15:42:20 106496]
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-01-21 16:19:52 3450608]
    Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 18:34:48 3925466]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\axixhgnz]
    axixhgnz.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvuvs]
    yayvuvs.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]
    C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    C:\WINDOWS\System32\mllmn.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MircoSoftSN]
    -r-hs---- 2007-06-13 06:23 1569246 C:\WINDOWS\system32\llass.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a 2008-02-28 10:59 751074 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    -rahs---- 2008-01-28 12:43 2275286 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Steam\\steamapps\\dei2wizzl3\\counter-strike\\hl.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\ijji\\ENGLISH\\u_gbound.exe"=
    "C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
    "C:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\WINDOWS\\system32\\llass.exe"=
    "C:\\Program Files\\AIM\\aim.exe"=
    "C:\\Program Files\\Steam\\Steam.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
    "C:\\WINDOWS\\explorer.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=


    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-06 02:13:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-04-08 19:38:53 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-08 15:37:37 Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Other Running Processes
    .
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
    C:\WINDOWS\system32\cscript.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-08 15:43:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-08 19:43:00
    Pre-Run: 5,547,413,504 bytes free
    Post-Run: 5,462,945,792 bytes free
    .
    2008-04-06 19:51:10 --- E O F ---


    HT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:45:54 PM, on 4/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\llass.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Rainlendar2\Rainlendar2.exe
    C:\Program Files\Last.fm\LastFMHelper.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: (no name) - {4947B574-5B3A-4720-B48B-9B631A152EB0} - C:\WINDOWS\system32\pmnnk.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: 0 - {57C2F6D2-7AFA-488C-7090-94AB3D458B37} - C:\Program Files\MSN Gaming Zone\qufax122.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: (no name) - {b6fa7c08-6978-49fb-be36-5a33b3f62819} - C:\WINDOWS\System32\diombwy.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [MircoSoftSN] llass.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\RunServices: [MircoSoftSN] llass.exe
    O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_S79.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200871025000
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200873267515
    O20 - Winlogon Notify: axixhgnz - axixhgnz.dll (file missing)
    O20 - Winlogon Notify: yayvuvs - yayvuvs.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

    --
    End of file - 7091 bytes
  • VekaVeka Finland
    edited April 2008
    Hi, I don't see the MBAM log.

    Post the log if you have it, otherwise, please follow the new instructions


    Please do the following....

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    File::
    C:\WINDOWS\system32\drivers\lvuvc.hs
    C:\WINDOWS\system32\drivers\logiflt.iad
    C:\WINDOWS\system32\llass.exe
    C:\WINDOWS\System32\mllmn.exe
    
    RenV::
    C:\Program Files\Analog Devices\Core\smax4pnp .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\Program Files\Rainlendar2\Rainlendar2 .exe
    C:\Program Files\Razer\Diamondback\razerhid .exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATICEA .EXE
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4947B574-5B3A-4720-B48B-9B631A152EB0}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57C2F6D2-7AFA-488C-7090-94AB3D458B37}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6fa7c08-6978-49fb-be36-5a33b3f62819}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MircoSoftSN"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 
    "MircoSoftSN"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\axixhgnz]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvuvs]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MircoSoftSN]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\WINDOWS\system32\llass.exe"=-
    
    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    CFScript.gif


    5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
    • A new HijackThis log.
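As an added example (not code from the helper's post, ComboFix or HijackThis), the following Python turns the log entries the helper targeted into the CFScript directives shown above: orphaned O2 BHO and O20 Winlogon Notify entries become `[-key]` deletions, and an autostart whose executable imitates a real Windows process (llass.exe vs lsass.exe) becomes a `"name"=-` removal plus a `File::` entry resolved through the log's "Running processes" block. The heuristics, the SYSTEM_PROCESSES list and the sample log excerpt are my own construction from lines in this thread.

```python
"""Turn the HijackThis findings above into ComboFix CFScript directives.

Added example for this thread (not code from ComboFix, HijackThis or the helper).
Emits only the directives shown in the thread, File:: and Registry::, using my own
heuristics: O2/O20 entries whose DLL is "(file missing)" are orphaned loading points
(delete the key); an O4 executable one edit away from a real Windows process name
(llass.exe vs lsass.exe) is a look-alike (drop the value, delete the file).
"""
import re

# Process names malware commonly imitates (my list, not exhaustive).
SYSTEM_PROCESSES = ("lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "smss.exe", "explorer.exe")
RUN_KEYS = {  # HijackThis abbreviates the O4 hive; these are the real paths
    r"HKLM\..\Run": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\..\RunServices": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\..\Run": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
BHO_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run(?:Services)?): \[([^\]]+)\] (.*)$")

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\llass.exe

O2 - BHO: (no name) - {4947B574-5B3A-4720-B48B-9B631A152EB0} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {b6fa7c08-6978-49fb-be36-5a33b3f62819} - C:\WINDOWS\System32\diombwy.dll (file missing)
O4 - HKLM\..\Run: [MircoSoftSN] llass.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [MircoSoftSN] llass.exe
O20 - Winlogon Notify: axixhgnz - axixhgnz.dll (file missing)
O20 - Winlogon Notify: yayvuvs - yayvuvs.dll (file missing)
"""


def edit_distance(a, b):
    """Levenshtein distance; one edit is the usual look-alike budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe):
    """System process name that `exe` imitates (one edit away), else None."""
    name = exe.lower()
    if name in SYSTEM_PROCESSES:
        return None
    return next((p for p in SYSTEM_PROCESSES if edit_distance(name, p) == 1), None)


def running_processes(log):
    """Map lower-case basename -> full path from the 'Running processes:' block."""
    paths, in_block = {}, False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block and not line:
            break  # the block ends at the first blank line
        elif in_block:
            paths.setdefault(line.rsplit("\\", 1)[-1].lower(), line)
    return paths


def exe_of(command):
    """Basename of the program an O4 command line starts, quoted or not."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)).rsplit("\\", 1)[-1]


def analyse(log):
    """Return (files, registry): the lines to put under File:: and Registry::."""
    procs = running_processes(log)
    files, registry, run_values = [], [], {}
    for raw in log.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m and m.group(2).endswith("(file missing)"):
            registry.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % m.group(1))
        m = NOTIFY_RE.match(line)
        if m and m.group(2).endswith("(file missing)"):
            registry.append(r"[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\%s]" % m.group(1))
        m = RUN_RE.match(line)
        if m:
            key, name, command = m.groups()
            exe = exe_of(command)
            if lookalike_of(exe):
                run_values.setdefault(RUN_KEYS[key], []).append(name)
                full = procs.get(exe.lower())  # bare name -> path seen running
                if full and full not in files:
                    files.append(full)
    for key, names in run_values.items():  # one [key] header per hive
        registry.append("[%s]" % key)
        registry.extend('"%s"=-' % n for n in names)
    return files, registry


def build_cfscript(log):
    """Render the CFScript text in the layout the helper posted."""
    files, registry = analyse(log)
    out = ["File::"] + files + [""] if files else []
    out += ["Registry::"] + registry if registry else []
    return "\n".join(out) + "\n"
```

Running `build_cfscript(SAMPLE_LOG)` reproduces the File:: and Registry:: portions of the helper's script for these entries; the RenV:: section depends on ComboFix's own file scan and is not generated here.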
  • edited April 2008
    vekarppe wrote:
    Hi, I don't see the MBAM log.

    Post the log if you have it, otherwise, please follow the new instructions


    Please do the following....

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    File::
    C:\WINDOWS\system32\drivers\lvuvc.hs
    C:\WINDOWS\system32\drivers\logiflt.iad
    C:\WINDOWS\system32\llass.exe
    C:\WINDOWS\System32\mllmn.exe
    
    RenV::
    C:\Program Files\Analog Devices\Core\smax4pnp .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\Program Files\Rainlendar2\Rainlendar2 .exe
    C:\Program Files\Razer\Diamondback\razerhid .exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATICEA .EXE
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4947B574-5B3A-4720-B48B-9B631A152EB0}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57C2F6D2-7AFA-488C-7090-94AB3D458B37}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6fa7c08-6978-49fb-be36-5a33b3f62819}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MircoSoftSN"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 
    "MircoSoftSN"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\axixhgnz]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvuvs]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MircoSoftSN]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\WINDOWS\system32\llass.exe"=-
    
    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    CFScript.gif


    5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
    • A new HijackThis log.


    Whoops, forgot about the MBAM log, sorry :p The IE pop-ups have disappeared, thanks a lot!

    Here are the updated logs:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:22:50 PM, on 4/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\llass.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Rainlendar2\Rainlendar2.exe
    C:\Program Files\Last.fm\LastFMHelper.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Last.fm\LastFM.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: (no name) - {4947B574-5B3A-4720-B48B-9B631A152EB0} - C:\WINDOWS\system32\pmnnk.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: 0 - {57C2F6D2-7AFA-488C-7090-94AB3D458B37} - C:\Program Files\MSN Gaming Zone\qufax122.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: (no name) - {b6fa7c08-6978-49fb-be36-5a33b3f62819} - C:\WINDOWS\System32\diombwy.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [MircoSoftSN] llass.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\RunServices: [MircoSoftSN] llass.exe
    O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_S79.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200871025000
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200873267515
    O20 - Winlogon Notify: axixhgnz - axixhgnz.dll (file missing)
    O20 - Winlogon Notify: yayvuvs - yayvuvs.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

    --
    End of file - 7162 bytes


    ComboFix 08-04-08.4 - Owner 2008-04-08 20:11:38.2 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
    .

    2008-04-08 17:43 . 2008-04-08 20:13 d-------- C:\WINDOWS\LastGood
    2008-04-08 15:03 . 2008-04-08 15:03 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-04-08 15:02 . 2008-04-08 15:02 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-08 15:02 . 2008-04-08 15:02 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-07 15:16 . 2008-04-07 15:16 d-------- C:\Program Files\RAR Password Cracker
    2008-04-06 21:29 . 2008-04-06 21:29 d-------- C:\Program Files\SpywareBlaster
    2008-04-06 21:29 . 2008-04-06 21:33 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-06 21:29 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
    2008-04-06 19:25 . 2008-04-06 19:25 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
    2008-04-06 19:08 . 2008-04-06 19:08 d-------- C:\Documents and Settings\Owner\dwhelper
    2008-04-06 14:21 . 2008-04-07 15:38 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-04-02 04:08 . 2008-04-02 04:08 d-------- C:\Program Files\MSXML 4.0
    2008-03-31 18:58 . 2008-03-31 18:58 d-------- C:\Program Files\NeroInstall.bak
    2008-03-31 18:52 . 2008-03-31 18:52 d-------- C:\Documents and Settings\Owner\Application Data\Nero
    2008-03-31 18:42 . 2008-03-31 18:42 d-------- C:\Program Files\Nero
    2008-03-31 18:42 . 2008-03-31 18:47 d-------- C:\Program Files\Common Files\Nero
    2008-03-31 18:42 . 2008-03-31 18:42 d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2008-03-30 22:07 . 2008-03-30 22:10 115,844 --a------ C:\iphonecover.png
    2008-03-20 01:30 . 2008-03-20 01:30 31,304 --ah----- C:\WINDOWS\system32\mlfcache.dat
    2008-03-16 18:08 . 2008-03-16 20:10 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
    2008-03-16 17:50 . 2008-03-16 17:50 d-------- C:\Program Files\Common Files\iS3
    2008-03-16 17:50 . 2008-03-18 15:34 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-03-13 17:05 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-03-13 04:13 . 2008-03-13 04:13 71,745 --a------ C:\WINDOWS\system32\MRT.INI
    2008-03-09 15:10 . 2008-03-09 15:09 869,336 --a------ C:\WINDOWS\unins000.exe
    2008-03-09 15:10 . 2008-03-09 15:10 2,547 --a------ C:\WINDOWS\unins000.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-08 21:07 --------- d-----w C:\Program Files\Steam
    2008-04-08 19:35 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
    2008-04-08 19:35 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
    2008-04-08 19:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-04-08 01:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\MP3Rocket
    2008-04-08 00:43 --------- d-----w C:\Program Files\mIRC
    2008-04-03 12:11 --------- d-----w C:\Program Files\Trend Micro
    2008-03-18 21:34 --------- d-----w C:\Program Files\Java
    2008-03-15 17:11 --------- d-----w C:\Program Files\AIM
    2008-03-13 21:03 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-03-13 13:22 --------- d--h--w C:\Documents and Settings\Owner\Application Data\ijjigame
    2008-03-13 12:14 --------- d-----w C:\Program Files\DivX
    2008-03-13 12:14 --------- d-----w C:\Program Files\DirectX
    2008-03-13 12:14 --------- d-----w C:\Program Files\Common Files\logishrd
    2008-03-13 12:14 --------- d-----w C:\Program Files\Bonjour
    2008-03-13 12:14 --------- d-----w C:\Program Files\Apple Software Update
    2008-03-13 12:14 --------- d-----w C:\Program Files\AOD
    2008-03-13 12:13 --------- d-----w C:\Program Files\GoldWave
    2008-03-13 12:13 --------- d-----w C:\Program Files\Folders
    2008-03-13 12:12 --------- d-----w C:\Program Files\uTorrent
    2008-03-13 12:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-03-13 12:12 --------- d-----w C:\Program Files\Rainlendar2
    2008-03-13 12:12 --------- d-----w C:\Program Files\MP3 Rocket
    2008-03-13 12:12 --------- d-----w C:\Program Files\Last.fm
    2008-03-13 12:12 --------- d-----w C:\Program Files\iTunes
    2008-03-09 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-07 16:45 345,558 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
    2008-03-07 16:45 --------- d-----w C:\Program Files\Illustrate
    2008-03-05 12:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\Aim
    2008-03-04 21:12 --------- d-----w C:\Program Files\Styler
    2008-02-28 22:38 1,152,478 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
    2008-02-26 21:14 1,152,476 ----a-w C:\WINDOWS\UNRecode.exe
    2008-02-18 21:21 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
    2008-02-18 21:21 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
    2008-02-18 21:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
    2008-01-31 14:21 95,296 ----a-w C:\WINDOWS\system32\ssgcwnoq.dll
    2008-01-23 22:21 192,988 ----a-w C:\WINDOWS\system32\ctfmon .exe
    2008-01-20 21:33 558,142 ----a-w C:\WINDOWS\java\Packages\KPVHR771.ZIP
    2008-01-20 21:33 155,995 ----a-w C:\WINDOWS\java\Packages\RXJZLNR3.ZIP
    2008-01-16 23:25 857,568 ----a-w C:\WINDOWS\system32\ijjiSetup.exe
    2007-06-13 10:23 1,569,246 --sh--r C:\WINDOWS\system32\llass.exe
    .
    ----a-w         1,582,556 2008-01-21 18:03:19  C:\Program Files\Analog Devices\Core\smax4pnp .exe
    ----a-w           444,890 2008-01-22 20:41:21  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w         1,543,136 2008-01-23 22:21:15  C:\Program Files\Rainlendar2\Rainlendar2 .exe
    ----a-w           325,088 2008-01-21 18:03:20  C:\Program Files\Razer\Diamondback\razerhid .exe
    ----a-w         1,638,364 2008-01-21 18:03:31  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    ----a-w           192,988 2008-01-23 22:21:32  C:\WINDOWS\system32\ctfmon .exe
    ----a-w           356,826 2008-01-21 18:03:20  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATICEA .EXE
    
    ((((((((((((((((((((((((((((( snapshot@2008-04-08_15.42.23.06 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2005-10-21 00:02:28 340,954 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    - 2000-08-31 12:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
    + 2000-08-31 12:00:00 251,360 ----a-w C:\WINDOWS\fdsv.exe
    - 2000-08-31 12:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
    + 2000-08-31 12:00:00 258,520 ----a-w C:\WINDOWS\grep.exe
    + 2004-08-04 05:56:48 361,438 ----a-w C:\WINDOWS\LastGood\system32\accwiz.exe
    + 2004-08-04 05:56:48 188,894 ----a-w C:\WINDOWS\LastGood\system32\atmadm.exe
    + 2004-08-04 05:56:48 183,254 ----a-w C:\WINDOWS\LastGood\system32\cisvc.exe
    + 2004-08-04 05:56:48 280,540 ----a-w C:\WINDOWS\LastGood\system32\clipbrd.exe
    + 2004-08-04 05:56:50 205,270 ----a-w C:\WINDOWS\LastGood\system32\conime.exe
    + 2004-08-04 05:56:50 202,716 ----a-w C:\WINDOWS\LastGood\system32\defrag.exe
    + 2004-08-04 05:56:50 193,496 ----a-w C:\WINDOWS\LastGood\system32\dmremote.exe
    + 2004-08-04 05:56:50 188,370 ----a-w C:\WINDOWS\LastGood\system32\dumprep.exe
    + 2004-08-04 05:56:50 223,192 ----a-w C:\WINDOWS\LastGood\system32\extrac32.exe
    + 2004-08-04 05:56:50 198,612 ----a-w C:\WINDOWS\LastGood\system32\fontview.exe
    + 2004-08-04 05:56:52 211,926 ----a-w C:\WINDOWS\LastGood\system32\ie4uinit.exe
    + 2004-08-04 05:56:52 201,178 ----a-w C:\WINDOWS\LastGood\system32\ipxroute.exe
    + 2004-08-04 05:56:52 252,886 ----a-w C:\WINDOWS\LastGood\system32\locator.exe
    + 2004-08-04 05:56:52 250,326 ----a-w C:\WINDOWS\LastGood\system32\magnify.exe
    + 2004-08-04 05:56:54 183,772 ----a-w C:\WINDOWS\LastGood\system32\msdtc.exe
    + 2004-08-04 05:56:54 189,920 ----a-w C:\WINDOWS\LastGood\system32\mstinit.exe
    + 2004-08-04 05:56:56 263,644 ----a-w C:\WINDOWS\LastGood\system32\netsh.exe
    + 2004-08-04 05:56:56 210,396 ----a-w C:\WINDOWS\LastGood\system32\odbcad32.exe
    + 2004-08-04 05:56:56 228,826 ----a-w C:\WINDOWS\LastGood\system32\oobe\oobebaln.exe
    + 2004-08-04 05:56:56 193,494 ----a-w C:\WINDOWS\LastGood\system32\perfmon.exe
    + 2004-08-04 05:56:56 198,102 ----a-w C:\WINDOWS\LastGood\system32\qprocess.exe
    + 2004-08-04 05:56:56 227,798 ----a-w C:\WINDOWS\LastGood\system32\reg.exe
    + 2004-08-04 05:56:56 192,478 ----a-w C:\WINDOWS\LastGood\system32\rsh.exe
    + 2004-08-04 05:56:56 191,962 ----a-w C:\WINDOWS\LastGood\system32\runonce.exe
    + 2004-08-04 05:56:58 220,124 ----a-w C:\WINDOWS\LastGood\system32\shmgrate.exe
    + 2004-08-04 05:56:58 185,814 ----a-w C:\WINDOWS\LastGood\system32\smbinst.exe
    + 2004-08-04 05:56:58 189,406 ----a-w C:\WINDOWS\LastGood\system32\spnpinst.exe
    + 2004-08-04 05:56:58 787,930 ----a-w C:\WINDOWS\LastGood\system32\sspipes.scr
    + 2004-08-04 05:56:58 283,612 ----a-w C:\WINDOWS\LastGood\system32\sysocmgr.exe
    + 2005-05-10 23:45:48 253,406 ----a-w C:\WINDOWS\LastGood\system32\telnet.exe
    + 2004-08-04 05:56:58 194,528 ----a-w C:\WINDOWS\LastGood\system32\upnpcont.exe
    + 2004-08-04 05:56:52 281,046 ----a-w C:\WINDOWS\LastGood\system32\usmt\migload.exe
    + 2004-08-04 05:56:58 467,420 ----a-w C:\WINDOWS\LastGood\system32\vssvc.exe
    + 2004-08-04 05:56:58 183,252 ----a-w C:\WINDOWS\LastGood\system32\winver.exe
    + 2004-08-04 05:56:58 209,884 ----a-w C:\WINDOWS\LastGood\system32\wpabaln.exe
    + 2004-08-04 05:56:58 208,338 ----a-w C:\WINDOWS\LastGood\system32\xcopy.exe
    - 2000-08-31 12:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
    + 2000-08-31 12:00:00 276,446 ----a-w C:\WINDOWS\sed.exe
    - 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
    + 2000-08-31 12:00:00 314,330 ----a-w C:\WINDOWS\swsc.exe
    - 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
    + 2000-08-31 12:00:00 390,106 ----a-w C:\WINDOWS\swxcacls.exe
    - 2008-04-08 19:25:17 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-04-08 19:43:09 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-04-08 19:25:17 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-04-08 19:43:09 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
    - 2000-08-31 12:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
    + 2000-08-31 12:00:00 226,778 ----a-w C:\WINDOWS\VFind.exe
    - 2000-08-31 12:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
    + 2000-08-31 12:00:00 245,718 ----a-w C:\WINDOWS\zip.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4947B574-5B3A-4720-B48B-9B631A152EB0}]
    C:\WINDOWS\system32\pmnnk.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57C2F6D2-7AFA-488C-7090-94AB3D458B37}]
    C:\Program Files\MSN Gaming Zone\qufax122.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6fa7c08-6978-49fb-be36-5a33b3f62819}]
    C:\WINDOWS\System32\diombwy.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
    2008-02-08 11:34 262144 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [2008-02-08 11:34 262144]
    [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2008-02-08 11:34 262144]
    [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EPSON Stylus CX8400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.exe" [ ]
    "Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
    "Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 06:23 1543136]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 18:07 2008538]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MircoSoftSN"="llass.exe" [2007-06-13 06:23 1569246 C:\WINDOWS\system32\llass.exe]
    "POINTER"="point32.exe" []
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [ ]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 16:16 5058560]
    "nwiz"="nwiz.exe" [2003-10-06 16:16 919006 C:\WINDOWS\system32\nwiz.exe]
    "Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [ ]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 17:29 2401750]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "MircoSoftSN"="llass.exe" [2007-06-13 06:23 1569246 C:\WINDOWS\system32\llass.exe]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-21 15:42:20 106496]
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-01-21 16:19:52 3450608]
    Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 18:34:48 3925466]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\axixhgnz]
    axixhgnz.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvuvs]
    yayvuvs.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]
    C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    C:\WINDOWS\System32\mllmn.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MircoSoftSN]
    -r-hs---- 2007-06-13 06:23 1569246 C:\WINDOWS\system32\llass.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2008-02-28 10:59 751074 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    -rahs---- 2008-01-28 12:43 2275286 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Steam\\steamapps\\dei2wizzl3\\counter-strike\\hl.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\ijji\\ENGLISH\\u_gbound.exe"=
    "C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
    "C:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\WINDOWS\\system32\\llass.exe"=
    "C:\\Program Files\\AIM\\aim.exe"=
    "C:\\Program Files\\Steam\\Steam.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
    "C:\\WINDOWS\\explorer.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=

    R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 23:43]
    S1 videoprtt;videoprtt;C:\WINDOWS\system32\drivers\videoprtt.sys []
    S3 Revolution1;Revolution1;C:\Documents and Settings\Owner\Desktop\GB\Revolution_Engine_8.3_ShaK3\SHAK3.sys []

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-06 02:13:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-04-08 19:38:53 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-08 20:17:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
    .
    Completion time: 2008-04-08 20:20:47
    ComboFix-quarantined-files.txt 2008-04-09 00:20:36
    ComboFix2.txt 2008-04-08 19:43:07
    Pre-Run: 5,386,596,352 bytes free
    Post-Run: 5,374,009,344 bytes free
    .
    2008-04-08 19:45:27 --- E O F ---
  • VekaVeka Finland
    edited April 2008
    Hi. You didn't do it as I asked. Please make sure you read the instructions carefully and follow them exactly.


    Please do the following....

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    File::
    C:\WINDOWS\system32\drivers\lvuvc.hs
    C:\WINDOWS\system32\drivers\logiflt.iad
    C:\WINDOWS\system32\llass.exe
    C:\WINDOWS\System32\mllmn.exe
    
    RenV::
    C:\Program Files\Analog Devices\Core\smax4pnp .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\Program Files\Rainlendar2\Rainlendar2 .exe
    C:\Program Files\Razer\Diamondback\razerhid .exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATICEA .EXE
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4947B574-5B3A-4720-B48B-9B631A152EB0}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57C2F6D2-7AFA-488C-7090-94AB3D458B37}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6fa7c08-6978-49fb-be36-5a33b3f62819}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MircoSoftSN"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 
    "MircoSoftSN"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\axixhgnz]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvuvs]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MircoSoftSN]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\WINDOWS\system32\llass.exe"=-
    
    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: CFScript.gif]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
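A reviewer who wants to see exactly what a CFScript like the one above will remove before dropping it onto ComboFix can split it into sections and read the Registry:: block. The following is an added example, not code from the post or from ComboFix, and it assumes the Registry:: block follows regedit .reg conventions (`[-Key]` deletes a key, `"Name"=-` deletes a value); the embedded sample is a trimmed, constructed copy of the script in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the CFScript from the post above.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\llass.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4947B574-5B3A-4720-B48B-9B631A152EB0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MircoSoftSN"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\WINDOWS\system32\llass.exe"=-
"""


@dataclass
class RegistryPlan:
    delete_keys: list = field(default_factory=list)    # whole keys to remove
    delete_values: list = field(default_factory=list)  # (key, value name) pairs


def parse_cfscript(text):
    """Split a CFScript into its '<Name>::' sections; blank lines are ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_plan(lines):
    """Interpret Registry:: lines with .reg conventions (assumption, see lead-in)."""
    plan = RegistryPlan()
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):       # [-Key]  -> delete the whole key
                plan.delete_keys.append(body[1:])
                key = None
            else:                          # [Key]   -> following values apply here
                key = body
        else:
            value = re.fullmatch(r'"(.+)"=-', line)   # "Name"=- -> delete value
            if value and key is not None:
                plan.delete_values.append((key, value.group(1)))
    return plan
```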
  • VekaVeka Finland
    edited April 2008
    This topic is now closed due to inactivity. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

    If you are not the user who started this thread, you must start your own Thread instead :)