New Malware, Help!!
Join Date: May 2009
Posts: 9
Solved Threads: 0
I have Trend Micro on my machine, up to date, but it missed this malware that I am now infected with.
Symptoms:
Can't run Malwarebytes/Spybot/Windows removal tool/other anti-malware
changed my dns servers to others that sent me to spam (corrected)
cd/dvd burner not recognized anymore
running slow
internet slow
internet does not work (not even a 404 or error, just blank white) until I end the process welik.exe
I can't run Malwarebytes in safe mode either. Someone recommended burning an Avira rescue CD, so I did, but it would not load for some reason (hardware not compatible perhaps). Anyone have any recommendations?
After deleting C:\windows\welik.exe it hasn't started again and my internet works, but my computer still behaves weirdly, such as the back button in my browser jumping back two pages, and what I described above.
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:25:22 PM, on 5/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroDist.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\rundll50.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKLM\..\Run: [Nod32 Runtime] welik.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\RunServices: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O4 - HKLM\..\RunServices: [Nod32 Runtime] welik.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Orb] C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
O4 - HKCU\..\Run: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunServices: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{390B0ACA-70B1-419C-BAD8-CA17314D23FE}: NameServer = 216.228.160.3,216.228.160.4
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
Join Date: May 2009
Posts: 6
Solved Threads: 1
Dude, try this:
http://download.chip.eu/en/Malwarebytes_-Anti-Malware_3662215.html
or
http://www.kaspersky.com/removaltools
I hope your problem will be resolved.
Take care.
If that does not work, change the file name before you download it.
Join Date: May 2009
Posts: 9
Solved Threads: 0
Right-clicked, Save Target As, saved mbam-setup.exe as fdsafds.exe. Ran it, changed the install folder, install name, all that. Then didn't check the boxes to run and update, went to the install directory, and changed mbam.exe to sfadsafds.exe. Ran it. Same problem as a normal mbam install: it just doesn't do anything. Please help! I'm getting desperate. I can usually solve computer problems and find it a fun challenge, but this piece of malware is causing me some trouble.
Open Device Manager and on the VIEW Tab, select the Show hidden devices option.
Go down to non plug and play drivers and see if there is one called TDSSserv and disable it.
==
Reboot and try again if the above was found.
Join Date: May 2009
Posts: 9
Solved Threads: 0
I had found that on another site, but I don't have that entry in my Device Manager (TDSSserv). I set mbam to run in compatibility mode for Windows 2000 and it worked. I ran it and removed all. The computer now seems to work fine, although it seems to have left a few things not working. Do you think I could still have other malware that mbam missed? Is there another program I could run? Spybot S&D won't run, but I think it might have something to do with it not working with Trend Micro. If I am wrong, then this is a problem.
Cd/dvd burner now recognized.
Still cannot print.
Browser still jumps two pages using forward and back buttons or backspace. Jumps the 1 correct page when using alt+left/right.
Spybot does not run.
Thanks for all your time and keeping me motivated. What is my next step?
Please download ComboFix by sUBs from HERE or HERE
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Run Combofix ONCE only!!
- You must download it to and run it from your Desktop
- Physically disconnect from the internet.
- Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
- Double click combofix.exe & follow the prompts.
- When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
- Re-enable all the programs that were disabled during the running of ComboFix.
Join Date: May 2009
Posts: 9
Solved Threads: 0
Here's the ComboFix log. After it ran only the basic processes were running, so I will restart and then run HJT and post that next.
ComboFix 09-05-04.A3 - erik 05/05/2009 7:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.690 [GMT -7:00]
Running from: c:\documents and settings\erik\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\gxvxcetpsodkjapptdmxgdispvqlppxxlnroy.sys
c:\windows\system32\drivers\gxvxciojnliagevpjfscaerqviwcqkygtuwnd.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\gxvxcwstvuvybttxhyjmvsueqyujepnpkliow.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
d:\recycler\S-2-1-12-100026165-100010272-100009460-9355.com
d:\recycler\S-7-4-13-100002836-100017221-100007023-4375.com
f:\recycler\S-2-1-12-100026165-100010272-100009460-9355.com
f:\recycler\S-7-4-13-100002836-100017221-100007023-4375.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gxvxcserv.sys
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.
2009-05-05 04:19 . 2009-05-05 04:19 -------- d-----w c:\documents and settings\erik\Application Data\Malwarebytes
2009-05-04 01:12 . 2009-05-04 01:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-04 01:12 . 2009-05-04 01:12 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-03 22:29 . 2009-05-03 22:29 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\WMTools Downloaded Files
2009-05-03 17:22 . 2009-05-03 17:22 -------- d-----w C:\Malwarebytes' Anti-Malware
2009-05-02 20:13 . 2009-05-02 20:13 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Ahead
2009-05-02 20:12 . 2009-05-02 20:14 -------- d-----w c:\documents and settings\erik\Application Data\Ahead
2009-05-02 20:11 . 2009-05-02 20:11 -------- d-----w c:\program files\Nero
2009-05-02 20:11 . 2009-05-02 20:13 -------- d-----w c:\program files\Common Files\Ahead
2009-05-02 19:52 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 19:52 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 19:52 . 2009-05-02 20:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware1
2009-05-02 19:14 . 2009-05-02 19:14 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-02 08:21 . 2009-05-02 08:21 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-02 08:21 . 2009-05-04 22:41 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-01 22:12 . 2009-05-01 22:12 233472 ----a-w c:\windows\system32\REX Shared Library.dll
2009-05-01 22:12 . 2009-05-01 22:12 368640 ----a-w c:\windows\system32\ReWire.dll
2009-05-01 22:06 . 2008-02-22 11:30 334792 ----a-w c:\windows\system32\_AxShlEx.dll
2009-05-01 21:57 . 2009-05-05 05:06 -------- d-----w c:\program files\Autorun Eater
2009-05-01 21:51 . 2009-05-01 21:51 -------- d-----w c:\program files\Alcohol Soft
2009-05-01 21:41 . 2009-05-01 21:41 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-05-01 19:27 . 2009-05-01 19:27 -------- d-----w c:\documents and settings\All Users\Application Data\Propellerhead Software
2009-05-01 19:27 . 2009-05-01 22:12 -------- d-----w c:\documents and settings\erik\Application Data\Propellerhead Software
2009-05-01 19:23 . 2009-05-01 19:23 -------- d-----w c:\program files\Propellerhead
2009-04-28 06:16 . 2009-04-28 06:16 -------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2009-04-28 05:17 . 2003-06-19 00:31 17920 ----a-w c:\windows\system32\mdimon.dll
2009-04-28 05:16 . 2009-04-28 05:16 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-28 05:15 . 2009-04-28 05:16 -------- d-----w c:\windows\SHELLNEW
2009-04-23 20:44 . 2009-05-05 04:46 -------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2009-04-23 20:44 . 2009-04-23 20:44 -------- d-----w c:\program files\Orb Networks
2009-04-21 17:43 . 2009-04-21 17:43 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-04-15 15:45 . 2008-04-14 07:15 26368 -c--a-w c:\windows\system32\dllcache\usbstor.sys
2009-04-15 02:51 . 2009-04-15 02:52 -------- d-----w c:\documents and settings\erik\Application Data\vlc
2009-04-14 06:22 . 2009-04-14 06:22 -------- d-----w c:\windows\system32\LogFiles
2009-04-14 03:39 . 2009-04-14 03:39 13616 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-14 03:38 . 2008-11-20 19:19 9072 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-04-14 03:38 . 2008-11-20 19:19 9200 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-04-14 03:38 . 2009-04-14 03:38 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Google
2009-04-14 03:38 . 2009-04-14 03:38 -------- d-----w c:\windows\system32\IOSUBSYS
2009-04-14 03:38 . 2009-04-14 03:38 -------- d-----w c:\program files\Google
2009-04-13 19:51 . 2009-04-13 19:51 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-13 07:48 . 2009-04-13 07:48 -------- d-----w c:\documents and settings\All Users\Application Data\ALM
2009-04-13 07:39 . 2008-04-07 12:38 22872 ----a-r c:\windows\system32\AdobePDFUI.dll
2009-04-13 07:39 . 2008-04-07 12:38 45392 ----a-r c:\windows\system32\AdobePDF.dll
2009-04-13 07:31 . 2009-04-13 07:31 -------- d-----w c:\program files\Adobe Media Player
2009-04-13 07:31 . 2009-04-13 07:31 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-13 07:22 . 2009-04-14 05:04 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Adobe
2009-04-13 07:22 . 2009-04-13 07:22 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-13 07:17 . 2009-04-28 05:58 20720 ----a-w c:\documents and settings\erik\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 07:17 . 2009-04-21 17:43 -------- d-----w c:\program files\Common Files\Adobe
2009-04-12 22:10 . 2001-08-18 05:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-12 22:10 . 2008-04-14 12:42 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-12 22:10 . 2008-04-14 07:15 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-12 22:10 . 2008-04-14 07:15 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-12 21:45 . 2009-04-25 01:54 -------- d-----w c:\documents and settings\erik\Application Data\Apple Computer
2009-04-12 21:41 . 2009-04-12 21:41 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Apple
2009-04-12 21:41 . 2009-04-12 21:41 -------- d-----w c:\program files\Apple Software Update
2009-04-12 21:41 . 2009-03-26 22:23 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-04-12 21:41 . 2009-03-26 22:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-04-12 21:41 . 2009-04-12 21:44 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-12 21:40 . 2009-04-12 21:40 -------- d-----w c:\program files\VideoLAN
2009-04-12 21:40 . 2009-04-12 21:44 -------- d-----w c:\program files\Common Files\Apple
2009-04-12 21:40 . 2009-04-12 21:40 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-12 21:40 . 2009-05-05 05:06 -------- d-----w c:\program files\Steam
2009-04-12 21:40 . 2009-04-12 21:45 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Apple Computer
2009-04-12 21:36 . 2009-04-12 21:36 -------- d-----w c:\program files\uTorrent
2009-04-12 21:36 . 2009-05-05 05:29 -------- d-----w c:\documents and settings\erik\Application Data\uTorrent
2009-04-12 21:26 . 2009-04-12 21:26 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Identities
2009-04-12 21:25 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-12 21:25 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-12 21:25 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-12 21:24 . 2009-04-12 21:26 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-12 21:24 . 2009-04-12 21:38 -------- d-----w c:\program files\Trend Micro
2009-04-12 21:19 . 2009-04-12 21:19 -------- d-----w C:\NVIDIAo
2009-04-12 21:02 . 2009-04-12 21:02 664 ----a-w c:\windows\system32\d3d9caps.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 21:44 . 2009-04-12 21:44 -------- d-----w c:\program files\iTunes
2009-04-12 21:44 . 2009-04-12 20:06 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-12 21:44 . 2009-04-12 21:44 -------- d-----w c:\program files\iPod
2009-04-12 21:43 . 2009-04-12 21:43 -------- d-----w c:\program files\Bonjour
2009-04-12 21:42 . 2009-04-12 21:42 -------- d-----w c:\program files\QuickTime
2009-04-12 21:42 . 2009-04-12 21:42 0 ----a-w c:\windows\nsreg.dat
2009-04-12 20:35 . 2009-04-12 20:07 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-12 20:13 . 2009-04-12 20:13 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-12 20:08 . 2009-04-12 20:08 -------- d-----w c:\program files\microsoft frontpage
2009-04-12 20:07 . 2008-04-14 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-12 20:06 . 2009-04-12 20:06 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-12 20:04 . 2009-04-12 20:04 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-27 17:03 . 2009-04-12 20:21 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-03-27 15:14 . 2009-04-12 20:13 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-20 18:50 . 2009-03-20 18:50 3358720 ----a-w c:\windows\system32\GPhotos.scr
2009-03-19 23:32 . 2009-04-12 21:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 02:17 . 2009-04-09 20:15 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-03-06 02:17 . 2009-04-09 20:15 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-03-06 02:17 . 2009-04-09 20:15 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-03-03 23:12 . 2009-04-09 20:15 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-04-12 272176]
"Steam"="c:\program files\Steam\Steam.exe" [2009-04-12 1410296]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2009-03-17 510416]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-05-01 4608]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-22 94208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-09 497008]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Hotfix-KB5504305 REG_SZ c:\windows\system32\rundll50.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"=
"DEFG®,‘|ä,‘|Q-‘|X-‘|>"= DEFG®,‘|ä,‘|Q-‘|X-‘|>:Nod32 Runtime
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3389:TCP"= 3389:TCP
xpsp2res.dll,-22009
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [4/12/2009 2:25 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [4/9/2009 1:15 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [4/12/2009 2:25 PM 677128]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Nod32 Runtime - welik.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {390B0ACA-70B1-419C-BAD8-CA17314D23FE} = 216.228.160.3,216.228.160.4
FF - ProfilePath - c:\documents and settings\erik\Application Data\Mozilla\Firefox\Profiles\qbafkf25.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 07:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-05-05 7:49
ComboFix-quarantined-files.txt 2009-05-05 14:49
Pre-Run: 52,124,041,216 bytes free
Post-Run: 52,760,903,680 bytes free
224
Computer seems to be working much better, see anything that needs to be done?
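Added example for readers triaging a log like the one above; it is not part of the original post and not ComboFix code. It takes the registry section ComboFix prints (the sample lines are copied from the posted log) and flags the settings a responder would want to re-check after cleanup: the standard-profile firewall set to 0, Security Center monitoring of the AV product disabled, 3389/TCP globally opened, the per-user AutoRun handler for E:, the non-default LSA entry, and the interface DNS servers for comparison against the ISP's. The RISKY_PORTS table and the finding category names are the editor's own choices for the example, not anything ComboFix defines.

```python
"""Triage checks over the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix code and not part of the
original post. It reads the registry-section lines ComboFix prints and
flags what a responder would re-check after cleanup.
"""
import re

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Hotfix-KB5504305 REG_SZ c:\windows\system32\rundll50.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3389:TCP"= 3389:TCP
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe
TCP: {390B0ACA-70B1-419C-BAD8-CA17314D23FE} = 216.228.160.3,216.228.160.4
""".strip("\n")

# Editor's assumption: ports a home workstation should not have globally open.
RISKY_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS session", 23: "telnet"}


def parse_sections(text):
    """Group value lines under the bracketed registry key that precedes them.

    Lines that appear before any key are kept under the key ''.
    """
    sections = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return a list of (category, detail) findings from a ComboFix log."""
    findings = []
    for key, lines in parse_sections(text).items():
        for line in lines:
            # Host firewall turned off in the standard (non-domain) profile.
            if key.endswith(r"firewallpolicy\standardprofile") and \
               re.match(r'"EnableFirewall"\s*=\s*0\b', line):
                findings.append(("firewall_disabled", key.rsplit("\\", 1)[-1]))
            # Security Center told to stop monitoring a registered AV product.
            if r"security center\monitoring" in key and \
               re.match(r'"DisableMonitoring"\s*=\s*dword:0*1$', line, re.I):
                findings.append(("av_monitoring_disabled", key.rsplit("\\", 1)[-1]))
            # Globally opened ports are printed as "3389:TCP"= 3389:TCP
            if key.endswith(r"globallyopenports\list"):
                m = re.match(r'"(\d+):(tcp|udp)"', line, re.I)
                if m and int(m.group(1)) in RISKY_PORTS:
                    port = int(m.group(1))
                    proto = m.group(2).upper()
                    findings.append(("open_port", f"{port}/{proto} ({RISKY_PORTS[port]})"))
            # Per-user AutoRun handler recorded for a drive letter.
            if "mountpoints2" in key and r"\shell\autorun\command" in line.lower():
                drive = key.rsplit("\\", 1)[-1].upper()
                cmd = line.split(" - ", 1)[-1]
                findings.append(("autorun_handler", f"{drive}: -> {cmd}"))
            # ComboFix hides default LSA values, so anything listed is worth a look.
            if key.endswith(r"control\lsa"):
                findings.append(("lsa_entry", line))
            # Per-interface DNS servers, to compare against the ISP's servers.
            m = re.match(r"TCP:\s*\{[0-9A-F-]+\}\s*=\s*([\d.,]+)", line, re.I)
            if m:
                findings.append(("dns_servers", m.group(1).split(",")))
    return findings


def categories(findings):
    """The distinct finding categories, for a quick summary line."""
    return sorted({cat for cat, _ in findings})


if __name__ == "__main__":
    for cat, detail in triage(SAMPLE_LOG):
        print(f"{cat:24s} {detail}")
```

Run it on the whole ComboFix log rather than the sample to get the same six checks over the real file; the DNS finding is informational only, since 216.228.160.x may simply be the ISP's resolvers, and the LSA check reports every line under that key because the log itself notes that default entries are omitted.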