944,008 Members | Top Members by Rank

Hardware and Software > Microsoft Windows > Viruses, Spyware and other Nasties > New Malware, Help!!
Ad:
You are currently viewing page 1 of this multi-page discussion thread
Permalink
May 3rd, 2009
0

New Malware, Help!!

Expand Post »
I have trend micro on my machine up to date but it missed this malware that I am now infected with.

Symptoms:
Can't run malwarebytes/spybot/windows removal tool/other antimw
changed my dns servers to others that sent me to spam (corrected)
cd/dvd burner not recognized anymore
running slow
internet slow


internet does not work (not even a 404 or error, just blank white) until I end the process welik.exe

I can't run malwarebytes in safemode either, someone reccomended burning an avira rescue cd so I did, but it would not load for some reason (hardware not compatible perhaps). Anyone have any reccomendations?

After deleting C:\windows\welik.exe it hasnt started again and my internet works but my computer still behaves weirdly, such as my back button on my browser jumps back two pages and what I described above

Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:25:22 PM, on 5/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroDist.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\rundll50.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKLM\..\Run: [Nod32 Runtime] welik.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\RunServices: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O4 - HKLM\..\RunServices: [Nod32 Runtime] welik.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Orb] C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
O4 - HKCU\..\Run: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunServices: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{390B0ACA-70B1-419C-BAD8-CA17314D23FE}: NameServer = 216.228.160.3,216.228.160.4
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
Similar Threads
Reputation Points: 10
Solved Threads: 0
Newbie Poster
airy52 is offline Offline
9 posts
since May 2009
Permalink
May 4th, 2009
0

Re: New Malware, Help!!

dude u try from this..........

http://download.chip.eu/en/Malwarebytes_-Anti-Malware_3662215.html


or

http://www.kaspersky.com/removaltools

i hope your problme will be resolved

take care
Reputation Points: 10
Solved Threads: 1
Newbie Poster
m54071 is offline Offline
6 posts
since May 2009
Permalink
May 4th, 2009
0

Re: New Malware, Help!!

Like I said, I can't run MBA-M and I haven't identified what I have so those tools are worthless. Did you even read my post?
Reputation Points: 10
Solved Threads: 0
Newbie Poster
airy52 is offline Offline
9 posts
since May 2009
Permalink
May 4th, 2009
0

Re: New Malware, Help!!

Change the name of Malwarebytes.exe to something else such as timmy.exe and run it then. Good chance it will work.
Reputation Points: 10
Solved Threads: 1
Junior Poster in Training
Leo G is offline Offline
54 posts
since Jul 2005
Permalink
May 4th, 2009
0

Re: New Malware, Help!!

If that does not work, change the file name before you download it.
Moderator
Featured Poster
Reputation Points: 1142
Solved Threads: 982
Most Valuable Poster
crunchie is offline Offline
12,165 posts
since Feb 2004
Permalink
May 5th, 2009
0

Re: New Malware, Help!!

right clicked, save target as, saved mbam-setup.exe as fdsafds.exe. Ran it, changed install folder, install name, all that. Then didnt check the boxes to run and update, then went to install directory, changed mbam.exe to sfadsafds.exe. Ran it. Same problem as a normal mbam install, it just doesn't do anything. Please, help! I'm getting desperate. I can usually solve computer problems and find it a fun challenge but this piece of malware is causing me some trouble.
Reputation Points: 10
Solved Threads: 0
Newbie Poster
airy52 is offline Offline
9 posts
since May 2009
Permalink
May 5th, 2009
0

Re: New Malware, Help!!

Open Device Manager and on the VIEW Tab, select the Show hidden devices option.
Go down to non plug and play drivers and see if there is one called TDSSserv and disable it.

==

Reboot and try again if the above was found.
Moderator
Featured Poster
Reputation Points: 1142
Solved Threads: 982
Most Valuable Poster
crunchie is offline Offline
12,165 posts
since Feb 2004
Permalink
May 5th, 2009
0

Re: New Malware, Help!!

I had found that on another site but I don't have that entry in my device manager (TDSSserv). I set mbam to run in compatibility mode for windows 2000 and it worked. I ran and removed all. The computer now seems to work fine, although it seems to left a few things not working. Do you think I could still have other malware that mbam missed? Is there another program I could run? Spybot S&D won't run but I think it might have something to do with it not working with trend micro. If I am wrong, then this is a problem.

Cd/dvd burner now recognized.
Still cannot print.
Browser still jumps two pages using forward and back buttons or backspace. Jumps the 1 correct page when using alt+left/right.
Spybot does not run.

Thanks for all your time and keeping me motivated. What is my next step?
Reputation Points: 10
Solved Threads: 0
Newbie Poster
airy52 is offline Offline
9 posts
since May 2009
Permalink
May 5th, 2009
0

Re: New Malware, Help!!

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
Moderator
Featured Poster
Reputation Points: 1142
Solved Threads: 982
Most Valuable Poster
crunchie is offline Offline
12,165 posts
since Feb 2004
Permalink
May 5th, 2009
0

Re: New Malware, Help!!

Heres the combofix, after it ran only the basic proccesses were running, so I will restart and then run hjt and post that next.

ComboFix 09-05-04.A3 - erik 05/05/2009 7:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.690 [GMT -7:00]
Running from: c:\documents and settings\erik\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\gxvxcetpsodkjapptdmxgdispvqlppxxlnroy.sys
c:\windows\system32\drivers\gxvxciojnliagevpjfscaerqviwcqkygtuwnd.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\gxvxcwstvuvybttxhyjmvsueqyujepnpkliow.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
d:\recycler\S-2-1-12-100026165-100010272-100009460-9355.com
d:\recycler\S-7-4-13-100002836-100017221-100007023-4375.com
f:\recycler\S-2-1-12-100026165-100010272-100009460-9355.com
f:\recycler\S-7-4-13-100002836-100017221-100007023-4375.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-05 04:19 . 2009-05-05 04:19 -------- d-----w c:\documents and settings\erik\Application Data\Malwarebytes
2009-05-04 01:12 . 2009-05-04 01:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-04 01:12 . 2009-05-04 01:12 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-03 22:29 . 2009-05-03 22:29 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\WMTools Downloaded Files
2009-05-03 17:22 . 2009-05-03 17:22 -------- d-----w C:\Malwarebytes' Anti-Malware
2009-05-02 20:13 . 2009-05-02 20:13 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Ahead
2009-05-02 20:12 . 2009-05-02 20:14 -------- d-----w c:\documents and settings\erik\Application Data\Ahead
2009-05-02 20:11 . 2009-05-02 20:11 -------- d-----w c:\program files\Nero
2009-05-02 20:11 . 2009-05-02 20:13 -------- d-----w c:\program files\Common Files\Ahead
2009-05-02 19:52 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 19:52 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 19:52 . 2009-05-02 20:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware1
2009-05-02 19:14 . 2009-05-02 19:14 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-02 08:21 . 2009-05-02 08:21 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-02 08:21 . 2009-05-04 22:41 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-01 22:12 . 2009-05-01 22:12 233472 ----a-w c:\windows\system32\REX Shared Library.dll
2009-05-01 22:12 . 2009-05-01 22:12 368640 ----a-w c:\windows\system32\ReWire.dll
2009-05-01 22:06 . 2008-02-22 11:30 334792 ----a-w c:\windows\system32\_AxShlEx.dll
2009-05-01 21:57 . 2009-05-05 05:06 -------- d-----w c:\program files\Autorun Eater
2009-05-01 21:51 . 2009-05-01 21:51 -------- d-----w c:\program files\Alcohol Soft
2009-05-01 21:41 . 2009-05-01 21:41 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-05-01 19:27 . 2009-05-01 19:27 -------- d-----w c:\documents and settings\All Users\Application Data\Propellerhead Software
2009-05-01 19:27 . 2009-05-01 22:12 -------- d-----w c:\documents and settings\erik\Application Data\Propellerhead Software
2009-05-01 19:23 . 2009-05-01 19:23 -------- d-----w c:\program files\Propellerhead
2009-04-28 06:16 . 2009-04-28 06:16 -------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2009-04-28 05:17 . 2003-06-19 00:31 17920 ----a-w c:\windows\system32\mdimon.dll
2009-04-28 05:16 . 2009-04-28 05:16 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-28 05:15 . 2009-04-28 05:16 -------- d-----w c:\windows\SHELLNEW
2009-04-23 20:44 . 2009-05-05 04:46 -------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2009-04-23 20:44 . 2009-04-23 20:44 -------- d-----w c:\program files\Orb Networks
2009-04-21 17:43 . 2009-04-21 17:43 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-04-15 15:45 . 2008-04-14 07:15 26368 -c--a-w c:\windows\system32\dllcache\usbstor.sys
2009-04-15 02:51 . 2009-04-15 02:52 -------- d-----w c:\documents and settings\erik\Application Data\vlc
2009-04-14 06:22 . 2009-04-14 06:22 -------- d-----w c:\windows\system32\LogFiles
2009-04-14 03:39 . 2009-04-14 03:39 13616 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-14 03:38 . 2008-11-20 19:19 9072 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-04-14 03:38 . 2008-11-20 19:19 9200 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-04-14 03:38 . 2009-04-14 03:38 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Google
2009-04-14 03:38 . 2009-04-14 03:38 -------- d-----w c:\windows\system32\IOSUBSYS
2009-04-14 03:38 . 2009-04-14 03:38 -------- d-----w c:\program files\Google
2009-04-13 19:51 . 2009-04-13 19:51 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-13 07:48 . 2009-04-13 07:48 -------- d-----w c:\documents and settings\All Users\Application Data\ALM
2009-04-13 07:39 . 2008-04-07 12:38 22872 ----a-r c:\windows\system32\AdobePDFUI.dll
2009-04-13 07:39 . 2008-04-07 12:38 45392 ----a-r c:\windows\system32\AdobePDF.dll
2009-04-13 07:31 . 2009-04-13 07:31 -------- d-----w c:\program files\Adobe Media Player
2009-04-13 07:31 . 2009-04-13 07:31 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-13 07:22 . 2009-04-14 05:04 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Adobe
2009-04-13 07:22 . 2009-04-13 07:22 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-13 07:17 . 2009-04-28 05:58 20720 ----a-w c:\documents and settings\erik\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 07:17 . 2009-04-21 17:43 -------- d-----w c:\program files\Common Files\Adobe
2009-04-12 22:10 . 2001-08-18 05:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-12 22:10 . 2008-04-14 12:42 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-12 22:10 . 2008-04-14 07:15 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-12 22:10 . 2008-04-14 07:15 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-12 21:45 . 2009-04-25 01:54 -------- d-----w c:\documents and settings\erik\Application Data\Apple Computer
2009-04-12 21:41 . 2009-04-12 21:41 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Apple
2009-04-12 21:41 . 2009-04-12 21:41 -------- d-----w c:\program files\Apple Software Update
2009-04-12 21:41 . 2009-03-26 22:23 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-04-12 21:41 . 2009-03-26 22:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-04-12 21:41 . 2009-04-12 21:44 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-12 21:40 . 2009-04-12 21:40 -------- d-----w c:\program files\VideoLAN
2009-04-12 21:40 . 2009-04-12 21:44 -------- d-----w c:\program files\Common Files\Apple
2009-04-12 21:40 . 2009-04-12 21:40 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-12 21:40 . 2009-05-05 05:06 -------- d-----w c:\program files\Steam
2009-04-12 21:40 . 2009-04-12 21:45 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Apple Computer
2009-04-12 21:36 . 2009-04-12 21:36 -------- d-----w c:\program files\uTorrent
2009-04-12 21:36 . 2009-05-05 05:29 -------- d-----w c:\documents and settings\erik\Application Data\uTorrent
2009-04-12 21:26 . 2009-04-12 21:26 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Identities
2009-04-12 21:25 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-12 21:25 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-12 21:25 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-12 21:24 . 2009-04-12 21:26 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-12 21:24 . 2009-04-12 21:38 -------- d-----w c:\program files\Trend Micro
2009-04-12 21:19 . 2009-04-12 21:19 -------- d-----w C:\NVIDIAo
2009-04-12 21:02 . 2009-04-12 21:02 664 ----a-w c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 21:44 . 2009-04-12 21:44 -------- d-----w c:\program files\iTunes
2009-04-12 21:44 . 2009-04-12 20:06 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-12 21:44 . 2009-04-12 21:44 -------- d-----w c:\program files\iPod
2009-04-12 21:43 . 2009-04-12 21:43 -------- d-----w c:\program files\Bonjour
2009-04-12 21:42 . 2009-04-12 21:42 -------- d-----w c:\program files\QuickTime
2009-04-12 21:42 . 2009-04-12 21:42 0 ----a-w c:\windows\nsreg.dat
2009-04-12 20:35 . 2009-04-12 20:07 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-12 20:13 . 2009-04-12 20:13 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-12 20:08 . 2009-04-12 20:08 -------- d-----w c:\program files\microsoft frontpage
2009-04-12 20:07 . 2008-04-14 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-12 20:06 . 2009-04-12 20:06 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-12 20:04 . 2009-04-12 20:04 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-27 17:03 . 2009-04-12 20:21 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-03-27 15:14 . 2009-04-12 20:13 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-20 18:50 . 2009-03-20 18:50 3358720 ----a-w c:\windows\system32\GPhotos.scr
2009-03-19 23:32 . 2009-04-12 21:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 02:17 . 2009-04-09 20:15 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-03-06 02:17 . 2009-04-09 20:15 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-03-06 02:17 . 2009-04-09 20:15 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-03-03 23:12 . 2009-04-09 20:15 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-04-12 272176]
"Steam"="c:\program files\Steam\Steam.exe" [2009-04-12 1410296]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2009-03-17 510416]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-05-01 4608]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-22 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-09 497008]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Hotfix-KB5504305 REG_SZ c:\windows\system32\rundll50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"=
"DEFG®,‘|ä,‘|Q-‘|X-‘|>"= DEFG®,‘|ä,‘|Q-‘|X-‘|>:Nod32 Runtime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [4/12/2009 2:25 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [4/9/2009 1:15 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [4/12/2009 2:25 PM 677128]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Nod32 Runtime - welik.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {390B0ACA-70B1-419C-BAD8-CA17314D23FE} = 216.228.160.3,216.228.160.4
FF - ProfilePath - c:\documents and settings\erik\Application Data\Mozilla\Firefox\Profiles\qbafkf25.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 07:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-05 7:49
ComboFix-quarantined-files.txt 2009-05-05 14:49

Pre-Run: 52,124,041,216 bytes free
Post-Run: 52,760,903,680 bytes free

224


Computer seems to be working much better, see anything that needs to be done?
Reputation Points: 10
Solved Threads: 0
Newbie Poster
airy52 is offline Offline
9 posts
since May 2009

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: Svchost.exe 100%
Next Thread in Viruses, Spyware and other Nasties Forum Timeline: Virus help





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC