New Malware, Help!!

Question

airy52 0 Newbie Poster

15 Years Ago

I have trend micro on my machine up to date but it missed this malware that I am now infected with.

Symptoms:
Can't run malwarebytes/spybot/windows removal tool/other antimw
changed my dns servers to others that sent me to spam (corrected)
cd/dvd burner not recognized anymore
running slow
internet slow

internet does not work (not even a 404 or error, just blank white) until I end the process welik.exe

I can't run malwarebytes in safemode either, someone reccomended burning an avira rescue cd so I did, but it would not load for some reason (hardware not compatible perhaps). Anyone have any reccomendations?

After deleting C:\windows\welik.exe it hasnt started again and my internet works but my computer still behaves weirdly, such as my back button on my browser jumps back two pages and what I described above

Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:25:22 PM, on 5/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroDist.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\rundll50.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKLM\..\Run: [Nod32 Runtime] welik.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\RunServices: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O4 - HKLM\..\RunServices: [Nod32 Runtime] welik.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Orb] C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
O4 - HKCU\..\Run: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunServices: [Hotfix-KB5504305] C:\WINDOWS\system32\rundll50.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{390B0ACA-70B1-419C-BAD8-CA17314D23FE}: NameServer = 216.228.160.3,216.228.160.4
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

windows-virus

5 Contributors
14 Replies
353 Views
1 Week Discussion Span
Latest Post 15 Years Ago Latest Post by crunchie

m54071 0 Newbie Poster

15 Years Ago

dude u try from this..........

http://download.chip.eu/en/Malwarebytes_-Anti-Malware_3662215.html

or

http://www.kaspersky.com/removaltools

i hope your problme will be resolved

take care

Leo G 0 Junior Poster in Training

15 Years Ago

Change the name of Malwarebytes.exe to something else such as timmy.exe and run it then. Good chance it will work.

crunchie 990 Most Valuable Poster

15 Years Ago

If that does not work, change the file name before you download it.

crunchie 990 Most Valuable Poster

15 Years Ago

Open Device Manager and on the VIEW Tab, select the Show hidden devices option.
Go down to non plug and play drivers and see if there is one called TDSSserv and disable it.

==

Reboot and try again if the above was found.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

airy52 0 Newbie Poster · Answer 1 · 2009-05-05T05:54:15+00:00

Like I said, I can't run MBA-M and I haven't identified what I have so those tools are worthless. Did you even read my post?

airy52 0 Newbie Poster · Answer 2 · 2009-05-05T09:42:10+00:00

right clicked, save target as, saved mbam-setup.exe as fdsafds.exe. Ran it, changed install folder, install name, all that. Then didnt check the boxes to run and update, then went to install directory, changed mbam.exe to sfadsafds.exe. Ran it. Same problem as a normal mbam install, it just doesn't do anything. Please, help! I'm getting desperate. I can usually solve computer problems and find it a fun challenge but this piece of malware is causing me some trouble.

airy52 0 Newbie Poster · Answer 3 · 2009-05-05T11:12:36+00:00

I had found that on another site but I don't have that entry in my device manager (TDSSserv). I set mbam to run in compatibility mode for windows 2000 and it worked. I ran and removed all. The computer now seems to work fine, although it seems to left a few things not working. Do you think I could still have other malware that mbam missed? Is there another program I could run? Spybot S&D won't run but I think it might have something to do with it not working with trend micro. If I am wrong, then this is a problem.

Cd/dvd burner now recognized.
Still cannot print.
Browser still jumps two pages using forward and back buttons or backspace. Jumps the 1 correct page when using alt+left/right.
Spybot does not run.

Thanks for all your time and keeping me motivated. What is my next step?

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 4 · 2009-05-05T11:55:15+00:00

Please download ComboFix by sUBs from HERE or HERE

You must download it to and run it from your Desktop
Physically disconnect from the internet.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

airy52 0 Newbie Poster · Answer 5 · 2009-05-05T21:40:55+00:00

Heres the combofix, after it ran only the basic proccesses were running, so I will restart and then run hjt and post that next.

ComboFix 09-05-04.A3 - erik 05/05/2009 7:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.690 [GMT -7:00]
Running from: c:\documents and settings\erik\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\gxvxcetpsodkjapptdmxgdispvqlppxxlnroy.sys
c:\windows\system32\drivers\gxvxciojnliagevpjfscaerqviwcqkygtuwnd.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\gxvxcwstvuvybttxhyjmvsueqyujepnpkliow.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
d:\recycler\S-2-1-12-100026165-100010272-100009460-9355.com
d:\recycler\S-7-4-13-100002836-100017221-100007023-4375.com
f:\recycler\S-2-1-12-100026165-100010272-100009460-9355.com
f:\recycler\S-7-4-13-100002836-100017221-100007023-4375.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys

((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-05 04:19 . 2009-05-05 04:19 -------- d-----w c:\documents and settings\erik\Application Data\Malwarebytes
2009-05-04 01:12 . 2009-05-04 01:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-04 01:12 . 2009-05-04 01:12 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-03 22:29 . 2009-05-03 22:29 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\WMTools Downloaded Files
2009-05-03 17:22 . 2009-05-03 17:22 -------- d-----w C:\Malwarebytes' Anti-Malware
2009-05-02 20:13 . 2009-05-02 20:13 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Ahead
2009-05-02 20:12 . 2009-05-02 20:14 -------- d-----w c:\documents and settings\erik\Application Data\Ahead
2009-05-02 20:11 . 2009-05-02 20:11 -------- d-----w c:\program files\Nero
2009-05-02 20:11 . 2009-05-02 20:13 -------- d-----w c:\program files\Common Files\Ahead
2009-05-02 19:52 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 19:52 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 19:52 . 2009-05-02 20:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware1
2009-05-02 19:14 . 2009-05-02 19:14 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-02 08:21 . 2009-05-02 08:21 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-02 08:21 . 2009-05-04 22:41 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-01 22:12 . 2009-05-01 22:12 233472 ----a-w c:\windows\system32\REX Shared Library.dll
2009-05-01 22:12 . 2009-05-01 22:12 368640 ----a-w c:\windows\system32\ReWire.dll
2009-05-01 22:06 . 2008-02-22 11:30 334792 ----a-w c:\windows\system32\_AxShlEx.dll
2009-05-01 21:57 . 2009-05-05 05:06 -------- d-----w c:\program files\Autorun Eater
2009-05-01 21:51 . 2009-05-01 21:51 -------- d-----w c:\program files\Alcohol Soft
2009-05-01 21:41 . 2009-05-01 21:41 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-05-01 19:27 . 2009-05-01 19:27 -------- d-----w c:\documents and settings\All Users\Application Data\Propellerhead Software
2009-05-01 19:27 . 2009-05-01 22:12 -------- d-----w c:\documents and settings\erik\Application Data\Propellerhead Software
2009-05-01 19:23 . 2009-05-01 19:23 -------- d-----w c:\program files\Propellerhead
2009-04-28 06:16 . 2009-04-28 06:16 -------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2009-04-28 05:17 . 2003-06-19 00:31 17920 ----a-w c:\windows\system32\mdimon.dll
2009-04-28 05:16 . 2009-04-28 05:16 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-28 05:15 . 2009-04-28 05:16 -------- d-----w c:\windows\SHELLNEW
2009-04-23 20:44 . 2009-05-05 04:46 -------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2009-04-23 20:44 . 2009-04-23 20:44 -------- d-----w c:\program files\Orb Networks
2009-04-21 17:43 . 2009-04-21 17:43 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-04-15 15:45 . 2008-04-14 07:15 26368 -c--a-w c:\windows\system32\dllcache\usbstor.sys
2009-04-15 02:51 . 2009-04-15 02:52 -------- d-----w c:\documents and settings\erik\Application Data\vlc
2009-04-14 06:22 . 2009-04-14 06:22 -------- d-----w c:\windows\system32\LogFiles
2009-04-14 03:39 . 2009-04-14 03:39 13616 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-14 03:38 . 2008-11-20 19:19 9072 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-04-14 03:38 . 2008-11-20 19:19 9200 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-04-14 03:38 . 2009-04-14 03:38 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Google
2009-04-14 03:38 . 2009-04-14 03:38 -------- d-----w c:\windows\system32\IOSUBSYS
2009-04-14 03:38 . 2009-04-14 03:38 -------- d-----w c:\program files\Google
2009-04-13 19:51 . 2009-04-13 19:51 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-13 07:48 . 2009-04-13 07:48 -------- d-----w c:\documents and settings\All Users\Application Data\ALM
2009-04-13 07:39 . 2008-04-07 12:38 22872 ----a-r c:\windows\system32\AdobePDFUI.dll
2009-04-13 07:39 . 2008-04-07 12:38 45392 ----a-r c:\windows\system32\AdobePDF.dll
2009-04-13 07:31 . 2009-04-13 07:31 -------- d-----w c:\program files\Adobe Media Player
2009-04-13 07:31 . 2009-04-13 07:31 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-13 07:22 . 2009-04-14 05:04 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Adobe
2009-04-13 07:22 . 2009-04-13 07:22 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-13 07:17 . 2009-04-28 05:58 20720 ----a-w c:\documents and settings\erik\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 07:17 . 2009-04-21 17:43 -------- d-----w c:\program files\Common Files\Adobe
2009-04-12 22:10 . 2001-08-18 05:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-12 22:10 . 2008-04-14 12:42 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-12 22:10 . 2008-04-14 07:15 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-12 22:10 . 2008-04-14 07:15 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-12 21:45 . 2009-04-25 01:54 -------- d-----w c:\documents and settings\erik\Application Data\Apple Computer
2009-04-12 21:41 . 2009-04-12 21:41 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Apple
2009-04-12 21:41 . 2009-04-12 21:41 -------- d-----w c:\program files\Apple Software Update
2009-04-12 21:41 . 2009-03-26 22:23 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-04-12 21:41 . 2009-03-26 22:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-04-12 21:41 . 2009-04-12 21:44 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-12 21:40 . 2009-04-12 21:40 -------- d-----w c:\program files\VideoLAN
2009-04-12 21:40 . 2009-04-12 21:44 -------- d-----w c:\program files\Common Files\Apple
2009-04-12 21:40 . 2009-04-12 21:40 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-12 21:40 . 2009-05-05 05:06 -------- d-----w c:\program files\Steam
2009-04-12 21:40 . 2009-04-12 21:45 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Apple Computer
2009-04-12 21:36 . 2009-04-12 21:36 -------- d-----w c:\program files\uTorrent
2009-04-12 21:36 . 2009-05-05 05:29 -------- d-----w c:\documents and settings\erik\Application Data\uTorrent
2009-04-12 21:26 . 2009-04-12 21:26 -------- d-----w c:\documents and settings\erik\Local Settings\Application Data\Identities
2009-04-12 21:25 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-12 21:25 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-12 21:25 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-12 21:24 . 2009-04-12 21:26 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-12 21:24 . 2009-04-12 21:38 -------- d-----w c:\program files\Trend Micro
2009-04-12 21:19 . 2009-04-12 21:19 -------- d-----w C:\NVIDIAo
2009-04-12 21:02 . 2009-04-12 21:02 664 ----a-w c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 21:44 . 2009-04-12 21:44 -------- d-----w c:\program files\iTunes
2009-04-12 21:44 . 2009-04-12 20:06 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-12 21:44 . 2009-04-12 21:44 -------- d-----w c:\program files\iPod
2009-04-12 21:43 . 2009-04-12 21:43 -------- d-----w c:\program files\Bonjour
2009-04-12 21:42 . 2009-04-12 21:42 -------- d-----w c:\program files\QuickTime
2009-04-12 21:42 . 2009-04-12 21:42 0 ----a-w c:\windows\nsreg.dat
2009-04-12 20:35 . 2009-04-12 20:07 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-12 20:13 . 2009-04-12 20:13 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-12 20:08 . 2009-04-12 20:08 -------- d-----w c:\program files\microsoft frontpage
2009-04-12 20:07 . 2008-04-14 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-12 20:06 . 2009-04-12 20:06 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-12 20:04 . 2009-04-12 20:04 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-27 17:03 . 2009-04-12 20:21 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-03-27 15:14 . 2009-04-12 20:13 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-20 18:50 . 2009-03-20 18:50 3358720 ----a-w c:\windows\system32\GPhotos.scr
2009-03-19 23:32 . 2009-04-12 21:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 02:17 . 2009-04-09 20:15 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-03-06 02:17 . 2009-04-09 20:15 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-03-06 02:17 . 2009-04-09 20:15 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-03-03 23:12 . 2009-04-09 20:15 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-04-12 272176]
"Steam"="c:\program files\Steam\Steam.exe" [2009-04-12 1410296]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2009-03-17 510416]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-05-01 4608]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-22 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-09 497008]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Hotfix-KB5504305 REG_SZ c:\windows\system32\rundll50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"=
"DEFG®,‘|ä,‘|Q-‘|X-‘|>"= DEFG®,‘|ä,‘|Q-‘|X-‘|>:Nod32 Runtime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [4/12/2009 2:25 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [4/9/2009 1:15 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [4/12/2009 2:25 PM 677128]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Nod32 Runtime - welik.exe

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {390B0ACA-70B1-419C-BAD8-CA17314D23FE} = 216.228.160.3,216.228.160.4
FF - ProfilePath - c:\documents and settings\erik\Application Data\Mozilla\Firefox\Profiles\qbafkf25.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 07:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-05 7:49
ComboFix-quarantined-files.txt 2009-05-05 14:49

Pre-Run: 52,124,041,216 bytes free
Post-Run: 52,760,903,680 bytes free

224

Computer seems to be working much better, see anything that needs to be done?

airy52 0 Newbie Poster · Answer 6 · 2009-05-05T23:03:49+00:00

Heres hjt, see post above for combofix and my comments

Logfile of HijackThis v1.99.1
Scan saved at 10:03:05 AM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Orb] C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{390B0ACA-70B1-419C-BAD8-CA17314D23FE}: NameServer = 216.228.160.3,216.228.160.4
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 7 · 2009-05-06T00:29:29+00:00

You are running a very old version of HiJackThis. Uninstall this old version and download this new version HiJackThis version 2.0.2 to the desktop and run a new Full System scan with it and then post that new log back here.

airy52 0 Newbie Poster · Answer 8 · 2009-05-06T06:27:11+00:00

Thanks, here it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:59 PM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\Orb Networks\Orb\bin\xmltv.exe
C:\DOCUME~1\erik\LOCALS~1\Temp\par-erik\cache-a8e9363710108ed5bfb0727bb03a8316eb7fcb84\xmltv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\erik\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Orb] C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{390B0ACA-70B1-419C-BAD8-CA17314D23FE}: NameServer = 216.228.160.3,216.228.160.4
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7732 bytes

airy52 0 Newbie Poster · Answer 9 · 2009-05-11T07:55:58+00:00

This forum is not as helpful as it seems, just a warning to anyone considering joining.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 10 · 2009-05-11T10:37:37+00:00

This forum is not as helpful as it seems, just a warning to anyone considering joining.

No worries then. We all have real lives the same as you do and volunteer any spare time we have to help out.
Your pc is clean, yet you complain?

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /, it needs to be there.