
HELP! Memorywatcher in PC?


Gemma


Hi

I've noticed my PC running slow for the last few weeks and there are a lot (30+) processes listed as running in task manager but I haven't been able to find the problem until now (I think).

I run Windows XP Home Edition with SP3. I use ZoneAlarm Internet Security Suite and Malwarebytes PRO (I upgraded to this about a week ago) and Spybot. Running a deep scan 2 weeks ago ZoneAlarm found Trojan.Downloader.WMA.Wimad.N which was quarantined and I deleted. Malwarebytes runs sometimes, sometimes it updates, sometimes it doesn't. Spybot doesn't find anything. I also installed Super AntiSpyware and it has only found some tracking cookies.

I tried to run dds.scr but can't. I have been looking through the registry entries and I found HKEY_CLASSES_ROOT\vbRad.TrayIcon. When googled I found it is a memorywatcher but I don't know how to get rid of it.

Please help!

Gemma

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 9:18:38 PM, on 17/11/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17103)

Boot mode: Normal

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\SUPERAntiSpyware\SASCORE.EXE

H:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

H:\Program Files\Bonjour\mDNSResponder.exe

H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

H:\WINDOWS\system32\nvsvc32.exe

H:\WINDOWS\system32\HPZipm12.exe

H:\WINDOWS\system32\svchost.exe

H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\RTHDCPL.EXE

H:\Program Files\HP\HP Software Update\HPWuSchd2.exe

H:\Program Files\DivX\DivX Update\DivXUpdate.exe

H:\Program Files\iTunes\iTunesHelper.exe

H:\WINDOWS\system32\RunDLL32.exe

H:\WINDOWS\system32\ctfmon.exe

H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

H:\Program Files\iPod\bin\iPodService.exe

H:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

H:\Program Files\CheckPoint\ZoneAlarm\zatray.exe

H:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe

H:\PROGRA~1\CHECKP~1\ZONEAL~1\MAILFR~1\mantispm.exe

H:\WINDOWS\system32\taskmgr.exe

H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

H:\WINDOWS\system32\msiexec.exe

H:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.76.23.165:80

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - H:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - H:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll

O2 - BHO: (no name) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - (no file)

O2 - BHO: (no name) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - (no file)

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "H:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [DivXUpdate] "H:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [APSDaemon] "H:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] H:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "H:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [ZoneAlarm] "H:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [spybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-1645522239-1993962763-839522115-1008\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281791927703

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - H:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - H:\WINDOWS\system32\browseui.dll

O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - H:\Program Files\SUPERAntiSpyware\SASCORE.EXE

O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - H:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - H:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - H:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe

--

End of file - 9229 bytes
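
The R1 ProxyServer entry in the log above (200.76.23.165:80) is the kind of line that is easy to miss when reading a log of this size by hand: a system-wide Internet Explorer proxy pointing at an address outside the machine's own network means every page the browser loads passes through that host. The following Python script is an added example, not part of the thread or of HijackThis itself. It parses entries in HijackThis's `Section - body` layout and flags the patterns visible in this log: a proxy at a public IP, O2 BHOs registered with no file behind them, O4 Run entries that launch a bare filename, and O23 services with no publisher recorded. The sample lines are copied from the log above; the severity labels are assumptions made for this example, not a HijackThis convention.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LINES = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.76.23.165:80",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O2 - BHO: (no name) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - (no file)",
    r"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE",
    r'O4 - HKLM\..\Run: [ZoneAlarm] "H:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"',
    r"O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe",
    r"O23 - Service: MBAMService - Malwarebytes Corporation - H:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe",
]

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 bodies look like: HKLM\..\Run: [Name] command  (Global Startup entries do not match and are skipped)
RUN_RE = re.compile(r"^HK.*?\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


@dataclass
class Finding:
    severity: str   # "high", "low" or "info" (labels chosen for this example)
    section: str    # HijackThis section code: R1, O2, O4, O23 ...
    detail: str


def proxy_hosts(value):
    """Split an IE ProxyServer value ('host:port' or 'http=host:port;https=host:port') into hosts."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # per-protocol form: scheme=host:port
            part = part.split("=", 1)[1]
        hosts.append(part.rsplit(":", 1)[0] if ":" in part else part)
    return hosts


def is_external_proxy(value):
    """True when a proxy host is a literal IP outside private, loopback and link-local space."""
    for host in proxy_hosts(value):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                          # hostname: cannot be judged offline
        if ip.is_global:
            return True
    return False


def triage(lines):
    """Walk HijackThis entries and return the ones a reviewer should look at first."""
    findings = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1") and ",ProxyServer = " in body:
            value = body.split(" = ", 1)[1]
            if is_external_proxy(value):
                findings.append(Finding("high", section,
                    f"browser proxy set to external address {value}; all web traffic is routed through it"))
        elif section == "O2" and body.endswith("(no file)"):
            clsid = CLSID_RE.search(body)
            findings.append(Finding("low", section,
                f"orphaned BHO {clsid.group(0) if clsid else '?'}: registered but its DLL is gone"))
        elif section == "O4":
            run = RUN_RE.match(body)
            if run:
                cmd = run.group("cmd").lstrip('"')
                if not re.match(r"^[A-Za-z]:\\", cmd):    # no drive letter: resolved via PATH search
                    findings.append(Finding("info", section,
                        f"Run entry [{run.group('name')}] starts {cmd.split()[0]} without a full path"))
        elif section == "O23" and " - Unknown owner - " in body:
            service = body.split(" - ", 1)[0].replace("Service: ", "", 1)
            findings.append(Finding("info", section, f"service with no publisher recorded: {service}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:>4}] {f.section}: {f.detail}")
```

Run against the sample it reports one high finding (the proxy), one low (the orphaned BHO) and two informational ones. The "info" items are not indicators on their own: on this machine RTHDCPL.EXE and the NVIDIA service are legitimate, which is exactly why a human still makes the call.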


Hello Gemma! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don't hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copied and pasted into your next reply.

Step 1

Open Notepad, copy and paste everything from the Quote box into Notepad:

REGEDIT4 

[-HKEY_CLASSES_ROOT\VBRAD.TRAYICON]

Make sure there are NO blank lines before REGEDIT4

Make sure there IS one blank line at the end of the file.

Go to File => Save As...

Save File name as Fix.reg

Change Save as Type to All Files and save the file to your desktop.

Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.

Step 2

Also, I would like you to generate an "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

  To get an Uninstall List from HijackThis:
  1. Open HijackThis, click Config, click Misc Tools
  2. Click "Open Uninstall Manager"
  3. Click "Save List" (generates uninstall_list.txt)
  4. Click Save, copy and paste the results in your next post.

Step 3

  1. Download aswMBR.exe (1870KB) to your desktop.
  2. Double click the aswMBR.exe to run it
  3. Click the [scan] button to start scan
  4. On completion of the scan click [save log], save it to your desktop and post in your next reply.

In your next reply, please post the following log files:

  • aswMBR log
  • Add or Remove Programs list


Hi Maniac! Thank you so much for offering to help - I do really appreciate it!

I followed all steps provided and below are the aswMBR log and the Add or Remove Programs list. When I ran aswMBR.exe my ZoneAlarm warned me that avast! was trying to get access to system processes. I allowed it and then a box appeared asking if I wanted to download and scan with avast! free antivirus software. You hadn't mentioned this as a step to do so I clicked no. I hope that was ok.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software

Run date: 2011-11-18 20:42:31

-----------------------------

20:42:31.500 OS Version: Windows 5.1.2600 Service Pack 3

20:42:31.500 Number of processors: 4 586 0x1707

20:42:31.500 ComputerName: TONKA UserName: Gemma

20:43:41.109 Initialize success

20:44:18.875 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6

20:44:18.875 Disk 0 Vendor: ST3500418AS CC38 Size: 476940MB BusType: 3

20:44:18.875 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-19

20:44:18.875 Disk 1 Vendor: WDC_WD10EARS-00MVWB0 50.0AB50 Size: 953869MB BusType: 3

20:44:18.875 Device \Driver\usbstor -> DriverStartIo USBSTOR.SYS b8391f26

20:44:22.890 Disk 6 MBR read successfully

20:44:22.890 Disk 6 MBR scan

20:44:22.890 Disk 6 Windows XP default MBR code

20:44:22.890 Disk 6 MBR hidden

20:44:22.921 Disk 6 scanning H:\WINDOWS\system32\drivers

20:44:30.890 Service scanning

20:44:31.906 Modules scanning

20:44:34.234 Disk 6 trace - called modules:

20:44:34.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll

20:44:34.234 1 nt!IofCallDriver -> \Device\Harddisk6\DR8[0x8a1bd170]

20:44:34.234 Scan finished successfully

20:45:13.046 Disk 6 MBR has been saved successfully to "H:\Documents and Settings\Gemma\Desktop\MBR.dat"

20:45:13.046 The log file has been saved successfully to "H:\Documents and Settings\Gemma\Desktop\aswMBR.txt"

AC3Filter 1.63b

Adobe Reader 9.4.4

Adobe Shockwave Player 11.5

Alt.Binz 0.25.0

Apple Application Support

Apple Mobile Device Support

Apple Software Update

AUSkey software 1.4.0.3

AUSkey software 1.4.0.6

Bonjour

Common-Use Signing Interface

Compatibility Pack for the 2007 Office system

CutePDF Writer 2.8

Direct WAV MP3 Splitter version 2.6.0.21

DivX Setup

DVD Flick 1.3.0.7

e-tax 2010

e-tax 2011

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB981793)

HP Document Viewer 5.3

HP Extended Capabilities 5.3

HP Image Zone 5.3

HP Image Zone Express

HP Imaging Device Functions 5.3

HP Product Assistant

HP PSC & OfficeJet 5.3.A

HP Solution Center & Imaging Support Tools 5.3

HP Update

InstantShareAlert

iTunes

Malwarebytes' Anti-Malware version 1.51.2.1300

Medieval CUE Splitter

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2572067)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Client Profile

Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office File Validation Add-In

Microsoft Office Standard Edition 2003

Microsoft User-Mode Driver Framework Feature Pack 1.0

MSVC80_x86_v2

MSVC90_x86

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MYOB AccountRight Plus v19

MYOB BusinessBasics v1

MYOB ODBC Direct v10 AUS

NVIDIA Display Control Panel

NVIDIA Drivers

NVIDIA ForceWare Network Access Manager

NVIDIA ForceWare Network Access Manager

NVIDIA Graphics Driver 275.33

NVIDIA nView 135.85

NVIDIA nView Desktop Manager

NVIDIA PhysX

NVIDIA Update 1.3.5

oggcodecs 0.71.0946

PC Connectivity Solution

QuickTime

Realtek High Definition Audio Driver

Security Update for CAPICOM (KB931906)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB2183461)

Security Update for Windows Internet Explorer 7 (KB2360131)

Security Update for Windows Internet Explorer 7 (KB2416400)

Security Update for Windows Internet Explorer 7 (KB2482017)

Security Update for Windows Internet Explorer 7 (KB2497640)

Security Update for Windows Internet Explorer 7 (KB2530548)

Security Update for Windows Internet Explorer 7 (KB2544521)

Security Update for Windows Internet Explorer 7 (KB2559049)

Security Update for Windows Internet Explorer 7 (KB2586448)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982381)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Spybot - Search & Destroy

SUPERAntiSpyware

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VC 9.0 Runtime

VC80CRTRedist - 8.0.50727.4053

Windows Easy Transfer for Windows 7

Windows Internet Explorer 7

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player 11

Windows XP Service Pack 3

WinRAR archiver

XP Codec Pack

Xvid 1.1.3 final uninstall

ZoneAlarm Antivirus

ZoneAlarm Firewall

ZoneAlarm Internet Security Suite

ZoneAlarm Security


Step 1

I see you are running TeaTimer.

I suggest you disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab and select Check for Updates.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 3

  1. Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan
  2. Tick the box next to YES, I accept the Terms of Use
  3. Click Start
  4. When asked, allow the ActiveX control to install
  5. Click Start
  6. Make sure that the options Remove found threats and Scan unwanted applications are both checked
  7. Click Scan (This scan can take several hours, so please be patient)
  8. Once the scan is completed, you may close the window
  9. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  10. Copy and paste that log as a reply to this topic

In your next reply, please post the following log files:

  • Malwarebytes' Anti-Malware log
  • ESET Online Scanner log
  • a new fresh HiJackThis log


Hi Maniac, just a few things - when I disabled Teatimer.exe I didn't get a pop up asking me to confirm the change however after rebooting I checked and the boxes remained unchecked so I then reset the file as advised by you.

Also, when I tried to follow step 2, MBAM would not open, so I rebooted in safe mode with networking and was able to update; however, under the protection tab it said my PC was unprotected. I tried ticking the box to protect but it just gave me the following message: [startService] Failed to perform desired action. Error Code: 1084. I ran the quick scan in safe mode and it worked. I then rebooted normally and tried opening MBAM. It worked this time, so I also ran a scan, and I have included both scan results below.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8192

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.13

19/11/2011 6:07:48 PM

mbam-log-2011-11-19 (18-07-48).txt

Scan type: Quick scan

Objects scanned: 207498

Time elapsed: 2 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8192

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

19/11/2011 8:22:28 PM

mbam-log-2011-11-19 (20-22-28).txt

Scan type: Quick scan

Objects scanned: 208792

Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17103 (vista_gdr.110816-1000)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=f8c9279cb670004abf3dc74c32052c3c

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-11-19 12:00:12

# local_time=2011-11-19 11:00:12 (+1000, AUS Eastern Daylight Time)

# country="Australia"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16776533 100 13 31945 339394 0 0

# scanned=99293

# found=3

# cleaned=3

# scan_time=7573

M:\itunes music\Madonna\Hard Candy\08 Madonna - Beat Goes On [Ft. Kanye West].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

M:\itunes music\Rihanna\Disturbia [Remixes] (Promo CDM)\08-rihanna-disturbia__craig_cs_disturbstramental_mix_.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

M:\itunes music\Timbaland\Remix & Soundtrack Collection\15 Ice Box (Remix) feat Omarion, Usher, Fabolous & Busta Rhymes.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 2:59:42 AM, on 20/11/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17103)

Boot mode: Normal

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\SUPERAntiSpyware\SASCORE.EXE

H:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

H:\Program Files\Bonjour\mDNSResponder.exe

H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

H:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

H:\WINDOWS\system32\nvsvc32.exe

H:\WINDOWS\system32\svchost.exe

H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\RTHDCPL.EXE

H:\Program Files\HP\HP Software Update\HPWuSchd2.exe

H:\Program Files\DivX\DivX Update\DivXUpdate.exe

H:\Program Files\iTunes\iTunesHelper.exe

H:\WINDOWS\system32\RunDLL32.exe

H:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

H:\Program Files\CheckPoint\ZoneAlarm\zatray.exe

H:\WINDOWS\system32\ctfmon.exe

H:\Program Files\iPod\bin\iPodService.exe

H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

H:\PROGRA~1\CHECKP~1\ZONEAL~1\MAILFR~1\mantispm.exe

H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

H:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

H:\WINDOWS\System32\svchost.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

H:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.76.23.165:80

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - H:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll

O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - H:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll

O2 - BHO: (no name) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - (no file)

O2 - BHO: (no name) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - (no file)

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "H:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [DivXUpdate] "H:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [APSDaemon] "H:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] H:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "H:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [ZoneAlarm] "H:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "H:\Documents and Settings\Gemma\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [sUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-1645522239-1993962763-839522115-1008\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281791927703

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - H:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - H:\WINDOWS\system32\browseui.dll

O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - H:\Program Files\SUPERAntiSpyware\SASCORE.EXE

O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - H:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - H:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - H:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe

--

End of file - 8744 bytes


Hi Maniac,

I followed the instructions at bleepingcomputer and ran combofix. I started the program 4 1/2 hours ago and it is still showing the first screen cap - "scanning for infected files". There were no instructions on what to do if it freezes so I tried to exit the software and then my pc froze for about 10 minutes. The combofix box is still onscreen but I have connected to the internet to post this message.

What should I do now?

Thanks again for your help, Gemma


Ok, my pc would not restart or shutdown so I cut the power (I know this isn't the best thing to do) but I waited a few minutes & booted up again. I followed the instructions as soon as the pc had loaded and Combofix worked, rebooting my pc as part of the process. Below is the log. After rebooting my ZoneAlarm software has started up again with a popup saying "Suspicious Behaviour Handle viewer is trying to install a driver and gain full access to OS". I have the option to allow or deny. When I select more information it says the application: H:\ComboFix\handle.3XE

What should I do?


ComboFix 11-11-19.04 - Gemma 20/11/2011 15:07:43.1.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2618 [GMT 11:00]

Running from: h:\documents and settings\Gemma\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

h:\documents and settings\All Users\Start Menu\HP Image Zone .lnk

h:\windows\jestertb.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_COMSYSAPP

-------\Service_COMSysApp

.

.

((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))

.

.

2011-11-19 09:47 . 2011-11-19 09:47 -------- d-----w- h:\program files\ESET

2011-11-17 10:18 . 2011-11-17 10:18 388096 ----a-r- h:\documents and settings\Gemma\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-11-17 10:18 . 2011-11-17 10:18 -------- d-----w- h:\program files\Trend Micro

2011-11-15 11:37 . 2011-11-15 11:37 -------- d-----w- h:\program files\Conduit

2011-11-15 10:30 . 2011-11-15 10:30 -------- d-----w- h:\documents and settings\Gemma\Application Data\Malwarebytes

2011-11-15 10:29 . 2011-11-15 10:29 -------- d-----w- h:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-15 10:29 . 2011-11-15 10:29 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware

2011-11-15 10:29 . 2011-08-31 06:00 22216 ----a-w- h:\windows\system32\drivers\mbam.sys

2011-11-14 05:24 . 2011-11-14 05:24 -------- d-----w- h:\documents and settings\UpdatusUser

2011-11-14 05:24 . 2011-11-14 05:24 -------- d-----w- h:\documents and settings\All Users\Application Data\NVIDIA

2011-11-14 05:24 . 2011-05-20 19:01 543336 ----a-w- h:\windows\system32\easyupdatusapiu.dll

2011-11-14 04:50 . 2011-11-14 04:50 -------- d-----w- h:\program files\Microsoft.NET

2011-11-13 11:05 . 2011-11-13 11:05 -------- d-----w- h:\documents and settings\Gemma\Application Data\SUPERAntiSpyware.com

2011-11-13 11:05 . 2011-11-13 11:05 -------- d-----w- h:\program files\SUPERAntiSpyware

2011-11-13 11:05 . 2011-11-13 11:05 -------- d-----w- h:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-11-03 10:33 . 2011-11-03 10:33 -------- d-----w- h:\documents and settings\LocalService\Application Data\Malwarebytes

2011-10-26 08:43 . 2011-10-26 08:43 -------- d-----w- h:\program files\iPod

2011-10-26 08:43 . 2011-10-26 08:43 -------- d-----w- h:\program files\iTunes

2011-10-26 08:38 . 2011-10-26 08:38 -------- d-----w- h:\program files\Bonjour

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-10 14:22 . 2010-08-07 07:12 692736 ----a-w- h:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- h:\windows\system32\crypt32.dll

2011-09-26 00:41 . 2008-07-29 09:59 611328 ----a-w- h:\windows\system32\uiautomationcore.dll

2011-09-26 00:41 . 2004-08-04 12:00 220160 ----a-w- h:\windows\system32\oleacc.dll

2011-09-26 00:41 . 2004-08-04 12:00 20480 ----a-w- h:\windows\system32\oleaccrc.dll

2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- h:\windows\system32\win32k.sys

2011-08-30 12:05 . 2011-08-30 12:05 83816 ----a-w- h:\windows\system32\dns-sd.exe

2011-08-30 12:05 . 2011-08-30 12:05 73064 ----a-w- h:\windows\system32\dnssd.dll

2011-08-30 12:05 . 2011-08-30 12:05 50536 ----a-w- h:\windows\system32\jdns_sd.dll

2011-08-30 12:05 . 2011-08-30 12:05 178536 ----a-w- h:\windows\system32\dnssdX.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="h:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-07 4617600]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2009-02-02 18085888]

"HP Software Update"="h:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]

"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="h:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

"DivXUpdate"="h:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"AppleSyncNotifier"="h:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"QuickTime Task"="h:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]

"APSDaemon"="h:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]

"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]

"NvMediaCenter"="NvMCTray.dll" [2011-05-20 111208]

"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2011-05-20 13895272]

"nwiz"="h:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]

"Malwarebytes' Anti-Malware"="h:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"ZoneAlarm"="h:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-09 73360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

h:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - h:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

HP Image Zone Fast Start.lnk - h:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- h:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"h:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"h:\\Program Files\\iTunes\\iTunes.exe"=

"h:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=

.

R1 kl2;kl2;h:\windows\system32\drivers\kl2.sys [14/10/2010 5:08 PM 11352]

R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [23/07/2011 3:27 AM 12880]

R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [13/07/2011 8:55 AM 67664]

R2 !SASCORE;SAS Core Service;h:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 10:38 AM 116608]

R2 MBAMService;MBAMService;h:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [15/11/2011 9:29 PM 366152]

R2 nvUpdatusService;NVIDIA Update Service Daemon;h:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [14/11/2011 4:24 PM 2214504]

R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [15/11/2011 9:29 PM 22216]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]

S3 WDC_SAM;WD SCSI Pass Thru driver;h:\windows\system32\drivers\wdcsam.sys [6/05/2008 4:06 PM 11520]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-14 h:\windows\Tasks\AppleSoftwareUpdate.job

- h:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 07:57]

.

2011-11-01 h:\windows\Tasks\Disk Cleanup.job

- h:\windows\system32\cleanmgr.exe [2004-08-04 00:12]

.

2011-11-07 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1004Core.job

- h:\documents and settings\Gemma\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-08 10:57]

.

2011-11-19 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1004UA.job

- h:\documents and settings\Gemma\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-08 10:57]

.

2011-11-12 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1005Core.job

- h:\documents and settings\Elizabeth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-25 04:56]

.

2011-11-19 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1993962763-839522115-1005UA.job

- h:\documents and settings\Elizabeth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-25 04:56]

.

2011-10-23 h:\windows\Tasks\Malwarebytes' Anti-Malware.job

- h:\progra~1\MALWAR~1\mbam.exe [2011-11-15 06:01]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

uInternet Settings,ProxyOverride = <local>;*.local

uInternet Settings,ProxyServer = 200.76.23.165:80

IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 10.1.1.1

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{91da5e8a-3318-4f8c-b67e-5964de3ab546} - (no file)

AddRemove-NVIDIA Display Control Panel - h:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-20 15:14

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1645522239-1993962763-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{35FF3DB5-B1F9-448B-3FC7-6CED177A7C9C}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oagpihefnphanpfngepnpkplhbkhlj"=hex:64,61,67,6e,69,6e,62,61,00,84

"oakolcohlajajeehcenikdpffabegp"=hex:6a,61,6c,6e,70,6c,66,64,6e,68,6b,67,67,6d,

69,68,69,70,67,68,00,02

"naibbchnamilgnjlfiodjaoenkna"=hex:6a,61,67,6e,6e,6e,6c,63,61,69,62,67,6d,6c,

64,70,68,70,6e,69,00,02

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(724)

h:\program files\SUPERAntiSpyware\SASWINLO.DLL

h:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(3888)

h:\windows\system32\WININET.dll

h:\progra~1\CHECKP~1\ZONEAL~1\MAILFR~1\mlfhook.dll

h:\windows\system32\ieframe.dll

h:\windows\system32\WPDShServiceObj.dll

h:\windows\system32\PortableDeviceTypes.dll

h:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

h:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

h:\program files\Bonjour\mDNSResponder.exe

h:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

h:\windows\system32\nvsvc32.exe

h:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

h:\windows\RTHDCPL.EXE

h:\windows\system32\RunDLL32.exe

h:\program files\iPod\bin\iPodService.exe

h:\program files\HP\Digital Imaging\bin\hpqimzone.exe

h:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

h:\progra~1\CHECKP~1\ZONEAL~1\MAILFR~1\mantispm.exe

.

**************************************************************************

.

Completion time: 2011-11-20 15:18:32 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-20 04:18

.

Pre-Run: 465,173,950,464 bytes free

Post-Run: 465,053,671,424 bytes free

.

- - End Of File - - 1D45384C8B75C8B3FDA5AFC35DC91036


Please locate and manually delete the following folder:

h:\program files\Conduit

Next:

Please click here to download AVP Tool by Kaspersky.

  • Save it to your desktop.
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Autoscan.
  • Under Autoscan make sure these are checked:
    • System Memory
    • Hidden startup Objects
    • Disk Boot Sectors.
    • My Computer.
    • Also any other (removable) drives that you may have.

After that click on Recommended to the right of Security level, then choose Settings, then click on the tab that says Additional, then under Rootkit scan choose Deep scan, then choose OK.

  • Then click on Start Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be Neutralized then choose the Delete option when prompted.
  • After that is done click on the Reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus/malware in the report (it will be at the very top under Detected) in your next reply.
    Note: This tool will self-uninstall when you close it, so please save the log before closing it.


Ok, I downloaded and ran the AVP Tool. It didn't find anything. There was only one report to save, automatic scan report. I have ADSL2+ internet speed so it's usually fast but it took well over an hour to download the AVP file averaging 13kb/sec!!

Could ComboFix have changed my internet settings because since I have run it, I now have an IE shortcut on my desktop and Chrome is no longer my default browser? I also wasn't able to download AVP Tool via Chrome. When I clicked on download I kept getting 404 error not found. When I opened IE and tried the page loaded right away.

Also, with my previous post below. Yesterday I stupidly disconnected the internet and then ended the top 2 processes and was worried about the number of processes running. I intended to keep my pc on until I heard from you, however by doing that I shut down both MBAM and ZAlarm which meant handle.3XE started to run so I stopped that process too as I had no idea if it was legit or not. I have since checked and there is no file H:\ComboFix\handle.3XE on the H drive!

Ok, my pc would not restart or shutdown so I cut the power (I know this isn't the best thing to do) but I waited a few minutes & booted up again. I followed the instructions as soon as the pc had loaded and Combofix worked, rebooting my pc as part of the process. Below is the log. After rebooting my ZoneAlarm software has started up again with a popup saying "Suspicious Behaviour Handle viewer is trying to install a driver and gain full access to OS". I have the option to allow or deny. When I select more information it says the application: H:\ComboFix\handle.3XE

What should I do?


This process is legitimate, it is hidden and part of ComboFix. Don't worry!

Go to Control Panel > Network Connections. Right click on the Network icon in the notification area in the lower right corner of the Desktop & select "Repair". Reboot your computer.

Let me know.


Hi Maniac, yes I think everything is ok! Thank you so much for helping me. I really do appreciate it. I will be making a donation via paypal. I hope it goes to you!

Do I now delete all the files and applications you asked me to download and keep on my desktop?


Sorry for delay! :(

I have good news for you => Your system is clean! :thumbsup:

Here are some tips to prevent future malware problems:

You need to ensure that you have the latest version of Adobe Reader. Before you download and install the latest version, it is important to uninstall the old one. For this purpose: Click Start => Control Panel => Add or Remove Programs, highlight them and click on the Remove button. Next, click on each of the programs to download it:

Slowly and carefully install the application and then restart your computer.

Now let's remove the cleaning tools we used. First get rid of ComboFix:

Go to Start => Run... and copy & paste next command in the field:

ComboFix /uninstall

Then hit Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Resets System Restore again

Note: Make sure there's a space between ComboFix and /uninstall

At this stage, you don't need the online scanner, so:

To remove the ESET Online Scanner components from your computer, start the Add or Remove Programs applet from Control Panel, select the ESET Online Scanner entry and click Remove. A restart may be required to complete uninstallation.

Please manually delete aswMBR and Kaspersky AVP Tool.

Some quick tips:

  • Alternative browser - Due to the large market share of Internet Explorer, it is a top target of the writers of malware, so we recommend using an alternative browser. There are many better alternatives to Internet Explorer regarding security, features and speed such as:

  • Program updates - Updating your software is really important for productivity, but also for security. Here is an application that will help in checking for new versions and updates for your programs. It is called FileHippo Update Checker and you can download it from here.

  • Clear old system restore points - Once your system is infected, as a result there will be infected restore points that need to be cleaned.

    1. Open Start => All Programs => Accessories => System Tools => Disk Cleanup.
    2. In the drop-down box that appears select your main drive, e.g. C:\
    3. Click OK.
    4. The system will do some calculation and display a dialogue box with tabs.
    5. Select the More Options tab.
    6. At the bottom will be a System Restore box with a CLEANUP button. Click on it.
    7. Accept the warning and select OK again; the program will close and you are done.

  • Create a new system restore point - Now that everything is fine, it is necessary to create a new restore point to restore your system to an earlier stage in case you get a problem. Do the following:

    1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
    2. In the System Restore dialog box, click Create a restore point, and then click Next.
    3. Type a description for your restore point, such as "After Cleanup", then click Create.

Safe surfing! ;)


Hi Maniac, I have been following your instructions and I am up to clearing the system restore points & creating new ones.

I have done scans with both MBAM and ZoneAlarm and both come back clean, but I noticed that when I run a quick scan in MBAM 209,840 files were checked, whereas in ZA a quick scan is only scanning 7,349 files. Tonight ZA has given me pop-ups every hour to say the "security scan completed" even though the software is set to scan only once a day.

I was looking at the logs in ZoneAlarm just now and note that under OSFirewall there are several entries being blocked. The filename is H:\Windows\system32\svchost.exe. When I select more info it says "Generic Host Process for Win32 Services is trying to delete a value in the registry." but that my PC is safe. Should I be concerned about this?

Finally, while cleaning up tonight I found details of a pop up that appeared last month and I noted down at the time but forgot about until now "Access violation at address 7E429486 in module USER32.dll. Read of address 0020006C."

I probably sound paranoid but I just want to make sure nothing nasty is left behind :unsure:

Oh, also, is it ok to re-enable TeaTimer now?

Thanks again for your help! I really do appreciate it.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
