Jump to content

Wincodecpro malware


Recommended Posts

I have caught the malware called wincodecpro. It disables all sound. My desktop is white and says

"Warning All media systems on your computer have crashed! To resolve this issue and restore your system, update your media codec."

I have run the updated malware bytes and it does not kill the malware. I cannot post the log because notepad will not open. I also ran Avira Antivirus and it did not kill it. I ran Hijack this but the notepad will not open so I can't give you those results either.

The taskbar shows a redcircle with an X in the middle that pops up an error message trying to get me to by wincodecpro. It says " Warning!!! Windows System error! Possible reasons: Media system crash, unable to play media files."

This one is insidious. It seems to get stronger as the days go on. lol. I have been fighting this one for two days and no luck.

Any ideas? Thanks for any help.

Link to post
Share on other sites

  • Root Admin

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

Link to post
Share on other sites

Ron,

Thanks for the reply. After the combo-fix I was able to save the malware log and the hijackthis log you will find below. Hopefully the info will help stop this malware returning. I have followed these steps from prior advice on this page and the malware returned within hours. Here is the info you requested. I uploaded the malware but it seems to not accept the highjack this. I will copy the text below and the malware.txt below that incase the upload version did not come across.

Mark

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:36:15, on 10/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [trtrCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://onecare.live.com

O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/...can8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187959235221

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218429358078

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab

O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://www.wizard101.com/static/themes/wiz...ameLauncher.CAB

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe

O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

--

End of file - 5549 bytes

--------------------------------------------------------------------------------------------------------

ComboFix 09-10-30.01 - Lee 10/30/2009 22:28.6.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1696 [GMT -4:00]

Running from: c:\documents and settings\Lee\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\tmp.reg

.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))

.

2009-10-30 07:51 . 2009-10-30 07:09 15880 ----a-w- c:\windows\system32\lsdelete.exe

2009-10-30 07:14 . 2009-10-30 07:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-10-30 07:09 . 2009-10-30 07:09 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2009-10-30 07:04 . 2009-10-30 07:04 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Temp

2009-10-30 07:04 . 2009-10-30 07:04 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2009-10-30 06:50 . 2009-10-30 06:50 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Threat Expert

2009-10-29 08:44 . 2009-10-29 08:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX

2009-10-29 08:44 . 2009-10-29 08:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2009-10-29 08:34 . 2009-10-30 06:51 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2009-10-29 08:02 . 2009-10-29 08:02 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache

2009-10-29 03:48 . 2009-10-29 03:48 -------- d-----w- c:\program files\Trend Micro

2009-10-29 02:39 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-10-28 09:25 . 2009-10-28 09:25 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2009-10-28 09:25 . 2009-10-28 09:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-10-28 08:26 . 2009-10-28 08:26 -------- d-----w- c:\documents and settings\Lee\Application Data\Uniblue

2009-10-28 06:43 . 2009-10-28 06:44 -------- d-----w- C:\DECCHECK

2009-10-27 11:19 . 2009-10-27 11:19 -------- d-----w- c:\program files\Interbank FX Trader 4

2009-10-21 00:45 . 2009-10-21 00:45 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache

2009-10-21 00:45 . 2009-10-21 00:45 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Turbine,_Inc

2009-10-21 00:42 . 2009-10-21 00:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Turbine

2009-10-17 03:39 . 2008-10-15 04:26 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-10-16 07:20 . 2009-10-16 07:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files

2009-10-16 06:04 . 2009-10-29 02:22 -------- d-----w- c:\program files\Turbine

2009-10-16 00:54 . 2009-10-31 02:19 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\PMB Files

2009-10-16 00:54 . 2009-10-16 04:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PMB Files

2009-10-16 00:54 . 2009-10-16 00:54 -------- d-----w- c:\program files\Pando Networks

2009-10-13 06:11 . 2009-10-13 06:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-10-13 06:11 . 2009-10-13 06:11 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-10-03 05:52 . 2009-10-03 05:52 -------- d-----w- c:\program files\ESET

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-30 07:05 . 2005-04-17 07:40 -------- d-----w- c:\program files\Google

2009-10-30 06:21 . 2005-02-11 13:26 -------- d-----w- c:\program files\City of Heroes

2009-10-29 23:28 . 2008-05-10 07:56 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-29 02:28 . 2008-06-07 04:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-10-05 02:35 . 2005-02-04 08:12 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-10-04 10:13 . 2009-08-20 07:16 -------- d-----w- c:\program files\GStudio7

2009-10-04 09:58 . 2008-03-03 17:47 -------- d-----w- c:\program files\Konami

2009-09-27 05:45 . 2007-03-25 11:12 -------- d--h--w- c:\documents and settings\Lee\Application Data\Move Networks

2009-09-25 06:13 . 2009-08-18 09:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-13 05:46 . 2009-09-13 05:46 18185 ----a-w- c:\program files\Common Files\bahibuliga.lib

2009-09-11 14:18 . 2004-08-12 14:01 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 18:54 . 2009-08-18 09:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2009-08-18 09:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-09 06:25 . 2008-08-15 05:56 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-08 23:59 . 2009-09-08 23:59 -------- d-----w- c:\program files\Common Files\INCA Shared

2009-09-08 19:07 . 2007-03-19 16:17 -------- d-----w- c:\documents and settings\Lee\Application Data\IGN_DLM

2009-09-08 15:48 . 2008-05-11 04:02 -------- d-----w- c:\program files\Download Manager

2009-09-04 21:03 . 2004-08-12 14:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-04 03:15 . 2006-07-15 14:13 24736 -c--a-w- c:\documents and settings\Lee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-04 03:14 . 2009-09-04 03:14 -------- d-----w- c:\program files\MSECache

2009-08-29 08:08 . 2004-08-12 14:09 916480 ------w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-12 14:06 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-23 16:25 . 2009-08-23 16:25 18546 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\umufakite.dat

2009-08-23 16:25 . 2009-08-23 16:25 17044 ----a-w- c:\windows\system32\uryp.sys

2009-08-23 16:25 . 2009-08-23 16:25 15828 ----a-w- c:\program files\Common Files\iwakopa.lib

2009-08-23 16:25 . 2009-08-23 16:25 10766 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\digav.sys

2009-08-23 06:33 . 2009-08-23 06:33 3026 ----a-w- c:\windows\system32\drivers\hwinterface.sys

2009-08-20 07:15 . 2009-08-20 07:15 17408 ----a-w- C:\psapi.dll

2009-08-18 09:07 . 2009-08-18 09:07 19932 ----a-w- c:\program files\Common Files\zytym.lib

2009-08-18 09:07 . 2009-08-18 09:07 15781 ----a-w- c:\windows\tafezup.bin

2009-08-18 09:07 . 2009-08-18 09:07 14729 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\uxileqe.sys

2009-08-18 09:07 . 2009-08-18 09:07 13742 ----a-w- c:\program files\Common Files\fojynulo.bin

2009-08-18 09:07 . 2009-08-18 09:07 12699 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\lojo.bin

2009-08-18 09:07 . 2009-08-18 09:07 10863 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\qacihuho.exe

2009-08-18 07:59 . 2009-08-18 07:59 18163 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\inaro.scr

2009-08-18 07:59 . 2009-08-18 07:59 15145 ----a-w- c:\windows\system32\cyfyto.exe

2009-08-18 07:59 . 2009-08-18 07:59 14810 ----a-w- c:\program files\Common Files\wyvufowo.lib

2009-08-18 07:59 . 2009-08-18 07:59 13681 ----a-w- c:\program files\Common Files\towegyh.dll

2009-08-18 07:59 . 2009-08-18 07:59 11468 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\yqexu.bin

2009-08-18 07:59 . 2009-08-18 07:59 11126 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\dukuzeqo.scr

2009-08-18 07:59 . 2009-08-18 07:59 19517 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\xeqav.pif

2009-08-18 07:48 . 2009-08-18 07:48 19241 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\rabubix.com

2009-08-18 07:48 . 2009-08-18 07:48 17920 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\boworida.com

2009-08-18 07:48 . 2009-08-18 07:48 17320 ----a-w- c:\windows\ypip.bin

2009-08-18 07:48 . 2009-08-18 07:48 16823 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\ruqom.com

2009-08-18 07:48 . 2009-08-18 07:48 16454 ----a-w- c:\windows\system32\xyveluhy.sys

2009-08-18 07:48 . 2009-08-18 07:48 16067 ----a-w- c:\windows\system32\igyko.exe

2009-08-18 07:48 . 2009-08-18 07:48 12865 ----a-w- c:\windows\myqom.pif

2009-08-18 07:48 . 2009-08-18 07:48 11915 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\eqanenagup.bin

2009-08-18 07:48 . 2009-08-18 07:48 11006 ----a-w- c:\documents and settings\Lee\Application Data\uricogikyr.com

2009-08-18 07:48 . 2009-08-18 07:48 10392 ----a-w- c:\program files\Common Files\alyponatap._dl

2009-08-18 07:48 . 2009-08-18 07:48 10350 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\uwowufuty.scr

2009-08-18 07:45 . 2009-08-18 07:45 19415 ----a-w- c:\program files\Common Files\ykanifafo.dat

2009-08-18 07:45 . 2009-08-18 07:45 18998 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\igyde.sys

2009-08-18 07:45 . 2009-08-18 07:45 18953 ----a-w- c:\program files\Common Files\nacidufy.pif

2009-08-18 07:45 . 2009-08-18 07:45 18565 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\iwaduv.pif

2009-08-18 07:45 . 2009-08-18 07:45 17169 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\bavodudij.dll

2009-08-18 07:45 . 2009-08-18 07:45 17045 ----a-w- c:\documents and settings\Lee\Application Data\olec.dat

2009-08-18 07:45 . 2009-08-18 07:45 16257 ----a-w- c:\program files\Common Files\unusu.lib

2009-08-18 07:45 . 2009-08-18 07:45 14596 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\nuje.sys

2009-08-18 07:45 . 2009-08-18 07:45 14383 ----a-w- c:\documents and settings\Lee\Application Data\agadatysab.bin

2009-08-18 07:45 . 2009-08-18 07:45 10076 ----a-w- c:\windows\teso.pif

2009-08-16 15:08 . 2009-09-15 09:40 178176 ----a-w- c:\windows\system32\unrar.dll

2009-08-06 23:24 . 2006-07-15 13:50 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2006-07-15 13:50 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2006-07-15 13:50 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2006-07-15 13:50 53472 ------w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2004-08-12 13:56 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2006-07-15 13:50 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2008-08-12 04:55 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-08-06 23:23 . 2007-07-30 23:18 215920 ----a-w- c:\windows\system32\muweb.dll

2009-08-06 23:23 . 2006-07-15 13:50 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 15:13 . 2004-08-12 14:02 2145280 ------w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"trtrCLIStart"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe" [2009-10-28 38912]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2009-8-6 745472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lee^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]

backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"FastUserSwitchingCompatibility"=3 (0x3)

"RasMan"=3 (0x3)

"wuauserv"=2 (0x2)

"WZCSVC"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"McNASvc"=2 (0x2)

"mcmscsvc"=2 (0x2)

"Lavasoft Ad-Aware Service"=2 (0x2)

"gupdate1c9875074bdd0a0"=2 (0x2)

"getPlus® Helper"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Program Files\\City of Heroes\\CovUpdater.exe"=

"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\NAMCO BANDAI Games\\Warhammer Battle March\\Warhammer.exe"=

"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"58584:TCP"= 58584:TCP:Pando Media Booster

"58584:UDP"= 58584:UDP:Pando Media Booster

R1 hwinterface;hwinterface;c:\windows\SYSTEM32\DRIVERS\hwinterface.sys [8/23/2009 2:33 AM 3026]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\SYSTEM32\DRIVERS\EAPPkt.sys [8/6/2009 3:49 AM 66048]

R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\SYSTEM32\DRIVERS\wg111v2.sys [8/6/2009 3:13 AM 167808]

S0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys --> c:\windows\system32\DRIVERS\ElbyVCD.sys [?]

S3 bfastfao;bfastfao;\??\c:\docume~1\Lee\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Lee\LOCALS~1\Temp\bfastfao.sys [?]

S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [10/20/2009 8:42 PM 267760]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [10/20/2009 8:42 PM 218608]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 SjyPkt;SjyPkt;c:\windows\SYSTEM32\DRIVERS\SjyPkt.sys [8/6/2009 3:49 AM 13532]

S3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [10/1/2006 2:37 PM 26624]

S4 gupdate1c9875074bdd0a0;Google Update Service (gupdate1c9875074bdd0a0);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 1:13 AM 133104]

S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1179232]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 07:07]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ca584a85e68342.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 05:13]

2008-03-15 c:\windows\Tasks\McDefragTask.job

- c:\windows\system32\defrag.exe [2004-08-12 00:12]

.

.

------- Supplementary Scan -------

.

Trusted Zone: live.com\onecare

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://www.wizard101.com/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB

FF - ProfilePath - c:\documents and settings\Lee\Application Data\Mozilla\Firefox\Profiles\2f0vdxnv.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-30 22:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1606980848-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:2d,23,b2,e0,34,81,9f,d0,3d,81,0c,6f,bf,37,ac,8a,43,a5,70,12,a5,c2,65,

f6,c6,e2,66,c2,e6,62,86,2b,7b,1b,61,8b,40,fa,2c,34,26,b6,c3,a5,10,0c,49,44,\

"??"=hex:27,95,0a,24,59,5d,d9,80,26,8f,b1,e7,65,bc,b3,84

[HKEY_USERS\S-1-5-21-1060284298-1606980848-682003330-1004\Software\SecuROM\License information*]

"datasecu"=hex:cd,ce,46,e6,99,15,80,16,49,78,87,3a,f7,8e,4b,aa,f9,d9,0d,ae,b9,

de,17,30,44,b6,23,0f,e8,6a,0c,10,ed,b8,90,d7,ed,09,30,20,f4,09,63,2f,94,0c,\

"rkeysecu"=hex:3c,3b,fd,e7,4b,a5,35,1d,4a,02,50,73,8f,9e,7c,31

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2009-10-31 22:35

ComboFix-quarantined-files.txt 2009-10-31 02:35

ComboFix2.txt 2009-10-29 08:01

ComboFix3.txt 2009-10-29 01:34

ComboFix4.txt 2009-10-28 08:02

ComboFix5.txt 2009-10-31 02:27

Pre-Run: 77,043,744,768 bytes free

Post-Run: 77,136,052,224 bytes free

- - End Of File - - 1355B0D757A2B917607DE2DA4B0A9DDF

ComboFix.txt

Link to post
Share on other sites

  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Driver::
bfastfao
File::
c:\docume~1\Lee\LOCALS~1\Temp\bfastfao.sys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Link to post
Share on other sites

  • Root Admin

Please click on START - RUN and type in MSCONFIG and go to the Services tab and ENABLE ALL and reboot.

Then do it again and go to General and set to Normal Startup and reboot.

If any issues doing that please let me know.

Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.

    VArestorepolicies.INF
  • Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
  • Unzip or open the file VArestorepolicies.zip
  • Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

    FixPolicies.exe
  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close
  • These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.

nod32scanner.jpg

Please temporarily
disable
your current Anti-Virus in order to run this Online Scanner.

Using Internet Explorer:

  • Vista and Windows 7
    users need to right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select
    "Run as Administrator"
    from the context menu.

  • Click
    here
    to run the Eset Online Scanner using Internet Explorer.

  • Click on the
    ESET Online Scanner
    button.

  • Click on the checkbox
    Yes, I accpet the Terms of Use
    and click on the Start button.

  • By default the ActiveX installer will be blocked by Internet Explorer. You should see a yellow banner at the top of the Window.

  • Click the top of the Window and select "Run ActiveX
    C
    ontrol" and then click the
    Run
    button on the next dialog box.

  • Click the
    Retry
    button if prompted to resend the request to load and run the ActiveX control from ESET

  • Make sure you
    Uncheck
    the
    Remove found threats
    checkbox in case we need you to submit a copy of any files found.

  • Click on the
    Advanced settings
    selection in the middle and place a checkmark on the following items

  • Scan for potentially unwanted applications

  • Scan for potentially unsafe applications

  • Enable Anti-Stealth technology

  • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory

  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on it can be ran from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply

Using Another Browser

  • Please click
    here
    to launch the application which installs and launches ESET Online Scanner in a separate window.

  • You will first need to save the file to your Desktop and double-click on it to run it.
    Vista and Windows 7
    users need to right-click and choose
    "Run as Administrator"

  • You will should be prompted with "
    Do you want to run this file?
    ", click on the Run button.

  • Click on the checkbox
    Yes, I accpet the Terms of Use
    and click on the Start button.

  • The program will download further files to use with the scanner and allow you to change options.

  • Make sure you
    Uncheck
    the
    Remove found threats
    checkbox in case we need you to submit a copy of any files found.

  • Click on the
    Advanced settings
    selection in the middle and place a checkmark on the following items

  • Scan for potentially unwanted applications

  • Scan for potentially unsafe applications

  • Enable Anti-Stealth technology

  • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory

  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on it can be ran from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply

Link to post
Share on other sites

I ran the msconfig in services tab and general tab. I can't run the other two utilities. Wincodecpro still has control of notepad and stops most programs from running at all. I think we need to start all over. It seems when I run combofix it lasts a few hours and wincodecpro is back as strong as ever. Am I toast? Reinstall windows and format harddrive time?

Here is the Eset scan. Copied it in because notepad doesn't work. I have added the last combofix and mbam logs as uploaded files.

C:\Documents and Settings\Lee\Application Data\Sun\Java\Deployment\cache\6.0\61\59ef027d-7053989f a variant of Win32/Kryptik.AZA trojan

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe a variant of Win32/Kryptik.AZA trojan

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP102\A0106957.exe Win32/Shutdown.NAA application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP102\A0106960.exe Win32/PrcView application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP103\A0107336.exe Win32/Shutdown.NAA application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP103\A0107339.exe Win32/PrcView application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP105\A0108204.exe multiple threats

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP105\A0108218.exe Win32/PrcView application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP105\A0108221.exe Win32/Shutdown.NAA application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0057145.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0058276.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0058277.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0058278.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0059351.exe probably unknown NewHeur_PE virus

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060535.exe probably unknown NewHeur_PE virus

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060543.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060544.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060545.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060546.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060547.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP94\A0102421.exe probably unknown NewHeur_PE virus

C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP97\A0106011.exe Win32/PrcView application

Operating memory a variant of Win32/Kryptik.AZA trojan

ComboFix.txt

mbam_log_2009_11_02__04_20_50_.txt

Link to post
Share on other sites

  • Root Admin

Well first off you don't have any Anti-Virus installed and running. You NEED to install, update and run an Anti-Virus program

If you don't have one then I recommend Avira AV at least for now.

http://www.free-av.com/en/download/1/avira..._antivirus.html

STEP 00

Please download and run the following program to see if it can restore your notepad file associations

http://www.dougknox.com/xp/fileassoc/xp_txt_fix.zip

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
File::
c:\documents and settings\All Users.WINDOWS\Application Data\umufakite.dat
c:\windows\system32\uryp.sys
c:\program files\Common Files\iwakopa.lib
c:\documents and settings\All Users.WINDOWS\Application Data\digav.sys
c:\program files\Common Files\zytym.lib
c:\windows\tafezup.bin
c:\documents and settings\Lee\Local Settings\Application Data\uxileqe.sys
c:\program files\Common Files\fojynulo.bin
c:\documents and settings\All Users.WINDOWS\Application Data\lojo.bin
c:\documents and settings\Lee\Local Settings\Application Data\qacihuho.exe
c:\documents and settings\Lee\Local Settings\Application Data\inaro.scr
c:\windows\system32\cyfyto.exe
c:\program files\Common Files\wyvufowo.lib
c:\program files\Common Files\towegyh.dll
c:\documents and settings\Lee\Local Settings\Application Data\yqexu.bin
c:\documents and settings\Lee\Local Settings\Application Data\dukuzeqo.scr
c:\documents and settings\All Users.WINDOWS\Application Data\xeqav.pif
c:\documents and settings\All Users.WINDOWS\Application Data\rabubix.com
c:\documents and settings\Lee\Local Settings\Application Data\boworida.com
c:\windows\ypip.bin
c:\documents and settings\Lee\Local Settings\Application Data\ruqom.com
c:\windows\system32\xyveluhy.sys
c:\windows\system32\igyko.exe
c:\windows\myqom.pif
c:\documents and settings\Lee\Local Settings\Application Data\eqanenagup.bin
c:\documents and settings\Lee\Application Data\uricogikyr.com
c:\program files\Common Files\alyponatap._dl
c:\documents and settings\Lee\Local Settings\Application Data\uwowufuty.scr
c:\program files\Common Files\ykanifafo.dat
c:\documents and settings\All Users.WINDOWS\Application Data\igyde.sys
c:\program files\Common Files\nacidufy.pif
c:\documents and settings\Lee\Local Settings\Application Data\iwaduv.pif
c:\documents and settings\All Users.WINDOWS\Application Data\bavodudij.dll
c:\documents and settings\All Users.WINDOWS\Application Data\nuje.sys
c:\documents and settings\Lee\Application Data\agadatysab.bin
c:\windows\teso.pif

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log

STEP 03

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

STEP 04

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup225_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 05

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

STEP 06

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 16.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java SE Runtime Environment (JRE) - JRE 6 Update 16 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u16-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

STEP 07

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH int ip reset c:\resetlog.txt

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C netsh winsock reset catalog

Link to post
Share on other sites

Hey Ron,

I believe I completed all the steps successfully. Every time I reboot the wincodecpro thing comes back. It has kept notepad unusable. Here are the logs you requested as attachments.

I am still infected with no sound, no notepad, and limited application usage. This thing is insidious.

Mark

ComboFix.txt

mbam_log_2009_11_03__04_03_47_.txt

javaralog.txt

Link to post
Share on other sites

  • Root Admin

Okay, I need to get more information as to what's going on.

1. Your Avira AV shows that it is outdated. So #1 you MUST update it and do a FULL SYSTEM scan and then post back the log it returns.

2. Is notepad still physically there or was it deleted?

3. How do you know you have wincodecpro still? What do you see or what indicates you have it ?

4. I am still infected with no sound, no notepad, and limited application usage (What do you mean by limited application usage?) Are you getting errors or they won't launch, please provide more details as I'm not there to see what you're seeing. Do you get ACCESS DENIED errors or some other error?

Please edit your CFSCRIPT.TXT file and remove what is there now and replace it with this and run Combofix again using this updated CFSCRIPT.TXT file.

KILLALL::
Driver::
gupdate1c9875074bdd0a0
File::
c:\program files\Common Files\bahibuliga.lib
c:\documents and settings\Lee\Application Data\olec.dat
c:\program files\Common Files\unusu.lib
c:\docume~1\Lee\LOCALS~1\Temp\Perflib_Perfdata_da8.dat
c:\docume~1\Lee\LOCALS~1\Temp\~DF8F89.tmp
Folder::
c:\Program Files\MediaSystem
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
[-HKEY_LOCAL_MACHINE\SOFTWARE\GenericMultiMedia]

Link to post
Share on other sites

Thanks for your patience. I did a manual update and was finally able to run a full Antivir system scan. It helped alot. I had been getting the white desktop saying buy wincodec pro and the popup in the taskbar urging me to purchase. It is all gone now. My notepad wasn't able to open at all. It would flash on the page and go away. It works now. I wasn't able to run any videos, movies, or games because wincodec would pop up and close them immediately. That has gone away as well.

The only issue now is no sound. I'll run your latest combofix and send the mbam, combofix, antivir and hijack this logs.

hijackthis.txt

mbam_log_2009_11_03__22_15_48_.txt

combofix.txt

antivirscan.txt

Link to post
Share on other sites

  • Root Admin

STEP 01

Please download Lop S&D

Double-click on Lop S&D.exe

Choose the language, then choose Option 1 (Search)

Wait till the end of the scan

Post the log which is created: (%SystemDrive%\lopR.txt), typcially C:\lopR.txt

STEP 02

    Please create a BOOTLOG
  • Delete the following file if it exists. C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
Link to post
Share on other sites

We are on the homestretch. I can't thank you enough for all of your help. A little sound and we are done!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]

"midimapper"="midimap.dll"

"msacm.imaadpcm"="imaadp32.acm"

"msacm.msadpcm"="msadp32.acm"

"msacm.msg711"="msg711.acm"

"msacm.msgsm610"="msgsm32.acm"

"msacm.trspch"="tssoft32.acm"

"vidc.cvid"="iccvid.dll"

"vidc.I420"="msh263.drv"

"vidc.iv31"="ir32_32.dll"

"vidc.iv32"="ir32_32.dll"

"vidc.iv41"="ir41_32.ax"

"vidc.iyuv"="iyuv_32.dll"

"vidc.mrle"="msrle32.dll"

"vidc.msvc"="msvidc32.dll"

"vidc.uyvy"="msyuv.dll"

"vidc.yuy2"="msyuv.dll"

"vidc.yvu9"="tsbyuv.dll"

"vidc.yvyu"="msyuv.dll"

"wavemapper"="msacm32.drv"

"msacm.msg723"="msg723.acm"

"vidc.M263"="msh263.drv"

"vidc.M261"="msh261.drv"

"msacm.msaudio1"="msaud32.acm"

"msacm.sl_anet"="sl_anet.acm"

"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"

"vidc.iv50"="ir50_32.dll"

"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"

"msacm.lhacm"="lhacm.acm"

"vidc.DIVX"="DivX.dll"

"vidc.yv12"="DivX.dll"

"wave"="serwvdrv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]

"wave"="rdpsnd.dll"

"mixer"="rdpsnd.dll"

"MaxBandwidth"=dword:000056b9

"wavemapper"="msacm32.drv"

"EnableMP3Codec"=dword:00000001

"midimapper"="midimap.dll"

Link to post
Share on other sites

  • Root Admin

I'm not saying this is the issue but notice the line: "wave"="serwvdrv.dll"

That file is a Microsoft file: Unimodem Serial Wave driver

However most systems seem to use this one, including my system: "wave"="wdmaud.drv"

Try changing that one in the Registry to use wdmaud.drv and rebooting and see if it works or not.

Go into the Control Panel and make sure you check all the Audio settings and speaker connections

Also, please run this:

Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.

    VArestorepolicies.INF
  • Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
  • Unzip or open the file VArestorepolicies.zip
  • Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

    FixPolicies.exe
  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close
  • These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.

Link to post
Share on other sites

No luck. I changed to wdmaud.drv. I successfully ran fix polices.

No luck with the Varestorespolicies. I click that inf file and there is no install choice. It opens up some text in notepad.

In my control panel audio settings alot of that stuff is totally greyed out. No way to check the boxes.

Weird one eh?

Link to post
Share on other sites

  • Root Admin

There is no installer - when you RIGHT CLICK you should see an option for INSTALL

Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

Well at this point I don't think it is infected anymore and is probably just related to damage from the infection.

Please open a new post in the PC Help forum and see if they can assist you in getting the Audio working again.

Thanks.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.