Jump to content

Malwarebytes

Wincodecpro malware

- - - - -
Started by Beachtrader, Oct 29 2009 05:05 AM

21 replies to this topic

#1
Beachtrader
Posted 29 October 2009 - 05:05 AM

    New Member

  • Members
  • Pip
  • 16 posts
I have caught the malware called wincodecpro. It disables all sound. My desktop is white and says
"Warning All media systems on your computer have crashed! To resolve this issue and restore your system, update your media codec."

I have run the updated malware bytes and it does not kill the malware. I cannot post the log because notepad will not open. I also ran Avira Antivirus and it did not kill it. I ran Hijack this but the notepad will not open so I can't give you those results either.

The taskbar shows a redcircle with an X in the middle that pops up an error message trying to get me to by wincodecpro. It says " Warning!!! Windows System error! Possible reasons: Media system crash, unable to play media files."

This one is insidious. It seems to get stronger as the days go on. lol. I have been fighting this one for two days and no luck.

Any ideas? Thanks for any help.

#2
AdvancedSetup
Posted 30 October 2009 - 08:22 AM

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,519 posts
  • Gender:Male
  • Location:US
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..
This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...
Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
Beachtrader
Posted 31 October 2009 - 03:44 AM

    New Member

  • Members
  • Pip
  • 16 posts
Ron,

Thanks for the reply. After the combo-fix I was able to save the malware log and the hijackthis log you will find below. Hopefully the info will help stop this malware returning. I have followed these steps from prior advice on this page and the malware returned within hours. Here is the info you requested. I uploaded the malware but it seems to not accept the highjack this. I will copy the text below and the malware.txt below that incase the upload version did not come across.

Mark

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:36:15, on 10/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [trtrCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.9.113.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187959235221
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218429358078
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://www.wizard101.com/static/themes/wiz...ameLauncher.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

--
End of file - 5549 bytes

--------------------------------------------------------------------------------------------------------

ComboFix 09-10-30.01 - Lee 10/30/2009 22:28.6.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1696 [GMT -4:00]
Running from: c:\documents and settings\Lee\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-30 07:51 . 2009-10-30 07:09 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-30 07:14 . 2009-10-30 07:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-30 07:09 . 2009-10-30 07:09 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-30 07:04 . 2009-10-30 07:04 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Temp
2009-10-30 07:04 . 2009-10-30 07:04 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-30 06:50 . 2009-10-30 06:50 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Threat Expert
2009-10-29 08:44 . 2009-10-29 08:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-10-29 08:44 . 2009-10-29 08:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-10-29 08:34 . 2009-10-30 06:51 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-10-29 08:02 . 2009-10-29 08:02 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2009-10-29 03:48 . 2009-10-29 03:48 -------- d-----w- c:\program files\Trend Micro
2009-10-29 02:39 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-28 09:25 . 2009-10-28 09:25 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-10-28 09:25 . 2009-10-28 09:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-28 08:26 . 2009-10-28 08:26 -------- d-----w- c:\documents and settings\Lee\Application Data\Uniblue
2009-10-28 06:43 . 2009-10-28 06:44 -------- d-----w- C:\DECCHECK
2009-10-27 11:19 . 2009-10-27 11:19 -------- d-----w- c:\program files\Interbank FX Trader 4
2009-10-21 00:45 . 2009-10-21 00:45 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2009-10-21 00:45 . 2009-10-21 00:45 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Turbine,_Inc
2009-10-21 00:42 . 2009-10-21 00:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Turbine
2009-10-17 03:39 . 2008-10-15 04:26 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-16 07:20 . 2009-10-16 07:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2009-10-16 06:04 . 2009-10-29 02:22 -------- d-----w- c:\program files\Turbine
2009-10-16 00:54 . 2009-10-31 02:19 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\PMB Files
2009-10-16 00:54 . 2009-10-16 04:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PMB Files
2009-10-16 00:54 . 2009-10-16 00:54 -------- d-----w- c:\program files\Pando Networks
2009-10-13 06:11 . 2009-10-13 06:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-13 06:11 . 2009-10-13 06:11 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-03 05:52 . 2009-10-03 05:52 -------- d-----w- c:\program files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 07:05 . 2005-04-17 07:40 -------- d-----w- c:\program files\Google
2009-10-30 06:21 . 2005-02-11 13:26 -------- d-----w- c:\program files\City of Heroes
2009-10-29 23:28 . 2008-05-10 07:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-29 02:28 . 2008-06-07 04:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-05 02:35 . 2005-02-04 08:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-04 10:13 . 2009-08-20 07:16 -------- d-----w- c:\program files\GStudio7
2009-10-04 09:58 . 2008-03-03 17:47 -------- d-----w- c:\program files\Konami
2009-09-27 05:45 . 2007-03-25 11:12 -------- d--h--w- c:\documents and settings\Lee\Application Data\Move Networks
2009-09-25 06:13 . 2009-08-18 09:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 05:46 . 2009-09-13 05:46 18185 ----a-w- c:\program files\Common Files\bahibuliga.lib
2009-09-11 14:18 . 2004-08-12 14:01 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-08-18 09:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-08-18 09:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 06:25 . 2008-08-15 05:56 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 23:59 . 2009-09-08 23:59 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-09-08 19:07 . 2007-03-19 16:17 -------- d-----w- c:\documents and settings\Lee\Application Data\IGN_DLM
2009-09-08 15:48 . 2008-05-11 04:02 -------- d-----w- c:\program files\Download Manager
2009-09-04 21:03 . 2004-08-12 14:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 03:15 . 2006-07-15 14:13 24736 -c--a-w- c:\documents and settings\Lee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 03:14 . 2009-09-04 03:14 -------- d-----w- c:\program files\MSECache
2009-08-29 08:08 . 2004-08-12 14:09 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-12 14:06 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 16:25 . 2009-08-23 16:25 18546 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\umufakite.dat
2009-08-23 16:25 . 2009-08-23 16:25 17044 ----a-w- c:\windows\system32\uryp.sys
2009-08-23 16:25 . 2009-08-23 16:25 15828 ----a-w- c:\program files\Common Files\iwakopa.lib
2009-08-23 16:25 . 2009-08-23 16:25 10766 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\digav.sys
2009-08-23 06:33 . 2009-08-23 06:33 3026 ----a-w- c:\windows\system32\drivers\hwinterface.sys
2009-08-20 07:15 . 2009-08-20 07:15 17408 ----a-w- C:\psapi.dll
2009-08-18 09:07 . 2009-08-18 09:07 19932 ----a-w- c:\program files\Common Files\zytym.lib
2009-08-18 09:07 . 2009-08-18 09:07 15781 ----a-w- c:\windows\tafezup.bin
2009-08-18 09:07 . 2009-08-18 09:07 14729 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\uxileqe.sys
2009-08-18 09:07 . 2009-08-18 09:07 13742 ----a-w- c:\program files\Common Files\fojynulo.bin
2009-08-18 09:07 . 2009-08-18 09:07 12699 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\lojo.bin
2009-08-18 09:07 . 2009-08-18 09:07 10863 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\qacihuho.exe
2009-08-18 07:59 . 2009-08-18 07:59 18163 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\inaro.scr
2009-08-18 07:59 . 2009-08-18 07:59 15145 ----a-w- c:\windows\system32\cyfyto.exe
2009-08-18 07:59 . 2009-08-18 07:59 14810 ----a-w- c:\program files\Common Files\wyvufowo.lib
2009-08-18 07:59 . 2009-08-18 07:59 13681 ----a-w- c:\program files\Common Files\towegyh.dll
2009-08-18 07:59 . 2009-08-18 07:59 11468 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\yqexu.bin
2009-08-18 07:59 . 2009-08-18 07:59 11126 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\dukuzeqo.scr
2009-08-18 07:59 . 2009-08-18 07:59 19517 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\xeqav.pif
2009-08-18 07:48 . 2009-08-18 07:48 19241 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\rabubix.com
2009-08-18 07:48 . 2009-08-18 07:48 17920 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\boworida.com
2009-08-18 07:48 . 2009-08-18 07:48 17320 ----a-w- c:\windows\ypip.bin
2009-08-18 07:48 . 2009-08-18 07:48 16823 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\ruqom.com
2009-08-18 07:48 . 2009-08-18 07:48 16454 ----a-w- c:\windows\system32\xyveluhy.sys
2009-08-18 07:48 . 2009-08-18 07:48 16067 ----a-w- c:\windows\system32\igyko.exe
2009-08-18 07:48 . 2009-08-18 07:48 12865 ----a-w- c:\windows\myqom.pif
2009-08-18 07:48 . 2009-08-18 07:48 11915 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\eqanenagup.bin
2009-08-18 07:48 . 2009-08-18 07:48 11006 ----a-w- c:\documents and settings\Lee\Application Data\uricogikyr.com
2009-08-18 07:48 . 2009-08-18 07:48 10392 ----a-w- c:\program files\Common Files\alyponatap._dl
2009-08-18 07:48 . 2009-08-18 07:48 10350 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\uwowufuty.scr
2009-08-18 07:45 . 2009-08-18 07:45 19415 ----a-w- c:\program files\Common Files\ykanifafo.dat
2009-08-18 07:45 . 2009-08-18 07:45 18998 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\igyde.sys
2009-08-18 07:45 . 2009-08-18 07:45 18953 ----a-w- c:\program files\Common Files\nacidufy.pif
2009-08-18 07:45 . 2009-08-18 07:45 18565 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\iwaduv.pif
2009-08-18 07:45 . 2009-08-18 07:45 17169 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\bavodudij.dll
2009-08-18 07:45 . 2009-08-18 07:45 17045 ----a-w- c:\documents and settings\Lee\Application Data\olec.dat
2009-08-18 07:45 . 2009-08-18 07:45 16257 ----a-w- c:\program files\Common Files\unusu.lib
2009-08-18 07:45 . 2009-08-18 07:45 14596 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\nuje.sys
2009-08-18 07:45 . 2009-08-18 07:45 14383 ----a-w- c:\documents and settings\Lee\Application Data\agadatysab.bin
2009-08-18 07:45 . 2009-08-18 07:45 10076 ----a-w- c:\windows\teso.pif
2009-08-16 15:08 . 2009-09-15 09:40 178176 ----a-w- c:\windows\system32\unrar.dll
2009-08-06 23:24 . 2006-07-15 13:50 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2006-07-15 13:50 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-07-15 13:50 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-07-15 13:50 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-12 13:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-07-15 13:50 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-08-12 04:55 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2007-07-30 23:18 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2006-07-15 13:50 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-12 14:02 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"trtrCLIStart"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe" [2009-10-28 38912]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2009-8-6 745472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lee^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FastUserSwitchingCompatibility"=3 (0x3)
"RasMan"=3 (0x3)
"wuauserv"=2 (0x2)
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"gupdate1c9875074bdd0a0"=2 (0x2)
"getPlus® Helper"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\City of Heroes\\CovUpdater.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\NAMCO BANDAI Games\\Warhammer Battle March\\Warhammer.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"58584:TCP"= 58584:TCP:Pando Media Booster
"58584:UDP"= 58584:UDP:Pando Media Booster

R1 hwinterface;hwinterface;c:\windows\SYSTEM32\DRIVERS\hwinterface.sys [8/23/2009 2:33 AM 3026]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\SYSTEM32\DRIVERS\EAPPkt.sys [8/6/2009 3:49 AM 66048]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\SYSTEM32\DRIVERS\wg111v2.sys [8/6/2009 3:13 AM 167808]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys --> c:\windows\system32\DRIVERS\ElbyVCD.sys [?]
S3 bfastfao;bfastfao;\??\c:\docume~1\Lee\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Lee\LOCALS~1\Temp\bfastfao.sys [?]
S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [10/20/2009 8:42 PM 267760]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [10/20/2009 8:42 PM 218608]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SjyPkt;SjyPkt;c:\windows\SYSTEM32\DRIVERS\SjyPkt.sys [8/6/2009 3:49 AM 13532]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [10/1/2006 2:37 PM 26624]
S4 gupdate1c9875074bdd0a0;Google Update Service (gupdate1c9875074bdd0a0);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 1:13 AM 133104]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1179232]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 07:07]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ca584a85e68342.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 05:13]

2008-03-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-12 00:12]
.
.
------- Supplementary Scan -------
.
Trusted Zone: live.com\onecare
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://www.wizard101.com/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
FF - ProfilePath - c:\documents and settings\Lee\Application Data\Mozilla\Firefox\Profiles\2f0vdxnv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 22:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1606980848-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:2d,23,b2,e0,34,81,9f,d0,3d,81,0c,6f,bf,37,ac,8a,43,a5,70,12,a5,c2,65,
f6,c6,e2,66,c2,e6,62,86,2b,7b,1b,61,8b,40,fa,2c,34,26,b6,c3,a5,10,0c,49,44,\
"??"=hex:27,95,0a,24,59,5d,d9,80,26,8f,b1,e7,65,bc,b3,84

[HKEY_USERS\S-1-5-21-1060284298-1606980848-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:cd,ce,46,e6,99,15,80,16,49,78,87,3a,f7,8e,4b,aa,f9,d9,0d,ae,b9,
de,17,30,44,b6,23,0f,e8,6a,0c,10,ed,b8,90,d7,ed,09,30,20,f4,09,63,2f,94,0c,\
"rkeysecu"=hex:3c,3b,fd,e7,4b,a5,35,1d,4a,02,50,73,8f,9e,7c,31
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-31 22:35
ComboFix-quarantined-files.txt 2009-10-31 02:35
ComboFix2.txt 2009-10-29 08:01
ComboFix3.txt 2009-10-29 01:34
ComboFix4.txt 2009-10-28 08:02
ComboFix5.txt 2009-10-31 02:27

Pre-Run: 77,043,744,768 bytes free
Post-Run: 77,136,052,224 bytes free

- - End Of File - - 1355B0D757A2B917607DE2DA4B0A9DDF

Attached Files


#4
AdvancedSetup
Posted 31 October 2009 - 06:02 AM

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,519 posts
  • Gender:Male
  • Location:US
STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::
Driver::
bfastfao
File::
c:\docume~1\Lee\LOCALS~1\Temp\bfastfao.sys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
Posted Image
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02
Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log and a new Hijackthis log.
Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#5
Beachtrader
Posted 31 October 2009 - 10:48 AM

    New Member

  • Members
  • Pip
  • 16 posts
Well.

The first combofix seemed to have fixed the issue except for having no sound. This latest combo fix brought it all back.
I cannot open notepad anymore. I was able to get the combofix log but cant open notepad to send it so I am trying to send it as an attachment. Any ideas?

Mark

Attached Files


#6
Beachtrader
Posted 31 October 2009 - 10:53 AM

    New Member

  • Members
  • Pip
  • 16 posts
Using your directions here is the last MBAM log as well. Uploaded since I can't get into notepad.

Attached Files


#7
Beachtrader
Posted 02 November 2009 - 07:53 AM

    New Member

  • Members
  • Pip
  • 16 posts
I think my second post messed up your post count. That probably got me lost in the shuffle.

Nothing to add here just checking in and hopefully this fixes my post count and gets me back in the queue.

#8
AdvancedSetup
Posted 02 November 2009 - 08:20 AM

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,519 posts
  • Gender:Male
  • Location:US
Please click on START - RUN and type in MSCONFIG and go to the Services tab and ENABLE ALL and reboot.
Then do it again and go to General and set to Normal Startup and reboot.

If any issues doing that please let me know.

Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.
    VArestorepolicies.INF
  • Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
  • Unzip or open the file VArestorepolicies.zip
  • Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install
    FixPolicies.exe
  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close
  • These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.




[indent]Posted Image[/indent][indent]Please temporarily disable your current Anti-Virus in order to run this Online Scanner.
Using Internet Explorer:[indent]
  • Vista and Windows 7 users need to right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • Click here to run the Eset Online Scanner using Internet Explorer.
  • Click on the ESET Online Scanner button.
  • Click on the checkbox Yes, I accpet the Terms of Use and click on the Start button.
  • By default the ActiveX installer will be blocked by Internet Explorer. You should see a yellow banner at the top of the Window.
  • Click the top of the Window and select "Run ActiveX Control" and then click the Run button on the next dialog box.
  • Click the Retry button if prompted to resend the request to load and run the ActiveX control from ESET
  • Make sure you Uncheck the Remove found threats checkbox in case we need you to submit a copy of any files found.
  • Click on the Advanced settings selection in the middle and place a checkmark on the following items
[indent]
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory
[/indent]
  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on it can be ran from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply
[/indent]
Using Another Browser[indent]
  • Please click here to launch the application which installs and launches ESET Online Scanner in a separate window.
  • You will first need to save the file to your Desktop and double-click on it to run it. Vista and Windows 7 users need to right-click and choose "Run as Administrator"
  • You will should be prompted with "Do you want to run this file?", click on the Run button.
  • Click on the checkbox Yes, I accpet the Terms of Use and click on the Start button.
  • The program will download further files to use with the scanner and allow you to change options.
  • Make sure you Uncheck the Remove found threats checkbox in case we need you to submit a copy of any files found.
  • Click on the Advanced settings selection in the middle and place a checkmark on the following items
[indent]
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory
[/indent]
  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on it can be ran from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply
[/indent][/indent]
Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#9
Beachtrader
Posted 02 November 2009 - 10:22 AM

    New Member

  • Members
  • Pip
  • 16 posts
I ran the msconfig in services tab and general tab. I can't run the other two utilities. Wincodecpro still has control of notepad and stops most programs from running at all. I think we need to start all over. It seems when I run combofix it lasts a few hours and wincodecpro is back as strong as ever. Am I toast? Reinstall windows and format harddrive time?

Here is the Eset scan. Copied it in because notepad doesn't work. I have added the last combofix and mbam logs as uploaded files.

C:\Documents and Settings\Lee\Application Data\Sun\Java\Deployment\cache\6.0\61\59ef027d-7053989f a variant of Win32/Kryptik.AZA trojan
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe a variant of Win32/Kryptik.AZA trojan
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP102\A0106957.exe Win32/Shutdown.NAA application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP102\A0106960.exe Win32/PrcView application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP103\A0107336.exe Win32/Shutdown.NAA application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP103\A0107339.exe Win32/PrcView application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP105\A0108204.exe multiple threats
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP105\A0108218.exe Win32/PrcView application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP105\A0108221.exe Win32/Shutdown.NAA application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0057145.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0058276.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0058277.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0058278.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0059351.exe probably unknown NewHeur_PE virus
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060535.exe probably unknown NewHeur_PE virus
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060543.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060544.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060545.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060546.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060547.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP94\A0102421.exe probably unknown NewHeur_PE virus
C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP97\A0106011.exe Win32/PrcView application
Operating memory a variant of Win32/Kryptik.AZA trojan

Attached Files


#10
AdvancedSetup
Posted 03 November 2009 - 06:18 AM

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,519 posts
  • Gender:Male
  • Location:US
Well first off you don't have any Anti-Virus installed and running. You NEED to install, update and run an Anti-Virus program
If you don't have one then I recommend Avira AV at least for now.
http://www.free-av.com/en/download/1/avira..._antivirus.html


STEP 00
Please download and run the following program to see if it can restore your notepad file associations
http://www.dougknox..../xp_txt_fix.zip

STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::
File::
c:\documents and settings\All Users.WINDOWS\Application Data\umufakite.dat
c:\windows\system32\uryp.sys
c:\program files\Common Files\iwakopa.lib
c:\documents and settings\All Users.WINDOWS\Application Data\digav.sys
c:\program files\Common Files\zytym.lib
c:\windows\tafezup.bin
c:\documents and settings\Lee\Local Settings\Application Data\uxileqe.sys
c:\program files\Common Files\fojynulo.bin
c:\documents and settings\All Users.WINDOWS\Application Data\lojo.bin
c:\documents and settings\Lee\Local Settings\Application Data\qacihuho.exe
c:\documents and settings\Lee\Local Settings\Application Data\inaro.scr
c:\windows\system32\cyfyto.exe
c:\program files\Common Files\wyvufowo.lib
c:\program files\Common Files\towegyh.dll
c:\documents and settings\Lee\Local Settings\Application Data\yqexu.bin
c:\documents and settings\Lee\Local Settings\Application Data\dukuzeqo.scr
c:\documents and settings\All Users.WINDOWS\Application Data\xeqav.pif
c:\documents and settings\All Users.WINDOWS\Application Data\rabubix.com
c:\documents and settings\Lee\Local Settings\Application Data\boworida.com
c:\windows\ypip.bin
c:\documents and settings\Lee\Local Settings\Application Data\ruqom.com
c:\windows\system32\xyveluhy.sys
c:\windows\system32\igyko.exe
c:\windows\myqom.pif
c:\documents and settings\Lee\Local Settings\Application Data\eqanenagup.bin
c:\documents and settings\Lee\Application Data\uricogikyr.com
c:\program files\Common Files\alyponatap._dl
c:\documents and settings\Lee\Local Settings\Application Data\uwowufuty.scr
c:\program files\Common Files\ykanifafo.dat
c:\documents and settings\All Users.WINDOWS\Application Data\igyde.sys
c:\program files\Common Files\nacidufy.pif
c:\documents and settings\Lee\Local Settings\Application Data\iwaduv.pif
c:\documents and settings\All Users.WINDOWS\Application Data\bavodudij.dll
c:\documents and settings\All Users.WINDOWS\Application Data\nuje.sys
c:\documents and settings\Lee\Application Data\agadatysab.bin
c:\windows\teso.pif

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
Posted Image
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02
Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log

STEP 03
Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java


STEP 04
    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup225_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 05
You may have corrupted files on your disk. Please try running the following.
First close ALL Applications as this routine will automatically restart your computer.
Click on START - RUN and copy / paste the following entry into the box and click OK
CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

STEP 06
Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 16.
  • Go to http://java.sun.com/...loads/index.jsp
  • Go to Java SE Runtime Environment (JRE) - JRE 6 Update 16 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u16-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

STEP 07
Click on START - RUN and copy / paste the entry below into the run line and click OK
CMD /C NETSH FIREWALL RESET
Click on START - RUN and copy / paste the entry below into the run line and click OK
CMD /C NETSH int ip reset c:\resetlog.txt
Click on START - RUN and copy / paste the entry below into the run line and click OK
CMD /C netsh winsock reset catalog

Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#11
Beachtrader
Posted 03 November 2009 - 10:47 AM

    New Member

  • Members
  • Pip
  • 16 posts
Hey Ron,

I believe I completed all the steps successfully. Every time I reboot the wincodecpro thing comes back. It has kept notepad unusable. Here are the logs you requested as attachments.
I am still infected with no sound, no notepad, and limited application usage. This thing is insidious.

Mark

Attached Files


#12
AdvancedSetup
Posted 03 November 2009 - 09:44 PM

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,519 posts
  • Gender:Male
  • Location:US
Okay, I need to get more information as to what's going on.

1. Your Avira AV shows that it is outdated. So #1 you MUST update it and do a FULL SYSTEM scan and then post back the log it returns.
2. Is notepad still physically there or was it deleted?
3. How do you know you have wincodecpro still? What do you see or what indicates you have it ?
4. I am still infected with no sound, no notepad, and limited application usage (What do you mean by limited application usage?) Are you getting errors or they won't launch, please provide more details as I'm not there to see what you're seeing. Do you get ACCESS DENIED errors or some other error?

Please edit your CFSCRIPT.TXT file and remove what is there now and replace it with this and run Combofix again using this updated CFSCRIPT.TXT file.
KILLALL::
Driver::
gupdate1c9875074bdd0a0
File::
c:\program files\Common Files\bahibuliga.lib
c:\documents and settings\Lee\Application Data\olec.dat
c:\program files\Common Files\unusu.lib
c:\docume~1\Lee\LOCALS~1\Temp\Perflib_Perfdata_da8.dat
c:\docume~1\Lee\LOCALS~1\Temp\~DF8F89.tmp
Folder::
c:\Program Files\MediaSystem
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
[-HKEY_LOCAL_MACHINE\SOFTWARE\GenericMultiMedia]

Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#13
Beachtrader
Posted 04 November 2009 - 04:18 AM

    New Member

  • Members
  • Pip
  • 16 posts
Thanks for your patience. I did a manual update and was finally able to run a full Antivir system scan. It helped alot. I had been getting the white desktop saying buy wincodec pro and the popup in the taskbar urging me to purchase. It is all gone now. My notepad wasn't able to open at all. It would flash on the page and go away. It works now. I wasn't able to run any videos, movies, or games because wincodec would pop up and close them immediately. That has gone away as well.

The only issue now is no sound. I'll run your latest combofix and send the mbam, combofix, antivir and hijack this logs.

Attached Files


#14
AdvancedSetup
Posted 04 November 2009 - 05:15 AM

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,519 posts
  • Gender:Male
  • Location:US
STEP 01
Please download Lop S&D
Double-click on Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt), typcially C:\lopR.txt

STEP 02
    Please create a BOOTLOG
  • Delete the following file if it exists. C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
     
    If you're already running inside Windows you can enable it the following way.
     
  • Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
  • NOTE: If the file is over about 150 lines or so then DELETE the C:\Windows\ntbtlog.txt file and restart the computer and post the NEW one it creates.
  • NOTE: Vista users can type in the Search and it will show on the menu, then Right click and choose Run as Adminsitrator
  • The tab is called BOOT on Vista. Then choose Boot log

STEP 03
RootRepeal - Rootkit Detector
[indent]
    Close ALL applications and as many items in the task tray that will stop and exit.
  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it more easy to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.
[/indent]
Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#15
Beachtrader
Posted 04 November 2009 - 10:17 AM

    New Member

  • Members
  • Pip
  • 16 posts
That all worked fine. Attached you will find all of the files requested.

Attached Files


#16
Beachtrader
Posted 05 November 2009 - 04:20 AM

    New Member

  • Members
  • Pip
  • 16 posts
I think you have to start your own thread. They go by threadcounts in here and if they see your reply they think they have replied to me. Hopefully this post will put the count back in place so they know it's their turn to respond.

This one is a tough one though. Good luck!

#17
AdvancedSetup
Posted 05 November 2009 - 06:46 AM

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,519 posts
  • Gender:Male
  • Location:US
Please start Regedit and browse to this location and export the key and post back the results please.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#18
Beachtrader
Posted 05 November 2009 - 07:50 AM

    New Member

  • Members
  • Pip
  • 16 posts
We are on the homestretch. I can't thank you enough for all of your help. A little sound and we are done!


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"msacm.lhacm"="lhacm.acm"
"vidc.DIVX"="DivX.dll"
"vidc.yv12"="DivX.dll"
"wave"="serwvdrv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

#19
AdvancedSetup
Posted 05 November 2009 - 09:18 AM

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,519 posts
  • Gender:Male
  • Location:US
I'm not saying this is the issue but notice the line: "wave"="serwvdrv.dll"
That file is a Microsoft file: Unimodem Serial Wave driver
However most systems seem to use this one, including my system: "wave"="wdmaud.drv"
Try changing that one in the Registry to use wdmaud.drv and rebooting and see if it works or not.
Go into the Control Panel and make sure you check all the Audio settings and speaker connections

Also, please run this:
Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.
    VArestorepolicies.INF
  • Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
  • Unzip or open the file VArestorepolicies.zip
  • Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install
    FixPolicies.exe
  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close
  • These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.

Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#20
Beachtrader
Posted 05 November 2009 - 12:15 PM

    New Member

  • Members
  • Pip
  • 16 posts
No luck. I changed to wdmaud.drv. I successfully ran fix polices.
No luck with the Varestorespolicies. I click that inf file and there is no install choice. It opens up some text in notepad.
In my control panel audio settings alot of that stuff is totally greyed out. No way to check the boxes.
Weird one eh?
Back to Resolved HijackThis Logs · Next Unread Topic →


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Malwarebytes Forum
  2. Computer Help
  3. Malware Removal - HijackThis Logs
  4. Resolved HijackThis Logs

Products

About

Partners

Follow Us