GeekPolice
Welcome to GeekPolice.net!

From "wow" to "whoa" - we're teaching practical technology and helping others with tech support. Join our family here!

You are viewing the forum as a "Guest" which doesn't give you member privileges to ask questions or post comments.

Take 30 seconds to register or log in below and unlock the limitations of this website to discover new computer knowledge!

Wincodec trojan Hijack this file - Solved by Belahzur

View previous topic View next topic Go down

Wincodec trojan Hijack this file

Post by bigwaves on Thu Nov 05, 2009 12:41 am

Vista Home Premium

All the same symptoms as everyone else with this. I've run Malwarebyte, Spyware Dr. and Smitfraud. Seems Firefox is hijacked as well.
I have removed all java and reinstalled. Red circle with white x, screen goes to 16 colors etc...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:52:51, on 11/4/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 78.159.125.51 us.search.yahoo.com
O1 - Hosts: 78.159.125.51 uk.search.yahoo.com
O1 - Hosts: 78.159.125.51 search.yahoo.com
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51 [You must be registered and logged in to see this link.]
O1 - Hosts: 78.159.125.51
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\Jumpstart\jswtrayutil.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] ; "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] ; "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [trCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [trechnologies\ATI.ACE\Core-Static\trCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
O4 - HKLM\..\Run: [NBKeyScan] ; "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [WinampAgent] ; "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] ; "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PMCRemoteLauncher.lnk = C:\Users\Steve\AppData\Local\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.] Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - [You must be registered and logged in to see this link.] Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - [You must be registered and logged in to see this link.] Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - absoƖute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 12771 bytes


Thanks in advance for the assistance.
Bigwaves


Last edited by bigwaves on Thu Nov 05, 2009 12:55 am; edited 1 time in total

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by Belahzur on Thu Nov 05, 2009 12:50 am

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Files to delete:
C:\WINDOWS\system32\drivers\etc\hosts

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Thu Nov 05, 2009 1:09 am

Thanks for assisting.

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\drivers\etc\hosts" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by Belahzur on Thu Nov 05, 2009 1:19 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Thu Nov 05, 2009 1:40 am

Malwarebytes' Anti-Malware 1.41
Database version: 3097
Windows 6.0.6001 Service Pack 1

11/4/2009 19:39:38
mbam-log-2009-11-04 (19-39-38).txt

Scan type: Quick Scan
Objects scanned: 101011
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

red circle x still present. Fatal codec error popup in tray

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Thu Nov 05, 2009 1:14 pm

New Hijackthis after Avenger and Malwarebytes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:09:20, on 11/5/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\Jumpstart\jswtrayutil.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] ; "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] ; "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [trCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [trechnologies\ATI.ACE\Core-Static\trCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
O4 - HKLM\..\Run: [NBKeyScan] ; "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [WinampAgent] ; "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] ; "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PMCRemoteLauncher.lnk = C:\Users\Steve\AppData\Local\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.] Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - [You must be registered and logged in to see this link.] Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - [You must be registered and logged in to see this link.] Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - absoƖute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11578 bytes

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by Belahzur on Thu Nov 05, 2009 10:03 pm

Hello.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight BitComet
  • Click on the Uninstall/Change button at the top.

Next,

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [trechnologies\ATI.ACE\Core-Static\trCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe


  • Press "Fix Checked"
  • Close Hijack This.

Any effect? do the alerts stop?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Fri Nov 06, 2009 12:03 am

Did as instructed above. Upon restart, no red circle with x.
After 5 min, screen went to 16 colors. Ran MAlwarebytes and found 2 registry entries infected and repaired.

Log here.

Malwarebytes' Anti-Malware 1.41
Database version: 3097
Windows 6.0.6001 Service Pack 1

11/5/2009 17:55:12
mbam-log-2009-11-05 (17-55-12).txt

Scan type: Quick Scan
Objects scanned: 100821
Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-----------------------------------------------------
Restart. FATAL CODEC ERROR returns

Run Hijackthis

Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:01:46, on 11/5/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\Jumpstart\jswtrayutil.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] ; "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] ; "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [trCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [NBKeyScan] ; "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [WinampAgent] ; "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [trechnologies\ATI.ACE\Core-Static\trCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] ; "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PMCRemoteLauncher.lnk = C:\Users\Steve\AppData\Local\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.] Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - [You must be registered and logged in to see this link.] Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - [You must be registered and logged in to see this link.] Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - absoƖute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10894 bytes

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by Origin on Fri Nov 06, 2009 1:48 am

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Status :
Online
Offline

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Sat Nov 07, 2009 1:05 am

Blue screen after combofix (svchost.exe) started to run. Booting to safe mode to try.

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Sat Nov 07, 2009 1:46 am

Ok, it rebooted while combofix (svchost.exe) was in action. New stuff is popping up,

here is a new malware file.

Malwarebytes' Anti-Malware 1.41
Database version: 3113
Windows 6.0.6001 Service Pack 1

11/6/2009 19:30:32
mbam-log-2009-11-06 (19-30-32).txt

Scan type: Quick Scan
Objects scanned: 101918
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\wujohewa.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\nupuzidu.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\fuyubefo.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gamatavosa (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger (Trojan.WinCodecPro) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\wujohewa.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\nupuzidu.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\fuyubefo.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\caonima1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\fiyahena.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Users\Steve\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Sat Nov 07, 2009 2:20 am

and a new hijack file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:03, on 11/6/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\Jumpstart\jswtrayutil.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] ; "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] ; "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [trCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [NBKeyScan] ; "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [WinampAgent] ; "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [52944428] C:\ProgramData\52944428\52944428.exe
O4 - HKLM\..\Run: [trechnologies\ATI.ACE\Core-Static\trCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] ; "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PMCRemoteLauncher.lnk = C:\Users\Steve\AppData\Local\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.] Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - [You must be registered and logged in to see this link.] Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - [You must be registered and logged in to see this link.] Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - AppInit_DLLs: wujohewa.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - absoƖute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9888 bytes

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Sat Nov 07, 2009 4:02 am

And a new malware file...

Malwarebytes' Anti-Malware 1.41
Database version: 3113
Windows 6.0.6001 Service Pack 1

11/6/2009 22:00:26
mbam-log-2009-11-06 (22-00-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 319869
Time elapsed: 1 hour(s), 33 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\wInOptiMIz3R504\AshampooWinOptimizerPlatinumKeygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Sat Nov 07, 2009 7:20 pm

I manually deleted this whole folder
C:\Program Files\Mozilla Firefox\wInOptiMIz3R504\
in safe mode. Ran Malwarebytes and it found the Trojan.WinCodec again and cleaned. Reboot to normal mode, and run Malware again, Trojan.WinCodec is found again. Clean again.

New Malware log and hijack log

Malwarebytes' Anti-Malware 1.41
Database version: 3118
Windows 6.0.6001 Service Pack 1

11/7/2009 13:14:44
mbam-log-2009-11-07 (13-14-44).txt

Scan type: Quick Scan
Objects scanned: 101718
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger (Trojan.WinCodecPro) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

****************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:16:47, on 11/7/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
G:\Program Files\Malwarebytes' Anti-Malware\winlogon.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {18c1d25e-f107-495a-b115-c671bf90162a} - fuyubefo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\Jumpstart\jswtrayutil.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] ; "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] ; "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [trCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\Program Files\Malwarebytes' Anti-Malware\winlogon.exe" /runcleanupscript
O4 - HKLM\..\Run: [NBKeyScan] ; "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [WinampAgent] ; "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [trechnologies\ATI.ACE\Core-Static\trCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] ; "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PMCRemoteLauncher.lnk = C:\Users\Steve\AppData\Local\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.] Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - [You must be registered and logged in to see this link.] Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - [You must be registered and logged in to see this link.] Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - AppInit_DLLs: wujohewa.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - absoƖute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11005 bytes


Last edited by bigwaves on Mon Nov 09, 2009 11:38 pm; edited 1 time in total

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Sat Nov 07, 2009 8:36 pm

I finally got Combofix (scvhost) to made it through the whole scan and it deleted a handful of files, went through reboot and was attempting to create log file when BSoD showed up. Never created logfile

Turn off, reboot and BSOD again.

Reboot, computer went into repair mode.

Now back to where I was. Still Wincodec circle in tray and screen to 16 colors after a few mins.

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Mon Nov 09, 2009 10:54 pm

bump.

I promise to follow instruction.

Combofix never made it all the way through to create log file.

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by Belahzur on Tue Nov 10, 2009 5:28 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {18c1d25e-f107-495a-b115-c671bf90162a} - fuyubefo.dll (file missing)
    O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
    O20 - AppInit_DLLs: wujohewa.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Tue Nov 10, 2009 11:20 pm

Thank you Belahzur.

Reboot was nessesary after MBAM
Updated MBAM file attached:

Malwarebytes' Anti-Malware 1.41
Database version: 3142
Windows 6.0.6001 Service Pack 1

11/10/2009 17:16:48
mbam-log-2009-11-10 (17-16-48).txt

Scan type: Quick Scan
Objects scanned: 101554
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trclistart (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trechnologies\ati.ace\core-static\trclistart (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger (Trojan.WinCodecPro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malwarebytes anti-malware (reboot) (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Last edited by bigwaves on Tue Nov 10, 2009 11:31 pm; edited 1 time in total (Reason for editing : Reboot was nessesary after MBAM)

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by Belahzur on Wed Nov 11, 2009 12:41 am

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Wed Nov 11, 2009 1:06 am

DDS (Ver_09-10-26.01) - NTFSx86
Run by Steve at 19:01:05.43 on Tue 11/10/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2429.1402 [GMT -6:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k nȯne
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\rpcnet.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.7.2.11\IPSBHO.DLL
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] ; "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-

39A1E5104020
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] \HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ftpqueue] c:\program files\ws_ftp pro\ftpqueue.exe -tray
mRun: [QuickTime Task] ; "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] ; "c:\program files\itunes\iTunesHelper.exe"
mRun: [NBKeyScan] ; "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [WinampAgent] ; "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
StartupFolder: c:\users\steve\appdata\roaming\micros~1\windows\startm~1\programs\startup\mru-blaster scheduler.lnk - c:\program files\mru-

blaster\scheduler.exe
StartupFolder: c:\users\steve\appdata\roaming\micros~1\windows\startm~1\programs\startup\mru-blaster silent clean.lnk - c:\program files\mru-

blaster\mrublaster.exe
StartupFolder: c:\users\steve\appdata\roaming\micros~1\windows\startm~1\programs\startup\palm registration.lnk - c:\program files\palmone\register.exe
StartupFolder: c:\users\steve\appdata\roaming\micros~1\windows\startm~1\programs\startup\pmcremotelauncher.lnk -

c:\users\steve\appdata\local\pinnacle\tvc\tools\PMCRemoteCtrl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dataviz inc messenger.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsync manager.lnk - c:\program files\palmone\Hotsync.exe
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office11\EXCEL.EXE/3000
IE: LastPass - [You must be registered and logged in to see this link.] files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - [You must be registered and logged in to see this link.] files\lastpass\context.html?cmd=fillforms
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
LSA: Notification Packages = scecli nupuzidu.dll wujohewa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\steve\appdata\roaming\mozilla\firefox\profiles\tqbpkpwt.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\tqbpkpwt.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - component: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\tqbpkpwt.default\extensions\support@lastpass.com\platform\winnt_x86-

msvc\components\lpxpcom.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mpcstar\codecs\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\mpcstar\codecs\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\tqbpkpwt.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\steve\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows

presentation foundation\dotnetassistantextension\
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1007020.00b\SymEFA.sys [2009-8-31 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1007020.00b\BHDrvx86.sys [2009-8-31 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1007020.00b\cchpx86.sys [2009-8-31 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091105.001\IDSvix86.sys [2009-11-6 343088]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-5-6 20352]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-10 124832]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.7.2.11\ccSvcHst.exe [2009-8-31 117640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-26 1153368]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-10 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nav\1007020.00b\symndisv.sys [2009-8-31 48688]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-5-6 937984]

=============== Created Last 30 ================

2009-11-11 00:43:16 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-11-11 00:42:41 0 d-----w- c:\program files\Synaptics
2009-11-11 00:02:08 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-11 00:02:00 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 00:01:21 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-07 20:43:56 0 d-----r- c:\program files\Norton Support
2009-11-07 20:27:31 524288 --sha-w- c:\users\steve\ntuser.dat{be4a8391-cbdb-11de-9cfe-001eec3885c5}.TMContainer00000000000000000002.regtrans-ms
2009-11-07 20:27:30 65536 --sha-w- c:\users\steve\ntuser.dat{be4a8391-cbdb-11de-9cfe-001eec3885c5}.TM.blf
2009-11-07 20:27:30 524288 --sha-w- c:\users\steve\ntuser.dat{be4a8391-cbdb-11de-9cfe-001eec3885c5}.TMContainer00000000000000000001.regtrans-ms
2009-11-07 19:24:52 0 d-----w- C:\ComboFix(272)
2009-11-07 17:18:59 79360 ----a-w- c:\windows\system32\swxcacls.exe
2009-11-07 17:18:59 135168 ----a-w- c:\windows\system32\swreg.exe
2009-11-07 01:11:35 98816 ----a-w- c:\windows\sed.exe
2009-11-07 01:11:35 77312 ----a-w- c:\windows\MBR.exe
2009-11-07 01:11:35 267264 ----a-w- c:\windows\PEV.exe
2009-11-07 01:11:35 161792 ----a-w- c:\windows\SWREG.exe
2009-11-07 01:11:23 0 d-s---w- C:\ComboFix
2009-11-07 01:05:56 65536 --sha-w- c:\users\steve\NTUSER.DAT{3a539870-6a70-11db-887c-d362bd253390}.TxR.blf
2009-11-07 01:05:56 1048576 --sha-w- c:\users\steve\NTUSER.DAT{3a539870-6a70-11db-887c-d362bd253390}.TxR.2.regtrans-ms
2009-11-07 01:05:56 1048576 --sha-w- c:\users\steve\NTUSER.DAT{3a539870-6a70-11db-887c-d362bd253390}.TxR.1.regtrans-ms
2009-11-07 01:05:56 1048576 --sha-w- c:\users\steve\NTUSER.DAT{3a539870-6a70-11db-887c-d362bd253390}.TxR.0.regtrans-ms
2009-11-06 00:57:39 0 d-----w- c:\windows\system32\wbem\repository
2009-11-06 00:56:50 0 d-----w- c:\windows\registration
2009-11-05 00:11:40 0 d-----w- c:\programdata\McAfee
2009-11-05 00:07:07 56680 ----a-w- c:\windows\system32\rpcnet.exe
2009-11-05 00:07:07 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-11-04 23:42:29 0 d-----w- c:\program files\Trend Micro
2009-11-04 23:03:06 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-11-04 22:50:40 691 ----a-w- c:\users\steve\appdata\roaming\GetValue.vbs
2009-11-04 22:50:40 35 ----a-w- c:\users\steve\appdata\roaming\SetValue.bat
2009-11-04 22:50:39 6588 ----a-w- c:\windows\system32\tmp.reg
2009-11-04 22:48:57 87552 ----a-w- c:\windows\system32\VACFix.exe
2009-11-04 22:48:57 82944 ----a-w- c:\windows\system32\IEDFix.exe
2009-11-04 22:48:57 82944 ----a-w- c:\windows\system32\IEDFix.C.exe
2009-11-04 22:48:57 82432 ----a-w- c:\windows\system32\404Fix.exe
2009-11-04 22:48:57 80384 ----a-w- c:\windows\system32\o4Patch.exe
2009-11-04 22:48:57 78336 ----a-w- c:\windows\system32\Agent.OMZ.Fix.exe
2009-11-04 22:48:57 75776 ----a-w- c:\windows\system32\WS2Fix.exe
2009-11-04 22:48:57 53248 ----a-w- c:\windows\system32\Process.exe
2009-11-04 22:48:57 51200 ----a-w- c:\windows\system32\dumphive.exe
2009-11-04 22:48:57 289144 ----a-w- c:\windows\system32\VCCLSID.exe
2009-11-04 22:48:57 288417 ----a-w- c:\windows\system32\SrchSTS.exe
2009-11-04 22:22:22 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-10-31 16:21:22 0 d-----w- c:\users\steve\appdata\roaming\Ashampoo
2009-10-28 15:28:59 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 15:28:55 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-21 06:59:17 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-21 06:58:27 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-21 06:57:57 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-21 06:57:57 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-14 04:08:51 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 04:07:45 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 04:07:44 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 04:07:07 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-10-14 04:07:06 217088 ----a-w- c:\windows\system32\psisrndr.ax
2009-10-14 04:07:04 80896 ----a-w- c:\windows\system32\MSNP.ax
2009-10-14 04:07:04 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-14 04:07:04 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2009-10-14 04:03:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 04:03:17 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 04:03:12 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

==================== Find3M ====================

2009-11-11 00:43:25 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-11 00:43:25 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-11 00:43:24 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-05 00:13:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-28 12:39:07 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-26 22:55:14 4637952 ----a-w- c:\program files\common files\lpuninstall.exe
2009-08-14 16:29:41 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 16:29:41 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 14:16:55 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16:55 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16:52 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16:51 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16:50 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16:49 10240 ----a-w- c:\windows\system32\finger.exe
2008-06-11 22:24:24 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-08-06 15:52:09 2713 --sha-w- c:\windows\system32\lizuzuke.dll
2009-08-06 15:52:08 2713 --sha-w- c:\windows\system32\yadoyiyo.dll
2008-06-06 22:07:47 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2008-06-06 22:07:47 4 --sh--r- c:\windows\system32\drivers\taishop.sys

============= FINISH: 19:01:46.12 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 5/6/2008 03:17:36
System Uptime: 11/10/2009 18:45:57 (1 hours ago)

Motherboard: TOSHIBA | | IALAA
Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-57 | Socket M2/S1G1 |

1900/200mhz

==== Disk Partitions =========================

C: is fȋxed (NTFS) - 148 GiB total, 45.169 GiB free.
D: is CDROM ()
Y: is NetworkDisk (NTFS) - 298 GiB total, 48.185 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP208: 9/11/2009 03:00:11 - Windows Update
RP209: 10/14/2009 03:00:30 - Windows Update
RP210: 10/21/2009 01:57:25 - Windows Update
RP211: 10/27/2009 03:00:14 - Windows Update
RP212: 10/29/2009 03:00:15 - Windows Update
RP213: 11/3/2009 23:02:17 - Restore Operation
RP228: 11/5/2009 19:45:05 - Restore Operation
RP231: 11/7/2009 12:29:32 - Restore Operation
RP232: 11/10/2009 18:02:13 - Windows Update
RP233: 11/10/2009 18:37:14 - Windows Update

==== Installed Programs ======================

AAC Decoder
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Photoshop Elements 6.0
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
Ashampoo Music Studio 3
Ashampoo WinOptimizer 5.04
Atheros Driver Installation Program
Atheros Wi-Fi Protected Setup Library
ATI Catalyst Install Manager
AutoUpdate
Bluetooth Stack for Windows by Toshiba
Bonjour
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CD/DVD Drive Acoustic Silencer
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Documents To Go
DVD MovieFactory for TOSHIBA
Garmin Communicator Plugin
Garmin POI Loader
Garmin USB Drivers
GearDrvs
Google Earth
Google Updater
GrabIt 1.7.2 Beta 3 (build 996)
GSAK 7.5.1.28 (Final)
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotspot Shield 1.06
Image Resizer Powertoy Clone for Windows
Incomedia WebSite X5 v8 - Evolution
Ipswitch WS_FTP Pro Uninstall
IrfanView (remove only)
iTunes
Java(TM) 6 Update 17
K-Lite Codec Pack 4.9.5 (Standard)
LastPass (uninstall only)
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech Video Enumerator
Logitech® Camera Driver
Malwarebytes' Anti-Malware
MapSource
MapSource - City Select North America v7
Master Blues Piano Solos Volume 1
Master Flatpick Guitar Volume 1
Master Jazz Guitar Solos SuperPAK
Microsoft .NET Framework 3.5 SP1
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MKV Splitter
Mozilla Firefox (3.5.4)
Mp3/Tag Studio 3.5 (beta 20)
MpcStar 4.0
MRU-Blaster v1.5 (Database 3/28/2004)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MVision
Nero 8
neroxml
Norton 360
Norton AntiVirus
ooVoo
OpenOffice.org 2.4
Paint.NET v3.36
Palm
PG Music DirectX Plugins 1.3.4.1
Picasa 2
Pinnacle PCTV MCE
Pinnacle VideoSpin
PurgeFox - 4.01
QuickPar 0.9
QuickTime
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
Security Update for Windows Media Encoder (KB954156)
Skins
Skype™ 4.1
Spybot - Search & Destroy
Synaptics Pointing Device Driver
TablEdit 2.65
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Flash Cards Support Utility
TOSHIBA Games
TOSHIBA Hardware Setup
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Utility Common Driver
VC80CRTRedist - 8.0.50727.762
Virtual Sound Canvas DXi
Winamp
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Driver Package - Pinnacle Systems PCTV 100e/320e Audio (08/03/2007

5.7.0803.0)
Windows Driver Package - Pinnacle Systems PCTV 100i,110i,300i,310i, MCE (11/22/2006

1.3.3.5)
Windows Driver Package - Pinnacle Systems PCTV 310ix, 710ix, 3010ix, 7010ix

(07/17/2007 1.0.4.1)
Windows Driver Package - Pinnacle Systems PCTV 340e(SE), PCTV 801e(SE) (03/25/2008

2.3.3.26)
Windows Driver Package - Pinnacle Systems PCTV

70e/100e/160e/170e/320e/330e/800e/880e (08/03/2007 5.7.0803.0)
Windows Driver Package - Pinnacle Systems PCTV 71e (09/28/2006 6.9.28.4)
Windows Driver Package - Pinnacle Systems PCTV 800i (04/29/2008 3.1.1.49)
Windows Driver Package - Pinnacle Systems PCTV Stick (06/14/2007 1.0.0.0)
Windows Driver Package - Pinnacle Systems Pinnacle Systems PCTV 310c (03/21/2007

3.1.1.24)
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinRAR archiver

==== Event Viewer Messages From Past Week ========

11/7/2009 14:26:31, Error: Service Control Manager [7034] - The Hotspot Shield

Service service terminated unexpectedly. It has done this 1 time(s).
11/7/2009 14:23:04, Error: Service Control Manager [7034] - The Process Monitor

service terminated unexpectedly. It has done this 1 time(s).
11/7/2009 13:47:00, Error: Service Control Manager [7026] - The following boot-

start or system-start driver(s) failed to load: BHDrvx86 ccHP eeCtrl IDSVix86 spldr

SRTSPX SYMTDI Tosrfcom Wanarpv6
11/6/2009 20:18:04, Error: EventLog [6008] - The previous system shutdown at

7:16:17 PM on 11/6/2009 was unexpected.
11/6/2009 20:11:42, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got

error "1084" attempting to start the service VSS with arguments "" in order to run

the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
11/6/2009 20:05:27, Error: EventLog [6008] - The previous system shutdown at

7:01:56 PM on 11/6/2009 was unexpected.
11/6/2009 19:13:56, Error: EventLog [6008] - The previous system shutdown at

6:11:21 PM on 11/6/2009 was unexpected.
11/6/2009 18:34:11, Error: EventLog [6008] - The previous system shutdown at

11:32:57 AM on 11/6/2009 was unexpected.
11/5/2009 20:03:21, Error: Service Control Manager [7009] - A timeout was reached

(30000 milliseconds) while waiting for the SBSD Security Center Service service to

connect.
11/5/2009 20:03:21, Error: Service Control Manager [7000] - The SBSD Security

Center Service service failed to start due to the following error: The service did

not respond to the start or control request in a timely fashion.
11/4/2009 19:52:38, Error: Service Control Manager [7022] - The KtmRm for

Distributed Transaction Coordinator service hung on starting.
11/4/2009 19:49:06, Error: Service Control Manager [7009] - A timeout was reached

(30000 milliseconds) while waiting for the Windows Media Player Network Sharing

Service service to connect.
11/4/2009 19:49:06, Error: Service Control Manager [7000] - The Windows Media

Player Network Sharing Service service failed to start due to the following error:

The service did not respond to the start or control request in a timely fashion.
11/4/2009 19:46:32, Error: EventLog [6008] - The previous system shutdown at

6:17:17 PM on 11/4/2009 was unexpected.
11/4/2009 19:02:21, Error: Service Control Manager [7009] - A timeout was reached

(30000 milliseconds) while waiting for the Windows Search service to connect.
11/4/2009 19:02:21, Error: Service Control Manager [7000] - The Windows Search

service failed to start due to the following error: The service did not respond to

the start or control request in a timely fashion.
11/4/2009 19:02:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got

error "1053" attempting to start the service WSearch with arguments "" in order to

run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
11/4/2009 17:39:15, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got

error "1084" attempting to start the service WSearch with arguments "" in order to

run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
11/4/2009 17:38:40, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got

error "1068" attempting to start the service netprofm with arguments "" in order to

run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
11/4/2009 17:38:40, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got

error "1068" attempting to start the service netman with arguments "" in order to

run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
11/4/2009 17:38:40, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got

error "1068" attempting to start the service fdPHost with arguments "" in order to

run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
11/4/2009 17:38:37, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got

error "1084" attempting to start the service EventSystem with arguments "" in order

to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/4/2009 17:38:25, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got

error "1084" attempting to start the service ShellHWDetection with arguments "" in

order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
11/4/2009 17:24:10, Error: Service Control Manager [7026] - The following boot-

start or system-start driver(s) failed to load: AFD BHDrvx86 ccHP DfsC eeCtrl

IDSVix86 jswpslwf NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr SRTSPX SymIM

SYMTDI tdx Tosrfcom Wanarpv6
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The Workstation service

depends on the Network Store Interface Service service which failed to start because

of the following error: The dependency service or group failed to start.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The WebDav Client

Redirector Driver service depends on the Redirected Buffering Sub Sysytem service

which failed to start because of the following error: A device attached to the

system is not functioning.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The WebClient service

depends on the WebDav Client Redirector Driver service which failed to start because

of the following error: The dependency service or group failed to start.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The TCP/IP NetBIOS

Helper service depends on the Ancilliary Function Driver for Winsock service which

failed to start because of the following error: A device attached to the system is

not functioning.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The SMB MiniRedirector

Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service

which failed to start because of the following error: A device attached to the

system is not functioning.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The SMB 2.0

MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service

which failed to start because of the following error: The dependency service or

group failed to start.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The SMB 1.x

MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service

which failed to start because of the following error: The dependency service or

group failed to start.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The Network Store

Interface Service service depends on the NSI proxy service service which failed to

start because of the following error: A device attached to the system is not

functioning.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The Network Location

Awareness service depends on the Network Store Interface Service service which

failed to start because of the following error: The dependency service or group

failed to start.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The Network List

Service service depends on the Network Location Awareness service which failed to

start because of the following error: The dependency service or group failed to

start.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The IP Helper service

depends on the Network Store Interface Service service which failed to start because

of the following error: The dependency service or group failed to start.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The Hotspot Shield

Service service depends on the DHCP Client service which failed to start because of

the following error: The dependency service or group failed to start.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The DNS Client service

depends on the NetIO Legacy TDI Support Driver service which failed to start because

of the following error: A device attached to the system is not functioning.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The DHCP Client service

depends on the Ancilliary Function Driver for Winsock service which failed to start

because of the following error: A device attached to the system is not functioning.
11/4/2009 17:24:10, Error: Service Control Manager [7001] - The Computer Browser

service depends on the Server service which failed to start because of the following

error: The dependency service or group failed to start.
11/3/2009 18:10:06, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address

lease 192.168.1.8 for the Network Card with network address 001B9EF272A3 has been

denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
11/3/2009 08:10:47, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address

lease 192.168.1.3 for the Network Card with network address 001B9EF272A3 has been

denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
11/3/2009 00:01:38, Error: Service Control Manager [7000] - The Parallel port

driver service failed to start due to the following error: The service cannot be

started, either because it is disabled or because it has no enabled devices

associated with it.
11/3/2009 00:00:25, Error: volmgr [45] - The system could not sucessfully load the

crash dump driver.

==== End Of File ===========================

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by Belahzur on Wed Nov 11, 2009 1:25 am

Hello.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

How is the machine now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Wincodec trojan Hijack this file - Solved by Belahzur

Post by bigwaves on Wed Nov 11, 2009 2:39 am

Belahzur, although I am nervous as per what I have been through for a week before I found this site, the system 'looks' good. No popups or security warnings or browser hijacks. I have audio and video.

MBAM came up empty this time!

I will keep my eyes on the situation and be wary for sure.

I want to extend my gratitude and some money for the time I have saved and could have spent. Cheers Mate


Donation made!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!

bigwaves
Novice
Novice

Status :
Online
Offline

Posts : 25
Joined : 2009-11-04
OS : Vista

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum