Urgent Help Needed - WinCoDecPRO Trojan...

Robert09

After going to a website I received a Trojan virus called WinCoDecPRO.

This left my computer display all wrong and now I am unable to access the Task Manager.

I ran CCleaner, Malwarebytes, and Spyware Terminator. I deleted all threats found, but I still cannot access Task Manager.
There is also a red X icon near the clock on the lower right part of my screen.

I searched for it on a search engine, but everything is trying to charge me to install a removal tool to remove the threat. I have also found a how-to to remove it, but it warns me that performing the removal can permanently damage my PC.


My question is how do I get rid of this, and can anyone give some good advice on what to do about it?

From what I understand this virus is pretty serious and needs to be removed ASAP.



Your help is urgently needed!!!!
 
johnb35 -

Here is a log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:14 PM, on 10/13/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\mnmsrvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\dejusched.exe
C:\Program Files\Common Files\AOL\1255452910\ee\AOLSoftware.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = r1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [dejusched] C:\Program Files\Java\jre6\bin\dejusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1255452910\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINNT\TEMP\E_SCAD.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: MIW Deployment - https://wil.radnetonline.com/downloads/MIWDeploy.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwic.ops.placeware.com/etc/place/INDIA/SCIpws-c2/5.1.7.413/lib/quicksilver.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RobertsonDX.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RobertsonDX.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RobertsonDX.com
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSII1s.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 6835 bytes



Do you need the ComboFix log as well? I looked at the link and it seems complicated to this computer noob, and I don't want my PC to have any unnecessary damage. But I will try it if you need it and if you think it will help.

Thanks John.
 
Hello,

Not sure about this one:
C:\Program Files\Java\jre6\bin\dejusched.exe

Usually there is a Java process called jusched.exe, but not dejusched.exe. This one looks suspicious to me. Download the Fix Task Manager freeware tool and re-enable Task Manager. Then open Task Manager and terminate dejusched.exe. Download Spyware Doctor from Google Pack (free version) and scan your computer. It will remove found infections for free. As for WinCoDecPRO, more info can be found here:
http://www.2-spyware.com/remove-wincodecpro.html
http://www.bleepingcomputer.com/virus-removal/remove-wincodecpro-trojan

Good luck!
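The dejusched.exe observation above is the kind of check that can be scripted instead of done by eye. The following is an editor-added example, not code from HijackThis, ComboFix, or anyone in this thread. It reads the HijackThis log Robert09 posted and flags four things: O4 autostart binaries whose names are near-misses of expected ones, autostarts launched from user-writable folders, an Internet Explorer proxy setting (the posted log contains ProxyServer = r1:8080, which nobody in the thread comments on), and O23 services whose file carries no publisher name ("Unknown owner"). The allow-list of expected binaries and the 0.8 similarity threshold are the editor's assumptions; the embedded sample is an excerpt of the log posted above.

```python
"""Editor-added triage of a HijackThis (HJT) log.

Not code from HijackThis or from anyone in this thread. It automates the
reading the helpers did by eye: autostart (O4) binaries whose names are
near-misses of expected ones, autostarts launched from user-writable folders,
an Internet Explorer proxy setting (R1), and services (O23) whose file carries
no publisher name ("Unknown owner").
"""
import re
from difflib import SequenceMatcher

# Expected autostart binaries on this machine. An editor's assumption built
# from the legitimate entries in the posted log, not something HijackThis ships.
KNOWN_AUTOSTARTS = {
    "jusched.exe", "vptray.exe", "ccapp.exe", "realsched.exe", "mbam.exe",
    "aolsoftware.exe", "ctfmon.exe", "aim.exe", "mobsync.exe", "vtpreset.exe",
    "wzqkpick.exe", "reader_sl.exe", "icwconn1.exe",
}
LOOKALIKE_THRESHOLD = 0.8   # SequenceMatcher ratio; 1.0 means identical
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")

_O4 = re.compile(r"^O4 - (?P<where>.+?): (?P<rest>.+)$")
_EXE_PATH = re.compile(r'^"?(?P<path>[^"]*?\.exe)\b', re.IGNORECASE)
_R1_PROXY = re.compile(r"^R1 - .*\bProxyServer = (?P<proxy>\S+)")
_O23 = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = r1:8080
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [dejusched] C:\Program Files\Java\jre6\bin\dejusched.exe
O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINNT\TEMP\E_SCAD.tmp" /EF "HKCU"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSII1s.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def autostart_path(rest):
    """Return the launched executable's path from the command part of an O4 entry.

    Handles both "[value name] C:\\...\\x.exe args" and "Shortcut.lnk = C:\\...\\x.exe".
    Only the executable itself is returned; arguments (which may contain other
    paths, as the EPSON entry does) are dropped.
    """
    if " = " in rest:
        rest = rest.split(" = ", 1)[1]
    rest = re.sub(r"^\[[^\]]*\]\s*", "", rest)
    m = _EXE_PATH.match(rest)
    return m.group("path") if m else None


def lookalike_of(name):
    """Return the expected binary this name most resembles, or None if no near-miss."""
    best, score = None, 0.0
    for known in KNOWN_AUTOSTARTS:
        r = SequenceMatcher(None, name, known).ratio()
        if r > score:
            best, score = known, r
    return best if score >= LOOKALIKE_THRESHOLD else None


def triage(log_text):
    """Scan HJT log lines and return (kind, what, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _O4.match(line)
        if m:
            path = autostart_path(m.group("rest"))
            if not path:
                continue
            name = path.rsplit("\\", 1)[-1].lower()
            if name not in KNOWN_AUTOSTARTS:
                twin = lookalike_of(name)
                if twin:
                    findings.append(("lookalike", f"{name} resembles {twin}", path))
                else:
                    findings.append(("unknown-autostart", name, path))
            # A known name in a user-writable folder is still suspicious.
            if any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append(("user-writable-autostart", name, path))
            continue
        m = _R1_PROXY.match(line)
        if m:
            findings.append(("proxy", m.group("proxy"), line))
            continue
        m = _O23.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(("no-publisher-service", m.group("svc"), m.group("path")))
    return findings


if __name__ == "__main__":
    for kind, what, detail in triage(SAMPLE_HJT_LOG):
        print(f"{kind:24} {what:45} {detail}")
```

Run over the posted log this reports dejusched.exe as a near-miss of jusched.exe, the Lexar service as having no publisher, and the r1:8080 proxy; the EPSON helper comes out as an unknown autostart to review, which is the expected false-positive cost of a short allow-list. The ComboFix log later in the thread dates the dejusched.exe file 2009-10-13 and the real jusched.exe 2009-10-14, which fits the lookalike reading. Name similarity is a prompt to check the file's publisher and hash, not proof, and a lookalike-name check alone misses malware that reuses the exact legitimate name from another directory, which is why the path check is there as well. If the owner did not configure a proxy, the R1 entry is worth asking about, since a proxy the user did not set sits in the path of all their web traffic.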
 
Yes, please provide the combofix log.
 
johnb35 - I tried running ComboFix; however, when I did, it asked me if I wanted to update. I clicked yes, but my PC then froze for 15 minutes and I had to manually shut down my PC using the power button.
What do you think I should do?
 
johnb35 - I was able to get a log from ComboFix:


ComboFix 09-10-14.06 - Administrator 10/14/2009 20:43.1.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.735.463 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\Downloaded Program Files\hotbar.inf
c:\winnt\system32\jgaw400.dll
c:\winnt\Web\default.htt

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-15 03:42 . 2009-10-15 03:42 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_3c4.dat
2009-10-14 22:37 . 2009-10-14 22:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-10-14 09:05 . 2009-10-14 09:05 -------- d-----w- C:\unzipped
2009-10-14 09:00 . 2009-10-14 09:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WinZip
2009-10-14 07:58 . 2009-10-14 07:58 -------- d-----w- c:\program files\TVUPlayer
2009-10-14 05:44 . 2009-10-14 05:44 -------- d-----w- c:\program files\Trend Micro
2009-10-14 03:24 . 2009-10-14 03:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-14 00:47 . 2009-10-14 00:48 -------- d-----w- c:\program files\Enigma Software Group
2009-10-13 23:43 . 2009-10-14 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2009-10-13 23:43 . 2009-10-13 23:43 142592 ----a-w- c:\winnt\system32\drivers\sp_rsdrv2.sys
2009-10-13 23:43 . 2009-10-14 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-10-13 23:43 . 2009-10-14 01:17 -------- d---a-w- c:\program files\Spyware Terminator
2009-10-13 23:34 . 2009-10-13 23:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Antispyware
2009-10-13 16:57 . 2009-10-13 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-10-13 16:57 . 2009-10-13 16:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2009-10-13 16:56 . 2002-12-12 00:34 82432 -c--a-w- c:\winnt\system32\dllcache\drmstor.dll
2009-10-13 16:56 . 2002-12-12 00:34 82432 ----a-w- c:\winnt\system32\drmstor.dll
2009-10-13 16:56 . 2002-12-12 01:50 301712 -c--a-w- c:\winnt\system32\dllcache\drmclien.dll
2009-10-13 16:56 . 2002-12-12 01:50 301712 ----a-w- c:\winnt\system32\drmclien.dll
2009-10-13 16:56 . 2002-12-12 00:34 9728 -c--a-w- c:\winnt\system32\dllcache\npwmsdrm.dll
2009-10-13 16:56 . 2009-10-13 16:56 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-10-13 16:55 . 2009-10-13 16:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-10-13 16:55 . 2009-10-13 16:55 -------- d-----w- c:\winnt\aolshare
2009-10-13 16:55 . 2009-10-14 18:34 -------- d-----w- c:\program files\AOL 9.1
2009-10-12 16:20 . 2009-10-12 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-10-10 23:01 . 2009-10-10 23:01 -------- d-----w- c:\program files\SopCast
2009-10-09 04:43 . 2009-10-09 04:43 -------- d-----w- c:\program files\MSECache
2009-10-06 20:54 . 2009-10-06 20:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Participatory Culture Foundation
2009-10-06 20:53 . 2009-10-06 20:53 -------- d-----w- c:\program files\Participatory Culture Foundation
2009-10-04 19:40 . 2009-10-04 19:40 -------- d-----w- c:\program files\CCleaner
2009-10-01 20:15 . 2009-10-01 20:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2009-10-01 04:50 . 2009-10-01 04:50 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_3a8.dat
2009-10-01 03:04 . 2009-10-01 03:04 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_24c.dat
2009-09-30 22:31 . 2009-09-30 22:31 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_3b4.dat
2009-09-30 19:24 . 2009-09-30 19:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-30 19:24 . 2009-09-10 21:54 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-30 19:24 . 2009-09-30 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 19:24 . 2009-09-30 19:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 19:24 . 2009-09-10 21:53 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 03:40 . 2008-02-11 23:53 -------- d---a-w- c:\program files\Symantec AntiVirus
2009-10-14 22:45 . 2004-05-11 18:29 -------- d---a-w- c:\program files\Common Files\Adobe
2009-10-14 09:06 . 2004-09-15 21:43 -------- d---a-w- c:\program files\Java
2009-10-14 09:00 . 2008-04-17 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-10-14 08:54 . 2009-05-04 19:44 411368 ----a-w- c:\winnt\system32\deploytk.dll
2009-10-13 16:57 . 2008-03-29 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-10-13 16:57 . 2004-05-05 23:18 -------- d---a-w- c:\program files\Common Files\AOL
2009-10-13 16:56 . 2008-03-28 08:53 -------- d---a-w- c:\program files\Common Files\aolshare
2009-10-12 17:58 . 2008-03-28 06:37 -------- d---a-w- c:\program files\America Online 8.0
2009-10-08 11:22 . 2004-05-01 21:16 -------- d---a-w- c:\program files\Microsoft Works
2009-10-07 19:08 . 2005-04-20 15:04 4489 -c--a-w- c:\winnt\mozver.dat
2009-10-07 08:24 . 2008-03-29 03:08 -------- d---a-w- c:\program files\TaxCut07
2009-10-06 21:21 . 2008-06-24 20:01 -------- d-----w- c:\program files\Incomplete
2009-10-06 20:57 . 2004-07-26 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-06 20:51 . 2008-04-17 00:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-10-06 20:48 . 2008-04-17 00:29 -------- d-----w- c:\program files\LimeWire
2009-10-01 09:20 . 2008-06-06 03:44 -------- d-----w- c:\program files\Canon
2009-10-01 09:19 . 2004-05-01 20:23 -------- d---a-w- c:\program files\Common Files\Symantec Shared
2009-10-01 08:31 . 2008-10-21 22:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo
2009-09-30 22:15 . 2008-06-06 04:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
2009-09-25 03:26 . 2005-05-16 15:03 -------- d---a-w- c:\program files\Google
2009-09-24 18:50 . 2009-03-27 05:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\ArcSoft
2009-08-25 21:58 . 2009-08-25 02:56 -------- d-----w- c:\program files\IrfanView
2009-08-07 02:24 . 2009-01-28 20:01 327896 ----a-w- c:\winnt\system32\wucltui.dll
2009-08-07 02:24 . 2009-01-28 20:01 209632 ----a-w- c:\winnt\system32\wuweb.dll
2009-08-07 02:24 . 2009-01-28 20:01 44768 ----a-w- c:\winnt\system32\wups2.dll
2009-08-07 02:24 . 2009-01-28 20:01 35552 ----a-w- c:\winnt\system32\wups.dll
2009-08-07 02:24 . 2004-05-01 20:05 53472 ----a-w- c:\winnt\system32\wuauclt.exe
2009-08-07 02:24 . 2003-07-14 12:00 96480 ----a-w- c:\winnt\system32\cdm.dll
2009-08-07 02:23 . 2009-01-28 20:01 575704 ----a-w- c:\winnt\system32\wuapi.dll
2009-08-07 02:23 . 2009-06-13 01:06 274288 ----a-w- c:\winnt\system32\mucltui.dll
2009-08-07 02:23 . 2009-06-13 01:06 215920 ----a-w- c:\winnt\system32\muweb.dll
2009-08-07 02:23 . 2004-05-01 20:05 1929952 ----a-w- c:\winnt\system32\wuaueng.dll
2009-02-15 00:24 . 2009-02-15 00:24 336 ----a-w- c:\program files\temp995.bat
2004-09-21 20:32 . 2004-09-21 20:34 104595 -c--a-w- c:\program files\AutoConnDriv_Win98SE.exe
2004-05-01 20:06 . 2004-05-01 20:06 21952 -c-ha-w- c:\program files\folder.htt
2002-05-10 19:59 . 2004-09-21 20:34 25431 -c--a-w- c:\program files\AutoConnectDriverforWin98SEInstructions.PDF
2001-08-07 07:36 . 2004-09-21 20:34 9504 -c--a-r- c:\program files\Install.ini
2001-08-03 18:29 . 2004-09-21 20:34 71168 -c--a-r- c:\program files\INSTALL.EXE
2001-08-03 17:38 . 2004-09-21 20:34 83968 -c--a-r- c:\program files\UNINSTAL.EXE
2001-08-02 22:28 . 2004-09-21 20:34 917 -c--a-r- c:\program files\UNINSTAL.INI
2001-05-31 16:56 . 2004-09-21 20:34 25876 -c--a-r- c:\program files\OLPUBKCR.SYS
2000-09-28 04:11 . 2004-09-21 20:34 1198 -c--a-r- c:\program files\OLPUBKCR.INF
2000-07-17 22:09 . 2004-09-21 20:34 822 -c--a-r- c:\program files\OLPUSBCR.INF
2000-07-14 01:45 . 2004-09-21 20:34 11052 -c--a-r- c:\program files\MUSBPORT.PDR
2008-12-17 21:59 . 2009-10-04 03:08 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 . 2009-10-04 03:08 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 . 2009-10-04 03:08 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 . 2009-10-04 03:08 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 . 2009-10-04 03:08 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2008-06-11 00:03 . 2008-06-11 00:03 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-06-11 00:03 . 2008-06-11 00:03 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-06-11 00:03 . 2008-06-11 00:03 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2002-11-27 02:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\progra~1\AIM95\aim.exe" [2002-05-22 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-06 185632]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"dejusched"="c:\program files\Java\jre6\bin\dejusched.exe" [2009-10-13 84480]
"HostManager"="c:\program files\Common Files\AOL\1255452910\ee\AOLSoftware.exe" [2007-05-25 42032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-14 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-07-14 111376]
"VTPreset"="VTPreset.exe" - c:\winnt\system32\VTPreset.exe [2004-02-25 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-07-14 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-25 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 LxrSII1d;Secure II Driver;c:\winnt\system32\drivers\LxrSII1d.sys [1/31/2007 12:02 PM 70016]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [5/1/2004 5:58 AM 49776]
S0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\DRIVERS\SONYPVM1.SYS --> c:\winnt\system32\DRIVERS\SONYPVM1.SYS [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 8:36 PM 173392]
S3 viafilter;VIA USB Filter;c:\winnt\system32\drivers\viausb.sys [5/1/2004 1:14 PM 9038]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyServer = r1:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\msafd.dll
DPF: MIW Deployment - hxxps://wil.radnetonline.com/downloads/MIWDeploy.cab
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwic.ops.placeware.com/etc/place/INDIA/SCIpws-c2/5.1.7.413/lib/quicksilver.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\33k9j29p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 20:52
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(172)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-10-15 20:53
ComboFix-quarantined-files.txt 2009-10-15 03:53

Pre-Run: 67,671,175,168 bytes free
Post-Run: 68,454,715,392 bytes free

194 --- E O F --- 2009-10-08 11:38
 
It looks like ComboFix deleted a sound card driver DLL for some reason. You can reinstall the driver software for the sound.

Can you please post the Malwarebytes log?
 
How do I reinstall the driver?

Here is the log btw:


Malwarebytes' Anti-Malware 1.41
Database version: 2956
Windows 5.0.2195 Service Pack 4

10/15/2009 3:09:52 PM
mbam-log-2009-10-15 (15-09-52).txt

Scan type: Quick Scan
Objects scanned: 113864
Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
What computer system do you have, or is it a custom-built system? I need the brand and model number of the computer, or the model of the motherboard if it's custom built.
 
I actually was given this PC 2 years ago.
I am not able to find what type of PC it is as there are no labels stating such. Is there any other way I can check to provide you this information?


When I go to System Properties, this is what it tells me:


Computer:
Intel(R) Pentium
(R) 4 CPU 2.40 GHz
AT/AT COMPATIBLE
753,138 KB RAM
 
There isn't a model number on the front or back of the case or anything?

Look in device manager for any items with a yellow exclamation point, let me know if there is. Also what is listed under sound, video and game controllers?
 
No model number that I can find.

For sound, video and game controllers:

Audio Codecs
Legacy Audio Drivers
Legacy Video Capture Devices
Media Control Devices
MPU-401 Compatible MIDI Device
Standard Game Port
Video Codecs
Vinyl AC'97 Codec Combo Driver (WDM)
 