WiredWX Hobby Weather Tools

 


WinCoDecPRO Removal Needed - Hijackthis log included

3 posters

I have a virus/spyware called WinCoDecPRO on my PC that I need help removing.
There is a red icon with an X on my taskbar saying several things when the pop-up comes up. It is saying my codecs are corrupted etc.
When I click on the icon it takes me to a website to purchase a program that will fix my media codecs.

How do I get rid of this entirely?

Any help is greatly appreciated.


Here is a log using HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:46 AM, on 10/14/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\mnmsrvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1255452910\ee\AOLSoftware.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = r1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [dejusched] C:\Program Files\Java\jre6\bin\dejusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1255452910\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINNT\TEMP\E_SCAD.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: MIW Deployment - https://wil.radnetonline.com/downloads/MIWDeploy.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwic.ops.placeware.com/etc/place/INDIA/SCIpws-c2/5.1.7.413/lib/quicksilver.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RobertsonDX.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RobertsonDX.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RobertsonDX.com
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSII1s.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 6749 bytes

Re: WinCoDecPRO Removal Needed - Hijackthis log included

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: WinCoDecPRO Removal Needed - Hijackthis log included

Malwarebytes' Anti-Malware 1.41
Database version: 2956
Windows 5.0.2195 Service Pack 4

10/14/2009 12:55:20 PM
mbam-log-2009-10-14 (12-55-20).txt

Scan type: Quick Scan
Objects scanned: 144167
Time elapsed: 14 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: WinCoDecPRO Removal Needed - Hijackthis log included

Also, on a side note, my sound has completely stopped working.

Re: WinCoDecPRO Removal Needed - Hijackthis log included

Hello.
Do you have the latest sound card drivers installed?

Re: WinCoDecPRO Removal Needed - Hijackthis log included

Belahzur - I am not sure. How do I check on that?

Also, what else can I do regarding the virus/spyware issue I am having?
The AntiMalware report came back clean as I posted the log, however I am still infected.
Also I should mention, before I registered here I ran the scan and it came up with 2 threats however I deleted those threats. Not sure if that was any help though.

Re: WinCoDecPRO Removal Needed - Hijackthis log included

Hello.
We'll deal with sounds soon, just answer this for me.

Are you still getting fake popups? The log looks okay, I don't see anything loading up your startup, or other loading points that just stands out at me.

Are the popups happening on a certain website? Or just randomly?
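
The startup and service review described in the post above, as an added example that is not part of the original thread: a small Python parser for HijackThis log lines that lists the entries a reviewer would usually open first. The sample lines are copied from the log posted in this thread; the function names and the three review rules are illustrative assumptions, and a match is a prompt to look closer, not a verdict.

```python
import re

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = r1:8080
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSII1s.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Registry autorun entry: "<key>: [value name] <command line>"
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>.*?)\] (?P<cmd>.+)$")
# Command that starts with a drive path, a UNC path or an environment variable
ABSOLUTE_RE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%)')


def parse_hjt(text):
    """Return one dict per HijackThis entry line; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        entry = {"code": code, "body": body}
        if code == "O4":
            run = RUN_RE.match(body)
            if run:  # "Global Startup" shortcut lines have no [name] and stay unparsed
                entry.update(run.groupdict())
        elif code == "O23" and body.startswith("Service: "):
            # Split from the right: display name, company, binary path
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                entry["service"], entry["owner"], entry["path"] = parts
        entries.append(entry)
    return entries


def review_queue(entries):
    """List (reason, item) pairs worth a manual look. Rules are illustrative assumptions."""
    queue = []
    for e in entries:
        if e["code"] in ("R0", "R1") and "ProxyServer" in e["body"]:
            # A proxy setting changes where browser traffic goes
            queue.append(("proxy configured", e["body"]))
        elif e["code"] == "O4" and "cmd" in e and not ABSOLUTE_RE.match(e["cmd"]):
            # Bare file name: which binary runs depends on the search path
            queue.append(("autorun without full path", e["name"]))
        elif e.get("owner") == "Unknown owner":
            # HijackThis printed no company name for the service binary
            queue.append(("service without company name", e["service"]))
    return queue


if __name__ == "__main__":
    for reason, item in review_queue(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}: {item}")
```
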

Re: WinCoDecPRO Removal Needed - Hijackthis log included

Thanks for your help my friend.

Actually the only pop-ups I have are on my task bar that contains a red circle with a white X in the middle saying such things as
“WARNING
Fatal Error: Windows can’t play the following media formats: AVI; ASF; WMV; AVS; FLV; MKV; MOV; 3GP; MP4; MPG; MPEG; MP3; AAC; WAV; WMA; CDA; FLAC; M4A; MID. Update your video codec to resolve the issue.”

Everything that comes up says something similar like "Corrupt Media Codecs", "System Failure" etc.

Re: WinCoDecPRO Removal Needed - Hijackthis log included

Also, I can access websites just fine. But my sound isn't working and when I try to open important documents in Word 2003 I just get a page full of funny characters that I can't interpret.
Not sure if that has anything to do with the virus/spyware though.

Re: WinCoDecPRO Removal Needed - Hijackthis log included

Hello.
Let's see about that codec error, we'll install VLC player.

Download and install VLC Player 1.0.1

Hopefully that takes care of the codec problem, now for the sound.
Is this a laptop, if so, what's the company name it's got on it? Dell, Acer, etc.

Re: WinCoDecPRO Removal Needed - Hijackthis log included

Belahzur - I don't think I have any problems with my codecs. The pop-ups from the spyware/virus are saying I do so I can buy their product which promises to solve the issue. If you do a Google search for WinCoDecPRO it will tell you all about it.
But do you think I should install VLC anyway?

Also, I am actually using a PC not a laptop.

Re: WinCoDecPRO Removal Needed - Hijackthis log included

This is a new one on me then, something else must be going on, because a guide I found shows two specific run values for this infection, but your HJT log/MBAM log both say it's okay.

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [Image: CF_download_FF]

    [Image: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [Image: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [Image: Whatne10]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: WinCoDecPRO Removal Needed - Hijackthis log included

ComboFix 09-10-14.06 - Administrator 10/14/2009 20:43.1.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.735.463 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\Downloaded Program Files\hotbar.inf
c:\winnt\system32\jgaw400.dll
c:\winnt\Web\default.htt

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-15 03:42 . 2009-10-15 03:42 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_3c4.dat
2009-10-14 22:37 . 2009-10-14 22:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-10-14 09:05 . 2009-10-14 09:05 -------- d-----w- C:\unzipped
2009-10-14 09:00 . 2009-10-14 09:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WinZip
2009-10-14 07:58 . 2009-10-14 07:58 -------- d-----w- c:\program files\TVUPlayer
2009-10-14 05:44 . 2009-10-14 05:44 -------- d-----w- c:\program files\Trend Micro
2009-10-14 03:24 . 2009-10-14 03:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-14 00:47 . 2009-10-14 00:48 -------- d-----w- c:\program files\Enigma Software Group
2009-10-13 23:43 . 2009-10-14 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2009-10-13 23:43 . 2009-10-13 23:43 142592 ----a-w- c:\winnt\system32\drivers\sp_rsdrv2.sys
2009-10-13 23:43 . 2009-10-14 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-10-13 23:43 . 2009-10-14 01:17 -------- d---a-w- c:\program files\Spyware Terminator
2009-10-13 23:34 . 2009-10-13 23:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Antispyware
2009-10-13 16:57 . 2009-10-13 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-10-13 16:57 . 2009-10-13 16:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2009-10-13 16:56 . 2002-12-12 00:34 82432 -c--a-w- c:\winnt\system32\dllcache\drmstor.dll
2009-10-13 16:56 . 2002-12-12 00:34 82432 ----a-w- c:\winnt\system32\drmstor.dll
2009-10-13 16:56 . 2002-12-12 01:50 301712 -c--a-w- c:\winnt\system32\dllcache\drmclien.dll
2009-10-13 16:56 . 2002-12-12 01:50 301712 ----a-w- c:\winnt\system32\drmclien.dll
2009-10-13 16:56 . 2002-12-12 00:34 9728 -c--a-w- c:\winnt\system32\dllcache\npwmsdrm.dll
2009-10-13 16:56 . 2009-10-13 16:56 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-10-13 16:55 . 2009-10-13 16:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-10-13 16:55 . 2009-10-13 16:55 -------- d-----w- c:\winnt\aolshare
2009-10-13 16:55 . 2009-10-14 18:34 -------- d-----w- c:\program files\AOL 9.1
2009-10-12 16:20 . 2009-10-12 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-10-10 23:01 . 2009-10-10 23:01 -------- d-----w- c:\program files\SopCast
2009-10-09 04:43 . 2009-10-09 04:43 -------- d-----w- c:\program files\MSECache
2009-10-06 20:54 . 2009-10-06 20:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Participatory Culture Foundation
2009-10-06 20:53 . 2009-10-06 20:53 -------- d-----w- c:\program files\Participatory Culture Foundation
2009-10-04 19:40 . 2009-10-04 19:40 -------- d-----w- c:\program files\CCleaner
2009-10-01 20:15 . 2009-10-01 20:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2009-10-01 04:50 . 2009-10-01 04:50 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_3a8.dat
2009-10-01 03:04 . 2009-10-01 03:04 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_24c.dat
2009-09-30 22:31 . 2009-09-30 22:31 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_3b4.dat
2009-09-30 19:24 . 2009-09-30 19:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-30 19:24 . 2009-09-10 21:54 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-30 19:24 . 2009-09-30 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 19:24 . 2009-09-30 19:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 19:24 . 2009-09-10 21:53 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 03:40 . 2008-02-11 23:53 -------- d---a-w- c:\program files\Symantec AntiVirus
2009-10-14 22:45 . 2004-05-11 18:29 -------- d---a-w- c:\program files\Common Files\Adobe
2009-10-14 09:06 . 2004-09-15 21:43 -------- d---a-w- c:\program files\Java
2009-10-14 09:00 . 2008-04-17 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-10-14 08:54 . 2009-05-04 19:44 411368 ----a-w- c:\winnt\system32\deploytk.dll
2009-10-13 16:57 . 2008-03-29 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-10-13 16:57 . 2004-05-05 23:18 -------- d---a-w- c:\program files\Common Files\AOL
2009-10-13 16:56 . 2008-03-28 08:53 -------- d---a-w- c:\program files\Common Files\aolshare
2009-10-12 17:58 . 2008-03-28 06:37 -------- d---a-w- c:\program files\America Online 8.0
2009-10-08 11:22 . 2004-05-01 21:16 -------- d---a-w- c:\program files\Microsoft Works
2009-10-07 19:08 . 2005-04-20 15:04 4489 -c--a-w- c:\winnt\mozver.dat
2009-10-07 08:24 . 2008-03-29 03:08 -------- d---a-w- c:\program files\TaxCut07
2009-10-06 21:21 . 2008-06-24 20:01 -------- d-----w- c:\program files\Incomplete
2009-10-06 20:57 . 2004-07-26 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-06 20:51 . 2008-04-17 00:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-10-06 20:48 . 2008-04-17 00:29 -------- d-----w- c:\program files\LimeWire
2009-10-01 09:20 . 2008-06-06 03:44 -------- d-----w- c:\program files\Canon
2009-10-01 09:19 . 2004-05-01 20:23 -------- d---a-w- c:\program files\Common Files\Symantec Shared
2009-10-01 08:31 . 2008-10-21 22:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo
2009-09-30 22:15 . 2008-06-06 04:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
2009-09-25 03:26 . 2005-05-16 15:03 -------- d---a-w- c:\program files\Google
2009-09-24 18:50 . 2009-03-27 05:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\ArcSoft
2009-08-25 21:58 . 2009-08-25 02:56 -------- d-----w- c:\program files\IrfanView
2009-08-07 02:24 . 2009-01-28 20:01 327896 ----a-w- c:\winnt\system32\wucltui.dll
2009-08-07 02:24 . 2009-01-28 20:01 209632 ----a-w- c:\winnt\system32\wuweb.dll
2009-08-07 02:24 . 2009-01-28 20:01 44768 ----a-w- c:\winnt\system32\wups2.dll
2009-08-07 02:24 . 2009-01-28 20:01 35552 ----a-w- c:\winnt\system32\wups.dll
2009-08-07 02:24 . 2004-05-01 20:05 53472 ----a-w- c:\winnt\system32\wuauclt.exe
2009-08-07 02:24 . 2003-07-14 12:00 96480 ----a-w- c:\winnt\system32\cdm.dll
2009-08-07 02:23 . 2009-01-28 20:01 575704 ----a-w- c:\winnt\system32\wuapi.dll
2009-08-07 02:23 . 2009-06-13 01:06 274288 ----a-w- c:\winnt\system32\mucltui.dll
2009-08-07 02:23 . 2009-06-13 01:06 215920 ----a-w- c:\winnt\system32\muweb.dll
2009-08-07 02:23 . 2004-05-01 20:05 1929952 ----a-w- c:\winnt\system32\wuaueng.dll
2009-02-15 00:24 . 2009-02-15 00:24 336 ----a-w- c:\program files\temp995.bat
2004-09-21 20:32 . 2004-09-21 20:34 104595 -c--a-w- c:\program files\AutoConnDriv_Win98SE.exe
2004-05-01 20:06 . 2004-05-01 20:06 21952 -c-ha-w- c:\program files\folder.htt
2002-05-10 19:59 . 2004-09-21 20:34 25431 -c--a-w- c:\program files\AutoConnectDriverforWin98SEInstructions.PDF
2001-08-07 07:36 . 2004-09-21 20:34 9504 -c--a-r- c:\program files\Install.ini
2001-08-03 18:29 . 2004-09-21 20:34 71168 -c--a-r- c:\program files\INSTALL.EXE
2001-08-03 17:38 . 2004-09-21 20:34 83968 -c--a-r- c:\program files\UNINSTAL.EXE
2001-08-02 22:28 . 2004-09-21 20:34 917 -c--a-r- c:\program files\UNINSTAL.INI
2001-05-31 16:56 . 2004-09-21 20:34 25876 -c--a-r- c:\program files\OLPUBKCR.SYS
2000-09-28 04:11 . 2004-09-21 20:34 1198 -c--a-r- c:\program files\OLPUBKCR.INF
2000-07-17 22:09 . 2004-09-21 20:34 822 -c--a-r- c:\program files\OLPUSBCR.INF
2000-07-14 01:45 . 2004-09-21 20:34 11052 -c--a-r- c:\program files\MUSBPORT.PDR
2008-12-17 21:59 . 2009-10-04 03:08 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 . 2009-10-04 03:08 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 . 2009-10-04 03:08 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 . 2009-10-04 03:08 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 . 2009-10-04 03:08 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2008-06-11 00:03 . 2008-06-11 00:03 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-06-11 00:03 . 2008-06-11 00:03 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-06-11 00:03 . 2008-06-11 00:03 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2002-11-27 02:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\progra~1\AIM95\aim.exe" [2002-05-22 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-06 185632]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"dejusched"="c:\program files\Java\jre6\bin\dejusched.exe" [2009-10-13 84480]
"HostManager"="c:\program files\Common Files\AOL\1255452910\ee\AOLSoftware.exe" [2007-05-25 42032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-14 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-07-14 111376]
"VTPreset"="VTPreset.exe" - c:\winnt\system32\VTPreset.exe [2004-02-25 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-07-14 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-25 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 LxrSII1d;Secure II Driver;c:\winnt\system32\drivers\LxrSII1d.sys [1/31/2007 12:02 PM 70016]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [5/1/2004 5:58 AM 49776]
S0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\DRIVERS\SONYPVM 1.SYS --> c:\winnt\system32\DRIVERS\SONYPVM1.SYS [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 8:36 PM 173392]
S3 viafilter;VIA USB Filter;c:\winnt\system32\drivers\viausb.sys [5/1/2004 1:14 PM 9038]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyServer = r1:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\msafd.dll
DPF: MIW Deployment - hxxps://wil.radnetonline.com/downloads/MIWDeploy.cab
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwic.ops.placeware.com/etc/place/INDIA/SCIpws-c2/5.1.7.413/lib/quicksilver.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\33k9j29p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 20:52
Windows 5.0.2195 Service Pack 4 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(172)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-10-15 20:53
ComboFix-quarantined-files.txt 2009-10-15 03:53

Pre-Run: 67,671,175,168 bytes free
Post-Run: 68,454,715,392 bytes free

194 --- E O F --- 2009-10-08 11:38

Re: WinCoDecPRO Removal Needed - Hijackthis log included

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    mspmsnsv.dll
    comres.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: WinCoDecPRO Removal Needed - Hijackthis log included

I tried to click both links but the 'Save File' won't allow me to click it to save to my PC.
