Suspected Trojan Herocodec - Blue Error Screen

Question

I did an idiotic thing and accidently downloaded a file that I think was infected with a Trojan/virus. I believe if was something called Herocodec or similar. It shut down my computer and refuses to let me reboot in Normal Mode - everytime I try, I am shown the Blue Error Screen of death. I can only operate with limited function in Safe Mode (with networking). I have tried to Restore System Settings, but it fails every time. I have tried many anti-virus software to no avail. McAfee has been disabled and unable to fix problems. Along with my windows security. I am DESPERATE! I have a 3month old XPS M1330 operating on Vista Home Edition and here is my HijackThis log: Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:55:53 AM, on 27/04/2009Platform: Windows Vista SP1 (WinNT 6.00.1905)MSIE: Internet Explorer v7.00 (7.00.6001.18226)Boot mode: Safe mode with network support Running processes:C:\Windows\Explorer.EXEC:\Program Files\Windows Media Player\wmpnscfg.exec:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Skype\Plugin Manager\skypePM.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Windows Live\Contacts\wlcomm.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by DellR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhostO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dllO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dllO3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exeO4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exeO4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exeO4 - HKLM\..\Run: [SunJavaUpdateSched] 'C:\Program Files\Java\jre1.6.0\bin\jusched.exe'O4 - HKLM\..\Run: [DELL Webcam Manager] 'C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe' /sO4 - HKLM\..\Run: [PSQLLauncher] 'C:\Program Files\Fingerprint Reader Suite\launcher.exe' /startupO4 - HKLM\..\Run: [dscactivate] 'C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe'O4 - HKLM\..\Run: [PCMService] 'C:\Program Files\Dell\MediaDirect\PCMService.exe'O4 - HKLM\..\Run: [mcagent_exe] 'C:\Program Files\McAfee.com\Agent\mcagent.exe' /runkeyO4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\QTTask.exe' -atboottimeO4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] 'C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe'O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe'O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silentO4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exeO4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRunO4 - HKCU\..\Run: [CollaborationHost] C:\Windows\system32\p2phost.exe -sO4 - HKCU\..\Run: [msnmsgr] 'C:\Program Files\Windows Live\Messenger\msnmsgr.exe' /backgroundO4 - HKCU\..\Run: [Skype] 'C:\Program Files\Skype\Phone\Skype.exe' /nosplash /minimizedO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O4 - Global Startup: Bluetooth.lnk = ?O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmO8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dllO9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO13 - Gopher Prefix: O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-au.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{4443A5F1-008E-4ACA-BCA1-6C32C9995CE5}: NameServer = 85.255.112.200,85.255.112.182O17 - HKLM\System\CCS\Services\Tcpip\..\{81A98201-32C1-4CAD-87D7-A966C5FD32EB}: NameServer = 85.255.112.200,85.255.112.182O17 - HKLM\System\CCS\Services\Tcpip\..\{89FD2979-8570-4C24-8B14-E57CD03601BE}: NameServer = 85.255.112.200,85.255.112.182O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.200,85.255.112.182O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.200,85.255.112.182O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exeO23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe --

bamajim · Answer

jo_schmo123

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

jo_schmo123 · Answer

I was already in Safe Mode (I can't use my computer in Normal mode) but as per your instructions, I rebooted. Ran MalwareBytes. Still won't run. McAfee is already disabled. I didn't disable it, it just won't let me enable any of my protections.

So yeah, still no go...

jo_schmo123 · Answer

I had downloaded said Malwarebytes' program before posting here...it doesn't work for some reason. I uninstalled it and reinstalled it again after you asked me to, and still it doesn't work. I install it, but it fails to launch the program. Even when I go via Windows explorer to open it, it fails to launch.

bamajim · Answer

jo_schmo123

Do this

1. Reboot into Safe Mode and Run MalwareBytes in Safe Mode.
If it still won't run, Then disable McAfee and make sure it's not interfering.

If still no go then reply, and we will do it another way

sjcmac · Answer

what ever you downloaded is blocking acces to your antivirus program. i just downloaded the same herocodec and have ran into the same problem.

solution to accessing malwarebytes antimalware is enter C:/ drive then program files then search for file with name malwarebytes antimalware.exe it will have the mbam logo and rename it to newtool.exe double click the new file titled newtool.exe and run a quick scan hopefully malware bytes finds and removes the trojan im currently running same process ill post back if it succesfully removes herocodec. so far it is scanning

jo_schmo123 · Answer

Ok after changing the name of the Malwarebytes, I ran the scan as per your instructions bamajim. I removed all the selected things but I still have the same problems as I did before...

here is the log :

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 6.0.6001 Service Pack 1

28/04/2009 12:37:25 AM
mbam-log-2009-04-28 (00-37-25).txt

Scan type: Quick Scan
Objects scanned: 65952
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4443a5f1-008e-4aca-bca1-6c32c9995ce5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4443a5f1-008e-4aca-bca1-6c32c9995ce5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{81a98201-32c1-4cad-87d7-a966c5fd32eb}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{81a98201-32c1-4cad-87d7-a966c5fd32eb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89fd2979-8570-4c24-8b14-e57cd03601be}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4443a5f1-008e-4aca-bca1-6c32c9995ce5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4443a5f1-008e-4aca-bca1-6c32c9995ce5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{81a98201-32c1-4cad-87d7-a966c5fd32eb}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{81a98201-32c1-4cad-87d7-a966c5fd32eb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{89fd2979-8570-4c24-8b14-e57cd03601be}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.200,85.255.112.182 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-7-0-53-100016057-100007656-100017134-1919.com (Trojan.Agent) -> Quarantined and deleted successfully.

sjcmac · Answer

Youre very welcome. just finished my scan with mbam and everything has returned back to normal. Hopefully you have similar results. If not i have one final sugestion

jo_schmo123 · Answer

I did a second malwarebytes scan after updating...and still nothing's changed...

2nd Log:

Malwarebytes' Anti-Malware 1.36
Database version: 2051
Windows 6.0.6001 Service Pack 1

28/04/2009 12:54:45 AM
mbam-log-2009-04-28 (00-54-45).txt

Scan type: Quick Scan
Objects scanned: 71938
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\HeroCodecSoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

bamajim · Answer

jo_schmo123 Youu said 'nothings changed'. Nothing has changed since you did the second scan, or your PC is still doing the same thing?

sjcmac · Answer

nvmd

jo_schmo123 · Answer

My PC is still doing the same thing.

In fact, it's gotten worse to the point where I am no longer using the infected PC...it seems to be getting worse, crashing within shorter and shorter periods of time.

bamajim · Answer

jo_schmo123 Your problem is not entirely malware related, but system related as well. See if you can do this Using Windows explorer, see if you find c:\windows
tbtlog.txt - If it exists, delete the file. Click Start then Run and type in msconfig in the edit box and hit Enter or click Ok Click on the boot.ini tab and check the box that says /BOOTLOG Click Apply & Ok and reboot the PC (may take a bit longer to boot) Using Windows Explorer, locate c:\windows
tbtlog.txt and post the content of the file. If you are unable to do this, you may have to do a repair install

Virus & Spyware

Was this post helpful?