Trojan Media-Codec

23 replies to this topic

#1 Dando (Members, 43 posts)

Posted 14 December 2008 - 04:59 PM

Hi

I scanned my computer today as I do regularly. Super Antispyware came up showing that I had Trojan Media-Codec as a threat. This threat is new. I scanned last week and nothing was picked up. Once the scan had finished it asked me to "quarantine" the virus and then "re-boot" my system to get rid of the virus. I did this and then rescanned with Super Anti Spyware. Nothing came up. I then scanned with Spybot S&D and nothing showed. Can I be sure that this virus has gone? I had no idea I had it till I did the scan. I don't go on dodgy sites (honestly!) but recently when I logged on I received off line MSN messages from a friend with links "look at my party" or something. I didn't click on the links (or at least I don't think I did) but wonder if they contained a virus? My concern is: has it gone? I've had a Trojan virus before and with the help of people here on BC I got rid of it so I hope my scanning has got rid of it this time. Thanks for your time and help.


#2 rigel (FD-BC, Members, 12,944 posts, Male, South Carolina - USA)

Posted 14 December 2008 - 06:58 PM

Let's see if MBAM will find anything...
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Dando (Topic Starter, Members, 43 posts)

Posted 15 December 2008 - 01:20 PM

Hi, I appreciate your response and time.

I'm a thickie so before I proceed with your instructions, I note this line "Please disable such programs until disinfection is complete or permit them to allow the changes". Yes I have Spybot S&D and I think that has the Teatimer thing. Teatimer used to drive me mad popping up all the time so I've made it so it can't do that. How do I permit it to allow whatever changes that MBAM thing might want to make or is the Teatimer going to drive me batty again once this is finished? Sorry to ask but I'm a novice at this. I'm happy to install and run MBAM and do what you suggest but I just don't want it to 'upset' the status quo on here or at least, if it does, how to get things back to normal! Dando

#4 rigel (FD-BC, Members, 12,944 posts, Male, South Carolina - USA)

Posted 15 December 2008 - 03:35 PM

Credit to: Katana - BC HJT Team member...

Disable Teatimer
First step:

  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Try the steps listed above. That should disable teatimer allowing malwarebytes to run correctly. Also, don't worry about asking questions - that is what we are here for :thumbsup:

#5 Dando (Topic Starter, Members, 43 posts)

Posted 15 December 2008 - 05:04 PM

Oh dear, I can't find this bit below:

"Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident"

What the hell is the System tray? I can't find anything that looks like a blue/white calendar with a padlock. I can however, find Resident Protection - a red shield when I click on the Tools option on the left hand menu at the bottom of the screen. That bit belongs to Step 2. God knows where the Spybot Icon in the System Tray is though.

I've run another Super Antispyware check and nothing came up.

Yours stupidly
Dando.

PS have not run the MBAM thing because I didn't see the point until I had the Tea Timer thing worked out :thumbsup:

#6 rigel (FD-BC, Members, 12,944 posts, Male, South Carolina - USA)

Posted 15 December 2008 - 10:03 PM

"What the hell is the System tray?"

That is the area on the bottom right side of the screen next to your clock. An example of this can be found here - toward the bottom

#7 Dando (Topic Starter, Members, 43 posts)

Posted 16 December 2008 - 01:23 PM

Oh dear I'm close to giving up here.

I've found the System Tray and right clicked it and unchecked Resident Protection but the icon doesn't become colourless. No matter what I do, it doesn't become colourless. I can get into Spybot and find Mode, Advanced Mode and uncheck the Tea timer protection box in there but that's about it. I haven't run the MBAM thing either.

Do I need to uncheck the Resident Protection in the System Tray and then reboot the computer to get it to go colourless? Jeez, I can't believe it's so difficult to do this!

#8 rigel (FD-BC, Members, 12,944 posts, Male, South Carolina - USA)

Posted 16 December 2008 - 01:28 PM

Go ahead and try Malwarebytes... hopefully we have it disabled :thumbsup:

Don't give up the ship!

#9 Dando (Topic Starter, Members, 43 posts)

Posted 16 December 2008 - 04:06 PM

Hi Rigel!

Well Whoo Hoo, I ran the scan and the result is below.

I will re-set the Spybot Tea Timer thing. Hopefully it won't start popping up every time I log on or open a new page in Internet. If it does I'll be back to ask more questions!

Also:
I have Smit Fix on my PC which I downloaded with help from BC over a year ago when I had a different Trojan virus. Can I delete this program from my PC?

Should I delete MBAM from my PC now we've run the scan? Or do I need to keep it on my PC and use it regularly along with SpyBot and Super Antispyware?

Here are the results and I look forward to your response!

Please let me know if I should or shouldn't be doing anything else to protect my PC and as ever, I am grateful for your time, expertise and patience especially over such a long distance



Malwarebytes' Anti-Malware 1.31
Database version: 1507
Windows 5.1.2600 Service Pack 2

16/12/2008 21:01:38
mbam-log-2008-12-16 (21-01-38).txt

Scan type: Quick Scan
Objects scanned: 85791
Time elapsed: 22 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ab3dfa03-f743-4302-81dd-c370bffeca23} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e550dc77-ef3b-474f-b59c-b3e2aa1fa6a5} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
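
The MBAM log above has a fixed shape: a block of summary counts, then one section per category whose entries read `path (Family) -> action`. As an added example, not from this thread or from Malwarebytes, here is a small Python parser for that shape that checks the summary counts against the listed entries, tallies the detection families, and flags any entry that was not quarantined and deleted outright (the situation rigel's reboot note covers). The sample log is constructed: it reuses two of the posted registry entries and adds a placeholder file line.

```python
import re
from collections import Counter

# Constructed sample in the shape of the MBAM 1.31 log posted in the thread.
# Two registry entries are copied from the post; the file entry is a
# placeholder added to show a "Delete on reboot." action. Not a real log.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1507
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 85791

Memory Processes Infected: 0
Registry Keys Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ab3dfa03-f743-4302-81dd-c370bffeca23} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\EXAMPLE\PLACEHOLDER.DLL (Trojan.Example) -> Delete on reboot.
"""

# "Registry Keys Infected: 7" is a summary line; "Registry Keys Infected:" opens a section.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):(?: (\d+))?$")
# One detection: item, then "(Family)", then "-> action" with an optional trailing dot.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {'summary': {category: count}, 'sections': {category: [entries]}}."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, count = m.group(1), m.group(2)
            if count is not None:
                summary[name] = int(count)
                current = None          # still in the summary block
            else:
                current = name          # detail section starts here
                sections.setdefault(name, [])
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        d = DETECTION_RE.match(line)
        if d:
            sections[current].append(d.groupdict())
    return {"summary": summary, "sections": sections}


def count_mismatches(parsed):
    """Categories whose summary count disagrees with the entries actually listed."""
    return sorted(name for name, count in parsed["summary"].items()
                  if count != len(parsed["sections"].get(name, [])))


def family_counts(parsed):
    """How many entries each detection family (e.g. Adware.Starware) accounts for."""
    return Counter(e["family"] for sec in parsed["sections"].values() for e in sec)


def pending_items(parsed):
    """Entries not removed on the spot, i.e. the ones a reboot is needed to finish."""
    return [e["item"] for sec in parsed["sections"].values() for e in sec
            if not e["action"].startswith("Quarantined and deleted")]


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(parsed))
    print("families:", dict(family_counts(parsed)))
    print("pending reboot:", pending_items(parsed))
```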

#10 rigel (FD-BC, Members, 12,944 posts, Male, South Carolina - USA)

Posted 16 December 2008 - 07:09 PM

Well done! :thumbsup:

Let's update and rerun Malwarebytes (MBAM). Post a fresh log. You mentioned having SuperAntiSpyware (SAS). Please update that program and run a scan with it using the following procedure.

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.
  • Open SAS.
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

#11 Dando (Topic Starter, Members, 43 posts)

Posted 17 December 2008 - 05:32 PM

Good evening Rigel

Boy, that was quite a task you set me. I took a half day off work today and have spent most of it following your instructions above.

This is what I've done:

Downloaded ATF Cleaner and saved to desktop
Opened SAS and made the alterations you wanted to the "configuration and preferences" menu
Went into Safe Mode and ran ATF Cleaner
Then I scanned with SAS - it took 3 hours!!! That's the longest it's EVER taken. It scanned nearly 90000 files! It revealed 2 x Trojan. Unknown Origin but nothing else. How come it detected them when it didn't detect them last night and MBAM didn't detect it either? The results are below. At the end of the scan it told me to re-boot immediately to get rid of the threats, so I did that.

I logged in again and went to do another scan with MBAM but got a message saying it couldn't find the file and did I want to download from internet? I said yes. It tried to download but couldn't. I tried again. Same thing.
I then went into SAS and re-set the Preferences back to what they were before.
I then went to MBAM and double clicked. It asked me if I wanted to download from internet. I said Yes and it immediately downloaded the latest version.
I did another MBAM scan. The results are below.

So the PC has had three scans: ATF Cleaner, SAS (both done in Safe Mode) and MBAM once I rebooted.

I hope I've done this right. Also am I ok to have re-set the SAS back the way it was?
I look forward to your response and hope I've done okay. Please let me know if I need to alter any of the preferences or anything in case I've left my PC vulnerable. I think I've re-checked (or ticked as we say in the UK) all the options back to what they were.

Thanks as ever and I look forward to hearing from you
Dando :thumbsup:

Here is the SAS Scan which took 3 hours

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/17/2008 at 08:01 PM

Application Version : 4.23.1006

Core Rules Database Version : 3674
Trace Rules Database Version: 1653

Scan type : Complete Scan
Total Scan Time : 02:56:39

Memory items scanned : 155
Memory threats detected : 0
Registry items scanned : 6467
Registry threats detected : 0
File items scanned : 93415
File threats detected : 2

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\MAXINE PEARSON\LOCAL SETTINGS\TEMP\TEMP.FR8BA3\OT.ICO
C:\DOCUMENTS AND SETTINGS\MAXINE PEARSON\LOCAL SETTINGS\TEMP\TEMP.FR8BA3\TS.ICO


Here is the MBAM log from today:
Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 2

17/12/2008 21:34:52
mbam-log-2008-12-17 (21-34-52).txt

Scan type: Quick Scan
Objects scanned: 80183
Time elapsed: 23 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 rigel (FD-BC, Members, 12,944 posts, Male, South Carolina - USA)

Posted 17 December 2008 - 08:59 PM

"I hope I've done this right. Also am I ok to have re-set the SAS back the way it was?
I look forward to your response and hope I've done okay"

You did fine :thumbsup:

We are almost done...
Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

#13 Dando (Topic Starter, Members, 43 posts)

Posted 18 December 2008 - 03:03 PM

Hi,

Sorry, need some help with this. When I try and Run F-Secure, I get a message flash up about not having rights. I think it's got something to do with my IE security settings (when I look at their FAQ).

In my IE security settings I have ActiveX Controls and Plug Ins
Allow previously unused ActiveX controls to run without prior prompt - I have Disabled this. I did this on the advice of BC during a previous Trojan problem. It was explained that ActiveX is often used to bring in viruses.

Now should I "enable" this and then try and run the programme?

I don't want to mess things up
Cheers
Dando

#14 rigel (FD-BC, Members, 12,944 posts, Male, South Carolina - USA)

Posted 18 December 2008 - 04:06 PM

Yes please... enable it for this test. You can disable it again afterward.

#15 Dando (Topic Starter, Members, 43 posts)

Posted 19 December 2008 - 12:08 PM

Hi Rigel

Well I "enabled" the ActiveX bit of my IE Security, the bit that said "Allow previously unused ActiveX controls to run without prior prompt". Then I tried to download F-Secure and I got a message telling me I had Insufficient Rights to allow F-Secure to run "Please check your user rights and IE Security Settings". I don't know what to do now. My IE custom security settings are medium-high as advised by BC. Most of the ActiveX settings are either disabled or on "prompt" as per instructions from previous issues. In fact I don't allow ActiveX on the PC because I think that's how I got Trojan Zlob last time. Erm, sorry to be dense but what do I do now?

Thanks as ever for your time and patience
Dando
