
"trace.directory.zcodec" What Is It?


10 replies to this topic

#1 Eagle7


Posted 14 September 2006 - 11:56 PM

Hello all,

A squared found one trace of "Trace.Directory.zCodec" tonight. Considered a medium risk problem, even their website didn't have info on it. I've Googled and ran various searches and am coming up empty. I put it in quarantine, until I can find out more about it and the best way to handle it. Any ideas on this one? Sure appreciate your help. Thanks.

Eagle7



#2 quietman7


Posted 15 September 2006 - 08:04 AM

What OS (Win XP/2000, etc) are you using? What type of anti-virus are you using and when was the last time you ran a scan? Are you getting any strange popup alerts or browser redirects? Did you recently have and remove any major infections from your computer?

Zcodec.exe = Trojan.Emcodec.E which drops and executes a copy of Trojan.Zlob. The Trojan masquerades as an installer for Media Codec 4.0 and IntCodec 6.0. There are several variants and some can be removed via Add/Remove in Control Panel so check there first and investigate anything that does not look familiar.

Since this is smitfraud related, you may have other malware that A squared did not find. So if you're using Win XP or 2000, do this.

First, print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Then please download, install and update Ewido Anti-Spyware v4.0. DO NOT perform a scan yet.
Print out the Ewido Install and Scan Instructions.

Go here and follow the instructions for using SmitfraudFix. Read "How to create/extract a ZIP File in Win ME/XP/2003" or "How to create/extract a ZIP File in Win 9x/2000" if you're not sure how to do this.

After using the tool reboot again in "SAFE MODE" and Clean out your Temporary Internet files as follows:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click "Delete Files" under Temporary Internet Files.
  • In the Delete Files dialog box, tick the "Delete all offline content" check box, and then click "OK".
  • On the General tab, click "Delete Cookies" under Temporary Internet Files, and then click "OK".
  • Click on the Programs tab then click the Reset Web Settings button. Click "Apply" then "OK".
  • Click "OK".
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Then scan with Ewido per the instructions you printed out and reboot back to normal mode.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Eagle7


Posted 15 September 2006 - 04:08 PM

Thanks Quietman7 for your response.

Been a while since I've posted, so forgot to include the basic info that you asked for. I'm running Win XP Home on an HP Compaq Presario, two years old. No strange pop-ups or browser redirects. My box was running 'normally', as far as I knew. I am most vigilant about scanning every few days with the following:

A Squared (Personal/Free vs)
AdAware (Personal/Free vs)
Spysweeper 5.0 (run most of the shields, have trouble with some clogging up my machine, etc)
Spybot S & D (Personal/Free vs)
Spyware Blaster (free)
My ISP provides a filter called "Netsweeper"
I also use McAfee Site Advisor
I do not share files, do gaming or any other use that would be a common place to 'pick up' these problems.

I also use AVG A/V + Firewall, and scan faithfully every morning first thing. Every daily scan for the last 2+ months has shown no problems. I also did scans with the other anti-spyware programs about yesterday, they were all clean, and usually are.

While I've not had what I'd call a major (relative term?) spyware problem, I have had my share of pests every few months. Had a problem with the "About:" a few months ago. The only other problem I have is my "helpsvcs.exe" has gone amuck several times a week and clogs up my CPU to 100%. I understand this to be "a bug" that I need to contact M$ about. Do you have any other suggestions to that issue?

I'm still pretty 'green' behind the ears, only been using a home computer for two years now. Sure would appreciate any help/info you might have in locking this box down any better than it already is (supposedly). I deleted HP's Backweb Lite months ago. Have also disabled several Windows services that assist in file sharing, etc. I'm on dial up currently, DSL not available here yet. Sure would like to know that my box is more secure before I try DSL.

For the moment tho, I'll follow your directions precisely, starting with the install and scan from Ewido. I'll report back on my progress later in the day. Again, thanks so much for your help.

Eagle7

#4 quietman7


Posted 15 September 2006 - 04:21 PM

Glad to assist and good luck. In case you would like more info on zCodec, there is some discussion here.

#5 Eagle7


Posted 15 September 2006 - 05:29 PM

Hey Quietman7,

I just had a "V-8 moment". I was starting to read the info from the link you provided re: this pest, when it hit me - I did recently install a program called "XviD 1.1" to facilitate being able to read a video tutorial about Ubuntu Linux. In my Add/Remove Programs, it is listed as "XviD 1.1 finaluninstal". For some reason, the desktop icon has disappeared, so I'd forgotten about it. Hope this sheds some additional light on my problem for you. If so, and I need to proceed any differently, please advise. Thanks.

Eagle7

#6 quietman7


Posted 16 September 2006 - 07:09 AM

Not all codecs are bad. You only have to worry about the fake ones so continue with the instructions.

#7 Eagle7


Posted 16 September 2006 - 09:57 AM

Thanks Quietman7,

I've already done the Ewido install/update/print directions and same for smitfraud. I'll begin the clean up process now and will report back. Thanks.

Eagle7

#8 Eagle7


Posted 16 September 2006 - 02:34 PM

Hi Quietman7,

Getting back to you re: the clean up process you outlined above. The Smitfraud tool came up clean, no problems with that apparently. Ewido also reported: "Scan completed. Nothing found." This was done in Safe Mode. There were no reports to save.

While still in Safe Mode, I ran another A Squared Deep Clean Scan to see what it thought, since that's the one that initially found the Codec problem. The only thing it showed were 2 traces of the RiskTool, which I saw were nothing to worry about (fr Ewido directions).

I use WinPatrol, and upon rebooting it detected a change to my Start Page to microsoft..., which I'm assuming happened while I was in Internet Options? Oh, by the way, I didn't click the Reset Web Settings while there per your instructions as I was just too confused about that. I browse with Firefox, so it didn't make any sense to me. However, if I do need to go back and do that step, just let me know. Anyway, I clicked on "No" to reset my Start Page to Christianityonline.com, my ISP start page. Then a new window came up announcing a change had been made to my background page displayed on my desktop. It stated that my new page is "blank" nothing there. If this is OK, then click Yes or press Enter. Click NO and we'll restore your page to the default "About:Home". Hmm, I wondered, does this mean that my computer still has traces of that nasty that plagued me a few months back? What are your thoughts on this? Of course, I clicked on Yes, wanting to avoid anything related to the "About" bug. I also went into Display and changed my Desktop back to the Ripple design I'd had before.

Where to go from here? Thanks for your help.

Eagle7

P.S. Should I go ahead and delete this program "XviD" that this bug rode in on?

Edited by Eagle7, 16 September 2006 - 02:38 PM.


#9 quietman7


Posted 16 September 2006 - 03:23 PM

Some smitfraud variants can affect web settings so resetting them is a standard instruction I included. If you're not having problems then it was ok to say no and ok to keep your ISP start page. In Internet Explorer Tools > Internet Options there are three settings for your home page: use Current, use Default and use Blank (about:blank). This is not the same as the CWS about:blank infection that you were referring to. Setting the home page to IE's blank allows it to open faster since it's not loading anything like images and text.

As I said, not all codecs are bad and I have not found any information indicating Xvid is something to be concerned about. However, if you're not using it then go ahead and remove (uninstall) it.

If all your scans are now coming up clean and you're showing no signs of any problems then it sounds like you're good to go. If that is the case then the last thing you need to do is SET A NEW RESTORE POINT to prevent reinfection from an old restore point. Any malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to set a new RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

#10 Eagle7


Posted 16 September 2006 - 06:17 PM

Thanks for all your help, Quietman7. I've learned so much from this issue: what about:blank is, I'll be taking a second look at keeping Ewido, how/why to set a new Restore Point as well as clean out the previous ones. I wondered about that previously.

I went ahead and deleted XviD just to be sure while I was in Cleanmgr/more options. Afterwards, I checked my Add/Remove List, noticed it was still there. I've run into that before, so attempted to remove it from the list when I received the following message: "Uninstaller Error - You do not have sufficient access to remove XviD final uninstall from the Add/Remove Programs List. Please contact your system administrator." So, what was that all about?

Eagle7

#11 quietman7


Posted 17 September 2006 - 07:22 AM

Sometimes when you select to remove the application, you will see an "Uninstaller Error" dialog saying:

"An error occurred while trying to remove...the program."
"It may have already been uninstalled. Would you like to remove...the program...from the Add or Remove program list?"

If you say yes to this, then you will see another "Uninstaller Error" dialog saying "You do not have sufficient access to remove it from the Add or Remove Program list. Please contact your system administrator."

This can be misleading because it implies that the problem is due to privileges when in fact you have already removed it but it's not reflected in Add or Remove Programs.

How to Manually Remove Programs from the Add/Remove Programs List
http://www.bleepingcomputer.com/tutorials/manually-remove-programs-from-add-remove-programs/

Instructions from Kelly's Korner on Removing Invalid Entries in Add/Remove Programs
http://www.kellys-korner-xp.com/xp_a.htm#addremove
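Add or Remove Programs builds its list from the registry's Uninstall keys, so an entry can outlive the program it describes, as the post above explains. The following read-only PowerShell script is an added example, not part of the original thread: it lists entries whose uninstaller file no longer exists. It assumes PowerShell 3.0 or later, and the helper name `Get-UninstallerPath` is hypothetical.

```powershell
# Added example: report Add/Remove Programs entries whose uninstaller is gone.
# Read-only: nothing is deleted or modified.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Hypothetical helper: pull the executable path out of an UninstallString.
function Get-UninstallerPath {
    param([string]$UninstallString)
    # Quoted form: "C:\Program Files\App\uninst.exe" /S
    if ($UninstallString -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form, possibly with spaces in the path and trailing arguments
    if ($UninstallString -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

$stale = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty -Path $key.PSPath
        if (-not $p.DisplayName -or -not $p.UninstallString) { continue }
        # msiexec/rundll32 entries point at a system binary, not a per-app file
        if ($p.UninstallString -match '(?i)^\s*"?(msiexec|rundll32)') { continue }
        $exe = Get-UninstallerPath $p.UninstallString
        if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{
                DisplayName = $p.DisplayName
                Uninstaller = $exe
                RegistryKey = $key.Name
            }
        }
    }
}
$stale | Format-Table -AutoSize -Wrap
```

The path parsing is a heuristic, so confirm that a reported program is really gone before removing its key by hand using the tutorials linked above.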



