Video_codec.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by jagguar, Nov 14, 2005.

  1. jagguar

    jagguar Private E-2

    I'm running Win2k. I made the mistake of downloading and installing a program called video_codec.exe. The installer referenced video-codec.com or videocodec.com or something like that and I double-checked and the website existed so I figured it was legitimate. After I installed it, I got an icon in the system tray that flashes between the Windows Update icon and a red circle with a white X through it. The icon regularly has a message pop up that says that my computer has a virus and I should "click here" to buy an antivirus at spyaxe.com. I have regular popups advertising random sites about every half-hour or so, and my IE homepage keeps changing to some default set by the virus (I don't remember the URL).

    I did everything you said to do in your "Read me first" post. I ran BitDefender and a couple others. Most of them didn't finish because the IE window closed automatically (I'm assuming by the virus) before they had a chance to finish. However, I was able to finish running the Trend Micro HouseCall scanner. Every scanner I ran found more infected files. I restarted in Safe Mode and ran Ad-Aware, Spybot, CCleaner, MS AntiSpyware, CWShredder, Kill2me, ewido, Avast, and HijackThis. I cleaned out a lot of the registry files that I thought were not necessary. I was never able to get rid of the icon in the system tray though. While in Safe Mode and as long as I wasn't connected to the internet, I didn't have the IE popups. After I restarted in normal mode I haven't been able to connect to most websites. I can ping them just fine but neither IE nor Firefox can connect to most websites. Strangely, I've really only been able to connect to the websites I use to pay my bills. But I'm not sure that the virus is doing that; I think I may have done it by erasing too much, but I'm not sure. I still get the regular popup IE windows from the virus but the URL doesn't work and each popup is just a blank page. I have attached my HijackThis report and a memory scan I did with ewido that includes some extra lists of stuff that continued to install itself after I restarted in normal mode and had all the spyware programs running.

    Please help me.
     


  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  3. jagguar

    jagguar Private E-2

    Here you go. Can you please let me know if you know how to get my internet working again? It's a pain having to find another computer to use just to try to get help. My internet is weird: I can connect to the internet, I just can't browse for some reason. My Gmail Notifier will tell me I have email but I can't use either IE or Firefox to actually go online to read my email.
     


  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to UnrealIRCd ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    UnrealIRCd

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Post a fresh HijackThis log after you have completed the above.
     
  5. jagguar

    jagguar Private E-2

    For some reason, my internet randomly started working again. But here's the log file. After I ran services.msc and stopped the service and disabled it, it didn't show up in HJT.
     


  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    Download this trial version of Ewido Security Suite


    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:



    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report



    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
  7. jagguar

    jagguar Private E-2

    Well, my internet stopped working again as soon as I told you that it was working. I did everything you said, and I did an ewido scan in safe mode and then also in normal mode. The normal mode scan gave identical results except the Masterstats cookie wasn't there.

    What do you think could be causing my browsers not to work? Do you think it's something to do with the settings I changed or is it a virus? The browsers are weird, they only work for a couple websites and occasionally work for everything. Other than that, they don't. But what's weird is that the internet connection seems to slow way down before the browsers stop working completely.
     


  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Have HijackThis fix the following:
    Please download Spy Sweeper


    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT log.
     
  9. jagguar

    jagguar Private E-2

    Spysweeper didn't find anything but I've included the log, which includes all the previous scans I've run it through. Also, I realized that my browsers stop working after a little while, they don't just not work. I created a few new users and tried to use the browsers with the other users and it worked, but only for maybe a minute. It's strange, it doesn't just stop working, it seems like it slows to a halt. I can browse the internet and then pictures stop loading and then it goes really slow and then it stops. The process of stopping is pretty fast, but it's still strange that it slows down like that. Any ideas?
     


  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Actually, Spy Sweeper found some stuff and removed it.

    Scan with HijackThis and fix the following:
    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments
     
  11. jagguar

    jagguar Private E-2

    I can't run Panda online because I can't get online with my computer. I have to use a different computer to be able to post to this forum. I ran Qoologic and rkfiles and attached the logs of those. Also, every time I restart windows in normal mode, Windows AntiSpyware catches a BHO installing itself again. So there's a still a file somewhere on the computer trying to reinstall at least a BHO every time Windows starts.

    Also, my SpySweeper trial will run out in 3 days. I don't know if I'm going to need it anymore but if the trial runs out and I want to reinstall it, is there a way to erase the memory of the program from the registry or anything so I could reinstall the trial for another 14 days?
     


  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion: say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files in the list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. Delete the contents of C:\WINNT\Prefetch.

    REBOOT to Normal Mode.

    Run CCleaner before doing the below.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

     
  13. jagguar

    jagguar Private E-2

    Okay, killbox.exe took care of all those files. None were left after restarting in Safe Mode. However, there were other similar files like atl71.dll and several MFCXXXX.dll and .map's, although I think that CCleaner took care of most of them because they weren't associated with anything. Btw, what is a .pdb file?

    Also, when I restarted in Normal Mode, MS AntiSpyware had a popup that said that it allowed some host details thing named as.casalemedia.com according to something I had previously told it to allow. I must have allowed it before, not knowing what it was. I still don't know what it is but I deleted it from being allowed. I also looked at the host details tab in MS AntiSpyware and there were a lot of files/webaddresses allowed in there that apparently all point to 127.0.0.1. I don't know if that's legit or not. I attached a screenshot of the window so you can see what I mean. Is that supposed to be like that?

    Also, when I ran CCleaner, I noticed a program in the Tools-->Uninstall section called ButtonDemo. I don't know what that is and I'm pretty sure I never intentionally installed it. I assumed it's something I don't want and when I tried to delete it I got an error message:

    "Bad Installation. Error invoking Java VM (execv)
    C:program Files/Java/jre1.5.0_04/bin/javaw.exe"

    And also, I noticed in c:/WINNT that there is a file named setdebug.exe with a teddybear icon and I remember reading an email once upon a time that said that that file is a virus file or something. I'm pretty sure the email was BS, am I right?
     


  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    A .pdb file is a 'Portable' Document usually used on PDAs. In this case their purpose is a little more sinister. Don't delete any of those other files.
    Follow the instructions in this thread, Running Hoster, to reset your hosts file.
    Uninstall Java using Add or Remove Programs and reinstall using the latest version of Sun Microsystems Java Runtime Environment.
    DO NOT delete that file; it is a LEGITIMATE Windows file and required by Windows to run correctly.

    Download and Install:
    - ExplorerXP

    Run ExplorerXP, navigate to C:\WINNT\SYSTEM32; locate and delete this file asw3.tmp.

    Next run REGEDIT and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System Initialization. Look for SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If that is the only key under System Initialization, delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System Initialization; otherwise delete only the SOFTWARE\Microsoft\Windows\CurrentVersion\Run key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System Initialization.

    REBOOT post a fresh HijackThis log from Normal Mode. How is your computer running?
     
  15. jagguar

    jagguar Private E-2

    I ran ExplorerXP but I don't have asw3.tmp in my WINNT folder. Is ExplorerXP just a Windows Explorer, or is there something special about it that you wanted me to run that as opposed to just using Windows Explorer?

    I ran REGEDIT and there were 6 keys in the folder so I deleted SOFTWARE\Microsoft\Windows\CurrentVersion\Run and rebooted. My computer seems to be working okay, but when I rebooted I still got a BHO trying to install itself that I had to tell MS AntiSpyware to block. AntiSpyware also had to block as.casalemedia.com, that same host file. And my internet browsers are still not working. It's strange because IE works for maybe a minute after rebooting and then it just stops.
     


  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    ExplorerXP is a Windows Explorer replacement that doesn't have some of the shortcomings of Windows Explorer.

    What BHO is trying to load? Not all BHOs are bad. Your HijackThis log shows none; however, there are 2 IE toolbars shown in the log.

    Reboot, allow the BHO, run HijackThis and post the log so I can see what the BHO is trying to load.
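Two things in this thread are served by the same comparison: the UnrealIRCd service removed in post 4 and the nameless BHO that the user reports reinstalling after every reboot. The script below is an added example, not code from the thread or from HijackThis: it parses two HijackThis-format logs (one entry per line, a section code such as O2, O3, O4 or O23, then " - ", then the entry) and reports which fixed entries stayed gone, which came back, and which are new, with a few of the heuristics a helper applies by eye. Both logs, every CLSID and every file name in them are constructed placeholders, not identifiers from the user's machine.

```python
"""Compare HijackThis logs around a fix to see what came back after reboot.

Added example for this thread; it is not HijackThis and not a tool the
helpers ran. HijackThis lists one item per line with a section code:
O2 = browser helper objects, O3 = IE toolbars, O4 = Run keys, O23 = NT
services. The two logs below are constructed in that shape; every CLSID
and file name in them is a placeholder, not a real identifier.
"""
import re

HJT_LINE = re.compile(r"^(O\d+) - (.+)$")
PERSISTENCE = {"O2", "O3", "O4", "O23"}

# Constructed "before" log: a legitimate toolbar/BHO pair, the built-in Radio
# toolbar, a nameless BHO and an IRC daemon installed as a service.
LOG_BEFORE = """\
Logfile of HijackThis (constructed sample)
O2 - BHO: Google Toolbar Helper - {11111111-1111-1111-1111-111111111111} - C:\\Program Files\\Google\\GoogleToolbar1.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - C:\\WINNT\\system32\\sample.dll
O3 - Toolbar: &Google - {33333333-3333-3333-3333-333333333333} - C:\\Program Files\\Google\\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {44444444-4444-4444-4444-444444444444} - C:\\WINNT\\System32\\radio.ocx
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: UnrealIRCd - Unknown owner - C:\\WINNT\\system32\\ircd.exe
"""

# Entries the user told HijackThis to fix (the service was also deleted by hand).
FIXED = {
    ("O2", "BHO: (no name) - {22222222-2222-2222-2222-222222222222} - C:\\WINNT\\system32\\sample.dll"),
    ("O23", "Service: UnrealIRCd - Unknown owner - C:\\WINNT\\system32\\ircd.exe"),
}

# Constructed "after reboot" log: the service stayed gone, the BHO is back.
LOG_AFTER = """\
Logfile of HijackThis (constructed sample)
O2 - BHO: Google Toolbar Helper - {11111111-1111-1111-1111-111111111111} - C:\\Program Files\\Google\\GoogleToolbar1.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - C:\\WINNT\\system32\\sample.dll
O3 - Toolbar: &Google - {33333333-3333-3333-3333-333333333333} - C:\\Program Files\\Google\\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {44444444-4444-4444-4444-444444444444} - C:\\WINNT\\System32\\radio.ocx
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
"""


def parse_hjt(text):
    """Return the set of (section, entry) pairs found in a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries


def suspicious(entry):
    """Reasons an entry deserves a closer look; mirrors what a helper checks by eye."""
    code, body = entry
    low = body.lower()
    reasons = []
    if code == "O2" and "(no name)" in low:
        reasons.append("BHO registered without a name")
    if code == "O23" and "unknown owner" in low:
        reasons.append("service with no vendor information")
    if "\\temp\\" in low or low.endswith(".tmp"):
        reasons.append("binary loaded from a temp folder or .tmp file")
    return reasons


def compare(before, fixed, after):
    """Classify fixed entries as removed or returned, and report new entries."""
    b = {e for e in parse_hjt(before) if e[0] in PERSISTENCE}
    a = {e for e in parse_hjt(after) if e[0] in PERSISTENCE}
    fixed = set(fixed)
    return {
        "removed": sorted(fixed - a),
        "returned": sorted(fixed & a),  # something still on disk reinstalls it
        "new": sorted(a - b),
    }


if __name__ == "__main__":
    result = compare(LOG_BEFORE, FIXED, LOG_AFTER)
    for kind, items in result.items():
        for code, body in items:
            flags = "; ".join(suspicious((code, body))) or "no heuristic flags"
            print(f"{kind:8} {code:4} {body}  [{flags}]")
```

With real logs, replace `LOG_BEFORE` and `LOG_AFTER` with the saved files and `FIXED` with the lines you ticked in HijackThis. An entry under `returned` is the signal this thread spent most of its length chasing: the item itself was removed, but a loader that is not in the log put it back at startup.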
     
  17. jagguar

    jagguar Private E-2

    Yeah, the Google toolbar is supposed to be there but I don't know what that radio toolbar is. I'm assuming it has something to do with the standard IE Radio Station Guide or something. I ran another HijackThis and it looks like the BHO that keeps trying to reinstall itself is that no-name one you told me to delete.

    I reinstalled firefox to see if I could get it to work and still nothing. Do you have any idea what's keeping my computer from being able to browse the internet?
     


  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Disable Spybot's Teatimer.

    Scan with HijackThis and fix the following:
    Download
    - Hoster
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Download
    - RootkitRevealer

    Run RootkitRevealer and post the log as an attachment.
     
  19. jagguar

    jagguar Private E-2

    I got rid of the BHO, I reset my hosts file, and I ran RootkitRevealer. RootkitRevealer couldn't find any discrepancies. I disabled TeaTimer. Why do you want it disabled?
     
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    TeaTimer can be a resource hog, and often interferes with fixes. I leave it disabled on my systems.

    Post a fresh HijackThis log. How is your system running?
     
  21. jagguar

    jagguar Private E-2

    My computer is still the same. I start it up and it works for about a minute before stopping. It still has selective browsing. For the most part, it only lets me access the sites I use to pay my bills. So at least it's convenient, but it's strange. I reran MS AntiSpyware and it found nothing.

    Btw, what is the synchronization manager? Is that something I need?
     


  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Synchronization Manager is a Microsoft process that synchronizes offline files. This is a valid program but it is not required to run on startup.

    Just to make sure SpyAxe is not still hanging around; follow the directions for SpyAxe Removal.
     
  23. jagguar

    jagguar Private E-2

    Still the same problem. It's weird, my internet access comes and goes.
     


  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run BlackLight from F-Secure and post the log when finished.
     
  25. jagguar

    jagguar Private E-2

    It didn't find anything. Okay, so my internet access is strange. It's completely inconsistent. Like I said before it comes and goes. It'll work for a short while (typically a couple minutes) until I try to access another host. Once I try to access another host, it either slows down and stops or just flat out stops all together. Sometimes I can simply close all IE windows and open another one up, and it'll work again. And sometimes I have to wait half an hour or more for it to work again. Does this make any sense to you?
     


  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your system appears to be Malware free. I would say you are experiencing Software/OS problems. It could be your firewall or AV program is blocking something it shouldn't. Check and make sure that the Windows Firewall is off. You might be having problems with the WinSock, but if that were broken then you shouldn't be able to get internet access at all.

    You may want to post in the software forum, with these issues to get further assistance.
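The helper's point in post 26, that ping can succeed while the browser fails because the firewall or the Winsock stack is in the way, can be tested one layer at a time rather than guessed at. The script below is an added example for this page, not something anyone in the thread ran, and it is written for a current Python rather than the Windows 2000 machine in question: it checks the hosts file, DNS, a bare TCP connect to port 80 and a minimal HTTP request separately, so the first layer that fails names the suspect. The probe functions are injectable, which lets the decision logic run offline against constructed results; called with defaults it uses real sockets. The hostnames in the test inputs use the reserved .example domain, and 198.51.100.7 and 203.0.113.5 are RFC 5737 documentation addresses.

```python
"""Localise "ping works but the browser stalls" layer by layer.

Added example for this thread, not something anyone in it ran. ICMP and
TCP take different paths: a hosts-file redirect, a firewall rule or a
damaged Winsock layered-provider chain can leave ping working while port
80 connections hang. Each probe is a separate function that can be
replaced with a fake, so the decision logic is testable offline; with
default arguments real sockets are used.
"""
import socket

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def hosts_override(hostname, hosts_text):
    """Return the address the hosts file assigns to hostname, or None."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


def real_resolve(hostname):
    """DNS (or hosts) lookup through the system resolver; None on failure."""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None


def real_connect(ip, port, timeout=5.0):
    """TCP handshake only; returns 'ok', 'timeout', 'refused' or 'error:<errno>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "ok"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return f"error:{e.errno}"
    finally:
        s.close()


def real_http(ip, hostname, timeout=5.0):
    """Minimal HEAD request; returns the status line, or None if nothing came back."""
    try:
        with socket.create_connection((ip, 80), timeout=timeout) as s:
            s.sendall(f"HEAD / HTTP/1.0\r\nHost: {hostname}\r\n\r\n".encode("ascii"))
            first = s.recv(1024).split(b"\r\n", 1)[0]
            return first.decode("ascii", "replace") or None
    except OSError:
        return None


def diagnose(hostname, hosts_text="", resolve=real_resolve, connect=real_connect, http=real_http):
    """Return (verdict, detail); the verdict names the first layer that failed."""
    ip = hosts_override(hostname, hosts_text)
    if ip in SINKHOLES:
        return "HOSTS_SINKHOLE", f"{hostname} is mapped to {ip}; ping 'succeeds' against loopback"
    if ip is not None:
        return "HOSTS_REDIRECT", f"{hostname} is forced to {ip}, not its real address"
    ip = resolve(hostname)
    if ip is None:
        return "DNS_FAIL", f"{hostname} did not resolve"
    state = connect(ip, 80)
    if state == "timeout":
        return "TCP_TIMEOUT", f"SYN to {ip}:80 unanswered: firewall, LSP or route; ICMP may still pass"
    if state != "ok":
        return "TCP_FAIL", f"connect to {ip}:80 failed: {state}"
    status = http(ip, hostname)
    if status is None:
        return "HTTP_FAIL", f"{ip}:80 accepted the connection but returned nothing"
    return "OK", f"{hostname} ({ip}) answered: {status}"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.majorgeeks.com"
    try:
        # Windows 2000 path; adjust for other systems.
        with open(r"C:\WINNT\system32\drivers\etc\hosts") as fh:
            hosts = fh.read()
    except OSError:
        hosts = ""
    print(*diagnose(host, hosts))
```

Run it against one of the sites that works and one that does not while the browser is in its stalled state; a `TCP_TIMEOUT` on some hosts and `OK` on others, with DNS fine throughout, is the pattern that separates a stack or firewall problem from a name-resolution hijack.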
     
  27. jagguar

    jagguar Private E-2

    I would guess that it's something I changed when I originally ran all the programs in Safe Mode. I'm thinking it may be one of the files I took off of the start up list that I shouldn't have. Is there a way I can look at what startup files I have turned off? I think I did it using Spybot but I'm not sure.
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Spybot, by default should make backups before doing any changes. If a backup is available it will be listed in Recovery.
     
  29. jagguar

    jagguar Private E-2

    How do I check the Windows firewall?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
