Vocdec



B.I.G.
2006-04-25, 16:23
I need help?

My comp is infected with Vcodec!!! I cannot remove it with Spybot 1.3!!!
How can I remove Vcodec from my computer?

Please Help!!!
B.I.G.

tashi
2006-04-25, 16:34
Hello.

RE: Spybot-S&D version 1.3

If your Operating System is not Windows 95, please read the following:

Version 1.4 :Systems Supported (http://www.safer-networking.org/en/spybotsd/index.html)


Spybot-S&D Version 1.4 Download (http://www.spybot.info/en/download/index.html)


Uninstalling Previous Spybot-S&D (http://www.safer-networking.org/en/faq/27.html)



Tutorial (http://www.spybot.info/en/tutorial/index.html)



Solution to fix the pop-ups in TeaTimer. (http://forums.spybot.info/showthread.php?t=122)


Also:
BEFORE you post a log, and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

B.I.G.
2006-04-26, 17:01
Here are my logs!!!


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: sri 26.04.2006
The current time is: 8:32:32,26

Running from
C:\Documents and Settings\Administrator\Desktop\virus\nes\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\system32\sivudro.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb
hp***.tmp
logfiles


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 792 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\system32\sivudro.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)

B.I.G.
2006-04-26, 17:25
HI!!!!!

I still have a problem!!! I did everything as it is written on the forum, so now I am sending my logs. I hope that they can help you!!!

LonnyRJones
2006-04-26, 20:15
Hi B.I.G.
We have started using another tool for that

Reboot into safe mode and run SmitfraudFix Option 2 (clean)
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Once in safe mode ______________________________
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. Reboot your PC.

Post (not attach) the c:\rapport.txt and a new hijackthis log please.

B.I.G.
2006-04-27, 10:24
Here are my new logs. I think that the problem is gone. Thanks a lot!!! :)

B.I.G.
2006-04-27, 10:27
and here is my smitRem log!!! One more time thank you!!!


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: źet 27.04.2006
The current time is: 8:29:45,76

Running from
C:\Documents and Settings\Administrator\Desktop\virus\nes\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1984 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)
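The two smitRem logs above differ in one SharedTaskScheduler entry. As an added example (not part of the original thread and not code from smitRem or GetSTS), this Python sketch parses the pseudo-reg export and flags entries outside a baseline; the baseline set and the per-user heuristic are assumptions made for this example.

```python
import re
# First log's pre-run export, copied from this thread (blank lines dropped).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\system32\sivudro.dll"
'''
# Assumption: the two entries still present in the second (post-clean) log are the baseline.
BASELINE = {"{438755C2-A8BA-11D1-B96B-00A0C90312E1}", "{8C7461EF-2B13-11D2-BE35-3078302C2030}"}

SECTION = re.compile(r'^\[(HKEY_[A-Z_]+)\\(.+)\]$')
VALUE = re.compile(r'^(?:"([^"]*)"|@)="(.*)"$')
CLSID_KEY = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$')

def parse_sts(text):
    """Map CLSID -> {'name', 'hive', 'dll'} from a GetSTS pseudo-reg export."""
    entries, hive, path = {}, None, ""
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            hive, path = m.group(1), "\\" + m.group(2)
        elif m := VALUE.match(line):
            value_name, data = m.groups()
            key = CLSID_KEY.search(path)
            if path.endswith("\\SharedTaskScheduler") and value_name:
                entries.setdefault(value_name.upper(), {})["name"] = data
            elif key and value_name is None:  # default value (@) holds the DLL path
                entries.setdefault(key.group(1).upper(), {}).update(hive=hive, dll=data)
    return entries

def suspicious(entries, baseline=BASELINE):
    """Return {CLSID: [reasons]} for entries that deserve a closer look."""
    findings = {}
    for clsid, e in entries.items():
        reasons = []
        if clsid not in baseline:
            reasons.append("not in baseline")
        if e.get("hive") == "HKEY_CURRENT_USER":  # heuristic chosen for this example
            reasons.append("InProcServer32 registered per-user")
        if reasons:
            findings[clsid] = reasons
    return findings
```

Run against the first log's export, `suspicious(parse_sts(SAMPLE))` reports only the SivuWare CLSID; with that entry's lines removed, as in the second log, it reports nothing.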

LonnyRJones
2006-04-27, 10:57
Start HijackThis and place a check next to these items if there.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R3 - URLSearchHook: (no name) - {213FBA1C-70D2-5F76-8F72-5A27B0E2EC99} - C:\WINDOWS\system32\vcfvm.dll (file missing)
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpB226.tmp (file missing)
O15 - Trusted Zone: http://*.acdserver
O15 - Trusted Zone: http://*.bst16
O15 - Trusted Zone: http://*.bst21
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O20 - Winlogon Notify: winteu32 - C:\WINDOWS\SYSTEM32\winteu32.dll
Questionable program >
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
====================================
Hit fix checked and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Uninstall Microsoft AntiSpyware and go get their latest version.

Attach a copy of C:\WINDOWS\SYSTEM32\winteu32.dll
here please http://www.thespykiller.co.uk/forum/index.php?board=1.0

Post a fresh HijackThis log please, be sure to mention any current problems.

B.I.G.
2006-04-27, 11:45
Hi, here is my fresh log. I did not check the following things:
O15 - Trusted Zone: http://*.acdserver
O15 - Trusted Zone: http://*.bst16
O15 - Trusted Zone: http://*.bst21
I put these sites there.

I did not find anything else on my comp.
so I think that everything is ok now!

B.I.G.
2006-04-27, 12:03
Sorry, I still have this problem, which you can see on the screenshot that I posted.
I cannot access it or delete it!!!!

LonnyRJones
2006-04-27, 12:55
Post a report from this tool if any FILES show.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the "I accept" button near the bottom of that page.
Download and run BlackLight, click > scan then > next, next again, then exit.
There will be a new txt file near BlackLight. Post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.

B.I.G.
2006-04-27, 14:17
Here is the content of the log file!!!

04/27/06 14:12:23 [Info]: BlackLight Engine 1.0.36 initialized
04/27/06 14:12:23 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/27/06 14:12:24 [Note]: 7019 4
04/27/06 14:12:24 [Note]: 7005 0
04/27/06 14:12:34 [Note]: 7006 0
04/27/06 14:12:34 [Note]: 7011 2776
04/27/06 14:12:34 [Note]: 7026 0
04/27/06 14:12:35 [Note]: 7026 0
04/27/06 14:13:10 [Note]: FSRAW library version 1.7.1015
04/27/06 14:14:45 [Note]: 2000 1006
04/27/06 14:16:04 [Note]: 7007 0

B.I.G.
2006-04-27, 14:20
I removed the file winteu32.dll!!! I went to safe mode and deleted this file!!!!

LonnyRJones
2006-04-27, 14:31
Great

Fix this with HijackThis if you haven't already
O20 - Winlogon Notify: winteu32 - C:\WINDOWS\SYSTEM32\winteu32.dll (file missing)

Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

B.I.G.
2006-04-27, 15:09
I tried with HijackThis but it stays in place. I went to safe mode and deleted that file. One more time, thank you for the help. Now it appears to be OK!!!

LonnyRJones
2006-04-27, 23:16
OK, let us know how the pc is after a few days.

B.I.G.
2006-05-03, 09:26
Hi!!!
My comp. is running OK for now!!!
The only problem is that when I start IE after a shutdown, my start page is about:blank.
I changed this, but it started happening 2 days ago.
This only happens after a shutdown!!!
When I restart my comp., it is OK!!! :bigthumb:

LonnyRJones
2006-05-03, 13:29
:bigthumb:

Since the problems are solved I'm going to close the topic now. This keeps others with similar problems from posting their logs/questions here; they should start a new topic.
If you should need to post another log for the same PC, let me or Tashi know.