Need help removing VCodec

[spy_who_lured_me]

Hi:
I am new to spybot Search and Destroy, however the kind of work this team is taking up is quite impressive and praise-worthy.
I recently downloaded Spybot Search and Destroy tool and I found there is something called VCoded installed on my machine. I am fixing it everytime with the Spybot Search and Destroy tool. However, it keeps coming back.
I need help removing it permenantly.
I look forward for your kind support into this matter.
Thank you in advance.

 

[tashi]

Hello.
Do you have an updated Spybot-S&D version 1.4?

To receive advice in the malware forum, please follow these instructions.
Before you post a log, and who will advise you.

 

[tashi]

Due to lack of a response this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.

 

[spy_who_lured_me]

Hi Tashi:
Yes I have spybot 1.4 version, Can you tell me what would you like me to do? However, I do not have internet connection now on the computer where I have this VCodec got installed.
Please suggest.
Thank you.

 

[LonnyRJones]

Can you get Hijackthis on the pc and get a log ?

 

[spy_who_lured_me]

I surely can. Do you want me to post log here?

 

[LonnyRJones]

Post a newly made hijackthis log, yes.

 

[spy_who_lured_me]

here is the log
Logfile of HijackThis v1.99.1
Scan saved at 10:18:35 PM, on 4/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\brss01a.exe
E:\WINDOWS\system32\Brmfrmps.exe
E:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
E:\Program Files\Documentum\Shared\DcComponentInstaller.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\ewido anti-malware\ewidoguard.exe
E:\WINDOWS\System32\inetsrv\inetinfo.exe
E:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Program Files\Network Associates\VirusScan\Mcshield.exe
E:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\Apoint2K\Apoint.exe
E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
E:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
E:\WINDOWS\System32\igfxtray.exe
E:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
E:\WINDOWS\System32\hkcmd.exe
E:\Program Files\Apoint2K\Apntex.exe
E:\WINDOWS\System32\ezSP_Px.exe
E:\WINDOWS\AGRSMMSG.exe
E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
E:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
E:\Program Files\D-Link\Air Utility\AirCFG.exe
E:\Program Files\VERITAS Software\Update Manager\sgtray.exe
E:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\TPSBattM.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
E:\Program Files\Brother\ControlCenter2\brctrcen.exe
E:\Program Files\Java\j2re1.5.0\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Yahoo!\Messenger\ypager.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
E:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
E:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\WZCBDL Service\WZCBDLS.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://config.mcgraw-hill.com/CONF/autoadmin.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = corp-proxy.mcgraw-hill.com:33333
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - E:\WINDOWS\_MWOLTB.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - E:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] E:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [B'sCLiP] E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] E:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] E:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [D-Link Air Utility] E:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [StorageGuard] "E:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "E:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] E:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] E:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] E:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] E:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ICQ Lite] E:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Service Manager.lnk = E:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Status Monitor.lnk = E:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MWOL &Dictionary - res://E:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://E:\WINDOWS\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C0440E5-8BD4-2345-8E01-07264AE9A0BE} - http://85.255.113.214/1/gdnUS2296.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - E:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - E:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - E:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Documentum Desktop Component Installer - Documentum, Inc. - E:\Program Files\Documentum\Shared\DcComponentInstaller.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - E:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - E:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - E:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - C:\oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceCOM - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleServiceREGENCY - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - E:\Program Files\WZCBDL Service\WZCBDLS.exe

 

[LonnyRJones]

Fallow the advice in this post
smitfraud: http://forums.spybot.info/showthread.php?t=1958

Post back with all the logs mentioned, except the before hijackthis log..

 

[spy_who_lured_me]

Hi LonnyRJones:
I am going through the instructions, just not having access to internet for enough time is making it difficult for me to respond quick enough. Please do not close this thread, I am working on collecting logs and transferring them to different machine from where I can post them here.
Thank you.

 

[spy_who_lured_me]

Hi LonnyRJones
I have attached all the requested logs except for HiJackThis log as you mentioned.
Please let me know if I need to post anything else.
Thank you.

 

[LonnyRJones]

Is this file present ?
E:\WINDOWS\system32\stickrep.dll

Do make and post another hijackthis log, also mention any problems youve noticed

 

[spy_who_lured_me]

I would post HiJackThis Log, and check for that dll file you mentioned; would you want me to run roguescanfix as well? and send you the logs from Panda Active Scan?
Please do let me know.
Thank you.
Regards

 

[LonnyRJones]

Just a fresh hijackthis log and a manual check if that file exists

 

[spy_who_lured_me]

Hi LonnyRJones,
Attached is the latest HiJackThis log and I searched for stickrep.dll under System32 folder but could not find it there.

 

[LonnyRJones]

Start Hijackthis and place a check next to this dialer >
O16 - DPF: {0C0440E5-8BD4-2345-8E01-07264AE9A0BE} - http://85.255.113.214/1/gdnUS2296.exe
====================================
Hit fix checked and close Hijackthis.

Install SpywareBlaster (By JavaCool): http://www.javacoolsoftware.com/spywareblaster.html

Update suns java manualy
Sun Java V1.5.0_06 is Available: http://java.com/en/index.jsp
Afterwards Turn off it's auto-updater,(Its buggy) , in control panel java >
update tab uncheck its option to update automatically.
After you install the newer version its important to uninstall the old versions, via addremove programs.
http://forums.spybot.info/showthread.php?t=2559

Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

 

[spy_who_lured_me]

Hi LonnyRJones:
I did all the things recommended below. I am not sure if I am still infected, I am not definitely getting any spywarequake notifications or spybod S&D is not finding vcoded on my machine but is there anything else that I need to do in order to be sure, that I am not infected?
Thanks alot for all your help and guidance so far.

 

[LonnyRJones]

I think your good to go

We will leave the thread open for a few more days incase something pops up

Stay safe

 

[spy_who_lured_me]

Thanks alot.

 

[LonnyRJones]

Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.

If you should need to post another log for the same PC let Me or Tashi know.