TechSpot

Beware of self-load anti-spyware/anti-virusware

By Crispin L Fowle
Sep 28, 2006
  1. For a little over the past 24 hours, I have been dealing with an uninvited anti-spyware that came disguised as a "needed media reader" for some pictures that I wanted to download. (OK, so the pictures were porn.:eek: )

    Instead I received warnings of viruses and spies that needed to be removed for which I "needed" to download their software. :confused: Instead I tried running the Norton, Spybot, and Ad-Aware that I already have.

    Norton determined that I had some Office 2003 to update - thanks, but that's not solving this problem.

    Ad-Aware found nothing

    Spybot found files under PestTrap that ended with "pmsngr.exe" and removed them. The problem was that the warnings continued. I also received critical warnings of a "spyware.cyberlog-x" that was affecting my system.
    Manually, I went to "My Computer" to remove the anti-virusware. This helped but not completely.

    After several back-and-forths to Spybot (3x with the same result) and using search engines for the keywords, I finally discovered that the key file giving me the "critical warning" with a yellow triangle/exclamation point icon was located in a file directory named "WinMediaCodec".

    IF ANYBODY FINDS A DIRECTORY WITH THIS NAME ... REMOVE IT! :unch:

    Removal of this directory - which may require rebooting - will remove this plague of a virus disguised as anti-virus programming. If you want to use the Windows search program under my files, the keyword, or part of a word, is "Codec".

    Having removed this file directory, All Systems Normal!:grinthumb
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, the WinMediaCodec is a nasty little bugger without doubt. It's part of the Virus burst infection as far as I'm aware.

    Might I suggest you go and read this thread HERE, then post a HJT log as an attachment. I'll take a look at it for you and see if your system is really clean or not.

    Regards Howard :)

    This thread is for the use of Crispin L Fowle only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Crispin L Fowle

    Crispin L Fowle TS Rookie Topic Starter

    Howard,

    I tried to download the HJT program, but my internet connection got severed. Instead I re-ran in the last 45 minutes:

    Ad-Aware SE - it found and removed:
    Win32.Trojandownloader.Zlob (2 objects)
    VirusBurst (1 object)
    MegaSearch Toolbar (3 objects)
    Tracking Cookie (4 objects)

    Spybot - Search and Destroy
    PestTrap
    HKEY_USERS\S-1-5-21-57989841-1563985344-854245398-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\*\pmsngr.exe
    HKEY_USERS\ ... \Sotware\Internet Services

    [That's just 2 entries, Down from 6 yesterday which incl - HKEY_LOCAL ...pmsnge.exe and a Zlob]

    PC onPoint 3.5 (unregistered) found, but will not treat until I pay them $35:
    Startup Programs 2 Problems
    ActiveX/Classess 3
    Application Paths 1
    Program ID Section 38
    Complete Registry Scan 84

    [Sorry PC onPoint, but I just put out $45 to replace the power cord w/ converter to my printer]

    Norton Firewall 2005 is paid up as of June (has been warning me of several sites trying to connect this past day)
    Norton SystemWorks 2005 is due to expire in 3 months

    Howard, I hope that this can help since the HJT did not download properly

    Crispin L. Fowler
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Try downloading HJT again. It's only a very small download.

    If you manage to get it, make sure you rename the HijackThis.exe to HijackThis1991.exe and put it in its own folder in programme files.

    Regards Howard :)
     
Topic Status:
Not open for further replies.
