A Windows 98 & ME forum. Win98banter

Two Bugs within days



 
 
  #1  
Old June 8th 06, 11:56 AM posted to microsoft.public.win98.gen_discussion
external usenet poster
 
Posts: n/a
Default Two Bugs within days

hi all,,,,, win98se.

Gekko not feeling sprite at the moment, Oz is being delivered with 'bugs';;
some affecting humans, and some affecting comps.
I got a 'schnnnnozz' that is red-raw, eyes that are dripping, & blah.

Folks, I just found 90% of my icons 'tampered' with, and Spybot tells me
I have 'Vcodec.emedia' followed by Avast telling me something similar.
(it got recognised as: - eCodec-v4.148.exe)
Neither of the two seem married, as Spybot is telling me all of the crap I
have is already in the registry.(6 entries) Avast on the other hand is
telling me it is from
something that is in 'my downloads' folder on the d/top, of which there is
an entry as if I d/loaded this 'thang'. (as if)

I have checked it out via Google but would rather have one of you
assist, especially as it is already in the registry.
I am still on dial up and still having problems, but I don't want to disconnect
while I have the connection active as I would rather get a response here
prior to disconnecting or shutting down before bed.
I hope (although, I don't) that one of you guys have had to deal with this and
can enlighten me. (I'm really too pooped to deal with this right now, so a helping
hand wouldn't go astray)(I also don't want to shut down the comp' or disconnect
in case this trojan infiltrates further due to a re-boot.)
help!
Gekko


  #2  
Old June 8th 06, 12:05 PM posted to microsoft.public.win98.gen_discussion

Also, in Avast's log (xml) it shows my trojan as being:::::
"VirusWin32:Zlob-CP"
Gekko

sniff........

  #3  
Old June 8th 06, 12:09 PM posted to microsoft.public.win98.gen_discussion

Damn, I really am off-peak at the moment.
Just thought I'd also mention that ' it ' is also in add/rem
as 'eMedia Codec 4.0'.
I don't want to start any deleting or removing till I hear from here
first.
Sorry for the branching info, I'm just not with it at the moment.
Gekko

  #4  
Old June 9th 06, 03:29 AM posted to microsoft.public.win98.gen_discussion

Trojan.Emcodec
http://securityresponse.symantec.com...n.emcodec.html
Trojan.Emcodec is a Trojan horse that drops and executes a copy of Trojan.Zlob.J. The Trojan is an installer for eMediaCodec that is a codec for Windows Media Player.

Trojan.Zlob.J
http://securityresponse.symantec.com...an.zlob.j.html
Trojan.Zlob.J is a back door Trojan that allows the remote attacker to perform various malicious actions on the compromised computer.

Troj/Zlob-CP
http://www.sophos.com/virusinfo/anal...rojzlobcp.html


--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375

  #5  
Old June 9th 06, 04:37 AM posted to microsoft.public.win98.gen_discussion

Thanks Brian,
I went to all three links; the first two were the same page
and the third gave a little bit of info.
Thing is, the first two are assuming I have Symantec installed, and they
tell what to do regarding using their product, and the third says nothing
about removal of the trojan.
My antiV is Avast.

Any ideas on how to get rid of it Brian?
Gekko

  #6  
Old June 9th 06, 09:34 AM posted to microsoft.public.win98.gen_discussion

Brian, and any others that pick up on this thread.
I have registered at TomCoyote's forum in order to try and remove the
offender, but, as has been stated, it can be a while before someone
answers as they are snowed under with people with virii.

I am just wondering if it would be safe for me to use add/rem to start the
removal process as there is an entry in there;; In fact, here is an updated
complete list of where it has been found.
There are 4 entries in the registry:--
Hkey_local_machine\software\microsoft\windows\currentversion\uninstall\eMedia Codec.
Hkey_classes_root\clsid\{6BF52A52-394A-11D3-B153-00C04F79FAA6}
Hkey_classes_root\EMediaCodec.Chl
Hkey_local_machine\software\microsoft\windows\currentversion\app paths\ecodec.exe.

Next, there is a new folder under C:\Programs called eMedia Codec and it has
one file in it, which is an Uninstal.exe.

I do not mess around in the registry at all, it's all 'look but don't touch'
to me.
Anyone know if I am okay to do a Remove from add\rem? or will this
fire up an .exe somewhere else on my comp.
(At Symantec's site, they tell me that all sorts of other files have placed
themselves on my comp', but I'm really not sure.)
Gekko


  #7  
Old June 9th 06, 01:59 PM posted to microsoft.public.win98.gen_discussion

Gekko wrote:
Thanks Brian,
I went to all three links; the first two were the same page
and the third gave a little bit of info.
Thing is, the first two are assuming I have Symantec installed, and
they tell what to do regarding using their product, and the third
says nothing about removal of the trojan.
My antiV is Avast.

Any ideas on how to get rid of it Brian?


Since your AV program finds it, why not let it remove it?

--

dadiOH
____________________________

dadiOH's dandies v3.06...
....a help file of info about MP3s, recording from
LP/cassette and tips & tricks on this and that.
Get it at http://mysite.verizon.net/xico



  #8  
Old June 10th 06, 12:37 PM posted to microsoft.public.win98.gen_discussion

Since your AV program finds it, why not let it remove it?

dadiOH
____________________________


because it only recognised a small part of it.
Gekko


  #9  
Old June 11th 06, 12:27 AM posted to microsoft.public.win98.gen_discussion

On Sat, 10 Jun 2006 21:07:49 +0930, "Gekko" put
finger to keyboard and composed:

Since your AV program finds it, why not let it remove it?


dadiOH
____________________________


because it only recognised a small part of it.
Gekko


As long as that small part includes all the executables, then I don't
see the problem. At worst you will end up with orphaned registry
entries or superfluous folders.

I would read the technical discussions for each of the viral entities
identified in Brian's post and then remove those things added by them.

http://securityresponse.symantec.com...n.emcodec.html

Delete these files:

%Program files%\eMedia Codec\ecodec.exe
%Program files%\eMedia Codec\uninst.exe
%System%\dfrgsrv.exe

Using regedit.exe, navigate to the subkey:

HKEY_CLASSES_ROOT\EMediaCodec.Chl\CLSID

In the right pane, delete the value:

"" = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"


Navigate to and delete the following subkeys:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eMedia Codec
HKEY_CLASSES_ROOT\EMediaCodec.Chl

http://securityresponse.symantec.com...an.zlob.j.html

Delete this file:

%System%\dfrgsrv.exe

In the registry, navigate to the subkey:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

In the right pane, delete the value:

"wininet.dll" = "dfrgsrv.exe"

http://www.sophos.com/virusinfo/anal...rojzlobcp.html

Delete this file:

System\ncompat.tlb

In the registry, navigate to the subkey:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

In the right pane, delete the value:

kernel32.dll pathname of the Trojan executable


If the files or registry keys differ between Win9x and other Windows
versions, then I would search the registry or hard drive for the
respective files and registry data.

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.
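
One way to confirm after cleanup that the registry entries listed in this thread are gone, as an added example that is not part of any poster's message: scan a text export of the registry (the REGEDIT4 format written by Win9x regedit) for the keys and Run values named above. The sample export, the placeholder kernel32.dll path and the function names are constructed for this example; the CLSID key itself is left out of the list because the steps above only remove the EMediaCodec.Chl reference to it.

```python
import re

# Keys and Run values named in the thread's removal steps (matched case-insensitively).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run"
SUSPECT_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eMedia Codec",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ecodec.exe",
    r"HKEY_CLASSES_ROOT\EMediaCodec.Chl",
]
SUSPECT_RUN_VALUES = ["wininet.dll", "kernel32.dll"]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

# Constructed sample export; the kernel32.dll path is a placeholder.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"wininet.dll"="dfrgsrv.exe"
"kernel32.dll"="C:\\WINDOWS\\SYSTEM\\placeholder.exe"

[HKEY_CLASSES_ROOT\EMediaCodec.Chl\CLSID]
@="{6BF52A52-394A-11D3-B153-00C04F79FAA6}"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''

def _unquote(s):
    """Strip the quotes of a .reg string value and undo its backslash escapes."""
    quoted = len(s) >= 2 and s[0] == s[-1] == '"'
    return re.sub(r"\\(.)", r"\1", s[1:-1]) if quoted else s  # dword:/hex: kept as written

def parse_reg_export(text):
    """Return {lower-cased key path: {lower-cased value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else _unquote(m.group(1))  # "" is the default value
            current[name.lower()] = _unquote(m.group(2))
    return keys

def find_leftovers(keys):
    """List the thread's keys and Run values still present in the export."""
    run = keys.get(RUN_KEY.lower(), {})
    found = [f"run value {n} = {run[n]}" for n in SUSPECT_RUN_VALUES if n in run]
    for prefix in (k.lower() for k in SUSPECT_KEYS):
        found += [f"key {k}" for k in keys if k == prefix or k.startswith(prefix + "\\")]
    return sorted(found)
```

An empty list from `find_leftovers(parse_reg_export(text))` means none of the listed entries remain in that export; it says nothing about files on disk.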
  #10  
Old June 11th 06, 01:15 AM posted to microsoft.public.win98.gen_discussion

Without repeating what others mention. Although if you are working on it with help
from a nasties forum, continue along with them and: What Franc said!

--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375

All times are GMT +1.