I had a scare today with some trogans one was called Trojan.Wincod and also had

this “personal antivirus” program that got in my PC. I search avast’s knowledge base and

nothing came up. All this happened with Avast running! How can this happen? :-[

It’s a rogue antivirus.

I suggest MBAM or SuperAntiSpyware Free.

Check for out of date and insecure software on your computer that can allow “drive-by” infections of your computer by malware.

Secunia Online Software Inspector (OSI)
Secunia Personal Software Inspector (PSI)

I was wondering why didn’t Avast catch this?

Because there are multiple variants and usually it in itself isn’t doing anything other than flash up bogus virus alerts, to try and get you to visit a site (mistake if you do) and run a scan where they will most certainly try to get you to pay for removal, etc. This could put you are risk of credit card/identity fraud also.

There is no standardisation in malware naming so it is not certain that all would call this the same.

What detected the fact that this was on your system ?
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

Before removal:
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Thanks for your help…I used system restore to get things back to normal. I’ll see if I

can get a copy of that to Avast. I know for sure it was callen “personal antivirus” and it acted

like a virus removal program.

Hi alleneschell,

Trojan Wincod is a Trojan that sneaks through your system’s backdoor to infect your PC. How does Trojan Wincod get in? Trojan Wincod masks itself as a video codec you need. If you have Trojan Wincod, you’ll see this Trojan Wincod popup:

ERROR. Fatal Error! The media system on your computer is corrupt. Update your video codec immediately to resolve this issue.

You need this “video codec” like you need scamware on your PC. Which is fitting, because if you download this “video codec,” you’ll be taken to WinCoDecPRO.com to buy fake anti-spyware. Which is great, if you want to blow dough, but you’d better do that in a casino than in this case.

Before you get started, you should backup your system and your registry, so it’ll be easy to restore your computer if anything goes wrong. Re: http://support.microsoft.com/kb/322756

Disable system restore while cleansing a trojan and then enable again system restore: http://www.pchell.com/virus/systemrestore.shtml

To remove Trojan Wincod manually, you need to delete Trojan Wincod files.
Get rid of Trojan Wincod registry values, delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”WmpTray” = “[PATH TO TROJAN]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\”Debugger” = “http://wincodecpro.com/purchase.php?id=2″
HKEY_LOCAL_MACHINE\SOFTWARE\GenericMultiMedia\WinCoDecPRO\”countr” = “[NUMBER OF TIMES TROJAN HAS EXECUTED]”
HKEY_LOCAL_MACHINE\SOFTWARE\GenericMultiMedia
HKEY_LOCAL_MACHINE\SOFTWARE\GenericMultiMedia\WinCoDecPRO

Note: In any Trojan Wincod files I mention above, “%UserProfile%” is a variable referring to your current user’s profile folder. If you’re using Windows NT/2000/XP, by default this is “C:\Documents and Settings[CURRENT USER]” (e.g., “C:\Documents and Settings\AlleneSchell”)

How to delete Trojan Wincod files in Windows XP and Vista:

1. Click your Windows Start menu, and then click “Search.”
2. A speech bubble will pop up asking you, “What do you want to search for?” Click “All files and folders.”
3. Type a Trojan Wincod file in the search box, and select “Local Hard Drives.”
4. Click “Search.” Once the file is found, delete it.

How to stop Trojan Wincod processes:

1. Click the Start menu, select Run.
2. Type taskmgr.exe into the the Run command box, and click “OK.” You can also launch the Task Manager by pressing keys CTRL + Shift + ESC.
3. Click Processes tab, and find Trojan Wincod processes.
4. Once you’ve found the Trojan Wincod processes, right-click them and select “End Process” to kill Trojan Wincod.

How to remove Trojan Wincod registry keys:

Trojan Wincod warning Because your registry is such a key piece of your Windows system, you should always backup your registry before you edit it. Editing your registry can be intimidating if you’re not a computer expert, and when you change or a delete a critical registry key or value, there’s a chance you may need to reinstall your entire system. Make sure your backup your registry before editing it. And do it from a list that you have printed out in advance and follow that instruction to the dot. In that case not much should go wrong.

1. Select your Windows menu “Start,” and click “Run.” An “Open” field will appear. Type “regedit” and click “OK” to open up your Registry Editor.
2. Registry Editor will open as a window with two panes. The left side Registry Editor’s window lets you select various registry keys, and the right side displays the registry values of the registry key you select.
3. To find a registry key, such as any Trojan Wincod registry keys, select “Edit,” then select “Find,” and in the search bar type any of Trojan Wincod’s registry keys.
4. As soon as Trojan Wincod registry key appears, you can delete the Trojan Wincod registry key by right-clicking it and selecting “Modify,” then clicking “Delete.”

How to delete Trojan Wincod DLL files:

1. First locate Trojan Wincod DLL files you want to delete. Open your Windows Start menu, then click “Run.” Type “cmd” in Run, and click “OK.”
2. To change your current directory, type “cd” in the command box, press your “Space” key, and enter the full directory where the Trojan Wincod DLL file is located. If you’re not sure if the Trojan Wincod DLL file is located in a particular directory, enter “dir” in the command box to display a directory’s contents. To go one directory back, enter “cd …” in the command box and press “Enter.”
3. When you’ve located the Trojan Wincod DLL file you want to remove, type “regsvr32 /u SampleDLLName.dll” (e.g., “regsvr32 /u jl27script.dll”) and press your “Enter” key.

That’s it. If you want to restore any Trojan Wincod DLL file you removed, type “regsvr32 DLLJustDeleted.dll” (e.g., “regsvr32 jl27script.dll”) into your command box, and press your “Enter” key.

Did Trojan Wincod change your homepage?

1. Click Windows Start menu > Control Panel > Internet Options.
2. Under Home Page, select the General > Use Default.
3. Type in the URL you want as your home page (e.g., “http://www.homepage.com”).
4. Select Apply > OK.
5. You’ll want to open a fresh web page and then make sure that your new default home page pops up.

Use recuva file restore from here: http://www.recuva.com/download to restore eventually lost files through the workings of trojan.wincod,

That is all,

polonus

You’re welcome.

What security application first detected it though ?

I’m not sure, it was probably that rouge anti virus, my son was on youtube and I
was asleep and I got up to see this warning. I freaked and did system restore, it
seems to be fine now.

OK so this is just the fake alerts that I mentioned, I though that another program had notified you of this.

MBAM ans SAS as suggested should hopefully find and dispose of this rogue.

Because it’s a lack of detection… hope avast improve this particular one.
Sometimes, MBAM is better on detection and removing rogue programs.

would MBAM work even though I’ve used system restore?

Depends… it will work but, maybe, it does not detect the infected file anymore.
Update your MBAM and run a full scanning to check.

Update your MBAM and run a full scanning to check

BINGO I got the little sucker!! Thanks so much for your help ;D

You’re welcome. If you want to help me, don’t thank me, just sign up & use (sign up only is not enough) Mozy to get 2,200 Mb for free remote backup system. Enjoy its safety!