
All Media Systems on Your Computer Have Been Crashed

February 19th, 2009

If in your travels around the web you pick up some kind of virus or whatnot that swaps your desktop image for the image to the left and then continually warns you that your a/v codecs are corrupted, don’t believe it! It’s a total scam! In most cases the “Update Now” is a hyperlink to a web site trying to sell you some kind of “security” software (currently one of the sites is wincodecpro.com). Don’t give them your credit card info or anything like that. IT’S A SCAM! Instead, enjoy the next many hours undoing all the things their little program does to your system. Here are my findings that should assist you in recovering:

1) Look for any new folders in your ‘Program Files’ directory (such as one called Media System) and delete them. Warning: be sure the folder is not part of a program that you want! What you should find in this folder are three files: a) a .gif file; b) an .html file; and c) an .exe file (likely named wmptray.exe). Open the .gif and .html files and see what they are. You should be able to tell if they are legit or not.

2) Do an anti-virus scan and a malware/adware scan. Install a firewall (e.g. ZoneAlarm) and do not allow wmptray.exe to access any websites other than something at microsoft.com!

3) Your ‘Task Manager’ may get disabled, so you will likely have to use a program like the Eusing Free Registry Cleaner to view your startup programs. Again, look for the entry C:\Program Files\Media System\wmptray.exe and disable it. As far as getting your ‘Task Manager’ back? I haven’t figured it out quite yet, so if you have any knowledge please post a reply to help me and others who fall into this trap.

Good luck.

  1. Dr.C!
    February 22nd, 2009 at 15:09 | #1

    Oh, and don’t worry about your codecs; they’re fine. Just check your system volume if you’ve noticed any change in audio output. In the event that your codecs are corrupted go to a legit site like microsoft.com, cnet.com, zdnet.com, or any of those major players for direct and reputable links to a/v codecs.

  2. trschick
    March 3rd, 2009 at 15:00 | #2

    ran across your blog – after this showed up on my Dad’s PC…

    the trick for taskmanager is to remove the registry setting this thing installs:
    http://www.threatexpert.com/report.aspx?md5=6f13e94dd639c06dde1bfb70fa938a60

    fyi:
    I used msconfig to remove wmptray from startup – but it tries to re-add… I already had spybot with teatimer enabled – so I could deny the attempts to re-add

  3. Dr.C!
    March 4th, 2009 at 11:07 | #3

    cheers, trschick. thanks for the link and info!

  4. Anonymous
    April 9th, 2009 at 01:44 | #4

    I have a trojan on my machine that looks and acts like the one described above but there is no “wmptray” or any of the registry keys mentioned in threatexpert.com.

    One of the files associated with the virus is ..\Program Files\CA\eTrustITM\norealmon.exe. Removing that file from startup and then deleting it has not removed the virus though, so I’m still investigating…

  5. Anonymous
    April 9th, 2009 at 02:26 | #5

    OK, so I seem to have full functionality restored. There must be some junk left on my PC but it’s not visible if so.
    So, if you have my variant of the virus just:

    1. Remove “norealmon.exe” from startup by deleting the norealmon key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

    2. To get taskmanager back delete the Debugger key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe.

    3. To be able to change your wallpaper again follow the instructions at http://www.tomshardware.co.uk/forum/page-81426_35_0.html

    4. Restart Windows and delete Program Files\CA\eTrustITM\norealmon.exe
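
The registry checks from the post and from comments #2 and #5, as an added example (not code from the post or its commenters): a Python audit of `reg export` text for the two persistence points named above. It goes a little further than the comments by flagging a Debugger value under any Image File Execution Options subkey, not only taskmgr.exe. It assumes the export has already been decoded to text; the sample data and the Debugger placeholder are constructed.

```python
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KNOWN_BAD = ("wmptray.exe", "norealmon.exe")  # executables named on this page
# One string value line of a .reg export: "name"="data", backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not from an infected machine). The Debugger data
# is a placeholder; the page does not say what the malware writes there.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"norealmon"="C:\\Program Files\\CA\\eTrustITM\\norealmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"="1"
'''

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield (key, *(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))

def audit(text):
    """Return (kind, name, data) findings for the two persistence points."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        # A Debugger value makes Windows start that program instead of the target.
        if k.startswith(IFEO.lower() + "\\") and name.lower() == "debugger":
            findings.append(("ifeo-debugger", key.rsplit("\\", 1)[1], data))
        # Startup entries that point at an executable named on this page.
        elif k == RUN.lower() and any(b in data.lower() for b in KNOWN_BAD):
            findings.append(("run-entry", name, data))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A legitimate debugging setup can also set a Debugger value, so treat each finding as something to review before deleting it.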
