Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

mezziacodec.chl problem

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

mezziacodec.chl problem

Unread postby kerol » November 10th, 2006, 2:57 pm

Hi, i have spybot S&D, ad-aware se, spywareblaster, spywareguard and bidefender v10 installed.
i ran scans and detected that trojan name AstaKiller in spybot and bitdefender.

scan results from spybot:

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

AstaKiller: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\MezziaCodec.Chl

AstaKiller: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

scan results from bitdefender:

<System>=>HKEY_CLASSES_ROOT\MEZZIACODEC.CHL Detected: Trojan.Nebuler-G
<System>=>HKEY_CLASSES_ROOT\MEZZIACODEC.CHL Deleted
<System> Update failed

so both detected mezziacodec.chl. when i fix using spybot, mce showed an error 'specified cast is not valid' when i try to play music or video. after recover the registry, mce is good. (i'm using windows xp media center edition)

bitdefender failed to repair. i am new here.

could someone guide me.

thanks a lot.
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm
Advertisement
Register to Remove

hijackthis log

Unread postby kerol » November 10th, 2006, 4:05 pm

Logfile of HijackThis v1.99.1
Scan saved at 4:00:11 AM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Linksys Cordless Internet Telephony Kit.lnk = C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

HELP PLEASE.........

Unread postby kerol » November 14th, 2006, 11:53 am

hello.. just could anyone help me.

sorry for the impatient.
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

Unread postby Mr_JAk3 » November 15th, 2006, 6:49 am

Hi kerol and welcome to Malware Removal Forums :)

Sorry for the delay. You posted twice to your topic so helpers searching for 0 reply topics missed your topic...

What is the current state of the SpyBot S&D findings ?
Have you restored those ?

I'm thinking that this might be a false positive from Spybot S&D :
Code: Select all
AstaKiller: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}


You seem to have disabled some of the startups. I need to see what is disabled in case there is some malware lurking there...

Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox to Notepad.
Go to the menu at the top of the Notepad file and Save as:
  • Name the file peek.bat
  • Save as Type: All files
  • Select the desktop icon on the left to save it on the desktop.

Double click on peek.bat and let it run.
When finished it will open a file in Notepad.
That file will be named startup.txt
Please post the contents of startup.txt into your next reply here.

if not exist Files MkDir Files

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
type peek1.txt >> startup.txt
type peek2.txt >> startup.txt
del peek*.txt
start notepad startup.txt

Copy files\*.txt = startup.txt
rmdir /s /q files
Start Notepad startup.txt


Also post a fresh HijackThis log.
User avatar
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Unread postby kerol » November 22nd, 2006, 10:11 pm

Thanks a lot for helping me. This is the startup.txt.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BigDog303]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VM303_STI"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSI Live]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SetWallpaper"
"hkey"="HKLM"
"command"="C:\\Program Files\\MSI\\MSI Live\\SetWallpaper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime Alternative\\qttask.exe\" -atboottime"
"inimapping"="0"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

Unread postby kerol » November 22nd, 2006, 10:16 pm

so, there is no problem relating with the mezziacodec.chl. Both SSD and BitDefender found it.

Just glad you want to help me. Thanks a lot
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

Unread postby Mr_JAk3 » November 23rd, 2006, 2:28 am

Hi again :)

The following is a verified false positive from Spybot S&D (It shouldn't have been removed)
Code: Select all
AstaKiller: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}


So if you have the entry in quarantine at the moment, restore it. Then update the latest definitions to Spybot S&D, the entry shouldn't be flagged again.

Your HijackThis log looks good but there is this one thing that I want to point out...

The unregistered version of FlashGet serves up Ads in Internet Explorer that are downloaded from Cydoor servers. I would suggest removing it if it is this version. The registered version supposedly does not... so it should be ok. You can find safer alternatives. Please uninstall FlashGet in the Control Panel /Add Remove programs.

Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit. It will automatically restart at next boot. (otherwise it may interfere with our cleaning process)

These are the items to fix in HijackThis.

O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm


This is the folder to remove - C:\Program Files\FlashGet

==========

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Let me also know how the computer is running :D
User avatar
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

kapersky scan report

Unread postby kerol » November 23rd, 2006, 11:16 am

Hi again.

I already remove the flashget and the flashget folder.
When you said fix items in HijackThis, do you mean fix the selected items using the HijackThis, or simply remove the flashget folder.

And this is the Kapersky scan report.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 23, 2006 11:10:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 23/11/2006
Kaspersky Anti-Virus database records: 244818
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 45256
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:27:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Mozilla\Firefox\Profiles\mq8bvv1z.default\cert8.db Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Mozilla\Firefox\Profiles\mq8bvv1z.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Mozilla\Firefox\Profiles\mq8bvv1z.default\history.dat Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Mozilla\Firefox\Profiles\mq8bvv1z.default\key3.db Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Mozilla\Firefox\Profiles\mq8bvv1z.default\parent.lock Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Mozilla\Firefox\Profiles\mq8bvv1z.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Mozilla\Firefox\Profiles\mq8bvv1z.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Skype\umah.mohd.nor\call256.dbb Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Skype\umah.mohd.nor\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Skype\umah.mohd.nor\chat512.dbb Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Skype\umah.mohd.nor\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Skype\umah.mohd.nor\index2.dat Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Skype\umah.mohd.nor\profile16384.dbb Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Skype\umah.mohd.nor\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Skype\umah.mohd.nor\user1024.dbb Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Application Data\Skype\umah.mohd.nor\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Application Data\Mozilla\Firefox\Profiles\mq8bvv1z.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Application Data\Mozilla\Firefox\Profiles\mq8bvv1z.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Application Data\Mozilla\Firefox\Profiles\mq8bvv1z.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Application Data\Mozilla\Firefox\Profiles\mq8bvv1z.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\History\History.IE5\MSHist012006112320061124\index.dat Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Temp\Perflib_Perfdata_19c.dat Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Temp\Perflib_Perfdata_fb0.dat Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Temp\~DF273.tmp Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Temp\~DF9DE3.tmp Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Temp\~DFF7E5.tmp Object is locked skipped
C:\Documents and Settings\Mohd Khairul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mohd Khairul\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mohd Khairul\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6CDA4837-37D1-47D8-A8BC-DC3B8248ECC2}\RP34\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{07E94163-DB21-4F49-BFF2-58E818C5DBF5}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{57AC998A-7D83-4C9F-8F89-12F16F0FD766}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\tmp0000158a\tmp00000000 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Recorded TV\TempRec\TempSBE\MSDVRMM_841055089_131072_1034 Object is locked skipped
D:\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
D:\Recorded TV\TempRec\{1D93A7F4-0218-4EDD-836F-7F4EA192D69D}.TmpSBE Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{6CDA4837-37D1-47D8-A8BC-DC3B8248ECC2}\RP34\change.log Object is locked skipped

Scan process completed.


I would like to thank you again for guiding me through this. Thanks a lot.
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

Unread postby Mr_JAk3 » November 23rd, 2006, 3:27 pm

Hi again, looks good now :)

Sorry for the inconvenience. So you have now removed Flashget and it's folder. There might be some leftovers so run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. You have to disable SpywareGuard from it's icon before fixing any items. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm


Seems to me that your BitDefender doesn't include a firewall. You don't seem to a firewall running, you must install one firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.


These are good (free) firewalls:Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
  • Clear your system restore
    This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  • Use ATF Cleaner
    Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  • Use Ad-Aware
    Download and install Ad-Aware. Update it and scan your computer regularly with it.
  • Use AVG Anti-Spyware
    Update it and scan your computer regularly with it.
  • Use Spybot S&D
    Download and install Spybot S&D. Update it and scan your computer regularly with it.
  • Install SpywareBlaster
    SpywareBlaster will prevent spyware from being installed.
  • Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.
  • Use Firefox browser
    Firefox is faster, safer and better browser than Internet Explorer.
  • Keep your systen up-to-date
    Visit Windows Update regularly.
  • Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.
  • Read this article by TonyKlein
    So how did I get infected in the first place?
  • Stand Up and Be Counted !
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe ;)
User avatar
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

is system all clean?

Unread postby kerol » November 24th, 2006, 6:06 am

I followed all the instructions and installed all the recommended softwares.
I checked for update in SSD, but no update available. When i ran a scan in SSD again, the astakiller threat still exist.

What should I do.

Would you mind take a look this new HijackThis log.

Thanks a lot.


Logfile of HijackThis v1.99.1
Scan saved at 6:03:03 PM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Linksys Cordless Internet Telephony Kit.lnk = C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

Unread postby Mr_JAk3 » November 24th, 2006, 7:22 am

Hi again :)

I assume that Spybot found this particular entry:
Code: Select all
AstaKiller: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}

Just ignore that Spybot finding for now. It should be fixed in the following update...

Your HijackThis log looks clean :)
User avatar
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

MILLIONS THANKS

Unread postby kerol » November 24th, 2006, 11:22 am

Thanks, and thanks a lot. I just don't know what else to say. Thank you very much.

So, the problem already solved,or there still other cleaning step that I need to do.

I wish I could be like you help others. Could you please tell me how you learn to fix all the problems. I'm really interested in learning it.

Thanks again.
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

Unread postby Mr_JAk3 » November 24th, 2006, 3:26 pm

You're very welcome :)
Yes, we're ready now...

Nice to hear that you're interested in learning to help others. I can't solve every problem :D
Here are instructions how to enroll in the Malware Removal University
User avatar
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

MVPS Hosts file - need help

Unread postby kerol » November 24th, 2006, 3:27 pm

Hi again.

I forgot to ask. The MVPS Hosts file that you recommend to have, do I need to update it. I think it need to be updated, and doing it is by downloading the new version of the host file. Am I correct?

If it is need to be updated, could you tell me how?

Thanks a lot
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

Unread postby Mr_JAk3 » November 24th, 2006, 4:19 pm

Hi again and yes, you need to keep the hosts file updated.

The easy way is to just download and extract the latest version of hosts.zip file to your desktop. Then just run the mvps.bat file and it will replace the old hosts file with the new one.

There are also tools for managing hosts file, eg Hostsman is a very easy to use tool...
User avatar
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 365 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware