Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

mezziacodec.chl problem

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Thanks

Unread postby kerol » November 24th, 2006, 5:29 pm

Thanks for the great help and those emoticons.http://www.malwareremoval.com/forum/:D
Very Happy
Make me happy learning from you.

Thanks again
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm
Advertisement
Register to Remove

Unread postby Mr_JAk3 » November 25th, 2006, 4:30 am

You're very welcome, nice that we were able to help :D
User avatar
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Unread postby NonSuch » November 25th, 2006, 7:25 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

Unread postby ChrisRLG » November 26th, 2006, 3:46 pm

Topic re-opened on email request.

Please post a fresh HJT log for the helper to check.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby kerol » November 27th, 2006, 1:18 am

Sorry for reopening this thread. I thougth after updating the SSD everything will be fine.

I already updated the SSD, but after I ran a scan, SSD still give me warning of possible threat of AstaKiller.

When I ran a scan with BitDefender 10, it shows same result.

Scan result from BitDefender 10:

<System>=>HKEY_CLASSES_ROOT\MEZZIACODEC.CHL Detected: Trojan.Nebuler-G
<System>=>HKEY_CLASSES_ROOT\MEZZIACODEC.CHL Deleted
<System> Update failed

Scan result from SSD

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

AstaKiller: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\MezziaCodec.Chl


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-09-11 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-11-24 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-11-24 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-11-24 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-11-24 Includes\KeyloggersC.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-11-24 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-11-24 Includes\PUPSC.sbi (*)
2006-11-24 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-11-24 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-11-24 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-11-24 Includes\Trojans.sbi (*)
2006-11-24 Includes\TrojansC.sbi (*)


So, I'm quite confused. If the AstaKiller is false warning, why the BitDefender show the same result.
Is the Bitdefender also shows a false warning.

I ran scans with Ad-Aware SE Personal and AVG Anti-Spyware and both show no infections - system is clean.

Could you clear me on this. It scared seeing warning of possible threats.

Thanks a lot
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

HijackThis log

Unread postby kerol » November 27th, 2006, 1:23 am

The HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:21:25 PM, on 11/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Linksys Cordless Internet Telephony Kit.lnk = C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

Unread postby Mr_JAk3 » November 27th, 2006, 3:46 am

Hi again Kerol :)

Ok there has been a small misunderstanding...

The following is a real recognition that you should Fix using Spybot S&D:

AstaKiller: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\MezziaCodec.Chl


The following was the false positive that was fixed to the database:

AstaKiller: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6BF52A52-394A-11D3-B153-00C04F79FAA6}


So fix the Spybot finding and restart the computer. Scan again with Spybot S&D, the AstaKiller entry shouldn't be found anymore.

Please let me know how it went :D
User avatar
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Thanks

Unread postby kerol » November 27th, 2006, 5:12 am

I ran a scan with SSD, found AstaKiller, and fix it. Restart my computer, and ran another scan. AstaKiller does not appear.

Before this, I've tried fix the AstaKiller entry, and when I tried to play my music and video file in MCE, warning "specified cast is not valid". I couldn't play music and video file.
So, I thought the same result would occur if I fix it. But it didn't. The audio and video files successfully play. Great. Thanks a lot.

The SSD scan result.

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
http://www.tweakxp.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
tweakxp.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
http://www.flash.net=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
ask.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
http://www.ask.com=127.0.0.1

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---


As you can see, the AstaKiller has gone, but a new warning occurs, the Microsoft.Windows.RedirectedHosts

What is this, and what am I supposed to do.

Sorry for the problem and thanks again.
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

Re: Thanks

Unread postby Mr_JAk3 » November 27th, 2006, 5:36 am

Hi again :)

kerol wrote:and when I tried to play my music and video file in MCE, warning "specified cast is not valid". I couldn't play music and video file.
.

The legit entry (false positive) that was removed earlier and caused this. The entry you just removed was a baddie leftover so that is why videos are working now.

You installed HostsMan ? Then you used it's update feature and installed the MVPS Hosts and hpHosts. Spybot is now warning you that you have blocked the access to these certain sites (edited the hosts file). Sometimes malware programs do this. In your case, you can just ignore these entries because they're not bad. So just leave those alone, it is a sign that you have succesfully installed the ad blocking hosts file :)

Then this:
Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

The firewall notification feature has been disabled. IF you want windows to monitor your firewall's state, you may fix this entry with Spybot S&D.

Please ask me if you got any questions...

You're looking clean :)
User avatar
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Thanks again

Unread postby kerol » November 27th, 2006, 5:51 am

Hi again,

Yes I installed Hostman like your recommendation. So, the warning is caused by Hostman. I thought so. :D

So, there shouldn't be any errors occur and I can safely remove the AstaKiller from the recovery in SSD.

Do I need to clear all system restore previous checkpoints, or am I perfectly clean.

Thanks
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

Unread postby Mr_JAk3 » November 27th, 2006, 8:35 am

Hello :)

So, there shouldn't be any errors occur and I can safely remove the AstaKiller from the recovery in SSD.

Yes you can clean the recovery section if everything is working fine...

Do I need to clear all system restore previous checkpoints, or am I perfectly clean.

The AstaKiller entry was backed up with the registry so yes, you should clear the restore points and create a fresh one :)
User avatar
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Thanks

Unread postby kerol » November 27th, 2006, 3:38 pm

Alright, all system restore checkpoints cleared.

Thanks a lot. See ya. :)
kerol
Regular Member
 
Posts: 16
Joined: November 10th, 2006, 1:38 pm

Unread postby Mr_JAk3 » November 28th, 2006, 12:55 am

You're very welcome :)

And welcome to the University, see ya ! :D
User avatar
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Unread postby NonSuch » November 28th, 2006, 1:06 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 482 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware