Needing help with this ASAP

totalcompdummy · Dec 31, 2006

I have found the following on my comp & can't get rid of them.
What can I do (without reinstiling my windows to get rid of them?)

I have:
Emcodec is a Downloader Trojan
MediaCodec This is a trojan downloader.

I have Avast instilled along with ParetoLogic

I have done a 'boot scan' with Avast & have done a scan with ParetoLogic. I did have 4 threats until I did a scan with ParetoLogic & then did a boot scan with Avast.

That clean up 2 of them but am stuck with what to do with the remaining too. Anyone able to help me out?

chaslang · Dec 31, 2006

Welcome to Majorgeeks!

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

How are things working now?

totalcompdummy · Dec 31, 2006

Hi yea

Here is the Notepad thing that came up.
You asked me to post it, so here it is.

SmitFraudFix v2.132

Scan done at 8:54:13.04, Mon 01/01/2007
Run from C:\Documents and Settings\Penny\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\cthkpcv.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Penny

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Penny\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\Penny\STARTM~1\Programs\Key Generator FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Penny\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Key Generator\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

If possible can you explain the above in English for me?

totalcompdummy · Dec 31, 2006

chaslang thanks for your help.

I managed to get rid all everything including a couple of minor addware things with the program that you gave me.

I think I will keep it & use when I both my anti virus software's can't remove things.

chaslang · Dec 31, 2006

Please remember that logs need to be attachments to messages! They should not be posted inline like you did.

Also you only posted the first rapport.txt log. You need to attach the second which shows what it fixed.

totalcompdummy said: ↑

I think I will keep it & use when I both my anti virus software's can't remove things.
Click to expand...

It is not a virus scanning program. It is only a tool designed to remove specific problems which are grouped into a family called SmitFraud. In additon the tool changes rapidly, sometime 5 times in a week. Thus you must always check for the current version before using. Also it is not a tool to use when you don't have a SmitFraud infection because it will remove your Desktop Wallpaper and change some other settings.

totalcompdummy · Dec 31, 2006

Sorry about the muck up with the thing that I did.

Is there a way for me to tell if the virus or whatever is comes under the ones that will be fixed by the program?

Do I just search for & then down load the tool when needed.

I will attach the file that shows everything is fine (or so I hope).

As I said I did a scan afterwards (the second safe mode) attempt. And nothing came up.

Anyway here is the file that I saved for you.
See I am a total dummy (when it comes to attaching things in here)

Hopefully that worked. I know who to do attachments in emails & things like that. So I am guessing what I did worked.

chaslang · Jan 2, 2007

totalcompdummy said: ↑

Is there a way for me to tell if the virus or whatever is comes under the ones that will be fixed by the program?
Click to expand...

Not really! It is a specialty tool and not a virus scanner.

totalcompdummy said: ↑

Do I just search for & then down load the tool when needed.
Click to expand...

You should only download and use this tool when recommended by an expert in a forum like this. It should not just be run for the heck of it or just as a guess at what is wrong.

totalcompdummy said: ↑

I will attach the file that shows everything is fine (or so I hope).
Click to expand...

All the log shows is what the tool found and fixed. It is not a complete malware scanning and detection tool. As I said before it was designed for a special set of problems all related to the SmitFraud family of infections. If you want to know if you PC is free from malware you would need to do the below standard cleaning procedure we use.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

CounterSpy

AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy

Bitdefender - from step 6

Panda Scan - from step 6

runkeys.txt - the log from GetRunKey.bat

newfiles.txt - the log from ShowNew.bat

HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
Click to expand...

Log in or Sign up

Needing help with this ASAP

totalcompdummy Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

totalcompdummy Private E-2

totalcompdummy Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

totalcompdummy Private E-2

Attached Files:

rapport after clean.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member