My PC is infected by printer.exe and possibly ultimate defender



ineedhelp2008
23-12-2007, 01:37 PM
There is a little yellow warning triangle that keeps saying:
Windows antivirus.

Windows has detected spyware infection!
It is recomended to use special antispyware tools to prevent data loss. Windows will now download and install te most up-to-date antispyware for you

Click here to protect your computer from spyware!

I found C:\window\shell.exe, printer.exe, autorun.exe, wowfx.dll, findfast.exe.
I think this thing is the same as http://forums.pcworld.co.nz/showthread.php?t=85689

But the solution in that post does not help, and my case is a little different.
I can use regedit and Task Manager, but not Control Panel.
Trojan horse indicates that my Task Manager, regedit, and Control Panel are disabled in the registry. It said it fixed it, but the same problem appears when I scan again.

TeaTimer finds a process constantly trying to change my Internet start page every second.

Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:37 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Acer\Empowering Technology\ePower\ePower_DMC .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\VM_STI .EXE
D:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\LAUNCH~1\LManager .exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Acer\Empowering Technology\eRecovery\Monitor .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\LAPYIN~1\LOCALS~1\Temp\RtkBtMnt.exe
D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast .exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg/startpage.jsp?sn=LXAFL0J0486470AE621601
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\RunOnce: [Trojan Remover] "C:\Program Files\Trojan Remover\RMVTRJAN.EXE" /restart2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PcSync] D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: findfast.exe
O4 - Startup: findfast .exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12319 bytes


I checked geedd.exe, printer.exe, the 2 findfast.exe, spoolvs.exe, autorun.exe, wowfx.dll and hit "fix checked", but they keep coming back when I scan again.
Please help.
Thank you very much.
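
An added triage example, not part of the thread and not HijackThis's own code: a Python script that reads a HijackThis log like the one above and flags the entry types the replies go on to target (the Run/Startup entries, the O7 policy, the AppInit_DLLs hook, the win.ini load= line) together with the lookalike filenames visible in the log ('igfxpers .exe' running beside the real igfxpers.exe, 'spoolvs.exe' beside spoolsv.exe). The sample input is constructed from lines in the posted logs; the heuristics, severities and the list of core system binaries are the example's own assumptions.

```python
"""Triage a HijackThis log for the indicator patterns this thread discusses.

Read-only: parses log text, touches nothing. Heuristics (the example's own):
lookalike names (a space before the extension, or one edit away from a core
Windows binary), a core binary's name outside the Windows directory, seldom-
legitimate autostart hooks (win.ini load=, AppInit_DLLs, bare Startup entries)
and O7 policy values that disable the user's own tools."""
import re
from typing import List, Tuple

# Core Windows XP binaries whose names malware likes to imitate.
SYSTEM_BINARIES = {"smss", "csrss", "winlogon", "services", "lsass",
                   "svchost", "spoolsv", "explorer", "ctfmon", "rundll32"}

# Absolute path ending in .exe/.dll; group 2 captures a space before the dot.
ABS_RE = re.compile(r"([A-Za-z]:\\.*?)( ?)\.(exe|dll)\b", re.I)
# Fallback for entries that carry only a filename (O4 Startup lines).
BARE_RE = re.compile(r"(\S+?)( ?)\.(exe|dll)\b", re.I)

# Constructed sample: lines excerpted from the logs posted in this thread and
# normalised to HijackThis format (the lsass.exe path is from the ComboFix log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\lsass.exe
C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast .exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: findfast .exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insert, delete,
    substitute, or swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def extract_files(line: str) -> List[Tuple[str, str, bool, str]]:
    """Return (path, basename without extension, space_before_ext, ext) per file."""
    hits = list(ABS_RE.finditer(line)) or list(BARE_RE.finditer(line))
    return [(m.group(1), m.group(1).rsplit("\\", 1)[-1].lower(),
             bool(m.group(2)), m.group(3).lower()) for m in hits]


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Location-based indicators: the HijackThis section prefix says where it lives.
        if line.startswith("F3 ") and "load=" in line:
            findings.append(("high", "win.ini load= autostart, a legacy hook rarely used legitimately", line))
        elif line.startswith("O20 ") and "AppInit_DLLs" in line:
            findings.append(("high", "AppInit_DLLs loads this DLL into every process that uses user32", line))
        elif line.startswith("O7 ") and re.search(r"Disable\w+=1", line):
            findings.append(("high", "policy value disables one of the user's own troubleshooting tools", line))
        elif re.match(r"O4 - (Global )?Startup:", line):
            findings.append(("medium", "autostart from a Startup folder by bare filename", line))
        # Name-based indicators on every file the line references.
        for path, name, spaced, ext in extract_files(line):
            if spaced:
                findings.append(("high", f"'{name} .{ext}' imitates '{name}.{ext}' (space before extension)", line))
            if name in SYSTEM_BINARIES:
                if ":\\" in path and "\\windows\\" not in path.lower():
                    findings.append(("high", f"system binary name '{name}' outside the Windows directory", line))
            else:
                close = sorted(s for s in SYSTEM_BINARIES if osa_distance(name, s) == 1)
                if close:
                    findings.append(("high", f"'{name}' is one edit away from system binary '{close[0]}'", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it on a full log by passing the file contents to triage(); every legitimate entry in the sample (the Symantec service, the real igfxpers.exe Run key, ctfmon.exe) comes through with no finding.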

wainuitech
23-12-2007, 01:46 PM
Welcome to Press F1 - the log shows some infections.
"Windows will now download and install te most up-to-date antispyware for you" - DON'T DO THIS from the Windows prompt.

Download from my sig both Spyware Doctor & Spybot S&D, install both, run them. Go to Speedy's sig (http://pressf1.pcworld.co.nz/member.php?u=8532), download, update and run Trojan Remover.

Speedy is great at Hijack files, not too sure where he is at the moment, but he will be able to tell you what to delete better than me.

What antivirus do you run? According to the log files you have/had both Nortons and AVG??

Speedy Gonzales
23-12-2007, 01:47 PM
Get rid of Nortons, since you said it expired, in a PM.

Run HJT again, tick these entries, then tick Fix checked.

Close browser/s.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe

O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe

O4 - Startup: findfast.exe

O4 - Startup: findfast .exe

O4 - Global Startup: autorun.exe

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

Then click on the Open Misc Tools button / Delete a file on reboot in HJT.

Find and add wowfx.dll, spoolvs.exe, printer.exe to it.

Not sure if it adds more than 1 file or not, but add these. It may be one file at a time.

Then ok, then reboot. See what happens then.

wainuitech
23-12-2007, 01:51 PM
Ignore this post - Speedy lived up to his name :thumbs: :lol:

ineedhelp2008
23-12-2007, 02:27 PM
When I click Delete a file on reboot in HJT...
HJT just closes itself.

ineedhelp2008
23-12-2007, 02:31 PM
Hey... I just found the file that infected my computer. Would that help?
I mean the zip file that I opened and got the infection from... the virus exe file, would that help?

pctek
23-12-2007, 03:05 PM
Do what they told you, including getting Spybot and Spyware Doctor as shown in Wainuitech's signature.

bevy121
23-12-2007, 04:26 PM
If "delete on reboot" in HJT won't work for you, try booting in safe mode (F8) and see if you can delete them from there.

If you use "Search -> find all files/folders", make sure you have
"Search system folders" and "Search hidden files and folders" both activated.

Delete the ones Speedy said - wowfx.dll, spoolvs.exe, printer.exe

Also check there are none with these names, just in case - if there are, delete them too:

53261691.DAT
42836685.SVD
26235911.DAT
30074248.SVD
75547737.DLL

ineedhelp2008
23-12-2007, 06:02 PM
I have used all the software you guys asked me to use. And I ran an AVG 7.5 test and it removed some files.
Now my TeaTimer no longer indicates there is a program trying to change my Internet start page, but printer.exe, shell.exe, wowfx.dll, spoolvs.exe are still there.
And I still cannot click "Properties" of My Computer.
I tried to delete the files in safe mode... but they come back.
And to bevy121, I cannot find the files you said.

Speedy Gonzales
23-12-2007, 06:33 PM
Did you do this??

Then click on open the misc tools button / delete a file on reboot in HJT.

Find and add wowfx.dll, spoolvs.exe, printer.exe to it. Say Yes after you load all 3 files. Then it'll ask if you want to reboot. Reboot.

It doesn't sound like you did.

wainuitech
23-12-2007, 07:08 PM
Turn off System Restore as well: right-click My Computer > Properties > System Restore tab. Re-run the cleaners.

Restore may be putting the infections back when the PC reboots - it's nice like that sometimes :rolleyes:

Speedy Gonzales
23-12-2007, 07:13 PM
Turn off System Restore as well, right click My Computer>Properties> System Restore Tab. Re run the cleaners.

That's the main prob: he/she tried it, it didn't work.

From a PM earlier to me:

I lost my administrator password, the Windows XP boot CD and I cannot disable Windows System Restore

Thebananamonkey
23-12-2007, 07:19 PM
I had a stubborn infection a little while ago and Killbox sorted it out. I had to follow extensive online instructions to do it though, so I'm not about to give a run-through. Surely there should be some comprehensive guides on the net somewhere? Google?

Don't try using Killbox yourself though... dangerous app, that one. Especially in untrained (ie: my) hands. I'd probably say delete C:... that would solve your problem though... I believe that's the US military's top tactic though... see a bad guy (virus), level a suburb. Nice of me to bring politics into the forum huh?... anyway. GL

wainuitech
23-12-2007, 08:02 PM
That's the main prob: he/she tried it, it didn't work.

From a PM earlier to me:

I lost my administrator password, the Windows XP boot CD and I cannot disable Windows System Restore

Awhhhhh, in a PM - that's why I didn't see it in the posts :rolleyes: :lol:

Is it a limited account?

Speedy Gonzales
23-12-2007, 08:10 PM
Sent you a PM, WT.

He/she didn't say it was a limited account, just that he/she has lost the Admin password.

pctek
23-12-2007, 08:31 PM
Don't try using Killbox yourself though... dangerous app, that one. Especially in untrained (ie: my) hands.

Killbox is just the same as HJT's Delete on Reboot.

wainuitech
23-12-2007, 08:34 PM
Sent you a PM, WT.

He/she didn't say it was a limited account, just that he/she has lost the Admin password.
Got it, thanks Speedy - OK, since it looks like the Admin password needs to be entered, HERE (http://ophcrack.sourceforge.net/) is something that may work - then again it might not :p :nerd: I've had a 50/50 success rate with it. I personally have a program that can change the admin password - but that's no use here :mad:, so the above is worth a try; if you can get into safe mode via the admin account you can try to disable System Restore. I think that's half the problem: when rebooting, Restore puts back the bugs. The link above is a program that runs from a bootable CD - but it can take hours to run and may or may not show you all passwords. Download page (http://sourceforge.net/project/showfiles.php?group_id=133599&package_id=167699&release_id=537116) but it is a 455Mb ISO file.

Just a thought - download Nod32 Antivirus - Durhhh to me - Nod32 WILL get into Restore, many other AVs can't. It may just clean them. Nod Trial (http://www.eset.com/download/download_NT.php)

Speedy Gonzales
23-12-2007, 08:44 PM
This may disable System Restore (http://www.kellys-korner-xp.com/xp_restore.htm)

That's if you know what you're doing in the registry.

An alternative to the usual method of enabling and disabling Windows XP's System Restore feature is to use the registry. To use this alternative, perform the following steps: Start the registry editor (regedit.exe).

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore.

If a "DisableSR" value doesn't exist, go to the Edit menu, select New, DWORD value, and create the value.

Set the value to 1 to disable System Restore or 0 to enable System Restore.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr to prevent the System Restore service from starting.

Double-click Start, and set the value to 4 to stop the service from starting or to 0 for normal startup. Close the registry editor.

I think you can stop a service in a command prompt with net start (service), and net stop (service).

For instance, net stop wuauserv stops the Windows Update service; net start wuauserv restarts it.

net start in the command prompt shows a list of services you can start.

wainuitech
23-12-2007, 09:17 PM
Speedy - PM coming your way with a possible suggestion if the poster is not too happy about the reg.

drcspy
24-12-2007, 02:48 AM
Sounds like Smitfraud to me; get SmitRem and run it.

ineedhelp2008
24-12-2007, 07:18 AM
Thanks Speedy, that website helped a lot.
I disabled my System Restore and the files I delete stop coming back.
And I deleted spoolvs.exe, wowfx.dll, shell.exe, printer.exe
and I have access to "Control Panel" and the "Properties" of "My Computer".

But geedd.dll and geedd.exe are still there.
When I try to delete them in safe mode, it says geedd.dll is being used by another program (which I cannot find out what it is)
and geedd.exe keeps coming back right after I delete it.

And I found files like printer.exe.vir and spoolvs.exe.vir; the web says .vir means virus-infected file. Do I have to delete them too? Or are they just files of the antivirus?

Thank you all, I mean everyone

ineedhelp2008
24-12-2007, 07:19 AM
I really appreciate the help from all of you
Thank you all

Speedy Gonzales
24-12-2007, 07:31 AM
Good to hear !

If system restore is still disabled.

Find and delete printer.exe, spoolvs.exe, wowfx.dll.

If RogueRemover is still installed, run it again; update it first (there was an update last night), then scan.

It looks like geedd.dll belongs to Vundo, which is adware.

Get this (http://securityresponse.symantec.com/avcenter/FxVundoB.exe.)

Which is from here (http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-042913-5937-99)

This removal tool MUST be run in safe mode.

Also: If you are removing an infection from a network, first make sure that all the shares are disabled or set to Read Only.

Make sure system restore is still disabled.

And get this as well (http://securityresponse.symantec.com/avcenter/FixVundo.exe)

Follow the info from here (http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-112210-3747-99)

ineedhelp2008
24-12-2007, 07:32 AM
Oh... just found out another strange thing.
HijackThis finds
C:\windows\system32\wowfx.dll
But when I go to the directory in safe mode, I cannot find it (I looked at the hidden files as well).

Speedy Gonzales
24-12-2007, 07:38 AM
If you run HijackThis again and select the Delete file on reboot option and then Add, does wowfx.dll appear when you go to c:\windows\system32??

If it does add it, then say yes to reboot.

Speedy Gonzales
24-12-2007, 07:52 AM
And while you're at it, since System Restore is still disabled, boot into safe mode.

Log in (can you log in?).

Open My Computer / go to Tools / Folder Options / View.

Untick "Hide protected operating system files".

Right-click on the System Volume Information folder / Properties / Security tab.

(If the Security tab isn't there, untick "Use simple file sharing" (under Tools / Folder Options / View, down the bottom).)

Then click on Add (this is under the Security tab), type in the name that appears when you click on the Start menu (up the top), click on Check Names; if it's right it'll add the name.

Then OK. Tick everything under Allow. Then OK. Open the System Volume Information folder, and delete everything in it. If you've got more than 1 partition, or more than 1 hard drive, do the above for them as well.

Then reboot. And once you get rid of that wowfx.dll, geedd.dll and geedd.exe file, reverse what you did in the registry.

Or if right-clicking My Computer / going to the System Restore tab in normal Windows works, go that way.

ineedhelp2008
24-12-2007, 08:15 AM
I cannot use the "delete file on reboot" in HijackThis. When I click the button, it closes HijackThis automatically.

I have cleared all the files in System Volume Information.
wowfx.dll comes back when I delete it, and it says geedd.dll and geedd.exe are used by another program.

I used the Norton removal tools suggested by Speedy in safe mode. It says I am not infected. RogueRemover says I am clean.

But wowfx.dll, geedd.dll, geedd.exe are still there.

Speedy Gonzales
24-12-2007, 08:18 AM
Get Crossloop (https://www.crossloop.com/landing.htm)

Install it, then send a PM to me with the code under Share, I think it is.

I'll see if I can log into you remotely and have a look.

Did you try doing it in safe mode??

ineedhelp2008
24-12-2007, 08:18 AM
I found this software that says it can remove files on reboot; should I try this one?
http://www.softwarepatch.com/software/moveonboot.html

Speedy Gonzales
24-12-2007, 08:22 AM
You can try it, I've heard of it, but never used it.

caldas
24-12-2007, 10:52 AM
I have been going through this same problem and just when I thought I had it beat I don't.

You can delete the wowfx.dll, but there is something that keeps regenerating it. I have not found what is causing this. Consequently, it appears you can't delete it.

Any thoughts?

ineedhelp2008
24-12-2007, 11:03 AM
I have been going through this same problem and just when I thought I had it beat I don't.

You can delete the wowfx.dll, but there is something that keeps regenerating it. I have not found what is causing this. Consequently, it appears you can't delete it.

Any thoughts?

That's exactly what happened to me:
wowfx.dll
geedd.dll
geedd.exe

they regenerate themselves..

Pancake
24-12-2007, 11:07 AM
I can help with this problem. I have fixed many of these...

This will help to identify malware on your system.
Please download Combofix from any of these locations:

Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
or
Here (http://www.forospyware.com/sUBs/ComboFix.exe)

Save ComboFix to the desktop and please ensure that you disable realtime security/virus programs that monitor your PC while CF is running.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.


Caution...Never run and remove files using ComboFix without being supervised by a security analyst.

feersumendjinn
24-12-2007, 11:25 AM
http://housecall.trendmicro.com/
Try this (takes a while to run, even on broadband); I would also turn off System Restore to clear it (and avoid reinfection from there).
Wowfx.dll is part of a trojan called Agent-GIX.

caldas
24-12-2007, 11:31 AM
Pancake,

ComboFix will not do anything for me. It could be because the wowfx.dll is considered a security provider. I can't delete it from the registry as it too comes right back.

Pancake
24-12-2007, 11:46 AM
caldas..

Have you run Combo? If you can, I would like to see the log.

ineedhelp2008
24-12-2007, 11:54 AM
I ran ComboFix... here is the log... those files are still there.

ComboFix 07-12-21.4 - Lap Yin Leung 2007-12-23 15:33:09.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.77 [GMT -8:00]
Running from: C:\Documents and Settings\Lap Yin Leung\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Lap Yin Leung\Application Data\trant.exe
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\drvhac.dll
C:\WINDOWS\system32\drvhacr.dll
C:\WINDOWS\system32\geedd.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 )))))))))))))))))))))))))))))))
.

2007-12-23 15:45 . 2007-12-23 15:45 334,336 --a------ C:\WINDOWS\system32\geedd.dll
2007-12-23 15:20 . 2007-12-23 15:46 337,920 --a------ C:\WINDOWS\system32\geedd.exe
2007-12-23 14:54 . 2007-12-23 15:11 337,920 --a------ C:\WINDOWS\system32\geedd.exe.vir
2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-12-23 13:56 . 2007-12-23 13:56 <DIR> d-------- C:\Program Files\CrossLoop
2007-12-22 16:00 . 2007-12-22 16:00 <DIR> d-------- C:\Program Files\CCleaner
2007-12-22 15:46 . 2007-12-22 15:46 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Grisoft
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-22 15:38 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-22 12:24 . 2007-12-23 15:16 334,336 --a------ C:\WINDOWS\system32\geedd.dll.vir
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Program Files\Trojan Remover
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Simply Super Software
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-12-22 12:19 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-12-22 12:19 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-12-22 12:19 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-12-22 12:19 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-12-22 12:19 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-12-22 11:52 . 2007-12-22 11:52 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-12-22 11:29 . 2007-12-22 11:54 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-22 11:29 . 2007-12-22 11:54 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-22 10:19 . 2007-12-22 10:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 02:27 . 2005-04-20 02:48 9,728 --a------ C:\WINDOWS\system32\spoolvs.exe.vir
2007-12-22 02:23 . 2007-12-22 02:23 <DIR> d--hs---- C:\FOUND.006
2007-12-22 01:53 . 2005-04-20 01:22 9,728 --a------ C:\WINDOWS\system32\printer.exe.vir
2007-12-22 00:46 . 2007-12-22 00:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 23:29 . 2007-12-21 23:29 5,706 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-21 20:31 . 2007-12-23 15:45 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-21 20:30 . 2007-12-21 20:30 337,920 --a------ C:\WINDOWS\system32\RCX57.tmp
2007-12-21 20:30 . 2007-12-23 15:45 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-21 20:30 . 2007-12-23 15:45 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-21 20:30 . 2007-12-22 12:35 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-21 20:30 . 2007-12-23 15:45 40,960 --a------ C:\WINDOWS\VM_STI .EXE
2007-12-21 16:13 . 2007-12-22 10:54 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-21 14:27 . 2007-12-23 15:17 2,960 --ahs---- C:\WINDOWS\system32\ddeeg.ini2.vir
2007-12-21 14:27 . 2007-12-23 15:17 2,960 --ahs---- C:\WINDOWS\system32\ddeeg.ini.vir
2007-12-21 14:24 . 2007-12-21 14:24 26,624 -r-hs---- C:\Program Files\lsass.exe
2007-12-21 14:22 . 2007-12-21 14:22 <DIR> d-------- C:\WINDOWS\system32\njprckha
2007-12-21 14:22 . 2007-12-21 14:22 0 --a------ C:\Install
2007-12-21 14:21 . 2007-12-21 14:21 <DIR> d-------- C:\Program Files\Bwfzeple
2007-12-21 14:21 . 2007-12-22 12:20 39,936 --a------ C:\WINDOWS\system32\awtuttq.dll.vir
2007-12-21 14:21 . 2007-12-21 14:21 21,504 --a------ C:\WINDOWS\system32\winexi32.dll
2007-11-24 23:01 . 2007-11-24 23:01 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 23:20 457,728 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-23 23:20 433,152 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-23 23:20 379,392 ----a-w C:\WINDOWS\Vm_sti.exe
2007-12-23 18:42 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\Lap Yin Leung\Application Data\XemiComputers
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\XemiComputers
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{103BE4BD-AEF6-46BC-879F-73483D202639}]
2007-12-23 15:45 334336 --a------ C:\WINDOWS\system32\geedd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00]
"SpybotSD TeaTimer"="D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"PcSync"="D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-23 15:20]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-23 15:45]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2007-12-23 15:45]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-23 15:45]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2007-12-23 15:45]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-12-23 15:46]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2007-12-23 15:46]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2007-12-23 15:46]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-12-23 15:46]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-12-23 15:46]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2007-12-23 15:46]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-12-23 15:46]
"DAEMON Tools-1033"="D:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-12-23 15:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [2007-12-23 15:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-23 15:46]
"LXCRCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 03:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Active Desktop Calendar]
2007-10-19 11:08 3678208 --a------ D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]
2005-10-24 16:45 2462208 --a------ C:\Acer\Empowering Technology\admtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
D:\Program Files\BitComet\BitComet.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
D:\Useless Software\bt\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
D:\Useless Software\Demontool 4.08HE 32bit\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2005-12-27 15:50 69632 --a------ C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 13:56 64512 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-02-06 21:10 98304 --a------ C:\Program Files\Lexmark 2400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foxy]
D:\Program Files\Foxy\Foxy.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-21 23:33 696320 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
2006-03-06 09:48 286720 --a------ C:\Program Files\Lexmark 2400 Series\lxcrmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
D:\Junk Software\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\system32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys [2004-12-08 14:10]
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys [2006-06-16 19:17]
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys [2006-06-16 19:17]
R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys [2006-06-16 19:17]
S2 MLPTDR_B;MLPTDR_B;C:\WINDOWS\system32\MLPTDR_B.sys [2003-09-02 13:06]
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe
\Shell\setup\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec454-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec455-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 15:46:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\geedd.dll
.
Completion time: 2007-12-23 15:50:36 - machine was rebooted
.
2007-12-12 09:27:52 --- E O F ---

ineedhelp2008
24-12-2007, 11:57 AM
This is the HijackThis log.
I cannot fix geedd.exe.
I still cannot use the delete-on-reboot function in HijackThis.
wowfx.dll seems to be gone now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:49 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\igfxtray .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\WINDOWS\system32\igfxpers .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Acer\Empowering Technology\ePower\ePower_DMC .exe
C:\WINDOWS\VM_STI .EXE
C:\PROGRA~1\LAUNCH~1\LManager .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Acer\Empowering Technology\eRecovery\Monitor .exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\LAPYIN~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg/startpage.jsp?sn=LXAFL0J0486470AE621601
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PcSync] D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9790 bytes

caldas
24-12-2007, 12:15 PM
I did run combofix but got no results or file for me.

Speedy Gonzales
24-12-2007, 12:28 PM
Disable TeaTimer. That may be causing probs; then try again.

ineedhelp2008
24-12-2007, 12:35 PM
I closed teatimer.exe in Task Manager before I ran ComboFix.
I am now trying it again.

Pancake
24-12-2007, 12:42 PM
ineedhelp2008

This should help....

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

KillAll::
File::
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\geedd.exe.vir
C:\WINDOWS\system32\geedd.dll.vir
C:\WINDOWS\system32\spoolvs.exe.vir
C:\WINDOWS\system32\printer.exe.vir
C:\WINDOWS\system32\ddeeg.ini2.vir
C:\WINDOWS\system32\ddeeg.ini.vir
C:\Program Files\lsass.exe
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\awtuttq.dll.vir
C:\WINDOWS\system32\winexi32.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\spoolvs.exe
Folder::
C:\FOUND.006
C:\Program Files\Bwfzeple
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{103BE4BD-AEF6-46BC-879F-73483D202639}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
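Writing a CFScript like the one above comes down to reading the "Reg Loading Points" block of the ComboFix log by eye for a handful of tells: a win.ini-style load= hook, an extra LSA authentication package, an extra SecurityProviders entry, executables renamed with a space before the extension, and lookalikes of system binary names. The Python script below is an added example, not part of this thread or of ComboFix, that runs those checks over a constructed sample in the same layout as the log posted earlier; the known-good defaults and the "lsass" Run entry in the sample are assumptions made for the demo.

```python
"""Triage the "Reg Loading Points" block of a ComboFix log (added example)."""
import re

# Known-good values for a stock Windows XP SP2 machine. Assumption for this
# example: verify them against a clean reference system before relying on them.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
SYSTEM32 = r"c:\windows\system32"
SYSTEM_BINARIES = {"spoolsv.exe", "lsass.exe", "svchost.exe", "ctfmon.exe",
                   "winlogon.exe", "services.exe", "smss.exe"}

# Constructed sample in the shape of the ComboFix "Reg Loading Points" block
# from the thread. The "lsass" Run entry is made up to exercise the path check.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-23 15:20]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [2007-12-23 15:46]
"lsass"="C:\Program Files\lsass.exe" [2007-12-21 14:24]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe
"""

# A drive-letter path ending in .exe/.dll/.sys (spaces allowed, so "avgas .exe" is kept whole).
PATH_RE = re.compile(r'[a-z]:\\[^"\[]*?\.(?:exe|dll|sys)\b', re.I)
# A space immediately before the extension, the rename trick seen in the log.
SPACED_EXT_RE = re.compile(r"\S \.(?:exe|dll|sys)\b", re.I)


def parse_loading_points(text):
    """Split the block into (registry key, [value lines]) pairs, in order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif sections:
            sections[-1][1].append(line)
    return sections


def check_path(path):
    """Flag a system binary name outside system32, or an anagram of one."""
    folder, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_BINARIES:
        return [] if folder == SYSTEM32 else ["system binary name outside system32"]
    if any(sorted(name) == sorted(known) for known in SYSTEM_BINARIES):
        return ["lookalike of a system binary name"]  # e.g. spoolvs.exe vs spoolsv.exe
    return []


def triage(text):
    """Return a list of (category, registry key, detail) findings."""
    findings = []
    for key, lines in parse_loading_points(text):
        k = key.lower()
        for line in lines:
            if k.endswith(r"\windows nt\currentversion\windows") and line.lower().startswith('"load"='):
                findings.append(("win.ini load= hook", key, line))
            if k.endswith(r"control\lsa") and line.startswith("Authentication Packages"):
                # Values follow the REG_MULTI_SZ marker; assumes no spaces inside a value.
                packages = set(line.split("REG_MULTI_SZ", 1)[1].split())
                for extra in sorted(packages - DEFAULT_AUTH_PACKAGES):
                    findings.append(("non-default LSA authentication package", key, extra))
            if k.endswith(r"control\securityproviders") and line.startswith("SecurityProviders"):
                providers = {p.strip().lower() for p in line.split(None, 1)[1].split(",")}
                for extra in sorted(providers - DEFAULT_SECURITY_PROVIDERS):
                    findings.append(("non-default SecurityProviders entry", key, extra))
            if SPACED_EXT_RE.search(line):
                findings.append(("space before extension (renamed binary)", key, line))
            for path in PATH_RE.findall(line):
                for label in check_path(path):
                    findings.append((label, key, path))
    return findings


if __name__ == "__main__":
    for category, key, detail in triage(SAMPLE_LOG):
        print(f"{category:42} {detail}")
```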

Pancake
24-12-2007, 12:49 PM
Pancake,

combofix will not do anything for me. It could be because the wowfx.dll is considered a security provider. I can't delete it from the registry as it too comes right back.

Are you running Vista ???

ineedhelp2008
24-12-2007, 01:45 PM
Pancake,
I did what you told me in safe mode and then closed all processes that are not needed to run Windows in safe mode, as I'm not really sure which process would interfere with ComboFix.
Thanks for the help. Sorry it took quite a while.

here is the log

ComboFix 07-12-21.4 - Lap Yin Leung 2007-12-23 17:27:29.3 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.343 [GMT -8:00]
Running from: C:\Documents and Settings\Lap Yin Leung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lap Yin Leung\Desktop\CFScript.txt

FILE
C:\Program Files\lsass.exe
C:\WINDOWS\system32\awtuttq.dll.vir
C:\WINDOWS\system32\ddeeg.ini.vir
C:\WINDOWS\system32\ddeeg.ini2.vir
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll.vir
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\geedd.exe.vir
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\printer.exe.vir
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\spoolvs.exe.vir
C:\WINDOWS\system32\winexi32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.006
C:\FOUND.006\FILE0000.CHK
C:\FOUND.006\FILE0001.CHK
C:\FOUND.006\FILE0002.CHK
C:\FOUND.006\FILE0003.CHK
C:\Program Files\Bwfzeple
C:\Program Files\lsass.exe
C:\WINDOWS\system32\awtuttq.dll.vir
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini.vir
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.ini2.vir
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll.vir
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\geedd.exe.vir
C:\WINDOWS\system32\printer.exe.vir
C:\WINDOWS\system32\spoolvs.exe.vir
C:\WINDOWS\system32\winexi32.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-12-23 13:56 . 2007-12-23 13:56 <DIR> d-------- C:\Program Files\CrossLoop
2007-12-22 16:00 . 2007-12-22 16:00 <DIR> d-------- C:\Program Files\CCleaner
2007-12-22 15:46 . 2007-12-22 15:46 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Grisoft
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-22 15:38 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Program Files\Trojan Remover
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Simply Super Software
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-12-22 12:19 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-12-22 12:19 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-12-22 12:19 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-12-22 12:19 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-12-22 12:19 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-12-22 11:52 . 2007-12-22 11:52 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-12-22 11:29 . 2007-12-22 11:54 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-22 11:29 . 2007-12-22 11:54 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-22 10:19 . 2007-12-22 10:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 00:46 . 2007-12-22 00:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 23:29 . 2007-12-21 23:29 5,706 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-21 20:31 . 2007-12-23 16:56 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-21 20:30 . 2007-12-21 20:30 337,920 --a------ C:\WINDOWS\system32\RCX57.tmp
2007-12-21 20:30 . 2007-12-23 16:56 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-21 20:30 . 2007-12-23 16:56 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-21 20:30 . 2007-12-22 12:35 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-21 20:30 . 2007-12-23 16:56 40,960 --a------ C:\WINDOWS\VM_STI .EXE
2007-12-21 16:13 . 2007-12-22 10:54 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-21 14:22 . 2007-12-21 14:22 <DIR> d-------- C:\WINDOWS\system32\njprckha
2007-12-21 14:22 . 2007-12-21 14:22 0 --a------ C:\Install
2007-11-24 23:01 . 2007-11-24 23:01 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 01:24 457,728 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-24 01:24 433,152 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-24 01:24 379,392 ----a-w C:\WINDOWS\Vm_sti.exe
2007-12-24 01:24 354,816 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\Lap Yin Leung\Application Data\XemiComputers
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\XemiComputers
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-23_15.48.26.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-23 22:16:30 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
+ 2007-12-24 00:56:18 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
- 2007-12-23 23:45:56 548,352 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
+ 2007-12-24 01:24:34 548,352 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
- 2007-12-23 22:16:34 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
+ 2007-12-24 00:56:16 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
+ 2007-12-24 01:24:34 397,312 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
- 2007-12-23 18:42:06 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
+ 2007-12-24 00:56:20 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
- 2004-08-11 04:00:00 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe
+ 2007-12-24 01:24:38 795,136 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B9A37E4-D412-4FE8-944F-26706EFB32A1}]
2007-12-23 17:37 334336 --a------ C:\WINDOWS\system32\geedd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-23 17:37]
"SpybotSD TeaTimer"="D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"PcSync"="D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-23 17:24]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-23 17:24]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2007-12-23 17:24]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-23 17:37]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2007-12-23 17:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2007-12-23 17:37]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2007-12-23 17:24]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2007-12-23 17:24]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2007-12-23 17:24]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-12-23 17:24]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2007-12-23 17:24]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2007-12-23 17:24]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-12-23 17:25]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-12-23 17:25]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2007-12-23 17:25]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-12-23 17:37]
"DAEMON Tools-1033"="D:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-12-23 17:25]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [2007-12-23 17:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-23 17:38]
"LXCRCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 03:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Active Desktop Calendar]
2007-10-19 11:08 3678208 --a------ D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]
2005-10-24 16:45 2462208 --a------ C:\Acer\Empowering Technology\admtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
D:\Program Files\BitComet\BitComet.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
D:\Useless Software\bt\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
D:\Useless Software\Demontool 4.08HE 32bit\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2005-12-27 15:50 69632 --a------ C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 13:56 64512 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-02-06 21:10 98304 --a------ C:\Program Files\Lexmark 2400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foxy]
D:\Program Files\Foxy\Foxy.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-21 23:33 696320 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
2006-03-06 09:48 286720 --a------ C:\Program Files\Lexmark 2400 Series\lxcrmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
D:\Junk Software\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe
\Shell\setup\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec454-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec455-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

*Newly Created Service* - INT15.SYS
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 17:37:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\geedd.dll
.
Completion time: 2007-12-23 17:41:56 - machine was rebooted
C:\ComboFix3.txt ... 2007-12-23 15:50
C:\ComboFix2.txt ... 2007-12-23 17:01
.
2007-12-12 09:27:52 --- E O F ---

ineedhelp2008
24-12-2007, 01:45 PM
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:37 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\WINDOWS\system32\igfxtray .exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\VM_STI .EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC .exe
D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Acer\Empowering Technology\eRecovery\Monitor .exe
C:\PROGRA~1\LAUNCH~1\LManager .exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\DOCUME~1\LAPYIN~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg/startpage.jsp?sn=LXAFL0J0486470AE621601
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PcSync] D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10026 bytes

Pancake
24-12-2007, 02:11 PM
No problem. All is going well.

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.

F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe

===========================

Please copy this page to *Notepad* and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:
KillAll::
File::
C:\WINDOWS\system32\mcrh.tmp
Folder::
C:\WINDOWS\system32\njprckha
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B9A37E4-D412-4FE8-944F-26706EFB32A1}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages REG_MULTI_SZ msv1_0"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
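
As an added example (not part of this thread, of ComboFix or of HijackThis), here is a Python triage script that performs the checks a helper does by eye over the "Reg Loading Points" section of the ComboFix log and the F3 line Pancake asks HijackThis to fix: the win.ini-style load= value, the extra LSA Authentication Package, the extra SecurityProviders DLL (wowfx.dll), the MountPoints2 AutoRun commands pointing at a Recycled folder, and file names carrying a space before the extension (the 15,360-byte "ctfmon .exe" listed beside the 354,816-byte ctfmon.exe). The sample lines are copied from the logs in this thread; the Windows XP SP2 default lists, the indicator names and the regular expressions are assumptions of this example, not output of either tool.

```python
"""Triage helper for ComboFix-style 'Reg Loading Points' and HijackThis log lines.

Added example for this thread; it is not part of ComboFix, HijackThis or the
thread itself. It flags the persistence indicators visible in the logs above:
  * a load= value under HKCU ... Windows NT ... CurrentVersion ... Windows
    (the same entry HijackThis reports as an F3 line)
  * extra LSA Authentication Packages beyond msv1_0
  * extra SecurityProviders beyond the Windows XP defaults (assumed below)
  * drive paths whose file name carries a space before the extension
    ("igfxpers .exe" sitting beside a differently sized "igfxpers.exe")
  * MountPoints2 AutoRun/Open commands that launch from a Recycled folder
"""
import re
from collections import Counter

# Baseline values assumed for Windows XP SP2 (assumption; adjust per OS build).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

LOAD_RE = re.compile(r'^"?load"?\s*=\s*(.+)$', re.IGNORECASE)
HJT_F3_RE = re.compile(r"^F3 - REG:win\.ini: load=(.+)$")
AUTH_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$")
SEC_RE = re.compile(r"^SecurityProviders\s+(.*)$")
AUTORUN_RE = re.compile(r"\\Shell\\(?:AutoRun|Open\(&0\))\\command\s+-\s+(.*)$")
# A drive path whose base name has a space right before the extension.
SPACED_EXT_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*? \.(?:exe|dll|scr|com)\b', re.IGNORECASE)

# Constructed sample: lines copied from the ComboFix and HijackThis logs in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-23 17:24]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [2007-12-23 17:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec454-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

2007-12-21 20:31 . 2007-12-23 17:37 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
"""


def triage(lines):
    """Return a list of (indicator, detail) tuples for the suspicious lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LOAD_RE.match(line) or HJT_F3_RE.match(line)
        if m:
            findings.append(("load_value", m.group(1).strip()))
        m = AUTH_RE.match(line)
        if m:
            # ComboFix prints the REG_MULTI_SZ entries space-separated.
            for pkg in m.group(1).split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(("lsa_auth_package", pkg))
        m = SEC_RE.match(line)
        if m:
            for prov in (p.strip() for p in m.group(1).split(",")):
                if prov.lower() not in DEFAULT_SECURITY_PROVIDERS:
                    findings.append(("security_provider", prov))
        m = AUTORUN_RE.search(line)
        if m and "recycled" in m.group(1).lower():
            findings.append(("recycled_autorun", m.group(1)))
        for m in SPACED_EXT_RE.finditer(line):
            findings.append(("spaced_extension", m.group(0)))
    return findings


def summarize(findings):
    """Count findings per indicator type."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{kind:18} {detail}")
```

Run it as-is to see the eight indicators from the sample, or pass `open("C:/ComboFix.txt").read().splitlines()` to `triage()` on a real log. The spaced-extension check is the one worth keeping around: a legitimate binary renamed to "name .exe" beside a larger file that took its original name is exactly the pattern the file listings above show for ctfmon, igfxpers, igfxtray and VM_STI.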

ineedhelp2008
24-12-2007, 03:10 PM
Here is the ComboFix log:
ComboFix 07-12-21.4 - Lap Yin Leung 2007-12-23 18:44:08.4 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.344 [GMT -8:00]
Running from: C:\Documents and Settings\Lap Yin Leung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lap Yin Leung\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\mcrh.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\njprckha\bg1.gif
C:\WINDOWS\system32\njprckha\bgtop.gif
C:\WINDOWS\system32\njprckha\bottom1.gif
C:\WINDOWS\system32\njprckha\essentials.gif
C:\WINDOWS\system32\njprckha\icon1.ico
C:\WINDOWS\system32\njprckha\install1.gif
C:\WINDOWS\system32\njprckha\left1.gif
C:\WINDOWS\system32\njprckha\li.gif
C:\WINDOWS\system32\njprckha\logo.gif
C:\WINDOWS\system32\njprckha\main.htm
C:\WINDOWS\system32\njprckha\mainframe.htm
C:\WINDOWS\system32\njprckha\reinstall1.gif
C:\WINDOWS\system32\njprckha\right1.gif
C:\WINDOWS\system32\njprckha\s1.htm
C:\WINDOWS\system32\njprckha\s2.htm
C:\WINDOWS\system32\njprckha\s3.htm
C:\WINDOWS\system32\njprckha\SMTop1.gif
C:\WINDOWS\system32\njprckha\SMTop2.gif
C:\WINDOWS\system32\njprckha\SMTop3.gif
C:\WINDOWS\system32\njprckha\SMTop4.gif
C:\WINDOWS\system32\njprckha\soft1_off.gif
C:\WINDOWS\system32\njprckha\soft1_off_ext.gif
C:\WINDOWS\system32\njprckha\soft1_on.gif
C:\WINDOWS\system32\njprckha\soft1_on_ext.gif
C:\WINDOWS\system32\njprckha\soft2_off.gif
C:\WINDOWS\system32\njprckha\soft2_off_ext.gif
C:\WINDOWS\system32\njprckha\soft2_on.gif
C:\WINDOWS\system32\njprckha\soft2_on_ext.gif
C:\WINDOWS\system32\njprckha\soft3_off.gif
C:\WINDOWS\system32\njprckha\soft3_off_ext.gif
C:\WINDOWS\system32\njprckha\soft3_on.gif
C:\WINDOWS\system32\njprckha\soft3_on_ext.gif
C:\WINDOWS\system32\njprckha\softbottom_off.gif
C:\WINDOWS\system32\njprckha\softbottom_on.gif
C:\WINDOWS\system32\njprckha\softleft_off.gif
C:\WINDOWS\system32\njprckha\softleft_on.gif
C:\WINDOWS\system32\njprckha\top1.gif
C:\WINDOWS\system32\njprckha\top2.gif
C:\WINDOWS\system32\njprckha\turnoff1.gif
C:\WINDOWS\system32\njprckha\turnon1.gif

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 17:38 . 2007-12-23 18:42 337,920 --a------ C:\WINDOWS\system32\geedd.exe
2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-12-23 13:56 . 2007-12-23 13:56 <DIR> d-------- C:\Program Files\CrossLoop
2007-12-22 16:00 . 2007-12-22 16:00 <DIR> d-------- C:\Program Files\CCleaner
2007-12-22 15:46 . 2007-12-22 15:46 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Grisoft
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-22 15:38 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Program Files\Trojan Remover
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Simply Super Software
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-12-22 12:19 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-12-22 12:19 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-12-22 12:19 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-12-22 12:19 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-12-22 12:19 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-12-22 11:52 . 2007-12-22 11:52 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-12-22 11:29 . 2007-12-22 11:54 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-22 11:29 . 2007-12-22 11:54 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-22 10:19 . 2007-12-22 10:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 00:46 . 2007-12-22 00:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 23:29 . 2007-12-21 23:29 5,706 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-21 20:31 . 2007-12-23 17:37 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-21 20:30 . 2007-12-21 20:30 337,920 --a------ C:\WINDOWS\system32\RCX57.tmp
2007-12-21 20:30 . 2007-12-23 18:53 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-21 20:30 . 2007-12-23 18:53 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-21 20:30 . 2007-12-22 12:35 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-21 20:30 . 2007-12-23 18:53 40,960 --a------ C:\WINDOWS\VM_STI .EXE
2007-12-21 14:22 . 2007-12-21 14:22 0 --a------ C:\Install
2007-11-24 23:01 . 2007-11-24 23:01 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 02:42 379,392 ----a-w C:\WINDOWS\Vm_sti.exe
2007-12-24 02:41 457,728 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-24 02:41 433,152 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-24 02:41 354,816 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-23 18:42 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\Lap Yin Leung\Application Data\XemiComputers
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\XemiComputers
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-23_15.48.26.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-23 22:16:30 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
+ 2007-12-24 02:53:36 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
- 2007-12-23 23:45:56 548,352 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
+ 2007-12-24 02:41:44 548,352 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
- 2007-12-23 22:16:34 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
+ 2007-12-24 01:37:20 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
+ 2007-12-24 02:41:44 397,312 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
- 2007-12-23 18:42:06 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
+ 2007-12-24 01:37:22 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
- 2004-08-11 04:00:00 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe
+ 2007-12-24 02:41:48 795,136 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D4C844F-09C4-4692-9D79-699007AF68FA}]
2007-12-23 18:53 334336 --a------ C:\WINDOWS\system32\geedd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-23 18:53]
"SpybotSD TeaTimer"="D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"PcSync"="D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-23 18:53]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-23 18:53]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2007-12-23 18:53]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-23 18:53]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2007-12-23 18:53]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-12-23 18:53]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2007-12-23 18:42]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2007-12-23 18:42]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-12-23 18:42]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-12-23 18:54]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2007-12-23 18:54]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-12-23 18:54]
"DAEMON Tools-1033"="D:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-12-23 18:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [2007-12-23 18:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-23 18:54]
"LXCRCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 03:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast .exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast .exe
backup=C:\WINDOWS\pss\findfast .exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Active Desktop Calendar]
2007-10-19 11:08 3678208 --a------ D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]
2005-10-24 16:45 2462208 --a------ C:\Acer\Empowering Technology\admtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
D:\Program Files\BitComet\BitComet.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
D:\Useless Software\bt\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
D:\Useless Software\Demontool 4.08HE 32bit\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2005-12-27 15:50 69632 --a------ C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 13:56 64512 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-02-06 21:10 98304 --a------ C:\Program Files\Lexmark 2400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foxy]
D:\Program Files\Foxy\Foxy.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-21 23:33 696320 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
2006-03-06 09:48 286720 --a------ C:\Program Files\Lexmark 2400 Series\lxcrmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
D:\Junk Software\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe
\Shell\setup\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec454-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec455-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

*Newly Created Service* - INT15.SYS
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 18:53:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\geedd.dll
.
Completion time: 2007-12-23 18:58:14 - machine was rebooted
C:\ComboFix3.txt ... 2007-12-23 17:01
C:\ComboFix2.txt ... 2007-12-23 17:41
.
2007-12-12 09:27:52 --- E O F ---

ineedhelp2008
24-12-2007, 03:12 PM
HijackThis log
The geedd.exe simply won't go away.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:28 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\WINDOWS\system32\igfxpers .exe
D:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC .exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\VM_STI .EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\PROGRA~1\LAUNCH~1\LManager .exe
C:\Acer\Empowering Technology\eRecovery\Monitor .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\DOCUME~1\LAPYIN~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg/startpage.jsp?sn=LXAFL0J0486470AE621601
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PcSync] D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9699 bytes

Pancake
24-12-2007, 03:39 PM
The file is dead so there is nothing to worry about, but something is holding it back in HJT. Did you uninstall TeaTimer? Let's hit it with this.


Hi...

Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) to your Desktop and unzip it.

Copy all the text contained in the code box below ( including the words "files to delete" ) by highlighting it and right clicking and selecting "Copy"




Files to delete:
C:\WINDOWS\system32\geedd.exe




Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, right-click and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (if the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop, this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.

Once your computer has rebooted, please post back the contents of C:\avenger.txt and a new HijackThis log.

===============================

Copy the bold text below to notepad. Save it as fixreg.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.




[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
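Two things in the logs above are worth being able to spot mechanically rather than by eye: the extra entries hanging off the LSA loading points (the `C:\WINDOWS\system32\geedd` appended to Authentication Packages, `wowfx.dll` appended to SecurityProviders, and the `load=` value pointing at geedd.exe), and the process names with a space before the extension (`igfxtray .exe`, `avgas .exe`, `VM_STI .EXE`) that the ComboFix snapshot shows sitting next to the genuine files. The script below is an added example for this thread, not code from ComboFix, HijackThis, The Avenger or VundoFix. It parses constructed text in the same layout as those logs (with the forum's word-wrap spaces removed) and reports anything that is not in its list of clean defaults; the default lists are my assumption of what Windows XP SP2 ships with and should be confirmed against a known-clean machine.

```python
"""Audit two persistence signs that show up in the thread's logs.

Added example; not code from any tool used in the thread. SAMPLE_REG and
SAMPLE_PROCS are constructed to mirror the ComboFix "Reg Loading Points" and
HijackThis "Running processes" layouts. DEFAULTS is an assumption about a
clean Windows XP SP2 install.
"""
import re

# Assumed clean defaults for Windows XP SP2 (assumption; verify on a clean box).
DEFAULTS = {
    "authentication packages": {"msv1_0"},
    "notification packages": {"scecli"},
    "securityproviders": {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"},
}

# HKCU\...\Windows NT\CurrentVersion\Windows "load" runs a program at logon; empty when clean.
LOAD_KEY_SUFFIX = r"windows nt\currentversion\windows"

# Constructed sample in ComboFix "Reg Loading Points" style.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
"""

# Constructed sample in HijackThis "Running processes" style.
SAMPLE_PROCS = r"""
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\WINDOWS\VM_STI .EXE
C:\WINDOWS\system32\ctfmon.exe
"""


def parse_reg_loading_points(text):
    """Return [(key, value_name, entries)] for the LSA values named in DEFAULTS
    and for a non-empty 'load' value, as found in a Reg Loading Points dump."""
    results = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()      # new registry key section
            continue
        if current_key is None:
            continue
        if current_key.endswith(LOAD_KEY_SUFFIX):
            m = re.match(r'"?load"?\s*=\s*(.*)$', line, re.IGNORECASE)
            if m and m.group(1).strip():
                results.append((current_key, "load", [m.group(1).strip()]))
            continue
        for name in DEFAULTS:
            if line.lower().startswith(name):
                rest = line[len(name):].strip()
                rest = re.sub(r"^REG_MULTI_SZ\s+", "", rest, flags=re.IGNORECASE)
                # SecurityProviders is comma separated; REG_MULTI_SZ values are space separated.
                if "," in rest:
                    entries = [e.strip() for e in rest.split(",") if e.strip()]
                else:
                    entries = rest.split()
                results.append((current_key, name, entries))
                break
    return results


def unexpected_entries(results):
    """Return [(value_name, entry)] for every entry that is not a known default.
    Any 'load' value at all is reported, since a clean machine has none."""
    flagged = []
    for _key, name, entries in results:
        if name == "load":
            flagged.extend((name, e) for e in entries)
            continue
        for e in entries:
            if e.lower() not in DEFAULTS[name]:
                flagged.append((name, e))
    return flagged


def space_before_extension(process_lines):
    """Flag process paths whose file name has whitespace right before the
    extension (e.g. 'igfxtray .exe'), a look-alike of a legitimate name."""
    return [p.strip() for p in process_lines.splitlines()
            if re.search(r"\s+\.[A-Za-z0-9]{1,4}$", p.strip())]


if __name__ == "__main__":
    for name, entry in unexpected_entries(parse_reg_loading_points(SAMPLE_REG)):
        print(f"non-default {name}: {entry}")
    for path in space_before_extension(SAMPLE_PROCS):
        print(f"look-alike process name: {path}")
```

On the constructed samples this reports the geedd load value, the geedd Authentication Packages entry, wowfx.dll, and the three space-named processes. One practical note on the .reg step above: regedit only imports a text file whose first line is `Windows Registry Editor Version 5.00` (or `REGEDIT4` for the older format); a file without that header is rejected as "not a registry script".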

Pancake
24-12-2007, 04:04 PM
I must admit that I have never seen this file stick like this before.


Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log, from normal mode, in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If VundoFix does not find and delete the files, please try running it a bit differently:
Double-click VundoFix.exe to run it.
You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click Scan for Vundo button.
Once the scan is complete, right-click inside the listbox (white box) and click Add more files?
Copy & paste the 2 entries below into the top 2 boxes:
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\ddeeg.*
Click Add Files and click Close Window.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt

ineedhelp2008
24-12-2007, 04:08 PM
I did not remove TeaTimer. I was doing it in safe mode.
Ok, do I do the registry thing after or before Avenger?
I tried doing it before Avenger

But it says

Cannot import C:\Documents and Settings\Lap Yin Leung\desktop\fixreg.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.
----------------------------------------------

So now I am trying the avenger

hopefully it does not take too long before I make another reply
Thank you for staying with me for such a long time

ineedhelp2008
24-12-2007, 04:19 PM
Avenger is finished

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\owwqhjeh

*******************

Script file located at: \??\C:\cqcxlxmq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\geedd.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

ineedhelp2008
24-12-2007, 04:21 PM
HijackThis log after Avenger is finished

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:49 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Acer\Empowering Technology\ePower\ePower_DMC .exe
C:\WINDOWS\VM_STI .EXE
C:\PROGRA~1\LAUNCH~1\LManager .exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Acer\Empowering Technology\eRecovery\Monitor .exe
D:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg/startpage.jsp?sn=LXAFL0J0486470AE621601
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PcSync] D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9795 bytes

ineedhelp2008
24-12-2007, 04:23 PM
geedd.exe is gone in HijackThis now, I think, and TeaTimer has stopped popping up saying something is trying to change my registry.

Now running VundoFix.exe

caldas
24-12-2007, 05:34 PM
Are you running Vista ???

No ... in my case I am running XP.

I am running in Safe Mode, and also each time I reboot the following files show up in the Windows directory:

murka.dat
medichi.exe
medichi2.exe

ineedhelp2008
24-12-2007, 06:13 PM
This is the VundoFix log


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 8:32:26 PM 12/23/2007

Listing files found while scanning....

C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
C:\WINDOWS\Vm_sti.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\geedd.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe Has been deleted!

Attempting to delete C:\WINDOWS\Vm_sti.exe
C:\WINDOWS\Vm_sti.exe Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\geedd.exe Has been deleted!

Performing Repairs to the registry.
Done!

ineedhelp2008
24-12-2007, 06:15 PM
This is the HijackThis log.
The F3 entry for geedd.exe comes back...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:20 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL .EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Acer\Empowering Technology\ePower\ePower_DMC .exe
C:\PROGRA~1\LAUNCH~1\LManager .exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\DOCUME~1\LAPYIN~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
D:\Program Files\D-Tools\daemon.exe
C:\Acer\Empowering Technology\eRecovery\Monitor .exe
D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg/startpage.jsp?sn=LXAFL0J0486470AE621601
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PcSync] D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10364 bytes

ineedhelp2008
24-12-2007, 06:22 PM
http://aycu22.webshots.com/image/39501/2001911428732778185_rs.jpg

every time I reboot there is this thing, and some other warning that says registry change.
For all values deleted, I allow,
but I don't allow values added,
and the entry, like the one in this picture, has a different value every time,
but after I deny it, the same entry comes back.
Should I simply disable TeaTimer?

wainuitech
24-12-2007, 06:23 PM
I have lost track of this posting - did you ever manage to disable System Restore?

If not, then some of these bugs will more than likely be getting put back after every reboot.

Just looking through the HJT log, I see you only have AVG as the antivirus - as pointed out before, I suggest you get a good antivirus - AVG is useless. Download the Nod32 trial from here (http://www.eset.com/download/download_NT.php). Nod WILL get into the restore; AVG won't.

Speedy Gonzales
24-12-2007, 07:09 PM
Get rid of Symantec and AVG, they're both hopeless.

Install NOD, or Avast Home if you want something free.

This log looks like it has more in it than it had before!

Did you delete the restore point ComboFix created??

Or click on its entry in System Restore??

ineedhelp2008
24-12-2007, 07:10 PM
I do disable system restore <--- this is wrong

You are right, System Restore is enabled again! I disabled it before; now I will disable it again and run those things once more.

wainuitech
24-12-2007, 07:22 PM
I do disable system restore <--- this is wrong
Errrrr, System Restore keeps track of the registry among other things. What happens is, if infections get into Restore, even if you get the system clean, sometimes, depending on the infection, it will reinfect the PC as soon as you reboot it. It is an endless battle.

Why do you say it's wrong?

By disabling Restore it deletes all the restore points, both the clean and the infected points.
If I read how you put it, even if you disable Restore it's turning itself back on? Never heard of that happening before, and I do this for a living - once it's off, it's normally off.

Seriously, if you only have AVG as the antivirus, download Nod32 - it's far better than AVG and will get into System Restore to clean it - AVG can't.

ineedhelp2008
24-12-2007, 07:57 PM
I mean I was wrong in thinking I had disabled System Restore when it was not.

Because I disabled it this afternoon, but now I found that it is back.

I think it might be ComboFix doing this, as it says it creates a System Restore point when I use it.

wainuitech
24-12-2007, 08:05 PM
I think it might be ComboFix doing this, as it says it creates a System Restore point when I use it.
Possible. Try Nod32 after turning off Restore again and see what happens.

ineedhelp2008
24-12-2007, 09:25 PM
OK, let me sum up what I have done.

I used Avenger, suggested by Pancake, to delete the four infected files:

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\geedd.exe deleted successfully.
File C:\WINDOWS\system32\geedd.dll deleted successfully.


File C:\WINDOWS\system32\ddeegg.ini not found!
Deletion of file C:\WINDOWS\system32\ddeegg.ini failed!

Could not process line:
C:\WINDOWS\system32\ddeegg.ini
Status: 0xc0000034



File C:\WINDOWS\system32\ddeegg.ini2 not found!
Deletion of file C:\WINDOWS\system32\ddeegg.ini2 failed!

Could not process line:
C:\WINDOWS\system32\ddeegg.ini2
Status: 0xc0000034


Completed script processing.


2 success, 2 failure

Trojan Remover says it cannot find geedd.exe but finds a registry entry that is calling it. I don't think I should use ComboFix any more, because it says it sets up a System Restore point, which might activate System Restore (which is also what we don't want).

But I can find all four of them in my system32 folder.
I found ddeeg.ini and ddeeg.ini2 as hidden files in the system32 folder,
and in Properties they are checked Archive and Hidden.
It would not allow me to uncheck Hidden, since it is greyed out,
but it would allow me to uncheck Archive.
I opened ddeeg.ini and ddeeg.ini2 in Notepad, deleted all their content and saved.
Can it be something in the registry that prevents me from deleting these files?

I think geedd.exe is constantly adding registry entries to
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

where xxx is the notation we use when we are working in a "16nary" system (I don't know what it is called, you know, the one where you add a digit for every sixteen). And this program is smart, because it changes the registry key name to try to stop me from denying it adding values to my registry.

I will try to use the programs given by you guys to remove the files on reboot.
And I will make sure System Restore is off.
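
Two of the observations in the post above are worth turning into a check that does not depend on knowing the file names in advance: the executable and DLL (geedd) have names that are the mirror image of the two .ini files (ddeeg), and the .ini files cannot be un-hidden from Properties. On Windows XP the Hidden checkbox is greyed out exactly when the System attribute is also set, so the files are "super hidden", and `del` will not touch them until the attributes are cleared. (The "xxxxxxxx-xxxx-..." notation described above is hexadecimal; a BHO CLSID is a GUID written as 8-4-4-4-12 hex digits, which is why searching regedit for a fixed value keeps missing a key whose GUID changes on each reboot.) As an added example, not part of the thread and not code from VundoFix, Avenger or any other tool mentioned, the Python below finds mirror-image name pairs in a directory listing, reports Hidden+System files, and emits the attrib/del commands to remove the pair. The listing is constructed from the file names in the VundoFix output above; the attribute letters (H, S, A, R as `attrib` prints them) and the system32 path are assumptions for the example.

```python
import os
from typing import Dict, List, Set, Tuple

# Constructed listing of C:\WINDOWS\system32. The names come from the VundoFix
# output in the thread; the attribute letters are an assumption for the example,
# chosen to match the poster's description (the .ini files hidden, with the
# Hidden checkbox greyed out, which on XP means System is set as well).
SAMPLE_LISTING: Dict[str, str] = {
    "ctfmon.exe": "A",
    "ddeeg.ini": "HSA",
    "ddeeg.ini2": "HSA",
    "geedd.dll": "HA",
    "geedd.exe": "HA",
    "igfxpers.exe": "A",
    "igfxtray.exe": "A",
    "ImScInst.exe": "A",
}

SYSTEM32 = r"C:\WINDOWS\system32"   # assumed location; VundoFix reported the files here


def stem(filename: str) -> str:
    """'ddeeg.ini2' -> 'ddeeg', 'geedd.dll' -> 'geedd' (case-folded)."""
    return os.path.splitext(filename)[0].lower()


def reversed_name_pairs(names) -> List[Tuple[str, str]]:
    """Pairs of files whose base names are mirror images of each other.

    Virtumonde drops a randomly named .dll/.exe and keeps its data in .ini files
    named with that random name spelled backwards (geedd <-> ddeeg), so a mirror
    pair in system32 is a strong signal even when the names are new.
    """
    by_stem: Dict[str, List[str]] = {}
    for name in names:
        by_stem.setdefault(stem(name), []).append(name)
    pairs: Set[Tuple[str, str]] = set()
    for s, files in by_stem.items():
        mirror = s[::-1]
        if mirror == s or mirror not in by_stem:
            continue                      # palindromes would pair with themselves
        for a in files:
            for b in by_stem[mirror]:
                pairs.add(tuple(sorted((a, b))))   # one entry per pair, regardless of direction
    return sorted(pairs)


def super_hidden(listing: Dict[str, str]) -> List[str]:
    """Files carrying both Hidden and System: Explorer greys out the Hidden box for these."""
    return sorted(n for n, attrs in listing.items() if "H" in attrs and "S" in attrs)


def cleanup_commands(listing: Dict[str, str]) -> List[str]:
    """cmd.exe lines to strip the attributes and delete every file of a mirror pair.

    Run them from Safe Mode or the Recovery Console so nothing holds the files
    open. The attrib step comes first because `del` skips hidden/system files
    (unless given /a) and refuses read-only ones (unless given /f).
    """
    targets: Set[str] = {n for pair in reversed_name_pairs(listing) for n in pair}
    commands: List[str] = []
    for name in sorted(targets):
        path = f'"{SYSTEM32}\\{name}"'
        if any(flag in listing[name] for flag in "HSR"):
            commands.append(f"attrib -s -h -r {path}")
        commands.append(f"del {path}")
    return commands


if __name__ == "__main__":
    print("mirror pairs:", reversed_name_pairs(SAMPLE_LISTING))
    print("hidden+system:", super_hidden(SAMPLE_LISTING))
    print("\n".join(cleanup_commands(SAMPLE_LISTING)))
```

The other names in the same VundoFix list (ctfmon.exe, igfxtray.exe, igfxpers.exe, ImScInst.exe) have no mirror and are left alone, which is one reason to read a removal tool's file list before letting it delete; those are normally legitimate Microsoft and Intel components. Deleting the pair only sticks if whatever recreates it is removed in the same boot (the win.ini load= entry and the BHO key in the logs above) and System Restore is off, otherwise the files reappear exactly as the poster describes.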

Speedy Gonzales
24-12-2007, 09:39 PM
If Trojan Remover picks geedd.exe up, select "delete reference from the registry", then reboot.

Run regedit, then search for wowfx.dll, geedd.exe, and geedd.dll

and delete their entries; make sure you don't delete anything else.

Then close regedit and reboot,

while System Restore is off.

ineedhelp2008
24-12-2007, 10:49 PM
Trojan Remover says
C:\WINDOWS\system32\geedd.dll
is called by
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{473FA96D-3459-4FDC-ABA0-61EF1A7A247F}

Something other than wowfx.dll, geedd.exe, geedd.dll, ddeeg.ini, ddeeg.ini2 must be creating this registry entry every time on reboot, even after System Restore is turned off.
Not only that, it also creates geedd.exe, geedd.dll, ddeeg.ini, ddeeg.ini2 again after they are renamed and the referencing registry entry is deleted.

The problem is not solved.

apsattv
25-12-2007, 12:02 AM
Run PrevxCSI and see what it identifies.

I just cleaned up a machine in the USA the other night using CrossLoop. I used Trojan Remover 6.6, Nod32, Spybot S&D and PrevxCSI to confirm that it was clear. Didn't disable System Restore; Nod32 took care of cleaning that.

apsattv
25-12-2007, 12:06 AM
I should add they were using BitDefender 8 and it was screwed. Uninstalled that and it's going fine now with Nod32 2.7.

ineedhelp2008
25-12-2007, 08:39 AM
Trojan Remover says
geedd.dll is Adware.VirtuMonde.

I used the remover from Symantec; it does not help.

I tried PrevxCSI; it found some files and I deleted them,
but they come back on reboot.

I am sure I have System Restore disabled.

Speedy Gonzales
25-12-2007, 08:51 AM
Open My Computer and highlight C:.

Right-click and select Scan with Trojan Remover.

Scan the whole HDD.

Whatever it picks up, tell TR to delete it.

wainuitech
25-12-2007, 10:44 AM
You may also have what's called rootkits - these are hidden files that some antispyware programs won't locate. Nod32, when set up, will locate these.

If you haven't already done so, dump that useless AVG - download Nod32. Once you do it, open Nod; in the bottom left-hand corner are the words "Display Standard mode" - click that and select Toggle Advanced mode. On the left click "Computer Scan". In the middle of the new box, click "Custom Scan", and select the memory plus all your drives. At the bottom of that window is a button called "Setup" - click that; under "Objects & Options" tick everything, and under "Cleaning" move the slider to the very right. Extensions and Other you can leave as is. Run a full scan.

You can also download Hidden Folder (http://www.wenpoint.com/download/download.php) - it is free; install / run it and it will show any hidden files, some of which may be your "bugs". You can right-click on any result and Google it, delete it, whatever, to find out what it does / is. You can also download Sophos Anti-Rootkit (http://www.sophos.com/support/cleaners/sarsfx.exe) - this is a direct link; otherwise you will have to sign up here and download (http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html). But it is free, and this really digs DEEP in your system - it will take a while to run, but be careful - ask here what to remove, as I found several "hidden" items on one of my systems that are actually used by the IE and Safari web browsers.

NOTE: I have been doing a bit of research on this problem - it appears there are reports that the files may be called something else, and these are what's recreating the infections. Some create random names, and are hidden.

ineedhelp2008
25-12-2007, 02:40 PM
Trojan Remover scanned drive C and deleted some files, but they come back.
Using Nod32 now; this might be a long scan...

Thank you all for sticking with this thread.

Speedy Gonzales
25-12-2007, 02:49 PM
And is System Restore still disabled? It will have to be disabled so they don't come back.

apsattv
25-12-2007, 03:29 PM
PrevxCSI will only ID the stuff. Nod32, combined with a first scan using Trojan Remover, will see it cleaned up.

Use PrevxCSI to confirm afterwards that it's gone. Also, you really should be disconnected from the net while you are doing the scans, just so you don't get reinfected.

Pancake
26-12-2007, 12:21 PM
I suggest you uninstall all your protection programs, as well as TeaTimer, and then we go for removing it from the registry. It's one of these that is stopping the fix.

ineedhelp2008
26-12-2007, 11:41 PM
Any idea how to remove TeaTimer?
I googled it but I cannot find anything.

drcspy
27-12-2007, 01:14 AM
You don't 'remove' TeaTimer, you turn it off, from within Spybot.

minster
27-12-2007, 06:40 PM
Wouldn't it be much quicker to reformat the PC? :D

ineedhelp2008
30-12-2007, 09:37 PM
Just to let you guys know,
I think my computer is clean now.
I disabled TeaTimer and ran basically every antivirus/spyware/adware/malware tool available.
It seems to me that it is clean now.
Thank you for helping.