| Thread ID: 85813 | 2007-12-23 01:37:00 | My PC is infected by printer.exe and possibly ultimate defender | ineedhelp2008 (13207) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 623757 | 2007-12-23 22:52:00 | I have been going through this same problem, and just when I thought I had it beat, I don't. You can delete the wowfx.dll, but there is something that keeps regenerating it. I have not found what is causing this. Consequently, it appears you can't delete it. Any thoughts? | caldas (13208) | ||
| 623758 | 2007-12-23 23:03:00 | "I have been going through this same problem and just when I thought I had it beat I don't. You can delete the wowfx.dll, but there is something that keeps regenerating it. I have not found what is causing this. Consequently, it appears you can't delete it. Any thoughts?" That's exactly what happened to me: wowfx.dll, geedd.dll and geedd.exe regenerate themselves. | ineedhelp2008 (13207) | ||
| 623759 | 2007-12-23 23:07:00 | I can help with this problem. I have fixed many of these... This will help to identify malware on your system. Please download ComboFix from any of these locations: Here (download.bleepingcomputer.com) or Here (www.forospyware.com). Save ComboFix to the desktop and please ensure that you disable realtime security/virus programs that monitor your PC while CF is running. 1. Double click on combo.exe & follow the prompts. 2. When finished, it will produce a logfile located at C:\ComboFix.txt. 3. Copy and paste the contents of that log in your next reply with a new HijackThis log. Do not use Code or HTML unless asked for. Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to stall/hang. Caution... Never run and remove files using ComboFix without being supervised by a security analyst. | Pancake (6359) | ||
| 623760 | 2007-12-23 23:25:00 | http://housecall.trendmicro.com/ Try this (takes a while to run, even on broadband). I would also turn off System Restore to clear it (and avoid reinfection from there). Wowfx.dll is part of a trojan called Agent-GIX. | feersumendjinn (64) | ||
| 623761 | 2007-12-23 23:31:00 | Pancake, ComboFix will not do anything for me. It could be because the wowfx.dll is considered a security provider. I can't delete it from the registry, as it too comes right back. | caldas (13208) | ||
| 623762 | 2007-12-23 23:46:00 | caldas, have you run Combo? If you can, I would like to see the log. | Pancake (6359) | ||
| 623763 | 2007-12-23 23:54:00 | I ran ComboFix... here is the log... those files are still there.

ComboFix 07-12-21.4 - Lap Yin Leung 2007-12-23 15:33:09.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.77 [GMT -8:00]
Running from: C:\Documents and Settings\Lap Yin Leung\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Lap Yin Leung\Application Data\trant.exe
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\drvhac.dll
C:\WINDOWS\system32\drvhacr.dll
C:\WINDOWS\system32\geedd.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 )))))))))))))))))))))))))))))))
.
2007-12-23 15:45 . 2007-12-23 15:45 334,336 --a------ C:\WINDOWS\system32\geedd.dll
2007-12-23 15:20 . 2007-12-23 15:46 337,920 --a------ C:\WINDOWS\system32\geedd.exe
2007-12-23 14:54 . 2007-12-23 15:11 337,920 --a------ C:\WINDOWS\system32\geedd.exe.vir
2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-12-23 13:56 . 2007-12-23 13:56 <DIR> d-------- C:\Program Files\CrossLoop
2007-12-22 16:00 . 2007-12-22 16:00 <DIR> d-------- C:\Program Files\CCleaner
2007-12-22 15:46 . 2007-12-22 15:46 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Grisoft
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-22 15:38 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-22 12:24 . 2007-12-23 15:16 334,336 --a------ C:\WINDOWS\system32\geedd.dll.vir
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Program Files\Trojan Remover
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Simply Super Software
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-12-22 12:19 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-12-22 12:19 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-12-22 12:19 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-12-22 12:19 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-12-22 12:19 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-12-22 11:52 . 2007-12-22 11:52 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-12-22 11:29 . 2007-12-22 11:54 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-22 11:29 . 2007-12-22 11:54 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-22 10:19 . 2007-12-22 10:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 02:27 . 2005-04-20 02:48 9,728 --a------ C:\WINDOWS\system32\spoolvs.exe.vir
2007-12-22 02:23 . 2007-12-22 02:23 <DIR> d--hs---- C:\FOUND.006
2007-12-22 01:53 . 2005-04-20 01:22 9,728 --a------ C:\WINDOWS\system32\printer.exe.vir
2007-12-22 00:46 . 2007-12-22 00:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 23:29 . 2007-12-21 23:29 5,706 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-21 20:31 . 2007-12-23 15:45 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-12-21 20:30 . 2007-12-21 20:30 337,920 --a------ C:\WINDOWS\system32\RCX57.tmp
2007-12-21 20:30 . 2007-12-23 15:45 118,784 --a------ C:\WINDOWS\system32\igfxpers.exe
2007-12-21 20:30 . 2007-12-23 15:45 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-21 20:30 . 2007-12-22 12:35 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-12-21 20:30 . 2007-12-23 15:45 40,960 --a------ C:\WINDOWS\VM_STI.EXE
2007-12-21 16:13 . 2007-12-22 10:54 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-21 14:27 . 2007-12-23 15:17 2,960 --ahs---- C:\WINDOWS\system32\ddeeg.ini2.vir
2007-12-21 14:27 . 2007-12-23 15:17 2,960 --ahs---- C:\WINDOWS\system32\ddeeg.ini.vir
2007-12-21 14:24 . 2007-12-21 14:24 26,624 -r-hs---- C:\Program Files\lsass.exe
2007-12-21 14:22 . 2007-12-21 14:22 <DIR> d-------- C:\WINDOWS\system32\njprckha
2007-12-21 14:22 . 2007-12-21 14:22 0 --a------ C:\Install
2007-12-21 14:21 . 2007-12-21 14:21 <DIR> d-------- C:\Program Files\Bwfzeple
2007-12-21 14:21 . 2007-12-22 12:20 39,936 --a------ C:\WINDOWS\system32\awtuttq.dll.vir
2007-12-21 14:21 . 2007-12-21 14:21 21,504 --a------ C:\WINDOWS\system32\winexi32.dll
2007-11-24 23:01 . 2007-11-24 23:01 <DIR> d-------- C:\Program Files\iPod
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 23:20 457,728 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-23 23:20 433,152 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-23 23:20 379,392 ----a-w C:\WINDOWS\Vm_sti.exe
2007-12-23 18:42 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\Lap Yin Leung\Application Data\XemiComputers
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\XemiComputers
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{103BE4BD-AEF6-46BC-879F-73483D202639}]
2007-12-23 15:45 334336 --a------ C:\WINDOWS\system32\geedd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00]
"SpybotSD TeaTimer"="D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"PcSync"="D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-23 15:20]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-23 15:45]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2007-12-23 15:45]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-23 15:45]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2007-12-23 15:45]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-12-23 15:46]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2007-12-23 15:46]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2007-12-23 15:46]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-12-23 15:46]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-12-23 15:46]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2007-12-23 15:46]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-12-23 15:46]
"DAEMON Tools-1033"="D:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-12-23 15:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-12-23 15:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-23 15:46]
"LXCRCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 03:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Active Desktop Calendar]
2007-10-19 11:08 3678208 --a------ D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]
2005-10-24 16:45 2462208 --a------ C:\Acer\Empowering Technology\admtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
D:\Program Files\BitComet\BitComet.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
D:\Useless Software\bt\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
D:\Useless Software\Demontool 4.08HE 32bit\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2005-12-27 15:50 69632 --a------ C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 13:56 64512 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-02-06 21:10 98304 --a------ C:\Program Files\Lexmark 2400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foxy]
D:\Program Files\Foxy\Foxy.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-21 23:33 696320 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
2006-03-06 09:48 286720 --a------ C:\Program Files\Lexmark 2400 Series\lxcrmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
D:\Junk Software\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\system32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys [2004-12-08 14:10]
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys [2006-06-16 19:17]
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys [2006-06-16 19:17]
R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys [2006-06-16 19:17]
S2 MLPTDR_B;MLPTDR_B;C:\WINDOWS\system32\MLPTDR_B.sys [2003-09-02 13:06]
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe
\Shell\setup\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec454-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec455-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 15:46:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\geedd.dll
.
Completion time: 2007-12-23 15:50:36 - machine was rebooted
.
2007-12-12 09:27:52 --- E O F --- |
ineedhelp2008 (13207) | ||
| 623764 | 2007-12-23 23:57:00 | This is the HijackThis log. I cannot fix geedd.exe; I still cannot use the delete-on-reboot function in HijackThis. wowfx.dll seems to be gone now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:49 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\VM_STI.EXE
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\LAPYIN~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = us.rd.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = www.aceradvantage.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PcSync] D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - cdn.scan.safety.live.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9790 bytes |
ineedhelp2008 (13207) | ||
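One way to triage the loading points the two posted logs show, as an added example that is not ComboFix, HijackThis or the posters' code: a Python pass over the ComboFix "Reg Loading Points" section and the HijackThis F3 line that checks the LSA packages, SecurityProviders and load= entries against the Windows XP SP2 defaults, then correlates any module that appears under more than one hook. The excerpt in SAMPLE_LOG is constructed from the logs above; the default sets and the key-matching rules are the example's own assumptions.

```python
"""Triage of ComboFix / HijackThis loading points for non-default persistence.
Added example for this thread, not code from ComboFix, HijackThis or the posters;
baselines are the Windows XP SP2 defaults (assumption: stock XP SP2, per the HijackThis header)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Defaults for the keys the posted ComboFix log shows. Extra entries load at boot
# (into lsass.exe, or into every SSPI-using process) and can rewrite a deleted DLL.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_NOTIFICATION_PACKAGES = {"scecli"}
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed excerpt: the relevant "Reg Loading Points" lines of the ComboFix log
# posted above plus the HijackThis F3 line, with the forum's spacing repaired.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{103BE4BD-AEF6-46BC-879F-73483D202639}]
2007-12-23 15:45 334336 --a------ C:\WINDOWS\system32\geedd.dll
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
"""

@dataclass(frozen=True)
class Finding:
    mechanism: str  # which loading point the value came from
    value: str      # the path or module name exactly as the log shows it
    note: str       # why it is worth a look

def _stem(path: str) -> str:
    """Lower-case file name without directory or extension: ...\\geedd.exe -> geedd."""
    name = path.strip().replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower() if "." in name else name.lower()

def audit_loading_points(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current [registry key] header, and flag
    values that are not in the default set for that key."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = re.match(r"^(Authentication|Notification) Packages\s+REG_MULTI_SZ\s+(.*)$", line)
        if m and section.endswith(r"control\lsa"):
            kind = m.group(1).lower()
            defaults = DEFAULT_AUTH_PACKAGES if kind == "authentication" else DEFAULT_NOTIFICATION_PACKAGES
            for pkg in m.group(2).split():  # ComboFix prints REG_MULTI_SZ entries space-separated
                if _stem(pkg) not in defaults:
                    findings.append(Finding(f"lsa_{kind}_packages", pkg, f"not a default XP {kind} package"))
            continue
        m = re.match(r"^SecurityProviders\s+(.*)$", line)
        if m and section.endswith("securityproviders"):
            for dll in (d.strip() for d in m.group(1).split(",")):
                if dll.lower() not in DEFAULT_SECURITY_PROVIDERS:
                    findings.append(Finding("security_providers", dll, "not a default XP security provider"))
            continue
        # The win.ini "load=" entry and its registry mirror are empty on a clean system.
        m = re.match(r'^"load"=(.+)$', line)
        if m and section.endswith(r"windows nt\currentversion\windows"):
            findings.append(Finding("winnt_load", m.group(1).strip(), "load= should be empty"))
            continue
        m = re.match(r"^F3 - REG:win\.ini: load=(.+)$", line)
        if m:
            findings.append(Finding("win_ini_load", m.group(1).strip(), "load= should be empty"))
            continue
        # BHOs are recorded, not judged: legitimate toolbars live here too; correlation decides.
        m = re.search(r"([A-Za-z]:\\.+)$", line)
        if m and "browser helper objects" in section:
            findings.append(Finding("bho", m.group(1).strip(), "BHO DLL loaded into Explorer and IE"))
    return findings

def correlate(findings: list[Finding]) -> dict[str, set[str]]:
    """Group findings by file stem: one module hooked into several loading points
    (the thread's geedd.dll / geedd.exe / geedd pattern) has to be removed as a set."""
    by_stem: dict[str, set[str]] = {}
    for f in findings:
        by_stem.setdefault(_stem(f.value), set()).add(f.mechanism)
    return by_stem

if __name__ == "__main__":
    found = audit_loading_points(SAMPLE_LOG)
    for f in found:
        print(f"{f.mechanism:28} {f.value}  ({f.note})")
    for stem, mechs in sorted(correlate(found).items()):
        print(f"{stem}: hooked via {', '.join(sorted(mechs))}")
```

Run against the excerpt it reports geedd under four separate hooks and wowfx.dll under SecurityProviders, which is why deleting one file at a time never sticks: every hook still present re-creates the others at the next boot or logon.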
| 623765 | 2007-12-24 00:15:00 | I did run ComboFix, but got no results or file for me. | caldas (13208) | ||
| 623766 | 2007-12-24 00:28:00 | Disable TeaTimer. That may be causing probs; then try again. | Speedy Gonzales (78) | ||