Thread ID: 85813 | 2007-12-23 01:37:00 | My PC is infected by printer.exe and possibly ultimate defender | ineedhelp2008 (13207) | Press F1
Post 623787 | 2007-12-24 07:10:00 | ineedhelp2008 (13207)

> I have lost track of this posting - did you ever manage to disable System Restore? If not then some of these bugs will more than likely be getting put back after every reboot. Just looking through the HJT log I see you only have AVG as the antivirus - as pointed out before I suggest you get a good antivirus - AVG is useless. Download the Nod32 trial from here (www.eset.com). Nod WILL get into the restore, AVG won't.

I do disable system restore <--- this is wrong. You are right.. system restore is enabled again!... I disabled it before, now I will disable it again and run those things once more.
Post 623788 | 2007-12-24 07:22:00 | wainuitech (129)

> I do disable system restore <--- this is wrong

Errrrr. System Restore keeps track of the reg among other things; what happens is if infections get into restore, even if you get the system clean, sometimes depending on the infection it will reinfect the PC as soon as you reboot it. It is an endless battle. Why do you say it's wrong? By disabling Restore it deletes all the restore points, both clean and the infected points. If I read how you put it, even if you disable restore it's turning itself back on? Never heard of that happening before, and I do this for a living - once it's off it's normally off. Seriously, if you only have AVG as the antivirus, download Nod32 - it's far better than AVG and will get into System Restore to clean it - AVG can't.
Post 623789 | 2007-12-24 07:57:00 | ineedhelp2008 (13207)

> Errrrr. System Restore keeps track of the reg among other things; what happens is if infections get into restore, even if you get the system clean, sometimes depending on the infection it will reinfect the PC as soon as you reboot it. It is an endless battle. Why do you say it's wrong? By disabling Restore it deletes all the restore points, both clean and the infected points. If I read how you put it, even if you disable restore it's turning itself back on? Never heard of that happening before, and I do this for a living - once it's off it's normally off. Seriously, if you only have AVG as the antivirus, download Nod32 - it's far better than AVG and will get into System Restore to clean it - AVG can't.

I mean I was wrong about thinking I had disabled System Restore while it was not, because I disabled it this afternoon but now I found that it is back. I think it might be ComboFix doing this.. as it says it creates a system restore point when I use it.
Post 623790 | 2007-12-24 08:05:00 | wainuitech (129)

> I think it might be ComboFix doing this.. as it says it creates a system restore point when I use it

Possible. Try the Nod32 after turning off restore again and see what happens.
Post 623791 | 2007-12-24 09:25:00 | ineedhelp2008 (13207)

Ok.. let me sum up what I have done.

I used Avenger, suggested by pancakes, to delete the four infected files:

```text
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\geedd.exe deleted successfully.
File C:\WINDOWS\system32\geedd.dll deleted successfully.
File C:\WINDOWS\system32\ddeegg.ini not found!
Deletion of file C:\WINDOWS\system32\ddeegg.ini failed!
Could not process line: C:\WINDOWS\system32\ddeegg.ini
Status: 0xc0000034
File C:\WINDOWS\system32\ddeegg.ini2 not found!
Deletion of file C:\WINDOWS\system32\ddeegg.ini2 failed!
Could not process line: C:\WINDOWS\system32\ddeegg.ini2
Status: 0xc0000034
Completed script processing.
2 success, 2 failure
```

Trojan Remover says it cannot find geedd.exe but finds a registry entry that is calling it.

I don't think I should use ComboFix any more because it says it sets up a system restore point, which might activate System Restore (which is also what we don't want).

But I can find all four of them in my system32 folder. I found ddeeg.ini and ddeeg.ini2 as hidden files in the system32 folder, and in "Properties" they are checked Archive and Hidden; it would not allow me to uncheck Hidden since it is greyed out, but it would allow me to uncheck Archive. I opened ddeeg.ini and ddeeg.ini2 in Notepad, deleted all their content and saved.

Can it be something in the registry that prevents me from deleting these files? I think geedd.exe is constantly adding registry entries to HKEYLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Help Object\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} where xxx is the notation we use when we are working in a "16nary" system (I don't know what it is called, u know the one where u add a digit for every sixteen). And this program is smart, because it changes the registry file name to try to stop me from denying it to add a value in my registry.

I will try to use the programs given by u guys to remove the file on reboot. And I will make sure System Restore is off.
Post 623792 | 2007-12-24 09:39:00 | Speedy Gonzales (78)

If Trojan Remover picks geedd.exe up, select delete reference from the registry, then reboot. Run regedit, then search for wowfx.dll, geedd.exe, and geedd.dll and delete their entries; make sure you don't delete anything else. Then close regedit, then reboot. While System Restore is off.
Post 623793 | 2007-12-24 10:49:00 | ineedhelp2008 (13207)

Trojan Remover says C:\WINDOWS\system32\geedd.dll is called by HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{473FA96D-3459-4FDC-ABA0-61EF1A7A247F}. Something other than wowfx.dll, geedd.exe, geedd.dll, ddeeg.ini, ddeeg.ini2 must be creating this registry entry every time on reboot, even after System Restore is turned off. Not only that, it also creates ggeedd.exe, geedd.dll, ddeeg.ini, ddeeg.ini2 after they are renamed and the reference registry name is deleted. The problem is not solved.
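A defender-side check for the situation in this post, added here as an example (not code from the thread or from any tool named in it): it lists every registered Browser Helper Object, resolves each CLSID to the DLL it loads, and reports whether that file exists, carries the Hidden and System attributes (both set is why the Hidden box is greyed out in Properties), and whether it is Authenticode-signed. It assumes an elevated PowerShell session on the affected machine and the standard HKCR\CLSID\{guid}\InprocServer32 lookup.

```powershell
# Added example, not from the thread. Ties each BHO registry entry (like the CLSID
# in the post above) to the file on disk it loads so it can be checked.
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoReport {
    param([string]$Key = $BhoKey)
    if (-not (Test-Path -Path $Key)) { return }       # no BHOs registered at all
    foreach ($sub in Get-ChildItem -Path $Key) {
        $clsid  = $sub.PSChildName                     # e.g. {473FA96D-3459-4FDC-ABA0-61EF1A7A247F}
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -Path $server) {
            # The (default) value of InprocServer32 is the DLL path COM will load
            $dll = (Get-ItemProperty -Path $server).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $hidden = $false; $system = $false; $signed = 'n/a'
        if ($exists) {
            # -Force is required, otherwise Get-Item skips hidden/system files
            $attrs  = (Get-Item -LiteralPath $dll -Force).Attributes
            $hidden = ($attrs -band [IO.FileAttributes]::Hidden) -ne 0
            $system = ($attrs -band [IO.FileAttributes]::System) -ne 0
            $signed = (Get-AuthenticodeSignature -FilePath $dll).Status
        }
        [pscustomobject]@{
            CLSID = $clsid; Dll = $dll; Exists = $exists
            Hidden = $hidden; System = $system; Signature = $signed
        }
    }
}

# Unsigned, hidden+system, or missing DLLs are the entries to investigate first
Get-BhoReport | Sort-Object Signature | Format-Table -AutoSize
```

Run it once before and once after a reboot; an entry that is absent in the first run and present in the second points at whatever else starts at boot rather than at the DLL itself.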
Post 623794 | 2007-12-24 12:02:00 | apsattv (7406)

Run Prevx CSI and see what it identifies. I just cleaned up a machine in the USA the other night using CrossLoop. I used Trojan Remover 6.6, Nod32, Spybot S&D and Prevx CSI to confirm that it was clear. Didn't disable System Restore; Nod32 took care of cleaning that.
Post 623795 | 2007-12-24 12:06:00 | apsattv (7406)

I should add they were using BitDefender 8 and it was screwed. Uninstalled that and going fine now with Nod32 2.7.
Post 623796 | 2007-12-24 20:39:00 | ineedhelp2008 (13207)

Trojan Remover says geedd.dll is Adware.VirtuMonde. I used the remover from Symantec; it does not help. I tried Prevx CSI, it found some files and I deleted them, but they come back on reboot. I am sure I have System Restore disabled.