bamajim
10.4K Posts
0
January 14th, 2008 13:00
Let's see what's in hiding
Locate and open the C:\Program Files\Trend Micro\HijackThis folder. Locate the HijackThis.exe file. Rt click that file ->> Select rename ->> rename it H.exe.
Then rerun H.exe (formerly Hijackthis.exe) and post a fresh log.
"The world is what you make of it"
2Trippin
27 Posts
0
January 14th, 2008 16:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:34 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\H\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Kaboodle Toolbar - {92857633-2441-4A14-8236-DFCB97AD3E87} - C:\PROGRA~1\kaboodle\KABOOD~1\KTBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp .exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193516424291
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} - http://stores.homestead.com/storeadmin/utilities/pssbedit.cab
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
End of file - 4791 bytes
bamajim
10.4K Posts
0
January 14th, 2008 18:00
"The world is what you make of it"
2Trippin
27 Posts
0
January 14th, 2008 20:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:44 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\H\H.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: KTBho Class - {25EDC164-41A6-47C3-80BD-5E4FBE1BA7AB} - C:\PROGRA~1\kaboodle\KABOOD~1\KTBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {EFD9D47C-641A-44C7-B538-A8506034F401} - C:\WINDOWS\system32\geeba.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Kaboodle Toolbar - {92857633-2441-4A14-8236-DFCB97AD3E87} - C:\PROGRA~1\kaboodle\KABOOD~1\KTBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp .exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193516424291
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} - http://stores.homestead.com/storeadmin/utilities/pssbedit.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuvttu - vtuvttu.dll (file missing)
O20 - Winlogon Notify: winppp32 - winppp32.dll (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
End of file - 5806 bytes
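The second log above is the one the helper acts on, and the entries he later targets share a few recognisable traits: a space before the extension (`avp .exe`, later `lsass .exe`), a Run entry that is only a bare filename (`mgrs.exe`), an unnamed BHO that points at a real DLL in system32 (`geeba.dll`), and Winlogon Notify or service entries whose file is missing. As an added example that is not code from the thread or from HijackThis, here is a small Python triage pass that flags exactly those traits in HijackThis-style lines. The sample lines are constructed for this example and modelled on the log above; the rule set and the wording of each reason are my own.

```python
"""Triage pass over HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the entries in this thread's log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {EFD9D47C-641A-44C7-B538-A8506034F401} - C:\WINDOWS\system32\geeba.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp .exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuvttu - vtuvttu.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
"""


@dataclass
class Finding:
    line: str    # the log line that triggered the rule
    reason: str  # why a reviewer should look at it


# Every HijackThis entry starts with its section tag, e.g. "O4 - " or "R1 - ".
SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+")
# A space right before the extension: "avp .exe" looks like "avp.exe" in a listing
# but is a different file, so the legitimate-looking name proves nothing.
SPACE_BEFORE_EXT_RE = re.compile(r"\S \.(exe|dll|com|scr)\b", re.IGNORECASE)
# The command of an O4 Run entry is everything after the "[name]" tag.
RUN_CMD_RE = re.compile(r"^O4 - .*?\[[^\]]*\]\s*(.*)$")


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per rule hit, in log order. Findings are review
    candidates, not verdicts."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section = m.group(1)

        if SPACE_BEFORE_EXT_RE.search(line):
            findings.append(Finding(line, "space before file extension (look-alike name)"))

        if section == "O4":
            cmd = RUN_CMD_RE.match(line)
            # No backslash anywhere: the binary is resolved via the search path,
            # so the log does not tell you where it actually lives.
            if cmd and "\\" not in cmd.group(1):
                findings.append(Finding(line, "Run entry with bare filename (resolved via PATH, origin unknown)"))

        if section == "O2" and "(no name)" in line and not line.endswith(("(no file)", "(file missing)")):
            findings.append(Finding(line, "unnamed BHO backed by a real file"))

        if section in ("O20", "O23") and line.endswith("(file missing)"):
            findings.append(Finding(line, f"{section} load point whose target is missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60s} <- {f.line}")
```

Each finding carries its reason because the same surface pattern has benign causes: a `(file missing)` service is often the residue of an uninstalled product (the SDHelper BHO in the log above is a Spybot leftover), while a Winlogon Notify DLL that is missing from disk yet still registered is worth a second look, which is why the O20 rule fires on it.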
bamajim
10.4K Posts
0
January 14th, 2008 20:00
Well done.
Please download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.
"The world is what you make of it"
2Trippin
27 Posts
0
January 14th, 2008 20:00
2Trippin
27 Posts
0
January 14th, 2008 21:00
ComboFix 08-01-15.3 - DJ 2008-01-14 18:13:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.138 [GMT -5:00]
Running from: C:\Documents and Settings\DJ.MARINE-480RR1Q1\My Documents\Downloaded Programs\Tools\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\DrvTrNTl.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.exe
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.
2008-01-14 18:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 23:47 . 2008-01-14 17:49
2008-01-13 23:26 . 2008-01-15 18:28 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
2008-01-13 23:26 . 2008-01-15 18:28 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
2008-01-13 21:42 . 2008-01-15 18:30
2008-01-13 21:42 . 2008-01-13 21:42
2008-01-13 21:42 . 2008-01-13 21:42
2008-01-13 21:42 . 2008-01-13 21:42
2008-01-13 18:59 . 2008-01-13 19:48
2008-01-13 17:09 . 2008-01-13 18:19
2008-01-13 08:43 . 2008-01-13 19:03 366,592 --a------ C:\WINDOWS\lsass .exe
2008-01-12 17:45 . 2008-01-12 17:45
2008-01-12 17:45 . 2008-01-15 18:29 13,048 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-12 16:51 . 2008-01-15 18:28 25,296 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
2008-01-12 16:51 . 2008-01-15 18:28 25,296 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
2008-01-12 16:51 . 2008-01-15 18:28 16,948 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
2008-01-12 16:51 . 2008-01-15 18:28 16,948 --a------ C:\WINDOWS\system32\BMXState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
2008-01-12 16:51 . 2008-01-15 18:28 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-01-12 16:51 . 2008-01-15 18:28 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-01-12 14:33 . 2008-01-12 14:33 54,764 --a------ C:\WINDOWS\system32\dxdss.sys
2008-01-12 14:33 . 2008-01-12 14:33 2 --a------ C:\408352875
2007-12-30 11:11 . 2007-12-30 14:25 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2007-12-22 21:00 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-22 20:58 . 2007-12-22 20:58
2007-12-17 14:38 . 2007-12-17 14:38
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 19:50 --------- d-----w C:\Program Files\Common Files\Vbox
2008-01-15 23:30 338,944 ----a-w C:\WINDOWS\system32\geeba.exe
2008-01-14 00:49 --------- d-----w C:\Program Files\Serials 2000 7.1 Plus
2008-01-13 19:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2007-12-30 16:11 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-26 01:24 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-26 00:54 --------- d-----w C:\Documents and Settings\DJ.MARINE-480RR1Q1\Application Data\Ahead
2007-12-23 02:00 --------- d-----w C:\Program Files\Java
2007-12-02 14:05 --------- d-----w C:\Documents and Settings\DJ.MARINE-480RR1Q1\Application Data\gtk-2.0
2007-12-01 14:59 --------- d-----w C:\Program Files\GIMP-2.0
2007-11-22 16:20 --------- d-----w C:\Program Files\Yahoo!
2007-11-02 18:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-02 18:26 389,120 ------w C:\WINDOWS\Setup1.exe
2004-09-13 17:56 57,424 -c--a-w C:\Documents and Settings\DJ.MARINE-480RR1Q1\Application Data\GDIPFONTCACHEV1.DAT
2004-01-27 18:23 3,149 -c--a-w C:\Program Files\Common Files\remove_tools.html
2003-05-21 23:45 461 -c--a-w C:\Program Files\INSTALL.LOG
2001-04-27 02:45 266 --sh--w C:\Program Files\desktop.ini
2001-04-27 02:45 11,079 -c-ha-w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
2008-01-15 18:30 335360 --------- C:\WINDOWS\system32\geeba.dll
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-15 18:13 1771520]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 13:16 5058560]
"avp"="C:\WINDOWS\avp .exe" [ ]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1997-09-23 05:30 35328]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
vtuvttu.dll
winppp32.dll
"load"=C:\WINDOWS\system32\geeba.exe
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geeba
R3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys [2003-02-27 15:27]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-29 00:59]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 00:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]
S3 kazoo;Kazoo.sys Kazoo Device driver;C:\WINDOWS\system32\Drivers\Kazoo.sys [2002-05-08 10:56]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [1997-10-08 18:35]
**************************************************************************
Rootkit scan 2008-01-15 18:32:50
Windows 5.1.2600 Service Pack 2 NTFS
hidden files: 0
.
--------------------- DLLs Loaded Under Running Processes ---------------------
-> C:\WINDOWS\system32\geeba.dll
.
Completion time: 2008-01-15 18:39:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 23:39:36
2Trippin
27 Posts
0
January 14th, 2008 21:00
Geeba.dll is still in the system32 file. So are its 2 .ini files, which I can delete but immediately re-appear. When I try to delete Geeba.dll a warning says that I cannot as the file is in use.
2Trippin
27 Posts
0
January 14th, 2008 21:00
bamajim
10.4K Posts
0
January 15th, 2008 13:00
Geeba.dll file is still in the system32 file and not deletable. Did I do something wrong?
You didn't do anything wrong. Sometimes it takes a run or two at these infections to completely remove them.
1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.exe
RENV::
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Windows Defender\MSASCui .exe
C:\WINDOWS\lsass .exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A599530-128A-47BE-9620-77FE3E50AFA6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avp"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvttu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winppp32]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop
Using the image as a reference, drag CFScript into ComboFix.exe
Follow the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.
"The world is what you make of it"
Message Edited by bamajim on 01-15-2008 09:07 AM
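The script in the post above is in ComboFix's CFScript layout: `File::` lists files to remove, `RENV::` lists the `name .exe` files to be renamed, and `Registry::` uses REGEDIT4 syntax, where `[-KEY]` deletes a key and `"name"=-` deletes a value under the key named on the preceding `[KEY]` line. Since the post warns that such a script is written for one machine, a reviewer wants to see what it will do before it runs. As an added example that is neither ComboFix's code nor the thread's, here is a Python dry-run parser that turns a CFScript into a structured plan and applies two review checks (only absolute paths, no deletion of a whole hive or top-level key). Assumptions: `RENV::` is read as a plain list of paths to rename, which is how the thread uses it (its exact semantics are not documented on this page), and ComboFix's `~` key abbreviation is passed through unchanged. The sample script is constructed from the paths and keys in the post above.

```python
"""Dry-run parser for a ComboFix CFScript (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the CFScript layout used in this thread.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.exe

RENV::
C:\WINDOWS\lsass .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A599530-128A-47BE-9620-77FE3E50AFA6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avp"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
"""


@dataclass
class Plan:
    delete_files: list[str] = field(default_factory=list)
    rename_files: list[str] = field(default_factory=list)   # RENV:: entries (assumed rename list)
    delete_keys: list[str] = field(default_factory=list)    # from "[-KEY]"
    delete_values: list[tuple[str, str]] = field(default_factory=list)  # (key, value name) from '"name"=-'
    unknown: list[str] = field(default_factory=list)        # lines the parser did not understand


SECTION_RE = re.compile(r"^([A-Za-z]+)::$")       # File::, RENV::, Registry::
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")             # "[KEY]" selects, "[-KEY]" deletes
VALUE_DEL_RE = re.compile(r'^"([^"]*)"=-$')        # '"name"=-' deletes a value


def parse_cfscript(text: str) -> Plan:
    """Translate the script into a Plan without touching the system."""
    plan = Plan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            plan.delete_files.append(line)
        elif section == "renv":
            plan.rename_files.append(line)
        elif section == "registry":
            km = KEY_RE.match(line)
            if km:
                if km.group(1) == "-":
                    plan.delete_keys.append(km.group(2))
                    current_key = None          # a deleted key cannot host value edits
                else:
                    current_key = km.group(2)
                continue
            vm = VALUE_DEL_RE.match(line)
            if vm and current_key:
                plan.delete_values.append((current_key, vm.group(1)))
            else:
                plan.unknown.append(line)       # e.g. a value line with no [KEY] above it
        else:
            plan.unknown.append(line)           # text outside any section
    return plan


def sanity_check(plan: Plan) -> list[str]:
    """Review checks before a script is run: only absolute file paths, and no
    deletion of a whole hive or a top-level key such as HKLM\\SOFTWARE."""
    problems = []
    for p in plan.delete_files + plan.rename_files:
        if not re.match(r"^[A-Za-z]:\\", p):
            problems.append(f"relative or malformed path: {p}")
    for k in plan.delete_keys:
        if k.count("\\") < 2:
            problems.append(f"key deletion too broad: {k}")
    return problems


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    print(plan)
    print("problems:", sanity_check(plan) or "none")
```

Lines that the parser cannot place end up in `unknown` rather than being silently dropped, so a mis-typed section header or a value line without its `[KEY]` shows up in the review instead of being ignored by a dry run and then interpreted differently by the real tool.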
2Trippin
27 Posts
0
January 15th, 2008 21:00
ComboFix 08-01-16.1 - DJ 2008-01-16 17:57:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.169 [GMT -5:00]
Running from: C:\Documents and Settings\DJ.MARINE-480RR1Q1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DJ.MARINE-480RR1Q1\Desktop\CFscript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.exe
.
The following files were disabled during the run:
C:\WINDOWS\system32\DrvTrNTl.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.exe
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.
2008-01-14 18:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 23:47 . 2008-01-14 17:49
2008-01-13 23:26 . 2008-01-16 18:12 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
2008-01-13 23:26 . 2008-01-16 18:12 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
2008-01-13 21:42 . 2008-01-16 18:15
2008-01-13 21:42 . 2008-01-13 21:42
2008-01-13 21:42 . 2008-01-13 21:42
2008-01-13 21:42 . 2008-01-13 21:42
2008-01-13 18:59 . 2008-01-16 17:57
2008-01-13 17:09 . 2008-01-13 18:19
2008-01-12 17:45 . 2008-01-12 17:45
2008-01-12 17:45 . 2008-01-15 18:29 13,048 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-12 16:51 . 2008-01-16 18:12 25,296 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
2008-01-12 16:51 . 2008-01-16 18:12 25,296 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
2008-01-12 16:51 . 2008-01-16 18:12 16,516 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
2008-01-12 16:51 . 2008-01-16 18:12 16,516 --a------ C:\WINDOWS\system32\BMXState-{00000000-00000000-0000000D-00001102-00000002-80651102}.rfx
2008-01-12 16:51 . 2008-01-16 18:12 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-01-12 16:51 . 2008-01-16 18:12 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-01-12 14:33 . 2008-01-12 14:33 54,764 --a------ C:\WINDOWS\system32\dxdss.sys
2008-01-12 14:33 . 2008-01-12 14:33 2 --a------ C:\408352875
2007-12-30 11:11 . 2007-12-30 14:25 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2007-12-22 21:00 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-22 20:58 . 2007-12-22 20:58
2007-12-17 14:38 . 2007-12-17 14:38
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 19:50 --------- d-----w C:\Program Files\Common Files\Vbox
2008-01-14 00:49 --------- d-----w C:\Program Files\Serials 2000 7.1 Plus
2008-01-13 19:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2007-12-30 16:11 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-26 01:24 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-26 00:54 --------- d-----w C:\Documents and Settings\DJ.MARINE-480RR1Q1\Application Data\Ahead
2007-12-23 02:00 --------- d-----w C:\Program Files\Java
2007-12-02 14:05 --------- d-----w C:\Documents and Settings\DJ.MARINE-480RR1Q1\Application Data\gtk-2.0
2007-12-01 14:59 --------- d-----w C:\Program Files\GIMP-2.0
2007-11-22 16:20 --------- d-----w C:\Program Files\Yahoo!
2007-11-02 18:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-02 18:26 389,120 ------w C:\WINDOWS\Setup1.exe
2004-09-13 17:56 57,424 -c--a-w C:\Documents and Settings\DJ.MARINE-480RR1Q1\Application Data\GDIPFONTCACHEV1.DAT
2004-01-27 18:23 3,149 -c--a-w C:\Program Files\Common Files\remove_tools.html
2003-05-21 23:45 461 -c--a-w C:\Program Files\INSTALL.LOG
2001-04-27 02:45 266 --sh--w C:\Program Files\desktop.ini
2001-04-27 02:45 11,079 -c-ha-w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((( snapshot@2008-01-15_18.38.55.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-14 23:11:03 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000001\NTUSER.DAT
+ 2008-01-16 22:54:36 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000001\NTUSER.DAT
- 2008-01-14 23:11:03 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000002\UsrClass.dat
+ 2008-01-16 22:54:36 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000002\UsrClass.dat
- 2008-01-14 23:11:04 7,028,736 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000003\NTUSER.DAT
+ 2008-01-16 22:54:36 7,028,736 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000003\NTUSER.DAT
- 2008-01-14 23:11:04 409,600 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000004\UsrClass.dat
+ 2008-01-16 22:54:36 409,600 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000004\UsrClass.dat
- 2008-01-14 23:11:04 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000005\NTUSER.DAT
+ 2008-01-16 22:54:36 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000005\NTUSER.DAT
- 2008-01-14 23:11:04 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000006\UsrClass.dat
+ 2008-01-16 22:54:36 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\ 00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
2008-01-16 18:15 335360 --------- C:\WINDOWS\system32\geeba.dll
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-16 17:57 1771520]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 13:16 5058560]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1997-09-23 05:30 35328]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"load"=C:\WINDOWS\system32\geeba.exe
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geeba
R3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys [2003-02-27 15:27]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-29 00:59]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 00:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]
S3 kazoo;Kazoo.sys Kazoo Device driver;C:\WINDOWS\system32\Drivers\Kazoo.sys [2002-05-08 10:56]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [1997-10-08 18:35]
**************************************************************************
Rootkit scan 2008-01-16 18:17:08
Windows 5.1.2600 Service Pack 2 NTFS
hidden files: 0
.
--------------------- DLLs Loaded Under Running Processes ---------------------
-> C:\WINDOWS\system32\geeba.dll
.
Completion time: 2008-01-16 18:23:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 23:23:40
ComboFix2.txt 2008-01-15 23:39:47
bamajim
10.4K Posts
0
January 15th, 2008 23:00
It's trying to be difficult
1. Please download The Avenger by Swandog46 to your Desktop.
Click on Avenger.zip to open the file.
Extract avenger.exe to your desktop (How to extract (decompress) zipped or compressed files, help in the link here:)
2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
Paste the text you copied above to clipboard into this window by pressing (Ctrl+V).
Click *Done*
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer.
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh combofix log.
"The world is what you make of it"