# Solved: Trojan.Win32.BHO.c



## Shelbyvilian (Mar 25, 2006)

Hello and Thank You,

I have a new Dell system, about 4 months old. Running Iolo System Mechanic Professional 6. The Kaspersky Anti-Virus reported two dangerous objects:

winlogon.exe\geeda.dll
explorer.exe\geeda.dll

If I attempt to process and remove them, I get the blue screen. If I boot in safe mode, the AV program reports the files are processed and deleted, but the file remains. If I close and restart the AV program, still in safe mode, it again reports the dangerous objects. 

c:\windows\system32\geeda.dll 
Size 38,925 bytes
Created 8-Mar, 10:32:29PM EST

I have the latest virus definitions, and cannot find anything specific on this particular virus. So I'm not sure of the dangers or risks from this infection, nor how to get rid of the darn thing. 

I've been dealing with Iolo support for a week, with no good results. They even tried to pawn me off to Kaspersky, who refused to help. My wife has promised dire consequences should I fail to repair this soon. Your help is very much appreciated!

-Shelbyvilian


----------



## Cheeseball81 (Mar 3, 2004)

Welcome to TSG 

Click here to download *HJTsetup.exe*: http://www.thespykiller.co.uk/files/HJTSetup.exe
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to *C:\Program Files\Hijack This*.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## Shelbyvilian (Mar 25, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 12:48:47 PM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydial/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://suscom.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...sbcydial/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydial/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\system32\geeda.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Dustin\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.techguy.org
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: geeda - C:\WINDOWS\SYSTEM32\geeda.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

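The log above already contains the diagnosis: the same DLL is registered both as a Browser Helper Object (the O2 entry) and as a Winlogon Notify package (the O20 entry). A BHO is loaded into Internet Explorer and Explorer, and a Notify package is mapped into winlogon.exe at logon, which is consistent with Kaspersky naming the objects winlogon.exe\geeda.dll and explorer.exe\geeda.dll and with the failed deletes and the blue screen. The following Python script is an added example, not HijackThis, VundoFix or code from anyone in this thread; it applies that reasoning as triage rules over HijackThis log lines. The rule set and the severity labels are the editor's own heuristics, and the sample lines in SAMPLE_LOG are copied from the log above, trimmed to the entries the rules act on.

```python
"""Triage a HijackThis v1.99 log for a BHO + Winlogon Notify persistence pair.

Added example for this thread; not HijackThis, VundoFix or Kaspersky code.
The rules and severity labels are the editor's own heuristics.  SAMPLE_LOG
holds lines copied from the log posted in the thread, trimmed to the entries
the rules act on.
"""
import re
import sys

# Line shapes for the HijackThis sections used here (O2, O4, O20, O23).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\system32\geeda.dll",
    r"O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll",
    r"O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll",
    r"O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Dustin\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE",
    r'O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize',
    r"O20 - Winlogon Notify: geeda - C:\WINDOWS\SYSTEM32\geeda.dll",
    r"O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe",
    r"O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)",
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2, "low": 3}


def _basename(path):
    """Lower-cased file name from a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def _exe_from_cmd(cmd):
    """Executable part of an O4 command line: the quoted token when quoted,
    otherwise the whole string (the unquoted entries in this log carry no arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd


def triage(lines):
    """Return (severity, section, subject, reason) tuples for the lines worth acting on."""
    findings = []
    bho_dlls = set()     # basenames registered as Browser Helper Objects (O2)
    notify_dlls = set()  # basenames registered as Winlogon Notify packages (O20)
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            base = _basename(m["path"])
            bho_dlls.add(base)
            if m["name"] == "(no name)":
                # A BHO with no registered name is unusual; one in system32 more so.
                if "\\system32\\" in m["path"].lower():
                    findings.append(("high", "O2", base, "unnamed BHO loaded from system32"))
                else:
                    findings.append(("review", "O2", base, "unnamed BHO"))
            continue
        m = O20_RE.match(line)
        if m:
            base = _basename(m["path"])
            notify_dlls.add(base)
            findings.append(("high", "O20", base,
                             "Winlogon Notify package: mapped into winlogon.exe at every logon"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = _exe_from_cmd(m["cmd"])
            if "\\local settings\\temp\\" in exe.lower():
                findings.append(("review", "O4", _basename(exe), "autorun launched from a Temp directory"))
            continue
        m = O23_RE.match(line)
        if m and m["path"].lower().endswith("(file missing)"):
            findings.append(("low", "O23", m["name"],
                             "service whose binary is gone (orphan registration, not a running threat)"))
    # The pairing is the signature: one DLL living in both the shell/browser and winlogon.exe.
    for base in sorted(bho_dlls & notify_dlls):
        findings.append(("critical", "O2+O20", base,
                         "same DLL is a BHO and a Winlogon Notify package: it is loaded in "
                         "explorer.exe/iexplore.exe and in winlogon.exe, so an in-place delete fails "
                         "and killing winlogon.exe bugchecks the system; strip both registrations, "
                         "then delete the file at reboot"))
    return findings


def main(argv):
    lines = SAMPLE_LOG
    if len(argv) > 1:  # optional: path to a saved hijackthis.log
        with open(argv[1], encoding="latin-1") as fh:
            lines = fh.read().splitlines()
    for sev, section, subject, reason in sorted(triage(lines), key=lambda f: SEVERITY_ORDER[f[0]]):
        print(f"[{sev:8}] {section:6} {subject}: {reason}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to triage the embedded sample, or pass a saved hijackthis.log. On the live machine, `tasklist /m geeda.dll` shows which processes have the module mapped; the winlogon.exe entry is what turns a forced removal into a blue screen, and it is why the cleanup tools in this thread defer the file deletion until after a reboot rather than fighting the running process.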

----------



## Cheeseball81 (Mar 3, 2004)

Download and run *VundoFix*: http://www.atribune.org/ccount/click.php?id=4
Double-click *VundoFix.exe* to run it.
Put a check next to *Run VundoFix as a task*.
You will receive a message saying vundofix will close and re-open in a minute or less. Click *OK*.
When VundoFix re-opens, click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of *C:\vundofix.txt* and a new HijackThis log.


----------



## Shelbyvilian (Mar 25, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 1:03:50 PM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydial/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://suscom.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...sbcydial/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydial/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Dustin\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.techguy.org
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

VundoFix V4.2.35

Checking Java version...

Java version is 1.4.2.3

Scan started at 12:58:14 PM 3/25/2006

Listing files found while scanning....

C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\geeda.dll

Attempting to delete C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\geeda.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\geeda.dll Could not be deleted.

Performing Repairs to the registry.
Done


----------



## Cheeseball81 (Mar 3, 2004)

Uninstall *MyWay Search Assistant* from Add/Remove Programs.

Click here to download the trial version of *Ewido Security Suite*: 
http://www.ewido.net/en/download/

· Install Ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido.
· It will prompt you to update; click the OK button and it will go to the main screen.
· On the left side of the main screen click update.
· Click on Start and let it update.
· *DO NOT* run a scan yet.

Restart your computer into *Safe Mode* now. 
(Start tapping the *F8* key at Startup, before the Windows logo screen).
Perform the following steps in Safe Mode:

* Run *Ewido*:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK.
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop.

Reboot.

*Post a new Hijack This log and the results of the Ewido scan.*

You *MUST* do this as part of the cleaning process
Go to www.java.com & download the latest version of Java, *1.5.0.6*.

Install it & then go to add/remove programs and UNINSTALL ALL previous versions of sun java.


----------



## Shelbyvilian (Mar 25, 2006)

Run Ewido
Click Update
Click Start Update..."connection could not be established"


----------



## Cheeseball81 (Mar 3, 2004)

The servers must be busy. Run it without the update.


----------



## Shelbyvilian (Mar 25, 2006)

It was my anti-hacker software.


----------



## Shelbyvilian (Mar 25, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 2:16:35 PM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydial/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://suscom.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...sbcydial/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydial/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\d\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.techguy.org
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:06:38 PM, 3/25/2006
+ Report-Checksum: AA961517

+ Scan result:

C:\Documents and Settings\a\Cookies\[email protected]lick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\a\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\a\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\d\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\l\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\m\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\m\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\m\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\m\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\m\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\m\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\m\Cookies\[email protected][1].txt -> TrackingCookie.Epilot : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Ad-logics : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Specificpop : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.X10 : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Commission-junction : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Com : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Hitslink : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Gator : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Pro-market : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Spylog : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Onestat : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Commission-junction : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected]tats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected]tats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected]tats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected]tats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\OldMachineData\WINDOWS\Profiles\l\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Linksynergy : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\temp\l\Cookies\[email protected][1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\temp\l\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\WINDOWS\system32\geeda.dll -> Adware.Virtumonde : Cleaned with backup

::Report End


----------



## Cheeseball81 (Mar 3, 2004)

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\d\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE*

Reboot. How are things now?
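The instruction above is to pick particular log entries and have HijackThis fix them. As an added example, not code from this thread or from HijackThis, the following Python script parses HijackThis log lines into their section code (R0, O4, O23, ...) and the on-disk path they reference, then flags the patterns a defender would look at first in a log like this one: an O4 autorun launched from a user's Temp directory, an O23 service whose binary is missing, and empty R0/R1 page values as cleanup candidates. The sample log is constructed from lines quoted in this thread; the flag rules and the `triage` function are assumptions of mine about what to surface, not behaviour of HijackThis itself.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a few lines modelled on the HijackThis log quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\d\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
"""

# "R1 - ...", "O23 - ...": section code, separator, then the entry body.
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in a binary extension; non-greedy so paths with spaces work.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx|cpl)\b", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str
    body: str
    path: str = ""
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn raw HijackThis log text into structured entries; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(HjtEntry(m.group("sec"), body, pm.group(0) if pm else ""))
    return entries


def triage(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Apply simple review rules (my own, not HijackThis's) and return the flagged entries."""
    for e in entries:
        low_path = e.path.lower()
        if e.section == "O4" and "\\temp\\" in low_path:
            e.flags.append("autorun launched from a Temp directory")
        if e.section == "O23" and "(file missing)" in e.body.lower():
            e.flags.append("service registered but its binary is missing (orphaned entry)")
        if e.section in ("R0", "R1") and e.body.rstrip().endswith("="):
            e.flags.append("empty IE start/local page value (cleanup candidate)")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section}: {e.path or e.body}")
        for f in e.flags:
            print(f"    - {f}")
```

Run directly, the script prints the three flagged entries with their reasons; the Kaspersky service and the Dell default page are parsed but not flagged. Extend `triage` with the rules you care about rather than hand-reading every line of a long log.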


----------



## Shelbyvilian (Mar 25, 2006)

Success! My wife thanks you, my son thanks you, and I thank you.

I've probably taken enough of your time, but just for my own edification I'd like to summarize the good work we did here today:

1) The HijackThis tool scans the Windows registry to confirm how geeda.dll has attached itself, as well as other undesirables.
2) The VundoFix tool is able to remove the geeda.dll registry listing, but not the file itself because...not sure why. Because it is a system file?
3) The Ewido tool was able to remove the geeda.dll file. Maybe my Kaspersky AV program would have been able to do this at this point?
4) Any idea what this trojan was intended to do or how I may have acquired it?


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome. It was definitely because your Java was outdated.

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer.

Turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

You can mark your thread "Solved" from the *Thread Tools* drop down menu.


----------

