HijackThisLog - What is "geBqOeCR.dll" file?

  #1  
Old 04-07-2008, 04:01 PM
strutn strutn is offline
Newcomer, in training
 
Member since: Apr 2008, 8 posts
I logged in this morning and opened a browser, and a Spybot TeaTimer window popped up informing me that "geBqOeCR.dll" was trying to make a registry change. I selected "Deny/Remember" and the warning box kept popping up for about 5 minutes before stopping.

Detection was unsuccessful when I ran Spybot and Spyware Doctor in Safe Mode, and ran Ad-Aware in Normal Mode. I inserted my U3 version USB flash drive, ran the U3 version of Avast anti-virus and it detected the "geBqOeCR.dll" file and warned that it is a trojan that records personal information and to immediately remove the USB flash drive.

The file will not let me delete it in Safe Mode because it is running.
- Windows XP Pro version 2002 with SP2
- IBM ThinkCentre MT-M 8143
- Intel Pentium 4 CPU 3GHz
- 2.99GHz
- 1GB of RAM

Thank you in advance for your time and effort.
Attached Files
File Type: log hijackthis.log (8.1 KB, 4 views)
  #2  
Old 04-07-2008, 07:09 PM
kritius kritius is offline
TechSpot Maniac
 
Location: Belfast, Northern Ireland
Member since: Feb 2008, 1,553 posts
Hosts File Corrupted

Download HostsXpert v4.1 and unzip it to your computer, somewhere where you can find it.
  • Double click on HostsXpert.exe to launch the program.
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition.
  • Click on Make ReadOnly to secure it against further infection.
  • Exit the program.
Visit the Website for more information.

More will follow.
  #3  
Old 04-08-2008, 12:17 PM
strutn strutn is offline
Newcomer, in training
 
Member since: Apr 2008, 8 posts
I downloaded HostsXpert, restored file, and made it Read Only. The file is still in the C:\Windows\System32 folder.

File name "fcccbcA5.dll" was blocked by COMODO firewall. I denied access to it but of course it keeps trying. Is it safe?

Lastly, I had Add-Ons in my IE Explorer web browser 6.0 that I did not recognize, so I disabled them. They are:

cbXNDTnK.dll
khfCSJcd.dll
ddcYSmnk.dll
geBqOeCR.dll
fcccbcA5.dll

What is my next step?
  #4  
Old 04-08-2008, 12:22 PM
kritius kritius is offline
TechSpot Maniac
 
Location: Belfast, Northern Ireland
Member since: Feb 2008, 1,553 posts
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Download and Run ComboFix
  • Download this file to your desktop from either of the two places listed below:

    HERE or HERE
  • Disconnect from the internet, disable any real-time monitoring and close all browser windows.
  • Then double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply.
WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  #5  
Old 04-08-2008, 12:25 PM
strutn strutn is offline
Newcomer, in training
 
Member since: Apr 2008, 8 posts
Sorry. In reference to my previous post, the file "geBqOeCR.dll" is still in the C:\Windows\System32 folder and will not let me rename it. The file "fcccbcA5.dll" is in the same folder, not in the ADD-ONs.

I ran the Avast anti-virus on my USB flash drive again and looked up the information on the "geBqOeCR.dll" file. It states that it is: win32:Tra+BHO [Trj]. I hope this helps.

Thanks!
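As an added example (not part of the thread and not any poster's code), a small triage script for a HijackThis log: it parses the O2 (Browser Helper Object) lines and flags DLLs in system32 whose names follow the pattern of the five files reported above. The sample log, its CLSIDs and vendor names are constructed, and the name heuristic is an assumption derived only from those five names.

```python
import re

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <path to DLL>"
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

def looks_random(stem):
    """Assumed heuristic, taken from the five names in this thread:
    8-character alphanumeric stem with an uppercase letter directly
    after a lowercase one."""
    return (len(stem) == 8 and stem.isalnum()
            and re.search(r"[a-z][A-Z]", stem) is not None)

def suspicious_bhos(log_text):
    """Return (clsid, path) for O2 entries that load a random-looking
    DLL directly from a system32 folder."""
    hits = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if not m:
            continue  # not a BHO entry (O4, O23, headers, ...)
        path = m.group("path").strip()
        folder, _, filename = path.rpartition("\\")
        stem, _, ext = filename.rpartition(".")
        if (folder.lower().endswith("\\system32")
                and ext.lower() == "dll" and looks_random(stem)):
            hits.append((m.group("clsid"), path))
    return hits

# Constructed sample, not the poster's attached log. CLSIDs are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: Example PDF Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\ExampleVendor\pdfhelper.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - C:\WINDOWS\system32\geBqOeCR.dll
O2 - BHO: (no name) - {33333333-3333-3333-3333-333333333333} - C:\WINDOWS\system32\cbXNDTnK.dll
O2 - BHO: Example Toolbar - {44444444-4444-4444-4444-444444444444} - C:\WINDOWS\system32\extoolbr.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\ExampleVendor\tray.exe
"""

if __name__ == "__main__":
    for clsid, path in suspicious_bhos(SAMPLE_LOG):
        print(f"review BHO {clsid} -> {path}")
```

A hit is a reason to inspect the file and its registry entry, and the heuristic will miss names that do not share this 8-character mixed-case shape.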
  #6  
Old 04-08-2008, 12:25 PM
strutn strutn is offline
Newcomer, in training
 
Member since: Apr 2008, 8 posts
OK, I will download the next file from your post.
  #7  
Old 04-08-2008, 01:19 PM
strutn strutn is offline
Newcomer, in training
 
Member since: Apr 2008, 8 posts
The Malwarebytes' Anti-Malware log is attached.

I will now run Combofix...
Attached Files
File Type: txt mbam-log-4-8-2008 (13-13-47).txt (3.9 KB, 3 views)
  #8  
Old 04-08-2008, 03:20 PM
strutn strutn is offline
Newcomer, in training
 
Member since: Apr 2008, 8 posts
Combofix has completed running and the Combofix.log is attached.
Attached Files
File Type: txt ComboFix.txt (14.9 KB, 2 views)
  #9  
Old 04-08-2008, 03:25 PM
kritius kritius is offline
TechSpot Maniac
 
Location: Belfast, Northern Ireland
Member since: Feb 2008, 1,553 posts
I'll look at them soon.
  #10  
Old 04-09-2008, 03:00 PM
strutn strutn is offline
Newcomer, in training
 
Member since: Apr 2008, 8 posts
I will keep checking for your response. Thank you!
  #11  
Old 05-12-2008, 12:58 AM
strutn strutn is offline
Newcomer, in training
 
Member since: Apr 2008, 8 posts
Should I assume that we are complete? If so, my computer has been running great and I really appreciate the help. Thank you!
  #12  
Old 05-16-2008, 12:45 AM
Blind Dragon Blind Dragon is offline
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 3,395 posts
Kritius should be back from vacation soon, you just need to clean up a bit.

For a 2nd opinion:

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Attach the report into your next reply along with a fresh HijackThis log.