
Infected with gea.exe/other Trojan horses


  • Please log in to reply
3 replies to this topic

#1 npc29 (Members, 2 posts)

Posted 05 July 2009 - 01:13 PM

I've got an issue with a nasty piece of malware that doesn't seem to want to let me do anything.

The problem happened when I clicked a link on google search. It's my own fault for not making sure it was safe. Long story short, AVG Free popped up with a notice and I ran it to get the virus removed. It told me it wouldn't remove one of the objects unless I restarted, so I did it. There were also some odd pop-ups via IE explorer (I use firefox) that kept coming up. Something about creepy monsters or something odd like that. It was the same pop-up numerous times.

When I restarted the computer, I logged on and it took abnormally longer to do so. Once it finally logged on, it did nothing. The desktop background loaded, but the taskbar and none of the icons did; it's basically just my background.

One thing that popped up was a notice about a program called "gea.exe" having an error and having to be shutdown. It then wants me to "send an error report."

Right now I'm operating basically through the task manager. Some programs I can't open, one of them being Malwarebytes. The error that it gives me is 708 (126). I tried uninstalling it and re-installing it hoping it would work, but it gives me the same message. The research I've done says that error is related to the language selection?

I've run AVG again and it came up with a few infections, one of them being that gea.exe program. All of the infections are listed in my Local Settings/Temp folders. I tried to remove all the infections, but AVG just blinks at the bottom, I think saying none of the files could be removed, but it goes too fast to be read and everything is still there. Some of the other files say the infection is a Trojan Horse. I cannot remember exactly what the final names were on all of them, I should have written them down, but they are all random strings of numbers and/or letters followed by ".exe".

My latest AVG run has found something in my start menu and programs folder called fmnupd32.exe (Trojan Horse 2Sheur2 ANDl). It seems to be no longer finding the other viruses.

I tried starting the computer up in safe mode, but it does not go any further than the dreaded blue screen that tells me an error occurred. I've also tried restarting to the latest point when Windows was working properly and it either gives me a different blue screen or does the same thing as when I normally start up and log on.

I've done everything that I've been told to do in the prep guide with the exception of backing up my files. I installed Cobian but it will not open up all the way. I've been doing my best to transfer all my important files over from my laptop to the computer I'm on now just in case.

If this cannot be fixed, I'd be fully okay with grabbing what important files I need and doing a system restore, but any help to fixing this nasty infection would be greatly appreciated.

Here is my HJT log.


DDS (Ver_09-06-26.01) - NTFSx86
Run by nino at 12:31:44.68 on Sun 07/05/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080419
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080419
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\nino\gea.exe \s
BHO: c:\windows\system32\sdjee3inf.dll: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\sdjee3inf.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [<NO NAME>] c:\docume~1\nino\locals~1\temp\ic0bu43r.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] c:\docume~1\nino\locals~1\temp\ic0bu43r.exe
uRun: [Windows System Recover!] c:\docume~1\nino\locals~1\temp\notepad.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [ymetray] "c:\program files\yahoo!\yahoo! music engine\YahooMusicEngine.exe" -preload
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [13852504] c:\documents and settings\all users\application data\13852504\13852504.exe
mRunOnce: [wextract_cleanup0] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\docume~1\nino\locals~1\temp\ixp000.tmp\"
mRunOnce: [tmp21431312] cmd /Q /C "c:\windows\tmp21431312.bat"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: __c00D08D7 - c:\windows\system32\__c00D08D7.dat
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,c:\docume~1\nino\locals~1\temp\2138198438mxx.dll
SSODL: ZAvWokhrc - {50AE8B79-FA04-21D3-C62B-5B4271ED488E} - c:\windows\system32\yqbelyw.dll
STS: c:\windows\system32\sdjee3inf.dll: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\sdjee3inf.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nino\applic~1\mozilla\firefox\profiles\ccr02ec9.default\
FF - prefs.js: browser.startup.homepage - hxxp://espn.go.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\nino\application data\mozilla\firefox\profiles\ccr02ec9.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-05 12:25 <DIR> --d----- c:\program files\Cobian Backup 8
2009-07-05 11:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-03 14:04 112,716 a------- c:\windows\system32\drivers\93963998.sys
2009-07-03 14:03 245 a------- c:\windows\tmp21431312.bat
2009-07-03 14:03 <DIR> --dsh--- c:\windows\System Volume Information
2009-07-03 14:03 15,000 a------- c:\windows\system32\gsf83iujid.dll
2009-07-03 14:03 2 a------- C:\1353616248
2009-07-03 14:03 15,000 a------- c:\windows\system32\sdjee3inf.dll
2009-07-03 14:03 10 a------- c:\windows\system32\kr_done1
2009-07-03 14:03 <DIR> --d----- c:\program files\Jcore
2009-07-03 14:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13852504
2009-07-03 14:03 135,168 a------- c:\windows\system32\tpsaxyd.exe
2009-07-03 14:03 8 a------- c:\windows\system32\comsa32.sys
2009-07-03 13:56 868,899 a------- c:\windows\system32\rn.tmp
2009-07-01 10:55 12,544 a------- c:\windows\system32\iehelper.dll
2009-07-01 10:45 2 a------- c:\windows\010112010146118114.dat
2009-07-01 10:45 28,672 a------- c:\windows\ld11.exe
2009-06-08 14:15 <DIR> --d----- c:\program files\SecondLife

==================== Find3M ====================

2009-06-26 17:34 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 17:34 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-17 17:21 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2009-05-17 17:21 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 11:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 44,544 -------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-27 16:40 36,578 a------- c:\windows\system32\nvModes.dat
2009-04-25 01:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-23 16:34 130,496 a------- c:\windows\HPHins13.dat
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 05:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 11:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 11:11 584,192 -------- c:\windows\system32\dllcache\rpcrt4.dll

============= FINISH: 12:33:24.35 ===============

Edited by npc29, 05 July 2009 - 01:15 PM.
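Reading a DDS/HJT-style report like the one above is mostly a matter of knowing which load points matter and which paths should never appear in them. The Python script below is an added example, not part of this thread, the DDS tool, or any BleepingComputer procedure. It parses a handful of lines copied from the log above (plus two benign autorun entries, all embedded as a constructed sample) and flags what a responder would look at first: a Userinit value chained to a second executable, Run entries launched from a temp folder or with an all-numeric name, policies that disable the registry tools, a Winlogon Notify entry that is not a .dll, an AppInit_DLLs entry in temp, and a burst of files created within the same minute. The regular expressions and the heuristics are my own assumptions about the report format, not an official schema.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log posted above, with two benign
# autorun entries (ctfmon, AVG tray) mixed in so the checks have hits and misses.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\nino\gea.exe \s
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] c:\docume~1\nino\locals~1\temp\ic0bu43r.exe
uRun: [Windows System Recover!] c:\docume~1\nino\locals~1\temp\notepad.exe
mRun: [13852504] c:\documents and settings\all users\application data\13852504\13852504.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
Notify: __c00D08D7 - c:\windows\system32\__c00D08D7.dat
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,c:\docume~1\nino\locals~1\temp\2138198438mxx.dll
2009-07-03 14:04 112,716 a------- c:\windows\system32\drivers\93963998.sys
2009-07-03 14:03 15,000 a------- c:\windows\system32\gsf83iujid.dll
2009-07-03 14:03 2 a------- C:\1353616248
2009-07-03 14:03 15,000 a------- c:\windows\system32\sdjee3inf.dll
2009-07-03 14:03 135,168 a------- c:\windows\system32\tpsaxyd.exe
2009-06-08 14:15 <DIR> --d----- c:\program files\SecondLife
"""

# The only value Userinit should hold on XP; anything chained after it runs at every logon.
CANONICAL_USERINIT = r"c:\windows\system32\userinit.exe"
# Policies that lock a user out of their own recovery tools (assumed list for this example).
LOCKOUT_POLICIES = {"disableregistrytools", "nofolderoptions"}

# Assumed line shapes, derived from the report above rather than from a published schema.
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", re.I)
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (?P<name>\w+) = (?P<value>\S+)", re.I)
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<path>.+)$", re.I)
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)


def is_temp_path(path):
    """True when the command/path lives under a ...\\temp\\ directory."""
    return "\\temp\\" in path.lower()


def is_numeric_name(path):
    """True when the file name (minus extension) is digits only, e.g. 13852504.exe."""
    stem = path.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem.isdigit()


def check_line(line):
    """Return a list of human-readable findings for one report line (empty if benign)."""
    findings = []
    if line.lower().startswith("mwinlogon: userinit="):
        for value in line.split("=", 1)[1].split(","):
            if value.strip().lower() != CANONICAL_USERINIT:
                findings.append(f"Userinit chained to a second binary: {value.strip()}")
        return findings
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        if is_temp_path(cmd):
            findings.append(f"autorun {m.group('name')!r} launched from a temp folder: {cmd}")
        elif is_numeric_name(cmd):
            findings.append(f"autorun {m.group('name')!r} has an all-numeric file name: {cmd}")
        return findings
    m = POLICY_RE.match(line)
    if m and m.group("name").lower() in LOCKOUT_POLICIES and m.group("value") != "0":
        findings.append(f"policy locks out recovery tooling: {m.group('name')}={m.group('value')}")
        return findings
    m = NOTIFY_RE.match(line)
    if m and not m.group("path").lower().endswith(".dll"):
        findings.append(f"Winlogon Notify package is not a .dll: {m.group('path')}")
        return findings
    if line.lower().startswith("appinit_dlls:"):
        for dll in line.split(":", 1)[1].split(","):
            if is_temp_path(dll):
                findings.append(f"AppInit_DLLs entry in a temp folder: {dll.strip()}")
    return findings


def triage(log_text, burst_threshold=3):
    """Walk a DDS-style report; return load-point findings and same-minute creation bursts."""
    findings, created = [], defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CREATED_RE.match(line)
        if m:  # "Created Last 30" entry: bucket by minute to spot a drop of many files at once
            created[m.group("ts")].append(m.group("path"))
            continue
        findings.extend(check_line(line))
    bursts = {ts: paths for ts, paths in created.items() if len(paths) >= burst_threshold}
    return {"findings": findings, "bursts": bursts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print("FINDING:", f)
    for ts, paths in result["bursts"].items():
        print(f"BURST at {ts}: {len(paths)} files created, e.g. {paths[0]}")
```

On the sample the script reports seven load-point findings and one creation burst (four files stamped 2009-07-03 14:03), which lines up with the infection window the poster describes. The heuristics are deliberately narrow: a real triage would also cross-check each flagged path against the "Created Last 30" list and the vendor's detection names, but the point here is that the report's own structure is enough to rank what to look at first.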



#2 miekiemoes (Malware Response Team, Malware Killer Dog, 19,420 posts, Belgium)

Posted 06 July 2009 - 06:56 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 npc29 (Topic Starter, Members, 2 posts)

Posted 06 July 2009 - 11:34 AM

Okay, Malwarebytes isn't working. That is one of my issues.

I tried uninstalling it and now reinstalling it and I'm getting an error as it completes the installation. I used the first link you provided to make sure I have the latest version.

Run-time error '372':
Failed to load control 'vbalGrid' from vbalgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.


It finishes installing and I click the check marks for both updating and launching MBAM and after I do that the above error appears again. I click OK and it appears once more. I click it again and MBAM just shuts down.

#4 miekiemoes (Malware Response Team, Malware Killer Dog, 19,420 posts, Belgium)

Posted 07 July 2009 - 06:57 AM

Hi,

This actually doesn't surprise me at all with the huge amount of malware you are dealing with....

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
