Solved

Download.Trojan

Posted on 2005-05-05
Last Modified: 2013-12-04

Help! I'm running Windows XP and have Norton ISS running on my machine. I get a message that pops up that says I have an infected file in C:\windows\system32\geebc.dll. Norton cannot delete or quarantine the file. When I go into safe mode it says the file is being used by another process and I cannot delete or rename it. What can I do??
Question by:MykeVS
28 Comments
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 13941357
Hi MykeVS,

Download and run Hijack This - and post the log back here
http://download.com.com/3000-8022-10227352.html?tag=lst-0-3

Also run Trend Micro Housecall
http://housecall.trendmicro.com/

thanks

-red

0
 

Author Comment

by:MykeVS
ID: 13941410
<<  HijackThis log removed by Humeniuk - Page Editor 5/6/2005  >>
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 13941434
tick and fix the following, then reboot into safe mode and delete geebc.dll

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\geebc.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: ScreenThemes.lnk = C:\Program Files\ScreenThemes\scthemes.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O20 - Winlogon Notify: geebc - C:\WINDOWS\SYSTEM32\geebc.dll
0
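As an added example (not code from the thread or from HijackThis itself), here is a small Python triage script that parses the HijackThis entries redseatechnologies listed above and reports every load point that references a given file. The sample log lines are copied from that post; the function names are my own, and the point it makes is why the file stays locked: an O20 Winlogon Notify entry is loaded into winlogon.exe at logon, which also happens in Safe Mode, so fixing only the O2 BHO entry leaves the DLL in use.

```python
import re

# Sample HijackThis lines, copied from the expert's post above (raw string so
# backslashes in Windows paths are kept literally).
HJT_LOG = r"""
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\geebc.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O20 - Winlogon Notify: geebc - C:\WINDOWS\SYSTEM32\geebc.dll
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")      # "O2 - BHO: <rest>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_hjt(text):
    """Turn HijackThis lines into dicts: section, kind, name, clsid, path."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        clsid = CLSID_RE.search(rest)
        if section == "O4":            # "[Name] path [args]" (args are kept)
            name, _, path = rest.lstrip("[").partition("] ")
        else:                          # "Name - {CLSID} - path"
            parts = [p.strip() for p in rest.split(" - ")]
            name, path = parts[0], parts[-1]
        entries.append({"section": section, "kind": kind, "name": name,
                        "clsid": clsid.group(0) if clsid else None,
                        "path": path})
    return entries

def load_points(entries, filename):
    """Every entry whose path ends with filename (case-insensitive)."""
    fn = filename.lower()
    return [e for e in entries if e["path"].lower().endswith(fn)]

def why_locked(entries, filename):
    """Return (sections referencing the file, True if an O20 Winlogon Notify
    entry keeps it loaded by winlogon.exe, which also runs in Safe Mode)."""
    sections = sorted({e["section"] for e in load_points(entries, filename)})
    return sections, "O20" in sections

if __name__ == "__main__":
    sections, via_winlogon = why_locked(parse_hjt(HJT_LOG), "geebc.dll")
    print(sections, "loaded by winlogon.exe:", via_winlogon)
```

Run against a full log, the same check tells you which other load points (O4 Run keys, O3 toolbars) would need to go before a file is no longer "in use by another process".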
 

Author Comment

by:MykeVS
ID: 13941577
I ticked off the entries and clicked the fixed/repair button, but the geebc.dll entries are still there AAARGGGHH!  When I try to delete or rename in safe mode I get: Cannot perform this process as it is being used by another process.
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 13941596
okie dokie,

have you got your windows xp cd handy?

if so boot off it and repair using the recovery console

from here, find the file and delete it (it is similar to a dos prompt if that helps)

can you do that?

-red
0
 

Author Comment

by:MykeVS
ID: 13941666
I have the XP Dell backup disk.  How do I boot off it and where is the recovery console ?
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 13941680
just put the disk in the cd drive and let it boot up

it will come up before the windows xp screen and say something like

press any key to boot from CD....

once that starts it will bring up the windows xp installer

one of the first options in there is,

repair an installation using the recovery console

once there, go through and find the file (best to know where it is first)

then just

del c:\windows\system32\geebc.dll

then reboot into safe mode and try to find it (should be gone)

-red
0
 
LVL 9

Expert Comment

by:woodendude
ID: 13941697
http://pcworld.com/downloads/file_download.asp?fid=23611&fileidx=1   will identify it, allow you to rename it, disable it or delete it.
0
 

Author Comment

by:MykeVS
ID: 13941774
I put the Dell CD in that has XP on it but it won't boot off the CD, can I make a boot CD? I also tried the BHODemon thing but it says access denied to geebc.dll which is the file I'm trying to kill.
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 13941789
you may have to reconfigure your bios.

another thing you can try (for the sake of fun and games)

open up task manager (CTRL+SHIFT+ESCAPE)

go to the processes tab

end the processes explorer.exe and iexplore.exe

once that is done, go to file>new task(run) and type in CMD

then go and delete that geebc.dll file

-red
0
 
LVL 32

Expert Comment

by:r-k
ID: 13941843
Are you running XP Pro or XP Home?
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13943147

How to delete undeletable files:

http://www.dougknox.com/xp/tips/xp_undeletable_file.htm

Zee
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 13943419
sorry humeniuk, sorry all,

i will note that for next time

-red
0
 
LVL 5

Expert Comment

by:rulirahmadi
ID: 13943432
Check your regedit for unknown startup programs; also check your msconfig editor (click 'start' button then 'run' and type 'msconfig' in the box) for the 'service' and 'startup' tab.
0
 

Author Comment

by:MykeVS
ID: 13948440
How to create the boot disk or change the BIOS to boot from the disk?? I tried the idea from Zee http://www.dougknox.com/xp/tips/xp_undeletable_file.htm and that didn't work. I have to find a way to access the file and delete it, but it continuously says it's being used in another process whether I'm in safe mode or not. I also tried to kill explorer and delete it but that didn't work either.
0
 
LVL 32

Expert Comment

by:r-k
ID: 13948471
Change the permissions on the file you want to delete so that no one, not even system or administrator, has any permissions. Then reboot, change the permission back so you can delete it, and delete it.
0
 
LVL 9

Expert Comment

by:woodendude
ID: 13948473
"I also tried the bhodemon thing but it says access denied to geebc.dll which is the file I'm trying to kill." <<<<< Did you disable it? Or did it deny you access when trying to?
0
 

Author Comment

by:MykeVS
ID: 13948509
How do I change the permissions?? How do I disable it in BHODemon? When I started it, it tried to read the file and said access denied to the file I was trying to delete, and it didn't show up.
0
 

Author Comment

by:MykeVS
ID: 13948517
this recovery console sounds promising, how do I get it to boot from the cd ?
0
 
LVL 32

Expert Comment

by:r-k
ID: 13948530
Here is how you can change permissions:

(1) Reboot in safe mode

(2) Right-click on the file (e.g. geebc.dll) in Windows Explorer
      Select "Properties", then the "Security" tab
      Click on "Advanced", then un-check the box that reads "inherit permissions..."
      When a dialog box pops up, click on "Remove"
      This will remove all permissions for that file.

Then reboot and you can change permissions back and delete the file (even if you don't, the file can't be used by anyone again, not even by the malware).

0
 
LVL 9

Expert Comment

by:woodendude
ID: 13948548
When you open BHODemon the installed BHOs are listed; just uncheck the desired one and then you should be able to delete the file as it is not in use.
0
 

Author Comment

by:MykeVS
ID: 13948574
I tried to change the permissions in safe mode and when I tried to save it it told me access denied....
0
 
LVL 32

Expert Comment

by:r-k
ID: 13948594
"I tried to change the permissions in safe mode and when I tried to save it it told me access denied...."

You don't need to save anything. After you "Remove" the permissions as mentioned above, then click on OK etc, it will warn that you have denied access to everyone, just accept that, and click OK etc.

Also, make sure you login as a user with Admin rights in Safe mode. A "restricted" user may not be able to change file permissions.
0
 

Author Comment

by:MykeVS
ID: 13948600
I still can't delete the file but Norton no longer finds it as a virus! I guess that's a good thing! Should I still try and delete the file or am I safe now?
0
 
LVL 32

Expert Comment

by:r-k
ID: 13948759
>>>
I still cant delete the file but Norton no longer finds it as a virus !  I guess thats a good thing !  Should I still try and delete the file or am I safe now?
<<<

I hope you were able to change the permissions to no access for everyone. If so, that file is harmless now. However, if you do want to go the extra mile, you can delete it as follows:

(1) Boot in Safe mode.

(2) Right-click on the file in Windows Explorer
      Select "Properties", then the "Security" tab
      Click on "Add", then enter your own login name, then OK
      Then, "check" the box labeled "Full Control", then OK
      Then (still in Windows Explorer), right-click on the file and select Delete
      Then empty the trash.

(3)  Reboot, and make sure file is really gone.

That's it. VERY important to delete the file in step(2) before going to step (3) (reboot)

Good luck.
      Click on "Advanced", then un-check the box that reads "inherit permissions..."
      When a dialog box pops up, click on "Remove"
      This will remove all permissions for that file.
0
 
LVL 32

Accepted Solution

by:
r-k earned 1600 total points
ID: 13948766
Sorry, ignore the stuff after "Good Luck" above - some bad cutting and pasting there :(
0
 
LVL 9

Expert Comment

by:woodendude
ID: 13948812
Surprised BHODemon didn't work. Good to see you've got it solved.
0
 
LVL 5

Expert Comment

by:rulirahmadi
ID: 13950338
Mmm, I dunno that we can change/add the security for the files. Like Linux/Unix. :)
0
