
Out of options!


Guest Rabies

I have two viruses. I knew I had them and I knew what files were affected, since 2 days ago. The files affected are efeed.dll and geedc.dll.

 

Googling for those filenames results in nothing useful. (Amazingly. I can't possibly be the first to have those infections???)

 

So I Googled for the symptoms, which are popup windows for Winfix, TrafficExplorer and other software. My research tells me I have "Look2me" variant 200. But NO software can detect it EXCEPT PCPitstop!

 

Amazing, no? I have done full scans with:

 

McAfee VirusScan (up-to-date; this is what I have running 24/7 on my system)

housecall.antivirus.com

Spybot Search & Destroy

AdAware

(would try MS Antispyware but the beta has expired)

 

NONE of them detect anything!

 

Finally I found and tried the viruscan here on PCPitstop. Guess what? It found 2 infected files:

 

The Trj/Pakes.AV Virus was found in file C:\WINDOWS\SYSTEM32\efeed.dll

The Trj/ShellHook.E Virus was found in file C:\WINDOWS\SYSTEM32\geedc.dll

 

So the question is now what?!

I already followed the fix advice that I found for "Look2me" and I thought that took care of it until this morning, when I saw the damn popups return.

 

I am running on XP Pro.

Edited by Rabies


After reading the removal instructions for look2me I did notice that nothing was mentioned of turning off system restore before you begin. Did you turn that off first? (start, programs, accessories, system tools, system restore) Just wasting your time if you didn't. Once you reboot, it will be back.


I'd be surprised if any of those manual instructions work. The only time I have seen Look2Me removed is with a special tool, created by one of the HJT experts/developers.

 

If I were you Rabies, I'd post a log over in the HJT forum.

 

You may also find that eWido catches it as well (tho it still may not remove it):

eWido Security Suite

Guest Rabies

Welp, you can add Symantec's special Look2me removal tool as yet another program that does not even detect this infection. (Symantec Spyware.Look2Me Removal Tool 1.0.1)

 

I'll be checking those links above out, but my hopes are not high. I get the feeling I have a very new variant.

 

I'll also post to HJT forum, but I checked out the log from HJT and I see absolutely nothing out of the ordinary.


I just did a bit of Googling; it seems the file geedc.dll also may come with a Vundo infection, again requiring some more special fixing.

 

Anything that has not been updated in the last couple of months will not work, as the infection recently changed.

 

This can be removed fairly easily, don't fret, once the analysts have a log, they will get you fixed up.

Guest Rabies

Update:

McAfee just released a new DAT update within the last few hours.

It detected "Adware-Virtumundo" in efeed.dll but cannot clean or delete the file.

 

It still does not detect the infection in geedc.dll.


The second of those tools may work, tho I think I recall them being very much hit and miss.

 

The first one was for the older variant, very few of those around today.

 

Really, the best thing for you to do is post a log in a forum, for an analyst to decipher it. Trying to remove it yourself is just gonna cause you headaches.

Guest Rabies

OK, I'm an idiot. I didn't realize HijackThis could delete files. Everybody's always going on about the HJT LOGS, so I thought it was strictly a reporting tool.

 

So as you might guess by now, I managed to delete efeed.dll through HJT. (geedc.dll was deleted manually)

 

The good part of this spyware/trojan crap is that it created a backup of efeed.dll called "deefe.bak" and "deefe.bak2". I used the one that was the correct size (178kb) and renamed it to efeed.dll, figuring that Windows might actually need that file.

 

~RB

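The reversed-name backup Rabies describes (efeed.dll alongside deefe.bak and deefe.bak2) is a file-system artifact a defender can look for. The script below is an added example, not code from anyone in this thread or from any of the tools mentioned: it scans a directory for DLLs that have a companion file whose name is the DLL's stem spelled backwards plus .bak or .bak2, and reports whether the sizes match. The sample directory it builds is constructed for the demo; the 178 KB figure is the size Rabies reported.

```python
import tempfile
from pathlib import Path

BACKUP_SUFFIXES = (".bak", ".bak2")


def find_reversed_backups(directory):
    """Return sorted (dll_name, backup_name, same_size) tuples for every DLL in
    `directory` that has a companion named <reversed stem>.bak or .bak2."""
    directory = Path(directory)
    # Case-insensitive lookup, since Windows file names are case-insensitive.
    by_name = {p.name.lower(): p for p in directory.iterdir() if p.is_file()}
    hits = []
    for name, path in by_name.items():
        if not name.endswith(".dll"):
            continue
        stem = name[:-4]
        reversed_stem = stem[::-1]
        # A palindromic stem would match an ordinary foo.dll/foo.bak backup
        # pair, which is normal admin practice, so skip it to avoid noise.
        if reversed_stem == stem:
            continue
        for suffix in BACKUP_SUFFIXES:
            backup = by_name.get(reversed_stem + suffix)
            if backup is not None:
                same_size = path.stat().st_size == backup.stat().st_size
                hits.append((path.name, backup.name, same_size))
    return sorted(hits)


def build_sample_system32(root):
    """Constructed stand-in for C:\\WINDOWS\\SYSTEM32 using the thread's names.
    File contents are filler; only names and sizes matter to the check."""
    root = Path(root)
    (root / "efeed.dll").write_bytes(b"\x90" * 178 * 1024)   # 178 KB, as reported
    (root / "deefe.bak").write_bytes(b"\x90" * 178 * 1024)   # same size as the DLL
    (root / "deefe.bak2").write_bytes(b"\x90" * 4096)        # a different size
    (root / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 64)  # benign, no companion
    return root


def demo():
    """Run the check against the constructed sample directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_reversed_backups(build_sample_system32(tmp))


if __name__ == "__main__":
    for dll, bak, same in demo():
        print(f"{dll} has reversed-name backup {bak} (size match: {same})")
```

A size match is the stronger signal, since that is the copy Rabies used to restore the file; a mismatched .bak2 still deserves a look but may be an older copy.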

This infection cannot be fixed with HJT alone; you need a special tool to search for and root out the other files in this infection. More than likely, there are one or two others, hidden, which HJT cannot always see.

 

I'd be surprised if this does not come back.
