PDA

View Full Version : Repeated messages DDL and google



claresheradan
2009-10-08, 11:18
Hello,

We are getting a repeated pop-up saying “ The application or DDL C:PROGRA-\Google-4\GEOC62-1.DDL is not a valid Windows image. Please check this against your installation diskette.” Having looked at your site I have done this hijack log. It would be great if someone could help.I am a bit out of my depth but think I have done everything correctly.

Many thanks

Clare
______________________________________________________________

Comparison of your HijackThis log file items to others
The table below compares the items HijackThis found on your computer with those on other people's computers. The column "% of PCs with item" indicates what percent of other people's HijackThis log files contain the item in that row of the table. Additional information will be provided as more HijackThis log files are added to the AnalyzeThis database.

Thanks very much

Clare

Each entry is coded to indicate the type of item it is on your computer. An explanation of these codes may be found at the bottom of this page.


Index % of PCs with item Code Data
61 0.0% O8 E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
62 0.0% O8 Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
63 0.0% O8 Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
64 0.0% O8 Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
65 0.0% O8 Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
66 0.0% O8 Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
67 0.0% O8 Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
68 0.0% O8 Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
69 0.0% O8 Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
70 0.0% O8 Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
78 0.0% P01 C:\WINDOWS\Explorer.EXE
79 0.0% P01 C:\WINDOWS\system32\svchost.exe
80 0.0% P01 C:\WINDOWS\system32\lsass.exe
81 0.0% P01 C:\WINDOWS\system32\winlogon.exe
82 0.0% P01 C:\WINDOWS\system32\services.exe
83 0.0% P01 C:\WINDOWS\System32\smss.exe
84 0.0% P01 C:\WINDOWS\system32\spoolsv.exe
85 0.0% P01 C:\WINDOWS\system32\ctfmon.exe
86 0.0% P01 C:\Program Files\Internet Explorer\iexplore.exe
87 0.0% P01 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
88 0.0% P01 C:\Program Files\QuickTime\qttask.exe
89 0.0% P01 C:\Program Files\iPod\bin\iPodService.exe
90 0.0% P01 C:\Program Files\iTunes\iTunesHelper.exe
91 0.0% P01 C:\WINDOWS\System32\hkcmd.exe
92 0.0% P01 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
93 0.0% P01 C:\WINDOWS\system32\igfxpers.exe
94 0.0% P01 C:\WINDOWS\System32\HPZipm12.exe
95 0.0% P01 C:\WINDOWS\system32\igfxsrvc.exe
96 0.0% P01 C:\Program Files\Dell Support\DSAgnt.exe
97 0.0% P01 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
98 0.0% P01 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
99 0.0% P01 C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
100 0.0% P01 C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
101 0.0% P01 C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
102 0.0% P01 C:\Program Files\TalkTalk\bin\sprtcmd.exe
103 0.0% P01 C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
104 0.0% P01 C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
105 0.0% P01 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
106 0.0% P01 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
107 0.0% P01 C:\Program Files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSAgent.exe
108 0.0% P01 C:\Program Files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSWatcher.exe
109 0.0% P01 C:\Program Files\AVG\AVG8\Identity Protection\agent\bin\AVGIDSUI.exe
110 0.0% P01 C:\Program Files\AVG\AVG8\Identity Protection\agent\bin\AVGIDSMonitor.exe
111 0.0% P01 C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
112 0.0% P01 C:\PROGRA~1\AVG\AVG8\avgtray.exe
113 0.0% P01 C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
114 0.0% P01 C:\PROGRA~1\AVG\AVG8\avgam.exe
115 0.0% P01 C:\PROGRA~1\AVG\AVG8\avgrsx.exe
116 0.0% P01 C:\PROGRA~1\AVG\AVG8\avgnsx.exe
117 0.0% P01 C:\PROGRA~1\AVG\AVG8\avgfws8.exe
118 0.0% P01 C:\Program Files\Windows Live\Toolbar\wltuser.exe
119 0.0% R0 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
120 0.0% R0 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
121 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
122 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
123 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
124 0.0% R1 HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mytalktalk.net/

Explanation of the codes

R - Registry, StartPage/SearchPage changes


•R0 - Changed registry value
•R1 - Created registry value
•R2 - Created registry key
•R3 - Created extra registry value where only one should be

F - IniFiles, autoloading entries


•F0 - Changed inifile value
•F1 - Created inifile value
•F2 - Changed inifile value, mapped to Registry
•F3 - Created inifile value, mapped to Registry

N - Netscape/Mozilla StartPage/SearchPage changes


•N1 - Change in prefs.js of Netscape 4.x
•N2 - Change in prefs.js of Netscape 6
•N3 - Change in prefs.js of Netscape 7
•N4 - Change in prefs.js of Mozilla

O - Other, several sections which represent:


•O1 - Hijack of auto.search.msn.com with Hosts file
•O2 - Enumeration of existing MSIE BHO's
•O3 - Enumeration of existing MSIE toolbars
•O4 - Enumeration of suspicious autoloading Registry entries
•O5 - Blocking of loading Internet Options in Control Panel
•O6 - Disabling of 'Internet Options' Main tab with Policies
•O7 - Disabling of Regedit with Policies
•O8 - Extra MSIE context menu items
•O9 - Extra 'Tools' menuitems and buttons
•O10 - Breaking of Internet access by New.Net or WebHancer
•O11 - Extra options in MSIE 'Advanced' settings tab
•O12 - MSIE plugins for file extensions or MIME types
•O13 - Hijack of default URL prefixes
•O14 - Changing of IERESET.INF
•O15 - Trusted Zone Autoadd
•O16 - Download Program Files item
•O17 - Domain hijack
•O18 - Enumeration of existing protocols and filters
•O19 - User stylesheet hijack
•O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
•O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
•O22 - SharedTaskScheduler autorun Registry key
•O23 - Enumeration of NT Services
•O24 - Enumeration of ActiveX Desktop Components

Dakeyras
2009-10-10, 15:30
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hi claresheradan and welcome to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Scan with Rooter:

Please download Rooter (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Feric.71.mespages.googlepages.com%2FRooter.exe) to your desktop.

Double click on Rooter.exe to start the application.
Now click on the Scan button.
When the scan is completed a text file called Rooter.txt will appear on your desktop, post the contents in your next reply.
Now click on Close button to exit Rooter.
Note: The logfile can also be located within this folder Rooter$ at the root of your installed Hard-Drive. EG: C:\Rooter$

Scan with RSIT:

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Make sure that RSIT.exe is on the your Desktop before running the application!

Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
Note: Both logs can also be located within this folder rsit at the root of your installed Hard-Drive. EG: C:\rsit

When completed the above, please post back the following in the order asked for:

How is you computer performing now, any further symptoms and or problems encountered?
Rooter Log.
Both RSIT logs. <-- Post them individually please, IE: one Log per post/reply.

Dakeyras
2009-10-14, 19:09
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.