Ubersite

Removing Geeda.dll Without Fucking About Like Other Guides Or Using Dumbass Tools By Symantec That Don't Work


Submitted by SoxSexSax (View user info) at 2007-11-15 10:32:18 EST



Author: SoxSexSax AKA Inferno AKA Russell Lambert
Date: 15/11/2007

DISCLAIMER: This guide requires manual editing of registry entries, and the use of a tool with the ability to crash your PC. I take NO responsibility for any damage you do to your PC following this guide. It is offered 'as is' to try and help those in need of it, but I offer no guarantees as to the usefulness or reliability of the information.

(With that said, I have tried this on three different geeda infected pcs and it has fixed all of them)

Like most malware, geeda.dll goes to lengths to make itself hard to delete. Of course, as most malware writers are semi-retarded script kiddies, it's almost never impossible to delete if you know how. I myself was infected with geeda.dll recently, and went looking for a guide on how to fix it. I found some, but they were convoluted, long-winded and often were trying to fix multiple problems at once, when all I wanted was the 'remove geeda' bit. Symantec reckon they have a tool that deletes geeda.dll... well, I tried using that and it took over 20 minutes to scan my hard drive before telling me I wasn't infected (did you even try looking in Windows\System32 you dumbass piece of shit software? Huh? Symantec...you suck!)

Fortunately for me, my search was only to save time, as I am more than capable of working things like this out for myself. And as I already know two people who have been infected in the same way, I realised I wasn't the only one struggling to find information on it. So here are the steps that I took, and that you should take, to remove geeda without messing about:

#1: Download the latest Process Explorer tool (type Process Explorer into Google, should be easy to locate)

#2: Reboot the computer

#3: Start Process Explorer

#4: Double click on every single running process (one at a time obviously). On the dialog that pops up for each, select the Threads tab at the top.

#5: Manually look at the threads of each process, and if the word 'geeda' is in the thread name, select it then click the Kill Thread button.

#6: For your convenience, I can tell you that you are likely to find geeda related threads in Explorer.exe, Lsass.exe and, if running, IExplore.exe. However, don't assume these are the only ones, you must check all of the processes as missing just one geeda thread will cause this cleanup to fail (if geeda is still loaded when the computer shuts down it automatically adds itself back into the registry, undoing all our work from steps 7 to 12)

#7: When you are happy you have stopped every single geeda thread, start regedit (Start - Run - type Regedit then hit Enter)

#8: Make sure you have the top node of the treeview selected (My Computer), then click Find under the Edit menu. (Reason for selecting the top node is that regedit's search only goes down and doesn't loop)

#9: Type geeda into the find box (leave off the .dll bit). Start the search. Note that pressing F3 in Regedit is repeat last search, which will come in handy. BTW, it's a good idea to start Notepad (or any text editor) now as you'll need it in a minute.

#10: When a registry entry containing geeda is found, the action to take depends on the registry key in question. Make sure you read this bit CAREFULLY, as messing up here could screw your PC (especially part b):

a) If the key (which is the folder in the left hand pane containing the value) is a guid (a long string of numbers/letters enclosed in squiggly {} brackets, such as {208D2C60-3AEA-1069-A2D7-08002B30309D}) then we want to make a note of the guid in question before deleting the key. Right click on the containing key in the left hand pane of regedit and select Rename, then press Ctrl-C to copy the current name to the clipboard. Paste this into notepad (or whatever editor you use) as we'll need it later. When you have the key name backed up, cancel the rename, then delete the key completely (right click - delete)

b) If the key name is 'Lsa', it's "be careful" time. Geeda hooks itself into Explorer by adding itself to the Authentication Packages string in this key. On 99.9% of Windows XP computers, the correct entry for the value Authentication Packages in the Lsa key is 'msv1_0' (without the quotes obviously), so replace whatever value is listed by Authentication Packages with it. IF YOU MESS THIS UP YOU CAN BREAK THE USER ACCOUNTS ON THE PC. This is fixable (logging in as administrator in Safe Mode and fixing it properly) but you'd rather avoid it as it can take upwards of 5 minutes to log in if this registry entry is screwed (I speak from experience here).

c) If the key name is something other than Lsa or a guid, it's slightly more difficult to determine the correct course of action (I have no trouble, neither would any IT professional, but it's hard to decide whether to delete the whole key or just the geeda-containing value without experience to guide you). While I accept this is a slightly grey area, generally if geeda is the only file referenced in the key, delete the whole key. If other files than geeda are referenced, just delete the values pertaining to geeda. Provided you don't do this on the Lsa key, chances are your PC will still work fine even if you do take the sub-optimal course for a key, though if in doubt just delete the value containing geeda rather than the key, as this is safer.

#11: When the search finishes, run it again. (Better to take an extra 30 seconds now to check than miss one entry and have to start the whole process from scratch...I speak from experience here AGAIN) Make sure it finds no matches for geeda at all (starting from the top of the treeview remember) before continuing.

#12: In your running copy of notepad (or similar) you should have at least one, possibly more, guids. (If you don't have even one then you didn't search properly.) Copy the alphanumeric bit (everything except the { and }) to the clipboard, then do another search in RegEdit for this value (make sure you go to the top again...). When it finds a match, delete the key if the key is a guid, otherwise delete the value (99% of the time it will be a guid and it'll be delete the key). If you have more than one guid in notepad, do this for all of them.

#13: If you've followed my instructions to the letter, you should now be able to reboot your computer into Safe mode, and delete geeda.dll. Just in case you don't know, you get into Safe Mode by pressing F8 at the start of the boot process (if you struggle just literally keep tapping it right from turning the power on until it works) and then selecting Safe Mode from the menu. Geeda.dll is normally (read: every time I've seen it and according to every report I've read) in the C:\Windows\System32 directory (unless you have Windows installed somewhere other than C:\Windows, but if you have then you're probably savvy enough to have automatically corrected it). If all has gone well, you should now be able to simply right click on the file and Delete it.

#14: Reboot into normal windows and off you go! You one, geeda nil.


##DISTRIBUTION##

I have distributed this information around many sites on the web, as can you if you find it useful or think you know people who will. All I ask is that you keep the Author and Date sections at the top with it because A) it's uncool to take credit for the work of others and B) in two years time a new version of geeda could be about that this guide doesn't fix, and the date gives people a fighting chance of deciding whether the information is useful to them or not.
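The registry triage in steps 10 to 12 can be rehearsed offline against an exported copy of the registry before anything is changed in regedit. The script below is an added example, not part of the original guide: it parses regedit export text and returns a read-only plan that applies rules 10a to 10c and the GUID follow-up of step 12, including decoding the `hex(7)` multi-string form in which an export stores Authentication Packages. The `Example` key paths and the GUID in the sample are constructed placeholders, and a real export file is assumed to have been read as text (regedit writes UTF-16).

```python
import re
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SAMPLE = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Example\{11111111-2222-3333-4444-555555555555}]
@="C:\\WINDOWS\\system32\\geeda.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,67,\
  00,65,00,65,00,64,00,61,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Loader]
"Good"="C:\\WINDOWS\\system32\\other.dll"
"Bad"="C:\\WINDOWS\\system32\\geeda.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Refs\{11111111-2222-3333-4444-555555555555}]
"""  # constructed sample: the Example paths and the GUID are placeholders

def decode(raw):
    # hex(1|2|7) data is a UTF-16LE byte list; multi-strings are NUL-separated.
    m = re.match(r"hex\([127]\):(.*)", raw)
    if not m:
        return raw.strip('"').replace("\\\\", "\\")
    data = bytes(int(b, 16) for b in re.findall(r"[0-9A-Fa-f]{2}", m.group(1)))
    return " ".join(s for s in data.decode("utf-16-le").split("\0") if s)

def parse_reg(text):
    # Yield (key, value_name, data); a bare key header yields empty name and data.
    key = None
    for line in text.replace("\\\n", "").splitlines():  # join "\" continuations
        if line.startswith("["):
            key = line.strip()[1:-1]
            yield key, "", ""
        elif key and (m := re.match(r'("(?:[^"\\]|\\.)*"|@)=(.*)', line)):
            yield key, m.group(1).strip('"'), decode(m.group(2).strip())

def plan(text, needle="geeda"):
    # Read-only plan for steps 10a-c and 12; nothing is written to the registry.
    entries = [(k, k.rsplit("\\", 1)[-1], n, d) for k, n, d in parse_reg(text)]
    actions, guids = [], set()
    for key, leaf, name, data in [e for e in entries if needle in "".join(e[1:]).lower()]:
        if GUID.fullmatch(leaf):                      # 10a: note GUID, delete key
            guids.add(leaf.upper())
            actions.append(("delete-key", key))
        elif leaf.lower() == "lsa" and name == "Authentication Packages":
            actions.append(("set-msv1_0", key + "\\" + name))          # 10b
        else:                                         # 10c: the safer choice
            actions.append(("delete-value", key + "\\" + name) if name else ("delete-key", key))
    for key, leaf, name, data in entries:             # step 12: chase the GUIDs
        if leaf.upper() in guids:
            actions.append(("delete-key", key))
        elif any(g[1:-1] in (name + data).upper() for g in guids):
            actions.append(("delete-value", key + "\\" + name))
    return list(dict.fromkeys(actions)), sorted(guids)
```
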


User Reviews


Submitted by TheUniter (user info) at 2007-11-18 10:24:30 EST (#)
Ranking: 0



Submitted by steph (user info) at 2007-11-17 10:37:31 EST (#)
Ranking: 2

Submitted by redskieslookfake (user info) at 2007-11-15 14:20:24 CST (#)
Ranking: -2

get a mac

---
The Apple logo and hefty price tag makes it magically immune to viruses, malware, etc, right?

Submitted by steph (user info) at 2007-11-17 10:35:31 EST (#)
Ranking: 2

Wow, something actually useful on Uber. Thanks.

Submitted by DeathJester (user info) at 2007-11-17 09:09:11 EST (#)
Ranking: 2

This helped me.


Submitted by TheDoctor (user info) at 2007-11-16 15:13:41 EST (#)
Ranking: -2

No Comment

Submitted by TechnoRatty (user info) at 2007-11-15 20:39:41 EST (#)
Ranking: 2

console.WriteLine("...and why not.....");


Submitted by BranDo (user info) at 2007-11-15 18:41:05 EST (#)
Ranking: 2

You really must have been bored.



Lots of criminals return to the crime scene.
Even if it takes some years.



I'm a non poster but been around long enough to 'know' you.
Didn't have an account while you were posting the inferno series so didn't rate.
I remember Nitty calling it an Ubernovel.


You're Ubernovelty.

Now go back to being bored.


Submitted by Axolotl (user info) at 2007-11-15 16:07:01 EST (#)
Ranking: 0

WTF

Submitted by i_can_get_you_a_toe (user info) at 2007-11-15 15:52:16 EST (#)
Ranking: 0

nerd.

Submitted by redskieslookfake (user info) at 2007-11-15 15:20:24 EST (#)
Ranking: -2

get a mac

Submitted by apollo88 (user info) at 2007-11-15 15:06:30 EST (#)
Ranking: 2

all you cunts should bow down to this cunt.

finish that series you were writing, cockface.



Submitted by TonyDanza (user info) at 2007-11-15 12:28:15 EST (#)
Ranking: 2

Useful, indeed.

But what shall I do if I'm attacked by GUIDO.dll?

Submitted by BLITZKREIG_BOB (user info) at 2007-11-15 12:05:53 EST (#)
Ranking: 2

Lousy 3-headed monster, that Geeda.

Submitted by ConorJS (user info) at 2007-11-15 11:54:37 EST (#)
Ranking: 2

lol

Submitted by MudWhistle (user info) at 2007-11-15 11:09:00 EST (#)
Ranking: 0

hopefully i'll never need this

Submitted by Darth_Famine (user info) at 2007-11-15 10:58:29 EST (#)
Ranking: 2

All well and true, but do you really trust the average computer user to follow instructions?



Submitted by sicosemen (user info) at 2007-11-15 10:54:50 EST (#)
Ranking: -1

http://www.ubersite.com/m/113157 NSFW

Submitted by SoxSexSax (user info) at 2007-11-15 10:50:47 EST (#)
Ranking: 0

Actually the reason I responded was because I'm at work bored out of my face. But thanks for giving me an excuse to call you a dumb cunt again.

Dumb cunt.

Submitted by HadToBeDone (user info) at 2007-11-15 10:47:50 EST (#)
Ranking: 0

I'm so glad that people who can't remove spyware will come to a reputable site like Uber for their computer advice.

Submitted by polyamorousaj (user info) at 2007-11-15 10:47:00 EST (#)
Ranking: 2

That it has. What've you been up to the past two years??

Submitted by czwij (user info) at 2007-11-15 10:46:59 EST (#)
Ranking: -2

wtf?
stfu!
gtfo...

Submitted by sicosemen (user info) at 2007-11-15 10:46:26 EST (#)
Ranking: -2

If you didn't give a fuck then you would have ignored us. Instead you acknowledged us and displayed your suffering from receiving a -2.

Submitted by SoxSexSax (user info) at 2007-11-15 10:44:25 EST (#)
Ranking: 0

LOL ty poly, been a while mate ain't it.

And as to fuckwit and fuckwittier (read sicosemen and HurtByTheSun), like I give a fuck about your retarded opinions. Dumb cunts.

Submitted by Berty (user info) at 2007-11-15 10:41:12 EST (#)
Ranking: 0

Potentially useful maybe, but not exactly thrilling stuff. Kind of like a post about 'useful tips' featuring "use old underpant elastic as shoelaces! They'll never come untied until YOU want them to!"

Submitted by polyamorousaj (user info) at 2007-11-15 10:41:01 EST (#)
Ranking: 2

You are the wind beneath my wings.

Submitted by sicosemen (user info) at 2007-11-15 10:40:33 EST (#)
Ranking: -2

Go ahead and leave for another 2 years....you certainly weren't missed.

Submitted by HurtByTheSun (user info) at 2007-11-15 10:37:38 EST (#)
Ranking: -2

Certainly didn't read this.

