Followed tutorial, still need some help.

Discussion in 'Malware Help (A Specialist Will Reply)' started by speedlg, Apr 15, 2007.

  1. speedlg

    speedlg Private E-2

    Great website. I followed the tutorial and the computer is 90% faster. A few things still happen.

    1. Error message on start up: Error loading mcdsrv16_070412.dll
    2. Once in a while I get a pop-up browser window with caiyu.com, some Chinese website.

    I ran HijackThis and I deleted some obvious registry faults. I then re-ran the malware removal procedure tutorial after the computer started running about 90% faster. Before the registry entries were removed I could not even use the computer; svchost.exe was using all the resources. The log files were made after the second malware removal procedure go-round.

    Log files attached
     

    Attached Files:

  2. speedlg

    speedlg Private E-2

    Part 2 file upload

    Here are the other logfiles
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Part 2 file upload

    Welcome to Major Geeks!

    Wow! You are very badly infected!!!!! I'm not sure how many people are using this PC, but whoever is needs to be a lot more careful where they surf and what they are downloading and clicking on.

    We have a lot of work to do, so let's dig in! I'm going to be posting multiple messages since there is so much to do. Posting it in one message would get too long and confusing. Finish the procedures in the order posted.

    Procedure # 1:

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to error monitor
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • McAfee Real-time Scanner
      • McAfee SystemGuards
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste EmonSrv into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • McShield
      • McSysmon
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now copy the bold text below to Notepad. Save it as fixFAss.reg to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now move on to my second procedure!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Part 2 file upload

    Procedure # 2:


    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\system32\lfrmewrk.exe
    C:\WINDOWS\system32\MSRundll.exe
    C:\WINDOWS\system32\MSRundll.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\mcdsrv16_070412.dll start
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
    O2 - BHO: macfed Class - {CB7CA266-4479-4997-86AF-7554AA8A0AF4} - C:\WINDOWS\system32\NAVIGA~1.DLL
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: 财富通 - {C1F0024B-8278-4999-B7E6-2718426D9FE6} - C:\Program Files\财富通\caif.dll (HKCU)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now move on to the third procedure!
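
The HijackThis lines picked out in this procedure (a proxy pointed at localhost, a second command chained onto UserInit, BHOs with no name or no file on disk) are the sort of thing worth checking mechanically before a human reads the log. The script below is an added example written for this page, not a tool from the thread and not anything HijackThis itself provides: it parses log lines in the format shown above and flags those conditions. The regular expressions, the finding texts and the sample log (assembled from lines posted in this thread, not a complete log) are this example's own.

```python
import re
from dataclasses import dataclass

# Entry syntax as seen in the HijackThis log excerpts in this thread.
# These patterns are this example's own, not anything HijackThis exposes.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
LOCAL_PROXY_RE = re.compile(r"\b(localhost|127\.0\.0\.1)\b", re.IGNORECASE)
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _value_after(body, key):
    """Text following `key` in `body`, or None if `key` is absent."""
    idx = body.find(key)
    return None if idx < 0 else body[idx + len(key):].strip()


def triage_hjt(log_text):
    """Return a Finding for every entry that matches one of the four
    conditions below; every other entry is passed over silently."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")

        # R1 ProxyServer aimed at the local machine: a process on this box
        # sits between the browser and the network and sees every request.
        if section == "R1" and "ProxyServer" in body:
            value = _value_after(body, "ProxyServer =") or ""
            if LOCAL_PROXY_RE.search(value):
                findings.append(Finding(section, "browser proxied through a local listener", line))

        # F2 UserInit: the normal value is userinit.exe alone (with a trailing
        # comma); anything after it runs at every logon, before the shell.
        elif section == "F2" and "UserInit=" in body:
            value = _value_after(body, "UserInit=") or ""
            entries = [e.strip() for e in value.split(",") if e.strip()]
            if len(entries) != 1 or not entries[0].lower().endswith("userinit.exe"):
                findings.append(Finding(section, "extra command chained onto UserInit", line))

        # O2 BHOs: an entry whose DLL is gone is a dead registration to clean
        # up; one with no name deserves a look at the DLL it points to.
        elif section == "O2":
            if any(mark in body for mark in MISSING_MARKERS):
                findings.append(Finding(section, "BHO registration with no DLL on disk", line))
            elif body.startswith("BHO: (no name)"):
                findings.append(Finding(section, "unnamed BHO", line))

        # O20 Winlogon Notify with a missing DLL: winlogon keeps failing to
        # load it until either the file or the entry is put right.
        elif section == "O20" and any(mark in body for mark in MISSING_MARKERS):
            findings.append(Finding(section, "Winlogon Notify package missing from disk", line))

    return findings


# Sample log assembled from lines posted in this thread (not a complete log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\mcdsrv16_070412.dll start
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
O2 - BHO: (no name) - {C8AF24A6-3564-4F64-84A3-AA80C88EDD8A} - C:\WINDOWS\SYSTEM32\rxpkzwpcbfjwb.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
"""


def sample_findings():
    return triage_hjt(SAMPLE_LOG)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.section:<4} {f.reason}: {f.line}")
```

Run against the sample it reports the proxy, the UserInit entry, the two BHOs and the Winlogon Notify line, and stays quiet on the Start Page and Run entries. The UserInit check is the one to remember: the "Error loading mcdsrv16_070412.dll" message at startup is exactly what a rundll32 entry chained onto UserInit produces once the DLL has been removed but the registry value has not, so the value has to be reset to userinit.exe alone, not just the file deleted.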
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Procedure # 3:


    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Now attach the below new logs and tell me how the above steps went.

    1. avenger.txt
    2. GetRunKey
    3. ShowNew
    4. HJT
     
  6. speedlg

    speedlg Private E-2

    Thanks for the help. The Chinese websites no longer open. When I click on my Local Disk C: drive in My Computer, it asks me which program I want to open it with. I just right-click on the icon and select Open and it opens with no problem. Is this a clue to a possible problem?

    The computer seems to be running at its usual speed; however, when I access My Computer sometimes I have to click it twice in the Start menu, and even then it takes about 10-15 seconds before the window opens.

    I looked at the HJT log and I noticed some of the items you asked me to delete were still present.

    Once again, I can't thank you enough for your help. Believe it or not, this happened after clicking on one website. We do custom embroidery here and I was getting a quote on some digitizing from a new company from a trade magazine. The website was chinastitch.com. It said "click here for a quote", I clicked on it, and that's when I just watched it all unfold right in front of me. McAfee told me it caught a trojan, but even after I blocked it, the troubles began.
     

    Attached Files:

  7. speedlg

    speedlg Private E-2

    Here's the last file you requested.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your first HJT log the below line showed:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

    Now it shows like this:
    O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)

    Did you delete this file on your own? This is for your Intel Graphics Card. My procedures did not ask for this to be deleted.

    It also looks like you did not properly perform the stopping, disabling, and deleting of the services in the first part of Procedure # 1. Only the McAfee SystemGuards service was removed. Are you sure you did them properly? And now a new bad service has appeared. Let's try this again.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to error monitor
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • McAfee Real-time Scanner
      • 2991A112
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste EmonSrv into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • McShield
      • 2991A112
    • Now exit HJT and reboot this time when it tells you it needs to.
    After reboot, run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll (file missing)
    O2 - BHO: (no name) - {C8AF24A6-3564-4F64-84A3-AA80C88EDD8A} - C:\WINDOWS\SYSTEM32\rxpkzwpcbfjwb.dll
    O2 - BHO: okteba Class - {CE7C3CF0-4B15-11D1-ABED-709549C16969} - C:\WINDOWS\okteba\okteba.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now let's delete some more malware files with Avenger!
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    After reboot, attach the below new logs and tell me how the above steps went.

    1. avenger.txt
    2. GetRunKey
    3. ShowNew
    4. HJT
     
    Last edited: Apr 16, 2007
  9. speedlg

    speedlg Private E-2

    chas,

    I cannot disable the McAfee line in Services. It says the service is stopped and I cannot start it or disable it.
    It gives me an error: Unable to Open Service McShield for writing on local computer. Error 5: Access is denied.

    Check out the files and let me know what else I can do.

    Lawrence
     

    Attached Files:

  10. speedlg

    speedlg Private E-2

    My last HJT log
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try again after booting into safe mode, and shut down all unnecessary processes first.

    Also please answer my question about igfxsrvc.dll
     
  12. speedlg

    speedlg Private E-2

    I did delete that file before you replied to my first post. Should I reinstall the graphics driver? I'll try to delete the McAfee file in safe mode.

    I really appreciate the amount of time you're spending on helping me.

    Lawrence
     
  13. speedlg

    speedlg Private E-2

    I tried to disable the service in safe mode and it gave me the same error message. Should I try to reinstall McAfee and then disable the service?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Never delete anything unless you know exactly what it is. Igfxsrvc.dll is part of the libraries that handle the Intel Graphics Accelerator Helper. Your system may function okay without it, but you could someday need it for some purpose. You should look into getting the DLL file reinstalled.


    Not while AVG is installed! If you want to try this, you must uninstall AVG first and then reboot. After reboot you can then try installing McAfee. After the install, I would again reboot, and then attempt a complete uninstall. Make sure that it uninstalls completely (look at your logs) before reinstalling AVG.

    Some files that I had you delete with Avenger have reappeared even though Avenger deleted them. They are listed below:
    Code:
    "C:\WINDOWS\SYSTEM32\"
    iebhoset.ini  Apr 17 2007          20  "iebhoset.ini"
    ieset.ini     Apr 17 2007         140  "ieset.ini"
    peizhi.ini    Apr 17 2007          71  "peizhi.ini"
    
    They seem to be related to Chinese-type websites. Do you access Chinese websites or use Chinese software? If not, please try deleting these files manually. If they will not delete, please try putting copies of them into a ZIP file and attach the ZIP file here.
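
Files that come back after Avenger or a manual deletion, as in the listing above, mean something still on the machine recreates them at boot; the useful questions are which files reappear and whether they are byte-for-byte the same as before. The snapshot tool below is an added example for this page, not the ShowNew utility the thread asks for and not code from it: it records size and SHA-256 for every file under a directory, so a listing saved before the reboot can be diffed against one taken after. The demo scenario runs in a temporary directory with constructed placeholder file contents.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(directory):
    """Size and SHA-256 of every regular file below `directory`, keyed by
    the path relative to it, so two snapshots compare by content."""
    root = Path(directory)
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            entries[path.relative_to(root).as_posix()] = {
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
    return entries


def save_snapshot(entries, out_file):
    """Persist a snapshot so it survives the reboot being watched."""
    Path(out_file).write_text(json.dumps(entries, indent=1, sort_keys=True))


def load_snapshot(in_file):
    return json.loads(Path(in_file).read_text())


def diff_snapshots(before, after):
    """Paths that appeared, vanished or changed content between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(p for p in common if before[p]["sha256"] != after[p]["sha256"]),
    }


def demo():
    """Constructed scenario in a temp dir: a dropped ieset.ini is deleted by
    hand, then something recreates it at the next boot. File contents are
    placeholders, not the real files from the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        sys32.mkdir()
        (sys32 / "kernel32.dll").write_bytes(b"placeholder for a legitimate file\n")
        dropped = b"placeholder contents of the dropped file\n"
        (sys32 / "ieset.ini").write_bytes(dropped)
        original = snapshot(sys32)          # state while the infection is live

        (sys32 / "ieset.ini").unlink()      # the manual deletion
        before_file = Path(tmp) / "before-reboot.json"
        save_snapshot(snapshot(sys32), before_file)

        (sys32 / "ieset.ini").write_bytes(dropped)   # what persistence does at boot
        after = snapshot(sys32)

        report = diff_snapshots(load_snapshot(before_file), after)
        # A file that comes back byte-identical is being restored from a stored
        # copy; a different hash points at something that regenerates it.
        report["identical_to_original"] = [
            p for p in report["added"]
            if p in original and original[p]["sha256"] == after[p]["sha256"]
        ]
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In real use, save a snapshot of C:\WINDOWS\system32 right after deleting the files, reboot, snapshot again and diff; the "added" list is what the persistence mechanism restored. A file that returns with an identical hash is being copied from somewhere (another file, a packed resource, a registry blob), so the next step is finding the writer rather than deleting the file a third time. Hashing every file under system32 takes a minute or two, which is acceptable for a one-off check.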
     
  15. speedlg

    speedlg Private E-2

    I was able to reinstall the Intel graphics driver and it put the .dll back.

    I'll try that method of uninstalling AVG and reinstalling McAfee to remove/disable the service.

    I do not visit Chinese websites; that's what the whole problem was in the first place: the one site I tried to go to happened to be a Chinese company.

    I manually deleted those files that came back after Avenger deleted them. They came back after I rebooted. Do you still want me to zip and send them?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job!

    Let me know the results.

    Yes! But I see the below installed, which appears to be Japanese-related (yes, for embroidery, but did you install it, and are those files related to it?)

    Tajima DG/ML by Pulse
     
