Help with Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bishysmurph, Feb 12, 2007.

  1. Bishysmurph

    Bishysmurph Private E-2

    Got myself some Malware through an MSN download thing. I cannot update any of my anti-virus software using the auto update features. I also assume that Windows Update won't work. I also cannot view some anti-virus websites. And I have had the odd browser pop up and try to sell me a loan or something. I have followed all of the online instructions in the Read Me thread, but couldn't do either of the online scans as I could not view the pages that were linked. I will attach all my logs and I would be really grateful if someone could have a look at them and give me some advice.
     


  2. Bishysmurph

    Bishysmurph Private E-2

    Here is the HijackThis log.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 3

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Now download MsnVirRem.exe to your desktop.
    • First close any other programs you have running as this will require a reboot
    • Double click MsnVirRem.exe to run it
    • Once open, click the button labeled Search and Destroy. Your computer will now be scanned for infected files.
    • When scanning is finished you will be prompted to reboot only if infected. Click OK.
    • Now click the REBOOT Button.
    • After the Reboot, you will receive file not found errors! Please acknowledge them and continue.
    • A message should pop up from MsnVirRem; if not, double click the program again and it will finish.
    • Please attach the C:\msnvirrem.log to your next message.
    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F3 - REG:win.ini: load=C:\WINDOWS\system32\egfcxi\services.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\egfcxi\services.exe
    O1 - Hosts: 1.1.1.1 f-secure.com
    O1 - Hosts: 1.1.1.1 www.f-secure.com
    O1 - Hosts: 1.1.1.1 ftp.f-secure.com
    O1 - Hosts: 1.1.1.1 ftp.sophos.com
    O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
    O1 - Hosts: 1.1.1.1 customer.symantec.com
    O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
    O1 - Hosts: 1.1.1.1 download.mcafee.com
    O1 - Hosts: 1.1.1.1 rads.mcafee.com
    O1 - Hosts: 1.1.1.1 mast.mcafee.com
    O1 - Hosts: 1.1.1.1 my-etrust.com
    O1 - Hosts: 1.1.1.1 www.my-etrust.com
    O1 - Hosts: 1.1.1.1 nai.com
    O1 - Hosts: 1.1.1.1 www.nai.com
    O1 - Hosts: 1.1.1.1 networkassociates.com
    O1 - Hosts: 1.1.1.1 secure.nai.com
    O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
    O1 - Hosts: 1.1.1.1 service1.symantec.com
    O1 - Hosts: 1.1.1.1 sophos.com
    O1 - Hosts: 1.1.1.1 www.sophos.com
    O1 - Hosts: 1.1.1.1 support.microsoft.com
    O1 - Hosts: 1.1.1.1 symantec.com
    O1 - Hosts: 1.1.1.1 www.symantec.com
    O1 - Hosts: 1.1.1.1 update.symantec.com
    O1 - Hosts: 1.1.1.1 updates.symantec.com
    O1 - Hosts: 1.1.1.1 us.mcafee.com
    O1 - Hosts: 1.1.1.1 vil.nai.com
    O1 - Hosts: 1.1.1.1 viruslist.com
    O1 - Hosts: 1.1.1.1 www.viruslist.com
    O1 - Hosts: 1.1.1.1 grisoft.com
    O1 - Hosts: 1.1.1.1 www.grisoft.com
    O1 - Hosts: 1.1.1.1 free.grisoft.com
    O1 - Hosts: 1.1.1.1 trendmicro.com
    O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
    O1 - Hosts: 1.1.1.1 www.trendmicro.com
    O1 - Hosts: 1.1.1.1 pandasoftware.com
    O1 - Hosts: 1.1.1.1 www.pandasoftware.com
    O1 - Hosts: 1.1.1.1 usa.kaspersky.com
    O1 - Hosts: 1.1.1.1 ewido.net
    O1 - Hosts: 1.1.1.1 www.ewido.net
    O1 - Hosts: 1.1.1.1 zonelabs.com
    O1 - Hosts: 1.1.1.1 www.zonelabs.com
    O1 - Hosts: 1.1.1.1 bitdefender.com
    O1 - Hosts: 1.1.1.1 www.bitdefender.com
    O1 - Hosts: 1.1.1.1 download.bitdefender.com
    O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
    O1 - Hosts: 1.1.1.1 spywareinfo.com
    O1 - Hosts: 1.1.1.1 www.spywareinfo.com
    O1 - Hosts: 1.1.1.1 merijn.org
    O1 - Hosts: 1.1.1.1 www.merijn.org
    O1 - Hosts: 1.1.1.1 sysinternals.com
    O1 - Hosts: 1.1.1.1 www.sysinternals.com
    O1 - Hosts: 1.1.1.1 onguardonline.gov
    O1 - Hosts: 1.1.1.1 www.onguardonline.gov
    O1 - Hosts: 1.1.1.1 avast.com
    O1 - Hosts: 1.1.1.1 www.avast.com
    O1 - Hosts: 1.1.1.1 safety.live.com
    O1 - Hosts: 1.1.1.1 www.paretologic.com
    O1 - Hosts: 1.1.1.1 paretologic.com
    O1 - Hosts: 1.1.1.1 virusscan.jotti.org
    O1 - Hosts: 1.1.1.1 services.google.com
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - blank (file missing)
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - blank (file missing)
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - blank (file missing)
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: services.lnk = ?
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\egfcxi\services.exe
    C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.msn
    C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20070210-210358.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20070211-151409.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20070211-195151.backup
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\WINDOWS\system32\egfcxi

    Now run Ccleaner!

    Now download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
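As an added, defender-side example (not code from this thread or from any of the tools it names), the following Python check does what a helper would do by hand with the O1 and F3 lines above: it parses a hosts file for security-vendor domains pointed at a non-loopback address such as 1.1.1.1, which is what blocks AV and Windows Update, and reads the legacy win.ini load=/run= autostart values. The hosts and win.ini contents are constructed samples modeled on the log lines, and the vendor suffix list is an assumption drawn from the entries shown.

```python
import configparser
import ipaddress

# Constructed sample input modeled on the O1 hosts lines and F3 win.ini lines in
# the HijackThis log above; not a real capture from the poster's PC.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
1.1.1.1 f-secure.com
1.1.1.1 liveupdate.symantec.com
1.1.1.1 free.grisoft.com
192.168.1.10 fileserver.lan   # legitimate local entry, must not be flagged
"""
SAMPLE_WIN_INI = """\
[windows]
load=C:\\WINDOWS\\system32\\egfcxi\\services.exe
run=C:\\WINDOWS\\system32\\egfcxi\\services.exe
"""
# Vendor domains taken from the hijacked O1 entries; extend for other vendors.
VENDOR_SUFFIXES = ("f-secure.com", "symantec.com", "mcafee.com", "sophos.com",
                   "grisoft.com", "trendmicro.com", "kaspersky.com", "microsoft.com")


def hosts_entries(text):
    """Yield (address, hostname) for each mapping in a hosts file, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address
        for name in fields[1:]:
            yield addr, name.lower()


def blocked_vendor_domains(text, suffixes=VENDOR_SUFFIXES):
    """Return (ip, hostname) pairs where a security-vendor domain is pointed at a
    non-loopback address; that is what silently breaks AV and Windows Update."""
    hits = []
    for addr, name in hosts_entries(text):
        if addr.is_loopback:
            continue
        if any(name == s or name.endswith("." + s) for s in suffixes):
            hits.append((str(addr), name))
    return hits


def win_ini_autoruns(text):
    """Return non-empty load=/run= values from win.ini [windows]; both are
    normally empty, so any value is a legacy autostart worth inspecting."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    if not cfg.has_section("windows"):
        return {}
    return {k: v for k, v in cfg.items("windows") if k in ("load", "run") and v.strip()}
```

On a live XP machine the same functions can be fed the contents of C:\WINDOWS\system32\drivers\etc\hosts and C:\WINDOWS\win.ini; a clean hosts file yields no hits and a clean win.ini yields an empty dict.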
     
  4. Bishysmurph

    Bishysmurph Private E-2

    I got as far as the fixME.reg file. When I double clicked it I got this error message.

    C:\Documents and Settings\Ryan\Desktop\fixME.reg is not a valid Win32 application.

    I am sure I followed your instructions exactly. Tried it lots of times.

    I have added my MsnVirRem log as an attachment. I also got a bunch of new icons on my desktop with the same pic as MsnVirRem but transparent. And they all have funky names. Is this right?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this! Click Start, Run, and enter regedit and click OK. This should open the Windows Registry Editor. In the Registry Editor click File and select Import. Navigate to the C:\Documents and Settings\Ryan\Desktop\fixME.reg file on your Desktop and double click on it. Does it add into the registry now? Just continue on with all other instructions anyway.


    You did not attach the log! I'm not sure what you mean about a bunch of icons. Let me modify the instructions for MsnVirRem a little though.
    • First close any other programs you have running as this will require a reboot
    • Double click MsnVirRem.exe to run it which will Create a new randomly named EXE file to your Desktop.
    • Double click on this new randomly named EXE file on your Desktop to run it.
    • Once running, click the button labeled Search and Destroy. Your computer will now be scanned for infected files.
    • When scanning is finished you will be prompted to reboot only if infected. Click OK.
    • Now click the REBOOT Button.
    • After the Reboot, you will receive file not found errors! Please acknowledge them and continue.
    • A message should pop up from MsnVirRem; if not, double click the program again and it will finish.
    • Please attach the C:\msnvirrem.log to your next message.
     
  6. Bishysmurph

    Bishysmurph Private E-2

    Here is the MsnVirRem log.
     


  7. Bishysmurph

    Bishysmurph Private E-2

    Most of the listed items for HijackThis were already gone... all of the Hosts 1.1.1.1 entries were gone and I can now view all those sites again. So I fixed the items that were left. One wasn't fixed as it could not be "detected"; it is possibly in use (O4 - Startup: services.lnk = ?). In HostsXpert (Hoster) the Restore Microsoft's Hosts File button did nothing... I clicked it but got no response.


    I don't think the issue is quite solved yet as I can't use the AVG update feature.

    Will attach the logs you asked for.

    Also... the very first line in the HJT log, R0 - Firefox... I don't actually use Firefox... and that page is for Firefox users... did the malware do that? Because I certainly never did.

    Thanks
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that's obvious since you were not able to fix the O4 - Startup: services.lnk = ? which is one of the key problems still related to your malware. ;)

    No, it's not from the malware. Just have HJT fix that line and set your start page to what you want. It has nothing to do with using Firefox. It is an IE start page setting.

    Also fix the below line:
    O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -

    Try fixing the O4 - Startup: services.lnk = ? line again after booting in safe mode. If that does not remove it permanently, please run the below.

    Please download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.
     
  9. Bishysmurph

    Bishysmurph Private E-2

    I fixed O16 - ... and tried to fix O4 in safe mode but it was still in use and couldn't be fixed. So I ran Blacklight but it told me that it couldn't find anything. I have attached the log for you to have a look at.
    Thanks
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this! You will need to print or save these instructions locally since no connection will be available while doing them.

    • Physically unplug your cable to the internet
    • Shut down ALL unnecessary applications
    • Also make sure you shut down AVG and also ZoneAlarm
    • now run HijackThis and attempt to fix the O4 - Startup: services.lnk = ? line
    • Then immediately run a new scan to see if it is gone! Is it? Let's call this check point 1.
    • If it was gone at check point 1, continue with the below bullet list instructions; otherwise skip to the end to attach new logs.
    • with your cable still unplugged, reboot.
    • Then immediately run a new scan to see if it is gone! Is it? Let's call this check point 2.
    • If it was gone at check point 2, continue with the below bullet list instructions; otherwise skip to the end to attach new logs.
    • plug in your cable to the internet and open 1 browser window.
    • Then immediately run a new scan to see if it is gone! Is it? Let's call this check point 3.
    • Either way move on to the below!
    Now attach the below new logs and tell me how the above steps went. Answer questions about the check points.
    1. GetRunKey
    2. ShowNew
    3. HJT
     
  11. Bishysmurph

    Bishysmurph Private E-2

    I've got a problem with my Internet Explorer. It won't display any pages whatsoever. I have a perfect connection and can play online games and go on MSN... just IE won't display any pages. I reset all IE settings to factory defaults but this was no use either. I will go ahead with your instructions... just hope that it doesn't affect stage 3.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you are not blocking IE in your firewall.

    What is stage 3? Did you do what I requested yet?
     
  13. Bishysmurph

    Bishysmurph Private E-2

    Thanks for that lol... Just switched the firewall off and on again and bingo... I just assumed that it couldn't be the firewall since I hadn't changed it!

    Stage 3 was opening a new browser.

    Ok. It was still there after checkpoint 1 so I never did the rest. I will attach all the logs.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right click Start and select Explore

    Paste the below into the Address Bar and hit return. List everything you see in the right window pane!

    C:\Documents and Settings\Ryan\Start Menu\Programs\Startup
     
  15. Bishysmurph

    Bishysmurph Private E-2

    This folder doesn't exist, and when I look at this folder in the Start >> Programs menu it is there but there is nothing in it. Empty.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then look in the below folder and tell me what you find:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup


    By the way, how are things working right now? Are you having any malware problems?
     
  17. Bishysmurph

    Bishysmurph Private E-2

    In this folder there is one file called desktop.ini

    It contains the text

    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787


    Things are looking much better now, I can view any web page I want. I don't get any more pop ups. The only visible sign of there being anything wrong is that I can't use the update feature in AVG.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your previous log from ShowNew reveals Trend PC-cillin 2000 still in the registry. Does it appear in Add/Remove Programs? If so, uninstall it. Did you have it and AVG installed at the same time (even if only for a short time)?

    Uninstall AVG then reboot, then reinstall and get all updates. Make sure you have the current version of AVG Free Edition

    Does that fix autoupdate?

    Since everything is running Okay, I'm going to ignore that last O4 line in HJT. I'm not sure why you cannot get it to fix, but the files that would normally cause it (one in the Startup folder) don't exist.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  19. Bishysmurph

    Bishysmurph Private E-2

    Ok, thanks a lot for all your help. I appreciate it! Sorry I didn't get back to you for so long... it's exam time. Thanks again... you're my e-hero lol :)
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
