MalwareRemoval.com forum

My friend needs help

Post by williesbest2 » September 25th, 2005, 11:53 pm

One of my friends got a nasty piece of spyware on his computer. It's called EGDACCESS. I've tried everything I could possibly think of to get this nasty off.
1. Ran Counterspy (failed)
2. Ran Norton (failed)
3. Ran Spybot (failed)
4. Ran Ad-Aware (failed)
5. Ran HijackThis (detected and removed but came right back afterwards even after safe mode and disabling system restore)

Anyone know what I can do to get his computer back up? HijackThis log below:


Logfile of HijackThis v1.99.1
Scan saved at 8:39:39 PM, on 9/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\program files\mailskinner\mailskinner.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 11 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runescape.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1064.dll,InstantAccess
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01BE5BD7-B2DD-48B3-A759-59265A91E787} - http://akamai.downloadv3.com/binaries/E ... 064_XP.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0080964937
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/sta ... launch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67F8A71D-63FC-4918-A230-A66F0A5F12F7}: NameServer = 216.106.1.2 216.106.1.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{67F8A71D-63FC-4918-A230-A66F0A5F12F7}: NameServer = 216.106.1.2 216.106.1.3
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
williesbest2
Regular Member
 
Posts: 62
Joined: September 25th, 2005, 11:50 pm

Post by markkhunt » September 26th, 2005, 6:06 pm

Hi, williesbest2. Welcome to the forums.

I'm looking at your log now and will be back with you as quickly as possible. If you have any questions at all during the fix, please do not hesitate to ask.
markkhunt
Admin/Teacher Emeritus
 
Posts: 7911
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN

Post by markkhunt » September 26th, 2005, 8:34 pm

Hi, williesbest2. I will have you start the computer in Safe Mode, which will prevent you from accessing the Internet, so you'll either want to print these instructions or save them to a file on the desktop for reference.

I noticed that you’re running HijackThis from a temporary folder. HijackThis creates backups of all the changes we make, so that we can do a restore if something goes wrong. When HijackThis is in a temporary folder, the program and the backups it creates can be easily deleted. I need you to create a new folder (C:\HJT or something similar), and either move the HijackThis.exe you have or download the program again and save it in this new folder.

Open Notepad. Copy the contents of the Code box below and paste it into a new Notepad file. Please save the file as fixreg.reg to the desktop and make sure that Save as type is set to All files. We will use this file later in Safe Mode.

REGEDIT4

[-HKEY_CLASSES_ROOT\EGCOMLIB2.EGComLibrary2]

[-HKEY_CLASSES_ROOT\EGCOMLIB2.EGComLibrary2.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{2ABE804B-4D3A-41BF-A172-304627874B45}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{94742E3F-D9A1-4780-9A87-2FFA43655DA2}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{A02780C3-7F77-4E28-855B-28890F3CF37A}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{B843DA96-2B2D-447E-90AB-B92929AA11AF}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDHTML.EGDialHTML]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDHTML.EGDialHTML.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGHTMLDialer.HTMLDialer]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGHTMLDialer.HTMLDialer.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDialObject.EGDial]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDialObject.EGDial.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{2F668A6D-2EC7-4E3A-A485-819E210738D6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{62BFAEC2-82A5-4117-A98B-FEA89413D924}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{81C2F7F3-F930-455E-9AA5-0876D387C787}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{83F0D6AA-CD15-46B5-AA4E-BDB506B4AE53}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{7699AEF9-F83A-44FA-B374-AA02CEDF247D}]

[-HKEY_USERS\.DEFAULT\Software\EGDHTML]


Run HijackThis, click Do a system scan only, and check the box next to each of these items to have them fixed. If something isn't there, please continue with the next item on the list.

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1064.dll,InstantAccess
O16 - DPF: {01BE5BD7-B2DD-48B3-A759-59265A91E787} - http://akamai.downloadv3.com/binaries/E ... 064_XP.cab


Close all open windows and browsers, including this one, and click Fix Checked.

We need to make sure you can see all files, including hidden and system files. Please click Start => My Computer. On the menu bar select Tools => Folder Options, and then select the View tab. Under the Hidden files and folders heading, please make sure Show hidden files and folders is checked and Hide protected operating system files (recommended) is unchecked. Click Yes to confirm, and then click OK.

Now, restart your computer into Safe Mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml

Use Windows Explorer and delete the following files shown below in red if present:

C:\Windows\ExeDialer.exe
C:\Windows\System32\EGDACCESS_1064.dll
C:\Windows\System32\EGDHTML_1064.dll
C:\Windows\System32\EGDIAL.dll
C:\Windows\System32\mseggrpid.dll


Use Windows Explorer and delete the following folder shown below in red if present:

C:\Program Files\Instant Access\

Click Start => Search => All files and folders and type EGCOMLIB2.dll in the All or part of the file name box. Make sure that Look in is set for the C: drive, and then click Search. If the file is found, it will appear in the right-hand panel. Please delete every instance of the file found.

Now, please double-click the fixreg.reg file you saved to the desktop earlier and say Yes to merge the information to the Registry.

Restart your computer normally, not Safe Mode, and please post another HijackThis log for me to review. How did it go? Please let me know if you had trouble completing any of these steps.
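Added example, not part of markkhunt's post or of any MalwareRemoval.com tool: a small Python triage script for HijackThis 1.99-style logs that picks out the three patterns the fix above targets. It flags O2 BHO entries registered with no file behind them, O4 Run entries that hand rundll32 a DLL by bare name (as the "Instant Access" entry does with EGDACCESS_1064.dll, so the DLL is found through the loader's search path rather than a fixed directory), and O16 ActiveX downloads from hosts outside an allowlist. The line formats are taken from the log posted above; the allowlist, the sample lines and the O16 URL paths are constructed for this example (the real paths were truncated in the post).

```python
"""
Triage helper for HijackThis 1.99-style logs (added example, not a MalwareRemoval.com tool).

It flags three patterns that appear in the log posted above:
  * O2  BHO entries whose file is "(no file)": orphaned CLSID registrations
  * O4  Run entries that hand rundll32 a DLL by bare file name, so the DLL is
        resolved through the loader's search path instead of a fixed directory
        (the "Instant Access" entry loads EGDACCESS_1064.dll this way)
  * O16 Downloaded Program Files (ActiveX .cab) fetched from a host that is not
        on an allowlist
"""
import re
from urllib.parse import urlparse

# ASSUMPTION for this example only: an analyst-maintained allowlist of ActiveX
# download hosts. Extend it to the vendors actually present on the machine.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "msn.com", "windowsupdate.com")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+\\\.\.\\\w+): \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \([^)]*\))? - (?P<url>\S+)$")
# rundll32 with or without a directory, optionally quoted, followed by its argument
RUNDLL_RE = re.compile(r'^"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<rest>.*)$', re.IGNORECASE)

# Constructed sample in HijackThis format, modelled on the log above. The O16 URL
# paths are placeholders, not the (truncated) paths shown in the post.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1064.dll,InstantAccess
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/placeholder/wuweb.cab
O16 - DPF: {01BE5BD7-B2DD-48B3-A759-59265A91E787} - http://akamai.downloadv3.com/placeholder/installer.cab
"""


def rundll32_target(cmd):
    """Return the DLL argument of a rundll32 command line, or None if it is not rundll32."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.startswith('"'):                          # quoted path: take up to the closing quote
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return re.split(r"[,\s]", rest, maxsplit=1)[0]   # unquoted: stop at ',EntryPoint' or a space


def host_is_trusted(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES)


def triage(log_text):
    """Return a list of findings; each is a dict with the raw line, a reason and a detail."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("file").strip() == "(no file)":
                findings.append({"line": line, "reason": "orphaned BHO: CLSID registered, file missing",
                                 "detail": m.group("clsid")})
            continue
        m = O4_RE.match(line)
        if m:
            dll = rundll32_target(m.group("cmd"))
            if dll is not None and "\\" not in dll:
                findings.append({"line": line, "reason": "rundll32 loads DLL by bare name (search-path resolution)",
                                 "detail": dll})
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if not host_is_trusted(host):
                findings.append({"line": line, "reason": "ActiveX control downloaded from non-allowlisted host",
                                 "detail": host})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}: {f['detail']}\n    {f['line']}")
```

Run it against a saved log to get a short list to check against the entries an expert asks you to fix; a flagged line is a candidate for review, not a verdict, since legitimate software can also register controls from its own domain or load helper DLLs by name.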

Post by williesbest2 » September 27th, 2005, 5:37 pm

Is it possible that I could save the code to a CD and then bring it over to his computer, because he doesn't understand what to do. I'll post a HijackThis log after I'm done doing it.

Post by markkhunt » September 27th, 2005, 6:14 pm

williesbest2, if you want to save the instructions as a text file to a CD or disk and take the instructions with you, that should be fine.

The only thing you might not have visible is the URL for HijackThis, if you want to download it again. You may download it from http://downloads.malwareremoval.com/HijackThis.exe

Post by williesbest2 » September 27th, 2005, 6:56 pm

No, I mean can I just save the green part to a disk, and name it fixreg.reg, so I don't have to type all that out.

Post by markkhunt » September 27th, 2005, 7:22 pm

Oh, I'm sorry, I misunderstood what you wanted to know. :oops:

Yes, you may create the fixreg.reg file and save that to a CD or disk. That will work just fine.

Post by williesbest2 » September 27th, 2005, 8:35 pm

Since this is a dialer, is he being charged per pop-up or anything? Because it doesn't sound like it's free.

Post by markkhunt » September 27th, 2005, 9:04 pm

If the dialer file is executed, it can dial a high-cost telephone number. If your friend is using dial-up, I would advise him to leave his modem unplugged as much as possible until his computer is cleaned. Hopefully, the charges, if any, can be kept to a minimum.

Post by williesbest2 » September 27th, 2005, 10:03 pm

He does have dial-up and has been using his computer like crazy. He gets porn pop-up ads at random. So I'm thinking his bill might be kind of high. I'm going to follow your directions on Saturday afternoon. Hopefully his bill won't be too high.

Post by markkhunt » September 28th, 2005, 8:08 am

Let me know how it goes. I'll be here when you return. :)

Post by williesbest2 » October 1st, 2005, 7:16 pm

Well, I fixed his computer. At first when I used HijackThis, I removed it (in safe mode), but then it came right back as a different name and gave an error message. I then ran Spy Sweeper and it removed the rest of it, along with Registry Mechanic, Tweaknow RegCleaner, Ad-Aware, and AVG. I reinstalled HijackThis into its own folder, not a temp folder. I ran HijackThis three times to make sure it didn't come back. Everything is all right now, but one thing.

When I looked at his dialup account (I went on his internet). He had two different accounts. The first one was the legit one that he uses to get onto the internet. The second one, was called "access-to" and the number was **********. Do you have any idea on what this is? I didn't want to delete it, in case it was something important.

Post by markkhunt » October 1st, 2005, 8:56 pm

Hi, williesbest2.

If your friend does not recognize the extra "access-to" account, it can probably be safely deleted. Before you do that, however, I would like you to PM (hit the PM button at the bottom of this post) me the telephone number in that account so I can do a little investigation. Please do not post the number in the forums.

Also, could you post another HijackThis log, so I can see if we have any further cleanup to do.

Post by williesbest2 » October 4th, 2005, 2:36 pm

I'll see if I can get him to run HijackThis again (Be warned that if his computer isn't showing signs of anything on it, he will not want to run the program again, he's scared of computers I think). The phone number (in case you didn't receive the PM) is just 10 stars, nothing more.

Post by markkhunt » October 4th, 2005, 3:33 pm

Yes, I have the PM. Thank you. Unfortunately, I don't know what this extra account is. It could be something that was added by malware, or it could be an account that was pre-installed for your friend to register his computer when he got it or some of the pre-installed software. If he doesn't use it to access the Internet, he should be able to safely delete that account.

Well, all we can do is ask that he post another log. Please make sure he is aware that computers can be infected with malware and not have any symptoms. The only way to determine he's clean is to see a clean log.
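Added example, not part of markkhunt's or williesbest2's posts: a Python script that does the check the last few posts describe by hand, listing the dial-up entries on a machine and flagging any the owner does not recognise, together with a rough cost classification of the number each one dials. Windows stores dial-up connections in rasphone.pbk, an INI-style file in which each [section] is one connection and PhoneNumber= is the number it dials; treat that file location and key name as an assumption to verify on the target system. The sample phonebook is constructed for this example, and the second entry stands in for the unexpected "access-to" account, with the ten asterisks the poster saw in place of a number.

```python
r"""
List Windows dial-up (RAS) phonebook entries and flag the ones nobody expected.

Added example, not from the thread. Windows keeps dial-up connections in
rasphone.pbk (on XP, under %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\),
an INI-style file in which each [section] is one connection and PhoneNumber= is
the number it dials. Treat that location and key name as an ASSUMPTION to verify
on the machine you are looking at.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[^=]+)=(?P<value>.*)$")

# Constructed sample phonebook. The second entry stands in for the unexpected
# "access-to" account from the thread; its number is the ten asterisks the poster
# saw, not a real number, and the other keys are illustrative only.
SAMPLE_PBK = """\
[My ISP]
Type=1
MEDIA=serial
DEVICE=modem
PhoneNumber=5551234

[access-to]
Type=1
MEDIA=serial
DEVICE=modem
PhoneNumber=**********
"""


def parse_phonebook(text):
    """Map each entry name to the first PhoneNumber= value found in its section."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            entries.setdefault(current, "")
            continue
        m = KV_RE.match(line)
        if m and current is not None and m.group("key").strip() == "PhoneNumber" and not entries[current]:
            entries[current] = m.group("value").strip()
    return entries


def unexpected_entries(entries, expected_names):
    """Entry names that are not on the list the owner recognises."""
    return sorted(name for name in entries if name not in expected_names)


def classify_number(number):
    """
    Rough cost classification under North American dialing (an ASSUMPTION; adjust
    the prefixes for other countries): 011 is the international access code and
    1-900 numbers are premium-rate. A number with no digits at all cannot be
    judged and is reported as masked.
    """
    digits = re.sub(r"\D", "", number)
    if not digits:
        return "masked"
    if digits.startswith("011"):
        return "international"
    if digits.startswith("1900"):
        return "premium-rate"
    return "ordinary"


def report(text, expected_names):
    """Return (entry, number, classification) for every entry not in expected_names."""
    entries = parse_phonebook(text)
    return [(name, entries[name], classify_number(entries[name]))
            for name in unexpected_entries(entries, expected_names)]


if __name__ == "__main__":
    for name, number, kind in report(SAMPLE_PBK, {"My ISP"}):
        print(f"unexpected dial-up entry {name!r}: number {number!r} ({kind})")
```

To use it on a real machine, read rasphone.pbk into `report()` with the names of the connections the owner actually set up; an entry that comes back as "masked" is one whose number the script could not read, which is exactly the case the thread ends on and a reason to ask the owner before deleting it.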
