Unusual File in windows

[coyboss]

I am trying to remove a file from an HP Pavilion a305w
desktop computer.

This file is in the registry under run and runonce, every
time I remove the entry it returns automatically. The
file is located in the temp directory of both the
administrator and Owners documents and settings acounts.

The name of the file is egfhrbg.dll


The only thing this file does to the computer, is cause
emails to be sent out by the thousands to random email
addresses with random subject lines.

The computers performance is not affected in any way.

Does anybody have any idea how to remove this file
permantently, it does not show up as a virus with either
norton or trendmicro online scans.

Thanks in advance,

Dwight

[Bill in SD, CA]

Welcome to TechIMO!!

Sounds like a virus, worm, or trojan.

Nothing on google for the file name.

Maybe try The Cleaner for trojans.

Update the definitions. 30 day free trial.

Bill

[haxxorpoop]

Have you tried things such as Spybot S and D or AdAware? THose things may help you rid your problems

http://www.safer-networking.org/

Welcome to TechIMO.

[coyboss]

Yes have tried SPybot, Adaware, online scans for viruses, the Cleaner, hijackthis,......


Still no answer or fix!!!!!

Does any body else have any ideas????

ty in advance!!

Dwight

[Optimus Prime]

I assume that you have the latest definitions for the A/V products. If it won't get rid of the virus (which it is) using conventional means, i'd suggest... dun dun dun...... a format.

[Front242]

Have you tried removing it while in safe mode?

[Gettinbye]

If you wouldn't mind, can you post your running processes? Perhaps it's being rewritten because this "bug" is still running when you delete the reg key...
I would agree that this is viral in nature, but as Bill said, google and other searches bring up nothing, which would indicate a random generation of a filename, an remote install package (such as BPK keylogger), or a new bug...
BTW-you posted that you've removed the entry from the registry: but have you searched your computer for the location of this "egfhrbg.dll" file and manually deleted it, and THEN deleted the registry entry?

[Front242]

Gettinbye, thanks for being alot clearer than my post. If you cannot stop the process in standard mode then try ending process in safe mode then remove it from your settings and registry (while in safe mode) is what I meant.

[coyboss]

Have tried safe mode removal, have even went into Dos (booted to an NTFS DOS disk and deleted all instances of the file still to no avail. Unfortunately cannot remove the file while WINDOWS is running, won't allow it to be removed windows says "cannot delete file, it us being used by another person or program"

Now how about a log of all startup stuff
"
StartupList report, 1/15/2004, 12:06:57 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Owner\Desktop\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Owner\Desktop\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
hp psc 1000 series.lnk = ?
hpoddt01.exe.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
KBD = C:\HP\KBD\KBD.EXE
hpsysdrv = c:\windows\system\hpsysdrv.exe
HPHUPD05 = c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 = C:\WINDOWS\System32\hphmon05.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
ccRegVfy = "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
ccApp = "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
AlcxMonitor = ALCXMNTR.EXE
egfhrbg = rundll32 C:\WINDOWS\System32:egfhrbg.dll,Init 1

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Once

*egfhrbg = rundll32 C:\WINDOWS\System32:egfhrbg.dll,Init 1

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NVIEW = rundll32.exe nview.dll,nViewLoadHook
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 1100 series#1071161476.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/S...in/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/S.../bin/cabsa.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

[Yahoo! Audio UI1]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yacsui.dll
CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.co...998.3366319444

[Yahoo! Webcam Viewer Wrapper]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yvwrctl.dll
CODEBASE = http://chat.yahoo.com/cab/yvwrctl.cab

[H2hPool Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\h2hpool.ocx
CODEBASE = http://mirror.worldwinner.com//games...ol/h2hpool.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
"

Hope this helps some one figure out what is going on!!!!


Thanks in advance

Dwight

[jagnorm]

Try this one...

http://us.mcafee.com/virusInfo/default.asp?id=stinger

download and follow the directions

Good Luck...