
Can't get rid of the malware

Discussion in 'Malware Removal' started by mbmadiw, Sep 25, 2011.

  1. mbmadiw

    mbmadiw Corporal

    My friend gave me his computer to fix because he said it was restarting on its own. When you log in, it gets to the Desktop and then restarts.

    In Safe Mode, it'll stay on the Desktop, but there are multiple popups asking you what program you want to open things with. That happens whenever you click on anything too. Right clicking and selecting start will allow you to open a program. There are also redirects when using IE 8.

    I have followed the Read & Run Me First instructions, but had some trouble with certain steps:

    • I cannot uninstall most items. I get an error saying the specified module cannot be found.
    • Combo Fix runs but some of the stages say I must use an administrator command prompt. I am logged in with the original computer administrator account.
    • Root Repeal won't scan. It says "Could not initialize driver. Please contact the author." and then "Could not scan drive c (error 0xc0000024)". I downloaded it from two different sources, just to be sure that I had received a good copy of the software. I found a reference that said Windows Update will fix this problem. I cannot get Windows Update to start.

    After running all of these scans as best as I could, the computer was still obviously infected and showed the same things happening. I ran all of the scans again, but there was no change. Each time Super AntiSpyware and MalwareBytes run, they find hundreds of items. They clear them, the computer restarts, and they're all back. I run the scans again, repeat, repeat.

    Attached are the logs from the last time I've run everything. I did them in the correct order per the instructions.

    Thank you for your assistance! :wave
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download The Avenger by Swandog46 to your Desktop.

    See the download links under this icon [​IMG]
    Extract avenger.exe from the Zip file and save it to your desktop.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the [​IMG] button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. mbmadiw

    mbmadiw Corporal

    Successful:
    -Downloaded Avenger
    -Ran Hijack This and fixed items per your list
    -Merged fixME.reg into registry and got success message

    Problem:
    1. Opened The Avenger and inserted script, Step 1 successful. Rebooted as directed by the program
    2. Immediately after logging in, the computer rebooted on its own (just like it has been)
    3. I then went into Safe Mode to check for the log file. There was none. I opened The Avenger to check for a log file. It said there are none.
    4. I rebooted again to give it another chance, same thing happened as in items #2 and #3 above.

    Should I go ahead and run the C:\MGtools\GetLogs.bat file?
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes.
     
  5. mbmadiw

    mbmadiw Corporal

    OK - Here is the one log that I can attach. :)
    Tell me what's next! Thanks so much.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Nothing was fixed. Let's try it again.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    My Web Search Service
    eemldjxq
    ejeffge
    jnmi
    kygtlmwn
    nqwudb
    ppho
    
    File::
    C:\Users\kobebryant\AppData\Roaming\C8C8.9B8
    C:\Users\kobebryant\AppData\Roaming\Microsoft\Windows\Templates\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
    C:\ProgramData\81amysc2c3drnt
    C:\WINDOWS\System32\drivers\eemldjxq.sys
    C:\WINDOWS\System32\drivers\ejeffge.sys
    C:\WINDOWS\System32\drivers\jnmi.sys
    C:\WINDOWS\System32\drivers\kygtlmwn.sys
    C:\WINDOWS\System32\drivers\nqwudb.sys
    C:\WINDOWS\System32\drivers\ppho.sys
    C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "My Web Search Bar Search Scope Monitor"=-
    "MyWebSearch Email Plugin"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "2743579992"=-
    "Ososilowadilaki"=-
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  7. mbmadiw

    mbmadiw Corporal

    I was able to run HJT and merge the registry changes again. Got the success message.

    I was not able to drop the CFscript.txt file onto the ComboFix icon. Just like when I try to open a program by clicking on the icon, I get a popup asking me what program to run it with. I cannot get past this, because it won't allow me to pick a program. Right clicking on the .txt file and selecting Open With does the same thing.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this. Let's have a fresh look on what is going on.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please go to the below link and scroll down to the exe file fix:

    Fix Exe Association

    Or use THIS ONE.

    Can you now do the ComboFix fix?
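The symptom in this thread (every program launch produces an "Open With" prompt) is what a broken or hijacked .exe file association looks like from the desktop. The checker below is an added example, not a MajorGeeks tool and not the fix behind either link TimW posted. It assumes only the documented stock Windows association: HKEY_CLASSES_ROOT\.exe maps to the ProgID "exefile", and HKEY_CLASSES_ROOT\exefile\shell\open\command has the default value `"%1" %*`. The sample values at the bottom are constructed for the offline demonstration; on Windows it reads the live keys instead.

```python
r"""Check whether the .exe file association is still in its stock state.

Added example for the thread; not a forum tool and not the posted fix.
Assumes the documented Windows defaults:
  HKCR\.exe                       -> "exefile"
  HKCR\exefile\shell\open\command -> "%1" %*
"""
import re
import sys

# Stock default value of HKCR\exefile\shell\open\command.
STOCK_EXE_COMMAND = '"%1" %*'

# An extra executable in front of "%1" means something else is started
# every time any program is launched. A value that is simply wrong or
# missing gives the "Open With" prompt seen in the thread instead.
_INTERLOPER = re.compile(
    r'^\s*"?([^"]+?\.(?:exe|dll|com|bat|cmd|scr))"?\s', re.IGNORECASE)


def classify_exe_command(value):
    """Return ('clean', None), ('hijacked', interloper_path) or ('broken', value).

    value is the (Default) string of HKCR\\exefile\\shell\\open\\command,
    or None when the key or value does not exist.
    """
    if value is None:
        return ("broken", None)
    normalized = " ".join(value.split())
    if normalized == STOCK_EXE_COMMAND:
        return ("clean", None)
    m = _INTERLOPER.match(normalized)
    if m and '"%1"' in normalized:
        return ("hijacked", m.group(1))
    return ("broken", value)


def classify_exe_progid(value):
    """The .exe extension key should map to the 'exefile' ProgID."""
    if value is None:
        return "broken"
    return "clean" if value.strip().lower() == "exefile" else "broken"


def check_association(progid, command):
    """Combine both checks into one verdict line for a report."""
    pid = classify_exe_progid(progid)
    kind, interloper = classify_exe_command(command)
    if pid == "clean" and kind == "clean":
        return "ok: .exe association is stock"
    if kind == "hijacked":
        return "hijacked: every .exe launch goes through " + interloper
    return 'broken: .exe association is missing or altered (expected exefile -> "%1" %*)'


def read_windows_association():
    """Read the live values on Windows; return None on any other platform."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows

    def default_value(path):
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path) as key:
                return winreg.QueryValueEx(key, "")[0]
        except OSError:
            return None  # key or default value absent

    return default_value(".exe"), default_value(r"exefile\shell\open\command")


if __name__ == "__main__":
    live = read_windows_association()
    if live is None:
        # Constructed sample values so the script demonstrates itself offline.
        samples = [
            ("exefile", '"%1" %*'),
            ("exefile", '"C:\\Users\\EXAMPLE\\AppData\\Local\\CONSTRUCTED.exe" -a "%1" %*'),
            (None, None),
        ]
        for progid, cmd in samples:
            print(check_association(progid, cmd))
    else:
        print(check_association(*live))
```

Run it on the affected machine from an administrator prompt; a "broken" verdict matches the Open With symptom, while a "hijacked" verdict names the interloper path that is worth submitting with the logs. Repairing the key is the job of the fix TimW linked, not of this checker.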
     
  10. mbmadiw

    mbmadiw Corporal

    For the exe file association fix, the first link didn't work, but I got a success message with the second one.

    I've attached the ComboFix and GetLogs.bat logs.

    Thank you for your continued work on this problem.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your ComboFix log states that you should try running it again. Please do the fix one more time and attach the new log.
     
  12. mbmadiw

    mbmadiw Corporal

    I ran ComboFix two more times, but both times the logs say it needs to run again. I'm attaching both for your reference.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Crap. Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

    Then attach the below logs:

    * C:\MGlogs.zip

    But first:

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Download OTL to your desktop.

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    
    :services
    My Web Search Service
    eemldjxq
    ejeffge
    jnmi
    kygtlmwn
    nqwudb
    ppho
    
    :files
    C:\Users\kobebryant\AppData\Roaming\C8C8.9B8
    C:\Users\kobebryant\AppData\Roaming\Microsoft\Windows\Templates\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
    C:\ProgramData\81amysc2c3drnt
    C:\WINDOWS\System32\drivers\eemldjxq.sys
    C:\WINDOWS\System32\drivers\ejeffge.sys
    C:\WINDOWS\System32\drivers\jnmi.sys
    C:\WINDOWS\System32\drivers\kygtlmwn.sys
    C:\WINDOWS\System32\drivers\nqwudb.sys
    C:\WINDOWS\System32\drivers\ppho.sys
    C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
    
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  14. mbmadiw

    mbmadiw Corporal

    • Got the success message for the fixME.reg file.
    • OTL appeared to run correctly, but the log did not open after the reboot. I found a log at C:\_OTL\MovedFiles and have attached that.
    • MGlogs.zip is attached
     

    Attached Files:

  15. mbmadiw

    mbmadiw Corporal

    oops - didn't attach this with the last post
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's looking better, but let's try doing this in normal mode:

    Use add/remove programs to uninstall:
    My Web Search (IWON)

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :otl
    O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
    O2 - BHO: (no name) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
    O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe  "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
    O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
    O23 - Service: My Web Search Service  (MyWebSearchService32) - Unknown owner - C:\Windows\system32\IMJP10K32.exe (file missing)
    
    :files
    C:\cotvrcla.txt
    C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
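The :otl section above is a list of HijackThis log lines (O2 browser helper objects, O3 toolbars, O4 autoruns, O23 services), and the things that make them stand out are mechanical: the file is missing, the entry runs from the SYSTEM account's profile, rundll32 loads a DLL from a writable location, or the name is a random string. The triage script below is an added example, not part of HijackThis, OTL or the MajorGeeks tools, and it is not how the helpers here made their decisions. Its sample input is the lines TimW listed in the fix plus one constructed benign autorun; the parsing is my own regular expressions for those four line formats, and the rules and thresholds are first-pass heuristics, not verdicts.

```python
r"""Triage HijackThis-style O2/O3/O4/O23 lines with a few defender-side rules.

Added example for this thread, not a HijackThis/OTL/MajorGeeks component.
Sample lines are those from the OTL fix above plus one constructed benign line.
"""
import re

# One pattern per HJT section; each yields a dict of named fields.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"),
    "O4": re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?)\s+\((?P<svc>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"),
}

SYSTEM_PROFILE = re.compile(r"\\config\\systemprofile\\", re.IGNORECASE)
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)

# Lines from TimW's OTL fix above, plus one constructed benign O4 line at the end.
SAMPLE_LINES = r"""
O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: (no name) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe  "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: My Web Search Service  (MyWebSearchService32) - Unknown owner - C:\Windows\system32\IMJP10K32.exe (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
""".strip().splitlines()


def parse_line(line):
    """Return (section, fields) for a recognised HJT line, else None."""
    line = line.strip()
    for section, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            return section, m.groupdict()
    return None


def looks_random(name):
    """Crude test for generated names such as 'eemldjxq': letters only,
    fewer than one vowel per four characters, or five consonants in a row."""
    base = name.lower()
    if not base.isalpha() or len(base) < 4:
        return False
    vowels = sum(c in "aeiou" for c in base)
    return vowels * 4 < len(base) or re.search(r"[^aeiou]{5,}", base) is not None


def triage(lines):
    """Apply every rule to every line; return a list of (line, reason) pairs."""
    findings = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue  # not one of the four sections handled here
        section, f = parsed
        reasons = []
        if f.get("missing"):
            reasons.append("orphaned entry (file missing)")
        target = f.get("path") or f.get("cmd") or ""
        if SYSTEM_PROFILE.search(target):
            reasons.append("runs from the SYSTEM account's profile directory")
        if section == "O4" and f.get("user") == "SYSTEM":
            reasons.append("autorun registered for the SYSTEM account")
        dll = RUNDLL_DLL.search(target)
        if dll:
            reasons.append("rundll32 loads " + dll.group(1))
        if section == "O4" and f["name"].isdigit():
            reasons.append("numeric-only autorun name")
        if section == "O23" and looks_random(f["svc"]):
            reasons.append("random-looking service name")
        if section == "O23" and f.get("owner", "").lower() == "unknown owner":
            reasons.append("service with unknown owner")
        for reason in reasons:
            findings.append((raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES):
        print(f"{reason:50s} {line[:70]}")
```

Feed it a whole HijackThis log (one line per list entry) and it will mark the same ten lines a helper would pick out, while the constructed Windows Defender autorun produces nothing. Only entries flagged by several rules at once deserve attention; "file missing" alone is also what a half-finished uninstall leaves behind.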
     
  17. mbmadiw

    mbmadiw Corporal

    I can't uninstall My Web Search. What should I do?
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try Revo Uninstaller.
    Choose the option on the bottom of the list (#4). Be very careful while deleting the bolded registry items ONLY!! This software will create a system restore point for you as well prior to uninstalling a software program.
     
  19. mbmadiw

    mbmadiw Corporal

    Revo Uninstaller may have worked. When I first clicked to uninstall, it gave me the same dialog box telling me there was an error. However, it did appear to go through the steps and remove everything. (?) After it was done MyWebSearch was no longer in the list.

    analyse.exe seemed to then run fine. fixME.reg got the success message.

    OTL got hung up and froze the computer for quite a long time. Tried again after a reboot, same thing. No log was made for it.

    getlogs.bat ran and the zipped logs folder is attached.
     

    Attached Files:

    Last edited: Sep 30, 2011
  20. mbmadiw

    mbmadiw Corporal

    sorry - not sure if I uploaded the right file and now it won't let me upload it again
     
