Error when running combofix stage of malware removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by killian, Apr 12, 2011.

  1. killian

    killian Private E-2

    I have read READ ME FIRST and I was running through the malware removal procedure and had got to the combofix stage (malware problems: numerous it seems, SAS and MB found numerous infections; 'njc.exe' running, and various windows keep popping up including 'winlogin', 'hello4', and others). Previously I had uninstalled AVG using the removal tool advised in the READ ME FIRST. When I double clicked the combofix it warned me that AVG was running: I double checked that no AVG was running/installed, and since there wasn't I went ahead with the combofix (even though it warned me that it was at my own risk...). At that point the Dreamweaver and Internet Explorer programs both started running. The combofix program then asked to download the recovery console. It started the download, but the computer crashed, saying that there was a 'fatal error' and 'system shutdown'. I forced a shutdown (turning off power) and on rebooting, the computer would not boot. On second attempt when pressing F12 it booted and is currently on (I'm currently using a different computer). Please let me know what I should do next. Thanks,
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Skip ComboFix and continue thru to MGtools. Then attach logs from the below:
    • SUPERAntiSpyware
    • Malwarebytes
    • RootRepeal
    • MGtools
     
  3. killian

    killian Private E-2

    OK, I proceeded and am attaching logs.

    Word of warning - I deviated from the READ ME a few days ago when malware first arose: I had SAS and MB already installed, ran them but I had 'hide extensions for known file types' and 'hide protected....' checked; the two programs didn't find anything. MB might have been installed without changing the .exe name.

    Yesterday, I followed the correct READ ME procedure.

    Problems persisting: after running RR and MG a windows installer attempts to install a program (possibly Acrobat); no other windows are popping up for now (i.e. hello4 etc.)
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This setting for hide files has nothing to do with the ability of scanners to find malware. We have you set that option so that "you" can see the malware and hidden files and folders. ;)

    You don't need to do this. This is only a workaround that is given if malware blocks the original file names from running.

    I'm quite surprised at all the legit file names that SUPERAntiSpyware (SAS) has declared as being infected. SAS is not an antivirus program and I would not expect it to be looking for virus signatures attached to files so this seems somewhat questionable. Many of these applications could be broken now so it may be necessary to either restore them from the quarantine or to reinstall.

    However let's not do this yet. Let's first see if we can really determine whether they were infected and also see if any other malware does exist. And I have a bunch of questions related to things I see.

    Are the below Proxy Server settings things that you knowingly setup?

    ======================================================================
    HKEY_USERS\S-1-5-21-1292428093-583907252-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer REG_SZ 10.15.172.10:3128
    ======================================================================
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer REG_SZ 10.15.172.10:3128
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer REG_SZ 10.15.172.10:3128
    ======================================================================

    What is the below Conduit Engine toolbar for? Did you knowingly install this?
    O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin0.dll


    If you did not install this then uninstall Conduit Engine


    Are the below DNS settings correct for your ISP?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6F87C030-2722-4947-900B-5026E303E523}: NameServer = 89.101.160.4,89.101.160.5



    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {EEB820FE-4F06-1F23-C313-308AC823EC3F} - c:\windows\system32\egokrroo.dll
    O4 - HKUS\S-1-5-18\..\Run: [CY08W456F0] C:\WINDOWS\TEMP\Njd.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [GAGEZ8R8ZB] C:\WINDOWS\TEMP\Njc.exe (User 'SYSTEM')
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

    After clicking Fix, exit HJT.



    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    btdna.exe
     
    :Files
    C:\Documents and Settings\All Users\Application Data\ooI3KI36.dat
    C:\$AVG8.VAULT$
    C:\WINDOWS\system32\sshnas21.dll
    C:\WINDOWS\system32\tmp.tmp
    C:\WINDOWS\Temp\1166384365636265.tmp
    C:\WINDOWS\Temp\4153031819640750.tmp
    C:\WINDOWS\Temp\ccec
    C:\WINDOWS\Temp\GUR1.tmp
    C:\WINDOWS\Temp\GUR2.tmp
    C:\WINDOWS\Temp\hxfv
    C:\WINDOWS\Temp\ibyv
    C:\WINDOWS\Temp\ivst
    C:\WINDOWS\Temp\Njb.exe
    C:\WINDOWS\Temp\Njc.exe
    C:\WINDOWS\Temp\Njd.exe
    C:\WINDOWS\Temp\nqvc
    C:\WINDOWS\Temp\povh
    C:\WINDOWS\Temp\qxth
    C:\WINDOWS\Temp\svrc
    C:\WINDOWS\Temp\usyj
    C:\WINDOWS\Temp\vraf
    C:\WINDOWS\Temp\xrrx
    C:\WINDOWS\Temp\xtkp
    C:\Documents and Settings\Killian\Local Settings\Temp\11.tmp
    C:\Documents and Settings\Killian\Local Settings\Temp\22bb2d.mst
    C:\Documents and Settings\Killian\Local Settings\Temp\utt9.tmp
    C:\Documents and Settings\Killian\Local Settings\Temp\uttA.tmp
    C:\Documents and Settings\Killian\Local Settings\Temp\uttA.tmp.bat
    C:\Documents and Settings\Killian\Local Settings\Temp\{AC76BA86-1033-0000-7760-000000000003}
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At25.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At9.job
    C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
    C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
    c:\windows\system32\egokrroo.dll
     
    :Reg
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CY08W456F0"=-
    "GAGEZ8R8ZB"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEB820FE-4F06-1F23-C313-308AC823EC3F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
     
     
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [​IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. killian

    killian Private E-2

    I had setup the Proxy Server settings (currently disabled).

    No, I've uninstalled it.

    No, I checked my DNS setting, and those name servers don't appear to make sense to me.

    SORRY!! :-o I was following your procedure from the email reply to the thread I received, but this step was not included in the email (?!). The next step in the email was to run OTM and then Getlogs.bat. Not sure if I've f*****d it all up...Anyway, I'll go ahead and attach the logs that I've done. Sorry for messing you around; I appreciate your help.

    Problems persisting: windows installer keeps trying to install Acrobat (e.g. if I rightclick the OTM or any program icon on desktop, the installer starts off). Nothing else so far, but booting was problematical: I'll try a reboot and see what happens now, and give you an update.

    UPDATE: rebooting better now: previously, when booting it would hang and I'd have to turn off power, then boot by pressing f12 and using one time boot. This time a 'straight' boot worked. Acrobat install issue persists.
     

    Attached Files:

    Last edited: Apr 15, 2011
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is highly recommended that you come to the forum and work on what is posted. Emails are sent immediately and very frequently, fixes have to be edited/amended. What is in the forum will always be correct. What is in emails may be incomplete and incorrect.

    You need to run C:\MGtools\GetLogs.bat again and attach the new MGlogs.zip file since you seem to have run it before fixing everything ( like the analyse.exe fix ).

    The fix did not work properly from what I can see in your log. OTM had some problems trying to run.

    You may need to address this in the software forum. This is a common problem with Windows. Incomplete or corrupted uninstalls and installs can cause weird problems.
     
  7. killian

    killian Private E-2

    Duly noted

    Do you want me to run analyse.exe and OTM or just GetLogs.bat again and attach the new MGlogs.zip file?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes let's try the whole procedure over again followed in the order seen in my fix. ;)
     
  9. killian

    killian Private E-2

    Thanks.

    Done

    After pasting and clicking 'move it' the program started, but did not complete as it did yesterday - no log was produced; the program just disappeared from the screen and I left it for a while to see was it going to ask to reboot, but nothing happened. I then repeated the right click to run as...and then pasting and clicking a second time, but still no log produced. The only log is the one from yesterday, already attached. However, there are two folders created with today's date, along with the one with yesterday's date - both of today's folders empty.

    Done and attached.

    Problems persisting: things seem to have settled down...except for the Acrobat install.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's try this a different way.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {EEB820FE-4F06-1F23-C313-308AC823EC3F} - c:\windows\system32\egokrroo.dll
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKUS\S-1-5-18\..\Run: [AMService] C:\WINDOWS\TEMP\jces\setup.exe (User 'SYSTEM')
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6F87C030-2722-4947-900B-5026E303E523}: NameServer = 89.101.160.4,89.101.160.5
    O23 - Service: AMService - KLWQQBNZYZRRJH - C:\WINDOWS\TEMP\jces\setup.exe

    After clicking Fix, exit HJT.

    Open a command prompt window by clicking Start, Run, and enter cmd and click OK. If the window opens type each of the below commands in. Follow each by the enter key. Note there are spaces after the sc and after the stop and after the delete.

    sc stop AMService
    sc delete AMService

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
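
The HijackThis lines selected in the fixes above share a few recognisable traits: autostart entries that launch from a temp directory, entries whose target file is missing, unnamed BHOs, Run values in the LocalSystem (S-1-5-18) hive, and a static NameServer override. The sketch below is an added example, not part of the original posts or of MGtools; the function names and reason labels are hypothetical, and the flags are review prompts for an analyst, not verdicts.

```python
import re

# Constructed sample: HijackThis lines quoted in the posts above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {EEB820FE-4F06-1F23-C313-308AC823EC3F} - c:\windows\system32\egokrroo.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin0.dll
O4 - HKUS\S-1-5-18\..\Run: [CY08W456F0] C:\WINDOWS\TEMP\Njd.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F87C030-2722-4947-900B-5026E303E523}: NameServer = 89.101.160.4,89.101.160.5
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AMService - KLWQQBNZYZRRJH - C:\WINDOWS\TEMP\jces\setup.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Sections that describe something started automatically (Run keys,
# Winlogon Notify, services).
AUTOSTART = {"O4", "O20", "O23"}


def triage_line(line):
    """Return section, reasons and text for one HijackThis line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]
    reasons = []
    if section in AUTOSTART and TEMP_RE.search(body):
        reasons.append("autostart-from-temp")
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("target-missing")
    if section == "O2" and "(no name)" in body:
        reasons.append("unnamed-bho")
    # S-1-5-18 is the LocalSystem SID: a Run value there starts as SYSTEM.
    if section == "O4" and r"HKUS\S-1-5-18" in body:
        reasons.append("run-key-in-system-hive")
    # A static NameServer is only a question for the owner ("is this your ISP?").
    if section == "O17" and "NameServer" in body:
        reasons.append("static-dns:" + body.split("=", 1)[1].strip())
    return {"section": section, "reasons": reasons, "line": line.strip()}


def triage(log_text):
    """Return only the lines that matched at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = triage_line(line)
        if entry and entry["reasons"]:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], ",".join(f["reasons"]), "|", f["line"])
```
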
     
  11. killian

    killian Private E-2

    Thanks for your speedy reply earlier tonight (afternoon depending where you are!)
    Things got a bit hairy there: after running Avenger.exe, the pc on reboot crashed with a blue screen warning saying check hard drive and viruses; I turned off and rebooted with F12 but same happened; turned off and attempted boot in safe mode, but same blue screen and warning; then attempted boot to 'last known (good configuration?)' but same blue screen and warning; on fifth attempt I tried a straight boot and this worked.


    On booting and login to user account, windows error popups started (such as 'data execution prevention').

    I then deleted all files/folders Avenger attempted to delete as per fix: but could not delete c:\windows\system32\egokrroo.dll - on delete attempt it said access denied. Also, in WINDOWS\TEMP two 'perflib...' .dat files would not delete (because of today's date?) as said access denied.

    I can't see this user account on the c drive; can't find it to delete it! There never has been an account with this name.

    No log file there, and it didn't pop up on reboot. Attached is MGlogs
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try something a little differently. Download Process Explorer as shown below.

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    Run Process Explorer

    In the top section of the Process Explorer screen double click on svchost.exe to bring up the svchost.exe properties screen.

    NOTE: You will see a few svchost.exe processes running which is normal. You will need to repeat this step on each svchost.exe
    file since the egokrroo.dll file we will be looking for is not hooked into every one. In fact it may only be hooked into
    one of the svchost.exe processes.

    After double click on the svchost.exe process, click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    egokrroo.dll

    After you have killed all instances of any of the above DLLs under svchost click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    egokrroo.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2790392
    O2 - BHO: (no name) - {EEB820FE-4F06-1F23-C313-308AC823EC3F} - c:\windows\system32\egokrroo.dll
    O2 - BHO: brumatsswgrm Object - {F46BA0B8-3B23-4BBE-8FCB-3102CE0CF852} - C:\WINDOWS\$XNTUninstall643$\vojim.dll
    O4 - HKLM\..\Run: [bipro] rundll32 "C:\WINDOWS\$XNTUninstall643$\mxuug.dll",,Run

    After clicking Fix, exit HJT.


    Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  13. killian

    killian Private E-2

    Thanks,
    Followed steps to running Avenger.exe. When following steps, pc screen was blank (apart from desktop background, no icons visible) so I had to use task manager to run/switch programs.

    After running Avenger.exe pc would not reboot - tried 7 times but failed. I then rebooted in Safe Mode in order to run Getlogs.bat: hope this was OK.
     
  14. killian

    killian Private E-2

    Attaching logs for last reply
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NOTE: Please follow the below instructions very carefully. If you don't understand anything or run into a problem, stop and ask before continuing.

    Please download and install this >>> RegistrarLite

    Now using the program navigate to the following key by copying and pasting the below into the Address bar and hitting enter or clicking the green Go button

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost


    The first thing we want to do is make a backup of this key so do the below.
    • Click File and select Export
    • Give it a name like NetSvcsBU and save it to your Desktop.
    • It will automatically be saved as NetSvcsBU.reg on your Desktop.
    Now you will see information like in the below snapshot ( double click to expand this snapshot ). Notice the registry value highlighted in red which is named netsvcs. You will see two of these netsvcs names. One is a folder at the top and one is a registry value which is the highlighted one in my snapshot.

    NetSvcs1.jpg

    Once you locate the netsvcs registry value shown, double click on it and a form similar to the below snapshot will open. Items in your list will be different but we will be looking for specific items.

    NetSvcs2.jpg

    In your list of Text items you will see the below. Notice the ones I have highlighted in bold brown.

    Now I want you to select them one at a time and do the below:
    • Highlight just the ffrzjmnn text using your mouse.
    • Then hit the Delete key on your keyboard which just erases the text leaving a blank line.
    • Hit the Delete key one more time to delete the blank line
    • Highlight just the SSHNAS text using your mouse.
    • Then hit the Delete key on your keyboard which just erases the text leaving a blank line.
    • Hit the Delete key one more time to delete the blank line
    • Then click the Apply button
    • Then click the OK button to close this open form for the netsvcs value
    Now you can exit Registrar Lite and continue with the below.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: adfatsswpr Object - {284A389D-7FC5-4388-8AD4-8B4C3AB948BA} - C:\WINDOWS\$XNTUninstall643$\mxuug.dll

    After clicking Fix, exit HJT.


    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
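
The netsvcs edit above can be checked by comparing the NetSvcsBU.reg backup with a second export of the same key taken after the edit. The sketch below is an added example, not part of the original post or of RegistrarLite; it assumes both exports use the regedit version 5 layout (REG_MULTI_SZ written as `hex(7):` UTF-16LE bytes with backslash line continuations), the second export is an assumed extra step, and the function names and the shortened service list are constructed for illustration.

```python
import re


def parse_multi_sz(reg_text, value_name):
    """Return the strings stored in a hex(7) (REG_MULTI_SZ) value of .reg text."""
    # A trailing backslash continues the hex byte list on the next line.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    pattern = r'^"%s"=hex\(7\):([0-9a-fA-F,]*)' % re.escape(value_name)
    m = re.search(pattern, joined, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise KeyError(value_name)
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    # Entries are NUL-separated UTF-16LE strings ending in a double NUL.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def diff_entries(before_text, after_text, value_name="netsvcs"):
    """Return (removed, added) entries, compared case-insensitively."""
    before = parse_multi_sz(before_text, value_name)
    after = parse_multi_sz(after_text, value_name)
    before_l = {s.lower() for s in before}
    after_l = {s.lower() for s in after}
    removed = [s for s in before if s.lower() not in after_l]
    added = [s for s in after if s.lower() not in before_l]
    return removed, added


def make_export(names):
    """Build constructed .reg text in regedit v5 layout (sample data only)."""
    raw = ("\x00".join(names) + "\x00\x00").encode("utf-16-le")
    hexed = ",".join("%02x" % b for b in raw)
    # 75 characters = 25 "xx," tokens, so every wrapped line ends on a comma.
    chunks = [hexed[i:i + 75] for i in range(0, len(hexed), 75)]
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
        "\\CurrentVersion\\Svchost]\n"
        '"netsvcs"=hex(7):' + "\\\n  ".join(chunks) + "\n"
    )


# Constructed, shortened service list; ffrzjmnn and SSHNAS are the two
# entries the post above removes.
LEGIT = ["AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DHCP"]
BACKUP = make_export(LEGIT + ["ffrzjmnn", "SSHNAS"])  # stands in for NetSvcsBU.reg
AFTER = make_export(LEGIT)                            # export after the edit

if __name__ == "__main__":
    # Real v5 exports are UTF-16 files: open(path, encoding="utf-16").read()
    removed, added = diff_entries(BACKUP, AFTER)
    print("removed:", removed)
    print("added:", added)
```

An empty `added` list and a `removed` list containing only the two targeted names confirms the edit touched nothing else in the value.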
     
  16. killian

    killian Private E-2

    Thanks. Procedures worked fine until exiting HJT

    After the fix, the screen went blank apart from desktop background (i.e. no icons) and I could not access Avenger.exe through Task Manager to extract. I had to reboot before I could run Avenger.exe

    Would not reboot - blue warning screen with 'video driver failed to initialize'. I attempted to boot a few times, eventually went for a reboot in safe mode: first one failed; second one worked; I then rebooted normally and it worked in order to run GetLogs.

    Attached are logs
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that looks much better.


    Are you having any current malware problems?
     
  18. killian

    killian Private E-2

    Thanks for your reply.
    I rebooted just now, and first attempt would not work - just black screen with mouse cursor visible; turned off and it rebooted fine second time: pc much quicker to load up, i.e. open web browser and other programs I checked; but right clicking an icon still begins the Acrobat install. Otherwise things seem fine,
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This may be something you need to work in the Software Forum. It sounds like your Right Click Context Menus are messed up. Does the menu pop up? Or do you only get the request to install Acrobat?
     
  20. killian

    killian Private E-2

    Only Acrobat: I uninstalled Acrobat. Everything else seems fine
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And do your right click Context Menus now appear properly?
     
  22. killian

    killian Private E-2

    Yes, right click works fine now.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
