Combofix gets stuck

Yes complete the other pieces of the READ ME including AVG AntiSpyware, Spybot, and MGtools. Then attach the logs from AVG Antispyware and MGlogs.zip from MGtools.

 

You need to attach ONLY the logs that are requested in the READ ME. We did not ask for a HijackThis log or the other logs you are attaching. Since you already attached the log from AVG Antispyware, you need to attach the C:\MGlogs.zip file and nothing else.

 

You also need to run AVG Antispyware again and attach new log, but this time do not Ignore everything like your previous log shows. There is no sense in running the scans if you ignore the problems. You need to Quarantine or Delete what it finds.

 

These problems are occurring because you did not follow instructions. The instructions for MGtools specifically state the MGtools.exe must be download to the Root folder of your Windows boot drive. And that is where it must be run from. You put it on drive E and you should have it on drive C.

• Download the current version (your copy is already out of date) of MGtools.exe from here: MGtools.exe
• Save it to C:\MGtools.exe
• Then run C:\MGtools.exe
• Now attach the C:\MGlogs.zip.

You have a ton on malware on this PC. It would be much easier if you could get ComboFix to run.

You implied earlier that you deleted or uninstall AVG with CCleaner. DO NOT do this. Leave AVG Antispyware installed.

 

I'm not blasting you. We cannot help you if you don't follow instructions.

Here is the results from your newfiles.txt log previously posted.

Code:

"E:\MGtools\"
zip.exe       Jan 13 2005      126976  "zip.exe"
getlogs.bat   Nov 27 2007        3460  "GetLogs.Bat"
getrun~1.bat  Dec 13 2007       94089  "GetRunKey.bat"
grep.exe      Apr 14 2003       80412  "grep.exe"
locate.com    Jan 13 2005       11254  "locate.com"
ltime.exe     Oct 28 1986       13184  "ltime.exe"
shownew.bat   Nov 28 2007       41576  "ShowNew.bat"
swreg.exe     Feb 15 2007      139776  "swreg.exe"
config.reg    Dec 12 2007        1552  "config.reg"
getunk~1.bat  Oct 25 2007        2271  "GetUnKeys.bat"
chodefix.bat  Jun  7 2007        6146  "chodefix.bat"
fixchode.reg  Jun  7 2007         738  "fixChode.reg"
regfix.bat    Apr 18 2007         145  "Regfix.bat"
enable~1.reg  Aug  1 2007         120  "EnableUAC.reg"
disabl~1.reg  Aug  1 2007         120  "DisableUAC.reg"
hide.reg      Jul 26 2007         213  "hide.reg"
unhide.reg    Aug  3 2007         213  "unhide.reg"
iefix.reg     Apr  2 2004        1756  "IEFIX.reg"
analyse.exe   Jul 12 2007      401720  "analyse.exe"
getdet~1.exe  Oct 30 2006      245760  "GetDetails.exe"
proces~1.exe  Aug  1 2006        6656  "ProcessDll.exe"
21 items found:  21 files, 0 directories.
   Total of file sizes:  1,178,137 bytes      1.12 M
               2 Dir(s)     189,366,272 bytes free
 

Tell me where it shows you that MGtools was installed. It shows me drive E and that is the reason for my comment. It must be installed and run from the proper location and the logs show me that it was not. And neither was GetRunKey.

Your new logs just attached while I was writing this show that you now installed it properly.

 

The current log you just attached from AVG Antispyware still shows that you Ignored all the problems again! You need to Quarantine of Delete what it is finding and attach a log that shows me that you are fixing these problems instead of ignoring them.

 

It's not a problem! You just need to understand that we are stubborn about instructions being followed because it is important to you and for us. It speeds up the time it takes to get you working again and results in less wasted time on our parts which means we have more time to help other people. If tonight was as busy as the last few nights, message # 9 would have been the last post you saw from me until sometime tomorrow night. That would have meant another day before we were able to get started fixing this PC.

You still need to run AVG Antispyware properly. Did you see message # 15?

 

Note: the very last time you ran MGtools.exe. You still ran it wrong. You ran it from here:
C:\Documents and Settings\Maria\Local Settings\Temporary Internet Files\Content.IE5\RRD2JY4Z\MGtools[1].exe

which is seen in your HijackThis log which is part of the scans that MGtools automatically runs. You were lucky it worked at all. You must try to be more careful. It you could download it here, you could have downloaded it to c:\MGtools.exe.

Don't worry about it now but from now on you must do exactly what the instructions request. I'm trying to prepare a fix now, but you must get the items from AVG Antispyware fixed.

 

Either you missed the options or you obtained the log before you did the fixes.

 

Actually it says the root folder of your Windows boot drive is where MGtools.exe need to be saved and then you need to run it from there. Don't worry about it now. It is currently installed OK.

Let's start fixing things!

First an observation: This PC is running without any protection!!! No wonder it is so badly infected.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.officialsearchlist.org/Email/
R3 - URLSearchHook: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFly1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {0CF46468-AC82-9EC5-5B79-008AA7762D88} - C:\Program Files\Vpctgfmw\xrnoqccu.dll (file missing)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {15F68E2E-6415-4245-8927-85B6A1EDE8FD} - C:\Program Files\Online Services\mexobaki555077.dll (file missing)
O2 - BHO: (no name) - {171A424E-CC43-4F7C-B587-E7A14E7F8785} - (no file)
O2 - BHO: (no name) - {19C13064-2A7F-4633-A837-8FF6BA95BAC5} - C:\Program Files\Online Services\mexobaki83122.dll (file missing)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {3566557D-985A-4050-BAB7-8FE9F0C9D91D} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {541BA30D-17DC-4946-B054-A36E2BFA9379} - C:\WINDOWS\system32\jkhhh.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: 0 - {6A58A76B-315B-4D38-B19D-6564AD505243} - C:\Program Files\Windows Plus\quka.dll (file missing)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6D1B52BB-694A-49E0-A12E-AC8C7956CE52} - (no file)
O2 - BHO: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFly1.dll
O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - C:\Program Files\Ysvffbnb\tcowdkez.dll (file missing)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\fccawwv.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {98C99E19-F44C-4040-984F-9A930FDBCF3B} - C:\Program Files\Online Services\mexobaki4444.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {C08A1EFF-F2FF-4F45-BBD0-6B92DBEA95D1} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {E4E749C8-FCAF-41C3-B940-BCA74A6E91E0} - (no file)
O2 - BHO: egmulhxk.msdn_hlp - {E78B911A-6F68-4B84-8C19-EC417C9590E2} - C:\WINDOWS\system32\egmulhxk.dll (file missing)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {F6B4060B-D4F0-412C-BC2D-CF9B52CE7BD2} - (no file)
O3 - Toolbar: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFly1.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [mxsxkfon] rundll32.exe "C:\Program Files\hsjolcnu\vmtsdefg.dll",Init
O4 - HKLM\..\Run: [cxwjcrox] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\cxwjcrox.dll"
O4 - HKLM\..\Run: [xepgzgxo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xepgzgxo.dll"
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kndsrngq.exe
O20 - Winlogon Notify: fccawwv - C:\WINDOWS\SYSTEM32\fccawwv.dll
O20 - Winlogon Notify: winsxf32 - winsxf32.dll (file missing)

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

Yes that's correct but you also should have seen C:\MGtools.exe. That is where your problems began. It needs to be there.

You don't need to delete anything from Prefetch. That is normal. What you need to do now is follow Exactly what I wrote in my previous message.

 

Just continue thru all steps. It is critical that you complete all steps without doing anything else but what is listed.

You don't need to be doing anything with MGtools.exe anymore. Just do what was given in my last set of instructions as I requested.

 

How did you get the other tools onto this PC? Do it the same way but make sure you copy Avenger to the Desktop as requested or it may not run properly.

 

You will need to start the fixes from message # 23 all over again and they may no longer even be totally correct since malware could spread/change due to the reboot. Just start over and ignore things you don't see. Just complete all steps.

I was logging off already and just noticed you posted again. This will be my last reply tonight.

 

Looks like the fix worked okay and you don't need to repeat anything. Just do this.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {6C374E14-8177-4FF7-8381-9BF1CBD78DD1} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\fccawwv.dll (file missing)

After clicking Fix, exit HJT.

Other than that, your logs look clean. How are things working?

There are many kinds of infections so the answer is not straight forward:

• if your PC is off, obviously nothing can spread
• however the act of shutting down, or booting up can allow certain infections to be recreated or to spread even worse than previously
• also yes some infections can do things to your PC if your PC is left on and not being physically used by you.

You should not need to worry about any of the above since you appear to be in pretty good shape now.

 

You're welcome!

You don't need it and my final steps will be having you remove all items from MGtools. Whenever a malware problem is found, you really should be downloading and using the current copy of MGtools.exe that is online because it can change frequently just like malware does. Basically you want to make sure you always have the current version.

I'm not sure what you mean. Do you mean your wallpaper files are gone?

Covered in my final instructions given below.

Yes we are all volunteers doing this in our free time. You can support us by spreading the good word to all your friends. Do all of your downloading from Major Geeks download directories.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
10. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

No that will not work. The procedures are more related to the Windows boot drive which is why the MGtools.exe file had to be on that drive.

You could use a scanner like AVG Antispyware or any other scanner (including virus scanners) to scan the removal drive. You just have to select it to be scanned.

You can do this if you don't need anything that is on it, or you could just start by removing anything that you don't recognize.

 

You're welcome. Surf safely!