Combofix not working in Vista

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ForTozs, Dec 15, 2007.

  1. ForTozs

    ForTozs Private E-2

    Whenever I try to run combofix I get the following message: "Deleting Files/Folders: Access Denied. Administrator permissions are needed to use the selected options. Use an administrator command prompt to complete these tasks." I have tried right-clicking and "run as administrator" but I get the same thing. I am trying to go through the README FIRST sticky, but I can't get the combofix.txt file created. I am trying to work out a problem with Symantec Antivirus. For some reason I can't get autoprotect enabled. Does anyone know what I need to do to get combofix to run?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just skip ComboFix and continue. There appears to be a recent problem in ComboFix and we are seeing this happen a lot but not always.
     
  3. ForTozs

    ForTozs Private E-2

    Thanks. I will run the rest of it and post the logs tomorrow.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. Remember to attach the logs from:

    - AVG Antispyware
    - MGtools.exe ( the log is the C:\MGlogs.zip file)

    Note: Your issue with Symantec autoprotect may not be a malware issue. It may come down to an uninstall, reboot, cleanup left overs from Symantec and then a reinstall of Symantec.
     
  5. ForTozs

    ForTozs Private E-2

    Here are the logs. I have uninstalled Symantec AV for now since I am using AVG. Hopefully that is not a malware issue and will reinstall correctly. I am definitely getting some unwanted popups though.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your logs! Do you mean you uninstalled it after posting your logs? It would have been better if you got your logs afterwards. Note that Symantec almost never uninstalls properly or completely and it is not a good idea to install another antivirus program until the first is completely removed.

    NOTE: You are infected! So we have some work to do.


    Uninstall the below old versions of software:
    Java(TM) SE Runtime Environment 6
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {09547478-A6BE-43BA-8634-857FD948CD66} - C:\Users\jason\AppData\Local\Temp\ursss.dll
    O2 - BHO: (no name) - {1515B906-999A-48F3-8BF4-B7EC61BF5B38} - C:\Windows\system32\qomli.dll
    O2 - BHO: {b2c36f52-f277-cecb-51b4-6993ef1af9c7} - {7c9fa1fe-3996-4b15-bcec-772f25f63c2b} - C:\Windows\system32\hgnqmpgf.dll
    O2 - BHO: (no name) - {E84DDC33-8EE6-4696-9938-772D3104FF67} - C:\Users\jason\AppData\Local\Temp\ursss.dll
    O4 - HKLM\..\Run: [364d2326] rundll32.exe "C:\Windows\system32\clbpyklh.dll",b
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\qomli.dll,#1

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\Temp\
    C:\Users\jason\AppData\Local\Temp\

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  7. ForTozs

    ForTozs Private E-2

    Thanks for all your help. I sent you an older log file so there were some differences. I am still getting pop-ups. Avenger says it won't run in Vista. I tried to manually delete ursss.dll but it won't work either. Is there other shareware that can delete this for me? I hope I haven't screwed up uninstalling and reinstalling virus programs. If I need to start over, I can do that. I did clean everything else in your instructions.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. I just forgot you were running Vista. Use the below procedure.

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {09547478-A6BE-43BA-8634-857FD948CD66} - C:\Users\jason\AppData\Local\Temp\ursss.dll
    O2 - BHO: (no name) - {1515B906-999A-48F3-8BF4-B7EC61BF5B38} - C:\Windows\system32\qomli.dll
    O2 - BHO: {b2c36f52-f277-cecb-51b4-6993ef1af9c7} - {7c9fa1fe-3996-4b15-bcec-772f25f63c2b} - C:\Windows\system32\hgnqmpgf.dll
    O2 - BHO: (no name) - {E84DDC33-8EE6-4696-9938-772D3104FF67} - C:\Users\jason\AppData\Local\Temp\ursss.dll
    O4 - HKLM\..\Run: [364d2326] rundll32.exe "C:\Windows\system32\clbpyklh.dll",b
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\qomli.dll,#1

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Users\jason\AppData\Local\Temp\ursss.dll
    C:\Windows\System32\emvuxqcy.exe
    C:\Windows\System32\clbpyklh.dll
    C:\Windows\System32\hgnqmpgf.dll
    C:\Windows\System32\hlkypblc.ini
    C:\Windows\System32\hunsoyah.ini
    C:\Windows\system32\qomli.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot look for all of the above files we had Pocket Killbox attempt to delete. If you still see them, delete them yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\AskTBar


    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\Temp\
    C:\Users\jason\AppData\Local\Temp\


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created

    Make sure you tell me how things are working now!
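The "Delete on Reboot" step above relies on a Windows mechanism worth understanding, so here is an added Python example (not Killbox code and not from this thread). Killbox asks Windows, via MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, to record the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; Session Manager works through that list at the next boot before the files are loaded by anything, which is why a DLL that cannot be deleted while Windows is running can still be removed this way. The PendingFileRenameOperations prompt mentioned above refers to this same value. As documented for MoveFileEx, the value holds source/destination pairs, with an empty destination meaning delete. The code decodes and encodes the raw value bytes (the empty-string elements trip up many generic REG_MULTI_SZ readers), queues the file list from this post without clobbering entries another installer already queued, and parses the result. The one pre-existing entry is constructed for the example.

```python
r"""Model of the delete-on-reboot queue that Killbox uses.

Added example for this thread, not Killbox code. As documented for MoveFileEx,
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
(REG_MULTI_SZ) is a flat list of source/destination pairs: the source in NT form
(\??\C:\...), and a destination that is empty for delete or prefixed with '!'
to replace an existing file. Session Manager applies the list at the next boot.
"""
NT_PREFIX = "\\??\\"

# Constructed for the example: one entry some installer already queued.
EXISTING_PENDING = ["\\??\\C:\\Windows\\Temp\\setup.tmp", ""]

# The file list given to Killbox in this post.
KILLBOX_LIST = [
    "C:\\Users\\jason\\AppData\\Local\\Temp\\ursss.dll",
    "C:\\Windows\\System32\\emvuxqcy.exe",
    "C:\\Windows\\System32\\clbpyklh.dll",
    "C:\\Windows\\System32\\hgnqmpgf.dll",
    "C:\\Windows\\System32\\hlkypblc.ini",
    "C:\\Windows\\System32\\hunsoyah.ini",
    "C:\\Windows\\system32\\qomli.dll",
]


def decode_multi_sz(raw):
    """Decode raw REG_MULTI_SZ bytes (UTF-16LE) into a list of strings.

    Every string is NUL-terminated and the whole list ends with one extra NUL.
    Empty strings are real elements here (they mean "delete"), so the decoder
    must not stop at the first double NUL the way many generic readers do.
    """
    text = raw.decode("utf-16-le")
    if not text:
        return []
    if not text.endswith("\0"):
        raise ValueError("REG_MULTI_SZ data must end with the list terminator")
    # Drop the list terminator, split on the per-string NULs, drop the empty
    # tail produced by the last string's own NUL.
    return text[:-1].split("\0")[:-1]


def encode_multi_sz(strings):
    """Inverse of decode_multi_sz: NUL after every string, then the terminator."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending(strings):
    """Turn the flat pair list into (operation, source, destination) tuples."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(("delete", strip_nt(src), None))
        elif dst.startswith("!"):
            ops.append(("replace", strip_nt(src), strip_nt(dst[1:])))
        else:
            ops.append(("rename", strip_nt(src), strip_nt(dst)))
    return ops


def queue_deletes(raw, paths):
    """Return new raw value bytes with a delete entry appended for each path.

    Existing entries are kept: rewriting the value from scratch would silently
    drop whatever another installer had queued. Paths already queued are skipped.
    """
    strings = decode_multi_sz(raw)
    queued = {s.lower() for s in strings[0::2]}
    for p in paths:
        nt = NT_PREFIX + p
        if nt.lower() not in queued:
            strings += [nt, ""]
            queued.add(nt.lower())
    return encode_multi_sz(strings)


if __name__ == "__main__":
    before = encode_multi_sz(EXISTING_PENDING)
    after = queue_deletes(before, KILLBOX_LIST)
    for op, src, dst in parse_pending(decode_multi_sz(after)):
        print(op, src, dst or "")
```

If a file is listed here but is back after the reboot, the queue worked and something recreated the file at logon; that is the case for a fresh MGlogs.zip rather than another pass of the same list.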
     
  9. ForTozs

    ForTozs Private E-2

    OK i followed the steps but when I try to start killbox I get a mscomctl.ocx error. I downloaded the file into my system32 folder, but killbox still doesn't want to open. Thoughts?
     
  10. ForTozs

    ForTozs Private E-2

    Never mind! It runs now with Run as administrator...
     
  11. ForTozs

    ForTozs Private E-2

    Here is the updated file. Still couldn't delete ursss.dll. I got the PendingFileRenameOperations prompt. Maybe the log can shed some light. The pop-ups haven't happened in awhile though.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your MGlogs.zip file is incomplete. Make sure you have disabled UAC as requested in the instructions for MGtools.exe. Also use Run As Admin when you run GetLogs.bat.
     
  13. ForTozs

    ForTozs Private E-2

    OK. I have disabled UAC and ran the tools as administrator. Here is the file.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While I look thru your logs and create a new procedure, please do the below.

    Disable Windows Defender's realtime protection which could be getting in our way.

    Disable Windows Defender:
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    Once your log is clean you can re-enable Windows Defender Real Time Protection.
     
  15. ForTozs

    ForTozs Private E-2

    Thanks. OK.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry I lost Internet access and it just came back now. Here is where I'm at.

    Okay, this malware appears to have hooked itself into many of your running processes including your Windows Defender and Symantec Antivirus which are supposed to be protecting you from things like this. That does not speak well for their ability to protect you. This could be easier to clean up from safe mode where much less is running. But let's see if we can reduce the cleanup by trying to stop a few processes and then get a new MGlogs.zip file so I can see what remains. Right now there would be a very very long list of things to do. So I'm trying to reduce the length of the procedure. All of the below processes have the infected DLL hooked into them.
    Do you need AOL to be connected here? My next message will continue with a list of processes to kill but I need to know about AOL.
     
  17. ForTozs

    ForTozs Private E-2

    Wow. No I absolutely do not want AOL in the tray. I hate having stuff down there. I would have gotten to getting rid of it until all this happened. This is a new computer. I took all the malware protection for granted that I had implemented thanks to you guys. I just absolutely forgot and began downloading programs I needed before I even thought about installing my antivirus. Lesson learned.
     
  18. ForTozs

    ForTozs Private E-2

    You want me to kill all of those? Should I use task manager?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! We need to use something else and we will only kill certain ones.

    Download a tool we will need: Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it to use

    • Unzip it to its own folder somewhere you can locate it.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now one by one select each of the below processes and if found right click on them and select Kill Process. If they restart again, don't worry about it. Just continue
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Symantec AntiVirus\VPTray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\aol\1197330168\ee\aolsoftware.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\WLTRAY.EXE

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created

    Just in case our work gets interrupted, DO NOT shutdown, reboot etc after doing the above or you will just have to do all of it again.
     
  20. ForTozs

    ForTozs Private E-2

    OK. I think that was all of them. Symantec processes would not close: access denied. I had already shut down some processes in task manager. I hope that didn't hurt anything. If I need to reboot and do it again let me know. RunDLL restarted and maybe another one I can't remember.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, I'm trying to create another method of removing this new vintage Vundo infection that is more problematic on Vista.

    Previously you implied you do not want AOL in the tray, but my real question is do you need the AOL software. If not, you should just uninstall it.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Process Explorer by double clicking on the procexp.exe file.
    • Step 1 - unhook DLL from rundll32.exe
    • In the top section of the Process Explorer screen double click on rundll32.exe to bring up the rundll32.exe Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ursss.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ursss.dll under rundll32.exe click ok.
    • (If you do not find ursss.dll, just continue on.)
    • Step 2 - unhook DLL from lsass.exe
    • Next double click on lsass.exe to bring up the Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ursss.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ursss.dll under rundll32.exe click ok.
    • (If you do not find ursss.dll, just continue on.)
    • Step 3 - unhook DLL from explorer.exe
    • Next double click on explorer.exe to bring up the Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ursss.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ursss.dll under rundll32.exe click ok.
    • (If you do not find ursss.dll, just continue on.)
    • Step 4 - unhook DLL from iexplore.exe
    • Next double click on iexplore.exe to bring up the Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ursss.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ursss.dll under rundll32.exe click ok.
    • (If you do not find ursss.dll, just continue on.)
    Now just exit Process Explorer.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {8CA1DDA6-655D-40D2-A1BE-E8894B0BE3F5} - C:\Users\jason\AppData\Local\Temp\ursss.dll
    O2 - BHO: (no name) - {92CFB35C-DB2C-49DF-9E13-61B89C5302D8} - C:\Users\jason\AppData\Local\Temp\ursss.dll
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\jason\AppData\Local\Temp\ursss.dll,c

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Users\jason\AppData\Local\Temp\sssru.ini
    C:\Users\jason\AppData\Local\Temp\ursss.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below files and delete if found:
    C:\Users\jason\AppData\Local\Temp\sssru.ini
    C:\Users\jason\AppData\Local\Temp\ursss.dll

    Also look for any other files that begin with sssru and delete them too.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created

    Make sure you tell me how things are working now!
     
  23. ForTozs

    ForTozs Private E-2

    Sorry it's taken so long. I know you want to fix this problem as much as I do. I wish I had better news but I still can't delete the files in my temp folder. I went ahead and attached the mgtool zip. I still haven't had a pop-up all day.
     


  24. ForTozs

    ForTozs Private E-2

    By the way, I am "running as administrator" for all executables and user account control is off.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you have any problems doing what I requested with Process Explorer?
    Did the fixME.reg patch say it was successfully added to the registry?

    Had you rebooted or powered down after you posted message # 20 but before doing my fix?

    See if you are able to run ComboFix now. We may need to use it to get this fixed.
     
    Last edited: Dec 18, 2007
  26. ForTozs

    ForTozs Private E-2

    No problems with process explorer and a window popped up saying that I had successfully added stuff to the registry. I never rebooted, but the computer did hibernate due to inactivity. I will try to run combofix again.
     
  27. ForTozs

    ForTozs Private E-2

    Weird... Symantec is coming up with autoprotect results for Trojan.Vundo and AdClicker. Deleting files I've never seen. gamadril2007, hqofexxr.exe, etc. Now I have pop-ups again. Turns out my wife went against my advice to not use the internet on this computer. Hopefully, the adclicker is not as bad and Symantec actually did clean it as it says. My desktop background is missing.
     
  28. ForTozs

    ForTozs Private E-2

    Combofix is behaving differently, but still no luck. Now it locks up at "Deleting Files/Folders:" and explorer fails and must be executed from task manager. I am on a home network. I don't know if that makes a difference, but just want to let you know in case it could matter (e.g., the host computer is infected and keeps reinfecting me). Also, my first step at fixing this was running Symantec's FixVundo program. I don't know if this could have messed with any of my computer's settings. And who knows how else I could have done something wrong along the way. I might try the whole thing over again just to make sure I didn't skip anything. I could have easily made a mistake.

    Here is what the Combofix.txt said that it created

    ComboFix 07-12-15.1 - jason 2007-12-19 17:00:03.7 - NTFSx86
    Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1198 [GMT -6:00]
    Running from: C:\Users\jason\Downloads\ComboFix.exe
    .
     
    Last edited: Dec 18, 2007
  29. ForTozs

    ForTozs Private E-2

    OK. The files in my temp folder are finally gone! Not sure exactly what I did wrong last time, but it seemed to work this time. Here is my new MGTools log. I hope it's clean. No pop-ups so far. Thanks for all your help. I'm sorry I couldn't get it right sooner.
     


  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This program is just about totally useless in removing Vundo infections. In most cases, it does not even detect anything. But no it would not mess anything up.

    Sorry to tell you but you are not clean yet. Based on your log, the files are still there and so is your infection. But I see a few other files to remove. So I will work up another procedure and post it in my next message.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Process Explorer by double clicking on the procexp.exe file.
    • Step 1 - unhook DLL from rundll32.exe
    • In the top section of the Process Explorer screen double click on rundll32.exe to bring up the rundll32.exe Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ursss.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ursss.dll under rundll32.exe click ok.
    • (If you do not find ursss.dll, just continue on.)
    • Step 2 - unhook DLL from lsass.exe
    • Next double click on lsass.exe to bring up the Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ursss.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ursss.dll under rundll32.exe click ok.
    • (If you do not find ursss.dll, just continue on.)
    • Step 3 - unhook DLL from explorer.exe
    • Next double click on explorer.exe to bring up the Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ursss.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ursss.dll under rundll32.exe click ok.
    • (If you do not find ursss.dll, just continue on.)
    • Step 4 - unhook DLL from iexplore.exe
    • Next double click on iexplore.exe to bring up the Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ursss.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ursss.dll under rundll32.exe click ok.
    • (If you do not find ursss.dll, just continue on.)
    Now just exit Process Explorer.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5F260D65-2699-4CCB-A3D1-AE37AB2E672E} - C:\Users\jason\AppData\Local\Temp\ursss.dll
    O2 - BHO: (no name) - {85988B9C-56C3-4E5D-B718-2197A38822DD} - C:\Users\jason\AppData\Local\Temp\ursss.dll

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Windows\System32\cbxwv.dll
    C:\Windows\System32\hggdb.dll
    C:\Windows\System32\tuspm.dll
    C:\Users\jason\AppData\Local\Temp\sssru.ini
    C:\Users\jason\AppData\Local\Temp\ursss.dll

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below files and delete if found. If they will not delete then repeat the above but when Killbox reboots your PC, boot into safe mode and try to delete the files.
    C:\Windows\System32\cbxwv.dll
    C:\Windows\System32\hggdb.dll
    C:\Windows\System32\tuspm.dll
    C:\Users\jason\AppData\Local\Temp\sssru.ini
    C:\Users\jason\AppData\Local\Temp\ursss.dll

    Also look for any other files that begin with sssru and delete them too.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created

    Make sure you tell me how things are working now!
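The HijackThis lines the helper picks out in posts #6, #8, #22 and #31 follow a small set of checks, and an added Python example (not an MGtools or HijackThis component, and not from this thread) makes them explicit so the same triage can be run over any HJT log: a BHO or Run-key module that loads from a Temp folder, a BHO with no readable name, one DLL registered under more than one BHO CLSID (ursss.dll here), and a rundll32 Run entry that loads a DLL which is also a BHO. The sample lines are the ones quoted in this thread plus two benign entries (Adobe's PDF link helper and Windows Defender's tray app) constructed for contrast; the rule that treats a hex-looking Run entry name such as [364d2326] as suspicious is a heuristic of this example, not something the posts state. The output is the two lists chaslang works with: the lines to tick in HJT and the file paths to hand to Killbox.

```python
"""Triage HijackThis O2 (BHO) and O4 (Run key) lines for Vundo-style loaders.

Added example for this thread; the rules encode what the helper selected in
posts #6, #8, #22 and #31. Other HJT sections are ignored.
"""
import re
from collections import defaultdict

# Constructed sample: O2/O4 lines quoted in the thread plus two benign entries.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09547478-A6BE-43BA-8634-857FD948CD66} - C:\Users\jason\AppData\Local\Temp\ursss.dll
O2 - BHO: (no name) - {1515B906-999A-48F3-8BF4-B7EC61BF5B38} - C:\Windows\system32\qomli.dll
O2 - BHO: {b2c36f52-f277-cecb-51b4-6993ef1af9c7} - {7c9fa1fe-3996-4b15-bcec-772f25f63c2b} - C:\Windows\system32\hgnqmpgf.dll
O2 - BHO: (no name) - {E84DDC33-8EE6-4696-9938-772D3104FF67} - C:\Users\jason\AppData\Local\Temp\ursss.dll
O4 - HKLM\..\Run: [364d2326] rundll32.exe "C:\Windows\system32\clbpyklh.dll",b
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\qomli.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\jason\AppData\Local\Temp\ursss.dll,c
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)\s*$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<entry>[^\]]*)\] (?P<cmd>.+?)\s*$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,', re.IGNORECASE)
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)  # heuristic, e.g. [364d2326]
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\local settings\\temp\\", "\\windows\\temp\\")


def parse_hjt(text):
    """Return one dict per O2/O4 line: kind, the raw line, and the module it loads."""
    items = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            items.append({"kind": "O2", "line": line, "name": m["name"],
                          "clsid": m["clsid"].upper(), "module": m["path"]})
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m["cmd"])  # only rundll32 entries name a DLL
            items.append({"kind": "O4", "line": line, "hive": m["hive"],
                          "entry": m["entry"], "cmd": m["cmd"],
                          "module": r["dll"] if r else None})
    return items


def in_temp(path):
    return path is not None and any(t in path.lower() for t in TEMP_DIRS)


def triage(text):
    """Return the entries that trip at least one rule, each with its reasons."""
    items = parse_hjt(text)
    clsids_by_dll = defaultdict(set)   # Vundo registers one DLL under several CLSIDs
    for it in items:
        if it["kind"] == "O2":
            clsids_by_dll[it["module"].lower()].add(it["clsid"])
    flagged = []
    for it in items:
        reasons = []
        mod = (it["module"] or "").lower()
        if in_temp(it["module"]):
            reasons.append("module loads from a Temp directory")
        if it["kind"] == "O2":
            if it["name"] == "(no name)" or GUID_RE.match(it["name"]):
                reasons.append("BHO has no readable name")
            if len(clsids_by_dll[mod]) > 1:
                reasons.append("same DLL registered under %d BHO CLSIDs" % len(clsids_by_dll[mod]))
        else:
            if RANDOM_NAME_RE.match(it["entry"]):
                reasons.append("Run entry name looks machine-generated")
            if mod and mod in clsids_by_dll:
                reasons.append("rundll32 Run entry loads a DLL that is also a BHO")
        if reasons:
            flagged.append({"line": it["line"], "module": it["module"], "reasons": reasons})
    return flagged


def files_to_remove(text):
    """Unique module paths behind the flagged lines: the list to give Killbox."""
    paths = {}
    for hit in triage(text):
        if hit["module"]:
            paths.setdefault(hit["module"].lower(), hit["module"])
    return sorted(paths.values(), key=str.lower)


if __name__ == "__main__":
    print("Lines to fix in HJT:")
    for hit in triage(SAMPLE_HJT):
        print(" ", hit["line"])
        for reason in hit["reasons"]:
            print("     ->", reason)
    print("Files for Killbox:")
    for p in files_to_remove(SAMPLE_HJT):
        print(" ", p)
```

A benign rundll32 Run entry (graphics drivers use one) trips none of these rules on its own, so a hit needs a reason beyond "rundll32" before it goes on the fix list; the Temp-directory and duplicate-CLSID rules are the ones that carry weight.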
     
  32. ForTozs

    ForTozs Private E-2

    Everything is running OK. ursss.dll was nowhere to be found, and I deleted the other files with no problems. Here is the log.
     


  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why do you say this???? The lines are still in your HJT log and the files are still in your Temp and system32 folders. How are you missing them? Are your logs not current logs? Check your HJT log and also all of the below files are still on your PC according to the newfiles.txt log:

    C:\Windows\System32\cbxwv.dll
    C:\Windows\System32\hggdb.dll
    C:\Windows\System32\tuspm.dll
    C:\Users\jason\AppData\Local\Temp\sssru.ini
    C:\Users\jason\AppData\Local\Temp\ursss.dll


    Don't you see what I'm asking you to delete? You need to make sure that you are manually checking to get all of the files deleted because Killbox does not seem to be doing it for you.

    [EDIT] On second look. I think that maybe what is happening is that you are not allowing GetLogs.bat to run properly and that you are therefore attaching old logs. You must make sure that you have disabled UAC and also try using Run As Admin on GetLogs.bat. Make sure you wait for it to complete running.
     
  34. ForTozs

    ForTozs Private E-2

    That might very well be it. I had turned UAC back on. See if these are better.
     


  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bingo! ;) Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  36. ForTozs

    ForTozs Private E-2

    Thank you so much. I have completed your final instructions. Everything seems to run fine. I might see you again if I decide to uninstall Symantec as many would seem to recommend. I will see how things go. This is the second time this site has helped me, and I must say that it is so refreshing that there are people out there willing to help others in need without expecting anything in return. Talk about the spirit of giving! Keep up the good work and Merry Christmas! :D
     
  37. ForTozs

    ForTozs Private E-2

    I do have one more quick question... How can I get my time to display normally again? Right now it is giving me military time.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can fix your clock from Control Panel ->Regional and Language Options and then on the Regional Options tab click the Customize button then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.

    Merry Christmas!
     
