Combofix not working in Vista

[ForTozs]

Whenever I try to run combofix I get the following message: "Deleting Files/Folders: Access Denied. Administrator permissions are needed to use the selected options. Use an administrator command prompt to complete these tasks." I have tried right-clicking and "run as administrator" but I get the same thing. I am trying to go through the README FIRST sticky, but I can't get the combofix.txt file created. I am trying to work out a problem with Symantec Antivirus. For some reason I can't get autoprotect enabled. Does anyone know what I need to do to get combofix to run?

[chaslang]

Just skip ComboFix and continue. There appears to be a recent problem in ComboFix and we are seeing this happen alot but not always.

[ForTozs]

Thanks. I will run the rest of it and post the logs tommorow.

[chaslang]

Okay. Remember to attach the logs from:

- AVG Antispyware
- MGtools.exe ( the log is the C:\MGlogs.zip file)

Note: Your issue with Symantec autoprotect may not be a malware issue. It may come down to an uninstall, reboot, cleanup left overs from Symantec and then a reinstall of Symantec.

[ForTozs]

Here are the logs. I have uninstalled Symantec AV for now since I am using AVG. Hopefully that is not a malware issue and will reinstall correctly. I am definitely getting some unwanted popups though.

[chaslang]

Quote:

Originally Posted by ForTozs

Here are the logs. I have uninstalled Symantec AV for now since I am using AVG.

Not according to your logs! Do you mean you uninstalled it after posting your logs? It would have been better if you got your logs afterwards. Note that Symantec almost never uninstall properly or completely and it is not a good idea to install another antivirus program until the first is completely removed.

NOTE: You are infected! So we have some work to do.


Uninstall the below old versions of software:
Java(TM) SE Runtime Environment 6
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {09547478-A6BE-43BA-8634-857FD948CD66} - C:\Users\jason\AppData\Local\Temp\ursss.dll
O2 - BHO: (no name) - {1515B906-999A-48F3-8BF4-B7EC61BF5B38} - C:\Windows\system32\qomli.dll
O2 - BHO: {b2c36f52-f277-cecb-51b4-6993ef1af9c7} - {7c9fa1fe-3996-4b15-bcec-772f25f63c2b} - C:\Windows\system32\hgnqmpgf.dll
O2 - BHO: (no name) - {E84DDC33-8EE6-4696-9938-772D3104FF67} - C:\Users\jason\AppData\Local\Temp\ursss.dll
O4 - HKLM\..\Run: [364d2326] rundll32.exe "C:\Windows\system32\clbpyklh.dll",b
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\qomli.dll,#1

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

Quote:

Files to delete:
C:\Users\jason\AppData\Local\Temp\ursss.dll
C:\Windows\System32\emvuxqcy.exe
C:\Windows\System32\clbpyklh.dll
C:\Windows\System32\hgnqmpgf.dll
C:\Windows\System32\hlkypblc.ini
C:\Windows\System32\hunsoyah.ini
C:\Windows\system32\qomli.dll
Folders to delete:
C:\Program Files\AskTBar

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run | 364d2326
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run | MSServer

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\Windows\Temp\
C:\Users\jason\AppData\Local\Temp\

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

[ForTozs]

Thanks for all your help. I sent you an older log file so there were some differences. I am still getting pop-ups. Avenger says it won't run in Vista. I tried to manually delete ursss.dll but it won't work either. Is there other shareware that can delete this for me? I hope I haven't screwed up uninstalling and reinstalling virus programs. If I need to start over, I can do that. I did clean everything else in your instructions.

[chaslang]

Sorry about that. I just forgot you were running Vista. Use the below procedure.

Start by downloading a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {09547478-A6BE-43BA-8634-857FD948CD66} - C:\Users\jason\AppData\Local\Temp\ursss.dll
O2 - BHO: (no name) - {1515B906-999A-48F3-8BF4-B7EC61BF5B38} - C:\Windows\system32\qomli.dll
O2 - BHO: {b2c36f52-f277-cecb-51b4-6993ef1af9c7} - {7c9fa1fe-3996-4b15-bcec-772f25f63c2b} - C:\Windows\system32\hgnqmpgf.dll
O2 - BHO: (no name) - {E84DDC33-8EE6-4696-9938-772D3104FF67} - C:\Users\jason\AppData\Local\Temp\ursss.dll
O4 - HKLM\..\Run: [364d2326] rundll32.exe "C:\Windows\system32\clbpyklh.dll",b
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\qomli.dll,#1

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"364d2326"=-
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"MSServer"=-

Now run Pocket Killbox by doubleclicking on killbox.exe

• select File, Cleanup, Delete All Backups
• Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
• Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Users\jason\AppData\Local\Temp\ursss.dll
C:\Windows\System32\emvuxqcy.exe
C:\Windows\System32\clbpyklh.dll
C:\Windows\System32\hgnqmpgf.dll
C:\Windows\System32\hlkypblc.ini
C:\Windows\System32\hunsoyah.ini
C:\Windows\system32\qomli.dll

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

If Killbox does not reboot just reboot your PC yourself.

After reboot look for all of the above files we had Pocket Killbox attempt to delete. If you still see them, delete them yourself.

After reboot locate the below folder and delete if found:
C:\Program Files\AskTBar


Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\Windows\Temp\
C:\Users\jason\AppData\Local\Temp\


Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created

Make sure you tell me how things are working now!

[ForTozs]

OK i followed the steps but when I try to start killbox I get a mscomctl.ocx error. I downloaded the file into my system32 folder, but killbox still doesn't want to open. Thoughts?

[ForTozs]

Nevermid! truns now with Run as administrtor...

[ForTozs]

Here is the updated file. Still couldn't delete ursss.dll. I got the PendingFileRenameOperations prompt. Maybe the log can shed some light. The pop-ups haven't happened in awhile though.

[chaslang]

Your MGlogs.zip file is incomplete. Make sure you have disabledUAC as requested in the instructions for MGtools.exe. Also use Run As Admin when you run GetLogs.bat

[ForTozs]

OK. I have disabled UAC and ran the tools as administrator. Here is the file.

[chaslang]

While I look thru your logs and create a new procedure, please do the below.

Disable Windows Defender's realtime protection which could be getting in our way.

Disable Windows Defender:

• Open Windows Defender
• Click Tools
• Click General Settings
• Scroll down to Real Time Protection Options
• Uncheck Turn on Real Time Protection (recommended)
• Close Windows Defender

Once your log is clean you can re-enable Windows Defender Real Time Protection.

[ForTozs]

Thanks. OK.

[chaslang]

Sorry I lost Internet access and it just came back now. Here is where I'm at.

Okay this malware appears to have hooked itself into many of your running processes including your Windows Defender and Symantec Antivirus which are supposed to be protecting you from things like this. That does not speak well for their ability to protect you. This could be easier to cleanup from safe mode where much less is running. But let's see if we can reduce the cleanup by trying to stop a few processes and then get a new MGlogs.zip file so I can see what remains. Right now there would be a very very long lost of things to do. So I'm trying to reduce the length of the procedure. All of the below process have the infected DLL hooked into them.

Quote:

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe)
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe <--- amazing protection software that cannot protect itself.
C:\Program Files\Windows Defender\MSASCui.exe <--- amazing protection software that cannot protect itself.
C:\Program Files\Common Files\aol\1197330168\ee\aolsoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe <--- amazing protection software that cannot protect itself.
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\lsass.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\WindowsMobile\wmdc.exe

Do you need AOL to be connected here? My next message will continue with a list of processes to kill but I need to know about AOL.

[ForTozs]

Wow. No I absolutely do not want AOL in the tray. I hate having stuff down there. I would have gotten to getting rid of it until all this happened. This is a new computer. I took all the malware protection for granted that I had implemented thanks to you guys. I just absolutely forgot and began downloading programs I needed before I even thought about installing my antivirus. Lesson learned.

[ForTozs]

You want me to kill all of those? Should I use task manager?

[chaslang]

Quote:

Originally Posted by ForTozs

You want me to kill all of those? Should I use task manager?

No! We need to use something else and we will only kill certain ones.

Download a tool we will need: Process Explorer

Extract it to its own folder somewhere that you will be able to locate it to use

• Unzip it to its own folder somewhere you can locate it.
• Now run procexp.exe by double clicking on it.
• Let's configure some options first:
  • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
  • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
• Now one by one select each of the below process and if found right click on them and select Kill Process. If they restart again, don't worry about it. Just continue

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\aol\1197330168\ee\aolsoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\WLTRAY.EXE

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created

Just incase our work gets interrupted, DO NOT shutdown, reboot etc after doing the above or you will just have to do all of it again.

[ForTozs]

OK. I think that was all of them. Symantec processes would not close: access denied. I had already shut down some processes in task manager. I hope that didn't hurt anything. If I need to reboot and do it again let me know. RunDLL restarted and maybe another one I can't remember.