MajorGeeks Support Forums

#1 - mbmadiw (Corporal) - 09-25-11, 15:13
Can't get rid of the malware

My friend gave me his computer to fix because he said it was restarting on its own. When you log in, it gets to the Desktop and then restarts.

In Safe Mode, it'll stay on the Desktop, but there are multiple popups asking you what program you want to open things with. That happens whenever you click on anything too. Right clicking and selecting start will allow you to open a program. There are also redirects when using IE 8.

I have followed the Read & Run Me First instructions, but had some trouble with certain steps:
  • I cannot uninstall most items. I get an error saying the specified module cannot be found.
  • ComboFix runs, but some of the stages say I must use an administrator command prompt. I am logged in with the original computer administrator account.
  • RootRepeal won't scan. It says "Could not initialize driver. Please contact the author." and then "Could not scan drive c (error 0xc0000024)". I downloaded it from two different sources, just to be sure that I had received a good copy of the software. I found a reference that said Windows Update will fix this problem. I cannot get Windows Update to start.

After running all of these scans as best as I could, the computer was still obviously infected and showed the same things happening. I ran all of the scans again, but there was no change. Each time Super AntiSpyware and MalwareBytes run, they find hundreds of items. They clear them, the computer restarts, and they're all back. I run the scans again, repeat, repeat.

Attached are the logs from the last time I've run everything. I did them in the correct order per the instructions.

Thank you for your assistance!
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 09-25-2011 - 14-02-36.log (46.6 KB, 2 views)
File Type: txt mbam-log-2011-09-25 (15-31-19).txt (18.9 KB, 2 views)
File Type: zip MGlogs.zip (217.1 KB, 2 views)
#2 - TimW (MajorGeeks Administrator - Jedi Malware Expert) - 09-25-11, 17:42
Re: Can't get rid of the malware

Download The Avenger by Swandog46 to your Desktop.

See the download links under this icon
Extract avenger.exe from the Zip file and save it to your desktop.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
Quote:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:54263
O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: (no name) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: My Web Search Service (MyWebSearchService32) - Unknown owner - C:\Windows\system32\IMJP10K32.exe (file missing)
O23 - Service: Thread Ordering Server (THREADORDER32) - Unknown owner - C:\Windows\system32\KBDINKAN32.exe (file missing)
O23 - Service: Desktop Window Manager Session Manager (UxSms32) - Unknown owner - C:\Windows\system32\msdmo32.exe (file missing)
After clicking Fix, exit HJT.

Now copy just the bold text below to notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
"MyWebSearch Email Plugin"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"2743579992"=-
"Ososilowadilaki"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}]

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


  1. Run avenger.exe by double-clicking on it.
  2. Click OK at the warning to continue to use The Avenger
  3. Do not change any of the check box options!
  4. Shut down your protection software now to avoid possible conflicts.
  5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    Quote:
    Drivers to delete:
    ejeffge
    jnmi
    kygtlmwn
    nqwudb

    Files to delete:
    C:\WINDOWS\Tasks\Woumbfg.job
    C:\Users\kobebryant\AppData\Roaming\C8C8.9B8
    C:\Users\kobebryant\AppData\Roaming\Microsoft\Windows\Templates\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
    C:\ProgramData\81amysc2c3drnt
    C:\WINDOWS\System32\drivers\ejeffge.sys
    C:\WINDOWS\System32\drivers\jnmi.sys
    C:\WINDOWS\System32\drivers\kygtlmwn.sys
    C:\WINDOWS\System32\drivers\nqwudb.sys
    C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
  6. Now click the button
  7. Click Yes to the prompt to confirm you want to execute.
  8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
  9. Your PC should reboot, if not, reboot it yourself.
  10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
  11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post)


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

Then attach the below logs:

* C:\MGlogs.zip

Make sure you tell me how things are working now!
__________________
Major cake licker.
YCLAHTW, BYCMHD!!

Major Geeks on Facebook

Major Geeks Newsletter
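The HijackThis lines TimW asks to have fixed above (the R1 proxy setting, O2 browser helper objects, O4 Run entries and O23 services) follow a fixed one-line-per-entry format, so the patterns a malware helper keys on can be picked out mechanically. The script below is an added example for this thread, not HijackThis code and not a MajorGeeks tool: it parses HJT-style lines and flags entries whose file is missing, autoruns under the SYSTEM profile's AppData, a browser proxy pointed at a local port, and rundll32 loading a DLL from AppData. The sample log is constructed from lines quoted in this thread plus a header line and two benign entries (the "Example" GUID and paths are placeholders); the severity rules are this example's own heuristics, not HJT's.

```python
"""Triage helper for HijackThis-style log lines.
Added example for this thread; it is not HijackThis code and not a MajorGeeks tool."""
import re
from dataclasses import dataclass

# Constructed sample: lines quoted in this thread plus a header line and two
# benign entries made up for contrast (the Example GUID/paths are placeholders).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:54263
O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
O23 - Service: Thread Ordering Server (THREADORDER32) - Unknown owner - C:\Windows\system32\KBDINKAN32.exe (file missing)
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
"""

# Every HJT entry starts with a section code (R1, O2, O4, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# R1 proxy pointed at the local machine: browser traffic is funnelled through a local process.
LOCALHOST_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):\d+", re.IGNORECASE)
# Autoruns living under the SYSTEM account's profile, where no legitimate user installer writes.
SYSTEM_PROFILE_RE = re.compile(r"\\config\\systemprofile\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # HJT section code, e.g. "O4"
    severity: str  # "high": worth immediate attention; "cleanup": dead entry to remove
    reason: str
    line: str


def triage_line(line: str) -> list:
    """Apply this example's heuristics to one HJT line; returns zero or more findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []   # header, blank or free-text line
    kind, body = m.group("kind"), m.group("body")
    found = []
    if body.endswith("(file missing)"):
        found.append(Finding(kind, "cleanup", "entry points at a file that no longer exists", line))
    if kind == "R1" and LOCALHOST_PROXY_RE.search(body):
        found.append(Finding(kind, "high", "browser proxy set to a local port (traffic interception)", line))
    if kind == "O4" and SYSTEM_PROFILE_RE.search(body):
        found.append(Finding(kind, "high", "autorun under the SYSTEM profile's AppData", line))
    if kind == "O4" and "rundll32" in body.lower() and APPDATA_RE.search(body):
        found.append(Finding(kind, "high", "rundll32 loads a DLL from an AppData folder at logon", line))
    return found


def triage_log(text: str) -> list:
    """Run triage_line over a whole log, preserving line order."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by severity."""
    counts = {"high": 0, "cleanup": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:7}] {f.kind:3} {f.reason}\n          {f.line}")
    print(summarize(results))
```

Run it on a real HJT log (`triage_log(open("hijackthis.log").read())`) and the "high" findings are the ones to read first; the "cleanup" entries are leftovers from half-removed software and are what the "(file missing)" lines in this thread are. The heuristics are deliberately narrow: an entry that trips none of them is not thereby clean.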
#3 - mbmadiw (Corporal) - 09-25-11, 18:59
Re: Can't get rid of the malware

Successful:
-Downloaded Avenger
-Ran Hijack This and fixed items per your list
-Merged fixME.reg into registry and got success message

Problem:
1. Opened The Avenger and inserted script, Step 1 successful. Rebooted as directed by the program
2. Immediately after logging in, the computer rebooted on its own (just like it has been)
3. I then went into Safe Mode to check for the log file. There was none. I opened The Avenger to check for a log file. It said there are none.
4. I rebooted again to give it another chance, same thing happened as in items #2 and #3 above.

Should I go ahead and run the C:\MGtools\GetLogs.bat file?
#4 - Kestrel13! (Super Malware Fighter - Major Dilemma) - 09-25-11, 19:05
Re: Can't get rid of the malware

Quote:
Should I go ahead and run the C:\MGtools\GetLogs.bat file?
Yes.
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
#5 - mbmadiw (Corporal) - 09-25-11, 19:12
Re: Can't get rid of the malware

OK - Here is the one log that I can attach.
Tell me what's next! Thanks so much.
Attached Files
File Type: zip MGlogs.zip (219.6 KB, 3 views)
#6 - TimW (MajorGeeks Administrator - Jedi Malware Expert) - 09-26-11, 09:39
Re: Can't get rid of the malware

Nothing was fixed. Let's try it again.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
Quote:
O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: (no name) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: My Web Search Service (MyWebSearchService32) - Unknown owner - C:\Windows\system32\IMJP10K32.exe (file missing)
After clicking Fix, exit HJT.

Now copy just the bold text below to notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
"MyWebSearch Email Plugin"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"2743579992"=-
"Ososilowadilaki"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


Now let's use ComboFix to remove a bunch of malware files.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
Code:
KILLALL::

Driver::
My Web Search Service
eemldjxq
ejeffge
jnmi
kygtlmwn
nqwudb
ppho

File::
C:\Users\kobebryant\AppData\Roaming\C8C8.9B8
C:\Users\kobebryant\AppData\Roaming\Microsoft\Windows\Templates\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
C:\ProgramData\81amysc2c3drnt
C:\WINDOWS\System32\drivers\eemldjxq.sys
C:\WINDOWS\System32\drivers\ejeffge.sys
C:\WINDOWS\System32\drivers\jnmi.sys
C:\WINDOWS\System32\drivers\kygtlmwn.sys
C:\WINDOWS\System32\drivers\nqwudb.sys
C:\WINDOWS\System32\drivers\ppho.sys
C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
"MyWebSearch Email Plugin"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"2743579992"=-
"Ososilowadilaki"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Note: If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below log:
  • C:\MGlogs.zip

Make sure you tell me how things are working now!
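The fixME.reg file above, and the Registry:: section of the CFScript, use the REGEDIT4 syntax: `"name"=-` deletes a value, `[-key]` deletes a whole key, and the header has to be the very first line (hence "do not include any space above the word REGEDIT"). The parser below is an added example for this thread, not code from MajorGeeks or from Windows: it reads a .reg file and lists what merging it would do, so the plan can be reviewed before it touches a registry, and it rejects a file whose header is not on the first line. The sample is the fixME.reg quoted above; the list of autostart locations it flags is this example's own.

```python
"""Dry-run planner for .reg files (REGEDIT4 / Windows Registry Editor Version 5.00).
Added example for this thread; it only parses text and never touches a registry."""
import re

# Constructed sample: the fixME.reg quoted in this thread.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
"MyWebSearch Email Plugin"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"2743579992"=-
"Ososilowadilaki"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# [key] selects a key; [-key] deletes it with everything below it.
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
# "name"=data sets a value, "name"=- deletes it; @ is the key's default value.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
# Autostart locations a cleanup script typically edits (this example's own list).
PERSISTENCE_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$|\\Browser Helper Objects\\", re.IGNORECASE)


def has_valid_header(text: str) -> bool:
    """regedit needs the header on the very first line; a blank line above it breaks the import."""
    lines = text.splitlines()
    return bool(lines) and lines[0].strip() in HEADERS


def plan_reg_file(text: str) -> list:
    """Return (op, key, value_name, data) tuples describing what merging the file would do."""
    if not has_valid_header(text):
        raise ValueError("first line must be a .reg header such as REGEDIT4 (nothing above it)")
    ops, current = [], None
    for raw in text.splitlines()[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            if km.group("delete"):
                ops.append(("delete_key", current, None, None))
                current = None            # values after a [-key] are ambiguous; rejected below
            continue
        vm = VALUE_RE.match(line)
        if vm:
            if current is None:
                raise ValueError(f"value line outside a key section: {line}")
            name = "@" if vm.group("default") else vm.group("name")
            data = vm.group("data")
            if data == "-":
                ops.append(("delete_value", current, name, None))
            else:
                ops.append(("set_value", current, name, data))
            continue
        # Multi-line hex data (continuation lines ending in "\") is not supported here.
        raise ValueError(f"unrecognised line: {line}")
    return ops


def summarize(ops: list) -> dict:
    """Count operations by type and how many touch an autostart location."""
    counts = {"delete_key": 0, "delete_value": 0, "set_value": 0, "persistence_edits": 0}
    for op, key, _, _ in ops:
        counts[op] += 1
        if PERSISTENCE_RE.search(key):
            counts["persistence_edits"] += 1
    return counts


if __name__ == "__main__":
    plan = plan_reg_file(SAMPLE_REG)
    for op, key, name, data in plan:
        target = key if name is None else f"{key} -> {name!r}"
        print(f"{op:12} {target}" + (f" = {data}" if data is not None else ""))
    print(summarize(plan))
```

For the sample this yields four value deletions under the two Run keys and one key deletion of the BHO entry, all five in autostart locations, which is exactly what a removal script is expected to do; a `set_value` showing up in a file that claims to only remove things would be the cue to stop and read it again.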
#7 - mbmadiw (Corporal) - 09-26-11, 19:15
Re: Can't get rid of the malware

I was able to run HJT and merge the registry changes again. Got the success message.

I was not able to drop the CFscript.txt file onto the ComboFix icon. Just like when I try to open a program by clicking on the icon, I get a popup asking me what program to run it with. I cannot get past this, because it won't allow me to pick a program. Right clicking on the .txt file and selecting Open With does the same thing.
#8 - Kestrel13! (Super Malware Fighter - Major Dilemma) - 09-26-11, 20:41
Re: Can't get rid of the malware

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (right click and run as admin if using Vista or Windows 7). Then attach the new C:\MGlogs.zip file that will be created by running this. Let's have a fresh look at what is going on.
#9 - TimW (MajorGeeks Administrator - Jedi Malware Expert) - 09-27-11, 13:00
Re: Can't get rid of the malware

Please go to the below link and scroll down to the exe file fix:

Fix Exe Association

Or use THIS ONE.

Can you now do the ComboFix fix?
#10 - mbmadiw (Corporal) - 09-27-11, 20:16
Re: Can't get rid of the malware

For the exe file association fix, the first link didn't work, but I got a success message with the second one.

I've attached the ComboFix and GetLogs.bat logs.

Thank you for your continued work on this problem.
Attached Files
File Type: txt ComboFix.txt (275 Bytes, 2 views)
File Type: zip MGlogs.zip (219.7 KB, 1 views)
#11 - TimW (MajorGeeks Administrator - Jedi Malware Expert) - 09-28-11, 11:47
Re: Can't get rid of the malware

Your ComboFix log states that you should try running it again. Please do the fix one more time and attach the new log.
#12 - mbmadiw (Corporal) - 09-28-11, 16:49
Re: Can't get rid of the malware

I ran ComboFix two more times, but both times the logs say it needs to run again. I'm attaching both for your reference.
Attached Files
File Type: txt ComboFix1.txt (964 Bytes, 1 views)
File Type: txt ComboFix2.txt (932 Bytes, 1 views)
#13 - TimW (MajorGeeks Administrator - Jedi Malware Expert) - 09-28-11, 17:17
Re: Can't get rid of the malware

Crap. Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

Then attach the below logs:

* C:\MGlogs.zip

But first:

Now copy just the bold text below to notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
"MyWebSearch Email Plugin"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"2743579992"=-
"Ososilowadilaki"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



Download OTL to your desktop.

Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:
:processes

:services
My Web Search Service
eemldjxq
ejeffge
jnmi
kygtlmwn
nqwudb
ppho

:files
C:\Users\kobebryant\AppData\Roaming\C8C8.9B8
C:\Users\kobebryant\AppData\Roaming\Microsoft\Windows\Templates\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
C:\ProgramData\81amysc2c3drnt
C:\WINDOWS\System32\drivers\eemldjxq.sys
C:\WINDOWS\System32\drivers\ejeffge.sys
C:\WINDOWS\System32\drivers\jnmi.sys
C:\WINDOWS\System32\drivers\kygtlmwn.sys
C:\WINDOWS\System32\drivers\nqwudb.sys
C:\WINDOWS\System32\drivers\ppho.sys
C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll

:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]
  • Then click the Run Fix button at the top.
  • Click the OK button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:
  • C:\MGlogs.zip

Make sure you tell me how things are working now!
#14 - mbmadiw (Corporal) - 09-28-11, 19:24
Re: Can't get rid of the malware

  • Got the success message for the fixME.reg file.
  • OTL appeared to run correctly, but the log did not open after the reboot. I found a log at C:\_OTL\MovedFiles and have attached that.
  • MGlogs.zip is attached
Attached Files
File Type: log 09282011_201115.log (6.0 KB, 2 views)
#15 - mbmadiw (Corporal) - 09-28-11, 19:25
Re: Can't get rid of the malware

oops - didn't attach this with the last post
Attached Files
File Type: zip MGlogs.zip (219.3 KB, 2 views)
#16 - TimW (MajorGeeks Administrator - Jedi Malware Expert) - 09-29-11, 10:32
Re: Can't get rid of the malware

It's looking better, but let's try doing this in normal mode:

Use add/remove programs to uninstall:
My Web Search (IWON)

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
Quote:
O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: (no name) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: My Web Search Service (MyWebSearchService32) - Unknown owner - C:\Windows\system32\IMJP10K32.exe (file missing)
After clicking Fix, exit HJT.

Now copy just the bold text below to notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
"MyWebSearch Email Plugin"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"2743579992"=-
"Ososilowadilaki"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}]

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:
:processes
:otl
O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: (no name) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe  "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: My Web Search Service  (MyWebSearchService32) - Unknown owner - C:\Windows\system32\IMJP10K32.exe (file missing)

:files
C:\cotvrcla.txt
C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]
  • Then click the Run Fix button at the top.
  • Click the OK button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:
  • C:\MGlogs.zip

Make sure you tell me how things are working now!
#17 - mbmadiw (Corporal) - 09-29-11, 18:00
Re: Can't get rid of the malware

I can't uninstall My Web Search. What should I do?
#18 - Kestrel13! (Super Malware Fighter - Major Dilemma) - 09-29-11, 19:05
Re: Can't get rid of the malware

Try Revo Uninstaller.
Choose the option on the bottom of the list (#4). Be very careful while deleting the bolded registry items ONLY!! This software will create a system restore point for you as well prior to uninstalling a software program.
#19 - mbmadiw (Corporal) - 09-30-11, 21:34
Re: Can't get rid of the malware

Revo Uninstaller may have worked. When I first clicked to uninstall, it gave me the same dialog box telling me there was an error. However, it did appear to go through the steps and remove everything. (?) After it was done MyWebSearch was no longer in the list.

analyse.exe seemed to then run fine. fixME.reg got the success message.

OTL got hung up and froze the computer for quite a long time. Tried again after a reboot, same thing. No log was made for it.

getlogs.bat ran and the zipped logs folder is attached.
Attached Files
File Type: zip MGlogs.zip (220.3 KB, 1 views)

Last edited by mbmadiw; 09-30-11 at 21:38.. Reason: mistake - see logs in post below instead of this one
#20 - mbmadiw (Corporal) - 09-30-11, 21:40
Re: Can't get rid of the malware

Sorry - not sure if I uploaded the right file, and now it won't let me upload it again.