# Can't get rid of the malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mbmadiw, Sep 25, 2011.

My friend gave me his computer to fix because he said it was restarting on its own. When you log in, it gets to the Desktop and then restarts.

In Safe Mode, it'll stay on the Desktop, but there are multiple popups asking you what program you want to open things with. That happens whenever you click on anything too. Right clicking and selecting start will allow you to open a program. There are also redirects when using IE 8.

I have followed the Read & Run Me First instructions, but had some trouble with certain steps:

• I cannot uninstall most items. I get an error saying "The specified module cannot be found."
• ComboFix runs, but some of the stages say I must use an administrator command prompt. I am logged in with the original computer administrator account.
• RootRepeal won't scan. It says "Could not initialize driver. Please contact the author." and then "Could not scan drive C (error 0xc0000024)". I downloaded it from two different sources, just to be sure that I had received a good copy of the software. I found a reference that said Windows Update will fix this problem. I cannot get Windows Update to start.

After running all of these scans as best as I could, the computer was still obviously infected and showed the same things happening. I ran all of the scans again, but there was no change. Each time SUPERAntiSpyware and Malwarebytes run, they find hundreds of items. They clear them, the computer restarts, and they're all back. I run the scans again, repeat, repeat.

Attached are the logs from the last time I've run everything. I did them in the correct order per the instructions.

Thank you for your assistance! :wave

2. ### TimW (MajorGeeks Administrator - Jedi Malware Expert, Staff Member)

Extract avenger.exe from the Zip file and save it to your desktop.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
After clicking Fix, exit HJT.

Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop; be sure the "Save as type" is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry. If you do not get a success message, it definitely did not work.

1. Run avenger.exe by double-clicking on it.
2. Click OK at the warning to continue to use The Avenger
3. Do not change any of the check box options!
4. Shut down your protection software now to avoid possible conflicts.
5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
6. Now click the button
7. Click Yes to the prompt to confirm you want to execute.
8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
9. Your PC should reboot, if not, reboot it yourself.
10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

Then attach the below logs:

* C:\MGlogs.zip

Make sure you tell me how things are working now!

Successful:
-Ran Hijack This and fixed items per your list
-Merged fixME.reg into registry and got success message

Problem:
1. Opened The Avenger and inserted script, Step 1 successful. Rebooted as directed by the program
2. Immediately after logging in, the computer rebooted on its own (just like it has been)
3. I then went into Safe Mode to check for the log file. There was none. I opened The Avenger to check for a log file. It said there are none.
4. I rebooted again to give it another chance, same thing happened as in items #2 and #3 above.

Should I go ahead and run the C:\MGtools\GetLogs.bat file?

4. ### Kestrel13! (Super Malware Fighter - Major Dilemma, Staff Member)

Yes.

OK - Here is the one log that I can attach.
Tell me what's next! Thanks so much.

6. ### TimW (MajorGeeks Administrator - Jedi Malware Expert, Staff Member)

Nothing was fixed. Let's try it again.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
After clicking Fix, exit HJT.

Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop; be sure the "Save as type" is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry. If you do not get a success message, it definitely did not work.

Now let's use ComboFix to remove a bunch of malware files.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

Driver::
My Web Search Service
eemldjxq
ejeffge
jnmi
kygtlmwn
nqwudb
ppho

File::
C:\Users\kobebryant\AppData\Roaming\C8C8.9B8
C:\Users\kobebryant\AppData\Roaming\Microsoft\Windows\Templates\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
C:\ProgramData\81amysc2c3drnt
C:\WINDOWS\System32\drivers\eemldjxq.sys
C:\WINDOWS\System32\drivers\ejeffge.sys
C:\WINDOWS\System32\drivers\jnmi.sys
C:\WINDOWS\System32\drivers\kygtlmwn.sys
C:\WINDOWS\System32\drivers\nqwudb.sys
C:\WINDOWS\System32\drivers\ppho.sys
C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
"MyWebSearch Email Plugin"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"2743579992"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]


* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Note: If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

I was able to run HJT and merge the registry changes again. Got the success message.

I was not able to drop the CFscript.txt file onto the ComboFix icon. Just like when I try to open a program by clicking on the icon, I get a popup asking me what program to run it with. I cannot get past this, because it won't allow me to pick a program. Right clicking on the .txt file and selecting Open With does the same thing.

8. ### Kestrel13! (Super Malware Fighter - Major Dilemma, Staff Member)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this. Let's have a fresh look on what is going on.

9. ### TimW (MajorGeeks Administrator - Jedi Malware Expert, Staff Member)

Please go to the below link and scroll down to the exe file fix:

Fix Exe Association

Or use THIS ONE.

Can you now do the ComboFix fix?

For the exe file association fix, the first link didn't work, but I got a success message with the second one.

I've attached the ComboFix and GetLogs.bat logs.

Thank you for your continued work on this problem.

11. ### TimW (MajorGeeks Administrator - Jedi Malware Expert, Staff Member)

Your ComboFix log states that you should try running it again. Please do the fix one more time and attach the new log.

I ran ComboFix two more times, but both times the logs say it needs to run again. I'm attaching both for your reference.

13. ### TimW (MajorGeeks Administrator - Jedi Malware Expert, Staff Member)

Crap. Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

Then attach the below logs:

* C:\MGlogs.zip

But first:

Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop; be sure the "Save as type" is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry. If you do not get a success message, it definitely did not work.

Double-click OTL.exe to start the program.

• Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:
:processes

:services
My Web Search Service
eemldjxq
ejeffge
jnmi
kygtlmwn
nqwudb
ppho

:files
C:\Users\kobebryant\AppData\Roaming\C8C8.9B8
C:\Users\kobebryant\AppData\Roaming\Microsoft\Windows\Templates\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
C:\ProgramData\81amysc2c3drnt
C:\WINDOWS\System32\drivers\eemldjxq.sys
C:\WINDOWS\System32\drivers\ejeffge.sys
C:\WINDOWS\System32\drivers\jnmi.sys
C:\WINDOWS\System32\drivers\kygtlmwn.sys
C:\WINDOWS\System32\drivers\nqwudb.sys
C:\WINDOWS\System32\drivers\ppho.sys
C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll

:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]


• Then click the Run Fix button at the top.
• Click the OK button.
• The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

• Got the success message for the fixME.reg file.
• OTL appeared to run correctly, but the log did not open after the reboot. I found a log at C:\_OTL\MovedFiles and have attached that.
• MGlogs.zip is attached

#### Attached Files:

• 09282011_201115.log

oops - didn't attach this with the last post

16. ### TimW (MajorGeeks Administrator - Jedi Malware Expert, Staff Member)

It's looking better, but let's try doing this in normal mode:

My Web Search (IWON)

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
After clicking Fix, exit HJT.

Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop; be sure the "Save as type" is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry. If you do not get a success message, it definitely did not work.

Double-click OTL.exe to start the program.

• Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:
:processes
:otl
O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: (no name) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe  "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: My Web Search Service  (MyWebSearchService32) - Unknown owner - C:\Windows\system32\IMJP10K32.exe (file missing)

:files
C:\cotvrcla.txt
C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]


• Then click the Run Fix button at the top.
• Click the OK button.
• The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

I can't uninstall My Web Search. What should I do?

18. ### Kestrel13! (Super Malware Fighter - Major Dilemma, Staff Member)

Try Revo Uninstaller.
Choose the option on the bottom of the list (#4). Be very careful while deleting the bolded registry items ONLY!! This software will create a system restore point for you as well prior to uninstalling a software program.

Revo Uninstaller may have worked. When I first clicked to uninstall, it gave me the same dialog box telling me there was an error. However, it did appear to go through the steps and remove everything. (?) After it was done MyWebSearch was no longer in the list.

analyse.exe seemed to then run fine. fixME.reg got the success message.

OTL got hung up and froze the computer for quite a long time. Tried again after a reboot, same thing. No log was made for it.

getlogs.bat ran and the zipped logs folder is attached.

#### Attached Files:

• MGlogs.zip
Last edited: Sep 30, 2011

sorry - not sure if i uploaded the right file and now it won't let me upload it again

21. ### thisisu (Malware Consultant)

No worries. It's attached in post #19

22. ### Kestrel13! (Super Malware Fighter - Major Dilemma, Staff Member)

All of the below needs to be done in NORMAL mode please, not safe mode, unless you actually cannot use normal mode.

No, but it still shows in the Uninstall a Program listing; I can see them all in the newfiles log. Use Revo again and uninstall any of the below if you see them.

• AVG Free 9.0 <--- Outdated and may hinder our fix in my opinion.
• Java(TM) 6 Update 17 <--- Outdated.
• Java(TM) SE Runtime Environment 6 Update 1 <--- Outdated.
• My Web Search (IWON)
• PC Power Speed 1.0.0.0
• Norton Security Scan
• Inbox Toolbar

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished): (But yours should have already been uninstalled by now)

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• O1 - Hosts: ÿþ127.0.0.1 localhost
• O1 - Hosts: ::1 localhost
• O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
• O2 - BHO: (no name) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
• O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
• O4 - HKLM\..\Run: [cleanddm] C:\Windows\system32\config\systemprofile\AppData\Local\cleanddm.exe
• O4 - HKCU\..\Run: [conhost] C:\Users\kobebryant\AppData\Roaming\Microsoft\conhost.exe
• O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
• O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
• O23 - Service: Thread Ordering Server (THREADORDER32) - Unknown owner - C:\Windows\system32\KBDINKAN32.exe (file missing)
• O23 - Service: Desktop Window Manager Session Manager (UxSms32) - Unknown owner - C:\Windows\system32\msdmo32.exe (file missing)

After clicking Fix, exit HJT.

Now we need to use ComboFix by sUBs

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
Code:
KILLALL::

Driver::
UxSms32

File::
C:\Windows\system32\AUDIOKSE32.dll
C:\WINDOWS\System32\743097211
C:\WINDOWS\System32\temppf.sys
C:\Windows\system32\config\systemprofile\AppData\Local\cleanddm.exe
C:\Users\kobebryant\AppData\Roaming\Microsoft\conhost.exe
C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
C:\Windows\system32\KBDINKAN32.exe
C:\Windows\system32\msdmo32.exe

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"conhost"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"cleanddm"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe

• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
• Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
• Found non-standard or infected MBR.
• Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Now try to run Rootrepeal as well please.

Now try to run OTL as follows:

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

SystemLook

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
Code:
:regfind
2743579992
Ososilowadilaki
• Click the Look button to start the scan.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

• Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
• Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
C:\win32kdiag.exe -f -r

Now we need to scan the system with this special tool.
• Unzip it and put junction.exe in the root folder (C:\junction.exe)
• Now click Start => Run... => Copy and paste the following command in the run box and click OK:
cmd /c junction -s c:\ >C:\log.txt
• A command prompt window opens and also a license agreement from SysInternals will appear.
• Accept the license agreement and the scan will begin.
• Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
• NOTE: It scans your whole hard disk, so it can take a long time. Be patient and don't do anything else while it is scanning.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
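The HijackThis lines in the post above show the persistence patterns that keep this machine reinfecting: autoruns under the SYSTEM account's profile (HKU\S-1-5-18 and \config\systemprofile), a decoy "conhost.exe" living in the user's Roaming folder, a hosts file whose first entry is prefixed by a UTF-16 BOM (the "ÿþ"), and services that borrow the display names of real Windows services (Thread Ordering Server, Desktop Window Manager Session Manager) but with different short names and missing binaries. The Python below is an added example, not part of this thread or of HijackThis/MGtools: a triage pass that flags those patterns. Its sample input reuses the entries quoted above plus one constructed benign line; KNOWN_SERVICES and SYSTEM_BINARIES are small hand-picked tables assumed from Vista/7 defaults and would be extended for real use.

```python
"""
Added example, not part of the thread or of HijackThis/MGtools: triage of
HijackThis-style log lines for the persistence patterns seen in this thread.
SAMPLE_LOG reuses the O1/O2/O4/O23 entries quoted in the post above; the
"Example Updater" line is constructed as a benign control.  KNOWN_SERVICES and
SYSTEM_BINARIES are assumed Vista/7 defaults, deliberately kept short.
"""
import re

# Real Windows service display names -> the short names Windows uses for them.
# A service that copies the display name but has a different short name
# (THREADORDER32, UxSms32) is masquerading.
KNOWN_SERVICES = {
    "thread ordering server": "threadorder",
    "desktop window manager session manager": "uxsms",
}
# Binaries that belong under \Windows; the same name under a user profile is a
# classic decoy (conhost.exe in AppData\Roaming\Microsoft).
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                   "winlogon.exe", "explorer.exe"}
SYSTEM_PROFILE = r"\windows\system32\config\systemprofile"

O1_RE = re.compile(r"^O1 - Hosts: (?P<entry>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)\s+\((?P<short>[^)]*)\) - "
                    r"(?P<owner>.*?) - (?P<path>.*?)(?: \(file missing\))?$")
ORPHAN_RE = re.compile(r"\(file missing\)$|\(no file\)$|File not found$")

SAMPLE_LOG = r"""
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [cleanddm] C:\Windows\system32\config\systemprofile\AppData\Local\cleanddm.exe
O4 - HKCU\..\Run: [conhost] C:\Users\kobebryant\AppData\Roaming\Microsoft\conhost.exe
O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
O4 - HKLM\..\Run: [Example Updater] C:\Program Files\Example\updater.exe
O23 - Service: Thread Ordering Server (THREADORDER32) - Unknown owner - C:\Windows\system32\KBDINKAN32.exe (file missing)
O23 - Service: Desktop Window Manager Session Manager (UxSms32) - Unknown owner - C:\Windows\system32\msdmo32.exe (file missing)
""".strip().splitlines()


def _split_command(cmd):
    """Split 'exe args', honouring a leading quoted path.  Unquoted paths
    containing spaces are ambiguous and get split at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def autorun_flags(cmd, user=None):
    """Reasons an O4 autorun entry is suspicious (a set, possibly empty)."""
    reasons = set()
    low = cmd.lower()
    # Legitimate software does not plant autoruns in the SYSTEM account's
    # profile (HKU\S-1-5-18 / HKU\.DEFAULT, \config\systemprofile).
    if SYSTEM_PROFILE in low or (user or "").upper() == "SYSTEM":
        reasons.add("system-profile-autorun")
    exe, rest = _split_command(cmd)
    base = exe.lower().rsplit("\\", 1)[-1]
    if "\\" in exe and base in SYSTEM_BINARIES and "\\windows\\" not in exe.lower():
        reasons.add("system-name-outside-windows")
    if base == "rundll32.exe":
        dll = _split_command(rest)[0].split(",")[0].lower()
        if "\\users\\" in dll or SYSTEM_PROFILE in dll:
            reasons.add("rundll32-profile-dll")
    return reasons


def triage(lines):
    """Return {line_index: sorted reasons} for every line that trips a rule."""
    out = {}
    for i, line in enumerate(lines):
        reasons = set()
        if ORPHAN_RE.search(line):
            reasons.add("orphan")          # key points at a file that is gone or hidden
        m = O1_RE.match(line)
        if m and any(ord(c) > 127 for c in m.group("entry")):
            reasons.add("hosts-nonascii")  # e.g. a UTF-16 BOM rendered as ÿþ
        m = O4_RE.match(line)
        if m:
            reasons |= autorun_flags(m.group("cmd"), m.group("user"))
        m = O23_RE.match(line)
        if m:
            expected = KNOWN_SERVICES.get(m.group("display").strip().lower())
            if expected and m.group("short").lower() != expected:
                reasons.add("service-masquerade")
        if reasons:
            out[i] = sorted(reasons)
    return out


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_LOG).items():
        print(f"{', '.join(reasons):45} {SAMPLE_LOG[i]}")
```

The "orphan" flag deserves the caveat this thread illustrates: a "(file missing)" entry can be a leftover from an earlier cleanup, but on a machine that reinfects after every reboot it can also mean a rootkit is hiding the file from the scanner, which is why the helpers keep asking for TDSSKiller, MBRCheck and RootRepeal alongside the registry fixes.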

I can enter Normal mode, but it restarts the computer within about 30 seconds. This is one of the initial problems that has not yet been corrected. So, I have to do everything in Safe Mode still.

Revo Uninstaller: I removed every item on your list. For each item, (except MyWebSearch), I got one of the following error messages:
• Windows Installer service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
• Running the application's uninstaller failed. Possible invalid uninstall command
• The Windows Installer service is not accessible in Safe Mode. Please try again . . .
However, it still did go through each of the steps saying the program, registry items and extra files were removed.

HJT: appeared to run successfully

ComboFix: When dragging the CFscript.txt file onto the icon, I again had the problem of the Open With dialog box popping up. I used the .exe fix to correct it again. ComboFix appeared to run successfully as it has before.

TDSS Killer: No threats found

MBR Check: Done

RootRepeal: Upon opening the program, I get this message: FOPS - DeviceIoControlError! Error Code = 0x0000024 Extended Info (0x00000100)

OTL: Scan ran. The two notepad windows did not open.

SystemLook: Ran and Notepad window opened

Java: Downloaded, but could not run. Error: The Windows Installer service is not accessible in Safe Mode.

GetLogs.bat: ran

Win32kDiag: When attempting to run I got this error message: c:\win32kdiag.exe Application not found. I tried to run it by right click, Run as Administrator. It opened and gave a log.

Junction.exe: Same problem as with win32kdiag. I was unable to run this one by right clicking.

I am attaching the logs of every one that you requested, as long as they produced a log.
Thank you for your continued help on this.

#### Attached Files:

• MBRCheck_10.02.11_11.36.34.txt

Remaining logs that I couldn't attach to last message

25. ### TimW (MajorGeeks Administrator - Jedi Malware Expert, Staff Member)

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop; be sure the "Save as type" is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry. If you do not get a success message, it definitely did not work.

Double-click OTL.exe to start the program.

• Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:
:processes
:otl
O2 - BHO: (Reg Error: Value error.) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll File not found
O2 - BHO: (Reg Error: Value error.) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll File not found
O2 - BHO: (MyWebSearch Search Assistant BHO) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL File not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll File not found
O2 - BHO: (mwsBar BHO) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL File not found
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll File not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O3 - HKLM\..\Toolbar: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL File not found
O3 - HKLM\..\Toolbar: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll File not found
O3 - HKLM\..\Toolbar: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll File not found
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll File not found
O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h File not found

:files
C:\ProgramData\58buw8x567u4lj0h5muh1i27tls0vo45a5
C:\ProgramData\nnrkxa3212pn2yo44twiuj27ui6iqwd
C:\ProgramData\l727u6qd31hn2kq7144hchw2vtw41c5d5b4omb
C:\ProgramData\s46818j8p3gi8c5tpls8164006cc2f3ohoum
C:\Users\kobebryant\AppData\Local\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
C:\ProgramData\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
C:\Users\kobebryant\AppData\Local\oxetamew.dll
C:\Users\kobebryant\AppData\Local\ewokukaseg.dll
C:\Users\kobebryant\AppData\Local\oxehosozidohu.dll
C:\Users\kobebryant\AppData\Local\ajotapimo.dll
C:\Users\kobebryant\AppData\Local\ekowanubilil.dll
C:\Users\kobebryant\AppData\Local\Xjufuwaru.dat
C:\Users\kobebryant\AppData\Local\Jqoyifa.bin

:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]


• Then click the Run Fix button at the top.
• Click the OK button.
• The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

got the fixME.reg success message
OTL and GetLogs.bat seemed to run well
Logs attached!

27. ### TimW (MajorGeeks Administrator - Jedi Malware Expert, Staff Member)

Uninstall MBAM, reboot and run CCleaner. Then download a new version of MBAM and run it new.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
After clicking Fix, exit HJT.

Do a search and see if you can find and delete:
C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
:regfind
2743579992
:file
2743579992

Click the Look button to start the scan.

Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop; be sure the "Save as type" is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry. If you do not get a success message, it definitely did not work.

Now re-run OTL and attach that new log.

Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

Then attach the below logs:

* C:\MGlogs.zip

Successful:
• uninstalled MBAM
• ran CCleaner
• ran analyse.exe
• ran SystemLook.exe
• merge fixME.reg (got success message)
• ran GetLogs.bat
All requested logs plus mbam log are attached in this and the next message

Could not find:
• C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
• C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll

#### Attached Files:

• SystemLook.txt

and here's the last log

30. ### TimWMajorGeeks Administrator - Jedi Malware ExpertStaff Member

Much better!!! Your logs are starting to look good.

Go to start / run / and type:
services.msc
When the panel opens, scroll down and find these two services:
My Web Search Service (MyWebSearchService)
My Web Search Service (MyWebSearchService32)
Make sure they are stopped and delete them.

Now let's run Combo one more time:

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

Driver::
wrcqjdf

File::
C:\WINDOWS\System32\drivers\wrcqjdf.sys


* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Note: If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

Now tell me how things are running.

glad to hear we're making some progress!

I found those two items, but couldn't find a way to delete them. Is it because I'm in Safe Mode (can't stay in Normal mode-it restarts), or am I missing something obvious? There is no option in the menu, toolbars or right click menu. Delete key didn't work.

Ran Combofix twice because I noticed the log said overlay aborted. Says it again in second log which is attached!

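The deletion problem above has a simple cause: the services.msc panel can start and stop a service but has no delete command at all, in Normal mode or Safe Mode. The built-in sc.exe tool can both stop and delete a service or driver entry from an elevated prompt, which is what the later OTL :services fix does behind the scenes. The script below is an added example and is not part of TimW's or mbmadiw's posts; it takes only the two service names, the driver name and the driver path quoted in this thread and assumes an elevated PowerShell prompt on the same Windows 7 machine (Safe Mode is fine).

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt (works in Safe Mode).
# The service and driver names and the driver path are the ones quoted in the thread.
$names      = @('MyWebSearchService', 'MyWebSearchService32', 'wrcqjdf')
$driverFile = 'C:\Windows\System32\drivers\wrcqjdf.sys'

foreach ($name in $names) {
    # sc.exe query covers both Win32 services and kernel drivers; exit code 1060 means "does not exist"
    $null = & sc.exe query $name 2>&1
    if ($LASTEXITCODE -eq 1060) {
        Write-Host "$name : not installed, nothing to do"
        continue
    }

    # Stop it first; sc.exe stop returns 1062 if it is already stopped, which is fine
    $null = & sc.exe stop $name 2>&1

    # services.msc has no delete command; sc.exe delete removes the service's registry key
    # (or marks it for deletion until the last open handle closes, i.e. after the next reboot)
    $null = & sc.exe delete $name 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "$name : deleted (or marked for deletion until reboot)"
    } else {
        Write-Host "$name : sc delete failed with code $LASTEXITCODE"
    }
}

# Confirm the driver image itself is gone; OTL's :files section does the same thing
if (Test-Path -LiteralPath $driverFile) {
    Remove-Item -LiteralPath $driverFile -Force -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $driverFile) {
        Write-Host "$driverFile is still present (loaded until reboot?)"
    } else {
        Write-Host "$driverFile removed"
    }
} else {
    Write-Host "$driverFile not present"
}

# Final check: the service keys should no longer exist under the CurrentControlSet
foreach ($name in $names) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $state = if (Test-Path -LiteralPath $key) { 'STILL PRESENT' } else { 'gone' }
    Write-Host ("{0}: {1}" -f $key, $state)
}
```

If a key still shows as present after the delete, that is the "marked for deletion" case: reboot and run the final check again before concluding the entry survived.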
32. ### TimWMajorGeeks Administrator - Jedi Malware ExpertStaff Member

Double-click OTL.exe to start the program.

• Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:
:processes
:otl
:services
wrcqjdf
MyWebSearchService
MyWebSearchService32
:files
C:\WINDOWS\System32\drivers\wrcqjdf.sys
:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]


• Then click the Run Fix button at the top.
• Click the OK button.
• The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

Here are the latest logs! Are we seeing the light at the end of the tunnel?

34. ### TimWMajorGeeks Administrator - Jedi Malware ExpertStaff Member

Some items are still showing in your MGLogs. Did you run it before doing the OTL fix?

Please try to run C:\MGtools\GetLogs.bat file in normal mode. And also run

I am always doing everything in the exact order you tell me to.

I cannot run anything in Normal mode. The computer restarts after getting to the desktop.

I cannot run Root Repeal. Please see the full description of why in my previous posts.

36. ### TimWMajorGeeks Administrator - Jedi Malware ExpertStaff Member

Kaspersky Virus Removal Tool

First we will run a virus scan.

• On the first tab select all elements down to Computer and then select start scan.
• Once it has finished select report and post that.

Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop.

Now an analysis scan

• Select the Manual Disinfection tab
• Press the Gather System Information button
• Once done, still on the Manual Disinfection tab, click the little icon of a file which is the "reports" button. Now click on Manual Disinfection report. You should see an option to save a report here with a little button with an icon of a disk. Attach this log please.
• The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

2nd log is attached
The first log is 65 MB, so I can't attach it. If it helps you know what happened, 34 threats were found.

what's next?

38. ### Kestrel13!Super Malware Fighter - Major DilemmaStaff Member

Then break the log up into two logs or zip it up so that TimW can take a look.

Alrighty then - thought the max upload size was 97 KB, now I see I can do more than that with zipped files.

Anyway, the computer is freezing. It can't handle opening a file of that size. TimW-please see the private message I sent about getting the log to you. Thank you.

40. ### TimWMajorGeeks Administrator - Jedi Malware ExpertStaff Member

Let's try this. Go to start / run and type:
msconfig
When it opens, go to services, check the box to hide all MS services and then disable the rest. Then click on the startup tab and disable all those. Now see if you can stay running in normal mode. Let me know.

I did get your zipped file, nothing was found.

I did the above steps, but am sorry to report that it still restarted as soon as it gets to the desktop in normal mode.

42. ### TimWMajorGeeks Administrator - Jedi Malware ExpertStaff Member

Your issues are not malware related. We still have adware crap to remove, but it is not the reason for normal mode not working. I suggest you start a thread in the software forum to address that issue.

In the meantime, we can try to finish cleaning house.

Use add/remove programs to try to uninstall:
Crawler Toolbar
FrostWire 4.21.3
Java(TM) SE Runtime Environment 6 Update 1
My Web Search (IWON)

You can try using Revo Uninstaller to remove those programs.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
After clicking Fix, exit HJT.

Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry. If you do not get a success message, it definitely did not work.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the area. Do not include the word Code.

Code:
:Processes
explorer.exe

:Services
MyWebSearchService
MyWebSearchService32

:Files
C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
C:\PROGRAM FILES\MYWEBSEARCH

:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
"MyWebSearch Email Plugin"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"2743579992"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{007358C5-5BD1-43F6-91B1-87217EF02ECa}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0082DFEF-84A7-4A49-84F7-E96D8292CFDb}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

:Commands
[purity]
[ResetHosts]
[createrestorepoint]
[emptytemp]
[start explorer]
[Reboot]
• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• Copy everything in the Results window (under the green bar), and paste it in your next reply.

Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved, named by date and time in the form mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

Java Runtime 7