Applications Accessing Internet Freeze Up

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mmeyer, Jul 7, 2009.

  1. Mmeyer

    Mmeyer Private E-2

    Hi all -

    Problem:

    Any application that needs to access the internet periodically freezes up and then my entire system freezes, forcing me to manually reboot the computer by turning it on and off. This affects all apps accessing the internet (not just browsers), like iTunes, Firefox, etc.


    What I have done:

    I have run all the apps you asked prior to writing. I am including the logs, with the exception of combofix.exe log as I had to run each of the apps in safe-mode (with networking) because they would freeze up when I tried to run in normal mode. Combofix reboots to normal mode and then freezes up so I couldn't get the log.

    I should note that I have used this site before, and so had a version of SuperAntiSpyware which I ran before coming here, and did find infected files. I include this log as SAS1.log. After realizing I still had problems I came to the site and re-ran everything following your instructions. So, I also include the full SuperAntiSpyware log as SAS2.log ... you will note it shows no infections because after running it the first time I chose to fix the problems.
     

    Attached Files:

  2. Mmeyer

    Mmeyer Private E-2

    Applications Accessing Internet Freeze Up ... Post2

    ... Here is the last log I got from running root-repeal.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Luckily, the scans took care of most of it.

    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation, especially when you start saving large files here like you are doing. This is a prime example:

    C:\Documents and Settings\Mike\Desktop\AntiVirus2009 ---> Delete this!

    What is this:
    C:\BLP

    You did not attach a log from running ComboFix.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. Mmeyer

    Mmeyer Private E-2

    Hi - Thanks for getting back to me.
    To answer your questions / deal with your suggestions:
    1) I moved the "antivirus2009" folder to my hard drive and moved a few of the apps off of the desktop.
    2) BLP is a folder containing an application for my work.
    3) I downloaded avenger, but I am unable to run it in either normal mode OR safe mode. The command window appears and I get a message in the window stating "program too big to fit in memory" which seems rather odd since the app isn't even a MB in size.
    4) HOWEVER, I have noticed that since I first posted this things have gotten significantly worse. Periodically ANY app running on my machine will freeze up, now, and I will have to reboot the machine manually (with or without internet connections turned on). It is as though the malware is devouring all the memory on my machine.
    5) I was able to run Mgtools in safe-mode, so I am attaching the log. I should note that when running MGtools I receive a popup error (which I ignored) stating "NTVDM has encountered System error"
    6) The problem with combofix.exe was that I had to run it in safe mode to make it work (it was freezing up in normal mode), but combofix would ask for a re-boot to finish the cleaning job and it would reboot to normal mode and freeze up. So I couldn't get the log.

    Please let me know what to do as the machine is fast becoming completely unusable.

    Thanks again for the help.
     

    Attached Files:

  5. Mmeyer

    Mmeyer Private E-2

    OK -- I somehow got avenger to run without the error I mentioned. I got a log and saved it before my machine froze up again. Posting it here.....
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I didn't tell you to move it! Read my last post, I told you to delete it. It is the main cause of your problems.
    The main cause of that issue is you did not download it to where you were told to download it to:
    C:\ComboFix
    Move it to your desktop:
    C:\Documents and Settings\Mike\Desktop\ComboFix

    Your avenger log is empty.

    Now once you have put Combo where it belongs:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\system32\jubijezo
    C:\WINDOWS\system32\juhumuyo.dll  
    C:\program Files\Manson\liser.exe
    C:\Documents and Settings\All Users\Application Data\15222964      
    C:\Documents and Settings\All Users\Application Data\95232956 
    
    Folder::
    C:\Documents and Settings\Mike\Desktop\AntiVirus2009
    C:\WINDOWS\system32\jubijezo
    C:\Documents and Settings\All Users\Application Data\15222964      
    C:\Documents and Settings\All Users\Application Data\95232956 
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "kell"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now clean out these folders!
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Mike\Local Settings\temp\

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  7. Mmeyer

    Mmeyer Private E-2

    Antivirus2009 was a folder I created to store logs and setup apps for the stuff from this website. Regardless, I deleted it.

    I downloaded combo-fix (true, first to my C drive but thought I had moved it to the desktop) .... regardless, when I restarted my PC, McAfee came back online, told me combofix.exe was a virus and killed it.

    So, I came back to this site to re-download it and am getting a 404 error when I attempt to access the link you guys have for it:
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Is there another place to download combofix?
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That was a poor choice of naming....as antivirus2009 is a rogue program that infects systems. You can restore it if you like. Just take the line out of my combo fix.

    You need to disable McAfee when you download and run Combo.
    The link you just posted does work.

    Maybe we should first try an online scan if you can't get combo to download.
    Using BitDefender Online Scan.
     
  9. Mmeyer

    Mmeyer Private E-2

    I got Combo to load off of a different site. I have both sets of logs attached, here, though MGtools only worked in safe mode and only worked when I ran the .exe, not the bat file. At any rate, here they are.
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What happened when you ran Combo? Look at the log you attached...was there an error message, or did anything happen when it tried to reboot the system?

    You need to use windows explorer and find and delete these:
    C:\WINDOWS\Tasks\at1.job
    C:\WINDOWS\Tasks\at10.job
    C:\WINDOWS\Tasks\at11.job
    C:\WINDOWS\Tasks\at12.job
    C:\WINDOWS\Tasks\at13.job
    C:\WINDOWS\Tasks\at14.job
    C:\WINDOWS\Tasks\at15.job
    C:\WINDOWS\Tasks\at16.job
    C:\WINDOWS\Tasks\at17.job
    C:\WINDOWS\Tasks\at18.job
    C:\WINDOWS\Tasks\at19.job
    C:\WINDOWS\Tasks\at2.job
    C:\WINDOWS\Tasks\at20.job
    C:\WINDOWS\Tasks\at21.job
    C:\WINDOWS\Tasks\at22.job
    C:\WINDOWS\Tasks\at23.job
    C:\WINDOWS\Tasks\at24.job
    C:\WINDOWS\Tasks\at25.job
    C:\WINDOWS\Tasks\at26.job
    C:\WINDOWS\Tasks\at27.job
    C:\WINDOWS\Tasks\at28.job
    C:\WINDOWS\Tasks\at29.job
    C:\WINDOWS\Tasks\at3.job
    C:\WINDOWS\Tasks\at30.job
    C:\WINDOWS\Tasks\at31.job
    C:\WINDOWS\Tasks\at32.job
    C:\WINDOWS\Tasks\at33.job
    C:\WINDOWS\Tasks\at34.job
    C:\WINDOWS\Tasks\at35.job
    C:\WINDOWS\Tasks\at36.job
    C:\WINDOWS\Tasks\at37.job
    C:\WINDOWS\Tasks\at38.job
    C:\WINDOWS\Tasks\at39.job
    C:\WINDOWS\Tasks\at4.job
    C:\WINDOWS\Tasks\at40.job
    C:\WINDOWS\Tasks\at41.job
    C:\WINDOWS\Tasks\at42.job
    C:\WINDOWS\Tasks\at43.job
    C:\WINDOWS\Tasks\at44.job
    C:\WINDOWS\Tasks\at45.job
    C:\WINDOWS\Tasks\at46.job
    C:\WINDOWS\Tasks\at47.job
    C:\WINDOWS\Tasks\at48.job
    C:\WINDOWS\Tasks\at5.job
    C:\WINDOWS\Tasks\at6.job
    C:\WINDOWS\Tasks\at7.job
    C:\WINDOWS\Tasks\at8.job
    C:\WINDOWS\Tasks\at9.job
    C:\WINDOWS\Temp\$$$dq3e
    C:\WINDOWS\Temp\$$yt7.$$
    C:\WINDOWS\Temp\$67we.$

    See if you can run Combo again and get a full log.....then re-run MGTools.exe and get me both of those logs.

    Did you not try doing the BitDefender online scan?
     
  11. Mmeyer

    Mmeyer Private E-2

    Hi,
    I did run bit-defender (on-line version). It froze up about 15% of the way into the file-scan process. I rebooted into safe-mode with network access and attempted to run it again, with the same result.

    I noticed three other things as well:
    1) I am getting a message in my task-bar from what looks to be a McAfee-like icon telling me I may not be fully protected and to "click on the balloon" to see, but I have not done this. When I check McAfee protection status (from within the McAfee Security Center) it says I am fully protected.

    2) Combofix is no longer on my machine and I am still unable to download it from the website you have posted, nor from the other site I got it last time. Again, I get a 404 error when I attempt to go to the page in either normal mode or safe mode.

    3) With regards to (2), above, the files and folders you have in the script are no longer on my machine (at least not visible in explorer or from the command prompt in DOS in safe mode).

    I deleted the *.job files you mentioned, above, and I deleted the $$ files as well.

    I am enclosing the MGTools.zip file, but, as mentioned I am unable to run Combofix. This recent set of incidents is the first time I've had problems downloading/running combofix.

    Please let me know your thoughts, and thanks again.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    GMER's MBR.exe

    • Double click on the MBR.exe file to run it.
    • A log will be produced & saved to the desktop, called MBR.log.
    • Attach this log to your next message.


    Now delete the current mbr.log file and then run the below instructions.
    Click Start > Run and copy & paste the following text in the code box into the Run box and then click OK. You must copy and paste or type in this exactly. The quotes must be exactly as shown and there is a space before the -f
    Code:
    
         "%userprofile%\desktop\mbr.exe" -f
    
    Now double click on the mbr.exe file and attach the new mbr.log
     
  13. Mmeyer

    Mmeyer Private E-2

    Hey -
    Since I am using Firefox, it had me first download MBR.EXE which I put on the desktop. (Presumably this is okay; if not, let me know and I'll try to run it from the site directly).
    I double clicked it, produced the log, and renamed it as MBR0.log.

    I then went to Start / Run / and typed in the string you gave me. It automatically ran MBR.EXE again, and produced a log. I renamed this log MBR1.log, for the sake of continuity.

    I have attached both logs below.
     

    Attached Files:

  14. Mmeyer

    Mmeyer Private E-2

    Hi -- Not bumping! Just wanted to add some extra information if you are formulating a means by which to uninfect my machine.

    I noticed in the MBR logs that it found some hooks which could be deleted using "Fixmbr" in the recovery console. It seems I have recovery console loaded on my PC, but when I attempt to access it I get a blue screen. I ran CHKDSK /F and it found no corruption of my harddrive.

    Is this the only means to "fix" the the MBR problem; do I actually have an MBR problem based on the logs?

    Please help!
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes. I suspect you do. The other method to access the recovery console is by booting to your OS disc. Enter the recovery console that way and just type in fixmbr and hit enter. Then type exit to reboot your system.

    Then re-run MBR.exe and attach both that log and a new MGLogs.zip.
     
  16. Mmeyer

    Mmeyer Private E-2

    Hey thanks for getting back to me!

    Ok, I was able to access the recovery console by changing the boot order so that I booted from my OS CD.

    I ran fixmbr in the recovery console. It told me I had a non-standard mbr and that this might cause problems, but I ran it anyway.

    I'm attaching 3 sets of logs:
    1) MBR3.LOG = the first MBR run you had me do
    2) MBR4.LOG = 2nd MBR run after entering the command string you gave me
    3) MGLogs.ZIP

    I noticed an odd message, again, in the MBR logs:

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x012A0123B
    malicious code @ sector 0x012A0123E !
    PE file found in sector at 0x012A01254 !

    So, doesn't look like this took care of everything ...

    But ....
    I will note that this is the first time I have been able to run MGLogs outside of safemode. The machine did not freeze up this time. Also, I have not had to reboot my machine due to freeze-up in the last 20 minutes, which, recently, is a new record. Hopefully this fixed it.

    Anyway, please let me know, and thanks, again!
     

    Attached Files:
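The seven MBR.exe lines quoted in the post above can be triaged mechanically. The following Python is an added example, not code from the thread or from GMER; it parses those lines (embedded here as a constructed sample copied from the post) and applies the distinction the helper draws: a consistent user/kernel MBR with flagged sectors beyond it is something to review, not an automatic infection verdict.

```python
import re

# Constructed sample: the seven lines quoted in post #16, as MBR.exe prints them.
SAMPLE_LOG = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A0123B
malicious code @ sector 0x012A0123E !
PE file found in sector at 0x012A01254 !
"""

# Hex sector numbers as the tool prints them ("sector 0x..." or "sector at 0x...").
SECTOR_RE = re.compile(r"0x([0-9A-Fa-f]+)")


def parse_mbr_log(text):
    """Summarise an MBR.exe log into a dict for triage.

    mbr_ok          -> the tool reported identical MBR reads from user and kernel mode
    mbr_copy_sector -> sector where a backup copy of the MBR was found, if any
    findings        -> (message, sector) for every line the tool marked with '!'
    """
    summary = {"mbr_ok": False, "mbr_copy_sector": None, "findings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sectors = [int(h, 16) for h in SECTOR_RE.findall(line)]
        if line == "user & kernel MBR OK":
            summary["mbr_ok"] = True
        elif line.startswith("copy of MBR has been found") and sectors:
            summary["mbr_copy_sector"] = sectors[0]
        elif line.endswith("!"):
            # Flagged lines, e.g. "malicious code @ sector ... !" and "PE file found ... !"
            summary["findings"].append((line.rstrip(" !"), sectors[0] if sectors else None))
    return summary


def offsets_from_mbr_copy(summary):
    """Distance (in sectors) of each flagged sector from the saved MBR copy.

    Small offsets mean the flagged data sits right next to the backup copy,
    which is worth noting when deciding whether the report is a false positive.
    """
    base = summary["mbr_copy_sector"]
    if base is None:
        return []
    return [sec - base for _, sec in summary["findings"] if sec is not None]


def triage(summary):
    """Verdict a helper would give from the summary alone.

    'inconsistent' : no "user & kernel MBR OK" line (disagreeing reads, or a truncated log)
    'review'       : MBR reads agree but other sectors were flagged; a human decides
    'clean'        : nothing flagged
    """
    if not summary["mbr_ok"]:
        return "inconsistent"
    if summary["findings"]:
        return "review"
    return "clean"
```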

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is our opinion that this is a false positive being reported by GMER. Your logs are clean. Let me know what other issues you may still have.

    In the meantime.....If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  18. Mmeyer

    Mmeyer Private E-2

    Will do, and thank you very much for the help.
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome....safe surfing. :)
     
