Laptop is in trouble

BrattyAndrea · Feb 11, 2011

Here are the requested logs except for root repeal as I could not get it to run. I had errors with it. All of these were run in safe mode, as my laptop locks up in normal mode. Also when I try to run in normal mode, it hangs with a black screen for a long amount of time. When it finally loads it takes only about 5 0r 10 minutes and it locks up if I try to do anything. Any help would be greatly apprieciated as I am at a loss with it. Thanks!

Kestrel13! · Feb 11, 2011

You did not attach the correct log from running MGTools. You need to attach the C:\MGLogs.zip.

BrattyAndrea · Feb 11, 2011

Thank you for responding. I looked for C:\MGLogs.zip and couldnt find it. LOL I found it this morning, guess I was tired or irritated with computer last night. Below is the attached file you have asked for. Sorry for the delay.

Kestrel13! · Feb 11, 2011

Ask Toolbar <--- Uninstall this.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\sched.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

After clicking Fix exit HJT.

Now we need to use ComboFix

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.

If ComboFix tells you it needs to update to a new version, make sure you allow it to update.

Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
Code:
KILLALL::

Folder::
c:\program files\STOPzilla!
c:\program files\Common Files\iS3
c:\programdata\STOPzilla!
C:\Users\Andrea\AppData\Roaming\AVG
C:\ProgramData\AVG10
C:\ProgramData\Avira
C:\Users\Andrea\AppData\Roaming\AVG10
C:\Program Files\AVG
C:\Program Files\Avira
c:\program files\Viewpoint
c:\program files\COMODO
File::
c:\windows\system32\config\systemprofile\AppData\Local\ucunaduq.dll
c:\windows\system32\config\systemprofile\AppData\Local\Dvirecazuwipi.bin
c:\users\Andrea\AppData\Roaming\Microsoft\Windows\Templates\IS360Setup.exe
c:\program files\1123201012375046.bat
c:\program files\1122201016552394.bat
C:\Users\Andrea\AppData\Roaming\Microsoft\Windows\Templates\58G3tyIDc
C:\Users\Andrea\AppData\Roaming\Microsoft\Windows\Templates\avg
Driver::
Viewpoint Manager Service
Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AD1432A0-D226-4C72-9AF7-39838046095E}]
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cc,cc,83,46,54,67,5c,40,9a,9b,0e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cc,cc,83,46,54,67,5c,40,9a,9b,0e,\

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet011\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet011\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet011\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Please also download MBRCheck to your desktop

Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)

It will show a Black screen with some data on it

Right click on the screen and select > Select All

Press Control+C

Open a notepad and press Control+V

now please ATTACH that report to this thread

Now in normal mode please! run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

BrattyAndrea · Feb 11, 2011

Thank you for responding. I am running in safe mode so do I still need to disable anti virus or anti spyware? I tried to uninstall the thing you asked me too and I get this error...

"the windows installer service could not be accessed. this can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

will wait for your response before I do what else was asked of me Thanks

Kestrel13! · Feb 11, 2011

You need not worry about uninstalling the ask toolbar yet, wait a while. Just run my fix in safe mode and just disable protection software if necessary.

BrattyAndrea · Feb 11, 2011

ok combo fix is telling my avast is still running...how do i disable in safe mode? sorry im not that smart lol

Kestrel13! · Feb 11, 2011

Just go ahead and run Combofix despite the warning.

BrattyAndrea · Feb 11, 2011

ok thanks I am doing it now

BrattyAndrea · Feb 11, 2011

I am still waiting on combofix which i had to run in safe mode...it went through then said combo fix was rebooting my laptop...now its trying to run in normal mode..windows has not loaded and i have a black screen with nothing except the blue combofix box that popped up that just says please wait. it has been on this for quite some time.. is this normal?

Kestrel13! · Feb 11, 2011

Reboot the machine and continue with the rest of my instructions. Then attach the requested logs. I am due in at work in 20 mins.

BrattyAndrea · Feb 11, 2011

here is the MBRcheck attachment i will try to do last step in normal mode, altho i dont think its gonna work

BrattyAndrea · Feb 11, 2011

ok here is the last log you asked for. I did get laptop to finally load up normal and get the scan for you, but it is still very slow loading up.

TimW · Feb 11, 2011

Please use add/remove programs to uninstall:
ThreatFire
Ask Toolbar

Now use windows explorer to find and delete:
C:\Windows\System32\drivers\avgntflt.sys
C:\Program Files\AVG
C:\Users\Andrea\AppData\Roaming\Microsoft\Windows\Templates\AVG
C:\Users\Andrea\AppData\Roaming\AVG
C:\Users\Andrea\AppData\Roaming\AVG10

You may wish to use:
Startup_CPL

If you have any questions about what to disable, post in the software forum.

What malware issues are you still having?

BrattyAndrea · Feb 11, 2011

will do the things you have asked..im not sure i still have a malware problem. My laptop is very slow loading windows and it tells me my system restore has been turned off my group policy which i did not turn off...i wanted to put the laptop back in the state it was purchased in, but the repair my computer option does not work either. Also the laptop locks up quite often. So I am not sure what is the problem. Thank you for the help

TimW · Feb 11, 2011

You should post in the software forum for those issues. It's beyond the scope of the malware forum. Do you have your installation disc?

BrattyAndrea · Feb 11, 2011

yes i have the disks, i just dont have them with me as i am in the process of moving and they are in storage in a different state. So when I finish doing the things you have asked, do i need to turn UAC back on and run that defogger thing or?

TimW · Feb 11, 2011

I will give you the final instructions below. Once you catch up with your disc, I would suggest you try doing a repair install.

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.We recommend them for doing backup scans when you suspect a malware infection.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /uninstall

Notes: The space between the combofix" and the /uninstall, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

If you are running Win 7, Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning procedures pointed to by step 7 of the READ ME
for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0

Help Support MajorGeeks
Buy Discounted Software @ Majorgeeks Store. Giveaways Too!

Majorgeeks Geek Wear. Hats, T-Shirts, Hoodies

MajorGeeks on FaceBook

BrattyAndrea · Feb 11, 2011

ok thank you both for all your help. So am I safe to use it when I finish the rest of the process?

TimW · Feb 11, 2011

As far as malware is concerned, yes.

And on behalf of Kes and myself, you are very welcome. Do post in the software forum for any further questions.

BrattyAndrea · Feb 11, 2011

sorry to bother you again..i can not find this file MGclean.bat to do the clean up:confused

TimW · Feb 12, 2011

It should be here:
C:\MGtools\MGclean.bat

If it is missing from that folder, you can download a new copy of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Run the exe and you should then have a new MGTools folder.

Log in or Sign up

Laptop is in trouble

BrattyAndrea Private E-2

Attached Files:

SUPERAntiSpyware Scan Log - 02-10-2011 - 18-20-07.log

mbam-log-2011-02-10 (18-58-05).txt

combofix.txt

MGtoolsLogs.txt

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

BrattyAndrea Private E-2

Attached Files:

MGlogs.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

BrattyAndrea Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

BrattyAndrea Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

BrattyAndrea Private E-2

BrattyAndrea Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

BrattyAndrea Private E-2

Attached Files:

MBRCheck_02.11.11_10.41.34.txt

BrattyAndrea Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

BrattyAndrea Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

BrattyAndrea Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

BrattyAndrea Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

BrattyAndrea Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Laptop is in trouble

BrattyAndrea Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

BrattyAndrea Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

BrattyAndrea Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

BrattyAndrea Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

BrattyAndrea Private E-2

BrattyAndrea Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

BrattyAndrea Private E-2

Attached Files:

BrattyAndrea Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

BrattyAndrea Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

BrattyAndrea Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

BrattyAndrea Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

BrattyAndrea Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Useful Searches