Unexplained reboots and programme not responding.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Elph, Jul 29, 2006.

  1. Elph

    Elph Private E-2

    Hi there,
    It's the first I've posted on a forum for this kind of thing so please bear with me.

    After extracting an exe from an unverified source my antivirus and firewall were both disabled and I received messages informing me that I had been infested with spyware.

    I have followed the instructions from the 'read & run me before asking support' thread.

    Initially I could not run ad-aware because after detecting 2 objects I would receive a winlogon.exe error and my computer would reboot. That is now sorted and the anti virus and anti spyware scanners now show nothing. Despite this my computer is still really slow, taking about 30 mins after boot for all the icons in system tray to finally show, I receive constant programme not responding errors and am getting a lot of unexplained reboots.

    Hopefully someone can help with this.
    BDscan, active scan and hijack logs are attached.

    Thanks in advance.
     

    Attached Files:

  2. Elph

    Elph Private E-2

    I've now started having many problems with a particular dll - msvcr80.dll. I receive error messages for msascui.exe and msnmsgr.exe both missing an entry point in the above dll.

    I'm really at a loss here. Help please :confused:
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  4. Elph

    Elph Private E-2

    Thanks for the response Puter Dude,

    I followed the directions as stated. The only listed file I could find was CFGMGR32.dll. After initially completing the process I lost my internet connection, so I booted back into safe and followed the process again. I now have my connection back but it is very slow.

    Upon boot I receive IType.exe error msg stating the above dll. could not be found. Also I get a msg saying I'm missing my ATI driver. I still receive the MSACui.exe and MSNMSGR.exe error msgs missing entry point in MSVCR80.dll as stated in previous post.

    smitfiles log is attached.

    Thanks
     

    Attached Files:

    Last edited: Jul 30, 2006
  5. Elph

    Elph Private E-2

    My apologies, please ignore the last post.

    The file CFGMR32.dll which I deleted was not the correct file. The actual file should have been CFGMNR32.dll.:eek:

    After restoring the wrongly deleted dll. my connection, and IType.exe are okay. Though this means none of the files listed in the directions were present to be deleted.

    Still left with MSACui.exe and MSNMSGR.exe errors.

    Sorry for the mistake.
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  7. Elph

    Elph Private E-2

    Thanks Puter Dude,

    Please find the attached files
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Start by downloading two tools we will need

    - Process Explorer
    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    Note: Some of the below processes may not be running on your system. In that case just skip the process and continue to the next process.

    In the top section of the Process Explorer screen double click on smss.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of geebb.dll once and then click the kill button. After you have killed all of the geebb.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on winlogon.exe and again click once on each instance of geebb.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of geebb.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of geebb.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on rundll32.exe and again click once on each instance of geebb.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on wrssdk.exe and again click once on each instance of geebb.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\geebb.dll
    C:\WINDOWS\system32\bbeeg.bak1
    C:\WINDOWS\system32\bbeeg.bak2
    C:\WINDOWS\system32\bbeeg.ini
    C:\WINDOWS\system32\bbeeg.ini2
    C:\WINDOWS\system32\bbeeg.tmp
    C:\Program Files\Common Files\{38EB1850-0965-2057-0705-05030429002c}\Update.exe
    C:\WINDOWS\Setup1.exe
    C:\WINDOWS\_MSRSTRT.EXE
    C:\WINDOWS\system32\dsmux.exe
    C:\WINDOWS\system32\wnscpsv.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
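
The cleanup steps in the post above can be verified afterwards with a read-only check. This is an added example, not part of the original post and not a MajorGeeks tool; it assumes PowerShell 3.0 or later run as administrator, and the variable names are illustrative. The file paths and the DLL name are copied from the post.

```powershell
# Added example: read-only verification of the cleanup described in the post.
# Paths and DLL name come from the post; nothing is deleted or modified.
$targets = @(
    'C:\WINDOWS\system32\geebb.dll',
    'C:\WINDOWS\system32\bbeeg.bak1',
    'C:\WINDOWS\system32\bbeeg.bak2',
    'C:\WINDOWS\system32\bbeeg.ini',
    'C:\WINDOWS\system32\bbeeg.ini2',
    'C:\WINDOWS\system32\bbeeg.tmp',
    'C:\Program Files\Common Files\{38EB1850-0965-2057-0705-05030429002c}\Update.exe',
    'C:\WINDOWS\Setup1.exe',
    'C:\WINDOWS\_MSRSTRT.EXE',
    'C:\WINDOWS\system32\dsmux.exe',
    'C:\WINDOWS\system32\wnscpsv.exe'
)

# 1. Which listed files still exist on disk?
$present = @($targets | Where-Object { Test-Path -LiteralPath $_ })

# 2. Which processes still have geebb.dll loaded (the Process Explorer step)?
$loaded = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq 'geebb.dll' }) {
            [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id }
        }
    } catch {
        # Some system processes refuse module enumeration; skip them.
    }
}

# 3. Which present files are queued for delete-on-reboot?
#    Delete on Reboot is recorded in PendingFileRenameOperations (REG_MULTI_SZ),
#    where each path carries a \??\ prefix.
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
$entries = @($pending | Where-Object { $_ } |
             ForEach-Object { $_ -replace '^\\\?\?\\', '' })
$queued  = @($present | Where-Object { $entries -contains $_ })

"Present on disk     : $($present.Count) of $($targets.Count)"
$present | ForEach-Object { "  $_" }
"Queued for deletion : $($queued.Count)"
"Processes with geebb.dll loaded:"
$loaded | Format-Table -AutoSize
```

Before the reboot, a listed file that is present should also appear as queued; after the reboot, any file still present or any process still holding geebb.dll means the removal did not take.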
     
  9. Elph

    Elph Private E-2

    Hello again Shadow,

    Thank you for your continued help.

    I followed the instructions, though was unable to locate iexplore.exe in process explorer. The rest was followed to the letter except for one or two missing values in the HJT fix. However, it unfortunately seems to little effect. My computer is still relatively slow, I receive the MSACui.exe and MSNMSGR.exe errors missing entry point in MSVCR80.dll and during the first attempt at writing this reply my computer rebooted.

    The new HJT log is attached.

    Once again, thank you for your continuing efforts to help. From the amount of fresh posts I see from you each morning I can tell that you are obviously a very busy man. Thank you, it is muchly appreciated.
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Delete c:\program files\Windows Defender\MSASCui.exe.manifest

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    REBOOT.

    What do you get for error messages now?
     
  11. Elph

    Elph Private E-2

    Good morning once again Shadow.

    I deleted the manifest file from windows defender as stated and fixed the entry in HJT.

    I still receive the MSNMSGR.exe error and though the MSACui.exe has now stopped it is replaced with a Windows Defender failed to initialise error: 0x800106ba. Also my computer is still painfully slow on boot.

    Thanks bud
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Search for a manifest file for msnmsgr.exe; if found delete it.

    Update Windows Defender, still get the error message?

    Post a fresh HijackThis log.
     
  13. Elph

    Elph Private E-2

    Okay Shadow, I deleted the MSNMSGR.exe.manifest file and now messenger is working fine with no error msgs at startup. What are manifest files by the way? I've noticed quite a number of them on my system.

    With regard to Windows defender, I am unable to update because I cannot access the programme - I receive the same error msg listed above.

    Computer is still slow and rebooting a lot more often than I would like.

    HJT log is attached

    Thanks again
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Manifest files are used by Microsoft Speech Server (MSS) to identify:
    The Start page to load for an application. This information is used by Speech Application Deployment Service (SADS), which manages application deployment for MSS.
    Application resources to preload and cache, for improved performance. This information is used by Speech Engine Services (SES), to ensure that large resources are fetched and loaded into available engines before they are required by the user.

    Since Windows Defender isn't functioning properly at this time uninstall it. You also have SpySweeper and Ewido installed. All of these applications are going to slow your system somewhat for each application as they provided real-time protection. With all of them providing real-time protection, in addition to Norton, you are going to experience performance issues. Uninstall Ewido, leave SpySweeper installed.

    What does that do for boot times?
     
  15. Elph

    Elph Private E-2

    Thanks Shadow,

    I was considering uninstalling Defender, following your advice I now have. Should I reinstall? Hopefully that will fix the problem, I'll wait for your recommendation.

    With regard to SpySweeper... I don't have it on my system anymore. I installed and ran it in an attempt to pick something up not found by the other scans prior to posting on the forum. So out of those two, it's just Ewido I have. I'll leave that on there.

    Boot times seem to have improved ever so slightly, but in all honesty my main concern is the reboots. They are still occurring, and for seemingly no reason.

    Thanks again
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Reinstalling Windows Defender may fix the problem or maybe it won't. Never hurts to try.

    What, if any, error messages do you receive when the system reboots?
     
  17. Elph

    Elph Private E-2

    No error messages I'm afraid Shadow. Just the reboots. It's getting really annoying actually, seems to always happen when I'm trying to install software and it waits until installation is very close to completion then off, then on again. grrrr

    Not much information to go on I know. Hopefully you'll have a suggestion.

    Thanks
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Right-click on My Computer
    Select Properties
    Click on the Advanced Tab
    Under Startup and Recovery, click the Settings button
    Startup and Recovery dialog will open.
    Under System failure, uncheck Automatically restart
    Click OK
    Click Apply
    Click OK

    The next time the computer restarts, you should get the infamous BSOD. I need to know what that error message is word for word.
     
  19. Elph

    Elph Private E-2

    And the blue screen of death says:

    Stop: 0x0000008E (0xC000000S, 0xEFSCDB4A, 0xEE00B9EC, 0x00000000)

    any ideas?

    Thanks matey
     
  20. Elph

    Elph Private E-2

    And another:

    Stop: 0x0000008E (0x0000005 0xEF5E3B4A 0xEDEC19EC 0x00000000)
    (by the way, in the above post the first 2 strings of numbers in the brackets contain the letter 'S' - they should be 5's, sorry can't read my own writing)

    Haven't had a spontaneous reboot over this past day, the above two stop errors occurred while trying to install software.

    Thanks
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It's a hardware related error message. You either have a bad RAM module, or a driver is corrupt. Test your RAM with Memtest86+. Reinstall your Video Drivers.
     
  22. Elph

    Elph Private E-2

    Hi Shadow,

    I reinstalled my video drivers but I still get a stop error when trying to install this new software. I have run memtest and though I do not know how to interpret the results, it does identify a number of problems. Is it worth me posting for help in the hardware forum, or is corrupted memory only fixed by replacing it?

    Thanks
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If Memtest identified problems with your RAM, then you will have to replace the faulty RAM module.
     
  24. Elph

    Elph Private E-2

    The thing is, it identified almost 1000 errors. Does this mean I'm really screwed?

    It's strange that it's a hardware fault causing my problems because they only started occurring after the malware incident. Could the malware have caused the corruption? Or do you think this is most likely a separate issue to the malware that has just been lurking around. Truth be told, I haven't had a random reboot for a couple of days, so perhaps they were caused by the malware and now is solved. Either way, unless there's a temporary solution to the corrupted ram I guess it's buying new memory for me.

    Thanks for all your help over the past week Shadow. You certainly are the 'dude'.
     
  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It's a bad RAM module, the Malware problem is a separate issue; and revealed a hardware problem in the process.
     
