trouble with Vista desktop PC

Discussion in 'Malware Help (A Specialist Will Reply)' started by mudbucket, Jan 24, 2012.

  1. mudbucket

    mudbucket Private E-2

    I have a desktop PC running Vista SP2, that is used by up to 6 family members. Recent problems include: trouble printing wirelessly. Network sharing/issues with W7 laptop. Windows Security Center was disabled. Firewall was on, but Defender was off and not accessible. Avira AntiVir program could not be used properly. System restore was off - there were no restore points. Trouble with internet access, browsers and some other applications would not run. Slow startup/shutdown. Sometimes pulling the plug was the only way to shutdown.

    I have followed the Read and Run Me First steps. I could not update Java in Safe Mode. I have followed the Vista malware removal threads and I have attached the logs. (Thanks chaslang!) Because of the problems, I did everything in Safe Mode. Although Superantispyware removed 76 files, I did not get a log. With Malwarebytes I got an internal error: "failed to expand shell folder userappdata." Not completed. Rolling back changes. I did get through the Combofix scan successfully, despite a warning about the AntiVir program running, but I can't disable the AV!! - I attached the log. The Root Repeal was not responding. I turned the Windows firewall off (oops) and tried again - not responding. I ran MGtools and attached the log.

    When I restarted the PC it was very slow. I logged on as user:administrator there was no desktop, nothing - just a beautiful blue screen! Using Ctrl-Alt-Del and restarting in Safe Mode w/networking got me back to this point. Please let me know what you think. Thanks!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need you to run the procedure in normal boot mode unless that is impossible. While better than nothing, logs from safe mode do not give us the information we need.

    Also each user account may need to be cleaned if there are really infections present. You need to start with one user account and ALL scans/logs for that user account need to be provided. If other accounts are infected, they would have to be changed to be admin type accounts while cleaning and then changed back to restricted user accounts once deemed clean.

    I see from your safe mode logs, that the Burtis account was used so that is what we will start with. Can you get me at least a log from MGtools run in normal boot mode?
     
  3. mudbucket

    mudbucket Private E-2

    Yes. I attached the log from Normal boot mode, Burtis (Admin).
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thus far I'm not seeing any malware issues. I do see that you seem to have issues with your Windows Environment Variable settings. You are missing at least one normal setting named AppData and this could cause many issues. This is not a malware problem but more of a Windows problem.

    Let's see if we can collect some additional info and possibly fix this setting.

    Please download Env.bat and save it to your Desktop. Then right click on the Env.bat and select Run As Administrator. This will run very fast and will add a log to C:\MGlogs.zip. Attach the updated MGlogs.zip file.


    Also do you have any idea what the below is doing as part of your environment variables.
    asl.log=Destination=file;OnFirstLog=command,environment
     
  5. mudbucket

    mudbucket Private E-2

    I ran Env.bat and attached the log.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I was correct about your AppData environment variable not being set properly. Let's try to fix it.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now reboot your PC and after reboot, do the below.


    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below logs:
    • the TDSSkiller log
    • the MBRcheck log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 26, 2012
  7. mudbucket

    mudbucket Private E-2

    The registry fix got a successful message. However, after reboot I could not open a browser, and the system was very unstable. I downloaded TDSSkiller in Safe Mode, rebooted in Normal Mode and attempted to run from desktop as Admin. The program just hung and a restart did not help. I cannot generate a log.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please continue on to MBRcheck and MGtools.

    You did not answer my earlier question about the below
     
  9. mudbucket

    mudbucket Private E-2

    Time heals. The system became more stable and I was able to log on as Admin and run the scans. I attached the logs. I am fairly certain I ran them all as Administrator.

    As to the earlier question, I totally missed that. :-o
    Answer: I have no clue as to what that is doing as part of my environment variables.
    What's an environment variable?
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is a system setting that can be either a permanent type setting or a temporary setting which stores information about the environment your programs are running in. It is called a variable because it can be modified. Your AppData environment variable had been changed to an incorrect value and thus was causing problems for many programs since it was not set to point to where it should point.


    Your MBRcheck log shows the below
    Code:
          Size  Device Name          MBR Status
      --------------------------------------------
        335 GB  \\.\PhysicalDrive0   Unknown MBR code
                SHA1: CEFD837A02A1F4445A136688B10013AE4399C2CF
    While an unknown MBR does not necessarily mean it is infected, in many cases it is. And since you are having problems, it may be a good idea to fix yours.

    Before we do this, I have to ask two questions:
    1. Do you have important data backed up?
    2. Do you have your Vista Boot DVD which we will need to use to boot to the System Recovery Environment to repair your MBR?
    Let's also cleanup a few misc non-malware items which may help with your performance issues ( like slow start up ).



    Uninstall the below software:
    Conduit Engine
    Java(TM) 6 Update 24

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
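An added check for the AppData problem chaslang describes above (this is not Env.bat, MGtools, or anything from the thread): it compares the per-user folder variables Windows builds at logon with the registry values they come from and flags a missing or mis-pointed one. It assumes PowerShell 2.0 or later, run inside the affected user's own session; a TEMP mismatch is only a hint, since users may legitimately relocate it.

```powershell
# Added example for this thread, not part of MGtools or Env.bat: verify the
# per-user folder variables (USERPROFILE, APPDATA, LOCALAPPDATA, TEMP) against
# the registry values Windows builds them from. A missing or mis-pointed AppData
# is exactly the kind of setting the thread found; this makes it visible.
# Assumes PowerShell 2.0 or later, run inside the affected user's own session.

function Get-UserShellFolder {
    param([string]$Name)
    # "User Shell Folders" stores the REG_EXPAND_SZ template, e.g.
    # %USERPROFILE%\AppData\Roaming. The registry provider expands it for us;
    # expanding again is harmless and catches a literal %VAR% left behind.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    $raw = $item.$Name
    if ($raw -eq $null) { return $null }
    return [Environment]::ExpandEnvironmentVariables([string]$raw)
}

function Test-UserFolderVariables {
    $userProfile = [Environment]::GetEnvironmentVariable('USERPROFILE')
    # Var = environment variable; Reg = value name under User Shell Folders
    # ($null when the variable is not derived from that key); Suffix = the
    # path Vista/7 normally appends to USERPROFILE for this variable.
    $checks = @(
        @{ Var = 'USERPROFILE';  Reg = $null;           Suffix = '' },
        @{ Var = 'APPDATA';      Reg = 'AppData';       Suffix = '\AppData\Roaming' },
        @{ Var = 'LOCALAPPDATA'; Reg = 'Local AppData'; Suffix = '\AppData\Local' },
        @{ Var = 'TEMP';         Reg = $null;           Suffix = '\AppData\Local\Temp' }
    )
    $results = @()
    foreach ($c in $checks) {
        $value = [Environment]::GetEnvironmentVariable($c.Var)
        $problems = @()
        if ([string]::IsNullOrEmpty($value)) {
            $problems += 'variable is not set'
        } else {
            if (-not (Test-Path -LiteralPath $value)) { $problems += 'path does not exist' }
            if ($c.Suffix -and $userProfile -and ($value -ne ($userProfile + $c.Suffix))) {
                $problems += ('expected ' + $userProfile + $c.Suffix)
            }
        }
        if ($c.Reg) {
            $regValue = Get-UserShellFolder -Name $c.Reg
            if ($regValue -eq $null) {
                $problems += ('registry value "' + $c.Reg + '" is missing')
            } elseif ($value -and ($regValue -ne $value)) {
                $problems += ('registry says ' + $regValue)
            }
        }
        $status = 'OK'
        if ($problems.Count -gt 0) { $status = $problems -join '; ' }
        $results += New-Object PSObject -Property @{
            Variable = $c.Var; Value = $value; Status = $status
        }
    }
    return $results | Select-Object Variable, Status, Value
}

# Anything other than OK in the Status column is a setting programs such as
# Malwarebytes ("failed to expand shell folder userappdata") will trip over.
Test-UserFolderVariables | Format-Table -AutoSize -Wrap
```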
  11. mudbucket

    mudbucket Private E-2

    1. I have not backed up any data recently.
    2. I have 3 Windows Vista OS recovery discs on DVD+R
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should back up important data now.

    Those discs are not what you need. They are not bootable Vista discs. Let's see if you can do the below to enter System Recovery Options.



    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • If you can do all of the above to get to the Command Prompt then just type exit in the command prompt to boot back into normal Windows and let me know you were able to do this or not.
    NOTE: You need to follow the rest of my instructions in my previous message anyway before we can proceed to the next stage of fixing your MBR.
     
  13. mudbucket

    mudbucket Private E-2

    I cannot use the Backup utility without getting an error message about a file that can't be found. The system is unstable and limited at this time - I'll keep trying.

    I was able to enter System Recovery Options and get to the command prompt. (x:windows\system32> )

    I don't think I own a bootable Vista disc. My hard drive is partitioned with a FACTORY_IMAGE (D: ) that includes a boot file, and recovery stuff.

    I do not have the files backed up yet, and I think the system will need to be more stable for me to carry out those instructions successfully. I'll keep trying.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't need to use a Backup program. You can just copy the files/folders you want to copy. You need to copy them someplace not on your PC, like to a CD or DVD or to an external disk drive. If you were trying to use a backup utility to copy them to another copy on the same hard disk then that serves no purpose for why we are backing them up.

    No, you need to follow the instructions I gave already. My request for you to backup your files is for what we need to do next.
     
  15. mudbucket

    mudbucket Private E-2

    OK I get that I need to back up files and then follow your previous instructions. I was trying to use the Windows Backup tool to write to DVD.

    My User folder has 160 GB that I want to backup, so I will have to come up with something more than 6 DVDs and a 16GB USB flash drive.

    Once I have my important files backed up I will continue with your instructions in post #10.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Consider purchasing an external USB drive so that you can always use it for backups. A 500GB drive is fairly cheap. And sales on 1 TB ( terabyte ) drives are happening all the time.
     
  17. mudbucket

    mudbucket Private E-2

    I will do that. Thanks!
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Just post back once you have completed those previous instructions.
     
  19. mudbucket

    mudbucket Private E-2

    I backed up important files. I removed Conduit but I could not uninstall Java (TM) 6 update 24. I could not get the ComboFix to run per the instructions, so I do not have a log. I have the ComboFix app on the desktop and I dragged the .txt file onto it, but it does not start or give me any prompts.
    The system is very slow and not very responsive. I have to use task manager to end tasks, and then restart and/or power down to continue.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, follow the same instructions as in message # 12 to boot back into the System Recovery Environment to get to the command prompt. Then in the command prompt window, enter the below commands ( note the space after bootrec ). The second one will reboot the PC. Allow it to boot back to normal Windows.
    • bootrec /fixmbr
    • exit
    Once back in Windows...

    Re-run another scan with MBRCheck and attach its latest log.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )



    Now attach the below logs:
    • the new MBRcheck log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  21. mudbucket

    mudbucket Private E-2

    I got to the DOS prompt and ran the /fixmbr operation successfully.

    In normal windows the MBRCheck won't run, after 5 min. of waiting a click of the mouse gives me an error message: "The application is not responding" and I have to "End Process".

    I downloaded the MGtools app to the C: drive and tried to run as Admin, (UAC is still off). Same result - It does not run, not responding.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try booting in safe mode and running both programs.
     
  23. mudbucket

    mudbucket Private E-2

    Again, the computer was idle and with a little time the system seemed to become more stable.

    I noticed that AntiVir Guard was actively picking up on some Malware, and a few windows popped up: Windows backup utility, Lexmark printer, Firefox update, and Adobe update.

    I ran MBRCheck and MGtools and attached the logs. I am in Normal mode and can access the internet so that's an improvement!
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your MBR is fixed.
    Then I would suggest that you are not having malware problems. You are likely having issues related to all the software you are loading/running at startup.

    Like what exactly and where. Your logs are clean. The only things we did thus far was fix an unknown MBR which may be the reason why you can access the internet now.

    The MGlogs.zip file you attached is not a new log. The files in it are from 1/27 and yesterday was 2/5 so it would appear that you did not get C:\MGtools\GetLogs.bat to run properly to create a new log. Try running it again and make sure it finishes running. Let me know if there are any problems running. Wait for your startup instabilities to cease before trying to run it.
     
    Last edited: Feb 6, 2012
  25. mudbucket

    mudbucket Private E-2

    Thanks for the MBR fix!

    I attached the latest AVscan logs that I was referring to.

    I ran MGtools and it was slow, but completed successfully. I attached the log.

    I still cannot start the Windows Security Service, Defender is off, it appears that System Restore is functioning.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nothing of any real concern in there.

    I assume you meant Windows Security Center? You have the services for WSC and Defender stopped and disabled. Try starting them and setting the proper

    Please click Start, Run and type services.msc into the Run box and click OK. This will open up the Services form. Scroll down to the Security Center service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Automatic (Delayed Start).

    Now locate the Windows Defender service and Start it and set the Startup type to Automatic. Did this Start?

    Now close the above services forms and reboot your PC. After reboot, get a new log from MGtools and attach it here along with your answers to what happened while trying to start all the above services. Also see if they are still running ( Started ) after the reboot.
     
    Last edited: Mar 5, 2012
  27. mudbucket

    mudbucket Private E-2

    I opened the Security Center service and got the following notification:
    WSC_1.jpg
    Clicked OK. In the properties box the service was Disabled, changed to Automatic (Delayed Start), clicked Apply and got the same notification. Clicked OK and clicked Start.

    The service status in the properties box was Started, but after 20 sec. it changed to Stopped. When I clicked Start again I got the following:
    WSC_2.jpg
    In the services list the Security Center was Disabled.

    I opened the WinDefend service which was Disabled, I changed to Automatic, clicked Apply and then Start. I got the following:
    WDef_1.jpg
    Clicked OK, and tried Start again. I got the following:
    WDef_2.jpg
    Windows Defender did not start. It was listed as Disabled.

    After reboot these services were still Disabled. After each of 4 attempts at rebooting, I could not run MGtools, or open a browser, and Avira AV was not enabled. I am currently in Safe Mode w/networking to post this. I will attempt to run MGtools in Safe Mode and if successful, I will follow up with the log.
     
  28. mudbucket

    mudbucket Private E-2

    The log from MGtools run in Safe Mode is attached.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the below file and save it to your Desktop

    fixservice.reg

    Then right click on it and select Merge and allow it to be added to your registry.
    Then reboot your PC.

    After reboot, check the status of the Security Center and Windows Defender services.


    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the FSS.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  30. mudbucket

    mudbucket Private E-2

    The system is too unstable to merge the fixservice file with the registry. It hangs and I have to End Process. I tried in normal mode a few times, and again in safe mode where I got this message:
    FS_1.jpg

    The system was too unstable to run the FSS scan in normal mode, so I ran it in safe mode anyway and attached the log.

    I ran the Getlogs.bat file and attached the logs zip file.

    I am still in Safe mode, so I need to restart and see if there is any improvement.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This means part of it worked and part of it did not which is quite normal due to some LEGACY registry keys that were in the simple patch.

    At this point to see what I need to see, logs from normal boot mode are necessary.

    What I gave you would not fix the problems you are having with stability. It was only a quick attempt at trying to kick start the Security Center and Defender services.

    As stated earlier, your problems are really not due to malware. Even the unknown MBR may not have been a real infection. It seems your problems are deep rooted in Windows itself or with hardware or driver software. Or potentially other software you are loading at startup. We could try disabling a variety of startup processes and services to see if it helps. In some cases it may be better to uninstall the software completely. However in the end, you may be looking at a reinstall to fix things.

    One other observation from the last MGlogs.zip obtained in normal boot mode is an excessive number of open TCP/IP connections to your PC. I see more than 8 times the number I normally see on a Vista PC. This could slow you down a lot, since you may be allowing lots of people to connect to your PC due to uTorrent or other similar programs allowing connections to your PC. Possibly some of this is also due to excessive gaming.

    Would you still like to try a few fixes or would you rather bite the bullet and reinstall?
     
    Last edited: Feb 12, 2012
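An added diagnostic for the "excessive number of open TCP/IP connections" observation above (this is not MGtools output and not part of the thread): it parses `netstat -ano` and counts connections per owning process, so the program holding them can be named. It assumes PowerShell 2.0 or later, run as Administrator so the PID column is filled in for every socket.

```powershell
# Added example, not from the thread: count the TCP connections each process
# holds, so that an "excessive number of open TCP/IP connections" can be traced
# to the program behind them (a torrent client, a game launcher, ...).
# Assumes PowerShell 2.0 or later; run as Administrator so netstat -ano can
# report the owning PID for every socket.

function Get-TcpConnectionsByProcess {
    param([string[]]$NetstatLines = (netstat -ano))
    # netstat -ano TCP rows look like:
    #   TCP    192.168.1.5:49203      72.21.81.200:80        ESTABLISHED     2456
    # i.e. Proto, Local Address, Foreign Address, State, PID (UDP rows have no State
    # and are skipped here).
    $rows = foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
            New-Object PSObject -Property @{
                Local = $matches[1]; Remote = $matches[2]
                State = $matches[3]; OwnerPid = [int]$matches[4]
            }
        }
    }
    $rows | Group-Object OwnerPid | ForEach-Object {
        $group = $_
        $ownerPid = [int]$group.Name
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name = '<exited>'            # PID no longer exists by the time we look it up
        if ($proc) { $name = $proc.ProcessName }
        $established = @($group.Group | Where-Object { $_.State -eq 'ESTABLISHED' })
        # Strip the port so each remote host is counted once, whatever the port count.
        $remoteHosts = @($established |
            ForEach-Object { $_.Remote -replace ':\d+$', '' } |
            Sort-Object -Unique)
        New-Object PSObject -Property @{
            Process = $name; OwnerPid = $ownerPid; Connections = $group.Count
            Established = $established.Count; RemoteHosts = $remoteHosts.Count
        }
    } | Sort-Object Connections -Descending |
      Select-Object Process, OwnerPid, Connections, Established, RemoteHosts
}

# Processes with the most sockets come first; a few hundred ESTABLISHED rows
# spread over many RemoteHosts from one process is the pattern to look for.
Get-TcpConnectionsByProcess | Format-Table -AutoSize
```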
  32. mudbucket

    mudbucket Private E-2

    Reviewing this thread brought up a few questions and a few things unmentioned. Have we determined that all user accounts are uninfected? Was the AppData environment variable issue corrected properly?

    I hadn't mentioned it but I have a browser redirect problem that I was working on that hasn't been resolved.

    Also, when the system was more stable Avira AntiVir needed to be updated. I uninstalled the old version and did not successfully complete the update installation, so I am without an anti-virus program.

    With regard to your last post, I haven't been able to get any logs from normal boot mode yet. The system has remained unstable for the last 4-5 days. I would prefer to disable or uninstall things to see if it improves, as before, so I can get logs in Normal mode.

    Regarding the excessive number of open TCP/IP connections, what can I do to reduce this? The PC is used for on-line gaming, is there something that we can do to ensure we are not causing a slow PC?

    I will reinstall the OS if necessary, but I would like to try a few things first (startup programs, uninstall programs etc.) or whatever you may suggest. I am hopeful that we can fix it without needing to reinstall. The system seemed to become more stable after rebooting, with time. That no longer seems to be the case. The MBR repair seemed somewhat effective because we did see some improvement, but that was short lived. I would like to try some other repairs/fixes before biting that bullet.

    For a reinstall, I have 3 Windows Vista OS recovery discs. Is this all I would need?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, we have not, but it does not matter for the single account that we have been checking logs for. They are clean.... unless something new has actually been picked up since last running full scans. However, running scans in safe boot mode could miss things.

    Yes.

    To where and how often? Is this occurring in safe boot mode on your user account? Also which browser are you using when redirected?

    Then I suggest uninstalling it completely since it is still running and possibly corrupted. Uninstall it right now!!!

    Okay, we will try a couple things.

    My experience is that online gaming always contributes to slow downs. Especially things like Steam which loads services/processes every time you startup.

    Possibly! I don't know what they are. Did you make them, or did they come with the PC?

    Uninstall the below:
    µTorrent
    Spybot - Search & Destroy
    SUPERAntiSpyware
    TeamViewer 6
    uTorrentBar Toolbar

    Delete the below files:
    C:\ProgramData\qjaxlkio.dss
    C:\Users\Burtis\AppData\Local\temp\6nb1wJRF.exe.part
    C:\Users\Burtis\AppData\Local\temp\fb8YmeEs.exe.part
    C:\Users\Burtis\AppData\Local\temp\LbVuSzui.exe.part

    Delete the below folders:
    C:\Users\Burtis\AppData\Local\temp\svba6.tmp
    C:\Users\Burtis\AppData\Local\temp\svpop.tmp

    Now while in Safe Mode, run MSconfig and choose Selective Startup. Then goto the Services tab and first check the Hide all Microsoft Services box at the bottom. Then disable all remaining services you see. Then select the Startup tab and locate each of the below. Names may appear differently.

    [hpsysdrv] c:\hp\support\hpsysdrv.exe
    [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
    [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    [WinampAgent] "C:\Users\Nicky #2\Downloads\Winamp\winampa.exe"
    [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    [lxdwmon.exe] "C:\Program Files\Lexmark 7600 Series\lxdwmon.exe"
    [EzPrint] "C:\Program Files\Lexmark 7600 Series\ezprint.exe"
    [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    [Skytel] Skytel.exe
    [IMBooster] C:\Program Files\Iminent\IMBooster\imbooster.exe /warmup
    [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
    [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    [DirectPlayerCore] "C:\Users\Eve\Desktop\NBC Direct\DirectPlayerCore.exe"

    Then uncheck them so that they do not startup. Then click Apply and OK. Then reboot and see if you can run in Normal Boot Mode.

    Also, no matter whether safe mode or normal boot mode works, do the below

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
    Last edited: Feb 12, 2012
  34. mudbucket

    mudbucket Private E-2

    Thanks for the quick response! I uninstalled the listed software, deleted the files and folders, and disabled the recommended services and startup programs. One folder: C:\Users\Burtis\AppData\Local\temp\svpop.tmp was not found, but it may have been deleted when I deleted C:\Users\Burtis\AppData\Local\temp\svba6.tmp.

    I could not run in Normal mode, so I am in Safe mode and I attached the MGtools log.

    Regarding the browser redirect, it would occur in Chrome, and I think that IE and FF had the same issue. When using Google to find a website, if you clicked on a link it would redirect you to a seemingly random website. I noticed if you hit the back button and clicked the same Google link again it would send you to a different site, and after repeating this 3-4 times the link would eventually take you to the correct site. I have not noticed this in Safe mode although I haven't been surfing the web much in this mode. It has been an issue for months, and I did notice that it was still occurring in Normal mode about a week ago when this PC was more stable.

    With regard to the AV software, I have nothing installed. The problem was with installing the update, which I was unsuccessful in completing.

    I made the Vista recovery discs as recommended in this thread: http://forums.majorgeeks.com/showthread.php?t=180835
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run MSconfig again and on the General tab choose the Selective startup radio button. Then in the check boxes below this, uncheck both the Load system services and Load startup items

    Then click Apply and OK and allow your PC to boot normally ( do not choose safe boot ).

    You will not be able to do very much in this mode. We just want to see if it starts up and runs this way without having the extremely slow down issues you have mentioned.

    You will have reboot back to safe mode to use it like you have been using it so you can report to me what happened above.
     
  36. mudbucket

    mudbucket Private E-2

    Under Selective Startup I could uncheck the boxes, but upon clicking "Apply" a screened checkmark would appear in the checkbox for "Load system services." Only the checkbox for "Load startup items" remained unchecked (no matter what I tried). Sooo, I clicked OK and let the PC boot normally.

    It was slow to boot up, but responded quickly once loaded.

    I tried a few things: Control Panel opened. Security Center was off - I could not turn it on. Windows Defender was off - I turned it on(!) and it was able to run a quick scan. System Restore was "not functioning correctly." I tried System Protection - unexpected error, Volume Shadow Copy service not working. I could open Task Manager, OpenOffice Writer, some games (Solitaire), and CCleaner and these programs would function. Could not load Disk Defragmenter from System Tools (just checking - not attempting a defrag now!). Also, FF and IE would load, but no internet access. All of these actions performed quickly, normally.

    I noticed something a little strange - in Normal mode some of the desktop icons have an added-on "Windows shield" on the lower right side.:confused

    When I rebooted in Safe mode I did not have internet, so I ran MSconfig, changed back to Normal startup, and rebooted in Safe mode. Some other programs started that I haven't seen automatically open in Safe mode: LogMeInHamachi and Windows media player.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need to see an MGlogs.zip obtained from the semi-normal boot mode you were able to get into. Based on what you are saying, your problems are not malware but some software/driver you are loading and I may have to send you to the Software Forum for you to figure out which one or ones. We are way too busy here with malware to work on Windows/software issues.
     
  38. mudbucket

    mudbucket Private E-2

    I feel your pain.
    Thank you for the good news/bad news. I will post an MGlogs.zip soon.
     
  39. mudbucket

    mudbucket Private E-2

    I booted in "semi-normal" mode after running MSconfig and using the Selective Startup as described below. Then I ran MGtools from C:\ as Admin. I attached the MGlogs.zip.
     

    Attached Files:

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And it runs okay like this correct?

    If the answer is yes, then what you need to do (and this will be tedious) is to stay in this type of mode but use the Services tab to slowly start enabling a couple of services at a time (you MUST keep track of what you are doing --- like what is enabled and what is disabled each time) to see if you can zero in on which item or items, when enabled, cause the problems that you are having. Just use the Services tab right now and ignore the Startup tab. Obviously you have to reboot after each time you enable a couple of services to see the effect. It will not change anything until you reboot.
     
  41. mudbucket

    mudbucket Private E-2

    Yes.

    I followed your recommended procedure and found that the problems are tied to the Print Spooler service. In Selective startup with all but the Print Spooler service checked, the system responds well.

    I can access the internet in this mode, so I downloaded and installed the current version of Avira Free Antivirus (the download was slow +/-400 kB/sec.).
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then it would seem that this agrees with what I had stated at the beginning of this thread and that is you don't seem to be having malware problems. Seems you have Windows problems or software/driver conflict issues. You can try uninstalling any other junk you had installed (like all those toolbars and browser helper objects or any other addons to your browser).

    I could look at a new set of logs from MGtools but I don't think I'm going to be able to see anything more than what I have been saying about this not being a malware issue.

    Perhaps you should bite the bullet and just do a clean reinstall if you are not happy with the way the system is performing.
     
  43. mudbucket

    mudbucket Private E-2

    Glad to hear it's not malware. I will remove the toolbar, junk etc. I also have that browser redirect issue I need to fix.
    Since there appears to be problems associated with the Print Spooler service I would like to try to fix this.

    Not ready to bite the bullet for a reinstall yet.

    Before I reinstall, could you point me in the right direction in the Software Forum? I'd like to try to correct the issues with the following: Windows Security Center is off, and can't be turned on. Windows Defender is off and can't be turned on. Windows Firewall is not using the recommended settings. I will need the Print Spooler service working properly, and I'd like to get the wireless printing operational again.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah well this is new info. So let's dig into this. Which browser are you redirected with? Is it only with Firefox ? Does it also happen if Firefox is shutdown and you use Internet Explorer?

    Do you currently have internet access on this PC with how you have it configured? Your last MGlogs.zip showed no internet capability because your DHCP service was still disabled. Also many other services were disabled at the time of that last log. Since you zeroed in on the print spooler problem, please attach a new MGlogs.zip that shows the real current running condition so that I can better tell what if anything is still going on.
     
    Last edited: Feb 25, 2012
  45. mudbucket

    mudbucket Private E-2

    It has been Chrome, FF and IE. I had one redirect using FF today after a Google search and clicking on one of the search results:
    FF_1.jpg
    Later today I used the FF and IE browsers for multiple searches on different user accounts without any issues, so it is not a constant problem.

    I can access the internet running in this mode: Selective Startup with the print spooler service unchecked.
    Although I checked the box for the Avira AV program, it clears itself and so it is also not running in this mode.
    I ran MGTools while in this mode - log is attached.
     

    Attached Files:

  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good. Then let's see if you can complete the below which will require having a USB flashdrive. Note, you have an x32 system.

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.


    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  47. mudbucket

    mudbucket Private E-2

    I downloaded the Farbar recovery scan tool to flash drive, and ran the scan from the command prompt.
    The log is attached.
     

    Attached Files:

  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  49. mudbucket

    mudbucket Private E-2

    I ran FRST with fixlist.txt on the flashdrive. The log is attached.

    I could not run the Getlogs.bat file after rebooting in Windows Normal mode as requested. (not responding)

    I restarted using MSConfig-Selective startup with the print spooler disabled. I ran THe Getlogs.bat file in this mode. The MGlogs.zip is attached.
     

    Attached Files:

  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run MSconfig and select the Startup tab. Re-enable all the startup processes you have disabled. Do not change the status of the Print Spooler service that you have disabled due to the problems it causes. Then click Apply and reboot your PC. See if it runs okay now too. If not, troubleshoot the startup processes the same way you did with the services to see which ones may be problems.

    After the above reboot, continue on with the below instructions.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the OTL.txt and Extra.txt logs
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
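    As an added example that is not part of the thread or of HijackThis: a read-only PowerShell check (assumed to run from an elevated prompt on the affected PC) that resolves the registry entries behind the R3 URLSearchHook, O3 Toolbar and O20 Winlogon Notify lines and flags those whose DLL no longer exists on disk, which is what the "(no file)" and "(file missing)" annotations above mean.

```powershell
# Added example, not from the thread: list IE URLSearchHook (R3), Toolbar (O3) and
# Winlogon Notify (O20) registrations whose DLL is missing from disk. Read-only.

function Resolve-ClsidDll([string]$Clsid) {
    # A COM CLSID maps to its DLL through the InprocServer32 default value; check both hives.
    foreach ($hive in 'HKLM:\Software\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        $inproc = Join-Path $hive "$Clsid\InprocServer32"
        if (Test-Path $inproc) { return (Get-ItemProperty $inproc).'(default)' }
    }
    return $null
}

$findings = @()

# R3/O3: the value names under these keys are the CLSIDs of registered hooks and toolbars.
$clsidKeys = @{
    'R3 URLSearchHook' = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    'O3 Toolbar'       = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
}
foreach ($entry in $clsidKeys.GetEnumerator()) {
    if (-not (Test-Path $entry.Value)) { continue }
    foreach ($name in (Get-Item $entry.Value).GetValueNames()) {
        if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }   # skip non-CLSID values
        $dll = Resolve-ClsidDll $name
        $findings += New-Object PSObject -Property @{
            Type = $entry.Key; Id = $name; Dll = $dll
            Exists = [bool]($dll -and (Test-Path $dll))
        }
    }
}

# O20: each subkey under Winlogon\Notify names its DLL in the DLLName value.
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem $notify) {
        $dll = (Get-ItemProperty $sub.PSPath).DLLName
        # A bare file name is looked up in System32, as Winlogon itself does.
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        $findings += New-Object PSObject -Property @{
            Type = 'O20 Winlogon Notify'; Id = $sub.PSChildName; Dll = $dll
            Exists = [bool]($dll -and (Test-Path $dll))
        }
    }
}

# Orphaned entries (no DLL on disk) are the ones a cleanup tool would list for removal.
$findings | Where-Object { -not $_.Exists } | Format-Table Type, Id, Dll -AutoSize
```

The script only reports; removing an orphaned entry is still done with the tool the post describes.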
     
