BSOD Win Vista

Discussion in 'Malware Help (A Specialist Will Reply)' started by Heyman7, Jun 14, 2012.

  1. Heyman7

    Heyman7 Private E-2

    Hey Guys,
I recently picked up a computer that was no longer being used due to the blue screen of death. When booting up the computer, when it gets to the screen where it wants you to select user accounts, the blue screen appears.


There are only two user accounts on the computer (I created the 2nd account) but the blue screen with the memory dump jargon comes on right away. The good thing is I've been able to access safe mode. In safe mode, I have run a few tools that seem to be catching things but that blue screen is persistent. So, I am able to access safe mode without an issue but when it comes to normal windows boot up, blue screen appears.

    Attached below are logs, I will make a second post for additional logs
    Thanks!
     

    Attached Files:

    Last edited: Jun 14, 2012
  2. Heyman7

    Heyman7 Private E-2

    Additional logs
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  4. Heyman7

    Heyman7 Private E-2

    Thanks man
    Attached!
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not get the current version of MGtools to run properly and some very old outdated copy ran. Please do the below:

    1. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    2. Now download the current version of MGtools and save it to your root folder or to your Desktop. DO NOT put it where you put it last time which was C:\Users\Medicine\Desktop\Cure\MGtools.exe
    3. Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )
    Now attach the below log:
    • C:\MGlogs.zip
     
  6. Heyman7

    Heyman7 Private E-2

    Attached
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below:
    Ask Toolbar
    Java(TM) 6 Update 26
    Java(TM) 6 Update 6




    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. Heyman7

    Heyman7 Private E-2

    When attempting to uninstall Java or the ASK Toolbars

    "You do not have sufficient access to uninstall "Ask Toolbar Updater. Please contact your system admin" or "The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance"


That's in Safe mode when I'm attempting the uninstall. Now from safe mode when I do msconfig and disable all services and click apply, it forces a restart which is what's supposed to happen and I have full access to my desktop (non safe mode)

but when I allow all services to be enabled, blue screen of death again. I did exactly what you said and Combofix was going through its motions and processes and all and found that zeroaccess has corrupted the TCP IP stack. Now what happens is I'm able to log on to accounts (non safe mode) but blue screen appears within a few moments. I'm going to keep working at it to figure out which service is corrupted but at least the blue screen is not appearing at the log on screen anymore (user account screen). Combofix never fully completed due to having to restart and after the restart, it checked for rootkits but blue screen came up shutting the program down and forcing the reboot.
     
    Last edited: Jun 15, 2012
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ignore the uninstalls step. And try running ComboFix in safe boot mode.

    Run the GetLogs.bat part of MGtools in normal boot mode if possible.
     
  10. Heyman7

    Heyman7 Private E-2

ComboFix will not completely run; when started in safe mode it will go through a few processes and sometimes it will not even open the dos window, even when running in Safe Mode.

    I will try and run the GetLogs.Bat in MGTOOLS in normal boot mode, anytime I get in detail in anything in normal mode (opening add/remove programs or any basic routine on the computer) - blue screen of death appears

    I do believe ComboFix corrected the rootkit that delivered the blue screen at the start up screen but other areas are for sure still infected
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

No! We don't need a new log until a fix is run and since ComboFix did not run then no fix was run. I will work up a different fix. In the meantime, delete the current combofix.exe file you have.
     
  12. Heyman7

    Heyman7 Private E-2

    Ok I will delete it.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download The Avenger by Swandog46, and save it to your Desktop.
    See the download links under this icon http://www.majorgeeks.com/images/dll.gif
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Users\KING\AppData\Local\temp\


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. Heyman7

    Heyman7 Private E-2

    Attached are two screen shots. I was able to delete most of the files in both folders but permission errors were delivered when using an Admin account in Safe Mode


I did run Avenger and it rebooted as expected but blue screen of death appeared during the user account log on screen, issuing the computer a loop to reboot. Rebooted back in Safe Mode and did the MG Tools and attached the log but it went to blue screen of death again after reset.
     

    Attached Files:

    Last edited by a moderator: Jun 15, 2012
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the below folders in your root folder.
    Code:
    C:\
    cleanup.bat   Jun 15 2012         574  "cleanup.bat"
    cleanup.exe   Jun 15 2012       19286  "cleanup.exe"
    combof~1.lnk  Feb 27 2010         302  "ComboFix.exe - Shortcut.lnk"
    hijack~1.exe  Feb 26 2010      396288  "HijackThis.exe"
    hijack~1.log  Jun 14 2012        6970  "hijackthis.log"
    Also delete the below folders in your root folder:
    Code:
    C:\
    COMBOFIX      Jun 15 2012              "ComboFix"
    QOOBOX        Jun 15 2012              "Qoobox"
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - .DEFAULT User Startup: tiitmy.exe (User 'Default user')
    O4 - .DEFAULT User Startup: ukce.exe (User 'Default user')
    O4 - .DEFAULT User Startup: xegyde.exe (User 'Default user')
    O4 - Global Startup: McAfee Security Scan Plus.lnk = ?

    After clicking Fix, exit HJT.

    Now reboot your PC.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below log:
    • C:\MGlogs.zip

    Now please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
     
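    The OTL custom scan above hashes a fixed list of system binaries, reads the service keys for the TCP/IP stack and lists the Default profile's Startup items. As an added example (not the thread's own code and not part of OTL or MGtools), the same checks can be done from an elevated PowerShell prompt; paths are assumed from $env:SystemRoot and $env:SystemDrive on a Vista/Win7 layout.

```powershell
# Added example, not from the thread or from OTL/MGtools: a PowerShell 2.0
# compatible integrity check over the same files and service keys the OTL
# custom scan above targets. Paths are derived from $env:SystemRoot and
# $env:SystemDrive (assumed Vista/Win7 layout). Run elevated.

$files    = 'afd.sys','atapi.sys','csrss.exe','dhcpcsvc.dll','explorer.exe',
            'lsass.exe','nsiproxy.sys','regedit.exe','services.exe','svchost.exe',
            'tcpip.sys','tdx.sys','userinit.exe','winlogon.exe'
$services = 'dhcp','afd','tdx','tcpip','nsiproxy'

function Get-Md5Hex([string]$Path) {
    # .NET MD5 so this also works where Get-FileHash (PS 4+) is absent.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($md5.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Find-SystemFile([string]$Name) {
    # Drivers normally live in system32\drivers; user-mode binaries in system32
    # or the Windows root. The first hit is reported.
    foreach ($dir in "$env:SystemRoot\system32\drivers", "$env:SystemRoot\system32", $env:SystemRoot) {
        $p = Join-Path $dir $Name
        if (Test-Path $p) { return $p }
    }
}

"== File hashes and Authenticode status =="
foreach ($name in $files) {
    $path = Find-SystemFile $name
    if (-not $path) { "{0,-14} MISSING" -f $name; continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    # Compare the MD5 against the same file on a clean machine of the same
    # build; an OS binary whose signature status is not 'Valid' needs a closer look.
    "{0,-14} {1} {2,-10} {3}" -f $name, (Get-Md5Hex $path), $sig.Status, $path
}

"`n== Service entries (ImagePath / Start) =="
foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { "{0,-10} key missing" -f $svc; continue }
    $v = Get-ItemProperty -Path $key
    # ImagePath should point under system32; a redirected or missing path is suspect.
    "{0,-10} Start={1} ImagePath={2}" -f $svc, $v.Start, $v.ImagePath
}

"`n== Default profile Startup folder (assumed source of the HJT '.DEFAULT User Startup' items) =="
$startup = Join-Path $env:SystemDrive 'Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
if (Test-Path $startup) { Get-ChildItem -Path $startup -Force | ForEach-Object { $_.FullName } }
```

    The output is only meaningful next to a known-clean reference: hashes differ legitimately between builds and patch levels, so the signature status and the service ImagePath values are the quicker indicators.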
  16. Heyman7

    Heyman7 Private E-2

    I was able to delete the files.

    OTL was not able to run in Safe mode with error "OTL.EXE is not a valid Win32 Application", in safe mode I disabled all services so I could get into normal boot up and the same error was delivered

    Also in normal mode, I ran Avenger and it completed, log is attached as well MG Tools. Currently, I'm in the normal startup with all services disabled
     

    Attached Files:

    Last edited by a moderator: Jun 15, 2012
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Please only do what is requested and nothing more. i.e., Do not go back and run something that did not previously run unless I ask you to do so.

    The log from analyse.exe (HijackThis) shows most items were not fixed. Did you actually get it to run and fix those items? Were there any error messages?

    Are you still in normal startup mode right now?
     
  18. Heyman7

    Heyman7 Private E-2

    I ran HJT and that's what was delivered. I do not recall any error messages but I do remember seeing the final log. That was performed in safe mode. Currently I am in normal start up with all services disabled.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then do the below all from normal boot mode.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - .DEFAULT User Startup: tiitmy.exe (User 'Default user')
    O4 - .DEFAULT User Startup: ukce.exe (User 'Default user')
    O4 - .DEFAULT User Startup: xegyde.exe (User 'Default user')

    After clicking Fix, exit HJT.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    • C:\MGlogs.zip
    Do you have your Vista Boot DVD?
     
  20. Heyman7

    Heyman7 Private E-2

    Attached log and I do not have the Vista Boot DVD
     

    Attached Files:

  21. Heyman7

    Heyman7 Private E-2

    update : was able to system restore it

    Thanks for all assistance in the manner
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay then get a new log from MGtools to attach. Those items that were not going away are typical of a Ramnit infection and if you really had one of these infections, a restore may not fix everything that could be wrong.

    I also suggest running the ESET scan in the below and attach this log:

    Using ESET's Online Scanner
     
