blue screen and bugs, system slowed to crawl

Discussion in 'Malware Help (A Specialist Will Reply)' started by E-squared, Jun 7, 2008.

  1. E-squared

    E-squared Private E-2

    My background was changed to a blue screen with the spyware message and I've seen the bugs crawl eating graphics. My system has slowed to an absolute crawl and it takes about 15 minutes to get response after clicking anything.

    I've followed all the steps in the README AND RUN ME FIRST - Malware removal guide. Done all of the cleanup, swapped out my Java, ran CCleaner, etc. I downloaded the programs and ran them all to get log files. Combofix seemed to run, but did not generate a log file called combofix.txt. It seems to have created bugs.txt which is attached.

    Please advise! Thanks in advance!
     

    Attached Files:

  2. E-squared

    E-squared Private E-2

    here are the other log files.
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi E-squared,
    Welcome to Major Geeks!


    Please begin by doing the following:


    1) Run CCleaner at the default setting with the Windows tab as the top one. Before you run it, please go to settings / custom / files and folders to be cleaned and add the below folders:

    Before you add the following folders to be cleaned, go to Windows Explorer and look in each of these Temp folders to see if there is anything in them you need to keep. The main thing to look for is if your browser is set to download programs automatically to one of these folders.

    C:\Documents and Settings\Administrator\Local Settings\Temp\*.*
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\*.*
    C:\Windows\Temp\*.*

    After you've added these to the list, run CCleaner. When you finish, go back into CCleaner, go to settings / custom / files and folders to be cleaned and remove these folders.

    Please continue as follows:

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:


    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [lphcpkrj0ej1c] C:\WINDOWS\system32\lphcpkrj0ej1c.exe
    O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

    Do the following belong to programs you know or want to keep? Did you add the O15 item to your trusted zone? If not, please fix them as well.

    O8 - Extra context menu item: 用维棠(ViDown)下载视频 - C:\Program Files\ViDown\vd_link.htm
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)

    Please look at the following and decide if these are programs which need to run at startup. If not, please fix them as well.

    O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
    O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    After you click fix, just close hijackthis.

    4) After you complete the above, please reinstall Combofix as per the instructions in Using Combofix. If it asks you if it can install combofix over the existing version, say yes, however, be sure you are installing it to the desktop. Once it's been installed on desktop, I want you to do the following:

    Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    DIRLOOK::
    C:\327882R2FWJFW
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


    Let me know how things are running now?

    abri
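    Step 3 above asks the reader to pick out, from a list of O4 (startup Run) entries, the ones that should not be there. The following is an added example, not code from the thread, from abri, or from HijackThis: it parses O4 lines of the form quoted above into their hive, key, value name and command line, works out which file is really loaded (for rundll32 entries that is the DLL, not rundll32 itself), and applies one constructed heuristic, flagging bare .exe files that sit directly in the Windows system32 folder, which is where the two entries abri singled out live. The sample log is the set of O4 lines quoted in the post plus the O15 line; the heuristic and the names `parse_hjt_log`, `launched_target` and `looks_suspicious` are assumptions made for this illustration, and a flag only means "look at this entry".

```python
"""Parse HijackThis O4 (startup Run) entries and flag ones worth a second look.

Added example, not code from the thread or from HijackThis. The sample log
lines are the O4 entries quoted in the thread; the "suspicious" rule (a bare
.exe living directly in the Windows system32 folder) is a constructed
heuristic for this illustration, not a HijackThis feature, and a match only
means "check this entry", not "this is malware".
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the O4 lines quoted in the thread plus one O15 line to
# show that non-O4 entries are ignored by the parser.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphcpkrj0ej1c] C:\WINDOWS\system32\lphcpkrj0ej1c.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
"""

# O4 line layout: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
# Only HKLM/HKCU entries are handled here.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<command>.+)$"
)

# First token of a command line: either a quoted path, or an unquoted path that
# may contain spaces, taken up to the first known executable extension.
TOKEN_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>\S.*?\.(?:exe|dll|com|scr|bat|cmd)))(?=[\s,]|$)',
    re.IGNORECASE,
)


@dataclass
class StartupEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, ...
    name: str      # registry value name shown in [brackets]
    command: str   # full command line
    target: str    # file that actually gets loaded (see launched_target)


def _first_token(command: str) -> Tuple[str, str]:
    """Return (first token, remainder) of a Windows command line."""
    s = command.strip()
    m = TOKEN_RE.match(s)
    if not m:
        head, _, rest = s.partition(" ")
        return head, rest
    return (m.group("q") or m.group("u")), s[m.end():].lstrip(" ,")


def launched_target(command: str) -> str:
    """The file that really runs: for rundll32 entries that is the DLL, not rundll32."""
    exe, rest = _first_token(command)
    if ntpath.basename(exe).lower() == "rundll32.exe":
        module, _ = _first_token(rest)
        return module.split(",", 1)[0]
    return exe


def parse_hjt_log(text: str) -> List[StartupEntry]:
    """Parse every O4 HKLM/HKCU line in a HijackThis log; other line types are skipped."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            cmd = m.group("command")
            entries.append(StartupEntry(m.group("hive"), m.group("key"),
                                        m.group("name"), cmd, launched_target(cmd)))
    return entries


def looks_suspicious(entry: StartupEntry) -> bool:
    """Constructed heuristic: a plain .exe sitting directly in system32, started from Run."""
    folder, filename = ntpath.split(entry.target)
    return folder.lower().endswith("\\system32") and filename.lower().endswith(".exe")


if __name__ == "__main__":
    for e in parse_hjt_log(SAMPLE_LOG):
        tag = "CHECK" if looks_suspicious(e) else "     "
        print(f"{tag} {e.hive}\\{e.key} [{e.name}] -> {e.target}")
```

    Run stand-alone it prints one line per O4 entry with the resolved target, marking the two system32 executables with CHECK and leaving the Program Files updaters and helper tools (which abri lists as "decide for yourself" items) unmarked. The unquoted-path handling matters for entries such as DISCover, where the path contains spaces but HijackThis shows it without quotes.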
     
  4. E-squared

    E-squared Private E-2

    abri, thanks for the quick response!

    I followed all of the steps in your post.
    Ccleaner ran ok.
    Removed MSN Messenger.
    MGTools/analyze.exe (HJT) - removed all items you listed, none were things I needed.
    Did exactly as you said for Combofix, however, it still doesn't create a log file called combolog.txt. It creates bugs.txt (which I attached again but looks unchanged). The only visual evidence I have that combofix runs is a little progress bar that appears briefly and goes away. There are no other dialog boxes or prompts as you indicated. Is this normal?
    ran Ccleaner again and getlogs

    logs are attached.
    thanks again for your help in this matter!
     

    Attached Files:

  5. E-squared

    E-squared Private E-2

    bug.txt didn't upload last post...
     
  6. abri

    abri MajorGeek

    Hi E-Squared,
    You have something new. I'm looking into it. Can you open the folder called C:\327882R2FWJFW and tell me what files are inside of it? Do not click on any of the files. You can right-click on the folders or any of the files to go to properties which might give me more information. I'd like to know the size, dates, any information if available about the kinds of files inside of it.
    Thanks.
    abri
     
  7. E-squared

    E-squared Private E-2

    I saved the directory output from dos to a text file which is attached.
    thanks
     

    Attached Files:

    • dir.txt (4.8 KB)
  8. E-squared

    E-squared Private E-2

    should I just delete this entire directory?
     
  9. abri

    abri MajorGeek

    No. Just wait. Thanks.
     
  10. E-squared

    E-squared Private E-2

  11. abri

    abri MajorGeek

    Hi E-squared,

    Thanks for your patience. It shouldn't be necessary to reformat. It would be a good idea to back up your data. We get a lot of people who have bugs and this problem can be solved. It is more unusual to have delay times of 15 minutes to load a program, and while I was thinking these two were related and they may still be, they may also be two different problems.

    I had to go all the way back to the beginning of your thread, because I realized I still have not seen a combofix log. You have some files in one of your temp folders that have to be removed. Let's start there:

    Please go to C:\Documents and Settings\HP_Administrator\Local Settings\Temp\
    open the folder and delete the contents. If you can't delete them all at once, do a few at a time. Delete everything which Windows allows you to delete.

    Then I want you to run CCleaner at the default setting with the Windows tab as the one on top. (In other words, double-click on the CCleaner icon and when it opens, click on Start Cleaner).

    Then, since Combofix is not running correctly I want you to do a couple of different things. Go to Using SDFix and follow the instructions. See if you can get it to run.

    Then I want you to reinstall Combofix over the old one and then try and run it again. See if it runs any differently. To do this go to ComboFix

    Finally, I would like for you to run two online scans which require Internet Explorer with Active X enabled. The instructions for these are at the following links. Please follow the instructions for each carefully so that we can get a log we can use.

    Running BitDefender Online Scan

    Running Panda Active Scan


    Let me know if you're able to do any of these things and post any logs you get.
    Thanks.
    abri
     
  12. E-squared

    E-squared Private E-2

    deleted files out of Temp.
    ran Ccleaner.
    ran SDFix, but it seems to hang. gets to the point that it says "Checking Running Processes and Services" but then just stays there for at least 20-30 min so far. I would assume it wouldn't take that long before completing to let me restart out of safe mode?

    I don't know if I'm going to be able to run those on-line scans either because so far I haven't been able to bring Firefox up at all lately. IE might work, I'll try that.

    So not sure if I should bother with ComboFix again or not at this point.
     
  13. abri

    abri MajorGeek

    Hi E-squared,

    1) I should have asked you to run a rootkit scan right away. Please go to Alternate Scans, scroll about halfway down the page to where it lists Rootkit Scans and follow the instructions for Running GMER and for the BitDefender Rootkit.

    Then I would also like for you to do a registry search for sysrest. For that please do the following:


    2) Next please download Registry Search (see the link titled RegSearch Download Link )

    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter sysrest in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.

    Please attach the results of all three of these when you're finished.

    Thanks.
    abri
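    Step 2 above uses RegSearch to look through the registry for every place the string "sysrest" appears, in key paths, value names or value data. The following is an added example, not code from the thread, from abri, or from the RegSearch tool: it performs the same kind of case-insensitive search, but over an exported .reg text file so it runs on any system without touching a live registry. The sample export, the Run value and service entry in it, and the names `parse_reg_export`, `search_reg_export` and `format_report` are all constructed for this illustration.

```python
"""Search a Windows registry export (.reg text) for a string, in the spirit of
what RegSearch does against the live registry.

Added example, not part of the thread or of the RegSearch tool. It works on an
exported .reg file so it runs anywhere; the sample export below is constructed
for this illustration and only mirrors the kind of entries discussed in the
thread (a Run value and a service pointing at sysrest32.exe).
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample export; not taken from any real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_06\\bin\\jusched.exe\""
"sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SampleSvc]
"ImagePath"="C:\\WINDOWS\\system32\\sysrest32.exe"
"Start"=dword:00000002

[HKEY_CURRENT_USER\Software\SysRest]
@=""
"Version"=dword:00000001
"""


@dataclass
class Hit:
    key: str
    value_name: Optional[str]   # None when the key path itself matched
    data: Optional[str]
    where: str                  # "key" or "value"


def parse_reg_export(text: str) -> Iterator[Tuple[str, Optional[str], Optional[str]]]:
    """Yield (key, value_name, data); a key line yields (key, None, None)."""
    key = None
    carry = ""  # accumulates multi-line hex values that end in a backslash
    for raw in text.splitlines():
        line = carry + raw.strip()
        carry = ""
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
            continue
        if line.endswith("\\"):
            carry = line[:-1]
            continue
        if key is None:
            continue
        # Value lines look like "name"=data or @=data (the default value).
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        yield key, name, data


def search_reg_export(text: str, needle: str) -> List[Hit]:
    """Case-insensitive substring search over key paths, value names and value data."""
    n = needle.lower()
    hits: List[Hit] = []
    for key, name, data in parse_reg_export(text):
        if name is None:
            if n in key.lower():
                hits.append(Hit(key, None, None, "key"))
        elif n in name.lower() or n in data.lower():
            hits.append(Hit(key, name, data, "value"))
    return hits


def format_report(hits: List[Hit], needle: str) -> str:
    """Render the hits in a .reg-like [key] / "name"=data layout."""
    lines = [f'; Search for "{needle}": {len(hits)} hit(s)', ""]
    for h in hits:
        lines.append(f"[{h.key}]")
        if h.where == "value":
            lines.append(f'"{h.value_name}"={h.data}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(search_reg_export(SAMPLE_REG, "sysrest"), "sysrest"))
```

    On the sample export the search reports three places: the Run value, the service ImagePath whose data points at the file, and a key whose own name contains the string. Matching on value data as well as names is what catches the second of these, which is why a search for the file name rather than only the Run value name is worth doing after a tool like SDFix has removed the file itself.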
     
  14. E-squared

    E-squared Private E-2

    ok, hold on. I fired off SDFix one more time and came back and it looks like it actually is completing. just restarted and it is finishing.

    sorry, now what order should I do from here?
    GMER
    BitDefender Rootscan
    Registry search
    then combofix again?
    then Panda

    I kinda got confused on the overall order to do them at this point.
    thanks!
    E
     
  15. E-squared

    E-squared Private E-2

    ok, here is the SDFix scan log file.

    what next?
    thx
     

    Attached Files:

  16. abri

    abri MajorGeek

    Thanks E-squared!

    The SDFix deleted sysrest which is what I'm trying to get rid of. Please do the regsearch next and see if there are any instances left of it in your registry?

    Thanks.
    abri
     
  17. E-squared

    E-squared Private E-2

    ran regsearch and log is attached.
    looks like it didn't find it anywhere else
    E
     

    Attached Files:

  18. abri

    abri MajorGeek

    Hi E-squared,

    Is it still taking you 15 minutes to do things? If so, please do a test of your physical drive before you continue with scans for malware. To do this test, click on Start / My Computer, then right-click on the C drive and select properties. Select the tools tab and in the top box there's a place to check the disk for errors. Click on that option and allow it to run. If it finds errors, it will attempt to correct them.

    Then, if you are still having problems with speed, please continue with Running GMER to detect rootkits

    Let me know how this goes?
    abri
     
  19. E-squared

    E-squared Private E-2

    things are faster now. I don't know at what point it got faster, it seemed to be somewhat incremental maybe? I don't believe it is as fast as it used to be for some things. But definitely usable compared to before.

    I did the physical drive test, although it took a long time and I didn't see if it actually found/fixed anything.

    should I still do GMER? probably can't hurt right?
    E
     
  20. E-squared

    E-squared Private E-2

    Here are some relative timing numbers just so you know my system isn't running at normal speeds. Microsoft Outlook takes about 30sec-1min to open. Firefox won't open at all for some reason. Internet Exploder starts to come up in about 1 min, but takes about 5 min to completely be operational. It seems to take a very long time to load any webpage.
    E
     
  21. abri

    abri MajorGeek

    Right, it can't hurt and if you have the time to run it, I'd be curious if anything shows up in it.
     
