computer always freezing

Discussion in 'Malware Help (A Specialist Will Reply)' started by ucdawg12, Jul 5, 2009.

  1. ucdawg12

    ucdawg12 Private E-2

    so last night, for no reason i can think of, my pc started to freeze up every time i'd try to use it. it would get to the desktop and wait between 2-40 minutes before freezing up. it has done the same thing in safe mode with networking but not in the plain safe mode. i have gone through all the tests and scans and stuff now and would really appreciate some help. not much was found. i couldn't get a good report from RootRepeal because my PC would freeze before it would finish. I would see that it found 12 hidden files and that one was like windows\temp\hlktmp and then a few in my local settings that were all the same large random letter directory, something like \eqedfvcbsyhgs_dfswhn\, there were 4 of those, then a hiberfl.sys one in my C:\, which made up 6 of the 12 it found but by the time it found the last 6, the list display part had frozen with the rest of my computer though the scanner did not (the buttons did) i tried running this scan in safe mode but it found nothing. i think its malware though because it doesnt freeze in safe mode.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome to the forums. We are currently reviewing your logs and will get back to you with a set of instructions as soon as we can.

    Thanks for your patience during this time.
    Kes
     
  3. ucdawg12

    ucdawg12 Private E-2

    i know it's against the rules to bump and i have been debating doing this the whole day but i wouldn't be doing this if i didn't think that this thread had been forgotten as i have seen a lot of threads made a few days after this one receiving attention. i am not trying to be obnoxious but i don't know how long to wait.

    i had gotten some updates after my first post but i didn't want to bump it then and get in trouble but i might as well include them in this bump. i have now gotten rootrepeal logs. i hadn't touched this pc all week, but yesterday i did a few more scans with newer definitions and SAS picked up something called PEV.exe, and the Malwarebytes one picked up 2 registry keys that had disabled security functions. These were things they both missed during the scan a week ago. If you want these logs I can post them too.

    Also I have noticed this computer only freezes when it's connected to the internet. It will run fine if there's no cable connected, but with a connection it does freeze.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hadn't forgotten you.. I had been away for the weekend :)

    Please download the below:

    GMER's MBR.exe
    • Double click on the MBR.exe file to run it.
    • A log will be produced & saved to the desktop, called MBR.log.
    • Attach this log to your next message.

    1. FYI:

    Ad-Aware is not as effective as SUPERAntiSpyware and Malwarebytes that we had you install. So we suggest that you uninstall Ad-Aware (unless you purchased it) to avoid wasting any system resources on it.


    2. Now we need to use ComboFix to remove a bunch of malware files.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    File::
    C:\WINDOWS\system32\99D888
    C:\WINDOWS\system32\butenufu
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}]
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3.Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix and GMER

    5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  5. ucdawg12

    ucdawg12 Private E-2

    thank you so much i appreciate this. my windows\temp folder was pretty empty, but there were 2 files from older dates that i could not delete, i have lost the names because my computer froze again when in process of typing this out but they were from 7/5 and 7/11 and had $$ in their names and extensions and when i tried to delete them they said they were being used, and my unlocker said services.exe was using them. i kept getting a bunch of errors from the MGtools command prompt that I ignored, I'm not sure if that was malware or not.

    edit:sorry forgot to upload logs
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. We need to do the below:

    1... Please ensure all your protection software IE: anti-virus and anti spyware is disabled/shut down before we continue on...

    2... Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    3... Run the new MGTools.exe and attach the log it generates into your next reply.

    4...Download Dr.Web CureIt and save it to your desktop.
    • Doubleclick the cureit-beta.exe file and allow to run
    • If it prompts you about getting any updates, get the update and then rerun the cureit-beta.exe installation.
    • When it finishes you will have a green window with a Start and an Update selection. Click Start
    • the Express Scan of your PC window will come up. Click OK to scan main memory to detect infected process in memory.
    • If anything is found in memory, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • You may see a popup window to Buy or get a discount on the program. Just click the X at the top right to close this popup. The scan will continue.
    • Once the short scan is completed, click the Custom Scan radio button. Then Select each of your hard disk drives (that is if you have more than one). A red dot shows which drives have been chosen.
    • Click the green arrow at the right under the Dr.Web logo, and the scan will start.
    • Click 'Yes to all' if it finds any problems and asks if you want to cure or move the file.
    • When the scan has finished, look if you can click next icon next to the files found:
      http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
    • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
      http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
    • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! This is necessary because there could be files in use that will be moved or deleted during reboot.
    • After reboot, rename the DrWeb.csv file to DrWeb.txt so that it can be uploaded here and then attach the log from Dr.Web to your next reply

    Thanks
    Kestrel13!
     
  7. ucdawg12

    ucdawg12 Private E-2

    thanks again, Dr Web found a few new things but my PC is still freezing. MGTools took forever this time, with a bunch of errors and then a huge list of items that it couldn't either read or access because something else was already accessing it
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    GMER's MBR.exe
    • Double click on the MBR.exe file to run it.
    • A log will be produced & saved to the desktop, called MBR.log.
    • Attach this log to your next message.

    Now delete the current mbr.log file and then run the below instructions.
    Click Start > Run and copy & paste the following text in the code box into the Run box and then click OK. You must copy and paste or type in this exactly. The quotes must be exactly as shown and there is a space before the -f
    Code:
    
         "%userprofile%\desktop\mbr.exe" -f
    
    Now double click on the mbr.exe file and attach the new mbr.log

    Now use windows explorer to look for and if present delete:
    C:\WINDOWS\Temp\$$$dq3e
    C:\WINDOWS\Temp\$$yt7.$$
    C:\WINDOWS\Temp\$67we.$

    Clean out all that you can from that folder.

    Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    Now run the new MGTools.exe and attach the C:\mglogs.zip that it generates into your next reply.

    Thanks
    Kes
     
  9. ucdawg12

    ucdawg12 Private E-2

    here you go. i did all three MBR's (1 regular, 2 then through the run box and 3 then regular again) and they all came out the same but i'll upload them all anyway.

    er actually, the forum won't let me upload them because they are the same as the one that's already been uploaded
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Please reboot with the XP CD and get into the recovery console....once there, type fixmbr and then hit enter.

    Next...

    2. Now reboot your machine.

    3. Go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    4. Run the new MGTools.exe and attach the C:\MGlogs.zip that it generates into your next reply.

    5. Also watch out for any error messages other than those mentioned in the Using MGtools link and let me know about those if you receive any.

    Thanks
    Kes13!
     
  11. ucdawg12

    ucdawg12 Private E-2

    i can't get to the windows recovery console mode because i get a blue screen error every time i try to boot it up that way. but, the way i installed the recovery console, i did it from my i386 folder on my pc because i don't have an xp disc but it gave me an error that "Setup cannot continue because the version of Windows on your computer is newer than the version on the CD." but it did actually continue and it was installed and i had no errors from there but maybe thats why this is crashing?

    edit: oh i forgot to mention earlier that i couldn't delete these files:
    C:\WINDOWS\Temp\$$$dq3e
    C:\WINDOWS\Temp\$$yt7.$$
    C:\WINDOWS\Temp\$67we.$
    because it said they're being used by another person or program
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi :)

    Could you please follow the instructions in the ComboFix procedure for downloading and installing the Recovery Console properly and if that works, to retry booting to the RC and running fixmbr.

    If you cannot do the above, you need to borrow a CD from someone so they can do this.

    Thanks
    Kes
     
  13. ucdawg12

    ucdawg12 Private E-2

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please follow what is in the ComboFix procedure we gave in the READ & RUN ME for running ComboFix. It explains how to install the RC which also refers to the above link and tells you exactly what to use.

    Thanks
    Kes
     
  15. ucdawg12

    ucdawg12 Private E-2

    i already did that and i'm still getting blue screens trying to enter the RC. I've found that i can make an XP cd from my /i386/ folder, so i'm going to grab a blank cd while I'm out today and hopefully this gets me into the RC successfully
     
  16. ucdawg12

    ucdawg12 Private E-2

    wow this is maddening. so, my PC came with XP preinstalled, and didn't have a disk, but it came with the installation software in the i386 folder and i learned i could make a xp cd from that. but i wasn't able to create an XP cd from my i386 folder because it was too big to fit on a cd, it's 1.2gb, so i made a dvd instead. but my bios will not let me boot from my dvd drive, only my cd drive. and i continue to get blue screens in spite of installing RC the ComboFix way and doing that CHKDSK /F thing. I am at a complete loss here as it seems like whatever this problem is it is always one step ahead of me
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You cannot make a bootable copy of Windows by just copying the files in the i386 folder onto a CD/DVD. You need to follow special procedures to make a CD bootable and to get the Windows XP SP level desired on it. To get a Win XP SP3 bootable CD, you already need a Win XP SP2 bootable CD. The below procedure explains how to slipstream a Win XP SP3 CD

    http://www.winsupersite.com/showcase/xpsp3_slipstream.asp
     
  18. ucdawg12

    ucdawg12 Private E-2

    i know. i didn't just copy the files onto a dvd, i went through a procedure with a boot image and all. and it didn't matter cause my bios doesnt let me boot from a dvd. anyway, like i said i don't have the cd. i sent an email to my dad to see if he has one lying around that he can send to me and he's still looking. but if he does find one, wouldn't that work fine to boot off of and get into the RC? would i actually need to even do the slipstream stuff?
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You need to read this:

    Yes you can use your father's CD to just get to the Recovery Console, but if you father's Windows XP CD is not an SP3 CD and it is not for the same version of XP, you should not use it for anything else (like running sfc)

    You may be better off now to work this out in the Software Forum if you need any help in slipstreaming or burning a CD...etc. We can only help you with malware and already stated you need to get to the Recovery Console to run fixmbr. Until you have a Windows XP CD, we cannot help you anymore unless you want to try using Radix as I hinted at earlier to fix your MBR.

    Best of luck and sorry we can't be of more assistance in this forum. :)

    Kes and the team
     
  20. ucdawg12

    ucdawg12 Private E-2

    hm so do you mean that if I used an XP cd that isn't for my specific edition, i shouldn't do fixmbr? also i found a guide to making a bootable cd out of i386 http://www.howtohaven.com/system/createwindowssetupdisk.shtml but it was too big for a cd

    what is radix? im not sure where you hinted at it but if i havent already tried it i definitely would if it could help
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use Radix to try and fix your MBR

    Radix Rootkit Detection Tool

    • Right click on your Desktop and select New and then Folder to create a new folder on your Desktop. Name the folder Radix.
    • Download Radix from usec.at. Scroll down to the bottom of the page and click the Download Radix icon. Save it to your Desktop in the new Radix folder just created.
    • Unzip the archive into this Radix folder you created.
    • Run the program by double-clicking the radixgui.exe.
    • Click Yes to accept the license agreement.

    • Click on the MBR tab
    • Hit the "Check" button at the bottom left of the screen
    • Once it has run a check look towards bottom right of screen and choose to "save log"
    • Attach this log into your next reply.
     
  22. ucdawg12

    ucdawg12 Private E-2

    i had run radix normally, via the instructions in the thread about it just before i saw your reply and it found quite a few things outside the MBR. I ran that scan too just now. I had to zip the second log (the normal Radix one) because it was too big to be uploaded as a txt file
     

    Attached Files:

  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there :)

    Please double open up Radix > hit MBR tab > click check > once finished > hit fix > and save log which you will need to attach here into your next reply. Let me know of any problems you encounter throughout doing this.

    Thanks
    Kes13!
     
  24. ucdawg12

    ucdawg12 Private E-2

    what do you mean by double open radix? i opened two up but i don't know if thats what you mean. did what you said, it gave me the same message as last time and said

    "MBR seems to be OK.(However it's not a standard Windows MBR that I know)
    "

    And "Fix" was greyed out so I couldn't click it. The forum won't let me upload the log since its the same as the last one I uploaded, "radixmbr.log" in my previous post
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You must make a backup of all your important data and personal files now! Copy them to cd. Do not copy any exe files or programs.

    When you open Radix, do you have a restore button?
     
  26. ucdawg12

    ucdawg12 Private E-2

    my dad did just find an xp cd and is planning on sending it to me. do i still need it? i do have a restore button on radix, but only after i do a check on the MBR. so i guess it sounds like a virus? any idea what it is? im backing up data as we speak
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you have your data files backed up, then re-run Radix...then clicking the Restore button will bring up a form showing the win2kxp.mbr and winvista.mbr files that Radix already has saved copies of. Of course choose the proper file and let it run.

    Then attach the resultant log.
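The two Radix operations used in this part of the thread (check whether the boot code is a known Windows MBR, then restore the boot code from a saved copy while leaving the partition table and disk signature alone) are shown below as an added Python example. This is not code from the thread or from the Radix tool; the 512-byte sample sectors, the "known-good" boot code and its hash are constructed for the demonstration and are not real Windows boot code, and the function names are hypothetical.

```python
import hashlib
import struct

# MBR layout (offsets in bytes) for a classic 512-byte master boot record.
SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # 0..439: boot code, the part a bootkit overwrites
DISK_SIG_OFF = 440       # 440..443: NT disk signature, 444..445 reserved
PART_TABLE_OFF = 446     # 446..509: four 16-byte partition entries
BOOT_SIG_OFF = 510       # 510..511: 0x55 0xAA
PART_ENTRY_FMT = "<B3xB3xII"   # status, skip CHS start, type, skip CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code, disk signature and decoded partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack(PART_ENTRY_FMT, entry)
        if ptype != 0:   # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4],
            "partitions": partitions}


def check_boot_code(sector: bytes, known_hashes: set) -> str:
    """Compare the boot-code region against a whitelist of known loader hashes.

    Mirrors the 'MBR seems to be OK / not a standard Windows MBR' verdict:
    a valid sector whose boot code is not on the list is reported as UNKNOWN,
    which is the condition that warranted a restore in the thread.
    """
    digest = hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()
    return "OK" if digest in known_hashes else "UNKNOWN"


def restore_boot_code(current: bytes, backup: bytes) -> bytes:
    """Build a repaired MBR: boot code from the backup, everything else from disk.

    Only bytes 0..439 are replaced; the disk signature and partition table of
    the live disk are kept, so other partitions (e.g. a D: drive) are untouched.
    """
    parse_mbr(current)  # validate before touching anything
    return (backup[:BOOT_CODE_LEN]
            + current[BOOT_CODE_LEN:BOOT_SIG_OFF]
            + b"\x55\xAA")


def build_mbr(boot_code: bytes, disk_sig: bytes, entries: list) -> bytes:
    """Helper to construct a sample sector (for the demonstration only)."""
    table = b"".join(struct.pack(PART_ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN] + disk_sig + b"\x00\x00" + table + b"\x55\xAA"


# Constructed sample data: a stand-in "known-good" loader, one bootable NTFS partition,
# and an "infected" sector where the first bytes of the boot code were replaced.
GOOD_BOOT = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB]) + b"\x90" * 24
ENTRIES = [(0x80, 0x07, 63, 1_000_000)]          # status, type, LBA start, sector count
CLEAN_MBR = build_mbr(GOOD_BOOT, b"\x11\x22\x33\x44", ENTRIES)
INFECTED_MBR = build_mbr(b"\xEB\xFE" + GOOD_BOOT[2:], b"\x11\x22\x33\x44", ENTRIES)
# The whitelist is derived from the constructed sample, not from a real Windows MBR hash.
KNOWN_HASHES = {hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()}


def demo() -> dict:
    """Run check -> restore -> re-check and return the verdicts for inspection."""
    restored = restore_boot_code(INFECTED_MBR, CLEAN_MBR)
    return {"before": check_boot_code(INFECTED_MBR, KNOWN_HASHES),
            "after": check_boot_code(restored, KNOWN_HASHES),
            "partitions_kept": parse_mbr(restored)["partitions"] == parse_mbr(INFECTED_MBR)["partitions"]}


if __name__ == "__main__":
    print(demo())
```

On a real machine the 512 bytes would be read from the physical drive (the tools in the thread do this themselves); the point of the example is that a valid signature and intact partition table say nothing about the boot code, which is why a hash comparison against known loaders is the meaningful check and why a restore must replace only that region.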
     
  28. ucdawg12

    ucdawg12 Private E-2

    im about halfway through backing stuff up, but a question, cause this would make it much easier, is radix going to affect any other harddrive but my c:\? i have a d:\ hard drive that would be much easier to use to backup rather than burning all these dvds
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    All it will fix is your MBR...which is only on the C drive......back up to the d. :)
     
  30. ucdawg12

    ucdawg12 Private E-2

    cool, all went well, no problems. the log contains when i restored the mbr and also when i checked the MBR right after that
     

    Attached Files:

  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good, now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  32. ucdawg12

    ucdawg12 Private E-2

    here it is
     

    Attached Files:

  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One more time....Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\Temp\$$$dq3e       
    C:\WINDOWS\Temp\$$yt7.$$     
    C:\WINDOWS\Temp\$67we.$       
    C:\WINDOWS\Temp\hlktmp       
    C:\WINDOWS\Temp\MCE00000
    C:\WINDOWS\Temp\MCE00001      
    C:\WINDOWS\Temp\MCE00002      
    C:\WINDOWS\Temp\xsw2
    C:\Documents and Settings\ucdawg12\Local Settings\temp\afl.log      
    C:\Documents and Settings\ucdawg12\Local Settings\temp\alm.log       
    C:\Documents and Settings\ucdawg12\Local Settings\temp\amt.log
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  34. ucdawg12

    ucdawg12 Private E-2

    wow, combofix with that script definitely got rid of something because this time mgtools ran without a single hitch. usually i get a bunch of error pop ups and then a huge string of lines saying that it cant access certain files cause they're in use but none of that at all this time.
     

    Attached Files:

  35. ucdawg12

    ucdawg12 Private E-2

    ugh sorry i realized i didnt get all the files you put in that quote box so i went back and redid combofix and got them this time. i ran mgtools again and i did get a few errors this time and it took much longer than the last one. not sure what the difference was. maybe because i had forgotten to turn mcafee back on before i did mgtools this time
     

    Attached Files:

  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This isn't good......let's try using Avenger.

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  37. ucdawg12

    ucdawg12 Private E-2

    looks like avenger deleted them but they came right back. i also checked my MBR again cause I was suspicious it's still involved and Radix is back to saying it's ok but its an MBR its not familiar with after I had fixed it earlier. edit: i tried to upload that radix log but an identical one has already been uploaded in this thread
     

    Attached Files:

  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The fact that these temp files will not delete means you still have an MBR infection.

    The instructions for fixing the MBR for a Dell are here (It involves burning a Dell Utility to a CD and booting from it). Making the CD can be done from another machine.

    http://support.ap.dell.com/support/t...=my&l=en&s=gen
     
  39. ucdawg12

    ucdawg12 Private E-2

    okay, i've made the cd and used it to repair the mbr. those files are still there and radix is still showing that its not familiar with my MBR
     
  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If that did not work....then I suggest that you reformat that drive and do a clean install. :(
     
  41. ucdawg12

    ucdawg12 Private E-2

    ah okay. that's too bad. thanks for your help. is there a guide on this site as to how i should go about reformatting and what i'll need to do it and the clean install?

    edit: will reformatting fix an mbr? i'm reading an article that says it won't help http://www.cyberwalker.com/article/474
     
    Last edited: Aug 9, 2009
  42. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can post in the software forum....but it is just a matter of setting your cd to be the first boot device in the bios, booting to the xp cd and then following the prompts....you will want to only format the c drive if you have more than one partition and then install on that partition.
     
