Computer freeze-up -- malware?

Discussion in 'Malware Help (A Specialist Will Reply)' started by steppat, Feb 18, 2007.

  1. steppat

    steppat Private E-2

    Dear all,

    Hello to everyone! I'm absolutely new and already totally desperate. I do very much hope you can help me out, as my computer (laptop) is freezing up. It has become increasingly worse over the last couple of days, and by now programmes and especially websites freeze every couple of seconds. I have done everything (I hope) you recommended and will try and attach all the files with this and the next message.

    My heartfelt thanks already for taking the time and looking at them -- I very much appreciate this!

    Kirsten
     

    Attached Files:

  2. steppat

    steppat Private E-2

    The second half... Sorry, this is taking ages, as nothing is really working anymore.

    Thanks very much once again.

    Kirsten
     

    Attached Files:

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have several infected emails. Look at your BitDefender log to find out which ones are infected.

    You should replace Netscape. Netscape is a seriously out-of-date browser and is vulnerable to several exploits.

    You have both Norman and Sophos Anti-Virus programs installed on your computer. You only need one. Having more than one resident antivirus application on your computer will cause problems. They will interfere with each other and create conflicts, causing system performance to suffer. Pick one and uninstall the other.

    Download
    - Pocket Killbox

    Follow the directions for Running HostsXpert (formerly Hoster)

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post the following fresh logs.
    1. CounterSpy
    2. ShowNew
    3. GetRunKey
    4. HijackThis
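Worked example, added here by the editor and not part of Shadow_Puter_Dude's post: the "Delete on Reboot" step in Killbox, and the PendingFileRenameOperations prompt the instructions ask about, both come down to one registry value that Windows uses to delete or move files that are locked while the system is running. The script shows the exact layout of that REG_MULTI_SZ value, builds one for a list of files and decodes it back, so you can see what a scheduled delete looks like and why a generic registry reader can misread it. The key path and the value format are the real ones; the file paths are constructed sample input, and nothing here touches a live registry.

```python
r"""How Windows records a "Delete on Reboot" request.

Tools such as Pocket Killbox call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT
for a file that cannot be deleted while the system is up. Windows stores each
request under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
as a REG_MULTI_SZ: pairs of strings, source path then destination, where an
empty destination means "delete". Session Manager works through the list at
the next boot, before anything can lock the file again.
"""
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"  # paths in this value carry the NT object-namespace prefix

# Constructed sample input: plausible paths, not anything from the thread's logs.
SAMPLE_DELETES = [
    r"C:\WINDOWS\system32\example.dll",
    r"C:\Documents and Settings\user\Local Settings\Temp\bad.tmp",
]
SAMPLE_RENAMES = [(r"C:\temp\new.exe", r"C:\Program Files\App\app.exe")]


def build_pending_ops(deletes: List[str], renames: List[Tuple[str, str]] = ()) -> List[str]:
    """Flat string list as Windows stores it: deletes and renames as src/dst pairs."""
    entries: List[str] = []
    for path in deletes:
        entries += [NT_PREFIX + path, ""]  # empty destination == delete at boot
    for src, dst in renames:
        entries += [NT_PREFIX + src, NT_PREFIX + dst]
    return entries


def to_multi_sz(entries: List[str]) -> bytes:
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, plus a final NUL."""
    return ("\0".join(entries) + "\0\0").encode("utf-16-le")


def from_multi_sz(raw: bytes) -> List[str]:
    """Split by the data length, not by "stop at the first empty string".

    A generic REG_MULTI_SZ reader treats an empty string as the end of the
    list. Here the empty strings *are* the deletes, so such a reader would
    miss every operation after the first scheduled delete.
    """
    text = raw.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ data must end with a double NUL")
    body = text[:-2]
    return body.split("\0") if body else []


def _strip_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(entries: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Pair the flat list back up; destination None means the source is deleted."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold src/dst pairs")
    return [
        (_strip_prefix(src), _strip_prefix(dst) if dst else None)
        for src, dst in zip(entries[::2], entries[1::2])
    ]


def pending_deletes(raw: bytes) -> List[str]:
    """Paths that will be removed at the next boot, from the raw value data."""
    return [src for src, dst in decode_pending_ops(from_multi_sz(raw)) if dst is None]


if __name__ == "__main__":
    raw = to_multi_sz(build_pending_ops(SAMPLE_DELETES, SAMPLE_RENAMES))
    for src, dst in decode_pending_ops(from_multi_sz(raw)):
        print(f"{src} -> {dst or '<delete>'}")
```

If Killbox reports a PendingFileRenameOperations prompt, it means this value already holds entries from an earlier run or from another program; reading it with `pending_deletes` on the exported data shows what is queued before you add more.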
     
  4. steppat

    steppat Private E-2

    Thanks! I've got as far as this:


    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.


    Unfortunately, it won't merge with the registry (name & all files correct). I suppose I can't skip this step, can I? I'd appreciate your feedback!

    Kirsten
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Just skip that step and continue with the instructions. There may be something else interfering with the registry patch.
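Added example (editor's code, not from the thread): a quick check of a hand-made .reg file before merging it. The two usual reasons regedit refuses a pasted FixReg.reg are that Notepad saved it as FixReg.reg.txt because the "All Files (*.*)" step was missed, or that the first line is not the exact "Windows Registry Editor Version 5.00" header, in which case regedit reports that the file is not a registry script. The validator below checks both, then the key and value syntax line by line, including hex data continued across lines. The sample scripts and the key and value names in them (ExampleLoader, ExampleMalware, Example) are constructed; the real FixReg.reg content from the thread is not reproduced on this page.

```python
r"""Check a hand-made .reg script before merging it.

regedit refuses a file whose first line is not exactly the
"Windows Registry Editor Version 5.00" (or legacy "REGEDIT4") header, and
Notepad saves "FixReg.reg" as "FixReg.reg.txt" unless "All Files (*.*)" is
chosen, so both are checked here together with the per-line syntax.
"""
import re
from typing import List, Tuple

REG_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
ROOTS = "HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_CLASSES_ROOT|HKEY_USERS|HKEY_CURRENT_CONFIG"
KEY_RE = re.compile(r"^\[-?(?:%s)(?:\\.+)?\]$" % ROOTS)  # [-KEY] deletes the key
QUOTED = r'"(?:[^"\\]|\\.)*"'
# Value data: "-" deletes the value; otherwise string, dword or hex(type) bytes.
_DATA = r'-|%s|dword:[0-9A-Fa-f]{8}|hex(?:\([0-9A-Fa-f]+\))?:(?:[0-9A-Fa-f]{2}(?:,[0-9A-Fa-f]{2})*)?' % QUOTED
VALUE_RE = re.compile(r'^(?:%s|@)=(?:%s)$' % (QUOTED, _DATA))


def _decode(content: bytes) -> str:
    """Notepad writes ANSI by default, or UTF-16LE / UTF-8 with a BOM if asked."""
    if content.startswith(b"\xff\xfe"):
        return content[2:].decode("utf-16-le")
    if content.startswith(b"\xef\xbb\xbf"):
        return content[3:].decode("utf-8")
    return content.decode("latin-1")


def validate_reg_script(filename: str, content: bytes) -> List[str]:
    """Return a list of problems; an empty list means regedit should accept it."""
    problems: List[str] = []
    if not filename.lower().endswith(".reg"):
        problems.append(f"{filename}: extension is not .reg (Notepad adds .txt "
                        f"unless 'All Files (*.*)' is selected)")
    lines = _decode(content).splitlines()
    has_header = bool(lines) and lines[0].strip() in REG_HEADERS
    if not has_header:
        problems.append("line 1: missing header; must be exactly "
                        "'Windows Registry Editor Version 5.00' (or 'REGEDIT4')")

    # Join hex continuation lines: a value line ending in '\' continues below.
    logical: List[Tuple[int, str]] = []
    i = 1 if has_header else 0
    while i < len(lines):
        start, text = i + 1, lines[i].rstrip()
        while text.endswith("\\") and i + 1 < len(lines):
            i += 1
            text = text[:-1] + lines[i].strip()
        if text.endswith("\\"):
            problems.append(f"line {start}: continuation '\\' with nothing after it")
            text = text[:-1]
        logical.append((start, text))
        i += 1

    in_key = False
    for lineno, text in logical:
        if not text or text.startswith(";"):  # blank line or comment
            continue
        if text.startswith("["):
            in_key = bool(KEY_RE.match(text))
            if not in_key:
                problems.append(f"line {lineno}: bad key line {text!r} "
                                f"(full root name such as HKEY_LOCAL_MACHINE required)")
            continue
        if not in_key:
            problems.append(f"line {lineno}: value outside any [key] section: {text!r}")
        elif not VALUE_RE.match(text):
            problems.append(f"line {lineno}: bad value line {text!r}")
    return problems


# Constructed samples: the key and value names are placeholders, not anything from the thread.
GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleLoader"=-

[-HKEY_CURRENT_USER\Software\ExampleMalware]

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
@="default"
"Flag"=dword:00000001
"Blob"=hex:de,ad,\
  be,ef
"""
# Saved from Notepad as "Unicode": UTF-16LE with a byte-order mark.
GOOD_REG_BYTES = b"\xff\xfe" + GOOD_REG.replace("\n", "\r\n").encode("utf-16-le")
# Header missing and file name wrong: the two classic "will not merge" mistakes.
BAD_REG_BYTES = b'[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"ExampleLoader"=-\r\n'
# Abbreviated root name: regedit needs HKEY_LOCAL_MACHINE, not HKLM.
ABBREV_REG_BYTES = b'Windows Registry Editor Version 5.00\r\n\r\n[HKLM\\Software\\Example]\r\n"A"="b"\r\n'

if __name__ == "__main__":
    for name, data in (("FixReg.reg", GOOD_REG_BYTES), ("FixReg.reg.txt", BAD_REG_BYTES)):
        print(name, validate_reg_script(name, data) or "OK")
```

Run it against the file exactly as saved (bytes, not pasted text) so the encoding and the BOM are checked the way regedit sees them.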
     
  6. steppat

    steppat Private E-2

    Right. I've followed all the steps:

    As mentioned, the FixReg.reg file wasn't accepted.

    There was no message when running Killbox.

    I couldn't find system32\i, so I hope this has been deleted by Killbox.

    I have attached the HJT & CounterSpy logs, but seem to be having problems uploading the ShowNew and GetRun ones. I'll keep on trying.

    I'm afraid the problem is still there.

    Would it make sense to download another browser now, or should I simply use the Explorer?

    I'd be totally lost -- thanks once again!
     

    Attached Files:

  7. steppat

    steppat Private E-2

    And here are the troublesome ShowNew and GetRunKey logs...
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your running processes show that Sophos is the Anti-Virus that is running. However, HijackThis shows several Norman Anti-Virus services running. Is Norman still installed?

    The installed version of Acrobat Reader on this computer is outdated. Install the current version of Adobe Acrobat Reader from: Adobe Acrobat Reader Download

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post the following fresh logs.
    1. ShowNew
    2. GetRunKey
    3. HijackThis

    Be Sure to tell me how things are running!
     
  9. steppat

    steppat Private E-2

    Thanks! I think we are really getting there.

    I have uninstalled Netscape and replaced it with Opera now -- that seems to have made quite a difference.

    I have also updated Acrobat Reader.

    I do use Sophos. Norman should no longer be installed and I cannot find it anywhere, either: it does not show up in 'search' nor in the programmes list.

    There was no message when running Killbox.

    Once again 'FixReg.reg' was not accepted, as it isn't a registry file (though it is described as such under properties).

    Nevertheless, the computer seems to be running okay now, fingers crossed.

    I have attached the three fresh logs and would very much appreciate your feedback on them. Many thanks once again.
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Download and unzip ToggleHidden.zip (attached below) to your Desktop. Double-Click on the ToggleHidden Folder locate ShowIT.bat and double-click it.

    Reboot

    Post the following fresh logs.
    1. ShowNew
    2. GetRunKey
    3. HijackThis

    Be Sure to tell me how things are running!
     

    Attached Files:

  11. steppat

    steppat Private E-2

    Everything seems to be running okay. However, I keep getting little messages by Counterspy telling me that 'the feature you are trying to use is on a network resource that is unavailable'. These can be cancelled, and I can still use it, but it is a bit disconcerting.

    Apart from that there don't seem to be any problems.

    Again, thanks!
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis, choose "Open the Misc Tools Section", choose "Process Manager", Highlight:
    Choose Kill Process. Click on the "Back" Button. Click the 'Scan' button.

    Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Reboot

    Windows Installer is running when you start the system. This could be because of a failed software installation or malware.

    Follow the directions for Using Sophos Anti-Rootkit.

    Download fresh copies of ShowNew and GetRunKey

    Post the following logs:

    1. Sophos Anti-Rootkit
    2. ShowNew
    3. GetRunKey
    4. HijackThis
     
  13. steppat

    steppat Private E-2

    Right: FixReg.reg has finally been accepted & merged. Should I delete it now?

    However, C:\WINDOWS\System32\msiexec.exe was not on the HijackThis list -- good news maybe?

    Again, there was no message/prompt when running Killbox.

    The four latest logs have been attached.

    Thank you!
     

    Attached Files:

  14. steppat

    steppat Private E-2

    And the HJT log.
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are clean. What malware issues are you having, if any?
     
  16. steppat

    steppat Private E-2

    It seems to be running okay -- I'll keep an eye on it for the next couple of days and see if anything suspicious pops up.

    Should I toggle System Restore now?



    In any case, thank you very, very much indeed for taking me through all the steps, for your time and for your feedback!

    You have been an immeasurable help -- I could never have done this on my own.
     
  17. steppat

    steppat Private E-2

    Maybe this is needless worrying, but working with the internet all day I have noticed that pages seem to load much slower than they should.

    Worrying because this is exactly how it started last time, till the entire system appeared to be freezing up. The line is okay -- I had it checked -- and I have changed the browser. Could there still be something interfering?

    Your advice would be much appreciated.
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can post new logs and I can take another look.
     
  19. steppat

    steppat Private E-2

    I was not entirely sure which logs to attach -- I hope these are the ones needed.

    Thank you for having another look.
     

    Attached Files:

  20. steppat

    steppat Private E-2

    And the GetRunKey log.
     

    Attached Files:

  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Uninstall CounterSpy

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Post a fresh HijackThis log.
     
  22. steppat

    steppat Private E-2

    I have uninstalled CounterSpy.

    I have also tried to delete the Norman files by 'Fix checked' but don't seem to be able to get rid of it -- it is still on the list, as you will see in the log.

    ???
     

    Attached Files:

  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Norman Virus Control on-access component or nvcoas (Whichever is present) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Norman Virus Control on-access component or nvcoas (Whichever you found above)

    Repeat the process for the following Services:
    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Reboot

    Post a fresh HijackThis log.
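Added example (editor's code, not from the post): the services.msc plus HijackThis "Delete an NT Service" steps above hinge on knowing the service's short name (nvcoas) when the Services window only shows the display name ("Norman Virus Control on-access component"); the same problem comes up again later in the thread for the Norman API-hooking helper (NipSvc). `sc query state= all` prints both names for every installed service, so the script parses that output, resolves either name to the other, and produces the sc.exe commands equivalent to the stop / Disabled / delete procedure. The sc output is constructed to match the services named in the thread; SAVService as the Sophos entry is an assumption, and the script only prints the commands rather than running them.

```python
"""Resolve a Windows service by either name and plan its removal with sc.exe.

services.msc shows display names ("Norman Virus Control on-access component")
while HijackThis's "Delete an NT Service" wants the short service name
(nvcoas). `sc query state= all` prints both, so parse that instead of guessing.
"""
import re
from typing import Dict, List, Optional

# Constructed output in the real `sc query` layout. nvcoas and NipSvc are the
# names given in the thread; SAVService (Sophos) is an assumed third entry.
SAMPLE_SC_QUERY = """
SERVICE_NAME: nvcoas
DISPLAY_NAME: Norman Virus Control on-access component
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: NipSvc
DISPLAY_NAME: Norman API-hooking helper
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: SAVService
DISPLAY_NAME: Sophos Anti-Virus
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

STATE_RE = re.compile(r"^STATE\s*:\s*\d+\s+([A-Z_]+)")


def parse_sc_query(output: str) -> List[Dict[str, str]]:
    """Turn `sc query` text into dicts with the short name, display name and state."""
    services: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = {"name": line.split(":", 1)[1].strip(), "display": "", "state": ""}
            services.append(current)
        elif current is None:
            continue
        elif line.startswith("DISPLAY_NAME:"):
            current["display"] = line.split(":", 1)[1].strip()
        elif line.startswith("STATE"):
            m = STATE_RE.match(line)
            if m:
                current["state"] = m.group(1)
    return services


def find_service(services: List[Dict[str, str]], needle: str) -> Optional[Dict[str, str]]:
    """Match the short name or the display name, case-insensitively."""
    key = needle.strip().lower()
    for svc in services:
        if key in (svc["name"].lower(), svc["display"].lower()):
            return svc
    return None


def removal_plan(svc: Dict[str, str]) -> List[str]:
    """sc.exe equivalents of: stop, set Start-up Type to Disabled, delete.

    sc delete only marks the service for deletion; the entry disappears once
    every handle to it is closed (close services.msc, or reboot).
    """
    name = svc["name"]
    plan: List[str] = []
    if svc["state"] != "STOPPED":
        plan.append(f'sc stop "{name}"')
    plan.append(f'sc config "{name}" start= disabled')  # sc needs the space after start=
    plan.append(f'sc delete "{name}"')
    return plan


if __name__ == "__main__":
    svcs = parse_sc_query(SAMPLE_SC_QUERY)
    for wanted in ("Norman Virus Control on-access component", "NipSvc"):
        svc = find_service(svcs, wanted)
        print(wanted, "->", svc["name"] if svc else "not found")
        if svc:
            print("\n".join("  " + cmd for cmd in removal_plan(svc)))
```

On the real machine, feed it `sc query state= all > services.txt` and check the resolved short name against the one the log shows before deleting anything; a leftover service entry whose binary is already gone is harmless until it is removed, but deleting the wrong one (the antivirus you kept, say) is not.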
     
  24. steppat

    steppat Private E-2

    The two Norman files are no longer on the list. There is, however, one called Norman API-hooking helper. Will that need to be dealt with, too?

    I have not yet toggled the system, as advised on the initial malware removal site -- would you think it a good idea to do so now?

    Thanks once again for your time and advice!
     

    Attached Files:

  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Norman API-hooking helper or NipSvc (whichever is present) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Norman API-hooking helper or NipSvc (Whichever you found above)

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work through the below link:
     
  26. steppat

    steppat Private E-2

    Everything seems to be running okay now.

    I know I am repeating myself, but: thank you very much. You were an immense help -- I really appreciate it.
     
  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.
     
