Computer Problems, Trying to Ensure not Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by dabluebery, Sep 15, 2011.

  1. dabluebery

    dabluebery Private E-2

    Good evening. My computer is having a lot of trouble running very slowly, and with random BSOD crashes. I figured I would start with the malware possibilities before exploring the likelihood of a windows or hardware problem.

I ran the FAQ instructions on my Windows 7 64-bit OS without fail except for Combofix, which would not run at all. While it was extracting files after I ran the EXE file, it caused consistent BSOD crashes referencing "procexp113.sys".

The computer is sluggish and sometimes choppy: things like typing on the screen sometimes lag, video doesn't refresh like I expect it to, and the random BSODs happen under basically all scenarios, including at idle running no programs. I should note that the BSOD screens freeze themselves and don't reboot the machine, meaning that any of the logs Windows would write to report the minidumps never get written. Some direction would be appreciated.

It looks as though the SAS log found some files that it had quarantined a few years ago on a different machine when I copied my files; I really don't think those files were causing any trouble.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi dabluebery,

Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
• When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :files
      xcopy %Temp%\smtmp\1 "%allusersprofile%\Start Menu" /H /I /S /Y /C
      xcopy %Temp%\smtmp\2 "%userprofile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
      xcopy %Temp%\smtmp\3 "%appdata%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
      xcopy %Temp%\smtmp\4 "%allusersprofile%\Desktop" /H /I /S /Y /C
      C:\Users\Rob Desktop\AppData\Local\Temp1.html
      C:\Users\Rob Desktop\AppData\Local\Temp5.html
      C:\EbuDllTmpDir
      C:\Users\Rob Desktop\Local Settings\TEMP\_unps.exe
      :commands
      [purity]
      [createrestorepoint]
      [emptytemp]
      [emptyflash]

    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

Now we need to run TDSSKiller by Kaspersky.
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under the download icon.
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

Now retry running ComboFix.exe.
    If it still does not work, continue to the below step.


Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator).
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
  3. dabluebery

    dabluebery Private E-2

    OTL was successful, with logs attached as requested.

    TDSSKiller was unsuccessful, even when renamed to XXXXX.com as suggested, as it caused consecutive BSOD crashes while extracting, referencing what seem to be random driver names:

    99780677.sys, 42133397.sys, 13530579.sys

    Thank you.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Ok, continue with the rest of the instructions (MBRCheck, ComboFix, GetLogs.bat) and attach those logs as well.
     
  5. dabluebery

    dabluebery Private E-2

Two additional logs attached. Combofix is still giving BSOD crashes referencing procexp113.sys.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    For the remainder of this removal procedure, leave your external hard drive unplugged. I want to see if you still get BSODs without it plugged in. Has it been plugged in this entire time by the way?

Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
• When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    • Please note that I am also deleting ComboFix and TDSSKiller so you may attempt to download and run them again.
      Code:
      :otl
      O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O3:64bit: - HKCU\..\Toolbar\WebBrowser - No CLSID value found.
      O4 - HKLM..\Run: []  File not found
      [2011/09/14 23:39:10 | 000,000,000 | ---D | C] -- C:\Qoobox
      [2011/09/14 23:38:37 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
      [2011/09/14 21:04:39 | 004,209,769 | R--- | C] (Swearware) -- C:\Users\Rob Desktop\Desktop\ComboFix.exe
      :services
      13530579
      42133397
      99780677
      :files
      C:\Windows\SysNative\drivers\13530579.sys
      C:\Windows\SysNative\drivers\42133397.sys
      C:\Windows\SysNative\drivers\99780677.sys
      C:\Windows\system32\drivers\13530579.sys
      C:\Windows\system32\drivers\42133397.sys
      C:\Windows\system32\drivers\99780677.sys
      C:\Users\Rob Desktop\Desktop\55654.com
      C:\Users\Rob Desktop\Local Settings\TEMP\DIO15D2.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\DIO2001.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\DIO2EE.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\DIO4185.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\DIO425F.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\DIO4404.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\DIO56B9.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\DIO59D.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\DIO8D16.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\DIO906.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\DIOE3AC.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\ge2312
      C:\Users\Rob Desktop\Local Settings\TEMP\ge4092
      C:\Users\Rob Desktop\Local Settings\TEMP\ge4348
      C:\Users\Rob Desktop\Local Settings\TEMP\ge4816
      C:\Users\Rob Desktop\Local Settings\TEMP\~PI89F6.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\~PI8A93.tmp
      C:\Users\Rob Desktop\Local Settings\TEMP\~PI8CC7.tmp
      dir c:\windows\minidump /c
      :reg
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
      "Userinit"="c:\windows\system32\userinit.exe,"
      :commands
      [purity]
      [createrestorepoint]
      [emptytemp]
      [emptyflash]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

Now we need to run TDSSKiller by Kaspersky.
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

Now retry running ComboFix.exe.
    If it still does not work, continue to the below step.

Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator).
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
    Last edited: Sep 17, 2011
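An added PowerShell triage script, not part of this thread or of any tool it names, that reads out the two things the posts above turn on: the CrashControl settings that decide whether a frozen BSOD ever writes a minidump, and any kernel-driver service whose binary is an all-digit *.sys like the 13530579.sys / 42133397.sys / 99780677.sys names reported above. It assumes an elevated prompt on the affected Windows 7 machine and only reads; the digit-only name pattern is taken from this thread, not from any vendor signature.

```powershell
# Added triage script (not from the thread). Read-only; run from an elevated
# PowerShell prompt on the affected machine.
# 1) Shows why a frozen BSOD may leave no minidump (CrashControl settings).
# 2) Lists kernel-driver services whose binary is an all-digit *.sys, the
#    naming pattern of 13530579.sys / 42133397.sys / 99780677.sys above.
# Caveat: a kernel rootkit can hide its own service key and file from this
# view; a clean result here does not replace TDSSKiller, MBRCheck or ComboFix.

$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
[pscustomobject]@{
    CrashDumpEnabled = $cc.CrashDumpEnabled  # 0 none, 1 complete, 2 kernel, 3 small (minidump)
    AutoReboot       = $cc.AutoReboot        # 0 = stay frozen on the blue screen, as reported above
    MinidumpDir      = $cc.MinidumpDir       # normally %SystemRoot%\Minidump
} | Format-List

$miniDir = [Environment]::ExpandEnvironmentVariables([string]$cc.MinidumpDir)
if (-not $miniDir) { $miniDir = Join-Path $env:SystemRoot 'Minidump' }
Get-ChildItem -Path $miniDir -Filter *.dmp -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime, Length | Format-Table -AutoSize

function Resolve-DriverPath([string]$imagePath) {
    # Service ImagePath values use NT-style prefixes; map them to a Win32 path.
    $p = $imagePath -replace '^\\\?\?\\', ''            # \??\C:\x.sys   -> C:\x.sys
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\..  -> C:\Windows\..
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # bare system32\..
    return $p
}

$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
$suspect = foreach ($key in $services) {
    $svc = Get-ItemProperty -LiteralPath $key.PSPath
    if ($svc.Type -ne 1 -or -not $svc.ImagePath) { continue }   # Type 1 = kernel driver
    $file = Resolve-DriverPath $svc.ImagePath
    if ([IO.Path]::GetFileNameWithoutExtension($file) -notmatch '^\d{6,}$') { continue }
    $onDisk = Test-Path -LiteralPath $file
    $sig = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $file).Status } else { 'missing' }
    [pscustomobject]@{
        Service   = $key.PSChildName
        Start     = $svc.Start       # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        Path      = $file
        OnDisk    = $onDisk
        Signature = $sig             # anything but 'Valid' on a boot/system driver deserves a look
    }
}
if ($suspect) { $suspect | Format-Table -AutoSize }
else { 'No kernel driver service with an all-digit binary name was found.' }
```

Each reported service maps to one of the :services and :files entries in the OTL script above, so the output is a way to confirm the fix took effect after the reboot.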
  7. dabluebery

    dabluebery Private E-2

    The flash drive has been connected from the beginning of your fixes, at least.

    The OTL program seems to be hanging (not responding) with the first line of code in the status bar at the bottom.

    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
     
  8. thisisu

    thisisu Malware Consultant

    How long have you waited?
    Reboot your PC and try it again in Normal Mode
    If it still hangs for more than 20 minutes, reboot and try it in Safe Mode.
     
  9. thisisu

    thisisu Malware Consultant

    If you still have trouble, see if the below helps out at all:

Please download RKill by Grinler to your desktop.
    RKill is an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.

RKill can be downloaded from the following locations. Please note that the other filenames below are RKill as well, just renamed in order to allow it to run past certain malware.
    Note: You only need to get one of them to run, not all of them.

    RKill.com Download Link
    RKill.exe Download Link
    RKill.scr Download Link
    eXplorer.exe Download Link - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.
    iExplore.exe Download Link
    WiNlOgOn.exe Download Link
    uSeRiNiT.exe Download Link

    Once you get one of these to run properly and a log shows up at the end, immediately try continuing with the steps I have outlined here.
     
