malware or hardware problem?

Discussion in 'Malware Help (A Specialist Will Reply)' started by babyyoda, Sep 12, 2009.

  1. babyyoda

    babyyoda Private E-2

    I started having problems with my PC around June 7, 2009. I was downloading some files and simultaneously updating Java and, I think, running iTunes when the problems started. Trying to restore to previous dates didn't help. I just shut it down and used my laptop because I was in denial and didn't want to deal with the issue. Later I needed to use some programs on my tower, so I ran Malware Removal on it June 26th. The symptoms are sluggishness, freezing, stop errors. It does NOT restart on its own. I've attached the logs. Combofix just sat there for about 90 minutes after running and never produced a log. It's pretty much been shut down for the last couple months. I need to face the music and get this resolved. Any help would be greatly appreciated.
    Also, it usually freezes when I'm running itunes, Zune, Studio media suite, nero, etc., and less frequently IE or firefox.
     

    Attached Files:

    Last edited: Sep 12, 2009
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are way out of date with your version of SUPERAntiSpyware.

    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.

    Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Attach the new log.

    You also did not allow MGTools.exe to run to completion. Please re-run it and allow it to finish. It will tell you when it is done. (Make sure you click on the pop up to run HJT).

    Attach the new logs for:
    SAS
    MBAM
    C:\MGLogs.zip
     
  3. babyyoda

    babyyoda Private E-2

    Thanks for taking the time to review my problem. I've attached the 3 logs you requested. I tried for about 3 hours to get MGTools to run in normal mode, but it wouldn't get past getunkey before quitting. I finally ran it in safe mode.

    Other symptoms that may or may not be relevant:
    -Windows media player always crashes immediately after open.
    -While my computer was idle and before I re-ran the programs you requested, I received a windows stop error:
    INVALID_PROCESS_DETACH_ATTEMPT
    stop: 0x00000006 (0x00000000,0x00000000,0x00000000,0x00000000)

    Again, thanks for taking your time to help!
     

    Attached Files:

    Last edited: Sep 20, 2009
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It looks like you have a MBR infection. Let's see if we can't deal with this.

    GMER's MBR.exe

    • Double click on the MBR.exe file to run it.
    • A log will be produced & saved to the desktop, called MBR.log.
    • Attach this log to your next message.


    Now delete the current mbr.log file and then run the below instructions.
    Click Start > Run and copy & paste the following text in the code box into the Run box and then click OK. You must copy and paste or type in this exactly. The quotes must be exactly as shown and there is a space before the -f.
    Code:
    
         "%userprofile%\desktop\mbr.exe" -f
    
    Now double click on the mbr.exe file and attach the new mbr.log

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\Documents and Settings\kdb\Application Data\a96475
    and
    Code:
    C:\WINDOWS\Temp\"
    $$$dq3e       Sep 20 2009       71758  "$$$dq3e"
    $$yt7.$$      Jul  5 2009       94280  "$$yt7.$$"
    $67we.$       Sep 18 2009       13230  "$67we.$"
    xsw2
    
    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
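An added example (not from this thread and not GMER's own code) of the kind of check an MBR scanner performs: parse a 512-byte master boot record, validate the 0x55AA boot signature, read the partition table, and compare the SHA-256 of the bootstrap code against a hash recorded on a known-clean system. The MBR images here are constructed sample bytes, not a real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code that an MBR rootkit overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the bootstrap code
BOOT_SIG = b"\x55\xaa"   # bytes 510..511 must hold this signature

def parse_mbr(sector):
    """Return (partition list, SHA-256 of bootstrap code) for one 512-byte MBR image."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR sector")
    partitions = []
    for i in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:           # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return partitions, hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def mbr_code_changed(sector, baseline_hash):
    """True if the bootstrap code no longer matches the hash taken when the system was clean."""
    _, current_hash = parse_mbr(sector)
    return current_hash != baseline_hash

def build_sample_mbr(boot_code):
    """Constructed sample MBR: given bootstrap bytes, one bootable NTFS partition at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIG

# Constructed inputs: a "clean" record, and one whose bootstrap code was replaced.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xe9\x00\x02")
CLEAN_HASH = parse_mbr(CLEAN_MBR)[1]   # would be recorded on a known-good machine

if __name__ == "__main__":
    # On a real Windows system (run as administrator) the first sector can be read with
    # open(r"\\.\PhysicalDrive0", "rb").read(512) and passed to these functions.
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        parts, _ = parse_mbr(image)
        print(name, "changed:", mbr_code_changed(image, CLEAN_HASH), "partitions:", parts)
```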
  5. babyyoda

    babyyoda Private E-2

    I encountered some additional issues trying to implement the fix. It will take me 3 posts to explain everything, because I have 9 attachments to share. I understood that I was supposed to have 3 mbr.log files, but I may have read that too literally. Also, I had issues implementing in normal mode, which I will explain later. So I attempted the fix twice, once in normal mode and once in safe mode; this caused me to have 8 log files to report to you. The 9th file is a MS Word doc that illustrates the error messages I encountered in normal mode. Some of the files that you had me delete keep coming back. Does this have anything to do with the RAID configuration?

    Everything worked fine until after the registry update.

    -FixME.reg executed successfully (in both normal mode and safe mode).

    -File deletion

    When I navigated to C:\Documents and Settings\kdb\
    and before I opened \application data I received an error box that said:

    "Your request cannot be completed because the service could not be found or did not respond. The service might be experiencing technical difficulties, or you may need to adjust your network settings." (I'm sending a screen shot of this in a follow-up post)

    I couldn't get to \application data unless I addressed this box. The options were "Try Again" or "Cancel". I clicked the red 'x' at the top, and the box went away. From there I was able to open \Application Data and successfully delete a96475.

    Was I supposed to delete the files in \windows\temp in a certain order? I did not delete them in the order listed, because I received an error when trying to delete $$$dq3e, $$yt7.$$, and $67we.$. For each one of these files I received an error like this:

    "Cannot delete $67we.$: It is being used by another person or program. Close any programs that might be using the file and try again."

    I have Unlocker Assistant installed which allowed me to unlock the files and delete them, but they keep coming back.

    \windows\temp\xsw2 did not give me that error.

    The problem is that xsw2, $$$dq3e, $$yt7.$$, and $67we.$ all return after a reboot, so I'm still having problems.

    -CCleaner
    Since the instructions said "clean out only temp files and nothing else", I unchecked EVERYTHING EXCEPT the option under System > Temporary Files.
    (I just reread READ & RUN ME FIRST and now think that was a bad idea :( )
    Was that correct? I noticed that when I ran it in normal mode, it cleaned out everything left in \windows\temp, but when I implemented the fix in safe mode, it did not clean out \windows\temp, and it no longer cleans it in normal mode.

    -MGtools
    Once again, GetLogs.bat did not complete execution in normal mode, but it did in safe mode. You will see the difference in the log files.

    -MBR.LOG
    You will notice that the mbr.log from normal mode are very different from the ones from safe mode.

    I will follow up with 2 additional posts that have log files and information graphics.

    I can't thank you enough for taking the time to help me.
     

    Attached Files:

  6. babyyoda

    babyyoda Private E-2

    As I mentioned before, this is the 2nd post containing the Word file that shows the pictures of the errors I received while implementing the fix. The following and last post will contain the logs from the run in safe mode.
     

    Attached Files:

  7. babyyoda

    babyyoda Private E-2

    This is the last post, so you now should have all 9 attachments detailing the results of my implementation of the fix. The registry execution was successful in safe mode, too. The only problem with safe mode besides the files coming back was with Ccleaner.

    Thanks, again!!!!
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

    The files are not showing in your log when in safe mode. Are you saying they still exist in normal mode?

    Please get your xp cd, restart your computer and enter the bios ( often F1 or F10...). Go to the start up order and set your first boot to the cd, then second to hard drive, and insert your cd. Save and exit the bios. Your computer will restart, it will ask if you wish to boot to cd...do so. Then enter the recovery console.

    Once there, type fixmbr. Enter and then reboot. Once you are back to a normal boot, go to the temp folder and see if those files are still there, and if so, delete them.

    Re-run SAS and MBAM and attach those logs.
    Then try running the MGTools, getlogs.bat and tell me exactly what happens.
     
  9. babyyoda

    babyyoda Private E-2

    THANKS BILLIONS!!!!

    I was trying so hard not to get the pointy-finger-red-text-scolding, but I failed on that front. :-D Funny how things work when you actually follow ALL the instructions! The great news is that my problem appears to be solved.

    Yes, that was the situation, but the files appear to be gone for good in both safe mode and normal mode.

    I followed your latest instructions. All requested logs were produced in normal boot mode and are attached.
     

    Attached Files:

    Last edited: Oct 3, 2009
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean.

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
