Something nasty completely locking up my Windows 7 machine

Discussion in 'Malware Help (A Specialist Will Reply)' started by Kevsters, Oct 12, 2010.

  1. Kevsters

    Kevsters Private E-2

    Hi,

    I have a major problem it seems. I have something that is making my laptop completely unusable in normal mode. I can run the computer in safe mode, and also if I do a special boot with all services disabled.

    I have attempted to run all of the first cleaning items. They did not show anything, and also the SAS seemed to stop before it finished the registry.

    Attaching the logs.

    Thanks for any help - I am getting to the stage where I am thinking of doing a fresh install...

    Kevin
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you have 64 bit windows?


    Why did you not run MGTools?

    Could I see the logs from those please?
     
    Last edited: Oct 12, 2010
  3. Kevsters

    Kevsters Private E-2

    Hi Kestrel,

    Thank you very much for your help.

    Yes I have a 64 bit machine.

    I ran SuperAntiSpyware, which seemed to run fine up to about 6800 registry entries, then seemed to hang. It sort of did nothing for 20 minutes then maybe 100 entries - I let it go for nearly an hour then stopped it. Do you want me to let it run right through (I was estimating that it would take hundreds of hours to finish...)?

    I have run MG Tools (sorry I attached the wrong file).

    Logs attached.

    Also, I ran everything in safe mode as the only way I can get the computer to do anything in normal mode was to use MSCONFIG to disable all services.

    Thanks

    Kevin
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm... I am not seeing anything untoward in those logs, but then, it was run in safe mode. Now describe to me exactly what happens when you try to use normal mode. Do you remember anything that happened, what you were doing at the time when you first noticed something wasn't right?

    Run this scan with safe mode with networking. (If you haven't already done so)

    Using ESET's Online Scanner

    Also give this a go:

    SUPERAntiSpyware Online Safe Scan

    Don't forget to answer my questions.
     
  5. Kevsters

    Kevsters Private E-2

    Thanks for having a look,

    When I first noticed something, I had left the computer running after I had been working and surfing, and I had come back to the computer after about a day or so. I can't recall if the computer was in sleep mode or not, but when I went to do something it was unresponsive, so as far as I recall I just thought it had crashed and did a hard reboot. After it came back up it was still extremely slow (e.g. boot time of 30 minutes), and then I started noticing things like the AV was turned off etc.

    So when I try to run normal mode, it takes so long to do anything that I am unsure if things are even working or not.

    I will run the ESET and SAS online scanners now.

    A quick question - is it worth me creating my Toshiba recovery CDs now, or would that just take the rootkit with it (assuming that's the problem)?

    Thanks for your help

    Kevin
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes please.
    No, the instability of the machine at the moment might hinder your progress so let's wait, but in the meantime you can, if you feel safer, back up anything you need document-wise.
     
  7. Kevsters

    Kevsters Private E-2

    Thanks,

    Scanners run, see logs.

    Everything is backed up.

    FYI - I was thinking that I can use the Toshiba factory restore partition if that is deemed the best idea...

    Thanks.

    Kevin
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well neither of those scans showed malware. I want you to give running MGTools.exe a go in normal mode and attach the C:\MGlogs.zip. If you really are unable to do this then I may have to send you to the software forum until you are up and running again in normal mode.
    I am not seeing any signs of a rootkit.
     
  9. Kevsters

    Kevsters Private E-2

    Thanks for your advice,

    MGtools run in normal mode - logs attached.

    Kevin

    PS. I also tried to start the Avast shields after I ran MGtools - screenshot attached.
     

    Attached Files:

    Last edited: Oct 15, 2010
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I believe the problems you are having are software related not malware. So I think in the end I will have to send you to the software forum, and perhaps you can post on the avast forum regarding the issues with that. Let's just try a few things here.

    Download and run OTM. (In normal mode)

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :files
    C:\Users\Kevin\Local Settings\TEMP\107016.od
    C:\Users\Kevin\Local Settings\TEMP\14098605.od
    C:\Users\Kevin\Local Settings\TEMP\173270.od
    C:\Users\Kevin\Local Settings\TEMP\2136059.od
    C:\Users\Kevin\Local Settings\TEMP\23665897.od
    C:\Users\Kevin\Local Settings\TEMP\26720241.od
    C:\Users\Kevin\Local Settings\TEMP\30051533.od
    C:\Users\Kevin\Local Settings\TEMP\3222762.od
    C:\Users\Kevin\Local Settings\TEMP\37424015.od
    C:\Users\Kevin\Local Settings\TEMP\38458552.od
    C:\Users\Kevin\Local Settings\TEMP\38972793.od
    C:\Users\Kevin\Local Settings\TEMP\390189.od
    C:\Users\Kevin\Local Settings\TEMP\39565067.od
    C:\Users\Kevin\Local Settings\TEMP\4909101.od
    C:\Users\Kevin\Local Settings\TEMP\51948.od
    C:\Users\Kevin\Local Settings\TEMP\553335.od
    C:\Users\Kevin\Local Settings\TEMP\6A4.tmp
    C:\Users\Kevin\Local Settings\TEMP\987080.od
    C:\Users\Kevin\Local Settings\TEMP\9FE8.tmp
    C:\Users\Kevin\Local Settings\TEMP\Cookies
    C:\Users\Kevin\Local Settings\TEMP\CVR1CE9.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVR206F.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVR2CEA.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVR7129.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVR8CCD.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVR97FB.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVRA1D9.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVRA497.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVRAD79.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVRB70B.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVRB7F1.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVRB8F.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVRCAAD.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVRD4B8.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVRE791.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVRF42D.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\CVRF99.tmp.cvr
    C:\Users\Kevin\Local Settings\TEMP\F36F.tmp
    C:\Users\Kevin\Local Settings\TEMP\Low
    C:\Users\Kevin\Local Settings\TEMP\pglcqpog.sys
    C:\Users\Kevin\Local Settings\TEMP\Temporary Internet Files
    C:\Users\Kevin\Local Settings\TEMP\~DF095D4C140731A3BE.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF0A946730A35FB2E4.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF12510B233518819A.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF1611388F4F196AE5.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF199A0A6F4843DD65.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF23535F5B1EEA140A.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF2ECA049AB4A6D274.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF32326EF389D1AD48.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF3C2C2E5DAA932D56.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF3CF8A10FED8FA1A9.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF3DB5263FAB727ED2.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF40936941D6A64828.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF4715BF99B3C302D3.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF48471854F7A0E40C.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF484BE7D441C3D3D0.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF65F60DE55F6E08E0.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF6F8194551F94158A.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF83A92EEB2715DA57.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF894DBCC53DA4B463.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF89849C727A53C213.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF8F54687B283482A0.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF94C820137D662386.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF94C9E6D90EF2607E.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF950246A9261A48BF.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DF9BA816D58FF97FA9.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DFA48D6DC311DFB97B.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DFAEC1E03FBEA2D1BF.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DFBFC49A2BC37C543C.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DFCC66137A13CFFC0B.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DFEEC3FD9BA835CEB0.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DFF09F96EFCE4FF8C7.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DFF30EEC9096451FAB.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DFFC3204922350483D.TMP
    C:\Users\Kevin\Local Settings\TEMP\~DFFC3F1C02146EF49B.TMP
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Use the machine a while in normal mode and tell me how it behaves now.
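    A reviewer's sanity check for a move script of the form used in the post above, added here as an example; it is not part of the thread and is not OTM's own code. It assumes only the format visible in the post (a `:files` section of full paths followed by a `:Commands` section of bracketed directives). The sample script, the allowed TEMP root, the list of extensions worth a manual look and the path-traversal entry are all constructed for the example. The check parses the script, confirms that every entry actually resolves under the user's TEMP folder (a `..` component would otherwise move something outside it), counts entries by extension, and lists files a helper would review by hand before they are moved.

```python
"""Sanity checker for an OTM-style move script (added example, not OTM itself).

Assumed format, taken from the post above: a ':files' section of full paths,
then a ':Commands' section of bracketed directives such as [emptytemp].
"""
from __future__ import annotations

import ntpath
from collections import Counter
from dataclasses import dataclass, field

# Extensions a helper would look at by hand before the file is moved away,
# because they do not belong in a user temp folder in normal use (a .sys file
# is a kernel driver, for example). This list is an assumption for the example.
REVIEW_EXTENSIONS = {".sys", ".exe", ".dll"}


@dataclass
class ScriptReport:
    files: list[str] = field(default_factory=list)
    commands: list[str] = field(default_factory=list)
    not_under_root: list[str] = field(default_factory=list)
    review: list[str] = field(default_factory=list)
    by_extension: Counter = field(default_factory=Counter)
    unknown_lines: list[str] = field(default_factory=list)


def parse_otm_script(text: str, allowed_root: str) -> ScriptReport:
    """Parse the script and check that every :files entry resolves under allowed_root.

    ntpath is used deliberately so Windows paths are handled the same way on any
    platform; normpath collapses '..' components before the prefix comparison.
    """
    report = ScriptReport()
    section = None
    root = ntpath.normcase(ntpath.normpath(allowed_root)).rstrip("\\") + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in (":files", ":commands"):
            section = line.lower()
            continue
        if section == ":files":
            report.files.append(line)
            resolved = ntpath.normcase(ntpath.normpath(line))
            if not resolved.startswith(root):
                report.not_under_root.append(line)
            ext = ntpath.splitext(line)[1].lower() or "<none>"
            report.by_extension[ext] += 1
            if ext in REVIEW_EXTENSIONS:
                report.review.append(line)
        elif section == ":commands":
            if line.startswith("[") and line.endswith("]"):
                report.commands.append(line[1:-1].lower())
            else:
                report.unknown_lines.append(line)
        else:
            report.unknown_lines.append(line)
    return report


def summarize(report: ScriptReport) -> list[str]:
    """Render the report as lines a helper can read before running the script."""
    out = [f"{len(report.files)} file entries, commands: {', '.join(report.commands) or 'none'}"]
    for ext, n in sorted(report.by_extension.items()):
        out.append(f"  {ext}: {n}")
    for p in report.not_under_root:
        out.append(f"NOT UNDER ROOT (resolves elsewhere, do not run as-is): {p}")
    for p in report.review:
        out.append(f"REVIEW BEFORE MOVING: {p}")
    for l in report.unknown_lines:
        out.append(f"UNRECOGNISED LINE: {l}")
    return out


# Constructed sample: four entries from the post above plus one constructed
# entry that uses '..' to escape the TEMP folder (example.sys is hypothetical).
SAMPLE_ROOT = r"C:\Users\Kevin\Local Settings\TEMP"
SAMPLE_SCRIPT = r"""
:files
C:\Users\Kevin\Local Settings\TEMP\107016.od
C:\Users\Kevin\Local Settings\TEMP\6A4.tmp
C:\Users\Kevin\Local Settings\TEMP\pglcqpog.sys
C:\Users\Kevin\Local Settings\TEMP\Cookies
C:\Users\Kevin\Local Settings\TEMP\..\..\..\..\Windows\System32\drivers\example.sys
:Commands
[emptytemp]
[Reboot]
"""

if __name__ == "__main__":
    for line in summarize(parse_otm_script(SAMPLE_SCRIPT, SAMPLE_ROOT)):
        print(line)
```

    Because the check only uses `ntpath`, it runs on a helper's own machine on any platform and never touches the affected computer; the traversal entry is reported as not under the root even though its text begins with the TEMP path, which is the case a plain string-prefix comparison would miss.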
     
  11. Kevsters

    Kevsters Private E-2

    Thanks for your help,

    Attached are the OTM logs and the MGtools logs.

    It does seem to be running quicker, though still very slow (improved from 'extremely slow').

    I have also uninstalled Avast and installed AVG to see if I can get it to work, and it worked fine.

    I will have a bit of a test now to see how things work.

    Thanks very much for your help and sorry for causing you effort for nothing.

    Kevin
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, your logs are clean, so any other remaining issues will have to be resolved in the software forum. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
