Windows Vista - You are about to be logged off

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tinkerdog, Sep 15, 2010.

  1. Tinkerdog

    Tinkerdog Private E-2

    Was given this laptop to fix that restarts within a couple of minutes of starting up. Sometimes with a single message saying 'You are about to be logged off' warning me that 'Windows has encountered a critical problem and will restart automatically in one minute'; it will shut down after a minute has passed. Sometimes this is preceded by a message saying 'services and controller app stopped working and was closed'. After a minute the screen goes black and the computer restarts.

    I did the normal cleanup procedure, removed a lot of malware and a few viruses. The computer ran faster but the main problem remained. I found out the services.exe file was crashing, and that if I disabled the wireless adapter on the laptop it ran fine (but without internet access of course). I therefore uninstalled the network card drivers and reinstalled fresh versions, but that didn't help.

    I then tried the wired network connection whilst the wireless was disabled, and soon after the network was detected by the Network and Sharing Center the same problem occurred.

    I followed your 'read me' guide and got the logs requested, however rootrepeal would not scan because it said something about an invalid partition when scanning the drives.

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Running from: F:\ComboFix.exe <--- We need ComboFix to be directly on your desktop from the drive you boot windows from. Please move it there before we continue as shown below:

    If you did not deliberately set this proxy yourself then please include it in our fixable list below:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Windows\System32\drivers\ejohyuhi.sy
    
    Folder::
    c:\users\Sharon\AppData\Local\gpwqybtlu
    c:\users\Sharon\AppData\Roaming\Evaqyk
    c:\users\Sharon\AppData\Roaming\Kayq
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "????r"=-
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ejohyuhi]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}]
    
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run CCleaner. Only run the cleaner itself, do not run anything on any of the other forms.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me how the machine is behaving now?
     
  3. Tinkerdog

    Tinkerdog Private E-2

    Hi Kestrel13,

    Sorry it took a couple days till I got around to following your instructions, I got my eyes lasered and the computer screen was tiring them out.

    Ok, I followed your instructions to the letter I believe.

    The logs you requested (if I am right) are:

    combofix.txt
    and
    MGlogs.zip

    It seems the problem is fixed, thank you very much, :). I'll post again if the problem reoccurs, and let me know if there are any final steps I should perform.

    Cheers,

  4. Tinkerdog

    Tinkerdog Private E-2

    Sorry to say, but the problem has come back, about ten minutes after my post. The laptop is just as bad as before. Any other ideas?
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    My fault! I had .sy instead of .sys extension on the file we wanted dead!

    Let's try again then:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Windows\System32\drivers\ejohyuhi.sys
    C:\Windows\temp\BITC2F0.tmp
    C:\Windows\temp\BITC716.tmp
    C:\Windows\temp\BITCCB2.tmp
    C:\Windows\temp\BITCF90.tmp
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "????r"=-
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ejohyuhi]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How are things running now?
     
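The CFScript format used in the two scripts above (section headers such as KILLALL::, File::, Folder::, Registry::, RegLock::, each followed by one entry per line), as an added example that is not part of this thread or of ComboFix itself: a small Python parser plus a dry-run lint that flags File:: entries not present on disk, which would have caught the truncated `.sy` extension before the first run. The existence check is injected (`fake_exists` over a constructed path set, both hypothetical) so the example runs offline; on the real machine you would pass `os.path.exists`.

```python
import re

# Added helper (not a ComboFix tool): a CFScript section header is a word
# followed by "::", e.g. KILLALL::, File::, Folder::, Registry::, RegLock::.
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; bare directives such as
    KILLALL:: become sections with an empty entry list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def lint_file_entries(sections, exists):
    """Warn about File:: entries that do not resolve on disk, so a truncated
    extension like 'ejohyuhi.sy' is caught before the script is run.
    `exists` is injected (e.g. os.path.exists) so the check can be dry-run."""
    return [f"File:: entry not found: {p}"
            for p in sections.get("File", []) if not exists(p)]


# Constructed sample: the first script from the thread, with its typo.
SAMPLE_SCRIPT = r"""KILLALL::

File::
C:\Windows\System32\drivers\ejohyuhi.sy

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ejohyuhi]
"""

# Constructed stand-in for the infected disk: only the real .sys file exists.
FAKE_DISK = {r"c:\windows\system32\drivers\ejohyuhi.sys"}


def fake_exists(path):
    """Hypothetical existence check over the constructed path set."""
    return path.lower() in FAKE_DISK
```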
  6. Tinkerdog

    Tinkerdog Private E-2

    That seems to have worked, thank you so much, :D.

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm this registry value won't die... let's try a reg patch.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  8. Tinkerdog

    Tinkerdog Private E-2

    Hey Kestrel,

    Thanks for all your help, had to return the laptop, but will run the regfix if they encounter any more problems. You were very helpful indeed, :).
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, I would get them to run it if I were you, something is still not right, so... I'll be around when you need me. :)
     
