Vista freeze

[Droopy]

Hi,

Since a few weeks, my PC (running Vista family edition) seems infected.

It works in safe mode.

It freeze after a few seconds in normal mode.

I had restore to some previous restore point but still same problem.

Here is the MB log :

Malwarebytes' Anti-Malware 1.28

Version de la base de donn

[JeanInMontana]

Hi Droopy and welcome to Malwarbytes. You need to put HJT into the folder it was meant to go into, named HiJackThis and in Program Files on the main drive, usually C:\ Program Files. Please do this and then update MBAM run another quick scan, post that log and a new HJT log.

[Droopy]

Thanks for the answer.

Here are the 2 logs :

Malwarebytes' Anti-Malware 1.28

Version de la base de donn

[JeanInMontana]

I'm not seeing malware. Did you scan with MBAM in normal boot? This is crucial to do that. You have some evidence of a past infection and possibly system damage. If you did scan with MBAM in normal mode then I would suggest you try a check disk for errors see if any are found.

[Droopy]

well i cannot scan in normal mode because it freeze after a few seconds.

this is my problem.

[JeanInMontana]

So it's MBAM freezing not the OS? Open MBAM and in the settings section uncheck scan memory, try running again. Continue unchecking items if that doesn't work. Be sure your only running a quick scan, not the full.

[Droopy]

Sorry but I don't get it.

In normal mode, Vista freeze before I can start MBAM.

In safe mode it works.

I don't understand what you meant.

[JeanInMontana]

OK I didn't understand you either, now I do. Let's give this tool a try, it runs very fast and should show us something.

Review this article here how to use ComboFix

Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important should anything go wrong and we need to recover your PC and not lose all the data.

1. Download this file :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe save it to your desktop.

2. Double click combofix.exe. It will be a red icon with a white X on your desktop.

Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HiJack log in your next reply

Note:

Do not mouseclick combofix's window while its running. That may cause it to stall.

[JeanInMontana]

OK the topic is reopened. If your circumstances have not changed please follow the ComboFix instructions.

[Droopy]

OK thanks I will use ComboFix tomorrow.

[JeanInMontana]

Let's get this done. Running CF takes about 30 seconds. Malware needs to be dealt with in a timely fashon to be effective at all.

[Droopy]

Here is the log :

It took about 30 minutes to get the report after CF restart the PC.

ComboFix 08-10-21.03 - Pierre 2008-10-22 11:17:24.1 - NTFSx86 NETWORK

Microsoft

[JeanInMontana]

CF normally runs in about 30 seconds. I am not French and do not read French very well. It's very hard for me to see what is what when you post your logs in French. Please choose English for all logs. Your ComboFix log is not complete either. You either didn't let it finish or you didn't post all the log. This doesn't show me all I need to see. I do see lots of P2P software and you need to remove that if we are to continue. We will not be involved in illegall activities here and unless your paying for whatever your downloading with the P2P it is illegal.

See if you can update MBAM and run it and HJT in normal mode. I need feed back on what changes if any have happened. Are you able to boot to normal now an run the system? CF did remove two items.

[Droopy]

Sorry about french but I didn't choose french and I didn't see anywhere where I could choose english.

I let CF finish and I did post all the log.

As I already mentioned, I had to wait about 30 min to get the log file.

About P2P software I don't use it but I cannot remove it.

For example, I uninstalled Frostwire and it is impossible to uninstall Shareaza !

I still cannot run in normal mode, Vista freeze before I can't start any program.

I appreciate your help, thanks.

[Droopy]

What can I do now ?

Do you need a new scan ?

Thanks in advance for your help.

[JeanInMontana]

Combo fix produces a HJT log, so since it is not posted you did not post all the log. Perhaps you have the entire system set for French, since you are French that makes sense. If you don't use P2P how did all this get on the machine? Those are all P2P programs. Not just one mind you but 3. Someone uses them and they are illegal to use to get music and video that should be paid for, and most likely how you got infected.

"{47974CE3-0114-4A3F-AFEA-C4B634D5F5AA}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:

[Droopy]

I didn't say that there were no P2P software installed though I didn't install it myself.

I now have exclusive control of the PC.

I tried to uninstall all P2P software but didn't succeed.

Frostwire : the Frostwire directory doesn't exist in "C:\Program Files"

Shareaza : the file "C:\Program Files\Shareaza\Uninstall\uninst0000.dat" doesn't exist.

[JeanInMontana]

There is nothing in the log that screams malware. If it were ran in normal boot perhaps it would show. The files show in the Panda scan as in program files. They are not dat files they are exe.

[Droopy]

I made a restore to a restore point near when the problem began.

I made MBAM and HJT scans :

Malwarebytes' Anti-Malware 1.30

Database version: 1329

Windows 6.0.6000

28/10/2008 0:12:33

mbam-log-2008-10-28 (00-12-33).txt

Scan type: Quick Scan

Objects scanned: 47608

Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 7

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 0:17:20, on 28/10/2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16711)

Boot mode: Safe mode with network support

Running processes:

C:\Windows\Explorer.EXE

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Users\Pierre\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.7sur7.be/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fen

[Droopy]

I forgot to mention that, after rebooting, it still freeze in normal mode before I can run any program.

[JeanInMontana]

OK so is MBAM scanning in Safe Mode and it removed those items? Can you restore to before the problem? I don't think we can clean the system in Safe Mode. I need to see a HJT log in normal boot, to stand a chance of seeing where and what is running.

[Droopy]

I cannot restore to before the problem?

I restored to the earliest point and I still cannot boot normal mode.

[Droopy]

There is svehost.exe in C:\Program Files directory.

Isn't it a malware ?

[JeanInMontana]

Scan the file at www.virustotal.com and see. It may or may not be. I think you should do a reformat. You have serious system damage and or malware that cannot be removed with out a full boot up.

[Droopy]

2/36 reported Cloaked Malware and Corrupted.Win32File (entry point in import table)

I have created Vista recovery DVDs, I also think that I will have to reformat.

Thank a lot for your help.