TechSpot

Computer restarts out of the blue (moved)

By jckinnick
Sep 19, 2010
  1. I was told to post the files from the 8 steps in this thread.


    Here is the other thread for more on the problem.

    http://www.techspot.com/vb/topic151659-5.html


    I keep getting an error when I try to update Malwarebytes Anti-Malware. It found 6 items.



    Here are the files.
     


  2. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148

    I should also add that since last night, when I did the 8 steps, it's restarted twice, and the first time, right after doing them, my mouse/cursor kind of went wild and flew all over the screen for a second before it shut down.
     
  3. crunchie

    crunchie Malware Helper Posts: 728

    The MBA-M log shows that no action was taken after the scan. Is that correct, or have you posted the incorrect log?
    What was the MBA-M error when attempting to update?

    ==

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!

    ====

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  4. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148

    No, I fixed the 6 errors, I thought. Should I try it again or do the combo step?
     
  5. crunchie

    crunchie Malware Helper Posts: 728

    If you fixed them that's fine. You probably posted the wrong log.

    Do the other two please.
     
  6. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148

    I haven't got a chance to do the OTL yet, but I did do the Combofix.

    When I first ran it I got a pop-up that said something about only being compatible with Windows 2000 and XP. I am running XP, so I didn't know why it was saying this. It also made some weird noises.

    The next warning said that scanning in the security program I use, Webroot, was still on. I had turned everything off and disconnected from the internet, so I didn't know what to do, so I X'd out instead of pressing OK, but it went on anyway.

    The next one said something like I did not have Microsoft Windows Recovery installed, and then it asked me to connect to the internet to install it. I hooked back up to the internet and pressed OK.

    After that it started scanning. I was still hooked up to the internet from the last window, so I'm not sure if I was supposed to be connected while it was scanning. It restarted my computer when it was finished, so I hope everything worked.

    Also, when I turned my computer back on, Webroot started automatically, and while it was doing the log it said to not have any programs running, so Webroot ran for a minute or two before I could shut it down.

    On Webroot I have a notification that IE Hijack has been changed. Do I need to restore that or keep the new setting?



    Here is the log file.
     

    Attached Files:

    • log.txt (27.5 KB)
  7. crunchie

    crunchie Malware Helper Posts: 728

    How are things now?

    ==

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  8. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148

    It hasn't restarted since I have done these fixes, so I'm hoping it's going fine. On the log, did it say that anything was fixed? I thought I saw something about a quarantine on there.

    What about the IE Hijack? Do I need to restore those settings or keep them the way they are now?

    I will try your above instructions and also run the OTL.

    It might be a couple of days before I get back with you, so bear with me.
     
  9. crunchie

    crunchie Malware Helper Posts: 728

    Combofix deleted some entries and made other repairs whilst it ran.

    Did you run the fix in my last post?

    About the IE hijack, what did Webroot say the change was? Did it occur subsequent to running one of the tools?
     
  10. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148


    I haven't got to do the OTL or the last Notepad fix yet.

    It didn't happen during the running; it was when my computer restarted. Webroot says IE Hijack Shield User Search Bar changes need attention; it's asking me to restore or keep the current changes.
     
  11. crunchie

    crunchie Malware Helper Posts: 728

    Ok. I suggest you keep the changes as I reckon it was one of the tools that made the change.
     
  12. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148

    Just wanted to fill you in real quick but it restarted again tonight.


    Also, just to mention it again, it might be a couple of days before I can get back to you and do the other fixes.

    Thanks!
     
  13. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148



    I have uninstalled and reinstalled some browsers since the scan. Is that going to change any of the stuff above that I need to copy and paste?
     
  14. crunchie

    crunchie Malware Helper Posts: 728

    No, that's fine. Go ahead and do the above.
     
  15. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148

    Here is the log from the Combo Fix. It did about the same thing as last time as far as running. It asked me to connect to the internet to download some missing files from Microsoft, then it aborted and went on with scanning while I was still connected.

    It did not do a restart this time, but when it was done and I started my programs back up, Webroot had quarantined something called EICAR-AV_TEST.
     

    Attached Files:

    • log.txt (23.6 KB)
  16. crunchie

    crunchie Malware Helper Posts: 728

    EICAR-AV_TEST is a harmless file that is used to test one's AV. It must have been downloaded at some time.

    Do you have your XP CD? If so, do the following:

    Go to Start | Run and type in sfc /scannow and hit the Ok button. Insert your CD if/when requested.

    ====

    How's the OTL scan going?
     
  17. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148

    Here are the two files from the OTL. I couldn't tell by the log if it fixed anything or not.

    I'm going to try the XP disc next. Just to let you know, I had some problems with it 3 or 4 months ago. I accidentally removed some Windows components, and when I tried to reinstall them using the disc it would get halfway to something called NET Framework and then freeze.
     


  18. crunchie

    crunchie Malware Helper Posts: 728

    .NET can be downloaded from M$.

    Log looks ok.

    You have a few errors in the event logs regarding memory low. Also been unable to load the registry.
    Hopefully you will be able to get the scannow to run or you may have to do a system repair.
     
  19. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148



    I think the "unable to load registry" is where the restarts keep coming from, because every time it happens I check the log and it's an "unable to load registry".

    What could be causing the memory low?
     
  20. crunchie

    crunchie Malware Helper Posts: 728

    It is possible that something is sucking up the memory during startup. Not sure what though.

    Did you manage to run scannow?
     
  21. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148



    No, I haven't got a chance to yet. I will post back as soon as I do.
     
  22. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148

    I ran the scan and it actually made it all the way through this time. Is it supposed to do anything else? The bar just completed and disappeared; is that right?

    Webroot takes a lot of time during startup. Could that be causing the memory to be low?
     
  23. crunchie

    crunchie Malware Helper Posts: 728

    Yes, that ran as it should have done.
    Try disabling Webroot from the startup by going into msconfig and disabling it. See if you notice a faster startup.
     
  24. jckinnick

    jckinnick TS Rookie Topic Starter Posts: 148

    Webroot is my main antivirus security program, though.

    Is there anything else I need to do as far as the malware goes?

    I mentioned before that I had accidentally removed some Windows components and had trouble installing them back. I installed all of them back that I could, but every time I run Windows Update and it brings up the Internet Explorer page I get an "Install the ActiveX control required to view the website" message.
     
  25. crunchie

    crunchie Malware Helper Posts: 728

    When you get the ActiveX message there should be a drop-down bar that asks you if you want to install the component. You should allow it.

    If you disconnect from the Internet by removing the cable, you can safely disable Webroot to see if the pc starts ok.

    To see if there is anything else lurking, you can do an on-line scan.

    Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on the Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
Topic Status:
Not open for further replies.
