Inactive Computer restarts out of the blue (moved)

Status
Not open for further replies.

jckinnick

I was told to post the files from the 8 steps in this thread.


Here is the other thread for more on the problem.

https://www.techspot.com/vb/topic151659-5.html


I keep getting an error when I try to update Malwarebytes Anti-Malware. It found 6 items.



Here are the files.
 

Attachments

  • mbam-log-2010-09-18 (05-25-46).txt
    1.4 KB · Views: 2
  • Log.log
    2.1 KB · Views: 1
  • dds log.txt
    9 KB · Views: 4
  • dds log 2.txt
    10.1 KB · Views: 1
I should also add that since last night, when I did the 8 steps, it's restarted twice, and the first time, right after doing them, my mouse/cursor kind of went wild and flew all over the screen for a second before it shut down.
 
The MBA-M log shows that no action was taken after the scan. Is that correct, or have you posted the incorrect log?
What was the MBA-M error when attempting to update?

==

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

====

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed, and let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
No, I fixed the 6 errors, I thought. Should I try it again or do the combo step?
 
I haven't got a chance to do the OTL yet but I did do the Combofix.


When I first ran it I got a pop-up that said something about only being compatible with Windows 2000 and XP. I am running XP, so I didn't know why it was saying this. It also made some weird noises.

The next warning said that the security program I use, Webroot, was still scanning. I had turned everything off and disconnected from the internet, so I didn't know what to do, so I X'ed out instead of pressing OK, but it went on anyway.

The next one said something like I did not have Microsoft Windows Recovery installed and then it asked me to connect to the internet to install it, I hooked back up to the internet and pressed ok.


After that it started scanning. I was still hooked up to the internet from the last window, so I'm not sure if I was supposed to be connected while it was scanning. It restarted my computer when it was finished, so I hope everything worked.


Also, when I turned my computer back on, Webroot started automatically, and while it was doing the log it said to not have any programs running, so Webroot ran for a minute or two before I could shut it down.

On Webroot I have a notification that IE Hijack has been changed. Do I need to restore that or keep the new setting?



Here is the log file.
 

Attachments

  • log.txt
    27.5 KB · Views: 2
How are things now?

==

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
It hasn't restarted since I have done these fixes, so I'm hoping it's going fine. On the log, did it say that anything was fixed? I thought I saw something about a quarantine on there.

What about the IE Hijack, do I need to restore those settings or keep them the way they are now?

I will try your above instructions and also run the OTL.

It might be a couple of days before I get back with you, so bear with me.
 
Combofix deleted some entries and made other repairs whilst it ran.

Did you run the fix in my last post?

About the IE hijack, what did Webroot say the change was? Did it occur subsequent to running one of the tools?
 
I haven't got to do the OTL or the last Notepad fix yet.

It didn't happen during the running; it was when my computer restarted. Webroot says IE Hijack Shield User Search Bar changes need attention, and it's asking me to restore or keep the current changes.
 
Just wanted to fill you in real quick, but it restarted again tonight.


Also, just to mention it again, it might be a couple of days before I can get back to you and do the other fixes.

Thanks!
 
I have uninstalled and reinstalled some browsers since the scan. Is that going to change any of the stuff above that I need to copy and paste?
 
Here is the log from the ComboFix. It did about the same thing as last time as far as running. It asked me to connect to the internet to download some missing files from Microsoft, then it aborted and went on with scanning while I was still connected.

It did not do a restart this time but when it was done and I started my programs back up Webroot had quarantined something called EICAR-AV_TEST.
 

Attachments

  • log.txt
    23.6 KB · Views: 3
EICAR-AV_TEST is a harmless file that is used to test one's AV. It must have been downloaded at some time.

Do you have your XP CD? If so, do the following:

Go to Start | Run and type in sfc /scannow and hit the Ok button. Insert your CD if/when requested.

====

How's the OTL scan going?
 
Here are the two files from the OTL. I couldn't tell by the log if it fixed anything or not.


I'm going to try the XP disc next. Just to let you know, I had some problems with it 3 or 4 months ago. I accidentally removed some Windows components, and when I tried to reinstall them using the disc it would get halfway to something called NET Framework and then freeze.
 

Attachments

  • OTL.Txt
    112.1 KB · Views: 1
  • Extras.Txt
    37.1 KB · Views: 1
.NET can be downloaded from M$.

Log looks ok.

You have a few errors in the event logs regarding memory low. Also been unable to load the registry.
Hopefully you will be able to get the scannow to run or you may have to do a system repair.
 
I think the "unable to load registry" is where the restarts keep coming from, because every time it happens I check the log and it's an "unable to load registry".

What could be causing the memory low?
 
It is possible that something is sucking up the memory during startup. Not sure what though.

Did you manage to run scannow?
 
I ran the scan and it actually made it all the way through this time. Is it supposed to do anything else? The bar just completed and disappeared; is that right?

Webroot takes a lot of time during startup. Could that be causing the memory to be low?
 
Yes, that ran as it should have done.
Try disabling Webroot from the startup by going into msconfig and disabling it. See if you notice a faster startup.
 
Webroot is my main antivirus security program though.

Is there anything else I need to do as far as the malware goes?


I mentioned before that I had accidentally removed some Windows components and had trouble installing them back. I installed all of them back that I could, but every time I run Windows Update and it brings up the Internet Explorer page I get an "Install the ActiveX control required to view the website".
 
When you get the ActiveX message there should be a drop-down bar that asks you if you want to install the component. You should allow it.

If you disconnect from the Internet by removing the cable, you can safely disable Webroot to see if the pc starts ok.

To see if there is anything else lurking, you can do an on-line scan.

Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on the Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 