Solved My randomly restarting computer

Status
Not open for further replies.

Eggroll

So this computer I am fixing randomly restarts and ends programs that are running by itself, especially programs that are trying to clean the computer and so on.

It disabled all my services. I had to go into services.msc and turn them on one by one.

It won't let me install any anti-virus, it will say my files are corrupt when I am trying to install patches, and will crash any programs I run that help me try to figure out what is going on.

Gmer never got to the end of its scan. Windows would always show an error saying Windows encountered an error and the program has to end. I saved the log with as far as it could go. I ran it in safe mode without devices too and it still crashed.

Same problem with DDS but it eventually gave me the 2 log files.


Thank you for all your help. You guys are the best.
 

Attachments

  • mbam-log-2010-05-02 (13-27-34).txt (1.9 KB)
  • gmer.log (167.3 KB)
  • DDS.txt (5.6 KB)
  • Attach.txt (15 KB)

Do you have an antivirus program running? I didn't see one. If not, please revisit Step 1 and get some protection on the system.

For GMER, first, try to run it in Safe Mode. If that doesn't work, uncheck "Devices", then try to run it.

Please download ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
=====================================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please leave the logs in your next reply.
 
There was no anti virus program installed on the computer when I received it. When trying to install an antivirus, the computer either restarts, or while running setup Windows says the file is corrupt.

I ran GMER in safe mode as well. It didn't get a chance to complete. Ran it in Safe mode with 'devices' unchecked and still the same problem. The problem is that some other executable crashes and so GMER stops.

I ran ComboFix and it got to Step 6A but some executables, grep.exe and pev.exe, continuously kept on crashing and then ComboFix seemed like it stopped running. There was just a blinking cursor at the end after Step 6A. I then tried to check task manager but when I did click on it to start it, the computer restarted. I'll try to run ComboFix again when I get home from work.

I'll run that online virus scan too. Sounds like it might work since I can't install any antivirus software.

Thanks.
 
Run this and let me see the log:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe

==================
This is not meant to take the place of Combofix. Since you have no antivirus program running, load the programs to a flash drive, then go offline and run them on the problem computer.
 
Sorry it's taking me a while. Just found out one of the sticks of ram might be bad. That seemed to have been making all the crashes.

I ran Gmer but it gave me an out of resources error and when I tried to save it, it never produced the log file.

Going to install all the updates and anti virus and I'll let you know what's up.

I ran combofix though. I'll post the log.
 
Before I do anything with Combofix, I would like for you to check the files on VirScan and then run the Eset online AV scan. Then it can all be handled according to the results.

Edit: I would like to add this. I see this entry loading from the Registry:
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup


The history of the program is:
1. SpySubtract PRO has a new name - Trend Micro Anti-Spyware 3.0.
2. Trend Micro Anti-Spyware has been discontinued in favor of a new Internet Security Suite.
3. Trend Micro Internet Security Pro, formerly known as PC-cillin

The .lnk file extension indicates Windows Shortcut File Format. If you are depending on this to help with security, I think it must be out of date.


See http://internet-security-suite-review.toptenreviews.com/ for comparison

Rated 6 out of 20, $70.00 here
 
VirSCAN.org Scanned Report :
Scanned time : 2010/05/09 21:39:04 (CDT)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
Online report : http://virscan.org/report/b7508a088328cddb4aa555745d2a15f2.html

 
VirSCAN.org Scanned Report :
Scanned time : 2010/05/09 21:41:43 (CDT)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 1033728 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 12896823fb95bfb3dc9b46bcaedc9923
SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
Online report : http://virscan.org/report/d333828bb3253c657dd366062e4bb4ce.html

 
VirSCAN.org Scanned Report :
Scanned time : 2010/05/09 21:43:47 (CDT)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
Online report : http://virscan.org/report/76db865fb211eea48d2626cc32d13125.html

 
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1a481710fc156547847eeb2700b0ecca
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-05 05:27:19
# local_time=2010-05-05 10:27:19 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776869 100 100 0 13189790 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=161386
# found=3
# cleaned=0
# scan_time=15245
C:\Cleaning Tools\ComboFix.exe a variant of Win32/Kryptik.AT trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
D:\rejoice101.exe probably a variant of Win32/Hupigon trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1a481710fc156547847eeb2700b0ecca
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-10 08:56:31
# local_time=2010-05-10 01:56:31 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776869 100 100 0 13596739 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=167602
# found=3
# cleaned=0
# scan_time=9644
C:\Cleaning Tools\ComboFix.exe a variant of Win32/Kryptik.AT trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
D:\rejoice101.exe probably a variant of Win32/Hupigon trojan 00000000000000000000000000000000 I
 
I am not using Trend Micro for security on this machine. I just posted the results which you asked for. Thanks! Sorry for the slow reply. Been busy :(
 
The scan I had you do was a specific check for a Virut infection. I'm glad to see you don't have it.

There are entries in Combofix for the Threatfire antivirus program drivers, which it appears you are not running. It also shows the installation of Avast on 5/4, and now you have added Eset. Multiple antivirus programs make the system more vulnerable, not less, and they also slow the system down. Please decide whether you want Avast, Eset Nod32 or Threatfire and remove the others.
============================
Please get the antivirus program settled first. Then before you run the script below
disable all of the security as instructed here:
[2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Custom CFScript


  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::

Folder::

DDS::
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uSearchAssistant = 
mSearchAssistant = 
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
Hosts: 127.0.0.1	www.spywareinfo.com
Hosts: 127.0.0*1	vaginpics.com

Registry::

DirLook::
C:\b8015f3786318c19c4
C:\a7c724bb81849baa05fbadc02019d873
C:\found.000	

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
==========================
Try to run GMER now.
=============================
Leave all logs and reports in next reply.
====================
 
Sorry- I missed this:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files 
    C:\Cleaning Tools\ComboFix.exe
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip
    D:\rejoice101.exe 
     
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
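The three paths in the OTMoveIt :Files block above are exactly the ones the ESET Online Scanner log reported. The following added example (written for this page, not a tool from ESET, OldTimer or this thread) parses a log of that shape, checks that the header counts match the finding lines, and generates the move list, so the paths are carried over mechanically instead of being hand-copied. The sample log text is constructed from the thread's log and abbreviated; the parser assumes every ESET threat name contains a Platform/Family token such as Win32/Kryptik.AT, and the meaning of the trailing "I" column is not documented on the page, so it is kept verbatim.

```python
"""Parse ESET Online Scanner logs and build an OTMoveIt ':Files' move list.

Added example, not ESET's, OldTimer's or the thread's own code.  Log shape
(a '# key=value' header followed by one line per finding) follows the log
posted in this thread; SAMPLE_LOG is constructed and abbreviated.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: two scan blocks, as the thread's post contained.
SAMPLE_LOG = """\
# version=7
# end=finished
# osver=5.1.2600 NT Service Pack 2
# scanned=161386
# found=3
# cleaned=0
C:\\Cleaning Tools\\ComboFix.exe a variant of Win32/Kryptik.AT trojan 00000000000000000000000000000000 I
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\eZulaHotText.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
D:\\rejoice101.exe probably a variant of Win32/Hupigon trojan 00000000000000000000000000000000 I
# version=7
# end=finished
# osver=5.1.2600 NT Service Pack 3
# scanned=167602
# found=3
# cleaned=0
C:\\Cleaning Tools\\ComboFix.exe a variant of Win32/Kryptik.AT trojan 00000000000000000000000000000000 I
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\eZulaHotText.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
D:\\rejoice101.exe probably a variant of Win32/Hupigon trojan 00000000000000000000000000000000 I
"""

# A finding line is "<path> <threat description> <32 hex digits> <flag>".  The
# path may contain spaces but never '/', while the ESET name always carries a
# Platform/Family token (assumption), which is what separates the two fields.
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^/]+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S+.*?) "
    r"(?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    threat: str
    flag: str  # trailing ESET column, kept as-is (meaning not given on the page)


def split_scans(text: str) -> List[str]:
    """Each scan block starts with a '# version=' line; return one chunk per scan."""
    chunks: List[str] = []
    cur: List[str] = []
    for line in text.splitlines():
        if line.startswith("# version=") and cur:
            chunks.append("\n".join(cur))
            cur = []
        cur.append(line)
    if cur:
        chunks.append("\n".join(cur))
    return chunks


def parse_scan(chunk: str) -> Tuple[Dict[str, str], List[Finding]]:
    """Split one scan into its header dictionary and its list of findings."""
    meta: Dict[str, str] = {}
    findings: List[Finding] = []
    for line in chunk.splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            meta[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["threat"], m["flag"]))
    return meta, findings


def counts_consistent(meta: Dict[str, str], findings: List[Finding]) -> bool:
    """The header's found= count must equal the number of finding lines parsed."""
    return int(meta.get("found", "0")) == len(findings)


def still_on_disk(meta: Dict[str, str]) -> bool:
    """found > cleaned means the scanner only reported; the files are still present."""
    return int(meta.get("found", "0")) > int(meta.get("cleaned", "0"))


def findings_from_log(text: str) -> List[Finding]:
    out: List[Finding] = []
    for chunk in split_scans(text):
        out.extend(parse_scan(chunk)[1])
    return out


def build_otm_script(findings: List[Finding]) -> str:
    """Emit the OTMoveIt paste-block layout used in the thread, one unique path per line."""
    seen, paths = set(), []
    for f in findings:  # the two scans list the same files; move each path once
        if f.path.lower() not in seen:
            seen.add(f.path.lower())
            paths.append(f.path)
    return "\n".join([":Processes", "", ":Services", "", ":Reg", "", ":Files", *paths, "",
                      ":Commands", "[purity]", "[emptytemp]", "[start explorer]", "[Reboot]"])


if __name__ == "__main__":
    print(build_otm_script(findings_from_log(SAMPLE_LOG)))
```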
 
All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Cleaning Tools\ComboFix.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip moved successfully.
D:\rejoice101.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Compaq_Owner
->Temp folder emptied: 793278 bytes
->Temporary Internet Files folder emptied: 2777127 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 405 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 4570 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3154 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3.00 mb


OTM by OldTimer - Version 3.1.12.0 log created on 05122010_200049

Files moved on Reboot...
File C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\fla1.tmp not found!
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\IYFLTWS0\ads[1].htm moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\0CR8WY18\DARTIframe[1].htm moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\0CR8WY18\DARTIframe[2].htm moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\0CR8WY18\sh16[1].html moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\0CR8WY18\topic146692[2].html moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...
 
As far as I can see, I uninstalled all of the antivirus programs. No other antivirus is in add/remove programs. I installed Microsoft Security Essentials and am only using this one.

Running Gmer somehow ends with just the desktop, no explorer, no icons. Only the mouse and the computer does not seem to be frozen. I can't do ctrl+alt+delete or any functions or commands except for moving the mouse cursor around. I did it with 'devices' unchecked as well.
 
Please describe any remaining problems from the malware.

You have custom named some folders in the Directory. At least one of them, C:\Cleaning Tools, had malware. It was on Combofix.exe, which I had you remove, but it has returned. I'm going to give you some script to run and hopefully remove any remaining malware files. Your first post with a description of problems does not seem all malware related:
=============================
Custom CFScript


  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\TfFsMon.sys
c:\windows\system32\drivers\TfSysMon.sys
c:\windows\system32\drivers\TfNetMon.sys
c:\program files\Spyware Doctor\TFEngine\TFService.exe 
c:\windows\system32\drivers\ACEDRV08.sys
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_a5c.dat
C:\ComboFix.exe
Folder::
C:\7c6154278172e0bb417121487b
C:\b8015f3786318c19c4
C:\a7c724bb81849baa05fbadc02019d873
c:\documents and settings\Compaq_Owner\Application Data\Avira
C:\Cleaning Tools
C:\found.000
Registry::

Driver::
TfFsMon
TfSysMon
TfNetMon
ThreatFire
ACEDRV08
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please disable the Microsoft Error Reporting Service:
Start> Run> type in services.msc> find Error Reporting and double click on it> change Startup type to Disabled> Stop the Service> Exit Services.
============================
When you have finished with the script, please run a new scan with HijackThis, which is already on the system, and leave a new log along with the Combofix report in your next reply.
 
Thank you Bobbye. You've been a big help to me. I'll post up the results later tonight and hopefully we'll be done and we can work on the other thread I started.
 
ComboFix.txt was too big again.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:24:25 PM, on 5/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 4817 bytes
 

Attachments

  • ComboFix.txt (47.9 KB)

Everything looks pretty good so far. Thanks for helping me clean this computer up. Let me know what you think from the logs.
 
My goodness! It's Saturday- I slept later!

Custom CFScript


  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
Folder::
c:\program files\Alwil Software
c:\documents and settings\All Users\Application Data\Alwil Software
	
Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . You do not need to leave the log.
====================
If the original malware problems have been resolved, you can remove all of the tools we used and the files and folders they created:
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if I can be of further help.
 