My randomly restarting computer

Solved
By Eggroll
May 4, 2010
Topic Status:
Not open for further replies.
  1. So this computer I am fixing randomly restarts and ends running programs by itself, especially programs that are trying to clean the computer and so on.

    It disabled all my services. I had to go into services.msc and turn them on one by one.

    It won't let me install any anti-virus, it will say my files are corrupt when I am trying to install patches, and will crash any programs I run that help me try to figure out what is going on.

    Gmer never got to the end of its scan. Windows would always show an error saying Windows encountered an error and the program has to end. I saved the log with as far as it could go. I ran it in safe mode without devices too and it still crashed.

    Same problem with DDS but it eventually gave me the 2 log files.


    Thank you for all your help. You guys are the best.

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Do you have an antivirus program running? I didn't see one. If not, please revisit Step 1 and get some protection on the system.

    For GMER, first, try to run it in Safe Mode. If that doesn't work, uncheck "Devices", then try to run it.

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    =====================================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave the logs in your next reply.
  3. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    There was no anti virus program installed on the computer when I received it. When trying to install an antivirus, the computer either restarts, or while running setup Windows says the file is corrupt.

    I ran GMER in safe mode as well. It didn't get a chance to complete. Ran it in Safe mode with 'devices' unchecked and still the same problem. The problem is that some other executable crashes and so GMER stops.

    I ran ComboFix and it got to Step 6A but some executables, grep.exe and pev.exe, continuously kept on crashing and then ComboFix seemed like it stopped running. There was just a blinking cursor at the end after Step 6A. I then tried to check task manager but when I did click on it to start it, the computer restarted. I'll try to run ComboFix again when I get home from work.

    I'll run that online virus scan too. Sounds like it might work since I can't install any antivirus software.

    Thanks.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Run this and let me see the log:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe

    ==================
    This is not meant to take the place of Combofix. Since you have no antivirus program running, load the programs to a flash drive, then go offline and run them on the problem computer.
  5. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    Sorry it's taking me a while. Just found out one of the sticks of ram might be bad. That seemed to have been making all the crashes.

    I ran Gmer but it gave me an out of resources error and when I tried to save it, it never produced the log file.

    Going to install all the updates and anti virus and I'll let you know what's up.

    I ran combofix though. I'll post the log.
  6. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    Was too big to copy into this post.

    Attached Files:

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Before I do anything with Combofix, I would like for you to check the files on VirScan and then run the Eset online AV scan. Then it can all be handled according to the results.

    Edit: I would like to add this. I see this entry loading from the Registry:
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
    backup=c:\windows\pss\SpySubtract.lnkCommon Startup


    The history of the program is:
    1. SpySubtract PRO has a new name - Trend Micro Anti-Spyware 3.0.
    2. Trend Micro Anti-Spyware has been discontinued in favor of a new Internet Security Suite.
    3. Trend Micro Internet Security Pro, formerly known as PC-cillin

    The .lnk file extension indicates Windows Shortcut File Format. IF you are depending on this to help with security, I think it must be out of date.


    See http://internet-security-suite-review.toptenreviews.com/ for comparison

    Rated 6 out of 20, $70.00 here
  8. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    VirSCAN.org Scanned Report :
    Scanned time : 2010/05/09 21:39:04 (CDT)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 26112 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : a93aee1928a9d7ce3e16d24ec7380f89
    SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
    Online report : http://virscan.org/report/b7508a088328cddb4aa555745d2a15f2.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100508053127 2010-05-08 1.19 -
    AhnLab V3 2010.05.09.00 2010.05.09 2010-05-09 1.30 -
    AntiVir 8.2.1.236 7.10.7.67 2010-05-09 0.27 -
    Antiy 2.0.18 20100506.4329166 2010-05-06 0.02 -
    Arcavir 2009 201005090100 2010-05-09 0.03 -
    Authentium 5.1.1 201005091550 2010-05-09 1.32 -
    AVAST! 4.7.4 100509-1 2010-05-09 0.01 -
    AVG 8.5.793 271.1.1/2864 2010-05-10 0.23 -
    BitDefender 7.81008.5853245 7.31588 2010-05-10 3.77 -
    ClamAV 0.95.3 10946 2010-05-09 0.01 -
    Comodo 3.13.579 4789 2010-05-08 0.96 -
    CP Secure 1.3.0.5 2010.05.07 2010-05-07 0.04 -
    Dr.Web 5.0.2.3300 2010.05.10 2010-05-10 7.17 -
    F-Prot 4.4.4.56 20100509 2010-05-09 1.28 -
    F-Secure 7.02.73807 2010.05.09.02 2010-05-09 0.18 -
    Fortinet 4.0.14 11.921 2010-05-09 0.14 -
    GData 21.120/21.42 20100509 2010-05-09 8.28 -
    ViRobot 20100508 2010.05.08 2010-05-08 0.49 -
    Ikarus T3.1.01.84 2010.05.10.75819 2010-05-10 6.25 -
    JiangMin 13.0.900 2010.05.09 2010-05-09 1.52 -
    Kaspersky 5.5.10 2010.05.09 2010-05-09 0.13 -
    KingSoft 2009.2.5.15 2010.5.9.20 2010-05-09 2.07 -
    McAfee 5400.1158 5974 2010-05-06 0.02 -
    Microsoft 1.5703 2010.05.09 2010-05-09 9.09 -
    Norman 6.04.12 6.04.00 2010-05-09 6.01 -
    Panda 9.05.01 2010.05.09 2010-05-09 3.62 -
    Trend Micro 9.120-1004 7.156.09 2010-05-09 0.03 -
    Quick Heal 10.00 2010.05.08 2010-05-08 2.25 -
    Rising 20.0 22.47.00.01 2010-05-10 1.77 -
    Sophos 3.07.1 4.53 2010-05-10 3.25 -
    Sunbelt 3.9.2421.2 6283 2010-05-09 6.99 -
    Symantec 1.3.0.24 20100509.002 2010-05-09 0.05 -
    nProtect 20100506.01 8111082 2010-05-06 8.67 -
    The Hacker 6.5.2.0 v00277 2010-05-06 0.40 -
    VBA32 3.12.12.4 20100506.1333 2010-05-06 2.55 -
    VirusBuster 4.5.11.10 10.126.21/2046965 2010-05-09 2.34 -
  9. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    VirSCAN.org Scanned Report :
    Scanned time : 2010/05/09 21:41:43 (CDT)
    Scanner results: Scanners did not find malware!
    File Name : explorer.exe
    File Size : 1033728 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 12896823fb95bfb3dc9b46bcaedc9923
    SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
    Online report : http://virscan.org/report/d333828bb3253c657dd366062e4bb4ce.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100508053127 2010-05-08 0.34 -
    AhnLab V3 2010.05.09.00 2010.05.09 2010-05-09 1.14 -
    AntiVir 8.2.1.236 7.10.7.67 2010-05-09 0.27 -
    Antiy 2.0.18 20100506.4329166 2010-05-06 0.02 -
    Arcavir 2009 201005090100 2010-05-09 0.08 -
    Authentium 5.1.1 201005091550 2010-05-09 2.29 -
    AVAST! 4.7.4 100509-1 2010-05-09 0.05 -
    AVG 8.5.793 271.1.1/2864 2010-05-10 0.23 -
    BitDefender 7.81008.5853245 7.31588 2010-05-10 3.75 -
    ClamAV 0.95.3 10946 2010-05-09 0.18 -
    Comodo 3.13.579 4789 2010-05-08 0.88 -
    CP Secure 1.3.0.5 2010.05.07 2010-05-07 0.11 -
    Dr.Web 5.0.2.3300 2010.05.10 2010-05-10 7.43 -
    F-Prot 4.4.4.56 20100509 2010-05-09 2.22 -
    F-Secure 7.02.73807 2010.05.09.02 2010-05-09 0.15 -
    Fortinet 4.0.14 11.921 2010-05-09 0.14 -
    GData 21.120/21.42 20100509 2010-05-09 6.94 -
    ViRobot 20100508 2010.05.08 2010-05-08 0.41 -
    Ikarus T3.1.01.84 2010.05.10.75819 2010-05-10 6.25 -
    JiangMin 13.0.900 2010.05.09 2010-05-09 1.21 -
    Kaspersky 5.5.10 2010.05.09 2010-05-09 0.08 -
    KingSoft 2009.2.5.15 2010.5.9.20 2010-05-09 0.64 -
    McAfee 5400.1158 5974 2010-05-06 0.02 -
    Microsoft 1.5703 2010.05.09 2010-05-09 6.52 -
    Norman 6.04.12 6.04.00 2010-05-09 6.01 -
    Panda 9.05.01 2010.05.09 2010-05-09 1.75 -
    Trend Micro 9.120-1004 7.156.09 2010-05-09 0.04 -
    Quick Heal 10.00 2010.05.08 2010-05-08 1.86 -
    Rising 20.0 22.47.00.01 2010-05-10 1.18 -
    Sophos 3.07.1 4.53 2010-05-10 3.25 -
    Sunbelt 3.9.2421.2 6283 2010-05-09 5.82 -
    Symantec 1.3.0.24 20100509.002 2010-05-09 0.08 -
    nProtect 20100506.01 8111082 2010-05-06 7.59 -
    The Hacker 6.5.2.0 v00277 2010-05-06 0.39 -
    VBA32 3.12.12.4 20100506.1333 2010-05-06 2.57 -
    VirusBuster 4.5.11.10 10.126.21/2046965 2010-05-09 2.75 -
  10. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    VirSCAN.org Scanned Report :
    Scanned time : 2010/05/09 21:43:47 (CDT)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 14336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
    SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
    Online report : http://virscan.org/report/76db865fb211eea48d2626cc32d13125.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100508053127 2010-05-08 0.29 -
    AhnLab V3 2010.05.09.00 2010.05.09 2010-05-09 1.18 -
    AntiVir 8.2.1.236 7.10.7.67 2010-05-09 0.25 -
    Antiy 2.0.18 20100506.4329166 2010-05-06 0.02 -
    Arcavir 2009 201005090100 2010-05-09 0.03 -
    Authentium 5.1.1 201005091550 2010-05-09 1.28 -
    AVAST! 4.7.4 100509-1 2010-05-09 0.00 -
    AVG 8.5.793 271.1.1/2864 2010-05-10 0.22 -
    BitDefender 7.81008.5853245 7.31588 2010-05-10 3.73 -
    ClamAV 0.95.3 10946 2010-05-09 0.01 -
    Comodo 3.13.579 4789 2010-05-08 0.87 -
    CP Secure 1.3.0.5 2010.05.07 2010-05-07 0.04 -
    Dr.Web 5.0.2.3300 2010.05.10 2010-05-10 7.05 -
    F-Prot 4.4.4.56 20100509 2010-05-09 1.27 -
    F-Secure 7.02.73807 2010.05.09.02 2010-05-09 0.12 -
    Fortinet 4.0.14 11.921 2010-05-09 0.14 -
    GData 21.120/21.42 20100509 2010-05-09 6.76 -
    ViRobot 20100508 2010.05.08 2010-05-08 0.41 -
    Ikarus T3.1.01.84 2010.05.10.75819 2010-05-10 6.27 -
    JiangMin 13.0.900 2010.05.09 2010-05-09 1.18 -
    Kaspersky 5.5.10 2010.05.09 2010-05-09 0.08 -
    KingSoft 2009.2.5.15 2010.5.9.20 2010-05-09 0.63 -
    McAfee 5400.1158 5974 2010-05-06 0.02 -
    Microsoft 1.5703 2010.05.09 2010-05-09 6.54 -
    Norman 6.04.12 6.04.00 2010-05-09 6.01 -
    Panda 9.05.01 2010.05.09 2010-05-09 1.72 -
    Trend Micro 9.120-1004 7.156.09 2010-05-09 0.03 -
    Quick Heal 10.00 2010.05.08 2010-05-08 1.50 -
    Rising 20.0 22.47.00.01 2010-05-10 1.18 -
    Sophos 3.07.1 4.53 2010-05-10 3.27 -
    Sunbelt 3.9.2421.2 6283 2010-05-09 5.91 -
    Symantec 1.3.0.24 20100509.002 2010-05-09 0.05 -
    nProtect 20100506.01 8111082 2010-05-06 8.11 -
    The Hacker 6.5.2.0 v00277 2010-05-06 0.39 -
    VBA32 3.12.12.4 20100506.1333 2010-05-06 2.46 -
    VirusBuster 4.5.11.10 10.126.21/2046965 2010-05-09 2.34 -
  11. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=1a481710fc156547847eeb2700b0ecca
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-05-05 05:27:19
    # local_time=2010-05-05 10:27:19 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5891 16776869 100 100 0 13189790 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=161386
    # found=3
    # cleaned=0
    # scan_time=15245
    C:\Cleaning Tools\ComboFix.exe a variant of Win32/Kryptik.AT trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    D:\rejoice101.exe probably a variant of Win32/Hupigon trojan 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=1a481710fc156547847eeb2700b0ecca
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-05-10 08:56:31
    # local_time=2010-05-10 01:56:31 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5891 16776869 100 100 0 13596739 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=167602
    # found=3
    # cleaned=0
    # scan_time=9644
    C:\Cleaning Tools\ComboFix.exe a variant of Win32/Kryptik.AT trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    D:\rejoice101.exe probably a variant of Win32/Hupigon trojan 00000000000000000000000000000000 I
     
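The ESET log posted above is a simple line-oriented format: `# key=value` header lines followed by one line per finding (path, threat name, a 32-hex-digit field, a flag). The parser below is an added example, not the forum's or ESET's own code; the field layout is inferred from the posted text, and the sample log is constructed from lines in that post. It reads the findings back out and cross-checks them against the `# found=` and `# cleaned=` counters, which is what a helper would do before deciding what still needs to be removed.

```python
"""Parse an ESET Online Scanner log (format inferred from the posted log)."""
import re
from dataclasses import dataclass, field

# Constructed sample: header lines and the three findings from the post above.
SAMPLE_LOG = r"""
# version=7
# end=finished
# remove_checked=false
# scanned=167602
# found=3
# cleaned=0
# scan_time=9644
C:\Cleaning Tools\ComboFix.exe a variant of Win32/Kryptik.AT trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
D:\rejoice101.exe probably a variant of Win32/Hupigon trojan 00000000000000000000000000000000 I
"""

# Assumption: a finding is "<drive path ending in an extension> <threat text> <32 hex> <flag>".
# The path is matched lazily up to the first ".ext " so threat names with spaces survive.
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4}) "
    r"(?P<threat>.+?) "
    r"(?P<hash>[0-9a-fA-F]{32}) "
    r"(?P<flag>\S+)$"
)


@dataclass
class EsetScan:
    meta: dict = field(default_factory=dict)      # "# key=value" headers (first value wins)
    findings: list = field(default_factory=list)  # dicts with path/threat/hash/flag


def parse_eset_log(text):
    """Split the log into header metadata and per-file findings."""
    scan = EsetScan()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                scan.meta.setdefault(key.strip(), value.strip())
            continue
        m = FINDING_RE.match(line)
        if m:
            scan.findings.append(m.groupdict())
    return scan


def triage(scan):
    """Compare parsed findings with the scanner's own counters.

    With remove_checked=false (as in the post) nothing was cleaned, so every
    reported path is still on disk and needs separate removal.
    """
    declared = int(scan.meta.get("found", "0"))
    cleaned = int(scan.meta.get("cleaned", "0"))
    remove_on = scan.meta.get("remove_checked", "false").lower() == "true"
    still_present = [] if (remove_on and cleaned > 0) else [f["path"] for f in scan.findings]
    return {
        "declared_found": declared,
        "parsed_found": len(scan.findings),
        "consistent": declared == len(scan.findings),
        "still_present": still_present,
        "drives": sorted({f["path"][0].upper() for f in scan.findings}),
    }


if __name__ == "__main__":
    result = triage(parse_eset_log(SAMPLE_LOG))
    for path in result["still_present"]:
        print("needs removal:", path)
```

The `drives` field is worth a look in a case like this one: a finding on `D:` means a second volume (here, the one holding `rejoice101.exe`) has to be included in any follow-up removal script, which the OTMoveIt script later in the thread does.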
  12. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    I am not using Trend Micro for security on this machine. I just posted the results which you asked for. Thanks! Sorry for the slow reply. Been busy :(
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The scan I had you do was a specific check for a Virut infection. I'm glad to see you don't have it.

    There are entries in Combofix for the Threatfire antivirus program drivers, which it appears you are not running. It also shows the installation of Avast on 5/4 and now you have added Eset. Multiple antivirus programs make the system more vulnerable, not less and they also slow the system down. Please decide whether you want Avast, Eset Nod32 or Threatfire and remove the others.
    ============================
    Please get the antivirus program settled first. Then before you run the script below
    disable all of the security as instructed here:
    [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Folder::
    
    DDS::
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    uSearchAssistant = 
    mSearchAssistant = 
    TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
    Hosts: 127.0.0.1	www.spywareinfo.com
    Hosts: 127.0.0*1	vaginpics.com
    
    Registry::
    
    DirLook::
    C:\b8015f3786318c19c4
    C:\a7c724bb81849baa05fbadc02019d873
    C:\found.000	
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ==========================
    Try to run GMER now.
    =============================
    Leave all logs and reports in next reply.
    ====================
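The CFScript above removes two `Hosts:` entries that DDS reported, one of which maps `www.spywareinfo.com` to `127.0.0.1`. Pointing security-related hostnames at loopback is a common way for malware to block updates and help sites, so it is worth auditing the hosts file directly rather than waiting for a scanner to list it. The script below is an added example, not the forum's or ComboFix's code: it parses hosts-file text and reports every hostname sent to a loopback or null address that is not one of the standard local names. The sample hosts file is constructed; the `spywareinfo.com` line mirrors the entry in the post, and the `.test` names are placeholders.

```python
"""Audit a hosts file for hostnames sinkholed to loopback/null addresses."""
import ipaddress

# Names that legitimately resolve to loopback in a stock hosts file.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed sample hosts file (Windows: C:\WINDOWS\system32\drivers\etc\hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.spywareinfo.com
0.0.0.0         update.example-av.test   # constructed vendor-style entry
192.0.2.10      intranet.example.test
"""


def parse_hosts(text):
    """Return (address, hostname) pairs; comments, blanks and junk lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not an address; ignore
        for name in parts[1:]:                 # one address may carry several names
            entries.append((addr, name.lower()))
    return entries


def sinkholed_names(text):
    """Hostnames mapped to loopback (127/8, ::1) or unspecified (0.0.0.0, ::)
    that are not standard local names. Each is returned as (name, address)."""
    suspicious = []
    for addr, name in parse_hosts(text):
        if (addr.is_loopback or addr.is_unspecified) and name not in LOCAL_NAMES:
            suspicious.append((name, str(addr)))
    return suspicious


if __name__ == "__main__":
    for name, addr in sinkholed_names(SAMPLE_HOSTS):
        print(f"review: {name} -> {addr}")
```

Some ad-blocking hosts files deliberately map advertising domains to `0.0.0.0`, so a hit is a prompt to check who added the line, not proof of infection; the entries that matter are the ones for security vendors, update servers and help forums, as in this thread.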
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry- I missed this:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files 
      C:\Cleaning Tools\ComboFix.exe
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip
      D:\rejoice101.exe 
       
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  15. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    ComboFix log

    ComboFix.txt was too big.

    Attached Files:

  16. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Cleaning Tools\ComboFix.exe moved successfully.
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip moved successfully.
    D:\rejoice101.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Compaq_Owner
    ->Temp folder emptied: 793278 bytes
    ->Temporary Internet Files folder emptied: 2777127 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 405 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 4570 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3154 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 3.00 mb


    OTM by OldTimer - Version 3.1.12.0 log created on 05122010_200049

    Files moved on Reboot...
    File C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\fla1.tmp not found!
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\IYFLTWS0\ads[1].htm moved successfully.
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\0CR8WY18\DARTIframe[1].htm moved successfully.
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\0CR8WY18\DARTIframe[2].htm moved successfully.
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\0CR8WY18\sh16[1].html moved successfully.
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\0CR8WY18\topic146692[2].html moved successfully.
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

    Registry entries deleted on Reboot...
  17. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    As far as I can see, I uninstalled all of the antivirus programs. No other antivirus is in add/remove programs. I installed Microsoft Security Essentials and am only using this one.

    Running Gmer somehow ends with just the desktop, no explorer, no icons. Only the mouse and the computer does not seem to be frozen. I can't do ctrl+alt+delete or any functions or commands except for moving the mouse cursor around. I did it with 'devices' unchecked as well.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please describe any remaining problems from the malware.

    You have custom-named some folders in the directory. At least one of them, C:\Cleaning Tools, had malware. It was on Combofix.exe which I had you remove, but has returned. I'm going to give you some script to run and hopefully remove any remaining malware files. Your first post with a description of problems does not seem all malware related:
    =============================
    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\TfFsMon.sys
    c:\windows\system32\drivers\TfSysMon.sys
    c:\windows\system32\drivers\TfNetMon.sys
    c:\program files\Spyware Doctor\TFEngine\TFService.exe 
    c:\windows\system32\drivers\ACEDRV08.sys
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_a5c.dat
    C:\ComboFix.exe
    Folder::
    C:\7c6154278172e0bb417121487b
    C:\b8015f3786318c19c4
    C:\a7c724bb81849baa05fbadc02019d873
    c:\documents and settings\Compaq_Owner\Application Data\Avira
    C:\Cleaning Tools
    C:\found.000
    Registry::
    
    Driver::
    TfFsMon
    TfSysMon
    TfNetMon
    ThreatFire
    ACEDRV08
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Please disable the Microsoft Error Reporting Service:
    Start> Run> type in services.msc> find Error Reporting and double click on it> change Startup type to Disabled> Stop the Service> Exit Services.
    ============================
    When you have finished with the script, please run a new scan with HijackThis which is already on the system and leave a new log along with the ComboFix report in your next reply.
  19. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    Thank you Bobbye. You've been a big help to me. I'll post up the results later tonight and hopefully we'll be done and we can work on the other thread I started.
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay. Later, then.
  21. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    ComboFix.txt was too big again.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:24:25 PM, on 5/13/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
    O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

    --
    End of file - 4817 bytes

    Attached Files:

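The HijackThis log above is a list of prefixed entries (`R1`, `O2`, `O4`, `O23`, ...) each carrying a CLSID and/or a file path. A helper reviewing many such logs usually wants them grouped by section, with the binaries and CLSIDs pulled out and any entry whose file is missing flagged. The parser below is an added example, not the forum's or HijackThis's code. Its sample log is constructed from lines in the post above plus one constructed `(no file)` entry that reuses the orphaned toolbar CLSID the DDS output earlier in the thread reported as `No File`.

```python
"""Parse a HijackThis-style log into sections, CLSIDs and file paths."""
import re
from collections import Counter

# Constructed sample: header plus a handful of entries from the posted log, and
# one constructed "(no file)" entry using the orphaned CLSID from the DDS output.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path up to the first executable-style extension (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per prefixed entry; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        entries.append({
            "code": code,
            "body": body,
            "clsids": CLSID_RE.findall(body),
            "paths": PATH_RE.findall(body),
            # HijackThis/DDS mark orphaned registrations with "no file"
            "missing_file": "no file" in body.lower(),
        })
    return entries


def summarize(entries):
    """Group entries by section and collect the distinct binaries and CLSIDs."""
    return {
        "by_section": dict(Counter(e["code"] for e in entries)),
        "clsids": sorted({c.upper() for e in entries for c in e["clsids"]}),
        "binaries": sorted({p.lower() for e in entries for p in e["paths"]}),
        "missing": [e["body"] for e in entries if e["missing_file"]],
    }


if __name__ == "__main__":
    s = summarize(parse_hjt(SAMPLE_HJT))
    print(s["by_section"])
    for body in s["missing"]:
        print("orphaned entry:", body)
```

Orphaned entries (a CLSID registered with no file behind it) are harmless by themselves but are leftovers worth cleaning, which is exactly why the earlier CFScript lists the `TB:` and `SEH:` lines marked `No File`. The distinct-binaries list is the set of files a reviewer would submit to a multi-engine scanner, as was done with `userinit.exe`, `explorer.exe` and `svchost.exe` above.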
  22. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    Everything looks pretty good so far. Thanks for helping me clean this computer up. Let me know what you think from the logs.
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Eggroll, I need to check on something. Please do not remove any files yet.
  24. Eggroll

    Eggroll Newcomer, in training Topic Starter Posts: 35

    What should I do now?
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    My goodness! It's Saturday- I slept later!

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    c:\program files\Alwil Software
    c:\documents and settings\All Users\Application Data\Alwil Software
    	
    Registry::
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . You do not need to leave the log.
    ====================
    If the original malware problems have been resolved, you can remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Let me know if I can be of further help.