Solved Computer shuts down when running AVG scan

1. checkup.txt


Results of screen317's Security Check version 0.99.43
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG Anti-Virus Free Edition 2012
STOPzilla!
Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
Java(TM) 6 Update 24
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 11% Defragment your hard drive soon!
````````````````````End of Log``````````````````````
 
2. FSS.txt


Farbar Service Scanner Version: 06-08-2012
Ran by Janet (administrator) on 14-08-2012 at 15:39:03
Running from "C:\Documents and Settings\Janet\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(10) Gpc(4) IPSec(6) irda(3) NetBT(7) PSched(8) Tcpip(5)
0x0A000000060000000100000002000000030000000400000005000000090000000A0000000700000008000000
IpSec Tag value is correct.

**** End of log ****
 
4. ESET.txt



C:\Documents and Settings\Janet\My Documents\Downloads\1ClickDownloaderRemovalTool.exe probably a variant of Win32/SecurityStronghold application cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029185.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029186.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029187.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029188.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029189.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029190.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029191.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029192.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029193.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029198.exe Win32/Adware.1ClickDownload.C application cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029199.exe Win32/Adware.1ClickDownload.C application cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029200.exe Win32/Adware.1ClickDownload.C application cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029201.exe Win32/Adware.1ClickDownload.C application cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029202.exe Win32/Adware.1ClickDownload application cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029203.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029204.exe Win32/Adware.1ClickDownload.C application cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP282\A0029205.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP297\A0032676.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\System Volume Information\_restore{91E79622-DB2B-4709-83F9-4FA6BF2022E8}\RP297\A0032684.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
C:\_OTL\MovedFiles\08142012_152524\C_Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
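The "File Check" section of the FSS log above works by hashing core service and driver binaries and comparing each digest against a known-good value, printing "MD5 is legit" on a match. The script below is an added example of that kind of file-integrity check, written for this page; it is not FSS's own code. The file names, their contents and the baseline digests are constructed inside the script (real Windows file hashes are not used), so it runs offline; on a real machine the baseline would come from a trusted copy of the same files.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample "system files". Their contents are invented for the
# example; the digests recorded in the baseline are therefore assumptions
# too, not real Windows XP file hashes.
SAMPLE_FILES = {
    "svchost.exe": b"sample svchost contents\n",
    "tcpip.sys": b"sample tcpip contents\n",
    "afd.sys": b"sample afd contents\n",
}


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names, algorithm="md5"):
    """Record the digest of each named file under root: the known-clean snapshot."""
    return {name: file_digest(os.path.join(root, name), algorithm) for name in names}


def check_files(root, baseline, algorithm="md5"):
    """Compare the files under root against the baseline.

    Returns a dict mapping file name to one of:
      "legit"    - digest matches the baseline (what FSS prints as 'MD5 is legit')
      "MODIFIED" - digest differs: a patched binary, or simply a different build
      "MISSING"  - the file is not present at all
    """
    results = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif file_digest(path, algorithm) == expected:
            results[name] = "legit"
        else:
            results[name] = "MODIFIED"
    return results


def format_report(root, results, algorithm="md5"):
    """Render results as lines in the same style as the FSS File Check section."""
    return [f"{os.path.join(root, name)} => {algorithm.upper()} is {status}"
            for name, status in results.items()]


def demo():
    """Create the sample files, take a baseline, tamper with two of them, re-check."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in SAMPLE_FILES.items():
            Path(root, name).write_bytes(data)
        baseline = build_baseline(root, SAMPLE_FILES)
        clean = check_files(root, baseline)          # every file matches
        # Simulate a patched driver and a deleted one.
        Path(root, "tcpip.sys").write_bytes(b"patched tcpip contents\n")
        os.remove(os.path.join(root, "afd.sys"))
        after = check_files(root, baseline)          # two files now flagged
        for line in format_report(root, after):
            print(line)
        return clean, after


if __name__ == "__main__":
    demo()
```

Two things worth keeping in mind when reading a report like this: a match only proves the file is byte-identical to the baseline copy, so a baseline taken from a different service pack or hotfix level will flag a perfectly legitimate file as MODIFIED, and MD5 (the algorithm FSS reports) is collision-prone, so a baseline built today should use `algorithm="sha256"` instead; the code above accepts any name `hashlib` knows.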
 
Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions (if present).
Note: If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

==================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
On the ESET window, do I need to select the "Uninstall application on close" box or "Delete quarantined files" box before clicking 'Finish'?
 
You can delete quarantined files but don't uninstall.
You may use it in the future.
 
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Janet
->Temp folder emptied: 193866 bytes
->Temporary Internet Files folder emptied: 2268850 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 24548143 bytes
->Flash cache emptied: 379 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 629 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 26.00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: Janet
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default User

User: Janet
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.57.0 log created on 08152012_153731

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Thanks Broni. I've followed all the steps and have downloaded everything you advised. Thank you also for the #12 link. I know I need to do some reading and educate myself a little more.

Inquiries:
- My documents folder still says "ounm"

- I.search claro is still the first tab to open up when I open Google Chrome... I know I can adjust the default browser settings, but I want to make sure I don't still have whatever virus that came with.

- Lacking computer literacy, one of the toughest things with Windows is knowing what my computer needs and what I can just delete.... Under all programs tab there's a 'Browse Manager' program that I don't remember being there before I got the virus. Another one I'm not familiar with is 'Media Finder.' When I move the mouse over it, the next tab says "Get the Media Finder License." Can I get rid of both of these?
 
My documents folder still says "ounm"
I'm not sure what you're saying...

Uninstall Chrome...
  1. Go to Start > All Programs > Google Chrome > Uninstall Google Chrome.
  2. Delete your user profile information, like your browser preferences, bookmarks, and history, by selecting the "Also delete browser data" checkbox.
  3. Select the default browser you'd like to use.
  4. Click OK in the confirmation prompt.
The uninstall process will begin.
Install fresh copy.

Can I get rid of both of these?
I'm not sure. We'll need more info, but considering today's hard drives being huge, I'd leave those alone.
 
Somehow, the title of the folder that opens to 'My Documents' was changed from "Janet" to "ounm". I know I can just rename it, but I want to make sure whatever caused that folder to be renamed on its own has been addressed.

When I right click on a document in this folder then properties, the Location still correctly reads:
"C:\Documents and Settings\ Janet (not ounm)\ My Documents\etc".... However I noticed a couple days ago when I uploaded a file from this folder onto a website using a Browse then Upload feature, the description in the box read something like "C:\fakepath\my documents\ resume"

OK, will do
 
Hmmm, I don't think the user name needs to be changed, my user name still says Janet. In fact if I open My Computer, the folder titled Janet's Documents still exists and has all the same files as the 'ounm' folder.

If I click Start and then right click properties on the ounm folder, it says: "The ounm folder is a shortcut to the target folder location shown below." Then below in the box it looks like this.....

Target: C:\Documents and Settings\Janet\My Documents

- I think I have more than one folder that leads to my documents. One of which is titled ounm and I have no idea where it came from. But it's also on my desktop and is shown when you click Start above My Pictures, My Music folders etc.
 
Both items in your Start menu and on your desktop are just shortcuts.
You can simply delete them.

Anything else?
 
No I guess that's it for now. Thanks again for all your help!

If I do have more questions in the future, should I create a new thread, or just add on to this one so you can see my history?
 
It depends.
If something comes up in next couple of days you can ask here.
If later, a new topic will be needed.

Good luck and stay safe :)
 