
Please help ... Computer turns off during the scan



In the ComboFix file, I did find one combofix.txt document:

 

ComboFix 10-03-16.03 - Owner 03/16/2010 22:35:33.8.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.189 [GMT -4:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

 

That's all that's there and it's the only one that's there.


Download and install SUPERAntiSpyware Free

 

* Start SUPERAntiSpyware and click Check for updates. If you encounter any problems while downloading the updates, manually download and unzip them from here.

 

* Once the update is finished, on the main screen, click Scan your computer

* Check Perform Complete Scan

* Click Next to start the scan.

 

* When finished SUPERAntiSpyware will list all the infections found.

* Make sure everything found has a check next to it and press Next

* Then click Finish

 

- It is possible that SUPERAntiSpyware asks to reboot the PC in order to delete some files; please do so.

 

Locate the SUPERAntiSpyware log as follows:

 

* Click: Preferences

* Click the Statistics/Logs tab

* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log

* The log will open in your default text editor (such as Notepad)

* Post the SUPERAntiSpyware log in your reply.


Log

 

Sorry it took so long. It downloaded, installed, updated and ran okay, but then the laptop couldn't connect to the internet.

 

The log is as follows:

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 03/17/2010 at 01:40 PM

 

Application Version : 4.34.1000

 

Core Rules Database Version : 4690

Trace Rules Database Version: 2502

 

Scan type : Complete Scan

Total Scan Time : 00:49:29

 

Memory items scanned : 571

Memory threats detected : 0

Registry items scanned : 5050

Registry threats detected : 0

File items scanned : 20058

File threats detected : 4

 

Trojan.Agent/Gen-Nullo[short]

C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP543\A0206180.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP543\A0206182.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP543\A0207285.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP543\A0207286.DLL


* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.

* Now type Combofix /Uninstall in the runbox

* Make sure there's a space between Combofix and /Uninstall

* Then hit Enter

 

* The above procedure will:

* Delete the following:

* ComboFix and its associated files and folders.

* Reset the clock settings.

* Hide file extensions, if required.

* Hide System/Hidden files, if required.

* Set a new, clean Restore Point.

----------

 

ESET Online Scan

 

Scan your computer with the ESET FREE Online Virus Scan

 

* Click the ESET Online Scanner button.

 

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

 

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the <<Back button then click Finish.

 

In your next reply please include the ESET Online Scan Log


I uninstalled ComboFix. A 'notice' that a new restore point was set didn't show up, but I am assuming a new restore point WAS set and I just wasn't notified.

 

I downloaded the ESET Free Online Virus Scanner and it was scanning when the laptop shut down. I have downloaded and started it again and am waiting for it to finish (or shut down).


Download WhoCrashed to your desktop.

 

* Double click on the file you just downloaded and run it.

* Put a tick in Accept then click on Next

* Put a tick in the Don't create a start menu folder then click Next

* Put a tick in Create a Desktop Icon then click on Install and make sure there is a check mark in Launch Whocrashed before clicking Finish

* Click Analyze

* It will want to download the Debugger and install it, choose Yes

 

WhoCrashed will create a report, but you have to scroll down to see it.

 

Copy and paste the report into your next reply.


WhoCrashed

 

The program never gave me an option for 'Don't create a start menu folder' while it was installing and it never gave me the option to download the "Debugger", but here is the log it created:

 

 

 

 

--------------------------------------------------------------------------------

Home Edition notice

--------------------------------------------------------------------------------

 

This version of WhoCrashed is free for use at home only. If you would like to use this software at work or in a commercial environment you should get the professional edition. The professional edition of WhoCrashed also allows analysis of crashdumps on remote drives and computers on the network and offers more detailed analysis.

 

 

--------------------------------------------------------------------------------

Analysis

--------------------------------------------------------------------------------

 

Crash dump directory: C:\WINDOWS\Minidump

 

Crash dumps are enabled on your computer.

 

 

No valid crash dumps have been found on your computer

 

 

--------------------------------------------------------------------------------

Conclusion

--------------------------------------------------------------------------------

 

Crash dumps are enabled and no valid crash dumps have been found on your computer. In case your computer does experience sudden reboots it is likely these are caused by malfunctioning hardware, power failure or a thermal issue. To troubleshoot a thermal issue, check the temperature using your BIOS setup program, check for dust in CPU and motherboard fans and if your computer is portable make sure it's located on a hard surface. Otherwise it's suggested you contact the support department of the manufacturer of your system or test your system with a memory test utility for further investigation.


Well that didn't produce anything useful.

 

I'm beginning to think this is more of a computer issue than it is a malware issue.

 

Do you need a shortcut to IE on the desktop? Right click on Desktop, and then go to Properties -> Desktop -> Customize Desktop, and tick or untick Internet Explorer in Desktop Items section.

 

Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)

 

Restart the computer and let me know how it's running now.


Thank you!

 

I have just finished creating a working IE icon on the laptop desktop. Thank you! :-)

 

I have used this new IE connection to go to Microsoft Update to download the latest critical updates. The only update was the Windows Genuine Advantage Validation Tool (KB892130). (The laptop seemed to get updates often while I have been working on it, so it was probably up-to-date.)

 

A few random comments:

 

The laptop has been running extremely well since you have been guiding me with all these fixes. When we started, the laptop wouldn't even stay on a whole minute. Now it can run for hours without shutting down. It still has a few problems, which, I agree, are probably not malware-related (like all the connection options in the "Network Connections"), and it still seems to be getting Trojans here and there; but, for all practical purposes, I would say that it appears that it's fixed!

 

IObit Security 360 Full Scan can now completely run its course to finish. That was impossible when we first started. The laptop wouldn't even allow me to go to any anti-spyware site, remember?

 

We have deleted more than 250 viruses/Trojans/etc. since we started.

 

The laptop only shuts down now when I tried to run ESET Free Online Virus Scanner (so, we're not going to use that program! :-). When the laptop is just 'on', it doesn't shut down.

 

I could NEVER have done this without you! My daughter (and her friends) thought she needed to completely erase everything in the whole computer and start over. She is thrilled that she will be able to keep her document files, music, pictures, etc. AND use the laptop!!!

 

Thank you SOOOOO much for all the hours of help and advice you have shared with me. :-) (I have learned a lot!) You're awesome!!!


Let's get one more scan to double check for rootkits.

 

RootRepeal - Rootkit Detector

 

* Download the following tool: RootRepeal - Rootkit Detector

* Direct download link is here: RootRepeal.zip

 

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.

* Click this link to see a list of such programs and how to disable them.

 

* Extract the program file to a new folder such as C:\RootRepeal

* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.

* Select ALL of the checkboxes and then click OK and it will start scanning your system.

* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.

* When done, click on Save Report

* Save it to the same location where you ran it from, such as C:\RootRepeal

* Save it as rootrepeal.txt

* Then open that log and select all and copy/paste it back on your next reply please.

* Close RootRepeal.

 

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in Safe Mode


RootRepeal Report

 

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/03/17 21:16

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP2

==================================================

 

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xEFAFF000 Size: 98304 File Visible: No Signed: -

Status: -

 

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8C72000 Size: 8192 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEF5E0000 Size: 49152 File Visible: No Signed: -

Status: -

 

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

 

SSDT

-------------------

#: 025 Function Name: NtClose

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6ac56

 

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6ab12

 

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6b0c6

 

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6aff0

 

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6a6e8

 

#: 119 Function Name: NtOpenKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6abec

 

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6a628

 

#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6a68c

 

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6ad0c

 

#: 192 Function Name: NtRenameKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6b194

 

#: 204 Function Name: NtRestoreKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6accc

 

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6ae4c

 

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xefc7d320

 

==EOF==

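The SSDT section of the report above is the part that needs reading: every hooked service call has to be attributed to a driver you can account for. Here the hooks belong to avast's self-protection driver (aswSP.SYS) and SUPERAntiSpyware's kernel driver (SASKUTIL.sys), which is why nothing in the report points to remaining malware. The script below is an added example, not part of the thread or of RootRepeal: it parses RootRepeal's "#: ... Function Name:" / "Status: Hooked by ..." pairs, groups the hooks by driver, and lists any hook whose driver is not in a table of known security products. The product table is an assumption for this example (populate it from what your own machine runs), and the fourth entry in the sample (example_unknown.sys) is made up so that the unattributed branch is exercised.

```python
import re

# Known security-product drivers that legitimately hook the SSDT. Assumption for this
# example: these are the two products the thread's report shows; extend the table with
# whatever your own environment runs.
KNOWN_HOOKING_DRIVERS = {
    "aswsp.sys": "avast! self-protection driver",
    "saskutil.sys": "SUPERAntiSpyware kernel utility driver",
}

# Constructed excerpt in RootRepeal's report format: the first three entries copy the
# thread's report, the fourth (example_unknown.sys) is a made-up entry so that the
# "unattributed hook" path is exercised.
SAMPLE_REPORT = r"""
SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6ac56

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefb6ab12

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xefc7d320

#: 199 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\System32\Drivers\example_unknown.sys" at address 0xef000000

==EOF==
"""

ENTRY_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\w+)\s*$")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)\s*$')


def parse_ssdt(report):
    """Return one dict per hooked SSDT entry: index, function, driver path, address.
    RootRepeal prints each entry as a '#:' line followed by a 'Status:' line; '#:'
    lines only occur in the SSDT section, so the whole report can be fed in."""
    hooks = []
    pending = None
    for line in report.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = HOOK_RE.match(line)
        if m and pending:
            index, function = pending
            hooks.append({
                "index": index,
                "function": function,
                "driver": m.group(1),
                "address": int(m.group(2), 16),
            })
            pending = None
    return hooks


def driver_name(path):
    # Report paths are Windows paths; keep the last component with its original case.
    return path.rsplit("\\", 1)[-1]


def attribute_hooks(hooks, known=KNOWN_HOOKING_DRIVERS):
    """Group hooks by driver and tag each driver with the product it belongs to
    (None when the driver is not in the table and therefore needs a closer look)."""
    summary = {}
    for h in hooks:
        name = driver_name(h["driver"])
        entry = summary.setdefault(name, {"product": known.get(name.lower()), "functions": []})
        entry["functions"].append(h["function"])
    return summary


def unattributed(hooks, known=KNOWN_HOOKING_DRIVERS):
    """Hooks whose driver is not a known security product: the ones worth investigating."""
    return [h for h in hooks if driver_name(h["driver"]).lower() not in known]


if __name__ == "__main__":
    hooks = parse_ssdt(SAMPLE_REPORT)
    for name, info in attribute_hooks(hooks).items():
        label = info["product"] or "UNKNOWN - investigate"
        print(f"{name}: {label}: {', '.join(info['functions'])}")
    for h in unattributed(hooks):
        print(f"unattributed hook: #{h['index']:03d} {h['function']} -> {h['driver']} @ {h['address']:#010x}")
```

Matching on the driver's file name alone is a triage shortcut: a rootkit can name its driver after a legitimate one, so an unexpected path (the report prints the full path) or a hook from a "known" driver in an unusual location should still be checked against the product's installation and the file's signature.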

Hi again.

 

I'm not seeing anything to indicate any remaining malware. Let's finish cleaning up our mess and then see how things are.

 

Download OTC by OldTimer and save it to your desktop.

 

1. Double-click OTC to run it.

2. Click the CleanUp! button.

3. Select Yes when the "Begin cleanup Process?" prompt appears.

4. If you are prompted to Reboot during the cleanup, select Yes

5. OTC should delete itself once it finishes, if not delete it yourself.

 

----------

 

Use the Secunia Software Inspector to check for out of date software.

Click Start Scanner

Check the box next to Enable thorough system inspection.

Click Start

Allow the scan to finish and scroll down to see if any updates are needed.

Update anything listed.

 

----------

 

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

 

----------

 

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.

* Using SpywareBlaster to protect your computer from Spyware and Malware

 

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.

* Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

 

Learn more about how to protect yourself while on the Internet from the following link: So how did I get infected in the first place? by Tony Klein.


Wow .. quite a list! It's okay, though ... I'll get through it. Thank you very much for caring enough to continue making the laptop the best it can be!

 

I used the OTC CleanUp.

 

The Secunia Software Inspector won't work. It says the laptop has no Sun Java and that "There might be a problem loading the Java Applet in your browser."


The Secunia Software Inspector won't work. It says the laptop has no Sun Java and that "There might be a problem loading the Java Applet in your browser."

 

That happens with some computers and I have not figured out why. You can use the installable version, Secunia Personal Software Inspector (PSI). It's free and you can have it run all of the time or just launch it whenever you want to use it.

 

After you get everything updated please try this. If you have your XP install CD then place it in the disk drive before starting. If not then try it anyway and let me know what happens.

 

* Click on Start > Run and type sfc /scannow then press Enter on your keyboard. (note the space between sfc and /scannow)

* Let this run undisturbed until the window with the blue progress bar goes away.


Before I forget. You need to run this on the computer also to help prevent the autorun worms that were part of the problem.

 

Panda USB and AutoRun Vaccine

 

Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

 

Download Panda USB and AutoRun Vaccine and save it to your desktop.

 

* Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.

* Open that folder and double-click on USBVaccine.exe to start the program.

* Click Run

* Click the button to Vaccinate computer.

* Insert your USB flash drive.

* When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).

* Exit Panda USB and AutoRun Vaccine when done.

 

Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

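The note above describes what vaccination does to a drive's autorun.inf without showing what an autorun worm's file actually contains or how to tell a vaccinated drive from an infected one. The following is an added example, not part of the thread or of Panda's tool: it parses the [autorun] section of an autorun.inf, picks out the directives that launch a program (open=, shellexecute= and the shell\<verb>\command= entries), and classifies a drive root as having no autorun.inf, a vaccinated one (a directory occupying the name, or a file that cannot be read), an icon/label-only one, or one that would run code. The sample autorun.inf is constructed, the launcher name in it is a placeholder, and "a directory named autorun.inf" is one vaccination technique assumed here, not a statement about how Panda's tool works.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample in the classic autorun-worm layout: every directive that AutoRun
# acts on points at the same launcher, and the context-menu verbs are overridden so
# that "Open" and "Explore" also run it. The executable name is a placeholder.
SAMPLE_AUTORUN = """\
[AutoRun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=RECYCLER\\example_launcher.exe
shell\\open\\Command=RECYCLER\\example_launcher.exe
shell\\explore\\command=RECYCLER\\example_launcher.exe
action=Open folder to view files
"""

# A benign autorun.inf only customises the drive's icon and label.
BENIGN_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Vendor Install Disc
"""

EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\=]+\\command$")


def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}.
    Worm-written files often carry junk lines or unrelated sections; only the
    [autorun] section matters, and lines without '=' are ignored."""
    directives = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def execution_directives(directives):
    """Keep only the directives that launch a program: open=, shellexecute=,
    and shell\\<verb>\\command= (the verbs shown in the drive's context menu)."""
    return {k: v for k, v in directives.items()
            if k in EXEC_KEYS or SHELL_COMMAND_RE.match(k)}


def audit_drive_root(root):
    """Classify a drive root: no autorun.inf, a vaccinated (directory or unreadable)
    autorun.inf, an autorun.inf that only sets icon/label, or one that launches code."""
    root = Path(root)
    # Windows file names are case-insensitive, so match AUTORUN.INF, autorun.inf, ...
    matches = [p for p in root.iterdir() if p.name.lower() == "autorun.inf"]
    if not matches:
        return {"status": "absent", "launches": {}}
    entry = matches[0]
    if entry.is_dir():
        # One vaccination technique: occupy the name with a directory so no file can replace it.
        return {"status": "vaccinated", "launches": {}}
    try:
        text = entry.read_text(errors="replace")
    except OSError:
        # Vaccines that leave a locked, unreadable file land here.
        return {"status": "vaccinated", "launches": {}}
    launches = execution_directives(parse_autorun(text))
    return {"status": "executes" if launches else "icon-only", "launches": launches}


def demo():
    """Build three constructed drive roots in a temp directory and audit each."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, setup in (("clean", None), ("vaccinated", "dir"), ("worm", SAMPLE_AUTORUN)):
            root = Path(tmp) / name
            root.mkdir()
            if setup == "dir":
                (root / "autorun.inf").mkdir()
            elif setup:
                (root / "autorun.inf").write_text(setup)
            results.append(audit_drive_root(root)["status"])
    return results


if __name__ == "__main__":
    print(demo())
    print(execution_directives(parse_autorun(SAMPLE_AUTORUN)))
```

Run it against the root of a mounted removable drive (audit_drive_root("E:\\") on Windows) to see which category the drive falls into. An "executes" verdict means the drive carries instructions that a pre-vaccination XP machine would follow on insertion, which is exactly what the vaccine on the computer side prevents.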

I’m sure you're wondering if I have been slacking off since I haven’t posted anything, but I haven’t. I’ve been working (though maybe not as hard as I should be because I have been running across little problems).

 

I read the “So how did I get infected in the first place” first. This is all just SO complicated! I don’t even know what some of these things (like ‘activex control’ or ‘flash player’) are, but I will keep re-reading the article in the hope of learning more about all of this.

 

After I wrote and before you replied, (and because I am insecure in my own ability sometimes to follow instructions with computer-related stuff), I uninstalled (from the Add/Remove Programs) the Java program and reinstalled it. I tried running it again and, of course, got the same message. But, when I read your post, I downloaded Secunia Personal Software Inspector (PSI) and ran it. It came up with 5 outdated programs (which, of course, this morning I can't remember the name of!), and I followed the 'Solutions' and hopefully updated them.

 

IE6 will not complete the upgrade to IE8 regardless of what I do. It says I am missing some sort of Microsoft update that allows it to update, but the laptop is up-to-date on updates as far as I can tell.

 

Another huge project was finding the Operating System cd that came with the laptop. I finally found it late last night … unopened … and I will run that sfc /scannow as soon as I download and install the SpywareBlaster, WOT, and Spybot. Question: Can you ever have too many spyware/virus/malware programs on a computer?

 

Okay…I am off to work on it again. Thank you, again, for all the help!!! 


I download and install the SpywareBlaster, WOT, and Spybot. Question: Can you ever have too many spyware/virus/malware programs on a computer?

 

Those are all passive protection and are just an added layer of security.

 

For the update issues. Try Dial-a-fix.

 

Download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.

 

  • Open the folder and run Dial-a-fix.exe
  • 2 windows will open. Close the one in the background labeled Restrictive Policies
  • Check the box in section 1, Empty temp folders.
  • Check the box in section 2, Fix Windows Installer.
  • Check the box in section 3, Fix Windows Update.
  • Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
  • Check all boxes in section 5, labeled Registration Center.
  • Click Go
  • OK any error messages if received, but write them down and post them here.
  • Restart the computer when done.

 

Is the problem fixed?

