Help- Computer restarts itself

Discussion in 'Malware Help (A Specialist Will Reply)' started by Mocca4, Apr 21, 2007.

  1. Mocca4

    Mocca4 Private E-2

    Hi
    My computer keeps restarting itself when it tries to connect to the internet. I rang the service provider and everything is ok at their end.
    I have run the instructed programs in safe mode and CounterSpy found a few things. I could not run Spybot as I cannot connect to the internet to update it.
    I have attached the requested logs.
    Any help is appreciated.
    Thanks
    Mocca4
     


  2. Mocca4

    Mocca4 Private E-2

    Here's my CounterSpy log
     


  3. Mocca4

    Mocca4 Private E-2

    Sorry, I forgot to say that CounterSpy wouldn't let me fix the problems, so I ran AVG which didn't find anything.
    Thanks
    Mocca
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are using very old, outdated versions of GetRunKey and ShowNew. You must always work from the current online version of the READ & RUN ME. Please try to get the current versions onto your PC somehow and attach new logs from them if possible.

    If you ran CounterSpy in safe mode, try running it in normal mode and see if you can fix problems. Or has your free trial period already expired??

    Also see if you can get the below downloaded onto your PC. We are going to need it.

    Pocket KillBox

    Then also see if you can follow the directions in this link: ChodeFix - How download and run

    If you could, then attach a new log from GetRunKey after running ChodeFix.
     
  5. Mocca4

    Mocca4 Private E-2

    OK I got the newer versions and have posted the logs after I ran ChodeFix.
    When I ran ChodeFix I saw all the messages that the How To guide said, although there were no other steps. After it said press any key to continue it closed. Not sure if that's supposed to happen??
    And I have downloaded Pocket Killbox.
    Here's my new logs
    Thanks
    Mocca
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may be infected by Rootkit.DialCall which is a form of the Gromozon Rootkit. Please run the below tool and save the log and attach it when you come back:

    Gromozon Rootkit Removal Tool

    The actual infection may try to confuse you in an attempt to block the above tool from running. If you see a popup window that looks anything like the one below, just close the window by clicking the X and allow the Rootkit Removal Tool to run.

    Gromozon-Donation.jpg


    After running the Gromozon Rootkit Removal Tool, navigate with Windows Explorer to the folder where you extracted ChodeFix. Locate the fixChode.reg file and double-click on it. Allow it to be added to the registry. Tell me if you receive a success message.


    Now uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    • Select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • Then click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\iexplorer32.dll
    C:\WINDOWS\mdm32.dll
    C:\WINDOWS\scrss32.dll
    C:\WINDOWS\spoolvs32.dll
    C:\WINDOWS\syshost.dll
    C:\WINDOWS\syst32.dll
    C:\WINDOWS\winsmgr32.dll
    C:\WINDOWS\25135121248.exe
    C:\WINDOWS\systpro32.exe
    C:\WINDOWS\systempro32.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now attach the below new logs and tell me how the above steps went.

    1. the log from Gromozon Rootkit Removal
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  7. Mocca4

    Mocca4 Private E-2

    Hi
    I did all the steps, although I could not find how to view and save a detailed log for the Gromozon Rootkit Removal Tool, although it said that Trojan Gromozon could not be detected on this system.
    fixChode registry was successful and also fixit.reg.
    After I deleted the files with Killbox and the computer rebooted I tried to connect to the internet again. It stayed connected for a couple of seconds but then the computer rebooted itself.
    Attached are the requested logs except for Gromozon. Sorry.
    Thanks
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Program Files\Sunbelt Software


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O1 - Hosts: ECHO is off.
    O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\Documents and Settings\Toscano\418204829.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    • Select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • Then click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Toscano\418204829.dll
    C:\WINDOWS\system32\drivers\etc\hosts
    C:\WINDOWS\system32\drivers\etc\NetAR.wlt
    C:\WINDOWS\system32\drivers\etc\NetFlt.cfg
    C:\WINDOWS\system32\drivers\etc\SmsFlt.cfg
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot, download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!


    If you are still having problems with reboots, get the answers to the below
    • if you never open a browser or otherwise connect to the internet, does your PC still reboot on its own
    • if you boot in safe mode, does your PC remain running
    • what happens if you connect to the internet in safe mode
    • if you are using Internet Explorer for browsing, what happens if you run Mozilla FireFox instead
    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.

     
  9. Mocca4

    Mocca4 Private E-2

    Hi
    I've followed all the steps but the computer still restarts itself on connection to the internet.
    ANSWERS TO QUESTIONS
    if you never open a browser or otherwise connect to the internet, does your PC still reboot on its own - No
    if you boot in safe mode, does your PC remain running - Yes
    what happens if you connect to the internet in safe mode - Stays connected to the internet, does not reboot
    if you are using Internet Explorer for browsing, what happens if you run Mozilla FireFox instead - I downloaded this and ran it, however the computer still reboots when connected

    I also ran Blacklight and it said it found nothing...again i could see how to save log

    Attached are the latest other logs
    Thanks
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm starting to think you are not having malware problems! It may be due to some other software you are running. I want to try a few things. Below is the first to try.

    • Click Start, Run and enter msconfig and click OK. This will start the System Configuration Utility.
    • Click the Startup tab
    • Locate each of the below items. Note the name in bold brackets is what you should see in the column labeled Startup Item
    • As you locate each item, uncheck it.
    • After unchecking all the listed items, reboot your PC into normal mode.
    • Now what happens if you connect to the internet?
    • If this does not change the problem at all, then run MSconfig again, re-check all items and reboot again.
     
  11. Mocca4

    Mocca4 Private E-2

    Hi
    I followed all the steps and unchecked what you told me, however it still reboots on connection to the net.
    I did notice that [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    is checked on startup even after I uncheck it, and instead of KernelFaultCheck, it's called dumprep 0 -k. I don't know if this is anything but it's the only one that remains checked even though I unchecked it before rebooting.
    Thanks
    Mocca
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are used in connection with memory dumps. You can disable these by right-clicking on My Computer, selecting Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane, under 'Write debugging information', click on the down arrow and then select 'None'. OK your way out.

    These normally occur due to hardware or software conflicts of some form.

    Since disabling the startups did not help, you should then move on to the Services tab in MSconfig and experiment with disabling some of the services. I would first suggest that you select the option to hide Microsoft services and then experiment with disabling some of the other services that remain. Only disable one or two at a time, reboot and then see what happens. Just note that disabling certain services will cause inability to access the internet. Some of the non-Microsoft services show in the O23 lines of your HJT log:
    Disabling these from loading at startup (while still having the other startup processes disabled too) would be your next step.


    At any rate you are really outside the realm of malware. Your problem really appears to be related to certain software or drivers that load in normal boot mode and not in safe mode. That is what my suggestions about using MSconfig are trying to help you determine.
     
    Last edited: Apr 24, 2007
  13. Mocca4

    Mocca4 Private E-2

    Hi
    I went through your suggestions, still no better.
    I went to Device Manager just to have a look, however it is not the screen that I remember being there. There is no list of things on my computer; it is a screen named Console Root, and it says there are no items to show in this view. I don't know what this is but I don't think it should be there, or am I being too suspicious now? (This is after I rebooted with everything I unchecked checked again.) So where is my Device Manager?
    Should I start posting on another forum if it's no longer a malware problem?
    thanks
    Mocca
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    With all startups and services disabled, your computer will not work the same as in Normal Startup mode, which could explain why you cannot see Device Manager. Just run MSconfig and select Normal Startup and everything will be enabled again.

    Yes, you are going to have to post in another forum, but you could try running MSconfig and selecting Diagnostic Startup mode and see what happens. I'm not sure if your network interface card will work in this mode though.
     
    Last edited: Apr 25, 2007
  15. Mocca4

    Mocca4 Private E-2

    Hi
    The Device Manager thing does happen in normal mode.
    Anyway, because I can get to the internet in safe mode I just realised that I can do a Panda and BitDefender scan. Even though you don't think it's malware I've posted my logs. They found a few things.
    Thanks for all your help,
    Mocca
     


  16. Mocca4

    Mocca4 Private E-2

    bitdefender log
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While BitDefender found two items, it removed both and neither would cause problems like you are having.

    Did you try Diagnostic Startup mode?
     
  18. Mocca4

    Mocca4 Private E-2

    Hi, how are you?
    I tried Diagnostic Startup but I think you were right that my network
    interface card wouldn't work in this mode. When I clicked on Explore it just said connection not found.
    Trying to go to safe mode one time I pressed 'disable system reboot on failure' (or something) accidentally and it came up with the following message on a blue screen when it tried to connect:
    A problem has been detected and windows had to shutdown.....
    DRIVER_IRQL_NOT_LESS_OR_EQUAL....
    It then went on to say about checking hardware and software recently installed and how to get to safe mode. Then it had technical information:
    ***STOP: 0x000000D1(0x00000000,0x00000002,0x00000000, 0x00000000)
    Beginning dump of physical memory
    dump complete

    I haven't installed any hardware or software for ages.
    Oh, by the way, my mum said she would hear a clicking noise from the computer a few days before we had this problem. Not sure what it was.
    I still don't have a Device Manager even in normal mode.
    Do you think it's time I went to a hardware forum or is there something else you could tell me to try?

    Thanks again for your help...
     
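Decoding the STOP line quoted in the post above, as an added example that is not part of the thread: for bug check 0xD1 the four parameters are the referenced address, the IRQL, the access type and the faulting instruction address (per Microsoft's public bug check reference), and the values here read as a driver reading address 0 at DISPATCH_LEVEL, which is consistent with chaslang's view that a driver loading in normal mode is at fault rather than malware. The `near_null` flag is my own heuristic, and `PAGE_STOP_LINE` is the line copied from the post.

```python
import re

# Bug check codes seen in this thread, with the meaning of their four
# parameters as documented in Microsoft's public bug check reference.
BUGCHECKS = {
    0xD1: ("DRIVER_IRQL_NOT_LESS_OR_EQUAL",
           ("referenced_address", "irql", "access_type", "faulting_address")),
}
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
ACCESS_TYPES = {0: "read", 1: "write", 2: "execute", 8: "execute"}

# Matches "*** STOP: 0x000000D1 (0x..., 0x..., 0x..., 0x...)" as printed on
# the Windows XP blue screen; whitespace between the pieces is optional.
STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)")

# The STOP line as quoted in the post above (constructed input for the demo).
PAGE_STOP_LINE = "***STOP: 0x000000D1(0x00000000,0x00000002,0x00000000, 0x00000000)"


def parse_stop_line(line):
    """Return (code, [p1, p2, p3, p4]) from a STOP line, or None if absent."""
    m = STOP_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    params = [int(p.strip(), 16) for p in m.group(2).split(",") if p.strip()]
    return code, params


def decode_stop(line):
    """Decode a STOP line into named fields; only 0xD1 is decoded in detail."""
    parsed = parse_stop_line(line)
    if parsed is None:
        raise ValueError("no STOP code found in line")
    code, params = parsed
    name, labels = BUGCHECKS.get(
        code, ("UNKNOWN", ("param1", "param2", "param3", "param4")))
    info = {"code": code, "name": name}
    info.update(zip(labels, params))
    if code == 0xD1 and len(params) == 4:
        info["irql_name"] = IRQL_NAMES.get(params[1], "level %d" % params[1])
        info["access"] = ACCESS_TYPES.get(params[2], "unknown")
        # Heuristic (mine): a tiny referenced address points to a NULL or
        # near-NULL pointer dereference by a driver rather than a wild pointer.
        info["near_null"] = params[0] < 0x1000
    return info


def summarize(line):
    """One-line, human-readable reading of the STOP code."""
    info = decode_stop(line)
    if info["name"] != "DRIVER_IRQL_NOT_LESS_OR_EQUAL":
        return "bug check 0x%X (%s)" % (info["code"], info["name"])
    return ("0x%X %s: driver %s memory at 0x%08X while running at %s; "
            "faulting code at 0x%08X" % (
                info["code"], info["name"], info["access"],
                info["referenced_address"], info["irql_name"],
                info["faulting_address"]))
```

Calling `summarize(PAGE_STOP_LINE)` gives the reading used above; the faulting address of 0 on this XP box means the crash dump, not the blue screen, is needed to name the driver.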
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you could be having hardware problems too if your PC was making noises.

    Yes it is time to go to either the Hardware or Software Forums. I still feel it is somehow related to software or drivers that load in normal boot mode but not in safe mode. Make sure you explain all the details of your problems clearly.
     
  20. Mocca4

    Mocca4 Private E-2

    Ok
    thanks so much for your help this far.
    Bye
    Mocca
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
