PC rebooting itself ...?? Malware issue ..?

Discussion in 'Malware Help (A Specialist Will Reply)' started by paperclip, Oct 26, 2007.

  1. paperclip

    paperclip Private E-2

    Hi Guys,

    I am hoping someone can help me please ...? Recently my computer has started to behave strangely ... i.e. it just switches itself off without warning ... I have followed the Malware removal first steps guide and I have enclosed the logs as specified ... One issue I had was that I was unable to complete the Pandascan it seemed to abort midway thru. At this stage it had detected some issues ..

    many thanks


  2. paperclip

    paperclip Private E-2

    Additional files ... thanks ...!

  3. abri

    abri MajorGeek

    Hi paperclip!

    A Symantec service is running on your computer which may be conflicting with your antivirus program. Is this a left over service or are you still using something of Symantec's?

    ShowNew did not run correctly on your computer. Please try running again at the end of the instructions I'm going to give you. Counterspy found and quarantined two keyloggers. If you do online banking and if you did not install the keyloggers yourself you are strongly urged to do the following.
    Please let me know about the Symantec and whether you are able to get ShowNew running if you try it again.
    Thanks.
    abri
     
  4. paperclip

    paperclip Private E-2

    Hi abri,

    thanks for getting back so quick ... keylogger is something I tried myself ... I thought I had removed it but obviously not successfully.... :eek::eek:

    I also thought I completely removed symantec/norton ... they seem to be impossible to get rid of ... :mad

    I tried ShowNew again see enclosed ... however I think it has failed to run correctly again ... should I extract it to a different location ...?

    Many thanks again ... :)

  5. abri

    abri MajorGeek

    paperclip,

    Please try running this: Norton Removal Tool (SymNRT)

    As for ShowNew, if you're running it from the same folder where you have GetRunKeys (or one at the same level), then it should be running. It should be located in a folder you made yourself, located under the root drive, usually C:\
    Please uninstall it and I'll give you a newer version which installs itself. Be sure to look for the right instructions for your operating system. This will create an all-in-one MGTools.exe file which you can then run. It will produce a zipped set of logs you can then post to us and I will see if ShowNew can run this way.

    USING MG TOOLS

    abri
     
  6. paperclip

    paperclip Private E-2

    Thanks abri ...

    I have run the Norton Removal tool (I'm fairly sure that I did this before ...)

    I have also used MGTools as directed ... ZIP enclosed ...

    Thanks again ... :)

  7. abri

    abri MajorGeek

    Hi paperclip,
    I don't see any evidence of malware, but the Symantec program is still there and you have some old Java versions to get rid of.

    1) We need to remove a bad service, please follow the below…
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Core LC
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    Now Click OK until you get back to Windows.

    2) We are finished with CounterSpy now. Please go to add/remove programs and uninstall:

    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1
    Counterspy <-- we're finished with this
    Symantec Technical Support Web Controls


    3) After that, check for the following folders and if found, please delete them from Windows Explorer:

    C:\Documents and Settings\Gina\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Documents and Settings\Gina\Application Data\Symantec
    C:\Program Files\Sunbelt Software

    Please post a fresh HijackThis log so I can see if the Symantec service is now gone.

    One of the most common reasons for unexpected shutdowns is overheating, which can be caused by an accumulation of dust in the fans and vents. After you've finished the above, please do the following. If you have a desktop or a tower computer, please unplug it from the electricity and open it and see if there is dust inside the case. Be very careful not to touch anything or to allow the fans to spin if you try to use the vacuum cleaner.

    abri
     
  8. paperclip

    paperclip Private E-2

    Hi abri,

    Followed your instructions below .. with the exception of uninstalling Symantec Technical Support Web Controls ... I was unable to find the uninstall routine (did not appear in the add/remove programs list ...

    Folders all deleted ...

    You could be right about possible overheating issue. Computer is used a lot now and while I have cleaned inside the case a number of times before I haven't done it recently.

    many thanks again ... :):)

    New hijackthis enclosed ...

  9. abri

    abri MajorGeek

    Please do this next:


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to RdnaoFlSvc
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.

    After you've completed the above, please do the following:


    1) Please go to add/remove programs and uninstall the following:

    2) Please go to Windows Explorer and look for these folders which may remain and delete them:

    C:\Documents and Settings\Gina\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Documents and Settings\Gina\Application Data\Symantec
    C:\Program Files\Sunbelt Software
    C:\Program Files\rnamfler


    3) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    4) After you have completed the above, please attach the following logs.
    • MGTools.zip


    abri
     
    Last edited: Oct 27, 2007
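The service and folder steps above (services.msc, Stop Service, Start-up Type Disabled, then deleting the leftover folders) can also be done and, more importantly, checked from a script. The following is an added example, not code from this thread or from MajorGeeks; it uses the service and folder names abri listed, prints what each service actually runs before anything is changed, and takes a -WhatIf switch so it can be run as a report first. It assumes an elevated PowerShell prompt; Get-WmiObject is used rather than Get-CimInstance so it also works on the older PowerShell versions found on XP-era machines.

```powershell
# Added example (not from the thread): inspect, stop and disable named services,
# then look for the leftover folders from the instructions above.
# Run as:  .\Disable-LeftoverService.ps1 -WhatIf     (report only)
#          .\Disable-LeftoverService.ps1             (apply the changes)
param(
    [string[]]$ServiceNames = @('Symantec Core LC', 'RdnaoFlSvc'),   # names from the thread
    [string[]]$LeftoverFolders = @(
        'C:\Documents and Settings\Gina\Application Data\Sunbelt Software',
        'C:\Documents and Settings\All Users\Application Data\Sunbelt Software',
        'C:\Documents and Settings\Gina\Application Data\Symantec',
        'C:\Program Files\Sunbelt Software',
        'C:\Program Files\rnamfler'
    ),
    [switch]$WhatIf   # dry run: report only, change nothing
)

foreach ($name in $ServiceNames) {
    # services.msc shows the display name; the registry/SCM use the short name.
    # Match on either so the name copied from the services list works.
    $svc = Get-WmiObject Win32_Service |
        Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name } |
        Select-Object -First 1
    if (-not $svc) {
        Write-Host "[ok] service '$name' not present"
        continue
    }

    # Record the image path before touching the service. A binary that is already
    # missing, or that lives outside Program Files / System32, is worth scanning at
    # VirusTotal or Jotti (as done later in this thread) rather than just disabling.
    $imagePath = $svc.PathName -replace '"', ''
    if ($imagePath -match '^(.*?\.exe)') { $imagePath = $Matches[1] }
    $onDisk = if ($imagePath) { Test-Path -Path $imagePath } else { $false }

    Write-Host ("[found] {0} (display '{1}') state={2} start={3}" -f `
        $svc.Name, $svc.DisplayName, $svc.State, $svc.StartMode)
    Write-Host "        image: $imagePath  (on disk: $onDisk)"
    if ($WhatIf) { continue }

    # Same order as the manual steps: stop first, then set start-up type to Disabled.
    if ($svc.State -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    }
    Set-Service -Name $svc.Name -StartupType Disabled
    $after = Get-Service -Name $svc.Name
    Write-Host "        now: state=$($after.Status), start-up type set to Disabled"
}

foreach ($folder in $LeftoverFolders) {
    if (-not (Test-Path -Path $folder)) {
        Write-Host "[ok] $folder not present"
        continue
    }
    # Count what is inside so the report shows whether this is an empty stub or
    # a folder that still holds program files.
    $count = (Get-ChildItem -Path $folder -Recurse -Force -ErrorAction SilentlyContinue |
        Measure-Object).Count
    Write-Host "[leftover] $folder ($count items)"
    if (-not $WhatIf) {
        Remove-Item -Path $folder -Recurse -Force
        Write-Host "           deleted"
    }
}
```

Running it once with -WhatIf and pasting the output into a reply gives a helper the same information the services.msc screen does (display name, state, start-up type) plus the path of the binary the service runs, which the manual steps never show.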
  10. paperclip

    paperclip Private E-2

    Hi abri,

    I have done what you suggested ...

    Many thanks ...

    MGLog on the way .... can't attach now ...

    Last edited: Oct 27, 2007
  11. abri

    abri MajorGeek

    Hi Paperclip,
    Sorry for the delay!

    First some questions:
    1) Do you want this on your computer? SC-KeyLog 2.25 If not, please go to add/remove programs and uninstall it.

    2) Did any of your problems start in connection with using games from this company? Zylom

    Please do the following:

    1) Please upload the following file(s) to either VirusTotal or jotti and have it/them scanned. Let me know the results of the scan. (If you've never done this, either of the links will take you to a website where there's a small window with a "Browse" button next to it. Click on the Browse button to find the file you wish to have scanned in your computer and then submit it for a scan. Jotti and virustotal use many different antivirus programs to scan single files and produce a report).
    2) If you do not use Windows Messenger (this is not MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Now scan with HijackThis and check the boxes for the following entries. I'll give you two sets. One to fix and one to think about fixing if they are things that don't need to be in startup. ( Make sure ALL browser windows are closed when you click FIX )
    After clicking Fix, exit HJT.

    4) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Please post a fresh set of logs (MGTools.zip)
    abri
     
  12. abri

    abri MajorGeek

    Sorry! I didn't post the sites for Jotti and VirusTotal correctly in my last instructions to you. Here they are:

    Please scan the following file(s) with either
    jotti or VirusTotal and let me know the results. (VirusTotal may be slightly less busy than Jotti, in case you land in a wait list.)

    If you haven't yet done this, please just scan these two rather than all four listed in post #11. The two .tmp files, I'll have you delete with Avenger after I find out your results for these two:
    abri
     
  13. paperclip

    paperclip Private E-2

    Hi abri,

    thanks for getting back again ... :):)

    1) I scanned both files using VirusTotal ... both came back negative (no problems ... I can attach results if you need).

    2) Can't remove SC-KeyLog 2.25. Uninstall cannot open "INSTALL.LOG" file ... can I manually uninstall it ...?

    3) Windows Messenger now uninstalled

    executed steps 3 & 4 below ... MGTools.ZIP enclosed

    Many thanks ...

  14. abri

    abri MajorGeek

    Hi paperclip!

    Did you start using the gaming company called Zylom do you remember? I wondered if this started at the same time as your computer problems.

    Please do the following:

    1) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    2) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    3) Please run ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    4) After you have completed ALL of the above in the correct order, please run the MgTools.exe and attach the following logs.
    • Avenger Log
    • MGTools log
    abri
     
  15. paperclip

    paperclip Private E-2

    Hi abri,

    once again ... thanks for your help ...

    not sure how I encountered Zylom, probably downloading a game for the kids ... (pester power does unfortunately work .. :) )

    Followed steps as instructed ...

    Not sure avenger worked as expected ... :(

    Thanks again ... :cool
     
  16. paperclip

    paperclip Private E-2

    :wave

    attachments ... sorry sometimes don't have option to add with original post ..??????????????????? :confused

    cheers

  17. abri

    abri MajorGeek

    Hi paperclip!

    Usually when Avenger doesn't run correctly, it's because something was done wrong in running it. One thing to try is disconnecting from the internet and running it without your antivirus program running. Can you tell me what happened when you ran it? Did you extract it to the Desktop from the zip file or did you put the zip file on the desktop and run it directly out of the zip file? It needs to be extracted. If you did that correctly, did you get the choices listed in the instructions? - the input script manually choice and the magnifying glass? If so, when you copied the text in the box, did you include the words Folders to delete, Files to delete: etc along with the actual file names?

    If after all of the above, it doesn't work in normal mode, does it work in safe mode?

    abri
     
  18. paperclip

    paperclip Private E-2

    Hi abri,

    sorry for not getting back sooner ... been away ... (work not pleasure)

    Successfully run this time (I think) .. disconnected network & disabled AV.

    Attached both avenger & new MGLog

    thanks again ... :)

  19. abri

    abri MajorGeek

    Hi paperclip!
    Sorry, I was sick.

    Both of these programs are listed in your uninstalls list.

    - Symantec Technical Support Web Controls
    - SC-KeyLog 2.25


    If you can't find them in add/remove programs, try this. Open CCleaner and click on tools and look at the uninstalls list there. See if you find either of them, and if so, uninstall them there.

    Has anything we've done so far had any influence whatsoever on your computer shutting down unexpectedly? If the problem is still there, does it simply blink out and it's gone? Or does it go to a blue screen? Or something else?

    abri
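When a program shows up in an uninstalls list but cannot be found or run from Add/Remove Programs, the entry behind that list is a registry key, and reading it directly shows the uninstall command and install folder the list is built from. The following is an added example, not code from this thread, MajorGeeks or CCleaner; it searches the Uninstall keys for the two names abri lists above (the -Pattern value is a regular expression and can be changed) and prints the key, the uninstall command and whether the install folder still exists. Nothing is uninstalled or deleted by it.

```powershell
# Added example (not from the thread): list Add/Remove Programs entries whose
# name matches a pattern by reading the Uninstall registry keys directly.
# Run as:  .\Find-UninstallEntry.ps1 -Pattern 'SC-KeyLog|Symantec Technical Support'
param(
    [string]$Pattern = 'SC-KeyLog|Symantec Technical Support'   # names from the thread
)

# The three places Add/Remove Programs reads from; the Wow6432Node key only
# exists on 64-bit Windows and is skipped when absent.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$found = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $p = Get-ItemProperty -Path $sub.PSPath
        # Entries without a DisplayName are hidden from the list but still present;
        # fall back to the key name so they are not missed.
        $label = if ($p.DisplayName) { $p.DisplayName } else { $sub.PSChildName }
        if ($label -notmatch $Pattern) { continue }
        New-Object PSObject -Property @{
            Name            = $label
            Key             = $sub.PSPath -replace '^.*::', ''
            UninstallString = $p.UninstallString
            InstallLocation = $p.InstallLocation
        }
    }
}

if (-not $found) {
    Write-Host "no Add/Remove Programs entry matches '$Pattern'"
} else {
    foreach ($f in $found) {
        Write-Host "[entry] $($f.Name)"
        Write-Host "        key:       $($f.Key)"
        Write-Host "        uninstall: $($f.UninstallString)"
        if ($f.InstallLocation) {
            $exists = Test-Path -Path $f.InstallLocation
            Write-Host "        location:  $($f.InstallLocation)  (exists: $exists)"
        }
    }
}
```

An uninstaller that fails the way paperclip describes (it cannot open its INSTALL.LOG) usually means the program folder or its log was removed before the uninstall ran; seeing the key, the command it runs and whether the folder still exists lets a helper judge what is left to clean up by hand.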
     
  20. paperclip

    paperclip Private E-2

    Hi abri,

    sorry to hear you weren't well ... :( ... I hope you're doing better now ...

    I can only find the - SC-KeyLog 2.25 applications in "uninstall" options but the - SC-KeyLog 2.25 one doesn't run successfully ... Can't find the other one.

    To be honest the computer appears to be behaving itself at the moment ... I get the feeling what we have done already may have solved the problem. (famous last words :) )

    Thanks again ... :highfive
     
  21. abri

    abri MajorGeek

    Hi paperclip!
    If the keylogger is something you installed yourself, I wouldn't worry about it. I will add a note to someone to get back to you and let you know if you can simply delete it without uninstalling it.

    If your computer is working at the moment, I would not do anything further except to follow our final cleaning instructions which will allow you to get rid of all the logs and tools, set a new restore point and point you at a good read about how to protect yourself from malware. If you find you have further difficulties, just come back.

    Here are the last instructions:
    abri
     
  22. paperclip

    paperclip Private E-2

    Hi abri,

    Will do as you suggested ...

    Many many many thanks for all your help :) :)

    :clap :clap
     
  23. abri

    abri MajorGeek

    you're welcome!

    Many positive endeavors with your computer!

    abri
     