computer wont boot normally, shuts down randomly, please help

Thanks for helping me. I unfortunately can't say much about this infection, because I really don't know much.
I’m running win7 64 bit.
Here’s how a typical session goes.
I start the computer. I get a bluescreen right after the Windows screen. It says c0000145 or some such, because %hs is missing.
I shut down.
It tells me it didn't start correctly last time, and I agree to let it run startup repair (the other option, start normally, yields the same bluescreen).
So it runs startup repair, which immediately asks if I want to restore (I choose yes because no returns a failed repair)
After half an hour, the computer finally restarts, restored to right before I installed avast. Usually I just reinstall it and scan, but regardless it does the next step, which is suddenly shutting down, and the whole process repeats.

Can you get onto your account again? If so, try to attempt these instructions and attach logs in your next post.
http://forum.avast.com/index.php?topic=53253.0

Here you are. Thanks again.

A qualified removal expert named essexboy is notified. You can rest while you wait for him to assist you. :)

Thank you very much! And thanks Essexboy, tales of your mastery have spread far and wide through the ansible web.

Hi, it is the latest variant and, as aswMBR has detected all elements, GMER assures me this will work… And I trust him.

Re-Run aswMBR

Click Scan

On completion of the scan
Click the Fix Button

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBR_Zero.png

Reboot the computer
Save the log as before and post in your next reply

THEN

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV:64bit: - [2009/07/13 20:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\tmlisten.dll -- (bcoreusb)
NetSvcs:64bit: bcoreusb - C:\Windows\SysNative\tmlisten.dll (Oak Technology Inc.)
[2012/03/13 22:38:43 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
[2012/01/15 15:24:28 | 000,008,742 | ---- | C] () -- C:\Users\Stefan\AppData\Roaming\4b730896
[2012/01/15 15:24:28 | 000,008,693 | ---- | C] () -- C:\Users\Stefan\AppData\Local\4b8b299c
[2012/01/15 15:24:28 | 000,008,663 | ---- | C] () -- C:\ProgramData\55192851
[2011/01/16 16:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Users\Stefan\AppData\Local\Temp\RarSFX0\procs\explorer.exe
[2011/01/16 16:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Users\Stefan\AppData\Local\Temp\RarSFX1\procs\explorer.exe
[2005/08/16 02:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\Stefan\AppData\Local\Temp\RarSFX0\h\explorer.exe
[2005/08/16 02:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\Stefan\AppData\Local\Temp\RarSFX1\h\explorer.exe
[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Stefan\AppData\Local\Temp\RarSFX0\userinit.exe
[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Stefan\AppData\Local\Temp\RarSFX1\userinit.exe
[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Stefan\AppData\Local\Temp\RarSFX0\winlogon.exe
[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Stefan\AppData\Local\Temp\RarSFX1\winlogon.exe
@Alternate Data Stream - 1202 bytes -> C:\Users\Stefan\AppData\Local\o9RwvGbsLEewxL:gFjrIl7OhyNRrku4MsRd09

:Files
ipconfig /flushdns /c
netsh winsock reset catalog /c
netsh int ip reset reset.log hit /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
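The OTL fix above removes a service entry (bcoreusb) that was registered in the svchost "netsvcs" group and pointed at a DLL in System32. The following PowerShell is an added example, not part of the thread or of OTL, showing how a defender can list every netsvcs member, the ServiceDll it loads, and that DLL's Authenticode signature so that such an entry stands out; the function name and property names are my own, and it assumes an elevated 64-bit PowerShell session on a Windows host.

```powershell
# Added example (not from the thread): enumerate svchost "netsvcs" group members with the
# DLL each one loads and the DLL's signature status. Run from an elevated 64-bit PowerShell
# so that System32 (not SysWOW64) paths are resolved.
function Get-NetSvcsGroupMembers {
    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    # netsvcs is a REG_MULTI_SZ; PowerShell returns it as a string array
    $members = (Get-ItemProperty -LiteralPath $groupKey -Name netsvcs).netsvcs

    foreach ($name in $members) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $installed = Test-Path -LiteralPath $svcKey
        # The hosted DLL is normally recorded under the service's Parameters subkey
        $params = Get-ItemProperty -LiteralPath "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
        $dll = if ($params) { [Environment]::ExpandEnvironmentVariables($params.ServiceDll) } else { $null }

        $signature = 'NoDll'
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $signature = (Get-AuthenticodeSignature -FilePath $dll).Status
        } elseif ($dll) {
            $signature = 'DllMissing'
        }

        [pscustomobject]@{
            Service    = $name
            Installed  = $installed
            ServiceDll = $dll
            Signature  = $signature
        }
    }
}

# Usage: the group lists many names that have no service key on a given machine, which is
# normal; the rows worth a second look are installed services whose DLL is unsigned,
# signed by an unexpected publisher, or missing.
Get-NetSvcsGroupMembers |
    Where-Object { $_.Installed -and $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Checking the signature rather than the path alone matters here because the rogue DLL in this thread sat in System32 with a plausible company name in its version resource, so a path-based whitelist would have passed it.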

I tried the aswMBR and it had the same error; the computer restarted and I had to do a system restore. The bluescreen says "c0000135" because "%hs" is missing. I'm going to try the OTL one and give you a log.

Hmm I wonder if the ads is the cause of that

Nope, OTL did the same thing. I couldn't provide a log, unfortunately, because it closed too fast. What is ads? Like advertisements?

No, it is an alternate data stream; this opens a file every time a folder is accessed.
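As an added example that is not part of this thread, the PowerShell below shows how the alternate data stream OTL reported above (the "@Alternate Data Stream - 1202 bytes" entry under AppData\Local) can be found without a removal tool: it walks a directory tree and lists every NTFS stream other than the default :$DATA content stream. The function name and parameter names are my own; it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example (not from the thread): list non-default NTFS alternate data streams under a
# directory tree. Zone.Identifier is the common, benign "downloaded from the Internet" marker
# and is hidden unless -IncludeZoneIdentifier is given.
function Find-AlternateDataStreams {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeZoneIdentifier
    )

    # -Force includes hidden/system items; directories are included because they can carry streams too
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Get-Item -Stream * enumerates every stream of the item; ':$DATA' is the normal file content
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path   = $item.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Usage: scan the profile folder that held the stream in the OTL log above, largest streams first
Find-AlternateDataStreams -Path $env:LOCALAPPDATA |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

A stream with a random-looking name on a directory or a data file is worth investigating, because ordinary applications rarely create them; once identified, the stream can be inspected with Get-Content -Stream or removed with Remove-Item -Stream before the host object is cleaned.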

OK bigger hammer

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\tmlisten.dll
C:\Windows\System32\tmlisten.dll

NetSvc::
bcoreusb

Driver::
bcoreusb

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Works great! I encountered the "marked for deletion" error but, like you said, I didn't panic and rebooted. It works! My computer is now virus free. Still can't find the log file though. Any tips on how to avoid this in the future?

Aww…I’m always happy to see this kind of ending to a terrible problem! ;D

Could you run a fresh OTL scan please, selecting all users and with the following scan script:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
/md5stop
C:\Windows\assembly\tmp\U*.* /s
Drives
CREATERESTOREPOINT