System Shutdown

[darts44]

Hi,
I am having trouble with the system shutdown.
The message pop up when i am on my PC and after 60 seconds shutdown my PC.
I try start>run type shutdown-a-, but don't work. Should i replace "a" by my name?
I scanned my PC a few time with my antivirals Norton and there is no virus.
I also have on my PC ZoneAlarm Pro.
I scanned with Spybot S&D and nothing.
I also have Acronis Backup Archive, the last backup was 21/08/2008, Acronis 1 to 10 in  EHD .MyBook (E).
My PC is XP , SP3.
Help, Help.... Thanks by anticipation.

[Saving space - attachment deleted by admin]

[cohen]

• That is a weird error, RPC was turminated.... now have you do anything to the OS recently?? installed or uninstalled anything....
• Have you terminated any exe file under task manager prior to this error coming up???
• How often does the error appear???

[evilfantasy]

See here http://sunbeltblog.blogspot.com/2008/09/c.html

Please follow our removal procedure HERE

Post the 3 logs when complete.

[darts44]

Hi,
Thank you for your fast answer, you are better than the MacDonald.
Here for a starter:
If by OS you mean Registry, i didn't do anything there. It is too tricky to touch if you don't knw what to do
and i don't .
Yes, i uninstalled "RegCure.EXE" and "RegCure Program Check job". I found these on my PC by surprise
, i can't remember i downloaded these two. I am very positif , i didn't put these 2 in the "Scheduled Tasks"
where i found them. I never put anything in the Scheduled tasks.
I also got a message from ZoneAlarm when the System Shutdown pop up, sayng "Spooler SubSystem App"
and i click "allow", but make no difference, my PC shutdown in 60 seconds. see screenshot.
The shutdown occur with shorter time (in +/_ 15 minutes ) when i am on the internet and longer (+/_ 45
minutes) not on the internet.
I also downloaded RegistryBooster and scanned my PC, it showed 656 registry errors, but i didn't clicked
on "clean the registry", because i wanted to ask you if it is safe to do it. I don't really trust programs fixing the registry.
Ididn't terminated EXE file under task manager as far as i can remember now.So much to think now...
I also downloaded "Rateku" but uninstalled prior to ask your help.


[Saving space - attachment deleted by admin]

[evilfantasy]

Look under my name and notice it says Malware Removal Specialist.

You can follow the guide and post the logs so we can help, or not. The choice is yours. HERE

Post the 3 logs when complete. Without logs it is all procrastination.

[darts44]

Logs from darts44
SuperAntispyware
Malwarebytes' Anti-Malware
HijackThis

[Saving space - attachment deleted by admin]

[evilfantasy]

Looks OK.

I am concerned with the O15 - Trusted Zone: entries. It is usually not advised to add anything to the Trusted Zone unless absolutely necessary. This leaves an open door for malware to exploit.

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator

• Under Main: Select Files to Delete choose: Select All.
  
• Click the Empty Selected button.
  
• If you use Firefox browser click Firefox at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• If you use Opera browser click Opera at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• Click Exit on the Main menu to close the program.

Note that your system will run slower for a reboot or two after having used this tool so don't panic.

Important: Restart the computer before continuing.

----------

How is everything now?

[darts44]

Hi,
Since i went into ZoneAlarm>Program>Components and i secured "winspool.drv" (windows Spooler Driver)
the little window "System Shutdown" didn't pop up on my PC.
I was quite surprise the little window "System Shutdown"didn't pop up when i was scanning with the SuperAntiSpyware, because it took such a long time to scan.
After i received your answer there was no virus or malwares, i did a scan with the microsoft " Windows Live One Care" and the result was under Protection:
4 severe issues found
       Trojan:win32/Mesoum.A
       TrojanDownloader:win32/Agent.ZDP
Virus:win32/Patched.B
        issue 1
        C:\windows\system32\spoolsv.exe.tmp
Note: here the "Spooler Subsystem App" of ZoneAlarm???
See screenshots for others.
I don't know what to think of "SuperAntiSpyware", "Malwarebytes" and "HijackThis". Why they didn't
pick up anything???
I also had an window for sometime showing at start up and couldn't remove , the window was from
"DivX" with all the icons of "DivX converter", "DivX player" , etc...
After the scan and clean up from microsoft, the window is not showing anymore in my start up on my PC.
Well, i am very happy my PC is back to normal.
Thanks to everyone.
 

[evilfantasy]

Trojan:win32/Mesoum.A
TrojanDownloader:win32/Agent.ZDP
Virus:win32/Patched.B

These are files that are already in quarantine which is why SAS or MBAM didn't find them...

C:\windows\system32\spoolsv.exe.tmp
Note: here the "Spooler Subsystem App" of ZoneAlarm???

This isn't "Spooler Subsystem App" of ZoneAlarm.



Don't put too much faith into what Windows Live One Care says.

[darts44]

I wish i could understant a bit more of these things!!!!!!
Here are the screenshots anyway.


[Saving space - attachment deleted by admin]

[evilfantasy]

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

[darts44]

PC is running very well
#1: ComboFix Log
#2:HijackThis Log
#3: I just want you to have a look at it
regards,

[Saving space - attachment deleted by admin]

[evilfantasy]

I can't tell much from the screenshots. Just names aren't enough, I have to have entire file paths.


• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

Download OTMoveIt2 by OldTimer and save it to your Desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.

[/list]

Code: [Select]

[kill explorer]
C:\WINDOWS\system32\dts12.exe
EmptyTemp
[start explorer]
3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2
.
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

After posting the OTMoveIt log.

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

• Click on SCAN NOW
  
• Click Accept.
  
• The program will then begin downloading the latest definition files.
• Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  
• The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As

• Next, in the Save as prompt, Save in area, select: Desktop.
  
• In the File name area use KScan, or something similar.
  
• In Save as type: click the drop arrow and select: Text file [*.txt]
  
• Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

[darts44]

I am having problems with OTMoveiIt2. See screenshots
(return to OTMoveIT2, right click in the "Paste List of Files/Folders to move"
window (under the yellow bar) and choose "Paste", i don't see the paste or copy???

[Saving space - attachment deleted by admin]

[evilfantasy]

You have everything right but you need to remove the [ /list] part.

See pic.

[Saving space - attachment deleted by admin]

[darts44]

OTMoveIT log

[Saving space - attachment deleted by admin]

[evilfantasy]

OK run the Kaspersky scan and post that log.

[darts44]

KScan Log

[Saving space - attachment deleted by admin]

[evilfantasy]

How is everything now?

[darts44]

After I passed the CCleaner, Clean disk with 1 click and defragmented my PC , it is like a new baby....
Thank you very much for your help, i am very grateful for this wonderful and fast help.

[evilfantasy]

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.