
Please help ... Computer turns off during the scan



I'm really hoping someone can help me. My daughter's laptop acquired a virus that looks like roaches crawling out from the sides of the screen. I managed to download IObit Security 360 V1.41 onto her computer.

 

The first time I ran a scan, it ran for about 4 minutes, got halfway through the scan, found over 100 threats and the computer shut down.

 

When I rebooted and tried to scan the computer again, it kept going to a log that said the scan was finished and 0 threats were found. So, I uninstalled it and re-installed it.

 

I started the scan again and it got more than halfway through it with 113 threats found and the computer shut down.

 

Can I delete any of these 113 threats before the scan is finished (and before the computer shuts down)?

 

Could this scan and removal be done in 'Safe Mode'? Do you think that would stop the computer from shutting down?

 

Does anyone know of any way to remove this 'roach' virus from her computer?

 

Thank you for any help anyone can give us. (I am not that good with computers!)

Link to comment
Share on other sites


hi --mom--,

 

Yes this scan and removal can be done in Safe Mode.

While you are doing the scan, pressing "Stop" will let you remove those 113 threats first.

 

But before you remove those 113 threats, can you please "Save a Report" (Bottom left), and post the Log on here as well?

 

 

Cheers.

Link to comment
Share on other sites

Update on my progress (or lack of progress)

 

Thank you for the 'welcome to the forum', evilfantasy and sorry, again, for sending that private message when I couldn't find my post. (I probably could have found it if I wasn't so frustrated, but thank you for the link to it, too.)

 

Okay, as I said, I have the 'Hijack Scan' in Notepad on her desktop, but I can't get it to my computer to post it here. (I am going to try to copy it to a disk as soon as I post this and see if I can bring the disk to my computer and download the information here from it.) The problem is that she doesn't have IE on her computer ... she has 'Firefox' and I can't get it to connect to any website even though the laptop is connected to the internet. evilfantasy has given me a suggestion which I am going to try. It's just time-consuming because I have to write out all the instructions I am getting longhand. I'll get it done, though.

 

Thank you, Magic[Hunter], for your help. Before you posted, I was still trying to complete some kind of scan and managed to complete a 'SmartScan' that removed the 100+ threats so I didn't 'save a report'. I then tried to do a Full Scan, but the computer has been shutting down during the scan.

 

(I'm going back to the laptop with a disk.)

Link to comment
Share on other sites

Have you tried restarting the laptop to see if that fixes the connection issue?

 

If you are going to transfer files then transfer this ComboFix installer over to the infected computer and install then run it.

 

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the laptop's Desktop.

 

Link #1

Link #2

 

Note: It is important that it is saved directly to your Desktop.

 

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

 

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

 

Double click combofix.exe & follow the prompts.

Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

When finished ComboFix will produce a log for you.

Post the ComboFix log in your next reply.

 

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

 

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

 

If you have problems with ComboFix usage, see How to use ComboFix

Link to comment
Share on other sites

The Hijack Scan

 

Thank you for your last suggestion, evilfantasy. I honestly don't understand exactly what that is supposed to do or how to do it, but I will read it again after I get all these other problems solved. I truly DO appreciate it, though!

 

Hijack Scan

 

Logfile of IObit HijackScan v1.0.0.0

Scan saved at 20:23:41, on 2010-3-9

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Digital Media Reader\shwicon2k.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\AVG\AVG8\aAvgApi.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\Windows NT\Accessories\wordpad.exe

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

 

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\AVGTOO~1.DLL

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: []

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [sunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: - CmdMapping -

O9 - Extra button: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com Explorer Bar - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}YInstHelper.YInstStarter.1 - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O23 - Service: Adobe LM Service (Adobe LM Service) - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller (Ati HotKey Poller) - Unknown - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: PrismXL (PrismXL) - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: WLTRYSVC (WLTRYSVC) - Unknown - C:\WINDOWS\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe

Link to comment
Share on other sites
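A log in the format posted above can be triaged offline. This is an added example, not part of the thread and not IObit's own code: it parses the `Running processes:` list and the `O4` autorun lines and marks entries worth a closer look. The sample lines are copied from the log above; the function names and flag labels are hypothetical, and a flag is a review hint, not a verdict.

```python
import re
from typing import NamedTuple

# Lines copied from the HijackScan log posted in this thread (a subset).
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: []
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
"""

# "O4 - <hive>|<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (HK\w+)\|(\\.*?\\): \[(.*?)\]\s*(.*)$')
# Image path: either quoted, or unquoted up to the first executable extension.
IMAGE_RE = re.compile(
    r'^(?:"([^"]+)"|(.*?\.(?:exe|bat|com|scr|dll))(?=\s|$))', re.I)
PROC_RE = re.compile(r'^[A-Za-z]:\\')  # a bare path line = running process


class Autorun(NamedTuple):
    hive: str
    name: str
    command: str
    image: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Return (set of running image names, list of Autorun entries)."""
    running, autoruns = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if PROC_RE.match(line):
            running.add(basename(line))
            continue
        m = O4_RE.match(line)
        if m:
            hive, _key, name, command = m.groups()
            im = IMAGE_RE.match(command)
            image = (im.group(1) or im.group(2)) if im else ""
            autoruns.append(Autorun(hive, name, command, image))
    return running, autoruns


def triage(text):
    """Return (hive, value name, flags) for autoruns that merit review."""
    running, autoruns = parse_log(text)
    findings = []
    for e in autoruns:
        flags = []
        if not e.name and not e.command:
            flags.append("empty-entry")      # Run value with no name or data
        else:
            if "\\" not in e.image:
                flags.append("relative-path")  # resolved via the search path
            if basename(e.image) not in running:
                flags.append("not-running")    # exited, blocked, or missing
        if flags:
            findings.append((e.hive, e.name, flags))
    return findings


if __name__ == "__main__":
    for hive, name, flags in triage(SAMPLE_LOG):
        print(f"{hive} [{name}] -> {', '.join(flags)}")
```

Many legitimate autoruns exit right after start, so `not-running` only narrows what to check by hand against the full process list.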

A new day ... new problems....

 

I apologize for not posting the results of my progress last night before retiring, but I was mentally and physically exhausted at some point and just gave up for the night.

 

I am going to work on that ComboFix suggestion today although now that some of those viruses have been removed, Firefox sometimes connects! (Sometimes it doesn't, though, too.)

 

After reading about disabling her virus protection to use that ComboFix, I tried to open her AVG8 and it wouldn't open ... it would just flash something on the screen that disappeared before I could really read it. I looked in 'Add/Remove Programs' and saw that AVG hadn't been used since 2008, so I was going to uninstall it with the intention of reinstalling it, but it couldn't be uninstalled. I went looking for it in the 'Programs' file and tried manually deleting each of it, but so many of those little files cannot be removed that I gave up. Earlier this morning I turned on the laptop, connected to Firefox and typed 'AVG' into the search engine in the hope of finding an AVG8 free download to install it (hoping that would 'fill in' the corrupted parts of the AVG program that's stuck in the laptop). Every time I type anything that has to do with AVG into the search engine window, Firefox shuts down.

 

The Full Scan on the Security 360 program still shuts down the computer halfway through the scan. Up until that halfway point, however, there are no threats detected.

 

As I went to bed last night, I thought about how nice it is that there are warm-hearted, patient, kind, knowledgeable people like you out here in cyberspace who are helping people like me. Thank you so much again!

 

Off to work on the computer ....

Link to comment
Share on other sites

Laptop will not allow ComboFix.exe to download

 

Computers are SO frustrating!

 

Firefox IS running (sometimes); however, when I tried to download ComboFix.exe from download.bleepingcomputer.com or any other recommended site, Firefox simply shuts down (but the laptop continues running...which is a MAJOR improvement!). So, I downloaded the application onto a disk via my computer and I tried to open/save the application to the laptop desktop, but the following error message came up: "Some installation files are corrupt. Please download a fresh copy and retry the installation." ... Then a little window remains on the screen that says "Combo Fix" with a smaller box with green and white lines in it (as if it were downloading).

 

I have researched everything I can find on uninstalling avg completely, but every time I type avg in anywhere on the laptop, the window in which I am typing it closes (Firefox, Run, ...). I downloaded the avg removal tools onto a disk and tried to run each of them and the run window disappeared every time with nothing downloading.

 

I tried running the Security 360 full scan again this morning, but it still shuts down when it's a little more than halfway finished. There are no threats found at the time it shuts down.

 

Any new suggestions?

Link to comment
Share on other sites

I'm going to go ahead and leave this information so if you need it it's here.

 

I will be sending you a Private Message with some instructions to follow. We are doing this privately to keep the info out of the hands of the malware creators. Please do not mention the name of the utility we will be giving you or where you are getting it from. Just try to do what we ask you to do and then post back here with any problems you had. Again, in mentioning your problems, please don't refer to the program by name. Just call it "the utility" or "the program". For example, your response could be:

 

The program ran OK. Or the program would not run, I received the following error message...(put your error message here).

 

Check your PM inbox for more information.

Link to comment
Share on other sites

The other thing that's really bothering me now is that there is no anti-virus protection on the machine. Do you think that more malware is going to slip in through these 'trojans' that are supposedly still in files somewhere?

 

The damage is already done. Having an antivirus at this point will not make a difference. The malware would just block it also.

 

Since the malware is killing everything we try, including the specialized tools, you are going to need to try a Rescue CD which should work since it is Linux based and does not need Windows to work.

 

Depending on your computer you may need to tap F8, F12 or another key when the computer first starts to get to the boot options. On my laptop I have to tap the ESC key to get to the boot options.

 

You will need a CD. If you have any questions please ask here.

 

Avira AntiVir Rescue System

 

1. Download the Avira AntiVir Rescue System

- If you need a free burning application, CDBurnerXP works on all operating systems from Microsoft Windows 2000 SP4 onwards.

2. Place a blank CD in your burner and double-click on the downloaded file.

3. The program will automatically burn the CD for you.

4. Place the burned CD into the affected computer and start the computer with the CD in the CD tray.

5. On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.

6. Click on the Configuration button.

 

- Select Scan all files

- Select Try to repair infected files and Rename files, if they cannot be removed

- Select Scan for dialers

- Select Scan for joke programs (Jokes)

- Select Scan for games

- Select Scan for spyware (SPR)

 

7. Click on Virus scanner

8. Click on Start scanner at the bottom of the screen.

 

9. Let Avira finish its scan and then remove any threats found and then exit out of the scanner.

10. Take the CD out of the CD/DVD tray and then restart the computer.

 

If needed see this Tutorial for the Avira Rescue CD

 

Let me know how that goes and how the computer is running when it is finished. It does not create a log so don't worry about that.

Link to comment
Share on other sites

Attempt at using Avira AntiVir Rescue System CD

 

Once again, I have spent hours working on this problem before returning here to post my lack of progress. I started last night creating one of those Avira AntiVir Rescue System CDs (actually I made 3 of them because the first one wasn't working and I thought maybe it was the cd, but I find today that none of the cds will work).

 

I followed the instructions, but the computer refused to boot from the cd. I went to the Tutorial (which I have been working with today as well) and followed the instructions for when Windows starts instead of the CD. By tapping the F2 of the laptop, the BIOS Setup Utility came up and I tried it that way ... it didn't work. I also tried tapping the F10 key which brought up the BOOT settings and tried it that way ... it didn't work. I know the cd-rom works because another program on a cd worked earlier.

 

This is probably going to be a stupid question, but, as I was reading the tutorial website, I noticed this information on the left of the first page:

 

Operating System: Windows 7 / Windows Vista SP2 & Ubuntu 9.10 on VMware

 

My daughter's laptop is running Windows XP. Could this not be the right Rescue CD for this laptop?

 

I have also been running the other suggested program and stopping it to quarantine the malware it finds after every detection. That was working well as long as I quarantined each item as soon as it was detected. The program would then close, and I would start the program over again. I have done this at least 15 times so far today and quarantined a number of malware viruses. But, the last time I ran it, it had been running for almost 30 minutes and had detected 0 infections when it shut down the computer anyway. :-(

 

Are you almost ready to give up?

Link to comment
Share on other sites

Are you almost ready to give up?

 

Me? Never!! :-P

 

My daughter's laptop is running Windows XP. Could this not be the right Rescue CD for this laptop?

No, it should work fine with XP and in fact I have run it on XP a few times.

 

Try this please. Do you still have ComboFix on the infected computer's desktop? If not you will need to put it there. Remember when transferring ComboFix to just transfer the download. Don't run it until it is on the infected computer.

 

Now on the infected computer. Enable viewing of hidden system files & folders XP

 

Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:
  • Select Show hidden files and folders.
  • Uncheck Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK

Now right click on ComboFix and choose Rename. Name it to Combobatch.bat

 

You will need to type in the below red text.

 

Go to Start > Run > then type the red text into the run box, beginning with the ", then click OK. Be sure to type everything in red and also make sure there is a space between Combobatch.bat" and /stepdel

 

"%userprofile%\desktop\Combobatch.bat" /stepdel

 

ComboFix should now run. Please post the log it creates.

 

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Link to comment
Share on other sites

ComboFix problem

 

I just finished doing everything exactly as you suggested in your last post and ComboFix started. :-) (I had to mouseclick to a few things at the beginning ... like an agreement ... then a download of some sort of Microsoft Recovery Console that it said that the laptop didn't have and which the program could not continue without. I never touched the mouse again, though, during the entire time it was running.) The program started running ... the blue screen was filling with 'Completed stages' and it was on 30-something when the computer shut down.

 

What should I do now? What will the computer do if I turn it back on? Should I change those 'Hidden File' settings back to what they were?

 

I won't turn the computer back on until I hear from you.

Link to comment
Share on other sites

How do you send a 41.4 KB bytes ComboFix Log?

 

Since you weren't here, I turned the computer back on and changed the settings back in the 'hidden files' and tried to run ComboFix again. It ran and it produced a log ... which I have!

 

The laptop actually allowed me to log into the forum and I am trying to post the log, but I am getting an 'Upload Error' that says, "Your file of 41.4 KB bytes exceeds the forum's limit of 19.5 KB for this filetype."

Link to comment
Share on other sites

You can just copy and paste it into the reply. It might take two posts to get it all in but that's okay as long as it's all posted.

 

Or save it to your desktop and then upload it online and give me the link.

 

Go to 2shared.com and upload the file.

 

1. Click Browse

2. Locate the file and double click it.

3. Next click UPLOAD IT!

4. When you see Your upload has successfully completed! click OK

5. Copy the link under Here is your download link: and post it back here.

Link to comment
Share on other sites

What an awesome little tool that 2shared.com is!

 

The link is http://www.2shared.com/file/12043402/4fd531c/log.html

 

This scan did not include the hidden files. I have since tried to run ComboFix with those hidden files unhidden, and it finished the scan and was in the process of writing out the log when the computer shut down. When I rebooted it, there was no log for the second scan anywhere.

 

I don't see how people type on these laptops!!!

Link to comment
Share on other sites

We are making progress now. Don't run ComboFix again until I need you to please.

 

This might be my last post tonight. I need to sleep.

 

 

Please go to Jotti's malware scan

(If more than one file needs scanned they must be done separately and logs posted for each one)

 

* Copy the file path in the below Code box:

c:\windows\system32\cfcb.sys

* At the upload site, click once inside the window next to Browse.

* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.

* Next click Submit file

* Your file will possibly be entered into a queue which normally takes less than a minute to clear.

* This will perform a scan across multiple different virus scanning engines.

* Important: Wait for all of the scanning engines to complete.

* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

 

Also scan this file and post the link to the results.

 

c:\windows\EC742B1EC038C02AA1D876FA63EF80CE.exe

 

 

 

Download the latest version of Kaspersky GetSystemInfo (GSI) and save it to your desktop.

 

* Close all other applications running on your system.

* Double click GetSystemInfo.exe to open it.

* Click the Settings button.

* Set it to Maximum

* IMPORTANT! Click Customize - choose Driver / Ports tab and

* Uncheck Scan Ports.

* Click Create Report to run it.

* It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your desktop.

 

* Upload the zip folder to the Kaspersky GetSystemInfo (GSI) and click the Submit button.

 

Copy and paste the URL (link in the address bar) of the GSI Parser report (not the log) in your next reply.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

