My computer won't shut down properly - hangs on Windows Shutting Down

9 replies to this topic

#1 livesism25

Posted 27 April 2009 - 10:27 AM

Hi, I should start out by saying that I have posted this on a different forum/web site, but was not able to find a solution to my problem yet. My Post

For your convenience I've pasted in the post below:

I have a very basic knowledge of computers, so please bear with me. I have an older laptop, HP Pavilion ZE4610US, with the following specs:

mobile AMD Athlon XP2500+ 1.86 Ghz
704 MB RAM
60 GB HD
Windows XP Home Ed. SP3

OK, here's the deal. About 18 months ago I replaced the factory installed 40 GB HD with a slightly larger 60 GB Seagate HD. At the time, I was planning to do a dual boot with the Linux partition being the dominant one, but knew I might have to use WinXP at some point. Initially I set it up with about 6 GB for the WinXP, a "swap" drive and about 25 GB for the Linux partition. Well, I'm not sure about the last part, it's been a while now, so it could have been more (I know I left some unallocated/free space - but I don't think it was 20-25 GB). Well, everything was working fine for a while (with the dual boot), but since I couldn't find the appropriate drivers for the modem (and other important devices), I ended up using the WinXP partition as my primary one. After some time, I believe the MBR was messed up somehow, because I didn't get to choose which partition I wanted to log into. That was really not a big deal, since I wasn't really using the Linux partition.

At some point I decided to "cannibalize" the Linux partition to a second partition (E) in my WinXP setup. As you can imagine, soon I was running out of space on my small WinXP partition (C; 6 GB), and I decided to merge some of the unallocated (free) space to the C drive using Partition Manager. That went well, so now I had the following split:

15 GB C Partition
15 GB Unallocated
25 GB E Partition

However, the following day things went bad, the computer automatically shut down, and when I tried to start it up I got the following message: "NTFS.SYS could not be found or is damaged". Naturally, I immediately thought it must have been due to my recent actions, but since I couldn't even get it to boot in "Safe Mode" or from the install disc(s), I couldn't verify this (it kept asking for an administrator's password even though I'd never - to my knowledge - set one up, and when I entered "blank" it would simply reboot after three tries). Eventually it was decided that the error message might be due to a faulty RAM module (weird coincidence). After replacing the faulty memory module I was able to get into the repair console and do a repair install of XP. Since my original install disc was Win XP Home SP1a, I had to do the update to SP2 (have disc) and SP3 (from DL), and all intermediate/subsequent updates were lost too. After having updated to SP3, I went to MS to check for updates manually (even though I have it set up for automatic updates), and it found 30+ (about 250 MB worth) updates. What a pain with dial-up (I know I'm a dinosaur).

After I was able to get Win XP to boot up, I went in the directory and renamed NTFS.SYS to NTFS.XXX. I then copied the NTFS.SYS file from the Win XP install cd. So far, so good. The computer seemed to work flawlessly thereafter for a while.

I can't tell exactly how long thereafter, maybe 2 weeks max., my computer was no longer able to "Stand By", "Restart" or "Shut Down" properly. It would simply hang on "Windows is Shutting Down". I've tried logging in in "safe mode", but even there it won't "Restart" or "Shut Down". I've installed the latest versions of the following SW:

AVG 8.5 Free
Lavasoft Ad-aware
Malwarebytes Anti-Malware

and I've run scans without any infections being reported.

Well, here I must make a comment that I didn't include in my previous post. The first time I noticed the problem of it not being able to suspend properly, I was trying to put it into "Stand By" mode, but it started up automatically right away, and from that point on the problem persisted. The day after I ran MWR's Anti-Malware and it found one infection (AntivirusXP2008) to a registry key, which it quarantined and I subsequently deleted. The file was in the E drive, as far as I recall, so I didn't think it was that important. (I still have the mbam log)

On a side note, I'm embarrassed to say that although I thought I had run Ad-Aware as stated in my previous post(s), the program log says otherwise (apparently I had only run scans with AVG and Anti-Malware). I updated the definitions and ran a smart scan, where it found 24 infections, of which 23 were tracking cookies (level 3 threat) and one major infection in a program called BurnAware, which I don't remember ever having downloaded or installed. It appears to have been a trojan virus called Win32.TrojanSpy.Banker (level 10 threat). The file has been quarantined, but it may already have done its damage. I haven't had time yet to look into what exactly it does, or how/if it can affect the power settings or possibly some important registry keys. Even though it's quarantined it seems to be able to change the settings in Ad-Aware. The automatic updates were disabled, so I reset it to default settings, but when I restarted the program, the automatic updates were disabled again!!! I also noticed that I'm not able to schedule updates in AVG to every 4 hours (box is grayed out), so I can only schedule updates once a day.


I've tried to restore the computer back to a point when I knew it was working, and even though it appears to restore it, the problem persists. I've tried to do another repair install, but nothing appears to change, so I therefore conclude that the files that are responsible for power management must be at a "different level" than a normal WinXP level. Otherwise I would assume that a repair install would have fixed the problem. I've been trying to do some more research, and found a site that recommended dl'ing a small program from MS called dumppo.exe, which I did.

I changed the min. sleep mode from S1 to S3, but again nothing changed. I should say, I don't know if these changes are made since the pc never shuts down/restarts correctly (I have to physically power it down). I also read about another program GMER, which I dl'ed, to see if there were any hidden programs running that prevented a proper shut down, but I'm not sure what I'm looking for, so that didn't help a whole lot.

Finally, I read about the possibility of having a virus in your mbr, and there is tool that might be able to fix it called "MBRFix". I haven't run this yet, as I'm not sure that's what I need to do.

I have also dl'ed Seagate's HD tool, Seatools for Windows, and it passed all tests with flying colors, so I don't believe it's a failing HD. I should also mention that the laptop actually works fine, apart from the shut down issue (I'm posting on it now). There are no error messages on boot up as far as I can tell. This is what I've observed:

Stand By/Hibernate : the screen goes black, but the led lights are still on (HD spinning and fans running). Solution: "hard" power down.

Restart/Shut Down: Screen (blue) hangs on "Windows shutting Down". Again solution: "hard" power down.

After 5-10 mins on screensaver (winxp stock) the screen goes completely black and is unresponsive to anything. Solution: "hard" power down.

I suppose I could learn to live with the fact that the computer will never be able to Restart/Shut Down/Stand By the way it was supposed to, but it is a pain. I still think it has something to do with power management somehow, but I'm nowhere near "Hi-tech" enough to know what to look for. I was naive to think that a WinXP repair install would solve this issue, but that apparently doesn't change anything, so how would one go about to fix it?

I suppose I could always back up my data and reformat the whole drive, but maybe that wouldn't make any difference anyways? Also, that would mean I'd lose some nifty little programs I've DL'ed over the past couple of years (mainly DotD type ones - where the license/activation is good for one day only).

I'm really starting to lose my mind here, so if you have any suggestions I would be very grateful. Thanks in advance for your help, and sorry about the length of this post.


#2 garmanma

Posted 27 April 2009 - 09:24 PM

Let's see what shows up



The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 livesism25

Posted 28 April 2009 - 12:22 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.

-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


I know my first post was a long one, but I did mention that I have Malwarebytes installed. I've got several logs, the latest run I did was this morning, with the following result:

Malwarebytes' Anti-Malware 1.36
Database version: 2046
Windows 5.1.2600 Service Pack 3

4/27/2009 12:34:46 AM
mbam-log-2009-04-27 (00-34-46).txt

Scan type: Quick Scan
Objects scanned: 91396
Time elapsed: 23 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I also mentioned that I did encounter a problem earlier (April 14), where the log was:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/14/2009 7:17:10 AM
mbam-log-2009-04-14 (07-17-10).txt

Scan type: Quick Scan
Objects scanned: 77850
Time elapsed: 35 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc1b3j0e39c (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I was able to update the database earlier this morning (or last night), but after that the program started acting strange. As I was trying to do an update of the definitions file, it got stuck in "searching for updates". This afternoon I tried to do a full scan without having the computer hooked up to the internet. After about 2 hrs it looked like it was halfway through; it got stuck and nothing seemed to change for about 1.5 hrs, with about 160,000 objects scanned. Nothing stuck out in the mbam log (the scan didn't complete, so it was only a partial full scan).

However, just now I was able to update to the latest definitions file (2051) with no problem.

The other strange thing I noticed was that after I'd updated Ad-Aware I ran a scan this morning; it found 24 infections, as I noted in my previous post. Of those, 23 were tracking cookies, and there was one serious malware, which the program quarantined. It took a long time, where nothing seemed to happen. I closed the program and reopened it, and the file was quarantined, but nothing had happened to the tracking cookies. Right after that I noticed something strange. The automatic updates had been disabled, and I had to go in manually to reset it to default settings (automatic update on start up). After closing the program and restarting it, automatic updates were again disabled!!! I also got a couple of error messages when I tried to use the update button:

System Error 1814 has occurred. Description: Could not log in to service. Are you running this application as another user? Application terminates. [press OK]

Service Error 6100 has occurred.

I'm afraid it has my pc by the throat, as there seems no way around it. According to the program this is the version I have installed:

0148.0017

but who knows if that's correct? Maybe it's able to "fool" the program to believe that.

#4 garmanma

Posted 29 April 2009 - 08:21 AM

Have you tried to fix the MBR per MS instructions?

http://support.microsoft.com/?scid=kb;en-us;314503
Mark

#5 garmanma

Posted 29 April 2009 - 02:51 PM

You can also try these two tools
--------------------------


ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
------------------------------------


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Mark

#6 livesism25

Posted 30 April 2009 - 07:32 PM

OK, so these are the results of the SAS and Dr. Web CureIT scans, and it appears that it was primarily tracking cookies they found. I've pasted in both logs below. The first time I ran SAS it found 296 infections, but they were all tracking cookies (that I deleted). Aren't tracking cookies a common, but unfortunate, byproduct of surfing the web these days? I'm not sure what's going on, but ever since I ran all these various anti-malware programs my computer has become super slow (in particular on this site). Could it be a key logger, or am I being paranoid now? I keep getting an hour glass, so eventually I had to disconnect from the net while typing this post, and it's still painfully slow. Also, I'm still not able to update Ad-Aware, but I did manage to scan in Safe mode, but it didn't find anything. The computer was actually working fine before, apart from the shut down issue. It's almost as if, when I didn't do anything about the infections "it was happy to let me do my thing", but now it's taking control of my pc. Is there such a thing as a "smart" virus, or is it some cyber troll who's toying with me? I've also noticed that my daily scheduled AVG scans are taking a ridiculous amount of time to complete (3-4 days) and as a consequence, most of the scans were interrupted. The last completed scan I did was on 04.28.09, and before that the last time I was able to get a complete scan was 04.15.09, around the time the problems started. It's almost as if it's running an endless loop of files that the malware has "OK'ed" to be scanned (so it appears that it is actually running a real AVG scan).

I'm about to lose my mind here, what else can I do?


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/30/2009 at 08:13 AM

Application Version : 4.26.1000

Core Rules Database Version : 3872
Trace Rules Database Version: 1820

Scan type : Complete Scan
Total Scan Time : 00:58:16

Memory items scanned : 241
Memory threats detected : 0
Registry items scanned : 4430
Registry threats detected : 0
File items scanned : 44504
File threats detected : 0

and:

Dr.Web Scanner for Windows v5.00.3 (5.00.3.04220)
© 1992-2009 Igor Daniloff. All rights reserved.
Log generated on: 2009-04-30, 00:15:54 [Administrator]
Command line: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\setup.exe" /lng /ini:setup_XP.ini
Operating system: Windows XP Home Edition x86 (Build 2600), Service Pack 3
=============================================================================
DwShield started
Engine version: 5.00 (5.00.0.12182)
Engine API version: 2.02
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\2a498c09 - 2210 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\acf55724 - 5098 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\b8bbd583 - 4891 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\85e8fa14 - 5033 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\034841a4 - 3254 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\5bba6351 - 5241 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\1b6031b8 - 7585 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\7e6cdce5 - 5298 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\2e150b0e - 5947 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\7a0b0d3c - 6039 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\e1353628 - 5309 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\f22151f5 - 3511 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\e4542e66 - 2495 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\4d9d708e - 4565 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\fccd286f - 4467 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\1427330f - 5196 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\95b8fcb2 - 2359 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\9451fcda - 1938 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\235fcd8f - 3335 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\6852228e - 3185 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\e32e1abb - 1468 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\dd31c5d2 - 280 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\a78e8177 - 567 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\8240f1bf - 1194 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\8455ec09 - 423328 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\50758c55 - 355 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\6f8f6bf0 - 626 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\65b2a1de - 311 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\da64c29c - 925 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\d4941fbb - 840 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\c757a750 - 3316 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\41d482b9 - 19303 virus records
Total virus records: 539469
[Self-checking] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\setup.exe
Key file: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\setup.key
License key number: 0010537607
Registered to: A User
License key activates on: 2008-12-05
License key expires on: 2009-06-07
Process in memory: System:4 - OK
Process in memory: \SystemRoot\System32\smss.exe:140 - OK
Process in memory: \??\C:\WINDOWS\system32\csrss.exe:208 - OK
Process in memory: \??\C:\WINDOWS\system32\winlogon.exe:232 - OK
Process in memory: C:\WINDOWS\system32\services.exe:276 - OK
Process in memory: C:\WINDOWS\system32\lsass.exe:288 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:436 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:484 - OK
Process in memory: C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe:556 - OK
Process in memory: C:\WINDOWS\Explorer.EXE:736 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:828 - OK
Process in memory: C:\WINDOWS\system32\NOTEPAD.EXE:1104 - OK
Process in memory: C:\Documents and Settings\Owner\Desktop\launch.exe:1256 - OK
Process in memory: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\_start.exe:1268 - OK
Process in memory: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\setup.exe:1280 - OK
[Memory scanning] No viruses found
Master Boot Record HDD1 - OK
Active OS/2 or WinNT Boot Sector HDD1 - OK
OS/2 or WinNT Boot Sector HDD1 - OK


-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 122729
Infected: 1
Modifications: 0
Suspicious: 0
Adware: 2
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 1
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 101 Kb/s
Scan time: 02:26:00
-----------------------------------------------------------------------------

C:\Sandbox\LB\DefaultBox\user\current\My Documents\My Downloads\couponprinter.exe
C:\Sandbox\LB\DefaultBox\user\current\My Documents\My Downloads\couponprinter.exe
C:\Sandbox\LB\DefaultBox\user\current\My Documents\My Downloads\couponprinter.exe
C:\Sandbox\LB\DefaultBox\user\current\My Documents\My Downloads\couponprinter.exe
C:\Sandbox\LB\DefaultBox\user\current\My Documents\My Downloads\couponprinter.exe
C:\Sandbox\LB\DefaultBox\user\current\My Documents\My Downloads\couponprinter.exe - deleted

=============================================================================
Total session statistics
=============================================================================
Scanned: 123790
Infected: 1
Modifications: 0
Suspicious: 0
Adware: 2
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 2
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 116 Kb/s
Scan time: 02:27:46
=============================================================================

OK the Dr. Web file was just too large to paste in (~12 MB), so I only put in the first and last part, but again it doesn't look too bad (2 adware files) and 1 other bad file (which was sandboxed - and therefore shouldn't have had any effect - but I deleted just in case since it's a program I never used anyways). If someone can tell me how to post the entire log please let me know.
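A log that is too large to paste can still be reported in full if it is reduced to what matters: every scanned item whose verdict is not "OK", plus the statistics blocks. The script below is an added example, not code from the poster or from Dr.Web; it only assumes the line shapes visible in the excerpt above ("Process in memory: <path>:<pid> - OK", a bare path with no verdict, "<path> - deleted", and the "Key: value" statistics under a "... statistics" header). The embedded sample log is constructed for the demonstration, and the cp1252 encoding used when reading a real log file is an assumption.

```python
import re
import sys

# Scan items start with a drive letter, an NT object path (\??\) or \SystemRoot\.
ITEM_PREFIX = re.compile(r"^(?:[A-Za-z]:\\|\\\?\?\\|\\SystemRoot\\)")
# Statistic keys as they appear in the CureIt! summary blocks quoted above.
STAT_RE = re.compile(
    r"^(Scanned|Infected|Modifications|Suspicious|Adware|Dialers|Jokes|Riskware|"
    r"Hacktools|Cured|Deleted|Renamed|Moved|Ignored|Scan speed|Scan time): (.+)$"
)
PROCESS_PREFIX = "Process in memory: "

# Constructed sample in the layout of the log excerpt above (not a real scan).
SAMPLE_LOG = """\
Process in memory: \\SystemRoot\\System32\\smss.exe:140 - OK
Process in memory: \\??\\C:\\WINDOWS\\system32\\csrss.exe:208 - OK
Process in memory: C:\\WINDOWS\\system32\\services.exe:276 - OK
[Memory scanning] No viruses found
Master Boot Record HDD1 - OK
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 122729
Infected: 1
Adware: 2
Deleted: 1
Scan speed: 101 Kb/s
Scan time: 02:26:00
-----------------------------------------------------------------------------

C:\\Sandbox\\LB\\DefaultBox\\user\\current\\My Documents\\My Downloads\\couponprinter.exe
C:\\Sandbox\\LB\\DefaultBox\\user\\current\\My Documents\\My Downloads\\couponprinter.exe
C:\\Sandbox\\LB\\DefaultBox\\user\\current\\My Documents\\My Downloads\\couponprinter.exe - deleted

=============================================================================
Total session statistics
=============================================================================
Scanned: 123790
Infected: 1
Deleted: 2
=============================================================================
"""


def parse_item(line):
    """Return (path, verdict) for a scan-item line, or None for any other line."""
    text = line[len(PROCESS_PREFIX):] if line.startswith(PROCESS_PREFIX) else line
    if not ITEM_PREFIX.match(text):
        return None
    if " - " in text:
        path, verdict = text.rsplit(" - ", 1)
    else:
        path, verdict = text, ""  # bare path: the log printed no verdict on this line
    return path, verdict


def summarize(log_text):
    """Reduce a CureIt!-style log to counts, non-OK items and the statistics blocks."""
    summary = {"items": 0, "ok": 0, "deleted": 0, "attention": [], "stats": {}}
    section = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line or set(line) <= {"-", "="}:
            continue  # blank line or separator rule
        if line.endswith("statistics"):
            section = line  # "Scan statistics" / "Total session statistics"
            summary["stats"][section] = {}
            continue
        m = STAT_RE.match(line)
        if m and section is not None:
            summary["stats"][section][m.group(1)] = m.group(2)
            continue
        item = parse_item(line)
        if item is None:
            continue
        path, verdict = item
        summary["items"] += 1
        if verdict == "OK":
            summary["ok"] += 1
        else:
            if verdict == "deleted":
                summary["deleted"] += 1
            summary["attention"].append((path, verdict or "no verdict"))
    return summary


def report(summary):
    """Render the summary as short text lines that fit in a forum post."""
    lines = [f"Scan items parsed: {summary['items']} "
             f"(OK: {summary['ok']}, deleted: {summary['deleted']})"]
    for path, verdict in summary["attention"]:
        lines.append(f"  needs attention: {path} [{verdict}]")
    for section, stats in summary["stats"].items():
        lines.append(f"{section}: " + ", ".join(f"{k}={v}" for k, v in stats.items()))
    return lines


if __name__ == "__main__":
    # Usage: python cureit_summary.py <path to saved CureIt! log>; without an
    # argument the constructed sample above is summarized instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="cp1252", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print("\n".join(report(summarize(text))))
```

On the excerpt quoted above the same logic would list only the sandboxed couponprinter.exe lines, which is the one detail a helper needs; repeated bare paths for the same file are kept so that the count of occurrences is visible.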

#7 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:04:39 PM

Posted 01 May 2009 - 07:24 PM

Is this your computer?

Key file: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\setup.key

http://www.threatexpert.com/report.aspx?md...54acf9f797635eb

Quit using it on any secure sites, immediately

I would consider a reformat/reinstall

--------------------------------------------------------



Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Edited by garmanma, 01 May 2009 - 07:27 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#8 livesism25

livesism25
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:39 PM

Posted 01 May 2009 - 11:21 PM

Is this your computer?

Key file: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\setup.key

http://www.threatexpert.com/report.aspx?md...54acf9f797635eb

Quit using it on any secure sites, immediately

I would consider a reformat/reinstall

--------------------------------------------------------


I assumed that was part of the DrWeb CureIt database, since its diagnosis only claimed one file was infected (and that was a sandboxed one). I checked for anything in:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

but it's empty (either because one of the antivirus programs deleted them or possibly when I ran ATF(safe mode)). As I mentioned in my first post Ad-Aware did find a serious Trojan:

Win32.TrojanSpy.Banker

and according to the program it was quarantined. After that I was having all kinds of problems with Ad-Aware, as documented earlier (not being able to update and scan). However, this morning I was able to both update and run both a quick scan and a full scan. Again it found the same Trojan:

Win32.TrojanSpy.Banker

which leads me to believe that it wasn't actually quarantined in the first place. This time around I deleted it and ran another full scan, which came back clean.

I'm still thinking my power down issue has something to do with power management. At times the screen goes black (not screensaver) but is reactivated with any keystroke or mousepad movement. I read something about enabling enhanced power management, but I don't see that as an option in the control panel:

Start>Control Panel>Performance and Maintenance>Power Options

On normal startup I also notice it doesn't come up with the icon for me (owner), but when I boot up in safe mode I'm given the option of logging in as owner or administrator (in normal startup owner is the administrator). I've also noticed that after having booted into safe mode, and then booting up in normal mode, the "connect to (the internet)" has disappeared from the startup menu. If I shut down and boot up again it's there, go figure.

This is what I found using regedit:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Default
ASPNET
HelpAssistant
IUSR_
IWAM_
NetShowServices
SQLAgentCmdExec
TsInternetUser
VUSR_

Should I be concerned about this? Shouldn't there be a file for owner and/or administrator? And why is it SpecialAccounts, is that normal? Since the computer hangs on "Windows is shutting down" I'm wondering if I'm getting the full effects of the antivirus/malware programs (ie full removal). Is it far enough in the shut down process?
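The UserList key works as an exception list: an account that is not listed is shown on the Welcome screen as normal, a listed name with value 0 is hidden from it, and a listed name with a non-zero value is forced to be shown. So Owner and Administrator being absent is expected, and the eight names in the post are the entries Windows XP ships with for its own service accounts. The audit below is an added example, not code from the poster or from Microsoft: it parses a .reg export of the key (as written by regedit's File > Export or `reg export`) and compares each entry against the XP defaults taken from the post and against a list of real local accounts, so that a hidden entry that matches a real, non-default account stands out. The .reg text and the account list are constructed for the demonstration; the `helpdesk$` entry in them is invented to exercise the suspicious branch.

```python
import re

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")

# Entries Windows XP creates itself (the names quoted in the post above).
XP_DEFAULT_USERLIST = {"ASPNET", "HelpAssistant", "IUSR_", "IWAM_", "NetShowServices",
                       "SQLAgentCmdExec", "TsInternetUser", "VUSR_"}

# Constructed .reg export for the demonstration; "helpdesk$" is an invented entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"ASPNET"=dword:00000000
"HelpAssistant"=dword:00000000
"IUSR_"=dword:00000000
"IWAM_"=dword:00000000
"NetShowServices"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"TsInternetUser"=dword:00000000
"VUSR_"=dword:00000000
"Administrator"=dword:00000001
"helpdesk$"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]
"Unrelated"=dword:00000000
"""

# Constructed local account list (what `net user` would show on the machine).
SAMPLE_LOCAL_ACCOUNTS = ["Owner", "Administrator", "Guest", "HelpAssistant", "helpdesk$"]

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_userlist(reg_text):
    """Return {value name: int} for the DWORD values stored under USERLIST_KEY."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == USERLIST_KEY.lower()  # key names are case-insensitive
            continue
        if not in_key:
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_userlist(values, local_accounts):
    """Classify each UserList entry; returns (name, hidden, status) tuples sorted by name."""
    local = {a.lower() for a in local_accounts}
    findings = []
    for name, flag in sorted(values.items()):
        hidden = flag == 0
        if name in XP_DEFAULT_USERLIST:
            status = "expected XP default (hidden service account)"
        elif hidden and name.lower() in local:
            status = "HIDDEN local account not in XP defaults - investigate"
        elif hidden:
            status = "hidden entry with no matching local account (stale)"
        else:
            status = "explicitly shown on Welcome screen (non-zero value)"
        findings.append((name, hidden, status))
    return findings


def suspicious(findings):
    """Names of entries that warrant a closer look."""
    return [name for name, _hidden, status in findings if "investigate" in status]


if __name__ == "__main__":
    entries = parse_userlist(SAMPLE_REG)
    for name, hidden, status in audit_userlist(entries, SAMPLE_LOCAL_ACCOUNTS):
        print(f"{name:18} hidden={hidden!s:5} {status}")
```

To run it against a real machine, export just that one key with regedit (or `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" userlist.reg`), save the output of `net user` as the account list, and pass both to `parse_userlist` and `audit_userlist`; on the list quoted in the post every entry falls into the "expected XP default" branch.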

#9 livesism25

livesism25
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:39 PM

Posted 02 May 2009 - 10:12 PM

I'm still concerned that I can't use Ad-Aware on a regular basis. I was able to do an update and ran a couple of scans, as I mentioned in a previous post. Now I can't update or run scans, but keep getting these pop-up error messages:

System Error 1814 has occurred. Description: Could not log in to service. Are you running this application as another user? Application terminates. [press OK]

Service Error 6100 has occurred. Description: Lost connection with Ad-Aware service. Please try running after a few minutes. [press OK]

When I close the windows for these pop-up messages the program closes automatically. I've tried to rename the program, the folder it's hosted in, but nothing changes, in terms of the non-performance. Anybody got an idea what's going on? Could it be a bad copy of the program? or am I still under attack/foreign control?

The scans I ran from Anti-Malware and SuperAntiSpyware have been clean the last couple of days, but those could be false positives I suppose. As for AVG, I can update but the scans keep looping and take days (3-4) to complete. The latest development is Dr.Web CureIt won't run now. When I click to start it appears to open, but then a pop-up comes on top stating:

Attention! Hundreds of new viruses appear daily and globally spread in hours. That is why CureIt! with the newest definitions to the virus bases is re-built several times on a daily basis. The current package was released _ 4 _ days ago and is already outdated.

Download latest CureIt! now?

[OK] [Cancel]

I'm given two options, either I OK it, in which case the program appears to close and nothing happens, or I can cancel. When I choose to cancel the pop-up window closes, and the real program GUI is there with the options to either update or start. When I click update, the program closes and nothing happens. However, just now when I clicked start it actually performed an express scan (took almost an hour), but it came back clean.

#10 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:04:39 PM

Posted 03 May 2009 - 06:24 PM

I'm sorry, I'm at a loss other than to recommend a HJT log submission
Mark
