Computer shuts down during virus scans

10 replies to this topic

#1 bluescreenedagain (Members, 20 posts)

Posted 18 February 2010 - 05:01 PM

My computer has been shutting down without warning at random times, so I decided to scan it. It scanned with a-squared, MBAM, and SUPERAntiSpyware just fine, but didn't find any problems other than a trojan downloader that was easily removed (but I'm pretty sure was a false alert anyway). But when trying to scan it with avast, it shuts down in the middle of the scan every single time, even when I tried it in safe mode. I tried AVG as well, thinking perhaps it was a problem with the software, but it shut down during that too. I also tried the Kaspersky online scanner, and it still shut down. Is my computer infected, or is there something wrong with my computer handling antiviruses?


#2 Sashacat (Members, 372 posts)

Posted 18 February 2010 - 05:52 PM

First, use either ATF Cleaner or CCleaner. (Both programs are free.)

ATF Cleaner:
http://www.atribune.org/index.php?option=c...5&Itemid=25
Instructions (copied/pasted from atribune's web page):
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.


Notes for Windows Vista users:

On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".
Prefetch has been disabled on Windows Vista. As I'm not sure of the effects that emptying prefetch on Windows Vista will have, for the time being I won't enable that function.

-------------------------------------------------------------------------------------------------------
CCleaner is an alternative to ATF Cleaner.
(There is nothing wrong with ATF Cleaner. I used to use ATF Cleaner until I found CCleaner and it is only a matter of my personal preference.)

The CCleaner website has a tour, including screen shots, so you can see what the program does.
It not only cleans your computer, it also has a Registry tool that will check for/fix registry errors, and it also has an "uninstall programs" tool and a "startup" tool (you can remove items from Startup).
The website for CCleaner is: http://www.ccleaner.com/

--------------------------------------------------------------------------------------------------------
Try running Rkill BEFORE running any scans.
http://www.technibble.com/rkill-repair-tool-of-the-week/
"Rkill is a small, freeware and portable tool designed to terminate active malware processes allowing you to use other removal tools.
Rkill is made by a Microsoft MVP “Lawrence Abrams” and is available in 4 different extensions. An .EXE, .COM, .SCR and a .PIF file.
The reason why Rkill comes in 4 different versions is because some malware will block .EXE files in an attempt to prevent you from running other malware removal tools, so this gets around that problem." (copied/pasted from technibble's web page)

It doesn't matter which of the Rkill files you download. They are all the same program. They just have different file extensions: (.exe, .com, .scr and .pif). If you are unable to download the first one, work your way down the list.

-------------------------------------------------------------------------------------------------------------
Now try scanning with Malwarebytes' Anti-malware.


Please report back with results.
If we don't change the direction we are going,
We are likely to end up where we are headed.

#3 bluescreenedagain (Topic Starter, Members, 20 posts)

Posted 19 February 2010 - 03:57 PM

After doing that, Malwarebytes found nothing, but while trying to run other antiviruses a few more times, it still shut down in the middle. I tried each of the versions of Rkill, and tried scanning with avast and a-squared again a few more times, but the computer still continued to shut down without warning.

#4 Sashacat (Members, 372 posts)

Posted 20 February 2010 - 01:04 PM

Are you running Rkill before you run any scans with Avast or AVG?

Autoruns:
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx
"shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys.
To disable an auto-start entry uncheck its check box."


SUPERAntiSpyware:
http://www.superantispyware.com/

Please report back and let me know whether SUPERAntiSpyware found/fixed any infections.

#5 bluescreenedagain (Topic Starter, Members, 20 posts)

Posted 20 February 2010 - 06:45 PM

That still didn't work. After disabling the autorun, then running Rkill, then trying to scan with SUPERAntiSpyware, and also trying to scan with avast after following the same steps, it shut down both times. I'm sure it can't be an issue with the time that the computer has been on, though, because during normal use of my computer it does not shut down that frequently without warning like that.

#6 Sashacat (Members, 372 posts)

Posted 20 February 2010 - 08:26 PM

Hello :thumbsup:

I do not know the answer.

I asked a member of the Malware Response Team to help you, and gave them the link to this topic.
Please be patient, because they have lots of people to help.

#7 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 20 February 2010 - 08:33 PM

Hi,

Sashacat has asked me to take a look. :thumbsup:

I'm dealing with this type of problem elsewhere, no scanner wants to play, so I am expecting not to get too far with what I'm proposing at this stage.

I will try a few other options and I may then refer you to the malware logs forum to take a proper look.


Can you try the following:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks
m0le is a proud member of UNITE

#8 bluescreenedagain (Topic Starter, Members, 20 posts)

Posted 21 February 2010 - 12:47 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-21 12:38:12
Windows 5.1.2600 Service Pack 2
Running: sfuxjxrj.exe; Driver: C:\Users\comp\AppData\Local\Temp\pxldqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8F533320]

INT 0x51 ? FFFFFFFF
INT 0x51 ? 87586000
INT 0x61 ? FFFFFFFF
INT 0x61 ? 8707B5F0
INT 0x62 ? FFFFFFFF
INT 0x62 ? 87062E90
INT 0x71 ? FFFFFFFF
INT 0x71 ? 8707B5F0
INT 0x72 ? FFFFFFFF
INT 0x72 ? 00000072
INT 0x82 ? FFFFFFFF
INT 0x82 ? 87062E90
INT 0x92 ? FFFFFFFF
INT 0x92 ? 00280026
INT 0xA2 ? FFFFFFFF
INT 0xA2 ? 87062E90
INT 0xB1 ? FFFFFFFF
INT 0xB1 ? 5F534750
INT 0xB2 ? FFFFFFFF
INT 0xB2 ? 87062E90

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 854 820FAF18 4 Bytes [20, 33, 53, 8F]
.text C:\Windows\system32\drivers\ACEDRV08.sys section is writeable [0x80C0C000, 0x328BA, 0xE8000020]
.pklstb C:\Windows\system32\drivers\ACEDRV08.sys entry point in ".pklstb" section [0x80C50000]
.relo2 C:\Windows\system32\drivers\ACEDRV08.sys unknown last section [0x80C6C000, 0x8E, 0x42000040]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\a-squared Free\a2service.exe[348] kernel32.dll!CreateThread + 1A 776546E2 4 Bytes CALL 0045495D C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\a-squared Free\a2service.exe[348] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [00454AB4] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[348] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [00454AB4] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Windows\system32\services.exe[664] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00130002
IAT C:\Windows\system32\services.exe[664] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00130000

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@CurrentVersion 6.0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@ProductName Windows Vista ™ Home Premium
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@CSDVersion Service Pack 1

---- EOF - GMER 1.0.15 ----

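The GMER log above is the kind of output a responder triages by hand: each SSDT, IAT and AttachedDevice line names a hooked target and, where GMER can identify it, the module and vendor behind the hook. As an added example that is not part of this thread, here is a small Python parser for those three line types. It attributes each hook to the module and vendor GMER prints and flags the entries with no attribution at all (in the posted log, the two IAT entries inside services.exe), which are the ones to look at before the hooks that belong to SUPERAntiSpyware, a-squared or avast. The sample input is four lines copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four lines copied from the GMER log posted in this thread.
SAMPLE_LOG = r"""
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8F533320]
IAT C:\Program Files\a-squared Free\a2service.exe[348] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [00454AB4] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Windows\system32\services.exe[664] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00130002
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
"""

@dataclass
class Hook:
    kind: str              # "SSDT", "IAT" or "AttachedDevice"
    target: str            # hooked syscall, import or device
    address: str           # hook address as GMER prints it ("" for devices)
    owner: Optional[str]   # module GMER attributes the hook to, if any
    vendor: Optional[str]  # text GMER prints in parentheses (product/vendor), if any

SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<fn>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
IAT_RE = re.compile(r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<mod>.+?)\s+"
                    r"\[(?P<imp>[^\]]+)\]\s+\[?(?P<addr>[0-9A-Fa-f]+)\]?(?P<rest>.*)$")
# Trailing "owner (vendor)" text on an IAT line; both parts are optional.
REST_RE = re.compile(r"^\s*(?P<owner>.*?)\s*(?:\((?P<vendor>[^)]*)\))?\s*$")
DEV_RE = re.compile(r"^AttachedDevice\s+(?P<drv>\S+)\s+(?P<dev>\S+)\s+(?P<owner>\S+)"
                    r"(?:\s+\((?P<vendor>.+)\))?$")

def parse_gmer(text: str) -> List[Hook]:
    """Extract SSDT, IAT and AttachedDevice entries from a GMER text log."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            hooks.append(Hook("SSDT", m["fn"], m["addr"], m["owner"], None))
        elif m := IAT_RE.match(line):
            r = REST_RE.match(m["rest"])
            target = f'{m["proc"]}[{m["pid"]}] {m["imp"]}'
            hooks.append(Hook("IAT", target, m["addr"], r["owner"] or None, r["vendor"]))
        elif m := DEV_RE.match(line):
            hooks.append(Hook("AttachedDevice", m["dev"], "", m["owner"], m["vendor"]))
    return hooks

def unattributed(hooks: List[Hook]) -> List[Hook]:
    """Hooks GMER could not tie to a named module or vendor: review these first."""
    return [h for h in hooks if h.owner is None and h.vendor is None]

if __name__ == "__main__":
    for h in parse_gmer(SAMPLE_LOG):
        print(f"{h.kind:15} {h.target:60} -> {h.owner or '?'} ({h.vendor or 'no vendor'})")
```

Running it on the full log pasted above gives the same split: every SSDT and device hook belongs to a named security product, and only the two services.exe IAT entries come back from unattributed().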
#9 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 21 February 2010 - 01:14 PM

Did Gmer run first time?

Can you run Junction, which will check permissions on your programs?

We need to scan the system with this special tool:
  • Please download and save:
Junction.zip

  • Unzip it and place Junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the Run box and click OK:
cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

#10 bluescreenedagain (Topic Starter, Members, 20 posts)

Posted 21 February 2010 - 02:22 PM

GMER crashed the first few times, but it ran after about the 3rd time when I put it into Windows XP compatibility mode.
Junction isn't working. I see a command prompt pop up really fast and then disappear, and it tells me "access is denied".

#11 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 21 February 2010 - 02:28 PM

I think we need to take this problem to the malware logs forum.

Please follow the instructions and post to this forum. Then PM me and we can continue.
