Shutdown during Virus Scan (RESOLVED)

  1. #11
    AUHDGAUHD is offline Newbie

    Re: Shutdown during Virus Scan

    when I tried running ComboFix, it said "The copy of ComboFix has expired, Please download an updated copy". And then it deleted itself, it wasn't in my recycle bin. Is it normal for it to delete itself? Or did it go somewhere in my drive? I also did a search on ComboFix and other forums warn of ComboFix's possible dangers. Let me know what the risks are because if it involves risking data loss then I would prefer to not run it. And if we've come down to where I might possibly need to re-format, wouldn't doing a recovery console re-install critical system files and flush out the virus?


  2. #12
    Neal is offline Dedicated Member
    I don't understand why that happened. Below are links to the un-renamed version; try one if you want to, or we can call it quits if you want. Your choice.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://www.forospyware.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    If instructions are followed that I laid out, there should not be any problems.

  3. #13
    AUHDGAUHD is offline Newbie
    OKAY, I TRIED IT AGAIN AND IT WORKED. TO CLEAR UP THAT THING ABOUT THE COMBOFIX EXE FILE DELETING ITSELF. IT ACTUALLY TURNED ITSELF INTO AN INTERNET EXPLORER ICON AND WHEN I DELETED THAT, IT WASN'T IN THE RECYCLE BIN. SO I DON'T KNOW IF THAT'S A NORMAL THING BUT THAT'S EXACTLY WHAT OCCURRED. BELOW IS MY COMBOFIX LOG FILE:





    ComboFix 08-02-13.2 - Administrator 2008-02-13 1:11:48.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1480 [GMT -8:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\RewardNet
    C:\Program Files\RewardNet\makeguid.dll
    C:\Program Files\RewardNet\rnutil.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
    .

    2008-02-13 01:06 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
    2008-02-11 17:45 . 2008-02-11 17:45 <DIR> d-------- C:\Deckard
    2008-02-11 15:30 . 2008-02-11 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-02-11 15:26 . 2008-02-12 03:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-02-11 15:26 . 2008-02-11 15:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-02-10 02:11 . 2008-02-10 02:26 691,545 --a------ C:\WINDOWS\unins000.exe
    2008-02-10 02:11 . 2008-02-10 02:27 6,456 --a------ C:\WINDOWS\unins000.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-13 09:15 2,923,296 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-02-13 09:14 64,533,536 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-02-13 09:14 --------- d-----w C:\Program Files\GetRight
    2008-02-13 09:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
    2008-02-13 09:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Free Download Manager
    2008-02-13 08:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
    2008-02-13 00:54 872,168 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-02-13 00:54 277,904 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-02-11 23:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-10 23:28 5,826,560 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
    2008-02-10 23:16 5,826,048 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
    2008-02-10 23:16 2,685,952 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
    2008-02-10 11:01 512 ----a-w C:\ScanSectorLog.dat
    2008-02-10 10:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-10 10:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-10 10:15 4,922,368 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
    2008-02-10 03:56 5,807,104 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
    2008-02-09 03:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SolidDocuments
    2008-01-28 10:31 5,783,552 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
    2008-01-26 03:45 14,219,376 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
    2008-01-24 23:53 5,778,432 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
    2008-01-24 23:44 3,806,720 ----a-w C:\WINDOWS\Internet Logs\xDB69.tmp
    2008-01-20 11:43 --------- d-----w C:\Program Files\Winamp
    2008-01-18 04:42 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SolidDocuments
    2008-01-12 12:13 3,844,096 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
    2008-01-06 01:46 4,835,840 ----a-w C:\WINDOWS\Internet Logs\xDB63.tmp
    2007-12-31 05:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
    2007-12-31 02:52 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-12-31 02:52 --------- d-----w C:\Program Files\Bonjour
    2007-12-31 02:29 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
    2007-12-14 09:06 3,815,936 ----a-w C:\WINDOWS\Internet Logs\xDB2E.tmp
    2007-12-13 10:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Arcsoft
    2007-11-22 10:56 62,344 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-22 00:14 3,887,104 ----a-w C:\WINDOWS\Internet Logs\xDBF7.tmp
    2007-11-19 20:00 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2007-10-05 07:10 2,833,408 ----a-w C:\WINDOWS\Internet Logs\xDB9E.tmp
    2007-08-03 09:44 2,696,192 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
    2007-07-07 23:00 5,095,424 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
    2007-06-03 05:38 315,904 ----a-w C:\WINDOWS\Internet Logs\xDBBE.tmp
    2007-05-27 10:07 109,568 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
    2007-05-26 03:14 324,096 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
    2007-05-26 02:19 4,868,608 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
    2007-05-21 03:36 18,181,860 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_19_22_36_34_full.dmp.zip
    2007-05-20 05:36 1,849,856 ----a-w C:\WINDOWS\Internet Logs\xDB81.tmp
    2007-04-06 21:48 18,101,484 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_06_01_25_39_full.dmp.zip
    2007-04-06 08:25 1,059,840 ----a-w C:\WINDOWS\Internet Logs\xDBAC.tmp
    2007-03-22 21:13 18,054,361 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_22_03_27_31_full.dmp.zip
    2007-03-22 10:27 3,132,928 ----a-w C:\WINDOWS\Internet Logs\xDBE2.tmp
    2007-03-22 10:25 4,648,960 ----a-w C:\WINDOWS\Internet Logs\xDBE3.tmp
    2006-08-23 01:03 2,694,656 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
    2006-06-24 00:29 2,036,736 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]
    "Second Copy"="C:\Program Files\SecCopy\SecCopy.exe" [2006-01-09 12:45 915456]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
    "Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-04-29 09:22 1990703]
    "ÆÇµµ¶óTV¹Ì´Ï"="C:\Program Files\PandoraTVMini\MiniUpdate.exe" [ ]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 15:48 21760296]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SMSERIAL"="sm56hlpr.exe" [2005-06-06 01:40 544768 C:\WINDOWS\sm56hlpr.exe]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 15:28 790528]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 08:42 585728]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 15:24 86016]
    "NWEReboot"="" []
    "Ptipbmf"="ptipbmf.dll" [2003-06-19 23:06 118784 C:\WINDOWS\system32\ptipbmf.dll]
    "WinFaxAppPortStarter"="wfxsnt40.exe" [2000-02-14 16:36 43008 C:\WINDOWS\system32\WFXSNT40.EXE]
    "ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-15 19:36 446464]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45 278528]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-18 11:55 282624]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 23:02 919280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-03-17 17:50:26 299008]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-10-31 16:24:24 49254]
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-07 16:43:05 113664]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
    Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2006-12-19 02:29:07 118784]
    GetRight - Tray Icon.lnk - C:\Program Files\GetRight\getright.exe [2007-07-12 00:23:00 2301952]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
    Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 14:26:54 2080768]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 03:54 38400]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R1 CloneCD;CloneCD I/O Driver;C:\WINDOWS\system32\drivers\CloneCD.sys [2000-08-25 14:52]
    R2 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-02-14 16:36]
    S2 IcRecUsb;IC Recorder Driver;C:\WINDOWS\system32\Drivers\IcRecUsb.sys [2001-10-01 23:37]
    S3 ATIPCXXX;ATI Parental control device;C:\WINDOWS\system32\DRIVERS\atipcxxx.sys [2001-08-17 04:49]
    S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\system32\DRIVERS\atirtcap.sys [2001-08-17 04:49]
    S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);C:\WINDOWS\system32\DRIVERS\ativxbar.sys [2001-08-17 04:49]
    S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 17:06]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-13 08:16:45 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-13 01:15:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-13 1:18:39
    ComboFix-quarantined-files.txt 2008-02-13 09:18:36
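
As an added example (not part of the original thread, and not ComboFix's own code): a Python parser for the Run-key lines of a log like the one in post #13, flagging autostart entries worth a manual look. It assumes empty brackets mean no file metadata was recorded for the target; `parse_autoruns`, `triage` and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the format of the log's "Reg Loading Points" section;
# the mis-encoded value name from the log is replaced by a placeholder.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"<mis-encoded name>"="C:\Program Files\PandoraTVMini\MiniUpdate.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2005-06-06 01:40 544768 C:\WINDOWS\sm56hlpr.exe]
"NWEReboot"="" []
"Ptipbmf"="ptipbmf.dll" [2003-06-19 23:06 118784 C:\WINDOWS\system32\ptipbmf.dll]
'''

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$', re.I)
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# Bracket contents: date, time, size, then the resolved path for bare file names.
META_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d{1,2}:\d{2}) (\d+)(?: (.+))?$')

def parse_autoruns(log_text):
    """Return one dict per quoted name/command line found under a registry key."""
    key, entries = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key = m.group(1)
        elif key and (m := ENTRY_RE.match(line)):
            meta = META_RE.match(m.group('meta').strip())
            entries.append({
                'key': key,
                'name': m.group('name'),
                'command': m.group('cmd'),
                'modified': f'{meta.group(1)} {meta.group(2)}' if meta else None,
                'size': int(meta.group(3)) if meta else None,
                'resolved': meta.group(4) if meta else None,
            })
    return entries

def triage(entries):
    """Flag autostart entries a reviewer should check by hand."""
    findings = []
    for e in entries:
        if not e['command']:
            findings.append((e['name'], 'empty command'))
        elif e['modified'] is None:
            # Assumption: empty brackets mean no file metadata was recorded.
            findings.append((e['name'], 'no file metadata for target'))
        elif '\\' not in e['command']:
            # Bare file name: found via the search path, so confirm its location.
            findings.append((e['name'], f"relative path -> {e['resolved']}"))
    return findings

if __name__ == '__main__':
    for name, reason in triage(parse_autoruns(SAMPLE_LOG)):
        print(f'{name}: {reason}')
```
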

  4. #14
    AUHDGAUHD is offline Newbie
    TAKE A LOOK AT THE SCREEN CAPTURE, IS IT OKAY IF IT DIDN'T ACCESS C:\ComboFix\DirRoot ???

    I RE-TRIED GETTING UPDATES FOR WINDOWS DEFENDER AND I STILL GET THE SAME ERROR CODE (0x8024402F).

  5. #15
    Neal is offline Dedicated Member
    You're fine. Combofix found some adware and got that killed.

    Are you behind a router? If so, take the PC off the router and try updating then.

    Stop ZoneAlarm and try the updates.

    If no go, lots of reading here:

    http://www.google.com/search?q=ERROR...n&start=0&sa=N





    Time for some housekeeping

    * Click START then RUN
    * Now type Combofix /u in the runbox and click OK
    * Notice the space between combofix and the /








    The above procedure will:

    * Delete the following:
      o ComboFix and its associated files and folders.
      o VundoFix backups, if present
      o The C:\Deckard folder, if present
      o The C:\_OtMoveIt folder, if present

    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Reset System Restore.

  6. #16
    AUHDGAUHD is offline Newbie
    Wow, I'm Able To Do Virus Scans Now. Thanks A Ton For Your Help!



    -omar

  7. #17
    Neal is offline Dedicated Member
    Great news.



    If you are no longer having any more trouble, here are some preventative measures for you.

    Be sure to re-hide hidden files/folders if you were asked to unhide them.

    Here are some preventive measures you can take to keep your computer from getting infected again. Also keep all these and Ad-awareSE and SpybotS&D updated.

    http://www.d-a-l.com/help/showthread.php?t=32403

    Flush your restore points in ME and XP, by turning System Restore off and then back on.
    This will create a fresh restore point.


    Explained Here:
    Windows XP: http://vil.nai.com/vil/SystemHelpDoc...ysRestore.aspx

    Explained Here
    Microsoft ME:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam



    Please download ATF Cleaner by Atribune to desktop.
    http://www.atribune.org/public-beta/ATF-Cleaner.exe

    Double-click ATF-Cleaner.exe to run the program, to clean junk files off your PC.

    If you would like to keep your cookies, don't check that item.

    * Under Main "Select Files to Delete" choose: Select All.
    * Click the Empty Selected button.
    * If you use Firefox browser click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    * If you use Opera browser click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.





    RegProtect

    This small registry protection tool will save you hours of heartache by notifying you when some program, good or bad, is trying to access your registry.

    You have the option of allowing (good) items or blocking (bad) items.


    http://www.diamondcs.com.au/index.php?page=regprot


    To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
    http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

    http://www.microsoft.com/windows/ie/default.asp


    2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching, there are some good free Antivirus programs that are decent, including AVG and Avast!.
    AVG: http://free.grisoft.com/doc/1

    Avast: http://www.avast.com/eng/avast_4_home.html


    3. In addition to using Ad-aware, consider using another free malware scanning/removal program:
    Windows Defender

    http://www.microsoft.com/athome/secu...e/default.mspx


    4. Consider using a free firewall if you are not already using one. Some good free ones are:
    Kerio

    Sunbelt

    Comodo Personal Firewall:

    Comodo





    5. Consider using an alternate free browser for general web surfing, but you must use IE for Windows Update.
    Mozilla Firefox: www.mozilla.org/products/firefox/


    6. Consider increasing your browser security by using these programs:
    SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
    SpywareBlaster will increase browser protection by blocking thousands of known malware sites by adding them to IE's restricted sites zone. Download it here:

    http://www.javacoolsoftware.com/spywareblaster.html


    If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/


    IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
    https://netfiles.uiuc.edu/ehowes/www/resource.htm


    Block access to Untrustworthy Sites

    You can prevent your computer from visiting a myriad of untrustworthy sites and ad-servers by installing a customised hosts file. One of the best available is the: MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad-servers.



    *Remember just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's Free
