My computer shuts down during full virus scan

August 24, 2013 at 16:30:34
Specs: Windows Vista
I am able to run a quick scan; the computer also shut down during a full system scan with Windows Defender. Today I ran a full Windows Defender scan in Safe Mode and no problems were discovered. Ran HouseCall from Trend, no problems; however, I am still unable to run a full scan. Could it be a virus?



#1
August 24, 2013 at 16:53:52
"could it be a virus"
Let's do some deeper checks.

1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
To run Unhide, simply download it to your desktop and then double-click on the Unhide icon. The program will open a black box and start making the files on your fixed disks visible again. Please note, that this program will not unhide removable drives like flash cards and usb drives as the FakeHDD rogues do not target these types of drives. Once it has finished, the program will display a Windows alert stating that your files have been restored. You should then reboot your computer for all of the settings to go into effect.
Copy & Paste the contents of the log. Let me know if it doesn't produce a log please.

2: Reboot

3: Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
Official tutorial
http://tigzyrk.blogspot.fr/2012/11/...
Download & SAVE to your Desktop.
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.
For Windows XP, double-click to start.
Wait until the Prescan has finished...
Then click on the "Scan" button.
Wait until the Status box shows "Scan Finished".
Click on "Delete".
Wait until the Status box shows "Deleting Finished".
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.



#2
August 25, 2013 at 08:51:39
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 08/25/2013 11:45:22 AM
Windows Version: Windows Vista

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 160669 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 879 files processed.

Processing the E:\ drive
Finished processing the E:\ drive. 12057 files processed.

The C:\Users\laptop\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Log from Unhide
Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 08/25/2013 11:47:23 AM
Execution time: 0 hours(s), 2 minute(s), and 1 seconds(s)



#3
August 25, 2013 at 17:19:37
Just wondering, is it only on a long MSE scan that this computer shuts down? If it does it with any other significant activity (such as defrag) it could be due to overheating.

Always pop back and let us know the outcome - thanks



#4
August 25, 2013 at 17:20:46
Still waiting on 3: Run RogueKiller


#5
August 26, 2013 at 23:47:06
Have you checked "automatically shut down after full scan"?


#6
August 27, 2013 at 06:41:18
RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/rog...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : laptop [Admin rights]
Mode : Scan -- Date : 08/26/2013 11:54:12
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[64] : NtCreateKey @ 0x82223168 -> HOOKED (Unknown @ 0x88D387EC)
[Address] SSDT[67] : NtCreateMutant @ 0x82254993 -> HOOKED (Unknown @ 0x88D384FC)
[Address] SSDT[72] : NtCreateProcess @ 0x822C600D -> HOOKED (Unknown @ 0x88D021E4)
[Address] SSDT[73] : NtCreateProcessEx @ 0x822C6058 -> HOOKED (Unknown @ 0x88D3A13C)
[Address] SSDT[77] : NtCreateSymbolicLinkObject @ 0x821F4349 -> HOOKED (Unknown @ 0x88D384C4)
[Address] SSDT[78] : NtCreateThread @ 0x822C5E40 -> HOOKED (Unknown @ 0x88D385A4)
[Address] SSDT[123] : NtDeleteKey @ 0x821E6749 -> HOOKED (Unknown @ 0x88D3877C)
[Address] SSDT[126] : NtDeleteValueKey @ 0x821E1CEA -> HOOKED (Unknown @ 0x88D386D4)
[Address] SSDT[129] : NtDuplicateObject @ 0x8222C579 -> HOOKED (Unknown @ 0x88D3848C)
[Address] SSDT[165] : NtLoadDriver @ 0x8219FE12 -> HOOKED (Unknown @ 0x88D38534)
[Address] SSDT[194] : NtOpenProcess @ 0x8225512F -> HOOKED (Unknown @ 0x88D388CC)
[Address] SSDT[197] : NtOpenSection @ 0x8224578C -> HOOKED (Unknown @ 0x88D38614)
[Address] SSDT[201] : NtOpenThread @ 0x8225062B -> HOOKED (Unknown @ 0x88D38894)
[Address] SSDT[267] : NtRenameKey @ 0x82288864 -> HOOKED (Unknown @ 0x88D38744)
[Address] SSDT[280] : NtRestoreKey @ 0x82286F6A -> HOOKED (Unknown @ 0x88D3870C)
[Address] SSDT[317] : NtSetSystemInformation @ 0x8221AF1E -> HOOKED (Unknown @ 0x88D38454)
[Address] SSDT[324] : NtSetValueKey @ 0x82212405 -> HOOKED (Unknown @ 0x88D387B4)
[Address] SSDT[334] : NtTerminateProcess @ 0x8222516B -> HOOKED (Unknown @ 0x88D3885C)
[Address] SSDT[335] : NtTerminateThread @ 0x82250660 -> HOOKED (Unknown @ 0x88D38824)
[Address] SSDT[358] : NtWriteVirtualMemory @ 0x82241A27 -> HOOKED (Unknown @ 0x88D385DC)
[Address] SSDT[382] : NtCreateThreadEx @ 0x82250115 -> HOOKED (Unknown @ 0x88D3856C)
[Address] SSDT[383] : NtCreateUserProcess @ 0x821FDC47 -> HOOKED (Unknown @ 0x88D3A104)
[Address] Shadow SSDT[572] : NtUserSetWindowsHookAW -> HOOKED (Unknown @ 0x84CBC13C)
[Address] Shadow SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x84D49904)

¤¤¤ External Hives: ¤¤¤
-> E:\windows\system32\config\SYSTEM | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\SOFTWARE | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\SECURITY | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\SAM | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\DEFAULT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\Users\Default\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG SSD RBX Series 1 +++++
--- User ---
[MBR] eb72f7179b242c5b96038147d60c090d

Here is the report from RogueKiller.



#7
August 27, 2013 at 15:10:01
Just to clarify post #5
Microsoft Security Essentials - Installation Checklist and Frequently Asked Questions
http://experts.windows.com/w/expert...
43. Can MSE shutdown my PC once a scan is finished?

This cannot be accomplished from the GUI. However, you can accomplish this using the task scheduler or batch scripts.



#8
August 27, 2013 at 15:14:00
"RogueKiller V8.6.6 [Aug 19 2013] by Tigzy"
Thanks.

Now run, chkdsk please, then Copy & Paste the contents of the log into your next reply.
Using CheckDisk the GUI Way
http://www.howtogeek.com/howto/wind...

Viewing your chkdsk report Windows Vista & Windows 7 (W7)
http://janetalkstech.com/2009/windo...
Viewing the system log for the scan results of Check Disk (Wininit)
http://www.sevenforums.com/tutorial...
Administrative tools - Event viewer - Windows logs - Application - Click on 'source' at the middle top to sort by ascending/ descending order. Locate 'wininit' and click on it to view.

message edited by Johnw


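A shortcut for the chkdsk step in post #8, added here as an example and not part of the original thread: instead of sorting Event Viewer by source by hand, pull the chkdsk result events out of the Application log with PowerShell and write them to a text file on the Desktop so they can be pasted into a reply. It assumes PowerShell 2.0 or later is installed (an optional download on Vista), that boot-time scans log under the source Wininit and interactive scans under the source Chkdsk, and the 30-day window and output file name are choices of the example, not something the thread specifies.

```powershell
# Added example, not from the thread: collect chkdsk results from the Application log.
# Assumptions: PowerShell 2.0+ (optional install on Vista); boot-time chkdsk runs log
# under source "Wininit", interactive runs under source "Chkdsk"; 30-day window.
param(
    [int]$Days = 30
)

$since = (Get-Date).AddDays(-$Days)

# Get-EventLog uses the classic event log API, so it works on Vista without the
# newer Get-WinEvent cmdlet. Source names are matched loosely because Event Viewer
# shows "Wininit" while the provider may be registered as "Microsoft-Windows-Wininit".
$events = Get-EventLog -LogName Application -After $since |
    Where-Object { $_.Source -match 'Wininit|Chkdsk' } |
    Sort-Object TimeGenerated -Descending

if (-not $events) {
    Write-Host "No chkdsk results found since $since. Run chkdsk /f, reboot, then try again."
    return
}

# Write each event with a header line so the pasted text shows when it was logged.
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'chkdsk-results.txt'
$events | ForEach-Object {
    '==== {0}  source={1}  id={2} ====' -f $_.TimeGenerated, $_.Source, $_.EventID
    $_.Message
    ''
} | Out-File -FilePath $out -Encoding UTF8

Write-Host ("Wrote {0} event(s) to {1}" -f @($events).Count, $out)
```

Save it as chkdsk-results.ps1 and run it with `powershell -ExecutionPolicy Bypass -File chkdsk-results.ps1`, since the default policy on a fresh PowerShell install refuses to run script files. Reading the Application log does not need an elevated prompt.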

#9
September 2, 2013 at 06:48:34
I am unable to understand/copy the info gathered from Check Disk. I have read and attempted to follow the directions above and obviously do not have the needed computer expertise. I will continue to try, as only by working through issues can you really learn. I want to thank everyone for their help. - Gail


#10
September 3, 2013 at 10:39:53
I have been unsuccessful with Event Viewer; however, following Microsoft's suggestion, I downloaded a CIM program to read Event Viewer. No luck, so I did a little copy/paste today. Seems my registry has been compromised.
Event 10 (per event viewer)
Windows (windows definition)
Operating System
ID: 10
Source: Microsoft-Windows-WMI
Version: 6.0
Symbolic Name: WBEM_MC_CANNOT_ACTIVATE_FILTER
Message: Event filter with query "%2" could not be activated again in namespace "%1" because of error %3. Events may not be delivered through this filter until the problem is corrected.
Windows said to download CIM; however, I was unable to use this to view issues.


+event 1530 System
- Provider
[ Name] Microsoft-Windows-User Profiles Service
[ Guid] {89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}
[ EventSourceName] profsvc

- EventID 1530
[ Qualifiers] 32768

Version 0

Level 3

Task 0

Opcode 0

Keywords 0x80000000000000

- TimeCreated
[ SystemTime] 2013-09-03T00:25:48.000Z

EventRecordID 25116

Correlation

- Execution
[ ProcessID] 0
[ ThreadID] 0

Channel Application

Computer laptop-PC

- Security
[ UserID] S-1-5-18

- EventData



#11
September 3, 2013 at 12:03:35
If your computer is working properly you should be able to type event viewer from the start orb. It will normally show after just typing the first few letters. You then click the entry to go there.

It often displays many errors that are of little consequence - it is a matter of finding the relevant ones to your issue.

Always pop back and let us know the outcome - thanks

message edited by Derek


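Posts #3, #7 and #11 between them raise the two explanations the thread is weighing, a thermal or power shutdown versus something explicitly asking Windows to shut down, and both leave a trace in the System log. The script below is an added example, not part of the original thread, that lists those traces and then checks Task Scheduler for a task that runs shutdown.exe (the mechanism post #7 describes). It assumes PowerShell 2.0 or later on an elevated prompt, English column names from schtasks, a 14-day window, and that Kernel-Power event 41 is only present where the installed Vista build records it.

```powershell
# Added example, not from the thread: find out *why* the machine went down.
# Assumptions: PowerShell 2.0+, elevated prompt (schtasks /v needs it to list every
# task), English schtasks column names, 14-day window.
param(
    [int]$Days = 14
)
$since = (Get-Date).AddDays(-$Days)

# System-log events that record a shutdown and its cause:
#   6008 (EventLog)      "previous system shutdown ... was unexpected": power loss or
#                         a thermal trip, which is what post #3 suspects
#   1074 (USER32)        a process requested shutdown; the message names the process
#                         and user, so a scheduled "shutdown after scan" task shows here
#   41   (Kernel-Power)  rebooted without a clean shutdown (logged on later Vista builds)
$shutdownIds = 6008, 1074, 41

$events = Get-EventLog -LogName System -After $since |
    Where-Object { $shutdownIds -contains $_.EventID } |
    Sort-Object TimeGenerated

if ($events) {
    foreach ($e in $events) {
        $kind = switch ($e.EventID) {
            6008 { 'UNEXPECTED (power/thermal?)' }
            1074 { 'REQUESTED by a process' }
            41   { 'KERNEL-POWER (dirty reboot)' }
        }
        # First line of the message is enough to see the process or reason.
        '{0}  {1,-28} {2}' -f $e.TimeGenerated, $kind, ($e.Message -split "`n")[0].Trim()
    }
} else {
    "No shutdown events since $since in the System log."
}

# Post #7: a scheduled task or batch file can shut the PC down after a scan.
# schtasks /v prints the command line in the "Task To Run" column.
$tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'shutdown' }
if ($tasks) {
    "Scheduled task(s) that run shutdown:"
    $tasks | ForEach-Object { '  {0}  -> {1}' -f $_.TaskName, $_.'Task To Run' }
} else {
    "No scheduled task runs shutdown.exe."
}

# Thermal reading, for the overheating theory in post #3. Many laptops do not expose
# this WMI class, so failure here only means "no reading", not "not overheating".
try {
    Get-WmiObject -Namespace root/wmi -Class MSAcpi_ThermalZoneTemperature -ErrorAction Stop |
        ForEach-Object {
            # CurrentTemperature is reported in tenths of a kelvin.
            'Thermal zone {0}: {1:N1} C' -f $_.InstanceName, ($_.CurrentTemperature / 10 - 273.15)
        }
} catch {
    "No ACPI thermal zone readings available through WMI."
}
```

Run it as shutdown-triage.ps1 from an elevated prompt with `powershell -ExecutionPolicy Bypass -File shutdown-triage.ps1`. A 6008 entry whose timestamp lines up with the aborted scans and no matching 1074 points at hardware (heat or power), which is what post #3 suggests testing with a long defrag; a 1074 naming shutdown.exe or a scheduled-task hit points at the configuration post #7 describes rather than at malware.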

#12
September 3, 2013 at 15:00:24
"and obviously do not have the needed computer expertise"
Hi Gail, can you get someone who is savvy to show you?


#13
September 4, 2013 at 06:19:49
Now that's cruel, but then the truth always is. Too right about computer expertise; however, my son is a programmer and the next time he is in town I will get him to check things out. I want to thank everyone for their assistance.


#14
September 4, 2013 at 06:33:57
"a programmer and the next time he is in town will get him to check things out"
If he wants to carry on in this thread/post, he is quite welcome.
