Virus Please Help!

Learn about Computer Security Virus/Malware Removal Assistance
1

I have scanned my computer using about 5 programs all 5 programs says my computer is ok. I have used Hitman Pro, Comodo Anti-virus, AVG full version, regrun reanimator, and Malware bytes.
When i first got the virus it would shutoff my computer completley, but after a few tries i was able to start up my computer. My computer will shutoff if i scan my computer in safe mode with avg. If i scan it in normal mode my computer will not shut off, but the virus wont be found. Once the virus shuts off my computer it takes multiple attempts to start my computer up again.
When I installed comodo Anti-virus it gave me the option to block rpcnetp.exe from starting up an svchost execution.(maybe this stopped the virus? but once it was scanned nothing was found)
I will attach my processes+ startup programs along with the log from the malware bytes scan.
Any help would be much appreciated. I have been trying to get rid of this virus for weeks and have finally caved in.

Startup Programs:
Yes HKCU:Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
Yes HKCU:Run ehTray.exe C:\Windows\ehome\ehTray.exe
Yes HKCU:Run WMPNSCFG C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
No HKCU:Run 1160881140 C:\Program Files (x86)\Toshiba Registration\Registration.exe /r “C:\Program Files (x86)\Toshiba Registration\Registration.rpd”
No HKCU:Run dsclogff C:\Users\owner\AppData\Local\Temp\dxdkdcecc\ncdarwxusbs.exe
Yes HKLM:Run Adobe Reader Speed Launcher “C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe”
Yes HKLM:Run QuickTime Task “C:\Program Files (x86)\QuickTime\QTTask.exe” -atboottime
Yes HKLM:Run iTunesHelper “C:\Program Files (x86)\iTunes\iTunesHelper.exe”
Yes HKLM:Run AVG_TRAY C:\Program Files (x86)\AVG\AVG10\avgtray.exe
Yes HKLM:Run Windows Defender %ProgramFiles%\Windows Defender\MSASCui.exe -hide
Yes HKLM:Run COMODO Internet Security “C:\Program Files\COMODO\COMODO Internet Security\cfp.exe” -h
No HKLM:Run 00TCrdMain %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
No HKLM:Run a-squared “C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2guard.exe” /d=60
No HKLM:Run Apoint C:\Program Files\Apoint2K\Apoint.exe
No HKLM:Run BlackBerryAutoUpdate C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
No HKLM:Run Camera Assistant Software “C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe” /start
No HKLM:Run cfFncEnabler.exe cfFncEnabler.exe
No HKLM:Run CLMLServer “C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe”
No HKLM:Run COMODO C:\Program Files\COMODO\COMODO livePCsupport\CLPSLA.exe
No HKLM:Run CPA C:\Program Files\COMODO\COMODO livePCsupport\Cpa.exe
No HKLM:Run DivXUpdate “C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe” /CHECKNOW
No HKLM:Run HSON %ProgramFiles%\TOSHIBA\TBS\HSON.exe
No HKLM:Run HWSetup “C:\Program Files\TOSHIBA\Utilities\HWSetup.exe” hwSetUP
No HKLM:Run ITSecMng %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
No HKLM:Run jswtrayutil “C:\Program Files (x86)\Jumpstart\jswtrayutil.exe”
No HKLM:Run KeNotify “C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe”
No HKLM:Run MSSE “c:\Program Files\Microsoft Security Essentials\msseces.exe” -hide -runkey
No HKLM:Run NDSTray.exe NDSTray.exe
No HKLM:Run PCMAgent “C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe”
No HKLM:Run RavTRAY “C:\Program Files (x86)\Rising\RAV\RSTRAY.EXE” -system
No HKLM:Run RtHDVCpl C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
No HKLM:Run Skytel Skytel.exe
No HKLM:Run SmoothView %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
No HKLM:Run SunJavaUpdateSched “C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe”
No HKLM:Run SVPWUTIL “C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe” SVPwUTIL
No HKLM:Run ToshibaServiceStation C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TSS.exe /hide
No HKLM:Run TPwrMain %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
Yes HKLM:RunOnce Malwarebytes’ Anti-Malware “C:\Program Files (x86)\Malwarebytes’ Anti-Malware\mbamgui.exe” /install /silent
Yes Startup User Stardock ObjectDock.lnk C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe

Malwarebytes’:
Malwarebytes’ Anti-Malware 1.51.0.1200

Database version: 6897

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

6/19/2011 9:15:26 PM
mbam-log-2011-06-19 (21-15-26).txt

Scan type: Quick scan
Objects scanned: 166388
Time elapsed: 27 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Using RegRun There were was one suspicious files:
RES://C:\PROGRA~2\MICROS~1\OFFICE12\EXCEL.EXE/3000 ( I deleted this file)

[attachment deleted by admin]

2

I have also used COMODO cloud scanner and nothing came up as well. The annoying part is that I am 100% sure that I have a virus, or something of that type.

3

try kaspersky rescue disk. you will have to burn it on to a cd then boot from it
http://support.kaspersky.com/viruses/rescuedisk

let me know if you need more instruction on how to use a bootable disk

4

What makes you 100% sure that this is virus related? Could it possibly be a hardware problem that when under load (e.g. when scanning) something gets to a point then auto shuts off?

Maybe check event viewer.

5

I’m with Matty here; It sounds like a hardware problem…

I would like to see a export of Windows Logs specifically the “System/Application” Logs; but All the logs would be great…

6

This is true I am not 100% sure. The only thing that really makes me think it is not hardware related is that I am pretty sure I got the virus from a website. I am not sure, but I remember rebooting my computer because it started to act funky. After I rebooted my computer my computer would not startup. After awhile startup repair would become an option. After I tried loading startup repair my computer would shutdown before startup repair could start. The only way my computer would start is though normal mode. How would you like me to send you the logs? Via email?

7

You can attach them on your next reply

8

Can you boot from and work for some time with a Linux Live CD, say UBUNTU.

I am just asking to confirm that it is not related to any hardware issues, (mostly SMPS or Processor Over Heat, RAM hard faults, Harddisk Bad blocks, etc.,)

9

I am pretty sure it is a hardware failure. I have tired uploading the logs but I am struggling. Could someone please explain to me how to upload them?(sorry I am new to this!) I am not sure if the upload is even necessary I looked though the log and found this long which probably explains my problems?
“Windows (2864) Windows: A request to write to the file “C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb” at offset 22691840 (0x00000000015a4000) for 8192 (0x00002000) bytes succeeded, but took an abnormally long time (2526 seconds) to be serviced by the OS. In addition, 0 other I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted 88668 seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.”

10

I would say check your hard drive with a diagnostics tool from your hd’s manufacturer. Also make sure the wires to your hard drive are ok and connected tightly.

Then run Windiag to test your memory. Let it run for 10 rounds. Before letting it run undo all overclocks you made when you made overclocks. The scanning will take several hours so do it when you are sleeping or away to school or work or so. If it found one or more errors your memory is corrupted and need to get new. You may have warranty you can claim.

11

Hi jf69,

As it was pointed many times here the malware related issues in this forum and spontaneous advices given by users are completely out of touch (diplomatically speaking ) and absolutely unacceptable (less diplomatically speaking) … That can lead only to absolutely crippled system that cannot be recovered – damaged beyond repair way before any expert can have look at your system and provide any assistance

1st , you did not provide any info re: your System Environment
Well, because we can see “…C:\Program Files (x86)\ …" we may assume that’s some x64 flavour
… but

  • is it Vista or win 7?
  • service packs are installed?
  • if you are using CIS …. what components ; version / etc.
    Sure you can be infected badly using CIS…( even using VM) but still some information provided by you can help
  • What other security are in place ?

======= Windows.edb:

As Matty_R said:

What makes you 100% sure that this is virus related? Could it possibly be a hardware problem that when under load (e.g. when scanning) something gets to a point then auto shuts off? Maybe check event viewer.
At the moment I doubt the hardware issue(s) . Event Viewer log can definitely help.
I’m not sure though about “something gets to a point then auto shuts off? - mystery statement (including the fact I have some experience)

In addition, please read (“out there”) about “Windows.edb" and related problems

“MS Search” - are key words and that was never used here – Disabled (service and other related Software if uninstalled. That is pathetic piece of Software & very sloooow ; + creating huge indexing file / etc.

There are much better Software/engines in order to perform search, which will yield results instantaneously ( NTFS format is important, though )

So, just get rid of MS Search and please tell us the result

=======

Why would you remove rpcnetp.exe without any investigation?

That can be False Positive (FP) on behalf of Comodo’s AV (which has many FPs).
That said file can be legit Software (say, Laptop protection from being stolen)
Again… additional info is needed

=======

Same apply to

Using RegRun There were was one suspicious files:
RES://C:\PROGRA~2\MICROS~1\OFFICE12\EXCEL.EXE/3000 ( I deleted this file)
Why? ??? What Software flagged that item? That could be (& most likely) legit as well

Are you confident and experienced enough (at the moment) when using any Registry Cleaning Software?
I wish you would never try Comodo’s CSC Including the latest entry about MS Office read all that section, if you are interested

Anyway I’m “a bit” (softly speaking) sick & tired reading all those spontaneous/dangerous advices in this forum

Please visit dedicated Malware Removal site(s) ; provide decent info; and certified malware fighters will assist you. PM me if you want & I will send you the link(s)

Cheers!

12

i would like you to google for malwarebytes and superantispyware,update them and do a full scan…remove the threats that they find…

Edit by EricJH: reverted all bold text to normal

13

Hi malwarekiller

1st there is no need at all to post in bold font

After all said, as I can see you’ve posted several similar messages here in this (and as a matter of fact in other) forum … the latter was correctly deleted as far as I know

Unfortunately, you do not have neither formal experience no certification, as I can see.
All such “advices” being just picked up by “reading stuff around” in most cases will lead to a complete disaster

I hope that the initial poster will not listen and will not by any means act upon such kind of “advices”,
but rather provide information /investigate / and as a result seek help in appropriate places as suggested , where certified malware fighter will assist properly

Thanks

14

the advice that i gave above uses simple tools so no disaster will be caused :wink:

this is not going to destroy anybodys computer :smiley:

15

At SiberLynx. I see no harm in advising people to use reputable scanners like Malwarebytes Anti Malware, Super Antispyware and Hitman Pro to scan and clean their computers.

16

well,hitman pro can seriously ■■■■■ up your pc since himan pro has the default action to delete infected files and what if a rootkit has infected an important file of windows and hitman pro deletes it then this will regard the pc unbootable again a normal average user would not bother to change the action to repair and will accept everything at face value. :wink:

Please note:
mbam,sas,eset online scanner,trend micro house call and other anti-maware scanners excluding hitman pro cause no harm… :slight_smile:

mbam came up clean try superantispyware.

u will recieve a private message soon by me on how to use superantispyware… ;D

17

Please don’t solve problems with other users by pm. It defeats the purpose of a forum and even more important the malware problem cannot be critically followed by others.

18

sorry…not much famaliar with this forum stuff… :azn:

19

Hi Eric,

Sure, you can use “reputable scanners” & scan … and sometimes clean,
but my message to malwarekiller was different especially considering a contexts of this particular case … and other cases as a matter of fact , where you can see and analyze his inputs :wink:

I’ll refrain myself from other comments at the moment

Cheers!

20

Just a quick story that may (or may not) be relevant to this topic :slight_smile: Twas fixing a computer for a someone who was on the same job as me (wasnt booting/started then shut down straight away), Anyway on getting said box i noticed the power button seemed jammed in! Well that doesnt look right me thinks ill try that first. So i took off the jumper and used a spare and it booted straight away......sorted.... Anyway i realised it had some malware so set it to boot from cd and ran the usual boot cd ;) Anyway the first scan started then bam the computer shut down out of the blue. Tried again same thing! Puzzled at this i took a closer look in the case whereby i noticed that the cpu fan wasnt turning round on power up, one of the cables had been pulled out and the cpu must have been overheating and causing the system to shutdown :frowning:
Anyway re-did the connection, re-booted, all was tickety boo/hunky dory. After a few scans i realised that the infections where that many that nuking the disc and re-installing was the best option…

Moral of the story-“Little things can cause big problems!!!”