message that "SUPERANTISPYWAR" is preventing shutdown

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JanetE, Apr 13, 2011.

  1. JanetE

    JanetE Private E-2

    Have been getting a message last 4-5 nights when trying to shut down, saying that "The following programs are still running: SUPERANTISPYWAR. This program is preventing your computer from shutting down." The message persists for a few moments and then the computer finally shuts down.

    Could not find any such "superantispywar" (note: without the "e"). Hmmm. It feels like I'm being used as somebody's server perhaps.

    I ran the recommended scans, but could not get MGtools to give me anything. I also tried to run GetLogs.bat as administrator and got nothing either. User Account Control is off and AV and firewall are disabled so I'm stumped and need help with that one.

    Please find attached:
    SASlog04132011.txt
    mbamlog20110413.txt
    CFlog20110413.txt
    RRlog.txt

    I appreciate your help. Thanks much,
    Janet
     

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please click Start, All Programs, Accessories and you will see ( among other things ) a Command Prompt entry.

    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.

    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
     
  3. JanetE

    JanetE Private E-2

    Thank you TimW. That worked. I don't think it created MGlogs.zip however, so I hope I am doing right by attaching runkeys.txt and newfiles.txt individually.

    FYI, I got the same message last night about the 'SUPERANTISPYWAR' on shutdown. This was after running SAS, MBAM, ComboFix and RootRepeal (and trying unsuccessfully to run MGtools).

    Also I should have thought to alert you that I had an earlier thread in the software forum, dating from 03-31-11, that may point to the first signs of malware. (Some extracts below.) I wasn't sure if it was really sinister or not, and at that time I simply took the advice given me to disable the automatic running of Google Updater Service.

    I have for the present re-enabled User Account Control, turned on AV and scanning, and firewall. I know now from painful experience that I must disable all these again before completing the clean-up when that time comes, and in particular to be able to uninstall the ComboFix.

    Thanks again so much for your attention,
    Janet

    http://forums.majorgeeks.com/showthread.php?t=235221

     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you install this:
    Security Task Manager 1.7h
     
  5. JanetE

    JanetE Private E-2

    Yes. Security Task Manager 1.7.7.0 from Neuber.
    Last modified, I believe, 2/24/2009 1:42 PM.
    In C:\Program Files\Security Task Manager.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\users\Janet and Thom\AppData\Local\{E1BEC179-730A-40C2-962F-6EEF473DD4F3}
    c:\users\Janet and Thom\AppData\Local\{2FF13337-C31D-4930-A384-39AA81F80C16}
    C:\Windows\System32\vs08
    File::
    C:\{FDFB2219-4B79-4607-B55F-4E5C01FEB952}
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  7. JanetE

    JanetE Private E-2

    Hello Kestrel13!

    Nice to see you again. Thank you for your helpful response, and hopefully I have done as directed. Please find attached:
    c:\combofix.txt
    c:\MGlogs.zip

    Fingers crossed,
    Janet
     

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I still am not finding anything remotely associated with the issue you are having. Is it still happening?
     
  9. JanetE

    JanetE Private E-2

    The short answer to your question is "not sure yet."
    Here is a recap. Screenshots attached.

    On 29 March the computer refused to shut down. I left it running with "Shutting down" displayed. In the morning I still had the same "Shutting down" screen so I killed the power. When it came back up the cursor seemed to be jumping around. I did a System Restore to set myself back a few days.

    When it rebooted I now got a warning (from Windows I think??) that my anti-virus protection had been turned off. I also got a message from Norton that I was at risk and needed to download virus definitions. When I did this it seemed to download everything from the start of time, but when it was done it seemed OK.

    On 30 March I got a message about websites blocked by my hosts file, all with "mcafee" in their names.

    The next morning, 31 March, on bootup it immediately ran a CHKDSK, telling me that it was deleting a couple of index entries. After that it seemed to boot normally.

    But then, on 6 April I believe, I started getting these "SUPERANTISPYWAR is preventing your computer from shutting down" messages.

    Just now I tried shutting down and did not get the "SUPERANTISPYWAR" message, but I wasn't always getting it. It seemed to happen only late at night (U.S. east coast daylight savings time), and not every night. So I can't really be sure yet, although it did seem faster this morning after what I ran from Kestrel13! yesterday.

    So what was it that Kestrel13! had me delete? Can I take it that those logs now look clean? But they don't address my issue as far as you can see?

    Thanks as always for your time and attention,
    Janet
     

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Kes didn't remove anything significant. The next time you get that message, Control / Alt / delete to bring up the task manager and look to see what is running. Check processes and see if you can identify this anomaly. Your logs are clean. I couldn't find any trace of that misspelled app.

    Just for safety sake, let's run an online scan:
    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!

    • Follow the Instruction Here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs, click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply.
     
  11. JanetE

    JanetE Private E-2

    Do I have to have my UAC disabled, and AV, scanning, and firewall off while I run this scan?

    Also, looking at the F-Secure website, I can't see any text in the dropdown window asking which language to use, nor in the window that should show me their terms and conditions. I tried both blue links you sent me. I'm in IE9.
     
    Last edited: Apr 14, 2011
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, you should be able to run it without disabling anything.
     
  13. JanetE

    JanetE Private E-2

    ActiveX doesn't seem to have installed...? There's just a thing spinning round and round on my screen; unless that's a sign that it's actually scanning? But I never got to anything that said "Full System Scan." Something preventing installation of ActiveX? SpybotS&D? SpywareBlaster?
    Thanks
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Spybot may be blocking it.

    Let's go a different route then:
    eSet Online Scan.
     
  15. JanetE

    JanetE Private E-2

    Was able to run the ESET scan. Log attached.

    It's usually my first line of defense and I'm pretty sure I tried that, but I think I remember that the message vanished before I could get a bead on it and then the machine was shutting down and out of my control. I'll try to leap on it if it happens again.

    I tried shutting down again just before putting up this post, and no issue.

    Cross fingers and forge ahead with business as usual??? :confused Or do you still have something else up your sleeve?

    Your attention much appreciated as always,
    Janet
     

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Nothing else up my sleeves. Just keep an eye on things and let me know if it reoccurs.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:

     
  17. JanetE

    JanetE Private E-2

    TimW, thank you for your latest efforts.

    Some strange things last night, so not sure if we've eradicated all the bad guys but for now the computer seems a lot snappier and I've had no "SUPERANTISPYWAR" garbage on shutdown since I ran the ComboFix with Kestrel13!'s fix. :confused

    Cleanup successful per your instructions, including toggling System Restore. (Could not find any HijackThis to uninstall in add/remove programs.)

    But then I reset SAS to default options and tried to download new definitions. It hung. Got a message (from where??), something about failure of security options to load. Not sure of wording. I remember something like a white x in a red circle. It disappeared very fast. (I've seen this 2 or 3 times in maybe the last couple weeks.)

    I uninstalled SAS and got new one from SAS website. On download, Norton told me "unable to get info on c:" so I ran Norton Insight Network Scan on the downloaded SAS installer on desktop and was told this time that "Less than 5 people in the Norton community have used this file" but at the same time that the file was "trusted." I went ahead anyway and the installed SAS seemed normal.

    Oddly, though, when I then went to the SAS icon in my dock it didn't launch the program as it usually does. I started it from the Alternate Start (SAS icon in taskbar) and that worked.

    Oddly again, although I had run the update during installation, when I checked again it downloaded more definitions and I got a whole lot this time.

    After that I installed the whole of Patch Tuesday, 20 items from Microsoft. Also new RealPlayer from FileHippo last night and more from FH this a.m.: AdobeAIR and 2 FlashPlayers.

    Odd occurrence again: Norton told me "Less than 5 people in the Norton community have used this file" for all three of these last downloads. I've seen this before. Maybe it's just because I get such early warning from FH.

    So......win or draw? dunno. Is somebody messing with my antivirus software? Maybe I've only succeeded in getting in its way and it will come roaring back. To be continued!

    Much appreciate your help. Thanks so much.
    Janet
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I suggest that you use MajorGeeks to download your programs from. I have never heard of that message from Norton. Perhaps someone in the software forums has. Keep me informed.
     
  19. JanetE

    JanetE Private E-2

    Will do. Thank you so much!
    Janet
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    At least that way you will know you are not getting programs that may be infected. :)
     
  21. JanetE

    JanetE Private E-2

    I think I will start over with uninstalling the SAS and download it from MG this time (hoping I haven't already unleashed something). Thanks! You guys are the best.
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
  23. JanetE

    JanetE Private E-2

    Is this normal?? Cursor suddenly seemed sluggish so I went to Control-Alt-Delete, found a strange-looking process running under the name SuperAntiSpyware. Screenshot attached. CPU cranking at 80%, yet I only have a couple apps open and not really doing anything much.

    Maybe I'm seeing things now, but I'm still a little nervous!

    thanks again,
    Janet
     

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is how SUPERAntiSpyware runs once you have selected Alternate Start. It uses a random name to try and get around malware blocking it. It was not using 80% of your CPU. It was using 0% in your snapshot.

    Uninstall SUPERAntiSpyware. Reboot, and then reinstall. This time tell it not to run at startup as we stated in the instructions for installing and running it in the READ & RUN ME. I'll repeat the link for you. You should set the options as we requested.

    SUPERAntiSpyware - running & getting a log
     
  25. JanetE

    JanetE Private E-2

    Oh! Hello, chaslang, nice to see you again. Thank you for responding, and so sorry for panicking!!! :-o I didn't know that about the Alternate Start. Got scared when I saw that string! I can uninstall and reinstall, no problem, but I wasn't running SAS for MG now. I think/hope my malware removal is done, and I had set my SAS back to the way I usually run it every day.

    So shall I always leave it set up exactly the same way you describe in this link, even when I'm not performing malware removal? Is that what you're saying?

    One question, though. For everyday purposes, is it ok to leave the check in the box for "Display scan option in Explorer context (right click) menu" because I use that a lot.

    Oh, and come to think of it, it runs a lot longer your way. So do you think that rather than run every day I would be better off to run your longer version even if less frequently? Probably so, but it makes me nervous not to run MBAM and SAS every day.

    And I gather it's up to me whether or not to have SAS running on startup.

    learning curve... thanks a lot,
    Janet
     
  26. JanetE

    JanetE Private E-2

    I got another message on shutdown around 4 a.m. New York time. It appeared very briefly and I couldn't capture any shot of it, and Ctl-Alt-Delete could not have helped (though I did try!) because it went by too fast. It said that a program was preventing Windows from shutting down. It did not say 'SUPERANTISPYWAR' this time. It quoted a program name that was a short string of nonsense. After that it went on to show a screen saying "Shutting down" but it did not shut down. Finally I hit the power switch.

    The computer was extremely slow the later it got tonight. I was reading large PDFs, but still it shouldn't be that slow. Forgive me if this is irrelevant, but earlier I had looked in Neuber's Security Task Manager app and saw BCMWLTRY.EXE flagged red (potentially dangerous) and using CPU. This is supposed to be Broadcom Corporation Wireless Network software, but I don't use the wireless network, I'm hardwired. I had Neuber upload the file for analysis on VirusTotal where it scored zero ("This file has never been reviewed by any VT Community member"). Odd? This file is almost 5 MB. Maybe this link will work for you:

    http://www.virustotal.com/file-scan...858bc0665c7b71d071acfa2faa87fdfb91-1303019206

    I did, by the way, uninstall SAS and reinstall with a download from MG after you (TimW) said I should. But I haven't yet done it again after chaslang said to do it again, as I was waiting for answers back before proceeding. But methinks I'm going to have to start all over again with all the diagnostics now not just SAS. I'd still like clarification on the questions in my previous post, but it's looking like I'm not really ready to wrap anything up yet.

    I'm shot. Will check back in the a.m. for further advice. I'm turning the *(!+ computer off and going to sleep now.

    Much appreciate your help,
    Janet
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are problems with Windows not malware. You should post in the Software Forum for suggestions. Sometimes a system restore can be performed back to a point before the problem began and that may or may not help. A repair install may also be an option. Then comes reinstall.

    This is for your Broadcom network interface card and is not malware. Whether you use the card or not, it is not malware and not a topic for this forum.

    Actually you are since you are not having malware problems. I will address your questions in the next post.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! But if you don't mind how it slows down you startup, you can have it load when you boot up. That's your decision. Most people complain since it can have a significant effect on startup.

    Yes if you want that feature that's fine.

    If you want to run scans with Malwarebytes and SUPERAntiSpyware every day, that's fine. However just allowing them to load at startup does not run a scan. You have to run the scan. Remember the free versions do not provide active protection. They are after the fact scanners.
     
  29. JanetE

    JanetE Private E-2

    OK, great. That's the answer, then. I already run the Malwarebytes and SUPERAntiSpyware every day manually, so I just won't let them run on startup.

    I also figured out that, since SAS names itself randomly, both the misspelled "Superantispywar" and last night's program with the nonsense-string name could simply be truncations and therefore those messages about a program preventing shutdown could in fact be genuine warnings from Windows. I am reassured.

    I will go back to the software forum to take up any further shutdown issues. Many thanks to TimW, Kestrel13! and yourself, chaslang, for all your help. I truly do appreciate it.

    Janet
     
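    The advice in this thread boils down to three checks: open Task Manager while the dialog is up (TimW, post 10), expect SUPERAntiSpyware's Alternate Start to run under a random process name (chaslang, post 24), and treat the name in the shutdown dialog as possibly truncated (Janet, post 29). The following script ties those together. It is an added example, not code from the thread or from MajorGeeks, and it assumes Windows PowerShell 3.0 or later on Windows 7 started with "Run as administrator" so that every process's executable path is readable. The function names, the default name string and the use of User32 event 1074 for recent shutdown requests are this example's own choices.

```powershell
# Added example, not from the thread or from MajorGeeks. Assumes Windows
# PowerShell 3.0 or later, started with "Run as administrator".
# Usage: .\Resolve-ShutdownBlocker.ps1 -ShownName 'SUPERANTISPYWAR'

param(
    # Name exactly as it appeared in the "still running" shutdown dialog.
    # Constructed default copied from the thread.
    [string]$ShownName = 'SUPERANTISPYWAR'
)

# The dialog may truncate the name, so match on prefix (case-insensitive),
# both against the process name and against the on-disk executable name.
function Find-ProcessByShownName {
    param([string]$Name)
    Get-Process | Where-Object {
        $_.ProcessName -like "$Name*" -or
        ($_.Path -and ([IO.Path]::GetFileNameWithoutExtension($_.Path) -like "$Name*"))
    }
}

# For each process, report where its executable lives, who built it and
# whether the file carries a valid Authenticode signature. A randomly named
# process is identified by its path and signer, not by its name.
function Get-ProcessProvenance {
    param([System.Diagnostics.Process[]]$Process)
    foreach ($p in $Process) {
        $path = $p.Path
        if (-not $path) {
            # Path is empty when not elevated or when the process is protected.
            [PSCustomObject]@{
                Name = $p.ProcessName; Id = $p.Id; Path = '<not readable>'
                Company = $null; Signature = $null; Signer = $null
            }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [PSCustomObject]@{
            Name      = $p.ProcessName
            Id        = $p.Id
            Path      = $path
            Company   = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer    = $signer
        }
    }
}

# Recent shutdown/restart requests logged by Windows (User32 event 1074), to
# line up the time of the dialog with who asked for the shutdown.
function Get-RecentShutdownRequests {
    param([int]$Count = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074 } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$found = @(Find-ProcessByShownName -Name $ShownName)
if ($found.Count -eq 0) {
    Write-Host "No running process starts with '$ShownName'."
    Write-Host "Run this again while the dialog is on screen; the process may already have exited."
} else {
    Get-ProcessProvenance -Process $found | Format-List
}
Get-RecentShutdownRequests | Format-List
```

    Run it while the "still running" dialog is visible, or immediately after cancelling the shutdown. A process whose Path sits in the SUPERAntiSpyware program folder with a Valid signature from its vendor is the Alternate Start instance chaslang describes; a prefix match with no readable path, no company name or a NotSigned status is the case worth raising in the malware forum with logs.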
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Again, you are most welcome. :)
     
  31. JanetE

    JanetE Private E-2

    Looking in the rearview mirror I see that what fixed me up that time was not anything specific we did, it was probably the simple fact of not allowing the SuperAntiSpyware to run on startup (because I was set up to run your scans).

    As soon as I went back to running it on startup I had problems again. So I think that having the SuperAntiSpyware running on startup was the problem all along.

    Thought I should just post this up here for other people to find. Hindsight is 20/20. Thanks again. :wave
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks but the problem is not likely with SUPERAntiSpyware. The problem is more likely due to an issue with your Windows installation or another application that may be corrupted or is causing conflicts. Tens of thousands ( if not many more ) people run SUPERAntiSpyware at startup ( and I have tested it too ) and do not have the problem. You will find many examples of applications that seem to be accused of not allowing Windows to shut down and in an extremely large percentage of these cases, it is not the application that is the problem. It is Windows or another application.
     
  33. JanetE

    JanetE Private E-2

    Makes sense. So at some point I will get some friendly help on the software forum. Again, thank you so much. Your advice is invaluable.
    Janet
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     