System hijacked by malware?
Windows XP Annoyances Discussion Forum

System hijacked by malware?
Friday, April 11, 2008 at 7:50 am
Posted by Gill (30 messages posted)

I'm listing the symptoms here, as I don't have a clue what's causing this.

1. On Monday I was surfing in Firefox when the desktop just crashed (this almost 
never happened in firefox but usually in IE after long surf sessions). Explorer.exe 
failed to revive it, I had to navigate using Ctrl+Alt+Del for a while, but then I 
decided to reboot to restore the desktop.

2. On reboot, I clicked on stuff and it just wouldn't respond; for instance the internet 
login link would not open, and clicking on Start, the button would just look depressed 
without actually opening the Start menu.

3. I rebooted in Safe mode and things worked fine, I tried ccleaner, spybot (results 
were clean), stinger (clean), SDfix, Combofix. Nothing made a normal startup work 
as normal.

4. Finally thought of System Restore -- restored to last Thursday (April 3), things 
went back to normal.

(Things stayed normal for 2 days)

5. Wednesday, was surfing again, opening explorer windows began to look buggy again 
in that the whole menus would not display right, so I rebooted.

6. Same symptoms as (2) above, so I rebooted in Safe mode.

7. In Safe mode, Combofix failed to initialize, used SDfix until it asked for restart, 
restarted but the log failed to show up as the desktop totally hung midway.

8. Back in Safe Mode again, tried to look for a System Restore point, there was none! 
I thought they are only deleted after 90 days?

9. Still in safe mode, tried running Spybot again, the screensaver kept starting 
after 1 minute, I right clicked on desktop to set it to 15 minutes, it just set itself 
to 1 minute again (malware?). Spybot showed a clean result.

10. Rebooted normally, hung a few times when opening a folder, clicking on the 
manual internet login link or even right-clicking the desktop (will not show desktop settings 
menu).

11. Reconfigured router to auto-login mode to bypass the manual login desktop link, 
managed to connect to internet.

12. Tried to make a HijackThis log, failed on two reboots, each time it shows:

"This action cannot be completed because the other application is busy. Choose "Switch 
To" to activate the busy application and correct the problem"

It just stayed that way with the error message, I clicked Switch To and Retry without 
success.

Strangely, the Windows Task Manager's performance tab did not show a high CPU or 
PF usage.

13. I used ccleaner's registry cleaner in Safe Mode, there's a bunch of stuff related 
to Real player, so I deleted them all and uninstalled realplayer.

- combofix could run again
- ran SdFix but the log that appeared on a normal boot can't be saved as it hung 
when I chose "Save as.." but I saw the words "Trojan Found.." in the log.
- A Spybot scan showed nothing

(all the above were done while in Safe Mode)

I'm now in Safe Mode, I can't navigate in normal mode as the system will hang upon 
opening anything.


re: System hijacked by malware?
Friday, April 11, 2008 at 9:56 am
Posted by MartinM (3033 messages posted)

It does sound like Malware. It could possibly be a failing HDD and, either way, do back up your files in one of the rare moments when the system is working at all. For support I'd post here


re: System hijacked by malware?
Friday, April 11, 2008 at 11:17 am
Posted by cc (11 messages posted)

Possibly a root kit; have you tried root-kit removal?

re: System hijacked by malware?
Friday, April 11, 2008 at 1:37 pm
Posted by Gill (30 messages posted)

No, I've never tried root-kit removal before. Where do I start?


re: System hijacked by malware?
Friday, April 11, 2008 at 1:45 pm
Posted by Gill (30 messages posted)

I'm preparing for the worst but I suspect it's malware monopolizing the resources, 
preventing programs and windows from opening, as they operate without problems in 
safe mode, and previously, a system restore on Monday managed to reverse this.

Should I post a log here?

I've managed to run some logs,

SdFix log (auto saved upon normal boot)
Combofix log (in safe mode)
HijackThis log (in safe mode)


re: System hijacked by malware?
Friday, April 11, 2008 at 2:10 pm
Posted by MartinM (3033 messages posted)

No, don't post here. Go to the link I provided and read their comprehensive instructions :-)


re: System hijacked by malware?
Friday, April 11, 2008 at 4:06 pm
Posted by cc (11 messages posted)

Download Sophos anti-rootkit from download.com and run it in safe mode. The only possibility is a root-kit; also run chkdsk.exe as it resolves any disk errors – that may be the case?


On Friday, April 11, 2008 at 1:37 pm, Gill wrote:
>No, I've never tried root-kit removal before. Where do I start?


re: System hijacked by malware?
Friday, April 11, 2008 at 6:39 pm
Posted by Gill (30 messages posted)

I've been doing the pre-HJT activities for the past few hours. Malwarebytes seemed 
to clear up what I think is the main culprit (below), as I'm in normal mode now and 
the previous problems seem to be gone at the moment.

***

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) 
-> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) 
-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Engine.BackupEngine (Rogue.AntiSpyKit) -> Quarantined 
and deleted successfully.

***


re: System hijacked by malware?
Friday, April 11, 2008 at 6:42 pm
Posted by Gill (30 messages posted)

I've tried using this, "AVG Anti-Rootkit Free" and scanned twice (safe and normal 
mode) with no root-kit malware found a few hours ago, I'll try Sophos right now just 
to be safe.

By the way, I've been using Avast (4.8) Pro all these years; should I switch to 
Kaspersky Internet Security 7?

Which one is more robust? 


re: System hijacked by malware?
Friday, April 11, 2008 at 7:35 pm
Posted by Gill (30 messages posted)

Sophos found this entry, but there was no "clean" option for it:

Area:	Windows registry
Description:	Hidden registry key 
Location:	\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vax347s\Config\jdgg40
Removable:	No
Notes:	(no more detail available)


re: System hijacked by malware?
Saturday, April 12, 2008 at 6:07 am
Posted by MartinM (3033 messages posted)

Good :-)


re: System hijacked by malware?
Saturday, April 12, 2008 at 6:52 am
Posted by cc (11 messages posted)

Run chkdsk.exe in safe mode, just to be on the safe side; a bad sector might be causing your problem. Other than that, I would suggest you create a restore point and then manually delete the key in regedit. If you encounter no problems after reboot, turn off system restore and then start a fresh new restore point.


On Friday, April 11, 2008 at 7:35 pm, Gill wrote:
>Sophos found this entry, but there was no "clean" option for it,
>
>Area: Windows registry
>Description: Hidden registry key
>Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vax347s\Config\jdgg40
>Removable: No
>Notes: (no more detail available)


re: System hijacked by malware?
Saturday, April 12, 2008 at 6:59 am
Posted by cc (11 messages posted)

Do not download Kaspersky Internet Security 7, because it is a "resource-hog" and leaves your Temp folder in a complete mess. Avast detects some false positives and doesn't detect droppers, so I would use AVG Free like the majority do.


On Friday, April 11, 2008 at 6:42 pm, Gill wrote:
>I've tried using this, "AVG Anti-Rootkit Free" and scanned twice (safe and normal
>mode) with no root-kit malware found a few hours ago, I'll try Sophos right now just
>to be safe.
>
>By the way, I've been using Avast (4.8) Pro all these years; should I switch to
>Kaspersky Internet Security 7?
>
>Which one is more robust?


re: System hijacked by malware?
Saturday, April 12, 2008 at 9:29 pm
Posted by Dan Sarandrea, MCSE (6708 messages posted)

Once you get this mess sorted out, prevent future problems by operating the computer 
using a Limited User account.

Log on to a Computer Administrator account only when the specific task at hand requires 
admin rights/privileges, do the task, then log off and go back to the LU account.

Or learn how to use the Run As... command.


re: System hijacked by malware?
Sunday, April 13, 2008 at 10:42 am
Posted by Gill (30 messages posted)

I've done a boot chkdsk and deleted previous restore points.

In fact, it was the lack of any restore points that made the problem hard to reverse 
in the first place; somehow my computer's restore points would disappear when I most 
needed them. Or maybe it's one of the things ccleaner deletes..


re: System hijacked by malware?
Sunday, April 13, 2008 at 10:46 am
Posted by Gill (30 messages posted)

Thanks for the tip, that sounds like a good way of reducing clutter and avoiding hijacks; 
I'll try it out and see.


re: System hijacked by malware?
Monday, April 14, 2008 at 1:45 pm
Posted by Selim Junz (9 messages posted)

Sounds like the drive is going south. 
I've heard that Spinrite from GRC.com works miracles. It costs a bit but gets 
you up and going in no time at all, and gives you enough time to back up your data.

All content at Annoyances.org is Copyright © 1995-2008 Creative Element™. All rights reserved.