
windows shutdown broken - just hangs on blank desktop

Dec 26, 2008 2:16PM PST

Good day or night,

Earlier today I got a nasty trojan off my computer. And now XP won't shut down. The shutdown process begins, icons and taskbar disappear, and then it stops, nothing on the screen but my desktop image. The thing even goes into sleep mode this way. But no shutdown.

I have tried some standard troubleshooting. Updated to SP3, updated Dell BIOS (have Vostro 1400). No luck.

Could this have been damage caused by the trojan? Several trojans were removed during safe mode by Malwarebytes [only log with removal info below]. The log means little to me. Not sure if I had a zlob.g, zlob.d or a win32.zafi.b. A fake "windows security alert" was coming up warning about a "win32.zafi.b" and then Mozilla stopped working and IE took me to a "safe soft review" website and then shut down.

Anyone have any suggestions? Anything appreciated...

Anthonology

=============================================

Malwarebytes' Anti-Malware 1.30
Database version: 1321
Windows 5.1.2600 Service Pack 2

26/12/2008 2:07:22 AM
mbam-log-2008-12-26 (02-07-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 112020
Time elapsed: 51 minute(s), 35 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\NetworkService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvcrtd.exe (Rootkit.Agent) -> Delete on reboot.
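
Added example, not part of the original post and not Malwarebytes' own tooling: a small Python triage of the log format shown above. It lists the entries marked "Delete on reboot" (scheduled for removal at the next restart, so worth re-checking afterwards) and the extra program chained into the Winlogon Userinit value. The function names and the embedded excerpt are assumptions made for illustration.

```python
import re

# Excerpt of the Malwarebytes log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\msvcrtd.exe (Rootkit.Agent) -> Delete on reboot.
"""

SECTION = re.compile(r"^(.+) Infected:$")  # matches "Files Infected:", not "Files Infected: 5"
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<label>[\w.]+)\) -> (?P<rest>.+)$")
BAD_GOOD = re.compile(r"Bad: \((.*?)\) Good: \((.*?)\)")

def parse_mbam_log(text):
    """Return one dict per detection: section, item, label, action, extra."""
    section, found = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        head = SECTION.match(line)
        if head:
            section = head.group(1)
            continue
        m = ENTRY.match(line)
        if not m:
            continue  # blank lines, counters, "(No malicious items detected)"
        rest, extra = m.group("rest"), []
        pair = BAD_GOOD.search(rest)
        if pair:  # registry data item: keep paths whose file name is not the known-good one
            good = pair.group(2).lower()
            extra = [p for p in pair.group(1).split(",")
                     if p and p.rsplit("\\", 1)[-1].lower() != good]
        action = rest.rsplit(" -> ", 1)[-1].rstrip(".")
        found.append({"section": section, "item": m.group("item"),
                      "label": m.group("label"), "action": action, "extra": extra})
    return found

def pending_after_reboot(found):
    """Items the scanner only scheduled for deletion; verify they are gone after restart."""
    return [d["item"] for d in found if d["action"].lower() == "delete on reboot"]

if __name__ == "__main__":
    for d in parse_mbam_log(SAMPLE_LOG):
        print(d["section"], "|", d["label"], "|", d["action"], "|", d["extra"])
```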

Hi. There MAY Be More To Do....
Dec 26, 2008 4:46PM PST

which I'll leave to others to explore. You can, in the meantime, run a Checkdisk R(epair) automatically which should correct any system file errors & repair any damaged areas on the HD disk. This may well solve no shut down status. Worth a try & can't hurt!! Here's how:

Disk/repair (Check Disk) (like SFC)
Left click on My Computer(open)
Right click on "C" or your OS drive if another letter.
Left click Properties and then click Tools Tab.
Left click on "Error Checking"> Check Now.
Left click to enter check mark in BOTH boxes offered.
Left click on "Start".
Computer will have to reboot to begin repairs.
Just leave alone (you're locked out anyway) 'til process finished.
In regular mode will take about 1 Hour (more/less)
In Safe Mode about 2 hours.
If computer normal after process complete you might want to create a new restore point and Label it POST ERROR REPAIR.
This is based on using an onboard copy of sys files if copy is ok.
If copy is corrupted, it may tell you to insert XP or SP2/SP3 (if patch applied) disk or to indicate location of SP2/3 info to get new, clean copy inserted. Good to have disk at hand. Good Luck!! Happy

will try...
Dec 28, 2008 2:25AM PST

Found the function. Will try once I have disks. Am traveling at the moment. Thanks for the tip.

(NT) Let Us Know How It Goes!:-)
Dec 28, 2008 2:39PM PST
reinstall worked!
Jan 2, 2009 10:53AM PST

Thanks for suggestions. Sorry getting back to thread so late.

(NT) Good Work & Happy Computing!! S :D
Jan 2, 2009 3:47PM PST