2014-11-17 06:29:14

Over the past couple of weeks I've seen a massive amount of craptastic failure on this Windows 7 PC which I'm not entirely sure how to respond to.  It started out with a separate instance of explorer.exe running in my taskbar, and I noticed the lag; it almost seemed like this separate instance was using up all resources available to my PC.  I'd kill it and it would return of its own accord.  I thought virus, malware, and ran MSE and Malwarebytes.  Neither program reported anything, so I figured it was something less threatening, more irritating than anything else.  I researched the matter for a fair amount of time and discovered nothing that helped me personally.  A couple of days ago, however, I began to notice the lag become more impressive, much more intense, to the point where sound itself was affected, which has never happened on this PC before.  Upon opening Task Manager I noticed yet another process had appeared, that being ctfmon.exe.  Again, this seems like a process that shouldn't be much of a bother; researching it turned up results on how it's based on MS Office and keyboard and regional language controls and the like.  I uninstalled Office to see if that would do the trick, then went into Control Panel and killed off alternative keyboards... Nothing.  The process kept rearing its ugly head.  Once again I scanned with both programs and couldn't find the answer.

It was during this scanning, however, that I killed my internet connectivity and noticed something interesting: the lag died off.  Still more intriguing was that when I killed the second instance of explorer.exe and did the same with ctfmon.exe, neither returned until I reconnected.  That made me dig out SuperAntiSpyware and run it... Within roughly 10 minutes I had come across nearly 192 possible threats and removed them all.  The problem persisted.  I switched over from MSE to ClamWin and discovered another 13 issues that didn't agree with the program and killed them off.  Whatever the matter is related to, however, is not giving up and continues to wreak havoc on this PC.

Explorer will reappear after roughly a minute of being killed off, followed closely by ctfmon.exe.  Killing off both instances of explorer.exe stalls the issue, but that's not convenient and seems like treating the symptoms and ignoring the disease.  Thoughts?

When life gives you oranges, demand lemons since everyone else is obviously getting them.

2014-11-17 07:18:46

Keeping in mind that you are decidedly better at this than me, so this might be useless advice:
I would try and hunt down the source of the EVIL! explorer.exe, et al. If the normal explorer.exe is still running, then there is either another process with the same name, or the malware is screwing with parameters or injecting itself after running or something.
I'm not really sure how to use all the in-depth features of Task Manager, and those seem to have been changing with each Windows version, so I have no idea how hard this would be. Maybe just searching your hard drive for explorer.exe? It will turn up loads of false positives, but if you can find anything that appears out of place, it might be useful.

Look over here!
"If you want utopia but reality gives you Lovecraft, you don't give up, you carve your utopia out of the corpses of dead gods."
MaxAngor wrote:
    George... Don't do that.
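The post above suggests hunting for the second explorer.exe by hand. The script below is an added example, not code from anyone in this thread; it does the same triage from PowerShell on the affected machine: for every process with one of the suspect names it prints the image path, the parent process, and a SHA-256 of the file on disk, and flags any image that is not under the Windows or Program Files directories. The list of suspect names and the set of trusted roots are assumptions for illustration; it uses Get-WmiObject because that is available on the PowerShell 2.0 that Windows 7 ships with.

```powershell
# Added example (not from the thread): triage duplicate explorer.exe / ctfmon.exe
# instances by checking where each image actually lives on disk, who launched it,
# and its SHA-256, so a look-alike running from %APPDATA% or %TEMP% stands out.
# The suspect names and trusted roots below are assumptions; adjust as needed.
$suspects = 'explorer.exe', 'ctfmon.exe', 'MSSpellCheckingFacility.exe'
$trusted  = @("$env:WINDIR\", "$env:ProgramFiles\")
if ($env:ProgramW6432) { $trusted += "$env:ProgramW6432\" }   # 64-bit Program Files

function Get-Sha256 {
    # Get-FileHash only exists from PowerShell 4, so hash via .NET directly.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$all   = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }   # PID -> process, to name parents

foreach ($p in ($all | Where-Object { $suspects -contains $_.Name })) {
    $path = $p.ExecutablePath
    $ok   = $false
    if ($path) {
        foreach ($root in $trusted) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $ok = $true }
        }
    }
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $hash       = if ($path -and (Test-Path $path)) { Get-Sha256 $path } else { '<no path>' }
    $flag       = if ($ok) { 'ok   ' } else { 'CHECK' }
    "{0} pid={1} parent={2} ({3}) path={4} sha256={5}" -f $flag, $p.ProcessId, $p.ParentProcessId, $parentName, $path, $hash
    if ($p.CommandLine) { "      cmd: $($p.CommandLine)" }
}
```

Run it from an elevated PowerShell so ExecutablePath is readable for every process. A path under C:\Windows does not by itself clear a process, since malware can inject into the real explorer.exe; the hash is there so the file can be compared against the copy on a known-clean Windows 7 machine. A second explorer.exe is also legitimate when the folder option "Launch folder windows in a separate process" is enabled, and ctfmon.exe is normal when Office or an input method editor is installed, so a flagged line is a lead, not a verdict.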

2014-11-17 07:42:36

Try the free edition of AVG Antivirus if you don't want to pay for an antivirus product. Or, you could try Norton Power Eraser, which is a standalone scanner that can be used in conjunction with other antivirus products.

2014-11-17 10:35:02

Ugh, Norton and AVG. You could also try the demo of NOD32 from eset.com. Yet another option might be to run such an antivirus scan on your hard drive from another computer using a USB to SATA or IDE adapter as appropriate; that way any virus wouldn't be able to load itself up to mess with scans.

A reformat is always possible, but remember backing up your files may also back up the virus if it was slipped in with a piece of software you installed. That said, if it was delivered via a web page you can probably back up your files safely so long as it hasn't infected them.

cx2
-----
To live by honour and to honour life, these are our greatest strengths and our best hopes.

2014-11-17 13:31:06

I'd personally go with the nuclear approach of reformatting your hard drive, backing up anything important. Your system is already compromised, and reformatting lets you start off fresh.

2014-11-17 15:20:26

Soooooooooo, perhaps no one shall believe me, but here we go anyway.

What was the problem?  I don't know.  did I fix it?  I don't know.  do I think I fixed it?  Yes, and I base that on the following information:

As of half an hour ago I logged onto my PC without internet connectivity and killed a few registry entries that were left over from a little project I began before restarting.  We'll call this "Operation Reversal," and you shall see why if you follow along closely.  These included dead registry links to programs that were uninstalled sometime within the last couple of months as well as other possible nonsense.  All the while I monitored Task Manager and checked it for possible reappearances of multiple explorer instances.  Nothing.  I proceeded to the next phase of Project Reversal and deleted all temporary files, then plugged in.  Upon internet connectivity I connected to a MUD with VIP, monitoring Task Manager at roughly five minute intervals.  No multiple explorer.exe or ctfmon.exe instances.  I launched the largest folders I could think of with Windows Explorer to test out performance, remembering that this was where I began noticing the issues in the past... Nothing.  Now it's been half an hour.  No dice... So where has the problem gone, you're probably asking?

The answer:  I don't know, and I don't care, so long as it doesn't happen again.  Some stupid load of code that was present on my PC has vanished into the unknown, hopefully never to return, hopefully banished by a simple bit of logic applied on my part by a slight amount of thinking that was put into action.  If files are the issue, then I guess I'll know once I see the problem come back, but as it stands right now, it seems that under most circumstances viruses and malware, those that persist, at any rate, usually take their place within the registry and keep haunting from within that part of the operating system.

The moral of the story seems to be, keep meticulously intact copies of your registry at all times, copies of the registry you know are functioning properly or without much in the way of flaw.  Restore from such a copy if and when necessary, after scanning for anything and everything you can think of with all of the trusted freeware and paid software you have that you can throw at your machine to at the very least eliminate those things you know probably shouldn't be there to begin with.  Reformatting?  Not if I don't have to.  :d
Phase three has begun.  I'm watching programs very closely and noting any changes made to the operating system with WinPatrol and HijackThis.  So far, so good.  I shall indeed keep you all informed, if need be.  If you don't hear from me again on this topic, assume my computer blew up, or something funnier; you insert the punchline, I guess.  Roughly 45 minutes in and still doing quite nicely.  For the record, I'm used to seeing whatever was causing the issue start in at the ten minute mark of connectivity, so I must have done something right.

When life gives you oranges, demand lemons since everyone else is obviously getting them.
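The post above argues that persistent malware lives in the registry and that the fix is a known-good registry backup. The script below is an added example, not code from the poster: it walks the autorun locations a process like a rogue explorer.exe is typically relaunched from (the Run and RunOnce keys for the machine and the current user, and the Winlogon Shell and Userinit values, which normally hold just explorer.exe and userinit.exe), exports each key to a timestamped .reg file with reg.exe before anything is touched, and flags any entry whose executable is not under the Windows or Program Files directories. The key list, the trusted roots and the backup folder name are assumptions for illustration.

```powershell
# Added example (not from the thread): back up and audit the registry autorun keys
# that malware commonly uses to come back after being killed.  Key list, trusted
# roots and backup folder are assumptions chosen for this illustration.
$autoruns = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 64-bit only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$trustedRoots = @($env:WINDIR, $env:ProgramFiles)
if ($env:ProgramW6432) { $trustedRoots += $env:ProgramW6432 }
$backupDir = Join-Path $env:USERPROFILE ('regbackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

function Test-TrustedCommand {
    # Pull the executable out of a value such as "C:\dir\app.exe" /arg or explorer.exe
    # and report whether it sits under one of the trusted roots.
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        $exe = if ($end -gt 0) { $c.Substring(1, $end - 1) } else { $c.Trim('"') }
    } elseif ($c -match '^(\S+?\.exe)') { $exe = $matches[1] }
    else { $exe = ($c -split '\s+')[0] }
    $exe = [System.Environment]::ExpandEnvironmentVariables($exe)
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        # The stock Winlogon Shell value is the bare name "explorer.exe"; accept a bare
        # name only if the file is found in the Windows directory or System32.
        $exe = @("$env:WINDIR\$exe", "$env:WINDIR\System32\$exe") | Where-Object { Test-Path $_ } | Select-Object -First 1
        if (-not $exe) { return $false }
    }
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root + '\', [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

foreach ($key in $autoruns) {
    if (-not (Test-Path $key)) { continue }
    # reg.exe wants HKLM\... rather than the HKLM:\ PSDrive form.
    $regPath = $key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    $file    = Join-Path $backupDir (($regPath -replace '[\\: ]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null          # back up before judging anything
    $props = Get-ItemProperty -Path $key
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | Select-Object -ExpandProperty Name
    if ($key -like '*Winlogon') { $names = $names | Where-Object { $_ -eq 'Shell' -or $_ -eq 'Userinit' } }
    foreach ($n in $names) {
        # Shell and Userinit are comma-separated lists; a common trick is to append a
        # second program after the real explorer.exe, so test each part on its own.
        foreach ($part in ([string]$props.$n -split ',' | Where-Object { $_.Trim() })) {
            $flag = if (Test-TrustedCommand $part) { 'ok   ' } else { 'CHECK' }
            "{0} {1}\{2} = {3}" -f $flag, $regPath, $n, $part.Trim()
        }
    }
}
"Backups written to $backupDir (restore a key with: reg import <file>)"
```

Run it elevated so the HKLM keys export. The .reg files are the "known-good copy" the post recommends, but only if they are taken while the machine is clean, so keep the oldest set from before the trouble started rather than overwriting it. Services, scheduled tasks and shell extensions are further autostart points this script does not cover; tools such as Sysinternals Autoruns enumerate those too.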

2014-11-17 19:51:34

Reformatting without sight is a royal pain in the arse, especially if you've no access to sighted assistance. That said, if you do ever need to reformat there are ways to back up your Windows activation files so at least you won't need to reactivate; just run a Google search for something like "backup Windows 7 activation files". This of course assumes little change in system hardware, since the hardware locking still functions.

cx2
-----
To live by honour and to honour life, these are our greatest strengths and our best hopes.

2014-11-17 20:57:54 (edited by Ghost 2014-11-17 20:58:35)

Hi Nocturnus,
It is strange that Malwarebytes found nothing. Did you update to the latest database before scanning?
If the problem persists, and if you aren't on Windows 8 or 8.1, you might want to try ComboFix.
ComboFix is a truly amazing program. I have no idea how it works, but it does; it can effectively kill off at least 70% of all malware on a PC.
I use it to put a dent into malware before I run other utilities like Malwarebytes.
I still recommend you run it to make sure you have no hidden rootkits, though make sure to back up all important data in case of failure.
The guide and download link for ComboFix is below:
http://www.bleepingcomputer.com/combofi … e-combofix
Hope that helps.

A learning experience is one of those things that say, "You know that thing you just did? Don't do that."

2014-11-17 22:51:14

So far, so good.  Roughly six hours later, no issues.  Lag free, no separate instances of explorer.exe or ctfmon.exe.  I have noticed something called MSSpellCheckingFacility.exe which intrigues me, but which thus far doesn't seem to be doing anything horrid that I can point to.  I'll probably run ComboFix in a minute to see what else I might find.  Either way, for the time being, I can somewhat relax.

When life gives you oranges, demand lemons since everyone else is obviously getting them.

2014-11-18 17:08:32

Hi Nocturnus,
The MSSpellCheckingFacility.exe process is probably malware. Microsoft doesn't usually run their spellcheckers in separate processes.
Even if this process doesn't seem to be causing any issues, I recommend you check it due to the possibility of the file being malware and performing illegal activities on your computer.

A learning experience is one of those things that say, "You know that thing you just did? Don't do that."

2014-11-18 17:24:06 (edited by Nocturnus 2014-11-18 17:24:53)

Day 2, and counting.

Ran ClamWin once again last night and wiped out some more stuff, and the MSSpellCheckingFacility.exe process seems to have gone along with everything else.  I'm noticing too something I didn't notice in the past, which according to my research is actually a good thing, that being that now when I launch Internet Explorer I get two processes of iexplore.exe.  The reason people give is that when IE crashes the other instance can actually recover itself from where you left off.  I always wondered why this was not possible in the past; indeed, when such crashes would occur I would end up back on my homepage and would be given the option to recover my browsing session but was never able to.  It seems I've found the answer.  As usual, thoughts are still appreciated from the forum either way and will be taken into consideration.  For the time being though, I'll just reiterate that in my above post, which is that if you can keep copies of your registry that function more or less properly it is best to do so.  This seems to have saved me a ton of headaches I could still be dealing with had I not decided to take the action of restoring from a backup.  I suggest this over System Restore points if only because, from everything I've gathered, restore points don't actually wipe out any registry entries and tend to clutter things up a bit more than necessary, which could lead to further trouble down the road.  Still, just shooting off the top of my research and notes here, so there are probably people who know this stuff better than I do.

When life gives you oranges, demand lemons since everyone else is obviously getting them.

2014-11-19 00:37:44

I agree with you, Nocturnus.
I have ERUNT on a couple of systems.
Viruses can infect restore points.
I found out from experience that restore points will also clean out every folder which is not a document folder unless it was in the other restore point, so Dropbox, BT Sync, etc.
All programs deleted.
That can really piss off some people that then decide to get in my face and flame me to death.
While that did get my attention and I did actually learn something and realised it was my issue, and I do actually back more things up, I still don't care for that type of attention.
I have only used System Restore a couple of times, once when working with sound cards and another because of some spyware.
However, I have had to clear the registry a few days ago because one of the games I was testing for realitygaming does not work right.
Aah, so that's why there are 2 processes for IE.
My only issue is that IE sometimes crashes regardless, and then a process is left there waiting either to be ended or will eventually end.
I have Firefox too, but every time IE gets updated it gets into this crazy mode.
It may be fixed next update, but who knows.

2014-11-19 04:57:48

Well said, crashmaster.

Usually one of the things I'll do when I'm working with someone else's PC is create a registry backup for them to restore from in the future, given that it's possible for anyone, and I mean anyone, to overlook a particular site or file or anything else computer related as a possible threat.  Sometimes malware slips in, as pointed out by above posts, through trusted corporations and into bits of software we have come to rely upon.  Websites we visit get infected, and apparently phishing emails and masquerading applications are still rather useful to hackers; more often than not those who are computer illiterate don't learn from their mistakes.  Tell them to be aware of everything they download and every application they run, that their children, grandsons or granddaughters shouldn't visit certain websites or install just any toolbar, or that they themselves shouldn't use just any gambling applications or download screensavers and wallpaper that sound cool... And you're back at square one every single time.
The battle against malware, much like the so-called battle on terrorism, is one that cannot be won by sheer willpower or action.  It is a battle of creative minds at work, patiently crafting ways to take control of other people's systems, sometimes for revenge, sometimes for financial gain, and many times just for power.  The feeling of self-importance and assurance that comes to an individual when he or she believes that one can play God with a simple bit of code is a dangerous mindset and is not what hacking is supposed to be about, but there it is nonetheless.  I'd tell them to go home, but they'd just come back for more, so we fight on, knowing that they will work around every solution we provide and create yet another problem for us to provide another solution to.  I once heard it said that justice without strength is powerless, that strength without justice is tyrannical.  The call to keep justice strong lies upon the shoulders of those who willingly carry the burden, day in, day out, sometimes underappreciated for all of the work they do to keep the internet as functional and safe as they can for one and all, not always because they expect some reward from their work, but for their love of the system, and because doing what's right is simply the right thing to do.

When life gives you oranges, demand lemons since everyone else is obviously getting them.