Server busy – Switch to… This action cannot be completed… - Virus?

Recently an issue has appeared on my laptop, an HP Pvilion G6 running Windows 7 64 bit with SP1 and all latest updates with an Intel Core i5 2.3 processor and 4.Gb RAM.

 

Shortly after booting and arriving at the desktop and before opening any programs a dial up connection window opens with no input from myself, prompting me to choose which service I want to connect to followed soon after by anther window with the title ‘Server Busy’ and the following text. ‘This action cannot be completed because the other program is busy Choose ‘Switch to’ to activate the busy program and correct the problem.’ Beneath this are three buttons, from left to right they’re labelled Switch To… , Retry and Cancel. Cancel is greyed out. Pressing Switch To… opens the start menu, presumably to allow me to select the busy program but there’s no indication of which is the problematic program so I just close the start menu. When the start menu opens the Server Busy window closes briefly but reappears after a second and the loop continues. Pressing the retry button makes the window disappear briefly only to immediately reappear. It seems impossible to get rid of this window.

 

I uninstalled Nokia Ovi Suite which I sometimes use to use my phone as a modem. I thought it was something to do with this because that was the service listed in the Dial Up Connection window. The problem persisted so I performed scans using Avira, Malwarebytes, and Spybot, all up to date. Avira found 1, Malwarebytes 21 and Spybot 19 threats. I removed all the threats except one Spybot found. Access was denied when attempting to fix this one. Further scans with all three program come up clean except for the one Spybot is being denied access to.

 

I did an HJT scan and will post the log from that below.

 

I’d like to know how to tell if this is legitimate message or a symptom of a virus and if it’s a virus how should I go about dealing with it.

The machine usually runs well. I’ve had a couple of issues on which I’ve found help on here. Glad to see you’re still around.

 

HJT log to follow.

 

Thanks for reading.

 

 

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--

• Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select "Run as Administrator to start"
• For Windows XP, double-click to start.
• Wait until Prescan has finished ...
• Then Click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• click on "delete"
• Wait until the Status box shows "Deleting Finished"
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
• Exit/Close RogueKiller+
• ===
  
  Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.
  
  Please download AdwCleaner by Xplode onto your Desktop.
  
• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click the Scan button and wait for the process to complete.
• Click the Report button and the report will open in Notepad.
• 
  IMPORTANT
  
  
• If you click the Clean button all items listed in the report will be removed.
• 
  If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  
  
• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click the Scan button and wait for the process to complete.
• Check off the element(s) you wish to keep.
• Click on the Clean button follow the prompts.
• A log file will automatically open after the scan has finished.
• Please post the content of that log file with your next answer.
• You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
• 
  Please download
  Junkware Removal Tool to your Desktop.
  
• Please close your security software to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete, depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
• Please post the contents of JRT.txt into your reply.
• ===
  
  Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Turorial
  Link 1
  Link 2
  
  IMPORTANT !!! Save ComboFix.exe to your Desktop
  
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Do not install any other programs until this if fixed.
  
  How to : Disable Anti-virus and Firewall...
  http://www.bleepingcomputer.com/forums/topic114351.html
  
  Double click on ComboFix.exe and follow the prompts.
  
• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt
• Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall
  
  Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
  
  Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
  ===
  
  HijackThis doesn't handle Windows 7 well. In your case I need to see a final DDS Log.
  You should remove HijackThis using the Add/Remove Programs list. Use the DDS tool from now on.
  
  Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.
  
  Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  
  1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
  2: DDS.pif
  3: DDS.COM
  
  Double click on the DDS icon, allow it to run.
  A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  Notepad will open with the results.
  Follow the instructions that pop up for posting the results.[/list]Please note: You may have to disable any script protection running if the scan fails to run.
  
  
  
  Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
  ===
  
  Please paste the logs in your next reply DO NOT ATTACH THEM.
  Let me know what problem persists.

Hi Nasdaq and thanks for your reply. I'm going to be busy for the next couple of days but I'll go through the steps you've given me as soon a I get time and post back with the logs you asked for and let you know how the machine's running.

 

Cheers :-)

Hi Nasdaq,

 

I’ve started to work through the steps you provided.

 

RogueKiller competed its scan  and I deleted everything it suggested. I’ve copied the log from that scan here.

 

I scanned with ADW and it came up with quite a few things in the registry which I’m not sure about. I had a read through the list and there’s nothing there I recognise that I might want to keep but I’m not really sure what I'm looking at and don’t want to delete anything important. I've copied the log here. Could you have a look through the list please

and tell me if there’s anything that should definitely not be deleted? Anything else that remains I'm happy to take a chance on.

 

The good news is that the Server Busy and Dial Up Connection windows seem to have gone away. I guess RK fixed them. Once I know what to delete from ADW I’ll follow up the rest of your instructions and complete cleaning. That way everything’s getting done in the right order.

 

Many thanks

 

You need to post the logs for my review.

Yes, of course. I thought I'd edited the post earlier. Maybe I got distracted. Sorry.

 

Here are the logs.

 

 

Delete all items from the ADWCleaner log.

Restart the Computer normally.

Third party programs if not up to date can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===

Let me know of the remaining issues with this computer.

Ok, thanks. I'll post that up soon. Do I still need to continue with the original steps following on from deleting the ADW detections?

Ok, I've deleted the ADW detections and scanned with Security check. Further logs as requested below.

 

On restarting after deleting ADW the Server Busy window and Dial up connection windows popped back up. I closed them and they seem to be staying closed rather than immediately reopening so that's already some improvement :-)

Otherwise the machine seems to be running well.

 

Should I carry on with the further steps from your first post?

 

Thanks

 

 

 

 

-------------

 

Click the button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

at the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.mydigitallife.info/2007/02/17/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/

Restart the computer normally.
===

You can now continue with the Download and running of the ComboFix tool.

Post also a fresh DDS log for my review.

Ok, after flushing DNS and renewing in Command Prompt I restarted the machine. I wasn't asked to select any elevated privileges so i assume the flush and renew completed properly but upon restarting the Server Busy window appeared again, same as before and is once again proving impossible to close. Should I go ahead with Combofix anyway? 

DDS.txt below...

 

 

This might be relevant... I've just been away from the machine for a few minutes. When I left it the sever busy window was on the screen but when I returned it had gone.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with changes we are try to do. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
In Windows Vista Right click on the ResetTeaTimer.bat and select Run As Administrator.
Please don't forget this step to disable teatimer.
=*=

Repeat the ipconfig command on post No 10.

Restart the computer when completed.
===

Did you set this proxy?

FF - prefs.js: network.proxy.http - 190.92.87.85
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0

===

What are the remaining issues?

Yes, I set the proxy. 

 

I tried to download teatimerreset.bat but the page your link takes me to, http://downloads.subratam.org/ResetTeaTimer.bat says the domain name may be for sale etc and show me a lot of related (sponsored?) links.

 

I had a quick google for Teatimerreset.bat but didn't come up with much, apart from someone else who found the same page I did. Is there an alternative download site?

 

I have tuned off Teatimer.