#1

    Odd behaviour, can't find a virus though


    Hello everyone,

    Let me describe the behaviour, what I've done, what has worked, what hasn't and why I think there is still something there.

    SYMPTOMS

    Normal Boot:
    The behaviour is extremely odd. When booting normally, the system ALWAYS tries a chkdsk. I skip it when I catch it. Upon entering, regardless of whether chkdsk ran or was skipped, the system will reboot after a few seconds to a few minutes with a BSOD/Stop error 0x8e 0x5 - hardware issue - and some other hex values that I haven't deemed ultra important, but I can get them if you want. This happens whether or not you log in.

    Safe Mode:
    When I boot into safe mode, the first time I try it takes about 20 minutes after the last driver has been listed on screen. After this the system reboots from the driver display screen. If I go into safe mode a second time, I can get it and it doesn't take 20 minutes. Safe Mode is stable as a computer should be. I left it sit over night and it didn't reboot.

    Common Symptoms:
    Windows is hidden. There is a winnt_ folder but I suspect this is remnants of a virus. If you manually enter the Windows directory, System32 is hidden. It doesn't seem like I can get any administrator access, even after logging in with Administrator after issuing the command net user administrator /active:yes. There doesn't seem to be any performance degradation.

    WHAT I'VE DONE

    I tried virus scans, I've tried uninstalling EVERY driver while in safe mode. I tried a root kit scan using GMER and I tried using various hard disk checks (SpinRite) and RAM swaps.

    WHAT WORKED
    Using Falcon4's utilities disc, I use Microsoft's Standalone Virus scanner, which is run from a build of recovery console on the Falcon4 disc with MS DaRT. This scan revealed hundreds of trojans, keyloggers, etc. They were all cleaned, although a couple were quarantined. I'm going to do another scan to see what it picks up; it just sucks cause the damn thing takes 4 hours to run.

    WHAT DIDN'T WORK
    Panda Safe CD virus scan. Found nothing.

    Trend Micro's House Call virus scan and HijackThis scan. Found nothing.

    SpinRite - no defects detected.

    RAM Swap - no difference. Memory works in another system no problem.

    GMER scan. It detected a root kit, said it had to reboot, and then it doesn't pick anything up anymore, but nothing has changed in the slightest.

    Registry scans don't show anything.

    With the command attrib -s -h c: /d /s, basically everything comes up as access denied, even when I run the command prompt as administrator logged in as administrator.

    Uninstalling all drivers. I mean everything in the device manager that allowed me to uninstall it was uninstalled. When I rebooted, nothing changed except regular user mode is using a basic video driver now.

    exeHelper.com didn't seem to detect anything wrong with exe associations.

    ComboFix - detected a root kit and required a reboot but didn't find anything on subsequent scans. This led me to running GMER, which found a root kit after ComboFix did. Neither gives me enough time to read all the information. The system just reboots after about 2 seconds of detection, which I find suspicious.

    WHY I BELIEVE IT'S MORE THAN A HARDWARE ISSUE
    I can use the system for hours, running all the tests I want in Safe Mode, but I can't get more than a minute of usage out of regular boot mode. I have resorted to having the boot configuration boot into minimal Safe Mode except when I do something and want to test regular mode again. If I get into Safe Mode and reboot, I have no problems getting back in. It's when I go into regular boot mode that I have to wait 20 minutes after all the drivers list and have the system automatically reboot to get into safe mode by pressing F8 for two sequential boots.

    [EDIT]
    I should probably mention it's Windows Vista Home Premium installed on an HP G60 laptop.

    [EDIT2]
    I read the "Read this first" thread after posting...

    I will run and post the requested logs.

    [EDIT3]
    I tried to run the Standalone System Sweeper but it would not update. I think it's time to plug the HDD into another system, back up files and reinstall the operating system.
    Last edited by WrinkledCheese; January 27th, 2012 at 11:00 AM.
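The symptoms listed above (hidden Windows and System32 directories, chkdsk on every boot, an Administrator account that cannot be used, no DHCP, missing Administrative Tools, 0x8e stop errors) can each be recorded with read-only checks before the disk is wiped. The following triage script is an added example, not something posted in the thread; it assumes PowerShell 2.0 or later on Windows, run from an elevated prompt, and the service names and output file are the author's choices.

```powershell
# Added triage example (not from the thread). Read-only checks for the
# indicators the poster describes; writes the results to triage.txt.
$report = @()

# 1. Hidden/System attributes on %SystemRoot% and System32.
#    A Hidden flag on these directories is not a default Windows setting.
foreach ($p in @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))) {
    $attr = (Get-Item -LiteralPath $p -Force).Attributes
    $report += '{0} attributes: {1}' -f $p, $attr
    if ($attr -band [IO.FileAttributes]::Hidden) {
        $report += '  WARNING: {0} is marked Hidden' -f $p
    }
}

# 2. Volume dirty bit; if it stays set, chkdsk is requested on every boot.
$report += 'fsutil dirty query: ' + ((fsutil dirty query $env:SystemDrive) -join ' ')

# 3. Is the built-in Administrator account enabled?
$report += (net user administrator | Select-String 'Account active') -join ''

# 4. DHCP state of every IP-enabled adapter (poster had to set static IPs).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object {
        $report += '{0}: DHCPEnabled={1} IP={2}' -f $_.Description, $_.DHCPEnabled, ($_.IPAddress -join ',')
    }

# 5. Services behind the tools the poster could not open (Event Viewer, DHCP).
#    Service names assumed here: eventlog, Dhcp.
foreach ($s in 'eventlog', 'Dhcp') {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($svc) { $report += '{0}: {1}' -f $s, $svc.Status }
    else      { $report += '{0}: service not found' -f $s }
}

# 6. Minidumps hold the bug-check code (e.g. 0x8e) for later analysis.
$dumps = Get-ChildItem (Join-Path $env:SystemRoot 'Minidump') -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name }
$report += 'Minidumps: ' + ($dumps -join ', ')

$report | Tee-Object -FilePath (Join-Path $env:USERPROFILE 'triage.txt')
```

Copy triage.txt (and the Minidump folder) off the machine before reinstalling, so the evidence survives the wipe.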
  #2
    Originally Posted by WrinkledCheese
    I think it's time to plug the HDD into another system, backup files and re install the operating system.
    Yes. You either have a serious hardware failure or a serious virus infection. In either case, it sounds like your system is so damaged at this point that it is beyond repair. If it is a serious hardware issue then it will certainly happen again at some point.

    It is possible that the problems only occur when booting into regular mode because the drivers for the failing piece of hardware are not activated when booting in safe mode.
  #3
    I agree with E-Oreo. Did you ever run chkdsk /f ? If yes and it found problems more than once I'd be inclined to replace the hard drive.
    Doug G
  #4
    Thanks for the insights.

    Originally Posted by E-Oreo
    You either have a serious hardware failure or a serious virus infection
    There were 100s of viruses found with Microsoft's Standalone System Scanner, part of the MS Diagnostic and Recovery Toolkit available for Recovery Console. As well, ComboFix AND GMER detected a RootKit on their first runs and required a reboot but failed to detect anything on subsequent scans.

    Originally Posted by E-Oreo
    In either case, it sounds like your system is so damaged at this point that it is beyond repair.
    I know... It COULD be fixed but I think it's faster to just wipe and reinstall. Hopefully the virus has been removed from the non-filesystem locations such as MBR.

    Originally Posted by E-Oreo
    if it is a serious hardware issue then it will certainly happen again at some point.
    We shall see.

    Originally Posted by E-Oreo
    It is possible that the problems only occur when booting into regular mode because the drivers for the failing piece of hardware are not activated when booting in safe mode.
    I have a sneaking suspicion that this is not the case, as the failure can happen anytime in the boot process - during regular boot - from the Windows loading splash to post-login and launching IE. Please note that DHCP does not work; I have to statically set an IP address in order to get network functionality. This is true for both Safe Mode with Networking and regular boot... if I manage to get it running long enough to change it.

    All of the items in Administrative Tools are also missing. Some programs are also disabled from running, i.e. Event Viewer and Services. Event Viewer gives an invalid IP error when run manually from the command line.

    I think it's safe to say it's time to give up cleaning this system and to just format and reinstall.

    Oh well, I'll beat the next one.

    Thanks very much for the input! Greatly appreciated.
    Last edited by WrinkledCheese; January 30th, 2012 at 07:19 AM.
  #5
    When a computer looks like that, it's time to re-install Windows. If you found hundreds of trojans and other malware, you never know, there could be more you didn't find, and it's best to re-install to be sure.
