Lock-up on Acer Aspire One Netbook



#1 Mr Binante


Posted 24 July 2009 - 05:32 PM

I am having some trouble with what I think is a persistent virus on my Acer Aspire One Netbook. I am experiencing frequent lock-ups about every 5-20 minutes, forcing me to shut down with the "hard shutdown" method (holding the power button for 5 seconds). I have defragmented the drive using "Smart Defrag", run Registry Mechanic v. 8.0.0.900, Malwarebytes AntiMalware v. 1.39, and COMODO System Cleaner 1.1.64946.38. COMODO System Cleaner keeps detecting three files which seem to be suspect to me. It isn't able to delete them.
C:\WINDOWS\Temp\$$$dq3e
C:\WINDOWS\Temp\$$yt7.$$
C:\WINDOWS\Temp\$67we.$

I bought the computer new in May. It is an Acer Aspire One ZG5 with a 160GB HD and 1024 MB memory. I have heard of hardware problems caused by the speakers being played too loud on this model, and though I don't remember ever playing them too loud, it seems like that could possibly have something to do with it, so I'd like to rule that out if anyone knows a good way to do that.

Other things I have tried are to take out the battery and depress the power button for 30 seconds and to reset the system BIOS to default.

Help would be greatly appreciated,

-Mr Binante

Edit: When the computer locks up I am still able to move the cursor around, but it has an hourglass next to it (background work?) and I am unable to click anything.

Edit: I run COMODO Antivirus and COMODO Firewall, as well as COMODO Defense+. I have updated the virus database but the scanner was still unable to find any viruses.

Edit: When CHKDSK is run it gives the following information:
"Microsoft Windows XP [Version 5.1.2600]
Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>chkdsk
The type of the file system is NTFS.
Volume label is ACER.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

150151522 KB total disk space.
99192228 KB in 81492 files.
28760 KB in 6167 indexes.
0 KB in bad sectors.
164886 KB in use by the system.
65536 KB occupied by the log file.
50765648 KB available on disk.

4096 bytes in each allocation unit.
37537880 total allocation units on disk.
12691412 allocation units available on disk."

When I run it in /F (fix) mode it doesn't fix the error, and the next time I run CHKDSK it gives the same message.

Edited by Mr Binante, 24 July 2009 - 09:03 PM.



#2 hamluis


Posted 24 July 2009 - 06:59 PM


What message is that? Maybe I missed it, but I see no mention of any error message.

Running chkdsk in read-only mode...is a waste of time. Even though instructed to use the /f parameter, it's better to use /r parameter (/f is included in the functions performed under /r), since /r instructs the system to compensate for data files which may be in bad sectors of the hard drive.

In any case...try Start/Run...type chkdsk /r (with space between k and /) and hit Enter. Type Y in response to onscreen query/notice and hit Enter. Reboot the system and let the command execute to completion...system will boot into XP when done.

You might also take a look in Event Viewer for errors, not information items, which might provide some clues as to what might require attention.

How To Use Event Viewer - http://www.bleepingcomputer.com/forums/t/40108/how-to-use-event-viewer/

Your first line speaks of having a virus...then the rest of your post bespeaks of items which no one could logically conceive of as being appropriate treatment of an infected system.

I have to ask...which is it, in your mind? A Windows/system problem...or a virus?

If freezing of the system is what you consider to be "the problem"....there are many situations that might cause such, with overheating of system the most obvious candidate. Other candidates include malware, corrupt system files, hardware difficulties.

Which is why it's important to check Event Viewer for possibly pertinent error messages.

Louis

#3 Mr Binante


Posted 24 July 2009 - 09:02 PM

<<What message is that? Maybe I missed it, but I see no mention of any error message.>>

CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

^^^ That reads even after booting to windows recovery console and running CHKDSK /R
I was running in read only after repairing to see if errors still showed up, since it doesn't require a restart.


<<Your first line speaks of having a virus...then the rest of your post bespeaks of items which no one could logically conceive of as being appropriate treatment of an infected system.>>

Some of the steps I took I was directed to take by Acer Customer Service (BIOS reset to default and 30s power drain). Registry Mechanic I ran thinking it could be a missing/invalid registry entry. MalwareBytes AntiMalware, COMODO System Cleaner, and the scans with COMODO Antivirus were meant to reveal any malware I might have, though COMODO System Cleaner was the only program to find anything potentially meaningful.

Following are the most recent of the errors I found in the Event Viewer.
"The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{79FDA380-AF19-42EF-96B1-E04DF5EDC22B}. The backup browser is stopping." Source: Browser

"Generate Activation Context failed for C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll. Reference error message: The operation completed successfully." Source: SideBySide

"Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: Manifest Parse Error : Invalid at the top level of the document." Source: SideBySide

"Syntax error in manifest or policy file "C:\WINDOWS\WinSxS\Policies\x86_Policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.30729.1.policy" on line 0." Source: SideBySide

"The following boot-start or system-start driver(s) failed to load:
cmdGuard
Fips
intelppm" Source: Service Control Manager


Like I said I'm not sure if it's a virus/software or a hardware problem. I'm thinking it's probably not overheating as it seems to run much better in safe mode, though it does freeze occasionally, and a couple of nights ago I was able to play an online game (with a Windows client) for a few hours without freezing. That only confused me more, which is why I'm here. Thanks for all your help so far and if you have any more ideas please let me know,

Mr Binante

Edited by Mr Binante, 24 July 2009 - 09:38 PM.


#4 hamluis


Posted 25 July 2009 - 05:18 AM

Thanks :thumbsup:.

The notification re chkdsk...is not an error message, it's just a recap of operations. The only error messages I've ever seen when running chkdsk /r are those which indicate that the hard drive or the file system has problems...and the messages go on to indicate an inability to complete the chkdsk /r functions.

Registry Mechanic...is a tool which has dubious value. The value is dubious primarily because users have no control or understanding of what changes are being made...or if such should be made. I've used Registry Mechanic before (I used to experiment with a large number of programs) and I was not convinced that it could do anything I wanted done (I have no problem using the innate regedit function of Windows to make specific changes I deem desirable).

You might want to take a look at some opinions (by personnel much more knowledgeable than I happen to be) on registry cleaners and their respective value:

Should I Use A Registry Cleaner - http://aumha.net/viewtopic.php?t=28099

XP Fixes Myth #1 Registry Cleaners - http://www.windowsbbs.com/windows-xp/61015...y-cleaners.html

General references on the registry:

Beginners Guides The Registry Backups, Repairs, and Protection - PCSTATS.com - http://www.pcstats.com/articleview.cfm?art...=263&page=4

Demystifying the Windows Registry - http://www.bleepingcomputer.com/tutorials/...l74.html#backup

In short...users who want to edit the registry can do so safely...by first understanding what it is...what harm they can do by being reckless...and taking all safety precautions (backing up the registry) before engaging in specific, necessary edits to solve a situation.

The registry is not like your residence, it does not require automated "cleaning" by some 3rd-party program.

Error messages in Event Viewer:

Browser service error messages...usually I disregard these unless I am experiencing a problem connecting. The ones I receive are usually of an admin nature. Mine normally occur because I have two systems and the first one connecting is usually set up as the master browser. If I change that order or eliminate one of the systems on my network, the message you received is likely to appear. Easily resolved by me...I start the same system first :flowers:.


Generally, these types of errors seem to occur with Microsoft applications (Office, MSN, etc.). From what I see, I would have to guess that something needed updating or reinstallation, either within the named program (possible file corruption/damage) or XP itself. A fair amount of words on the Web about this type of event, but nothing I would consider specific enough to note as a cure or pertinent to every situation.

Resolve Partial Assembly failed for Microsoft.VC90.CRT...I have no idea what this means, but I would interpret it as a coding error. I am not a coder, so I have no clue.

Info on WinSxS folder, http://www.technologyquestions.com/technol...sxs-folder.html

CmdGuard.sys info, http://www.pc1news.com/files/100450-cmdguard-sys.html
Fips.sys info, http://www.file.net/process/fips.sys.html
Intelppm info, http://www.file.net/process/intelppm.sys.html

I can't tell you much about drivers not loading at boot...other than I would be concerned.

You seem to have a number of what I would consider atypical errors noted in Event Viewer. I'm not smart enough to say what might be the causes of this, but I would suggest that you run sfc /scannow or do a repair install of XP...and promptly install all critical updates after that.

Before I did anything, I would run a manufacturer's diagnostic on that hard drive...I like to eliminate the obvious from troublesome equations, might as well start with the hard drive.

Hard Drive Installation and Diagnostic Tools - http://www.bleepingcomputer.com/forums/t/28744/hard-drive-installation-and-diagnostic-tools/

Louis

Edited by hamluis, 25 July 2009 - 05:19 AM.


#5 Mr Binante


Posted 25 July 2009 - 02:06 PM

Hey Louis,

I checked out that Hard-drive installation/diagnostics test page, but it seems Toshiba doesn't provide such a tool.
<<Toshiba
N/A (N/A)
Toshiba does not provide diagnostic tools for hard drives, currently.>>

Also, the Event Viewer was run in safe mode, not sure if that matters, I don't imagine it would. Just thought I'd mention that, just in case.

When I run sfc /scannow it gives the following message:

<<Microsoft Windows XP [Version 5.1.2600]
Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>sfc /scannow
Windows File Protection could not initiate a scan of protected system files.

The specific error code is 0x000006ba [The RPC server is unavailable.
].>>

As it shows, I am signed on as "Administrator" but in safe mode, will try out of safe mode but I get much more frequent lock-ups when not in safe mode.
Update: tried sfc /scannow out of safe mode and it ran until the very end when it froze and wouldn't complete.

Thanks for your advice on registry cleaners. I read those posts and found them rather informative. I have been using Registry Mechanic since '05 at least & have noticed drastic improvement on systems when it is run the first time. I could probably remove the problem entries manually but since I have never run into perceivable problems with Registry Mechanic and it seems to do some good, I always just used it. I will have to look into this further and consider getting rid of it.
Will update this post with more info as I try your other suggestions.

Thanks again for your time.

Edited by Mr Binante, 25 July 2009 - 10:10 PM.


#6 hamluis


Posted 25 July 2009 - 03:56 PM

FWIW: http://www.windowsbbs.com/windows-xp/36489...06ba-error.html

Louis

#7 fenzodahl512


Posted 25 July 2009 - 05:20 PM

Looks like MBR rootkit to me.. Do below..

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 Mr Binante


Posted 25 July 2009 - 10:08 PM

Here are the results.

<<Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.>>


Should I try "mbr.exe -f"?

#9 fenzodahl512


Posted 25 July 2009 - 11:40 PM

Ok.. copy/paste (not cut and paste) the mbr.exe that you saved on the Desktop to C:\WINDOWS folder..

Then, go to Start >> Run >> copy/paste below >> Press Enter

mbr -f

Then a logfile (mbr.log) will be created on your screen (find it at C:\Windows\mbr.log)



#10 Mr Binante


Posted 26 July 2009 - 01:00 AM

I copied mbr.exe from the desktop into my C:/WINDOWS folder and I went to start>run>mbr -f.
It showed the command prompt, but it was too fast to read, and when I checked for the log file it wasn't in C:/WINDOWS under mbr.log. When I double-click the mbr.exe file in the C:/WINDOWS folder it creates a log with the following information:
<<Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
>>

Any ideas?

Edited by Mr Binante, 26 July 2009 - 01:01 AM.


#11 fenzodahl512


Posted 26 July 2009 - 01:09 AM

Good, the log shows the rootkit has been eliminated..

user & kernel MBR OK


That's the important part.. The rest is just leftovers.. Won't harm you, don't worry about it..

Let's do this..

Please download the OTM by OldTimer
  • Save it to your Desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :commands
    [emptytemp]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

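Added example, not code from the thread, from GMER or from any of the posters: a Python parser for the mbr.exe log format shown in #8 and #10, applying the reading fenzodahl512 gives above ("user & kernel MBR OK" means the tool's two reads of sector 0 agree again, while any remaining "malicious code @ sector" lines point at leftover sectors). The verdict labels, the function names and the 512-byte sector size are this example's own assumptions. Converting the flagged sectors into byte ranges goes beyond the thread; it is there so the leftover sectors can be carved from a disk image and reviewed rather than taken on faith.

```python
"""Parse GMER mbr.exe logs and classify the MBR state they describe."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from the log posted in #8 (before "mbr -f" was run).
INFECTED_LOG = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# Constructed from the log posted in #10 (after "mbr -f").
CLEANED_LOG = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
"""

HEX = re.compile(r"0x([0-9A-Fa-f]+)")


@dataclass
class MbrReport:
    user_read_ok: bool = False          # "user: MBR read successfully"
    kernel_read_ok: bool = False        # "kernel: MBR read successfully"
    user_kernel_match: bool = False     # "user & kernel MBR OK"
    mbr_copy_sector: Optional[int] = None
    malicious_sectors: List[int] = field(default_factory=list)
    pe_sectors: List[int] = field(default_factory=list)
    infection_flagged: bool = False     # "MBR rootkit infection detected !"


def _sector(line: str) -> int:
    """Return the hex sector number quoted in a log line."""
    m = HEX.search(line)
    if m is None:
        raise ValueError(f"no sector number in line: {line!r}")
    return int(m.group(1), 16)


def parse_mbr_log(text: str) -> MbrReport:
    """Walk the log line by line and record each indicator it carries."""
    r = MbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "user: MBR read successfully":
            r.user_read_ok = True
        elif line == "kernel: MBR read successfully":
            r.kernel_read_ok = True
        elif line == "user & kernel MBR OK":
            r.user_kernel_match = True
        elif line.startswith("copy of MBR has been found in sector"):
            r.mbr_copy_sector = _sector(line)
        elif line.startswith("malicious code @ sector"):
            r.malicious_sectors.append(_sector(line))
        elif line.startswith("PE file found in sector"):
            r.pe_sectors.append(_sector(line))
        elif line.startswith("MBR rootkit infection detected"):
            r.infection_flagged = True
    return r


def classify(r: MbrReport) -> str:
    """Verdict labels are this example's own, not GMER's."""
    if not (r.user_read_ok and r.kernel_read_ok):
        return "unreadable"          # the tool could not read sector 0; rerun or image the disk
    if r.infection_flagged or not r.user_kernel_match:
        return "mbr_hooked"          # user-mode and kernel-mode views of sector 0 disagree
    if r.mbr_copy_sector is not None or r.malicious_sectors or r.pe_sectors:
        return "mbr_ok_remnants"     # MBR consistent again, payload sectors still present
    return "clean"


def remnant_byte_ranges(r: MbrReport, sector_size: int = 512) -> List[Tuple[int, int]]:
    """Byte offsets [start, end) of every flagged sector, for carving them from
    a disk image. A 512-byte sector size is assumed here."""
    flagged = ([r.mbr_copy_sector] if r.mbr_copy_sector is not None else [])
    flagged += r.malicious_sectors + r.pe_sectors
    return [(s * sector_size, (s + 1) * sector_size) for s in sorted(set(flagged))]


if __name__ == "__main__":
    for name, log in (("before mbr -f", INFECTED_LOG), ("after mbr -f", CLEANED_LOG)):
        report = parse_mbr_log(log)
        print(f"{name}: {classify(report)}  flagged sectors: {remnant_byte_ranges(report)}")
```

Run stand-alone, the block prints `mbr_hooked` for the #8 log and `mbr_ok_remnants` for the #10 log, with the three flagged sectors as byte ranges in both cases; the second verdict is the "leftovers" state fenzodahl512 describes, kept distinct from `clean` so the sectors are not silently forgotten.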


#12 Mr Binante


Posted 26 July 2009 - 01:19 AM

<<Good, the log shows the rootkit has been eliminated.. >> Great news!!!

The computer hasn't frozen up for a good while now (hope I don't jinx it!)

One thing it does is it sometimes boots with the eye candy enabled, even though I have it disabled and most of the time it's not enabled on reboot. Not sure if that has anything to do with anything, as it may have been doing that since before the freezing started.


It asked me to reboot so I did. Here are the results:
<<
All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 151856 bytes
->Temporary Internet Files folder emptied: 3826173 bytes
->Java cache emptied: 0 bytes
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5r05z52i.default\Cache\E4009E29d01 scheduled to be deleted on reboot.
->FireFox cache emptied: 35453761 bytes

User: All Users

User: Charlie Binante
->Temp folder emptied: 30257862 bytes
File delete failed. C:\Documents and Settings\Charlie Binante\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32373003 bytes
->Java cache emptied: 13430106 bytes
->FireFox cache emptied: 19315235 bytes

User: Default User
->Temp folder emptied: 262144 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 16786 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 7149461 bytes
RecycleBin emptied: 71680 bytes

Total Files Cleaned = 135.84 mb


OTM by OldTimer - Version 3.0.0.5 log created on 07252009_201327

Files moved on Reboot...
File C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5r05z52i.default\Cache\E4009E29d01 not found!

Registry entries deleted on Reboot...
>>

Edited by Mr Binante, 26 July 2009 - 01:23 AM.


#13 fenzodahl512


Posted 26 July 2009 - 01:25 AM

Ok.. One last thing.. I will need your verification to confirm these files no longer exist.. Can you do that please? :thumbsup:

C:\WINDOWS\Temp\$$$dq3e
C:\WINDOWS\Temp\$$yt7.$$
C:\WINDOWS\Temp\$67we.$

Does Comodo SystemCleaner still detect them? :flowers:

Edited by fenzodahl512, 26 July 2009 - 01:25 AM.



#14 Mr Binante


Posted 26 July 2009 - 01:29 AM

It does not! Wow to think that it's finally all over. I was moments away from backing up my data and doing a system restore. Thank you guys so much for rescuing me again! I hope this information proves useful for someone else in the future.

Thanks again for all your help, you're geniuses!

Mr Binante

PS. Is there any way to edit my top post to explain that it's fixed and what the problem was?

Edited by Mr Binante, 26 July 2009 - 01:31 AM.


#15 fenzodahl512


Posted 26 July 2009 - 01:32 AM

Awesome!!.. Now, delete OTM and mbr.exe from the computer.. Also delete the C:\_OTM folder if it exists..

And back to you hamluis :thumbsup:

----edit----

The computer has had an MBR rootkit.. However, if it still has any symptoms it could be other malware or maybe another factor.. What we just did is remove the MBR rootkit and the files associated with it..

Please continue with hamluis' suggestions, if any.. Cheers :flowers:

Edited by fenzodahl512, 26 July 2009 - 01:35 AM.





