Malware-laden Sony Vaio Won't Boot Without Memory Stick Inserted

Hi all, I'm an IT professional that (like the rest of us) has taken on a task for a friend of mine whose original issue is that his PC will not boot up normally or shut down without a memory stick inserted into the front slot of his Sony Vaio laptop. Upon booting up his PC initially, I was immediately notified that he has a malware infection that his Norton Antivirus is detecting as attempting activity every few seconds. Armed with that information, I set out to remove the infection. Now comes the difficult part to describe. I have done SO MUCH WORK on this PC over the last week that I hope I can get across accurately the work that I've done.

So, to take a step back, a little more detail on the memory stick issue. When booting up Windows normally, without the stick inserted, it will get past the POST and to the Windows splash screen with the revolving progress indicator. After the progress indicator makes a couple of passes (not sure on exact number), it will suddenly freeze right in the middle. I have waited some amount of time for it to continue on its own, but never long enough that it has done so. However, at this point, immediately when inserting the memory stick the progress indicator will start moving again and Windows will continue to boot up normally. That has happened on multiple occasions after cleanup work has been accomplished and the PC rebooted. If booting in with the memory stick inserted, the PC just boots as it should; if booting into Safe Mode without the stick inserted, it also boots as it should. When shutting down from regular mode, the memory stick needs to be inserted for the shut down process to complete. So there's a tiny bit of background on what he's looking to have resolved; however, I'm of the belief that I need to get this malware removed first before I can take any steps to work on that. Also, and the kicker of it all... That memory stick is coming up as the E:\ drive. It's showing as 4GB capacity but with 0MB used and 0MB available. I cannot do ANYTHING with the memory stick as far as saving files to it, viewing any files that may be on it, etc. I did notice that he's got a memory stick formatting program in his recently used applications list under the start menu; however, when I go into it and select that memory stick drive, I am not presented with the option to start the format of it - the button is grayed out.

With that said, I've installed McAfee VirusScan Enterprise 8.5 onto the machine as well as Registry Mechanic. Those tools, along with AdAware and the Norton AVG, have identified and seemingly resolved a lot of issues. I can actually see how much better the PC is running, but it's not clean yet. I have also, since yesterday afternoon, run a number of HijackThis scans on the PC and resolved the issues that stuck out to me as being incorrect.

The "sticking" point right now is that some bogus DLL files keep putting themselves back in C:\Windows\system32 - typically under different names each time that one of them is removed. I have been unable to find the source of the infection with full McAfee and Norton scans and it seems that this is the last aspect that I'm being held back on.

Now I write this to you from my home laptop so cannot easily include his HijackThis log, but I'll wait until I'm asked for one and can also run Deckard's System Scanner if it's requested. Please let me know what you think as well as what information I've neglected to include.

Thanks!

Are you serious about trying to remove this infection when it's this bad? Do you have an appropriate windows cd to run as a repair disk?

The one expert who would be able to lead you thru this is away right now

I have had a little personal experience with an infection that moves thru usb drives before

http://www.bleepingcomputer.com/forums/ind...Disinfector.exe

this tool will immunize another flash drive and the computer it's run on


It would seem if it was run on your infected computer it probably would make booting into normal mode impossible

I would use the tool and another usb drive to try and move some tools onto the infected computer and possibly bring back some logs

I would definitely keep that windows cd handy to run as a repair disk

No, I don't have an appropriate Windows disk, unfortunately. The only ones that I have are WinXP Professional vs Home Edition that is on the PC. And, yes, because of that I am serious about trying to resolve the issue.

On a different note, this isn't a USB flash drive that is the issue. It's a "Memory Stick" compartment that's built right into the Sony Vaio laptop. I'm going to be seeing what I can do as far as partitioning the stick because it still comes up as if there is absolutely nothing on it, which may be the case since he had that Memory Stick Formatter program in the recently used apps list. This is what the memory stick looks like - though it's not one solid unit but another memory card inserted into a converter. Anyway, I'm not sure that it matters at all anyway. In regard to USB drives, they seem to work without an issue. I've got an external hard drive that I've plugged into it and installed tools from thus far. What logs would you like me to bring back?

Edited by MrDinga, 04 May 2008 - 03:32 PM.

regarding infections that memory stick would be the same as a usb drive

Please run subs flash disinfector on your computer and immunize your external hard drive

I'll try and find a link for a good scanner and manual updates

http://www.bleepingcomputer.com/forums/ind...st&p=813479

see this post for downloading and installing MBAM

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

the is the latest definition data base that can be applied manually to the program if you can't get online

Thanks for the great assistance!

MBAM seems to have completed the final touches. I started with the quick scan which eventually came back with 127 objects. Most were removed immediately; however, upon reboot, I still had the issue. I then ran the complete scan which went for 26 hours!! However, after finishing that and rebooting, along with 1 more HijackThis run, it seems as if everything is good to go with the machine now.

It boots up without the memory stick inserted, moves along at a good pace now, and his Symantec is not popping up left and right anymore!

Again, thanks much!

keep a close eye on it, some of this stuff keeps coming back, whatever don't leave it connected to the internet any more than necessary until you can get a couple of clean scans done.

Run ATF cleaner also

Superantispyware from safe mode is a good followup to MBAM

Edited by DaChew, 06 May 2008 - 09:02 PM.

keep a close eye on it, some of this stuff keeps coming back, whatever don't leave it connected to the internet any more than necessary until you can get a couple of clean scans done.

Run ATF cleaner also

Superantispyware from safe mode is a good followup to MBAM

This is strange, I have a similar problem with a Sony VAIO VGN-T350 laptop which after rebooting, suddenly hangs at boot time with its memory stick LED light constantly on, unless I insert a memory stick module into its slot.

Once running, Windows XP pro SP2 freezes if I try remove that memory stick.

Full scan with latest Kaspersky or MBAM, found no malware or viruses.

The laptop was running fine and no updates were performed before the reboot

I don't know what to say except that with the system that I was working on I was able to remove the memory stick immediately once it got past the Windows XP splash screen and only needed to have it in again when shutting down. However, I would make sure that it is plugged in and included with the scans that you're doing so that anything on it can be removed also.

To give a comparable problem to MrDinga's post:
Just bought a new Toshiba Equium P200D yesterday, today after making some basic installs and updates there was some weird symptoms to the display (some explorer windows "flashed" continuously like a heartbeat). After rebooting, it failed to restart and the "repair" option didn't work and I was not able to restart vista. Since it was new and nothing much on it I though to get a fresh start again and I tried using the recovery disk that came with the laptop. Recovery was successful and when it tried to reboot it hung on the splash screen and the "memory stick" light was solid on. After trying various things, forced rebooting, re-recovery, startup in "safe-mode" (this would not finish loading due to the incomplete re-install of vista) etc, I found that inserting a memory stick (I had an SD card lying around) that it booted up and works fine. Shutting down produced the same problem. The SD card works fine also, I can see it, save files to it etc. I will attempt the scans as discussed above. If anyone else has this problem or has a good reason for it, please let me know.
Thanks.

did you expose that new laptop to a possibly infected flash memory device before you noticed the problem

that detail would be crucial in trying to analyze this problem