Posted 03 May 2008 - 10:25 AM
Hi all, I'm an IT professional who (like the rest of us) has taken on a task for a friend of mine whose original issue is that his PC will not boot up normally or shut down without a memory stick inserted into the front slot of his Sony Vaio laptop. Upon booting up his PC initially, I was immediately notified that he has a malware infection that his Norton Antivirus is detecting as attempting activity every few seconds. Armed with that information, I set out to remove the infection. Now comes the difficult part to describe. I have done SO MUCH WORK on this PC over the last week that I hope I can get across accurately the work that I've done.
So, to take a step back, a little more detail on the memory stick issue. When booting up Windows normally, without the stick inserted, it will get past the POST and to the Windows splash screen with the revolving progress indicator. After the progress indicator makes a couple of passes (not sure on exact number), it will suddenly freeze right in the middle. I have waited some amount of time for it to continue on its own, but never long enough that it has done so. However, at this point, immediately when inserting the memory stick the progress indicator will start moving again and Windows will continue to boot up normally. That has happened on multiple occasions after cleanup work has been accomplished and the PC rebooted.
If booting in with the memory stick inserted, the PC just boots as it should; if booting into Safe Mode without the stick inserted, it also boots as it should. When shutting down from regular mode, the memory stick needs to be inserted for the shut down process to complete. So there's a tiny bit of background on what he's looking to have resolved; however, I'm of the belief that I need to get this malware removed first before I can take any steps to work on that.
Also, and the kicker of it all... That memory stick is coming up as the E:\ drive. It's showing as 4GB capacity but with 0MB used and 0MB available. I cannot do ANYTHING with the memory stick as far as saving files to it, viewing any files that may be on it, etc. I did notice that he's got a memory stick formatting program in his recently used applications list under the start menu; however, when I go into it and select that memory stick drive, I am not presented with the option to start the format of it - the button is grayed out.
With that said, I've installed McAfee VirusScan Enterprise 8.5 onto the machine as well as Registry Mechanic. Those tools, along with AdAware and the Norton AVG, have identified and seemingly resolved a lot of issues. I can actually see how much better the PC is running, but it's not clean yet. I have also, since yesterday afternoon, run a number of HijackThis scans on the PC and resolved the issues that stuck out to me as being incorrect.
The "sticking" point right now is that some bogus DLL files keep putting themselves back in C:\Windows\system32 - typically under different names each time that one of them is removed. I have been unable to find the source of the infection with full McAfee and Norton scans and it seems that this is the last aspect that I'm being held back on.
Now I write this to you from my home laptop so I cannot easily include his HijackThis log, but I'll wait until I'm asked for one and can also run Deckard's System Scanner if it's requested. Please let me know what you think as well as what information I've neglected to include.