
Long Boot Time And Cannot Install Any Anti-virus Or Firewall Appz


12 replies to this topic

#1 FullMJ (Members, 13 posts)

Posted 20 August 2008 - 12:46 PM

Hi there,
I wasn't sure whether to post to the HijackThis forum or here.

I have a problem with a machine that is permanently disconnected from the internet and any network.

I scan all files for this machine using my internet machine, which I keep protected with up-to-date anti-virus, spyware, anti-trojan and firewall.

Recently my isolated machine began taking 15 minutes to boot. After completing hardware checks like POST and memory, the hard drive settles into what seems to be a "loop". The drive activity light seems to be flashing in a predictable pattern, indicating to me that it's attempting to read the same sector over and over again. Eventually, the Windows XP logo appears and the machine boots to Windows.

After this, the machine functions perfectly.

I thought the cause might be a faulty HDD but "HDDHealth" reported that the drive was fine.

The isolated machine is dual-boot (using the gag boot loader).

The other boot partition boots fine.

I booted to the recovery console, ran chkdsk on the problem boot partition followed by fixboot.

This seemed to sort things out for a while but after a few weeks the problem would return. I couldn't swear to this but I think the problem always seemed to return after an interval of four weeks.

It then struck me that this could be a virus or some kind of malware.

I've searched high and low on the net for information on viruses that can cause this type of problem but found nothing.

Now while I'm working in windows, the machine is randomly trying to dial into the internet.

I do have AVG 7 installed on this machine but I don't keep it particularly up-to-date because, like I said earlier, I test everything on my net machine before opening on my isolated machine.

I decided to install AVG 7.5 and the latest AVG updates as the first stage to investigating the mysterious dialing activity.

After removing the old AVG 7 I find that I cannot install either AVG or avast. Neither can I install any firewall or anti-trojan like a-squared. The message that interrupts the installation is always "corrupt data file".

I did manage to run clamwin from a usb drive. The scan is complete on my boot drive but only partial on my data partitions.

Here is the clamwin log:


Scan Started Mon Aug 11 02:59:07 2008

-------------------------------------------------------------------------------

WARNING: Can't access file A:\
Scanning aborted...

C:\Documents and Settings\Paul\Desktop\Archive Utility Pack\Zip progs\WinRAR v3\wrar300.exe: Trojan.Keygen-8 FOUND
C:\Documents and Settings\Paul\Local Settings\Temp\removalfile.bat: Trojan.Bat.Delete-1 FOUND
C:\WINDOWS\system32\fccdcBSm.dll: Adware.Virtumonde-665 FOUND
C:\WINDOWS\system32\jkkKabcD.dll: Adware.Virtumonde-665 FOUND
H:\Computer & Telecommunications\Data\Zip progs\WinRAR v3\wrar300.exe: Trojan.Keygen-8 FOUND
H:\Machine Setup_Working Folder\Appz\Win RAR 3\wrar300.exe: Trojan.Keygen-8 FOUND
H:\Machine Setup_Working Folder\OS_Setup Docs & Appz\000_APPZ\Keyz & Crackz\XP Cracks\Windows Xp Cracks and helpers\WINXPACTIVATOR.EXE: Trojan.Agent-26117 FOUND
H:\Machine Setup_Working Folder\OS_Setup Docs & Appz\000_APPZ\Keyz & Crackz\XPKeySP2\XPKeySP2.exe: Trojan.Keygen-7 FOUND
H:\Machine Setup_Working Folder\ZZZ_OS_(OLD)\Windows Appz\WinXP\000_Sky-prohosting\oem_key_full_files\Key Utils\XPKeySP2.exe: Trojan.Keygen-7 FOUND
H:\Machine Setup_Working Folder\ZZZ_OS_(OLD)\Windows Appz\WinXP\APPZ\Keyz & Crackz\XP Cracks\Windows Xp Cracks and helpers\WINXPACTIVATOR.EXE: Trojan.Agent-26117 FOUND
H:\Machine Setup_Working Folder\ZZZ_OS_(OLD)\Windows Appz\WinXP\APPZ\Keyz & Crackz\XPKeySP2\XPKeySP2.exe: Trojan.Keygen-7 FOUND
H:\My Documents\000_Backups (NOT DUPED ON OFFICE MACHINE)\Old Win ME (H Partition - Pre-Machine Build)\Identities\78753663-5089-4212-9770-1A71BFF4AF5B\Microsoft\Outlook Express\Inbox.d__: Exploit.IFrame.Gen FOUND

----------- SCAN SUMMARY -----------
Known viruses: 392310
Engine version: 0.93.1
Scanned directories: 10239
Scanned files: 90137
Infected files: 12
Data scanned: 63378.42 MB
--------------------------------------Cancelled---------------------


I noticed ClamWin detected Virtumonde-665 so I ran HijackThis, but rather than post on the HijackThis forum I thought I'd post here first as the booting problem and the blocking of security programs is more pressing than the dialing problem.

For my next step I was planning on creating a bootable usb drive with ntfs4dos and f-prot anti-virus to attempt to scan the system outside of the windows environment.

I was also thinking of running the Avira Boot Sector repair but I can't tell from the instructions if this needs to be run from inside Windows or from DOS only.

I'd really appreciate any guidance on what you think might be going on and any possible solutions as I'm still unsure if this is malware activity, a hardware problem or a combination of the two.

Thanks for staying with me this far,

Tim(UK)
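The ClamWin log above is the most concrete evidence in the post, and the useful first step is to sort its twelve hits by what they imply for cleanup rather than treating them as one list. The following is an added example (not code from the post or from ClamWin): it parses the log as pasted, cross-checks the footer against the FOUND lines, notes that the scan was cancelled, and buckets the hits with three heuristics I am assuming for illustration (an eight-letter mixed-case DLL in system32 is treated as a resident Vundo/Virtumonde-style component, anything flagged as a keygen or living under a cracks directory as a user-supplied tool, and a hit inside an Outlook Express store as dormant). The sample text is a copy of the log from the post.

```python
"""Parse the ClamWin (ClamAV) scan log posted above and bucket the hits by
what they imply for cleanup. Added example, not part of the post; the
sample text is a copy of the log as pasted in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Copy of the ClamWin log from the post (sample input for this example).
SAMPLE_LOG = r"""Scan Started Mon Aug 11 02:59:07 2008

-------------------------------------------------------------------------------

WARNING: Can't access file A:\
Scanning aborted...

C:\Documents and Settings\Paul\Desktop\Archive Utility Pack\Zip progs\WinRAR v3\wrar300.exe: Trojan.Keygen-8 FOUND
C:\Documents and Settings\Paul\Local Settings\Temp\removalfile.bat: Trojan.Bat.Delete-1 FOUND
C:\WINDOWS\system32\fccdcBSm.dll: Adware.Virtumonde-665 FOUND
C:\WINDOWS\system32\jkkKabcD.dll: Adware.Virtumonde-665 FOUND
H:\Computer & Telecommunications\Data\Zip progs\WinRAR v3\wrar300.exe: Trojan.Keygen-8 FOUND
H:\Machine Setup_Working Folder\Appz\Win RAR 3\wrar300.exe: Trojan.Keygen-8 FOUND
H:\Machine Setup_Working Folder\OS_Setup Docs & Appz\000_APPZ\Keyz & Crackz\XP Cracks\Windows Xp Cracks and helpers\WINXPACTIVATOR.EXE: Trojan.Agent-26117 FOUND
H:\Machine Setup_Working Folder\OS_Setup Docs & Appz\000_APPZ\Keyz & Crackz\XPKeySP2\XPKeySP2.exe: Trojan.Keygen-7 FOUND
H:\Machine Setup_Working Folder\ZZZ_OS_(OLD)\Windows Appz\WinXP\000_Sky-prohosting\oem_key_full_files\Key Utils\XPKeySP2.exe: Trojan.Keygen-7 FOUND
H:\Machine Setup_Working Folder\ZZZ_OS_(OLD)\Windows Appz\WinXP\APPZ\Keyz & Crackz\XP Cracks\Windows Xp Cracks and helpers\WINXPACTIVATOR.EXE: Trojan.Agent-26117 FOUND
H:\Machine Setup_Working Folder\ZZZ_OS_(OLD)\Windows Appz\WinXP\APPZ\Keyz & Crackz\XPKeySP2\XPKeySP2.exe: Trojan.Keygen-7 FOUND
H:\My Documents\000_Backups (NOT DUPED ON OFFICE MACHINE)\Old Win ME (H Partition - Pre-Machine Build)\Identities\78753663-5089-4212-9770-1A71BFF4AF5B\Microsoft\Outlook Express\Inbox.d__: Exploit.IFrame.Gen FOUND

----------- SCAN SUMMARY -----------
Known viruses: 392310
Engine version: 0.93.1
Scanned directories: 10239
Scanned files: 90137
Infected files: 12
Data scanned: 63378.42 MB
--------------------------------------Cancelled---------------------
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>[\w.-]+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<val>.+)$")


@dataclass
class Detection:
    path: str
    signature: str

    @property
    def family(self):
        # "Trojan.Keygen-8" -> "Trojan.Keygen": drop the numeric variant suffix
        return self.signature.rsplit("-", 1)[0]


def parse_clam_log(text):
    """Return (detections, summary, warnings); summary values stay strings."""
    detections, summary, warnings = [], {}, []
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("WARNING:"):
            warnings.append(line)
        elif "SCAN SUMMARY" in line:
            in_summary = True
        elif in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m["key"]] = m["val"]
        else:
            m = FOUND_RE.match(line)
            if m:
                detections.append(Detection(m["path"], m["sig"]))
    return detections, summary, warnings


def scan_completed(text):
    """ClamWin writes 'Cancelled' into the footer when a scan was stopped early."""
    return "Cancelled" not in text


# Bucketing heuristics assumed for this example; rules of thumb, not signatures.
RANDOM_SYS32_DLL = re.compile(r"\\WINDOWS\\system32\\[A-Za-z]{8}\.dll$", re.I)
PIRACY_DIR = re.compile(r"\\(crack|keygen|keyz|activator|warez)", re.I)
MAIL_STORE = re.compile(r"\\Outlook Express\\", re.I)


def triage(detections):
    buckets = {"resident": [], "pirated_tools": [], "archived": [], "other": []}
    for d in detections:
        if RANDOM_SYS32_DLL.search(d.path):
            # eight-letter mixed-case DLL in system32: the Vundo/Virtumonde
            # pattern, i.e. something still loading at boot -> clean first
            buckets["resident"].append(d)
        elif "Keygen" in d.signature or PIRACY_DIR.search(d.path):
            # user-supplied cracks/keygens: also the likeliest original vector
            buckets["pirated_tools"].append(d)
        elif MAIL_STORE.search(d.path):
            # an exploit inside an old mail store is dormant until opened
            buckets["archived"].append(d)
        else:
            buckets["other"].append(d)
    return buckets


def family_counts(detections):
    return Counter(d.family for d in detections)


def consistency_problems(detections, summary, text):
    """Cross-check the footer against the body and the scan state."""
    problems = []
    if summary.get("Infected files") != str(len(detections)):
        problems.append("footer count does not match FOUND lines")
    if not scan_completed(text):
        problems.append("scan was cancelled: unscanned volumes may hold more")
    return problems


if __name__ == "__main__":
    dets, summ, warns = parse_clam_log(SAMPLE_LOG)
    for name, items in triage(dets).items():
        print(f"{name}: {len(items)}")
        for d in items:
            print(f"  {d.signature:24} {d.path}")
    print(family_counts(dets))
    print(consistency_problems(dets, summ, SAMPLE_LOG))
```

Run as a script it prints two resident DLLs, eight keygen/crack hits, one dormant mail-store hit and one leftover batch file, plus the warning that the scan never finished the data partitions, which is the point: the footer's "12" is a lower bound, not a total.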


#2 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 22 August 2008 - 05:01 AM

http://www.bleepingcomputer.com/forums/ind...st&p=913677

Have you immunized the USB drive?

http://www.bleepingcomputer.com/forums/ind...st&p=916491

Try CureIt also; those cracks and keygens are very dangerous, and against forum rules.
Chewy

No. Try not. Do... or do not. There is no try.

#3 FullMJ, Topic Starter (Members, 13 posts)

Posted 22 August 2008 - 02:04 PM

Hi,

Thanks for the reply.

Since I posted I've looked deeper into creating a bootable flash drive and my BIOS (Asus A8V Deluxe, BIOS v1017 I think) did not offer the option of booting from a USB drive.

Instead I created a boot CD using UBCD4WIN. This allowed me to run quite a few up-to-date virus checkers and anti-spyware programs.

This is what I ran:

AVG antivirus
AVpersonal
Mcafee Stinger
aSquared Free
AdAware
EzPCFix
HiJackThis
Spy Bot
Super AntiSpyware

All the virus checkers came up clean.

Ad-Aware, Spybot, a-squared and EzPCFix seemed to detect and deal with the trojans that ClamWin listed. I think Spybot deleted the DLLs related to Virtumonde and EzPCFix allowed me to remove the BHO entries in the registry.

I rebooted to C: and ran HijackThis. All the BHO entries have gone (except for the Acrobat BHO which I didn't remove).

I'd appreciate your opinion on whether you think I've cleaned my system adequately.

I can post the HijackThis log or anything else you might need.

Unfortunately, I'm still getting the slow boot problem with my boot drive grinding away for 10 mins plus before starting XP but it seems to be getting less likely that a virus is to blame.

Tim(UK)

#4 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 22 August 2008 - 02:09 PM

We can't analyze HJT logs in this forum, but if you just posted the running processes we could look for conflicts; maybe you have too much security loading.
Chewy

#5 FullMJ, Topic Starter (Members, 13 posts)

Posted 27 August 2008 - 12:28 PM

Hi Chewy,

I'm really sorry for not responding to your post sooner. I've been away from both computers for most of this week as the weather has finally improved after weeks of rain and all my time is being taken up by painting the outside of the house.

I'll post the running processes next time i put the other machine on.

Tim(uk).

#6 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 27 August 2008 - 12:38 PM

Here's an example of a computer that's clean of malware but hardly boots or responds any more; it has a gig of RAM.

StartupList report, 8/26/2008, 11:33:25 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Common Files\AOL\1127693833\ee\AOLSoftware.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
c:\program files\common files\aol\1127693833\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1127693833\ee\aolsoftware.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe


Here's one that's still booting fast and runs great after 3 years with only 512 megs of RAM.

It has no resident protection.

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\HJT.exe


Edited by DaChew, 27 August 2008 - 12:39 PM.

Chewy

#7 FullMJ, Topic Starter (Members, 13 posts)

Posted 29 August 2008 - 03:17 PM

Here's my running processes in a system idle state according to Process Explorer (I've left the nesting as it appears in the text file). When I built the machine in 2005 I tried to tweak Windows to get rid of as much clutter as I could. I suspect the boot process is sticking either before Windows loads or at the point of trying to load Windows.

It's peculiar that my boot problem began a few weeks after I installed a new monitor (Viewsonic VP930). You will see a process called "Floater" that allows the monitor to swivel into "portrait" mode. I haven't tried deactivating this process but it might be worth a try. What do you think?


Process PID CPU Description Company Name
System Idle Process 0 100
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 436 Windows NT Session Manager Microsoft Corporation
csrss.exe 484 Client Server Runtime Process Microsoft Corporation
winlogon.exe 508 Windows NT Logon Application Microsoft Corporation
services.exe 552 Services and Controller app Microsoft Corporation
ati2evxx.exe 764 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 788 Generic Host Process for Win32 Services Microsoft Corporation
wmiprvse.exe 1452 WMI Microsoft Corporation
svchost.exe 872 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 924 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1004 Spooler SubSystem App Microsoft Corporation
avgamsvr.exe 1080 AVG Alert Manager GRISOFT, s.r.o.
avgupsvc.exe 1120 AVG Update Service GRISOFT, s.r.o.
avgemc.exe 1144 AVG E-Mail Scanner GRISOFT, s.r.o.
DkService.exe 1172 DKSERVICE.EXE Diskeeper Corporation
DTSRVC.exe 1192
svchost.exe 1272 Generic Host Process for Win32 Services Microsoft Corporation
alg.exe 1456 Application Layer Gateway Service Microsoft Corporation
lsass.exe 564 LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 464 ATI External Event Utility EXE Module ATI Technologies Inc.
taskmgr.exe 1640 Windows TaskManager Microsoft Corporation
explorer.exe 812 Windows Explorer Microsoft Corporation
atiptaxx.exe 1568 ATI Desktop Control Panel ATI Technologies, Inc.
AsusProb.exe 1684
ATWTUSB.EXE 1784 User Mode Tablet Driver WALTOP International Corp.
wpCtrl.exe 1800 Pivot Software Support Application Portrait Displays, Inc.
Floater.exe 616 Pivot Software Support DLL Portrait Displays, Inc.
PDVDServ.exe 1808 PowerDVD RC Service Cyberlink Corp.
avgcc.exe 1872 AVG Control Center GRISOFT, s.r.o.
ctfmon.exe 1880 CTF Loader Microsoft Corporation
Cacheman.exe 1888 Cacheman Outer Technologies
hddhealth.exe 1908 PANTERASoft
procexp.exe 1668 Sysinternals Process Explorer Sysinternals

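Both kinds of listing in this thread, the StartupList/HijackThis "Running processes" path lists in post #6 and the Process Explorer dump in post #7, are usually eyeballed, but the checks a responder actually applies are mechanical: which images run from a user-writable location, which sit loose in %SystemRoot%, which image names are running several times, and which processes carry no publisher or description in their version resource (DTSRVC.exe, AsusProb.exe and hddhealth.exe in post #7). The following added example does those checks; it is not code from the thread or from either tool. Its assumptions: the Process Explorer sample is written in the tab-separated form of that tool's Save As output, with child processes indented one space per level (the forum paste flattened both tabs and nesting), the short list of executables allowed directly in C:\WINDOWS is illustrative, and both samples are constructed excerpts of what was posted.

```python
"""Triage two pasted process listings: a StartupList/HijackThis "Running
processes" path list (post #6) and a Process Explorer dump (post #7).
Added example, not from the thread or from either tool. Assumptions: the
Process Explorer sample is a tab-separated Save As dump with children
indented one space per level; both samples are constructed excerpts.
"""
import re
from collections import Counter

# Excerpt of the first "Running processes" list in post #6 (constructed copy).
HJT_SAMPLE = r"""Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Illustrative allowlist of images that legitimately sit directly in %SystemRoot%.
WINDOWS_ROOT_OK = {"explorer.exe", "regedit.exe", "notepad.exe"}


def parse_running_processes(text):
    """Collect the path lines that follow a 'Running processes:' header."""
    paths, active = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            active = True
        elif active and PATH_RE.match(line):
            paths.append(line)
    return paths


def classify_path(path):
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if re.match(r"^[a-z]:\\documents and settings\\", low):
        return "user_profile"   # user-writable: where droppers usually land
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", low) and name not in WINDOWS_ROOT_OK:
        return "windows_root"   # loose image in %SystemRoot%: look it up
    if re.match(r"^[a-z]:\\(windows|program files|progra~1)\\", low):
        return "expected"
    return "other"


def triage_paths(paths):
    report = {"user_profile": [], "windows_root": [], "other": []}
    for p in paths:
        bucket = classify_path(p)
        if bucket != "expected":
            report[bucket].append(p)
    names = Counter(p.rsplit("\\", 1)[-1].lower() for p in paths)
    report["duplicates"] = {n: c for n, c in names.items() if c > 1}
    return report


# Constructed excerpt of post #7 in Process Explorer Save As form (tab-separated).
PROCEXP_SAMPLE = (
    "Process\tPID\tCPU\tDescription\tCompany Name\n"
    "System Idle Process\t0\t100\t\t\n"
    " Interrupts\tn/a\t\tHardware Interrupts\t\n"
    "System\t4\t\t\t\n"
    " smss.exe\t436\t\tWindows NT Session Manager\tMicrosoft Corporation\n"
    "  winlogon.exe\t508\t\tWindows NT Logon Application\tMicrosoft Corporation\n"
    "   services.exe\t552\t\tServices and Controller app\tMicrosoft Corporation\n"
    "    svchost.exe\t788\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation\n"
    "    DTSRVC.exe\t1192\t\t\t\n"
    "    avgamsvr.exe\t1080\t\tAVG Alert Manager\tGRISOFT, s.r.o.\n"
    "explorer.exe\t812\t\tWindows Explorer\tMicrosoft Corporation\n"
    " AsusProb.exe\t1684\t\t\t\n"
    " Floater.exe\t616\t\tPivot Software Support DLL\tPortrait Displays, Inc.\n"
    " hddhealth.exe\t1908\t\t\tPANTERASoft\n"
)
PSEUDO = {"system idle process", "system"}  # kernel pseudo-processes, no image file


def parse_procexp(text):
    """Rows as dicts; 'parent' is recovered from the indentation depth."""
    rows, stack = [], []
    for line in text.splitlines()[1:]:          # skip the column header
        depth = len(line) - len(line.lstrip(" "))
        cols = (line.strip().split("\t") + [""] * 5)[:5]
        while stack and stack[-1][0] >= depth:  # climb back to this row's parent
            stack.pop()
        rows.append({"name": cols[0], "pid": cols[1], "description": cols[3],
                     "company": cols[4], "parent": stack[-1][1] if stack else None})
        stack.append((depth, cols[0]))
    return rows


def triage_procexp(rows):
    report = {"no_publisher": [], "no_description": [], "third_party": Counter()}
    for r in rows:
        if r["name"].lower() in PSEUDO or not r["pid"].isdigit():
            continue                            # Interrupts, DPCs, kernel pseudo-processes
        if not r["company"]:
            report["no_publisher"].append(r["name"])    # no version info: identify by hand
        elif not r["description"]:
            report["no_description"].append(r["name"])
        if r["company"] and "Microsoft" not in r["company"]:
            report["third_party"][r["company"]] += 1
    return report


if __name__ == "__main__":
    print(triage_paths(parse_running_processes(HJT_SAMPLE)))
    print(triage_procexp(parse_procexp(PROCEXP_SAMPLE)))
```

On the post #6 excerpt this flags HijackThis.exe (Desktop, expected here since the user ran it from there), wanmpsvc.exe (loose in C:\WINDOWS) and LuCallbackProxy.exe running four times; on the post #7 excerpt it lists DTSRVC.exe and AsusProb.exe as having no publisher string and hddhealth.exe as having no description, which is exactly the set a responder would look up before deciding what is "junk".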

#8 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 29 August 2008 - 07:15 PM

There are several junk programs of dubious value; it only takes one or two creating a conflict, possibly with an essential process.
Chewy

#9 FullMJ, Topic Starter (Members, 13 posts)

Posted 31 August 2008 - 12:44 PM

Thanks.

As far as I can tell, prior to installation of the Viewsonic monitor the system was running fine with most of these processes.

Three things, however:

1. Considering this forum is concerned with virus infections, are we still discussing things appropriate to the forum? I don't want to break any rules here.

2. Do you think I should uninstall the "screen pivot" processes?

3. Which other of my processes do you consider junk?

Tim(uk)

#10 quietman7, Bleepin' Janitor (Global Moderator, 51,263 posts)

Posted 31 August 2008 - 01:10 PM

\Win RAR 3\wrar300.exe: Trojan.Keygen-8 FOUND
\Keyz & Crackz\XPKeySP2\XPKeySP2.exe: Trojan.Keygen-7 FOUND

The practice of using crack or keygen tools is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

If you use those kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, these sites are infested with a smörgåsbord of malware. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

#11 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 31 August 2008 - 02:50 PM

3. What other of my processes do you consider junk?


The ATI, Cacheman, ctfmon, etc.

I am an extreme power user and very particular; I have enough problems multitasking with a single-core CPU and 512 megs of RAM and my video conversions, so any conflict or wasted resource is critical to me.
Chewy

#12 FullMJ, Topic Starter (Members, 13 posts)

Posted 04 September 2008 - 08:34 AM

Great,
Thanks for that.
It gives me a better picture of whats necessary/unnecessary.

I'm pretty sure now that my Boot Issue is a Hardware problem
but thanks again for all of the help/advice that you've given.

Tim (UK)

#13 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 04 September 2008 - 09:23 AM

I'm pretty sure now that my Boot Issue is a Hardware problem


Dust and dirt and/or a failing power supply would be my best guess.
Chewy



