
Infected with Unknown virus


  • This topic is locked
15 replies to this topic

#1 chemeng

chemeng

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:45 PM

Posted 10 February 2010 - 11:47 PM

Please help cure my computer ills. I have an e-Machines T6520 with 3400+ AMD Athlon 64 processor and Windows XP Home Edition OS. I am frequently disconnected from the internet, web pages will not load or computer shuts down unexpectedly. I tried posting at another forum in early January but never received a reply. I am pasting in the DDS.txt log and attaching the Attach.txt and ark.txt files as requested. However, the ark.txt file is the original one which I acquired in early January. When I tried to create a new GMER log, the computer shut down in the middle of the scan. It did this on several tries. Rebooting the computer takes 10-20 minutes. I would appreciate any help that you can offer.


DDS (Ver_09-12-01.01) - NTFSx86
Run by John at 22:06:05.90 on Mon 02/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.243 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [LXBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBXtime.dll,_RunDLLEntry@16
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LXCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCCtime.dll,_RunDLLEntry@16
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: investors.com\www
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {E95E3668-74C8-4E03-8FCA-6CBA286476EE} = 206.246.180.200 209.43.20.115
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-1 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-1-1 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-1 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-1 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-1 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-1 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-1 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-1 40552]
RUnknown pavboot;pavboot; [x]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-31 34248]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [2007-4-4 38272]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys [2007-4-4 38272]
S3 SUSTUCAU;Susteen USB Cable USB Driver;c:\windows\system32\drivers\sustucau.sys [2007-4-4 21376]

=============== Created Last 30 ================

2010-02-09 02:56:39 0 ----a-w- c:\documents and settings\john\defogger_reenable
2010-02-07 01:52:33 0 d-----w- c:\windows\system32\NtmsData
2010-01-20 04:45:00 0 d-----w- c:\program files\Panda Security
2010-01-19 00:55:25 0 d-----w- c:\windows\pss
2010-01-17 14:09:33 0 d-----w- c:\docume~1\john\applic~1\Registry Mechanic
2010-01-16 17:01:10 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-15 23:56:38 0 d-----w- c:\program files\CCleaner
2010-01-15 04:22:39 9551872 ----a-w- c:\documents and settings\john\s-1-5-21-2915283609-2809917397-229974435-1007.rrr
2010-01-15 04:06:52 0 d-----w- c:\program files\common files\PC Tools

==================== Find3M ====================

2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2005-08-14 00:43:07 0 --sha-w- c:\windows\sminst\HPCD.sys
2008-12-24 22:54:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122420081225\index.dat

============= FINISH: 22:09:06.70 ===============

Attached Files
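A DDS log like the one above is read by eye by the forum's helpers; as an added example (not code from the page, from DDS or from BleepingComputer), here is a small Python triage pass over the two sections a reviewer looks at most, run on a constructed excerpt in the same format. The heuristics are assumptions chosen for illustration, and a flagged line only means "worth a second look", not "malware".

```python
"""Triage helper for a DDS log: splits the log into its '=== Title ===' sections
and flags lines a reviewer would look at twice. Added example, not a DDS or
BleepingComputer tool; the heuristics below are assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format of the DDS output above (backslashes doubled for Python).
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\\program files\\google\\google toolbar\\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
mRun: [ehTray] c:\\windows\\ehome\\ehtray.exe
mRun: [CHotkey] zHotkey.exe
Trusted Zone: mcafee.com
TCP: {E95E3668-74C8-4E03-8FCA-6CBA286476EE} = 206.246.180.200 209.43.20.115
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\\windows\\system32\\drivers\\mfehidk.sys [2010-1-1 214664]
RUnknown pavboot;pavboot; [x]
S3 mferkdk;McAfee Inc. mferkdk;c:\\windows\\system32\\drivers\\mferkdk.sys [2009-12-31 34248]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# DDS service lines: "<state> <name>;<display name>;<path> [<date> <size>]" or "; [x]" when missing.
SERVICE_RE = re.compile(r"^(?P<state>[RS](?:\d|Unknown))\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# DDS autorun lines: "uRun/mRun/dRun: [<value name>] <command>".
RUN_RE = re.compile(r"^[umd]Run: \[(?P<key>[^\]]+)\]\s*(?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the '=== Title ===' header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage_hjt_line(line: str) -> Optional[str]:
    """Return a reason to review this Pseudo-HJT line, or None if it looks routine."""
    if line.endswith("- No File"):
        return "registry entry points at a file that no longer exists (orphan; usually a leftover)"
    if line.startswith("Trusted Zone:"):
        return "site placed in the IE Trusted Zone, where relaxed security settings apply"
    if line.startswith("Hosts:"):
        return "HOSTS file override reported by DDS; confirm it is intended"
    if line.startswith("TCP:"):
        return "DNS servers set on an interface; confirm they belong to the ISP"
    run = RUN_RE.match(line)
    if run and not re.search(r"[\\/]|%\w+%", run.group("cmd")):
        return "autorun command has no full path, so Windows resolves it via the search path"
    return None


def triage_service_line(line: str) -> Optional[str]:
    """Return a reason to review this service/driver line, or None if it looks routine."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    reasons = []
    if m.group("state").endswith("Unknown"):
        reasons.append("start type could not be determined")
    if "[x]" in m.group("rest"):
        reasons.append("service binary not found on disk")
    return "; ".join(reasons) or None


def triage(text: str) -> List[Finding]:
    """Run the per-section heuristics over a whole DDS log and collect the findings."""
    findings: List[Finding] = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            if section == "Pseudo HJT Report":
                reason = triage_hjt_line(line)
            elif section == "SERVICES / DRIVERS":
                reason = triage_service_line(line)
            else:
                reason = None
            if reason:
                findings.append(Finding(section, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}\n    -> {f.reason}")
```

Run against the full log in the thread, the same pass would also pick up the second "No File" toolbar entry, the path-less ShowWnd autorun and the other two Trusted Zone lines, all of which the helper here judged to be harmless leftovers.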




#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:45 PM

Posted 17 February 2010 - 05:20 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 chemeng

chemeng
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:45 PM

Posted 20 February 2010 - 02:20 AM

myrti,

Thank you so much for replying to my post; I appreciate the help. My computer problems have not been resolved and actually appear to be getting worse. I ran the scan that you requested (resultant reports are attached). I walked away from the computer during the scan and apparently after the scan finished, there appeared a blue screen with white lettering which I tried to copy:

"A problem has been detected and windows has been shut down to prevent damage
to your computer.

KERNEL_STACK_INPAGE_ERROR

If this is the first time you've seen this stop error screen,
restart your computer. If this screen appears again, follow
these steps:

Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer
for any windows updates you might need.

If problems continue, disable or remove any newly installed hardware
or software. Disable BIOS memory options such as caching or shadowing.

If you need to use safe mode to remove or disable components, restart
your computer, press F8 to select Advanced Startup Options and then
select safe mode.

Technical information:

*** STOP: 0x00000077 (0xC000000E, "

There was more to the message; about 4 more alphanumeric strings like the 0xC000000E and a last line stating that a memory dump was starting. However, the screen changed to the following black screen with white lettering before I had a chance to copy it.

"Intel UNDI, PXE-2.0 (build 082)
Copyright © 1997-2000 Intel Corporation

For Realtek RTL 8139(X)/8130/810X PCI Fast Ethernet Controller v2.13 (020326)
PXE-E61: Media test failure, check cable
PXE-M0F: Exiting PXE ROM.

Intel UNDI, PXE-2.0 (build 082)
Copyright © 1997-2000 Intel Corporation

For Realtek RTL 8139(X)/8130/810X PCI Fast Ethernet Controller v2.13 (020326)
PXE-E61: Media test failure, check cable
PXE-M0F: Exiting PXE ROM.

DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER."

At that point, I did a hard reboot and the computer started (took about 10 minutes for everything to start). The two screens that I have copied above are new in the last couple of days; however, the slow startup has been a recurring problem for a while. Also, I have experienced slow internet speeds and frequent disconnection from the internet. Also, I noticed that when the Windows operating system starts the tone is intermittent rather than the normal startup tone.


In the past month I have tried several free scans (Malware Bytes, Spybot Search & Destroy and others that I have forgotten) all of which tell me that the computer is clean. Of course my McAfee virus scan runs every week and it also says that the computer is clean. I have run CCleaner and my McAfee cleaner to clean up temporary files and cookies. In desperation, (before I learned of the "bleeping computer forum") I ran a free Registry Mechanic scan which found over 1000 issues but required a purchase of their $59.95 software to fix the issues. I didn't trust them, so I did not purchase the software. A friend told me about your forum and that he had received help on several occasions with fantastic results.

In your reply you asked that I refrain from applying updates. Does that include the automatic updates from McAfee?

Again, thank you for your help.

regards, chemeng

Attached Files



#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:45 PM

Posted 20 February 2010 - 08:05 AM

Hi,

Your log looks clean. Your problems may not be malware related. They quite probably aren't.
Just to be safe I will run a couple of scans with you, and once we have made sure nothing is hiding on your PC, I'll suggest that you state your problem on another part of BleepingComputer, where people are more familiar with software problems or hardware failure.
The text from the crash you are showing suggests that your hardware, maybe your hard drive, is failing. If I were you I would back up all my important data to another drive (or an external drive) now, just to be safe.

Let's check for malware:
First please run a scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Then, please run chkdsk:
1. Run Chkdsk
Running chkdsk may take some time to complete. Please be patient and do not use the computer, press any keys, or try to stop the chkdsk scan once it has started.
  • Right-click the Start button and select Explore
  • Navigate to your C: Drive, then right-click the drive and select Properties
  • In the Properties window that pops-up, click the Tools tab and then click on the button that says Check Now
  • If the User Account Control window pops-up asking for permission to run Check Disk, please click on Continue
  • In the Check Disk Options window that pops-up, place a check-mark in both boxes:
    • Automatically fix file system errors
    • Scan for and attempt recovery of bad sectors
  • Now click on Start.
  • A new window will pop-up saying, Windows can't check the disk while it's in use, click schedule disk check
  • Now shut-down your computer, not restart, and then turn on your computer.
  • When your computer turns on, you will see a black screen with white lettering; this is chkdsk running.
  • Let chkdsk run through its 5 Stages. When it is finished, your computer will boot to the desktop.
2. Chkdsk Log
  • Click on Start, then Run.
  • Copy and paste the following bold text in to the Open: box:
      eventvwr.msc /s
  • This will bring up the Event Viewer window
  • In the left panel click on Application
  • The chkdsk log should be the first entry, with a source of Wininit. If it is not the first log:
    • Click on View, and then on Newest First
    • This should place the chkdsk log at the top of the list.
  • Click on the entry once
  • Now right-click on the entry and choose Properties.
  • In the window that pops-up, click on (this will copy the log).
  • Paste the log in a Reply to this topic.

Finally I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners
QUOTE
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.


http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html
http://forums.whatthetech.com/Regcleaner_t42862.html

regards myrti



#5 chemeng

chemeng
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:45 PM

Posted 21 February 2010 - 01:48 PM

Hi,
Thanks again for your quick response. I am writing this reply from a different computer. Saturday was an interesting day. When I turned on the computer, it started running CHKDSK right away without prompting. After about three hours, it completed stage 3 of 3 (don't know why there were three instead of 5 stages). Unfortunately, it left no record in the event viewer. I wrote down some notes while it was running, since at the time I had not seen your reply and didn't know that CHKDSK was supposed to generate a log.
Notes from CHKDSK run from 8:30 am to 12:15 pm on 2/20/2010:
In stage 1 (verifying files) it deleted corrupt attribute records from 2 file record segments. Then it gave a list of 34 record segments that were unreadable. File verification completed in ~1 hour. Stage 2 (verifying indexes) took about 70 minutes and ended with a statement that verification was complete and that CHKDSK was recovering lost files. Stage 3 (verifying security descriptors) took about 15 minutes. For the next hour it repaired unreadable security descriptors data stream, index entries, and security file record segment. It cleaned up 397 unused index entries and unused security descriptors. At this point a lot of information was printed on the screen but disappeared before I could copy any of it. Some of it looked like it might have contained information on disk space. The computer immediately went through the normal boot up (still very slow).

When I finally logged on to the forum and saw your message I tried to run eventvwr.msc /s to obtain the chkdsk log. However, there was nothing in the viewer for Saturday's date or which had a Wininit source. I followed the link that you gave to download GMER, disconnected from the internet and shut off my security program. The initial attempt to run GMER resulted in an immediate shut down of the computer. After rebooting, a second attempt at scanning ran for about an hour before the computer shut down. I rebooted in Safe Mode and tried the scan. The result was two more shutdowns. As the computer began to start, it prompted me to run a CHKDSK scan. This time it said that there were 5 stages. The scan started at about 3:00 pm and went through the first three stages in about three hours. The fourth stage (verifying file data) took a while but completed. The fifth stage went to about 17% complete by midnight and was no further at 8:00 am on Sunday morning. There was no evidence of life in the computer; no fans, no hard drive spinning, no sound at all. I did a hard reboot this morning and the computer prompted that CHKDSK was scheduled to run. It started at about 8:30 and has been going ever since. The first three stages went quickly and showed no issues. It is currently (1:40 pm) in the fourth stage (verifying file data; 19% complete) and is proceeding at about 1% per 30 minutes. I am at a loss as to whether I should do a hard reboot, refuse the CHKDSK scan and try a system restore, or just wait it out.

As I said above, I am writing from another computer and have access to e-mail and the internet. I appreciate any advice that you have, but I agree with your previous post that it looks more like a software/hardware issue than a virus.

Regards, chemeng

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:45 PM

Posted 21 February 2010 - 02:04 PM

Hi,

I'm gonna have a hardware person have a look at this thread. But I suspect that your hard disk is dead. (But before jumping to any conclusions, let's wait for confirmation.)

regards myrti



#7 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:05:45 PM

Posted 21 February 2010 - 03:08 PM

Go to the support site for your hard drive manufacturer
In the drivers and download section, they will have a utility you can download to a CD/DVD
In the BIOS, be sure to change the boot order so the CD/DVD drive is first

If you are not sure what brand of drive, download System Information for Windows - SIW. It will tell you
Free version w/installer:
http://www.gtopala.com/siw-download.html


Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#8 chemeng

chemeng
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:45 PM

Posted 23 February 2010 - 08:31 AM

myrti and garmanma,
Thanks for all of your help. I downloaded SIW as you suggested and found that the hard drive manufacturer is Seagate. I went to the Seagate site and found the download. A friend burned a CD for me and we will run the tool later this afternoon. My friend actually has a Seagate hard drive and had to do the same thing to recover bad sectors; however, I fear that my hard drive might be too far gone. If all goes well, I will post the results tonight.

#9 chemeng

chemeng
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:45 PM

Posted 25 February 2010 - 09:15 PM

Hi,

I ran the SeaTools for Windows software from Seagate. The drive passed the Short Drive Self Test; however, when I ran the Long Drive Self Test it failed and gave test code: A1A4D4F2. I tried to run the SeaTools for DOS from the bootable CD to repair the bad sectors but when I got to the first screen to accept the End User License Agreement, I couldn't move the cursor. Nothing on the mouse or keyboard worked. All I could do was hit Ctrl/Alt/Delete and reboot. So I haven't been able to attempt to fix bad sectors on the drive. I tried several times and noticed as the SeaTools for DOS booted that something called CuteMouse v.2 briefly flashed on the screen. I tried several different mice but none worked. So I am at a loss as to what to try next.

I would appreciate any suggestions.

#10 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:05:45 PM

Posted 26 February 2010 - 04:06 PM

QUOTE
CuteMouse is a DOS based, open source mouse driver, which supports many protocols of serial and PS/2 mice. It can search for a serial mouse at all COM ports

It's the driver for the mouse
QUOTE
I couldn't move the cursor. Nothing on the mouse or keyboard worked.

You might need to download the diagnostic tool again
The first one might have been corrupted

I am going to need some time to research this
Nothing comes up with that error code, but I'm not too optimistic
One suggestion was to zero out the drive

What is the model number of the drive?
You can get that from the BIOS without opening the unit

Edited by garmanma, 26 February 2010 - 04:07 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#11 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 26 February 2010 - 10:00 PM

I'm waiting for a response from a Seagate tech, but while searching the site I found this:

QUOTE
8-digit (eight digit) diagnostic error code: Sometimes Maxtor OneTouch software or FreeAgent software gives an 8-digit (eight digit) diagnostic error code after a diagnostic test.

Unfortunately, an 8-digit code from either the Maxtor OneTouch Manager software or the FreeAgent diagnostic/Test My Drive software signals a drive failure.

Note: FreeAgent Pro drives can give false diagnostic failures when tested using the FreeAgent Tools and connected via the eSATA interface.

Mark

#12 chemeng (Topic Starter, Members, 7 posts)

Posted 27 February 2010 - 11:31 AM

garmanma,
Thanks for all of your research on this. I also tried searching for the error code on the seagate site and found nothing. The model number of the drive is ST3200021A. I have copied a log of the tests that I have run using SeaTools.

--------------- SeaTools for Windows v1.2.0.1 ---------------
2/24/2010 12:05:18 AM
Model: ST3200021A
Serial Number: 4LJ0ZJ8M
Firmware Revision: 3.01
Short DST - Started 2/24/2010 12:05:18 AM
Short DST - Pass 2/24/2010 12:09:25 AM
Long DST - Started 2/24/2010 6:06:10 PM
Long DST - FAIL 2/24/2010 6:10:39 PM
SeaTools Test Code: A1A4D4F2
SMART - Pass 2/25/2010 6:31:52 PM
Short DST - Started 2/25/2010 6:32:28 PM
Short DST - Pass 2/25/2010 6:34:32 PM
Identify - Started 2/25/2010 6:35:26 PM
Short Generic - Started 2/25/2010 6:36:19 PM
Short Generic - Pass 2/25/2010 6:58:39 PM
Long DST - Started 2/25/2010 7:02:49 PM
Long DST - FAIL 2/25/2010 7:06:16 PM
SeaTools Test Code: A1A4D4F2

#13 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 27 February 2010 - 08:08 PM

From what I have read on the Seagate site and going over your posts here, I think it is reasonable to assume that the drive is failing
I would not take the chance of running it until it finally quits
I would retrieve all of the info now that you wish to save
The less you run the computer until you do that, the better
Mark

#14 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 27 February 2010 - 11:03 PM

Got a reply back from the tech that basically says what I said

QUOTE
I suspect that your drive has bad sectors. Try a more comprehensive SMART diagnostic tool.

HD Sentinel (DOS / Windows / Linux):

http://www.hdsentinel.com/

HDDScan for Windows:

http://hddscan.com/

Look for reallocated, pending, or uncorrectable sectors.

See this article for SMART info:

http://en.wikipedia.org/wiki/S.M.A.R.T.

To "repair" any bad sectors, you could use SeaTools to zero fill your drive, and then run the test again.

Mark

#15 chemeng (Topic Starter, Members, 7 posts)

Posted 05 March 2010 - 09:11 PM

Hi garmanma,
Sorry for the delayed response. Along with the failing hard drive, the past week of work has been a disaster; lots of layoffs.
I downloaded Hard Disk Sentinel and ran the diagnostics. A partial text is copied below. Bottom line is the hard drive's Health is Critical; rated at 4%. Fortunately, I was able to back up all of the data. We will be shopping for a new computer this weekend. Thanks for all of your help.

-- Physical Disk Information - Disk: #0: ST3200021A --

Hard Disk Summary
-------------------
Hard Disk Number . . . . . . . . . . . . . . . . : 0
Interface . . . . . . . . . . . . . . . . . . . : IDE/ATA
Disk Controller . . . . . . . . . . . . . . . . : ATI IDE Controller (ATA)
Disk Location . . . . . . . . . . . . . . . . . : 0, Device: 0
Hard Disk Model ID . . . . . . . . . . . . . . . : ST3200021A
Firmware Revision . . . . . . . . . . . . . . . : 3.01
Hard Disk Serial Number . . . . . . . . . . . . : 4LJ0ZJ8M
Total Size . . . . . . . . . . . . . . . . . . . : 190779 MB
Power State . . . . . . . . . . . . . . . . . . : Active
Current Temperature . . . . . . . . . . . . . . : 39 C
Power On Time . . . . . . . . . . . . . . . . . : 517 days, 5 hours
Estimated Remaining Lifetime . . . . . . . . . . : 4 days
Health . . . . . . . . . . . . . . . . . . . . . : -------------------- 4 % (Critical)
Performance . . . . . . . . . . . . . . . . . . : #################### 100 % (Excellent)

There are 1049 bad sectors on the disk surface. The contents of these sectors were moved to the spare area.
The drive found 45 bad sectors during its self test.
There are 45 weak sectors found on the disk surface. They may be remapped any time in the later use of the disk.
At this point, warranty replacement of the disk is not yet possible, only if the health drops further.
It is recommended to examine the log of the disk regularly. All new problems found will be logged there.
It is recommended to backup immediately to prevent data loss.


S.M.A.R.T. Details
--------------------
Off-line Data Collection Status . . . . . . . . : Successfully Completed
Self Test Execution Status . . . . . . . . . . . : Successfully Completed
Total Time To Complete Off-line Data Collection : 430 seconds
Execute Off-line Immediate . . . . . . . . . . . : Supported
Abort/restart Off-line By Host . . . . . . . . . : Not supported
Off-line Read Scanning . . . . . . . . . . . . . : Supported
Short Self-test . . . . . . . . . . . . . . . . : Supported
Extended Self-test . . . . . . . . . . . . . . . : Supported
Conveyance Self-test . . . . . . . . . . . . . . : Not supported
Selective Self-Test . . . . . . . . . . . . . . : Supported
Save Data Before/After Power Saving Mode . . . . : Supported
Enable/Disable Attribute Autosave . . . . . . . : Supported
Error Logging Capability . . . . . . . . . . . . : Supported
Short Self-test Estimated Time . . . . . . . . . : 1 minutes
Extended Self-test Estimated Time . . . . . . . : 111 minutes
Last Short Self-test Result . . . . . . . . . . : Successfully Completed
Last Short Self-test Date . . . . . . . . . . . : 2/28/2010 12:39:34 AM
Last Short Self-test Duration . . . . . . . . . : 3 minutes
Last Extended Self-test Result . . . . . . . . . : Never Started
Last Extended Self-test Date . . . . . . . . . . : Never Started


S.M.A.R.T.
------------
No.  Attribute                  Threshold  Value  Worst  Raw data (hex)  Status               Flags
1    Raw Read Error Rate        6          51     45     00000CB690A8    OK                   Error-Rate, Performance, Statistical, Critical
3    Spin Up Time               0          96     96     000000000000    OK (Always passing)  Statistical, Critical
4    Start/Stop Count           20         98     98     000000000982    OK                   Self Preserving, Event Count, Statistical
5    Reallocated Sectors Co..   36         74     74     000000000419    OK                   Self Preserving, Event Count, Statistical, Critical
7    Seek Error Rate            30         87     60     00002595BFFE    OK                   Error-Rate, Performance, Statistical, Critical
9    Power On Time Count        0          86     86     00000000307D    OK (Always passing)  Self Preserving, Event Count, Statistical
10   Spin Retry Count           97         100    100    000000000000    OK                   Event Count, Statistical, Critical
12   Drive Power Cycle Count    20         98     98     00000000097A    OK                   Self Preserving, Event Count, Statistical
194  Disk Temperature           0          39     49     000000000027    OK (Always passing)  Self Preserving, Statistical
195  Hardware ECC Recovered     0          50     45     00000CB690A8    OK (Always passing)  Event Count, Error-Rate, Statistical
197  Current Pending Sector..   0          100    100    00000000002D    OK (Always passing)  Event Count, Statistical
198  Off-Line Uncorrectable..   0          100    100    00000000002D    OK (Always passing)  Event Count
199  Ultra ATA CRC Error Co..   0          200    200    000000000000    OK (Always passing)  Self Preserving, Event Count, Error-Rate, Performanc..
200  Write Error Rate           0          100    253    000000000000    OK (Always passing)
202  Data Address Mark Errors   0          100    253    000000000000    OK (Always passing)  Self Preserving, Event Count, Statistical

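Applying the Seagate tech's advice quoted in post #14 (look for reallocated, pending, or uncorrectable sectors) to the HD Sentinel table in post #15, as an added example that is not code from this thread, Hard Disk Sentinel, SeaTools or Seagate. It parses HD Sentinel's text attribute table in the form it was posted, decodes the hex raw counters, and shows why SeaTools could report "SMART - Pass" on a drive with 1049 remapped and 45 pending sectors. The row regex, the verdict levels and the HEALTHY rows are this example's own assumptions; the SAMPLE table is copied from the post above.

```python
"""Check an HD Sentinel S.M.A.R.T. table the way the Seagate tech suggests:
read the reallocated / pending / uncorrectable counters, not only the pass/fail
status. Added example for this thread, not vendor code. SAMPLE is the table
posted for the ST3200021A; HEALTHY is a constructed two-row table for contrast.
"""
import re
from dataclasses import dataclass

# One attribute row as HD Sentinel prints it:
#   No. Attribute Thre.. Value Worst Data Status Flags
# The name may contain spaces and a trailing "..", so it is matched lazily up
# to the three integer columns and the 12-hex-digit raw "Data" field.
ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>.+?)\s+(?P<thresh>\d+)\s+(?P<value>\d+)"
    r"\s+(?P<worst>\d+)\s+(?P<raw>[0-9A-Fa-f]{12})"
    r"\s+(?P<status>OK(?: \(Always passing\))?)\s*(?P<flags>.*)$"
)

# Attribute IDs whose raw counter matters even while the normalized value is fine.
POWER_ON_HOURS, REALLOCATED, PENDING, UNCORRECTABLE = 9, 5, 197, 198
# On Seagate drives the raw field of 1 (Raw Read Error Rate), 7 (Seek Error Rate)
# and 195 (Hardware ECC Recovered) counts operations, not errors, so those raw
# values are deliberately never read here.


@dataclass
class Attr:
    id: int
    name: str
    thresh: int
    value: int
    worst: int
    raw: int      # decoded from the 12-digit hex "Data" column
    flags: str


@dataclass
class Assessment:
    threshold_pass: bool   # what a SeaTools "SMART - Pass" actually asserts
    failing: list          # attributes whose normalized value reached the threshold
    reallocated: int
    pending: int
    uncorrectable: int
    power_on_hours: int
    verdict: str           # OK, WARNING, CRITICAL or FAIL (assumed levels)


def parse_table(text):
    """Return {attribute id: Attr}; header, ruler and prose lines are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            attrs[int(m["id"])] = Attr(
                int(m["id"]), m["name"], int(m["thresh"]), int(m["value"]),
                int(m["worst"]), int(m["raw"], 16), m["flags"])
    return attrs


def raw_count(attrs, attr_id):
    a = attrs.get(attr_id)
    return a.raw if a else 0


def power_on_days_hours(hours):
    return divmod(hours, 24)


def assess(text):
    attrs = parse_table(text)
    # SMART pass/fail trips only when a normalized value with a non-zero threshold
    # falls to that threshold. It lags badly: a drive can have remapped a thousand
    # sectors and still report "Pass", which is exactly what SeaTools did here.
    failing = [a.name for a in attrs.values() if a.thresh and a.value <= a.thresh]
    reallocated = raw_count(attrs, REALLOCATED)
    pending = raw_count(attrs, PENDING)
    uncorrectable = raw_count(attrs, UNCORRECTABLE)
    if failing:
        verdict = "FAIL"
    elif pending or uncorrectable:
        verdict = "CRITICAL"   # sectors the drive cannot read right now: back up first
    elif reallocated:
        verdict = "WARNING"    # remapped sectors: watch the trend, plan replacement
    else:
        verdict = "OK"
    return Assessment(not failing, failing, reallocated, pending, uncorrectable,
                      raw_count(attrs, POWER_ON_HOURS), verdict)


# Table from the HD Sentinel log posted above (ST3200021A).
SAMPLE = """\
No. Attribute Thre.. Value Worst Data Status Flags
1 Raw Read Error Rate 6 51 45 00000CB690A8 OK Error-Rate, Performance, Statistical, Critical
3 Spin Up Time 0 96 96 000000000000 OK (Always passing) Statistical, Critical
4 Start/Stop Count 20 98 98 000000000982 OK Self Preserving, Event Count, Statistical
5 Reallocated Sectors Co.. 36 74 74 000000000419 OK Self Preserving, Event Count, Statistical, Critical
7 Seek Error Rate 30 87 60 00002595BFFE OK Error-Rate, Performance, Statistical, Critical
9 Power On Time Count 0 86 86 00000000307D OK (Always passing) Self Preserving, Event Count, Statistical
10 Spin Retry Count 97 100 100 000000000000 OK Event Count, Statistical, Critical
12 Drive Power Cycle Count 20 98 98 00000000097A OK Self Preserving, Event Count, Statistical
194 Disk Temperature 0 39 49 000000000027 OK (Always passing) Self Preserving, Statistical
195 Hardware ECC Recovered 0 50 45 00000CB690A8 OK (Always passing) Event Count, Error-Rate, Statistical
197 Current Pending Sector.. 0 100 100 00000000002D OK (Always passing) Event Count, Statistical
198 Off-Line Uncorrectable.. 0 100 100 00000000002D OK (Always passing) Event Count
199 Ultra ATA CRC Error Co.. 0 200 200 000000000000 OK (Always passing) Self Preserving, Event Count, Error-Rate, Performanc..
200 Write Error Rate 0 100 253 000000000000 OK (Always passing)
202 Data Address Mark Errors 0 100 253 000000000000 OK (Always passing) Self Preserving, Event Count, Statistical
"""

# Constructed rows for a drive with clean sector counters (not from the thread).
HEALTHY = """\
5 Reallocated Sectors Co.. 36 100 100 000000000000 OK Self Preserving, Event Count, Statistical, Critical
197 Current Pending Sector.. 0 100 100 000000000000 OK (Always passing) Event Count, Statistical
"""
```

For the posted table `assess(SAMPLE)` returns `threshold_pass=True` and `verdict="CRITICAL"`: every normalized value is still above its threshold, which is all "SMART - Pass" asserts, while the raw counters decode to 1049 reallocated, 45 pending and 45 uncorrectable sectors and 12413 power-on hours (517 days, 5 hours), matching the HD Sentinel summary. One caveat when retiring a drive in this state: the sectors the firmware has remapped keep their old contents on the platter but are no longer reachable by LBA, so a zero fill from the host, as SeaTools offers, does not overwrite them. If the drive held anything sensitive, an ATA enhanced secure erase (which the ATA specification requires to cover reallocated sectors as well) or physical destruction is the right disposal step, not a zero fill.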