
Unidentified reboot problems after attempted viral clean


  • This topic is locked
50 replies to this topic

#1 Agent Cooper

Agent Cooper

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 04 April 2012 - 12:46 PM

Hello all at Bleeping Computer.

First off - I hope I'm posting in the correct area and my apologies for length of post - turned into a 'book' on the way. Secondly, I hope someone can help me with the dire situation I've found myself in regarding my desktop pc. It has shown how much of an amateur I am while trying to deal with viral infections and their removal. I fear I've aggravated the initial problem.

Ok, where to start? I am currently dealing with a pc that won't boot past the POST screen on a restart/reboot. During the few times that it did manage to boot to desktop (currently, it won't after 8+ hours of attempts!)

It is a problem quite similar to this (http://www.bleepingcomputer.com/forums/topic292567.html) in essence, where after the memory check - it restarts, or occasionally runs a little longer and freezes at "detecting IDE's". If I have my system disk in (Windows XP Home) occasionally - after a long pause (90secs+) it would boot past POST to get to the Setup and then prompt a "could not find {random file}" message and then prompt me for a restart.

My pc was operating fine (using XP Home edition) till I noticed that Google Chrome wasn't letting me connect to Microsoft for updates/downloads. I did some research and found this seemed to be a common problem with a lot of users, a problem with Chrome's connection protocols and not "foul play". I then noticed my "show hidden files" in Folder Options was disabled and immediately reverting back to "don't show" when I changed them (this also affected "hide extensions of known file types" & "hide protected operating system files" too). Also my PC had begun to freeze several times when I was on YouTube. Now I was getting quite suspicious. I had been using IOBit's 360 - which I had upgraded recently to their newer IOBit Malware Fighter. That program's searches rendered nothing. So I went hunting for some more "reputable" anti-viral removal software - I had used Malwarebytes' anti-malware program in the past (and have no idea why I got rid of it for IOBit!). Also, any attempt I made to download programs I trusted from legitimate sites would result in Google Chrome not being able to find the site. Conveniently any site that provides "known and trusted" anti-viral software. Really suspicious!

So using a combination of what I had at hand: Malwarebytes Anti-Malware (which I had to find through an unofficial site - I feel an idiot now - but hindsight's a wonderful thing!); Registry Repair Wizard 2009 & CCleaner I started to try and root out the viral infection. Things started to immediately go wrong. I would experience sudden abrupt system "restarts" (these were not initiated by me!) during the running of these programs. Also System Restore restarted abruptly before it had completed. And most lethally - another premature unsolicited "restart" during an Auslogics defragmentation scan. During this period I also tracked down and downloaded a program I'd never heard of but I'm sure you are familiar with by the name of Combofix! (You must be shaking your heads by now if you weren't already!). I cannot sufficiently state how stupid I NOW feel about running Combofix without expert supervision. In the heat of the panic I was experiencing, I wasn't reading the warnings I now find pasted all over your forums about its use! And due to some ill-advised external advice about Combofix, I thought that I would be ok.

So, (you have a "confession box" anywhere on these forums?)..I ran Combofix. And guess what happened? - My system restarted barely 60 seconds into it running! I then tried Malwarebytes Anti-Malware after the restart - which showed me several trojans but...another premature RESTART happened before it had completed. These "restarts" were happening quite frequently now and I was noticing a significant slow down on pc. Long pauses on desktop where the mouse would freeze/no response (also noticed in Task Manager during this time that the usage would flicker up to 49/50% when nothing but explorer was running!). The system would restart itself on its own accord somewhere between 2-10 minutes into desktop, or quicker if I started to run anything.

I then made Bleeping Computer my second home (& friend's laptop!). I started actually "reading" posts here, as opposed to zooming/superficially browsing for solutions, deducing that Combofix wasn't to be employed recklessly (it took me another 2 attempts to successfully remove Combofix - by re-installing successfully {without a hijacking restart} and using "combofix /uninstall" - with the SPACE in START/RUN). I'm now at the stage mentioned early near the top of this post, where pc won't boot past the first POST screen.

I have no idea how to get my pc back up and running to remove the trojans & co at work in the system files. I've found myself in a purgatory of doubt: as to what the infection is capable of, how much damage I may have caused to system files (through Combofix, failed defragmentation & system restore attempts that have crashed before completing) and where I am doubting the hardware (bad cable, faulty drive, faulty motherboard, etc). I have tried putting in a factory fresh formatted Hard Drive - still exact same problems persist - no boot after BIOS. On rare occasion it does - crashes {restarts} at Setup loading files.

It's at this point that I contact you. I'm out of my depth and don't know where to start to get everything up and running. I'd rather check with experts before replacing potentially faulty hardware - as I'm unsure if this is the issue and not viral or ill-attempted virus removal damage that's led to current malaise - ? I realise I've charged into the whole process of viral-infection removal like a blind bull - too confident with zero experience/expertise in the matter!

Can you help me? Can this system be retrieved? Any insights or guidance would be greatly appreciated, as I'm at my wit's end with this. Got a feeling this will end up a 'pinned' thread or cautionary tale on "Why you shouldn't use powerful anti-viral software without expert instruction".

Please - Any help/insights?



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:41 AM

Posted 04 April 2012 - 02:45 PM

Good evening. :)

Let's start with a few basics and see where that takes us:

Do you have a Windows installation disk? If you do, that provides us with a safety net if the current Windows installation is totally borked, which it may or may not be.
Do you have any files on the hard drive that you really don't want to lose? If you do, we'll dig those out before we do anything else.
Are you really truly sorry that you did what you did in trying to fix the PC?
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
(I've done similar, so you're not the only one that wonders why at times like these. :busy:)

So long, and thanks for all the fish.

 

 


#3 Agent Cooper

Agent Cooper
  • Topic Starter


Posted 04 April 2012 - 02:59 PM

Hi & thank you!

Yes - I have Windows XP Home installation disk

Yes - Stuff I'd like to retrieve/save : Movies, some music, small amount of documents & game saves (i.e. my girlfriend's beloved Skyrim saves - I risk death with the latter!)

And yes - I am truly sorry for my own misguided efforts. My penance continues....

#4 Noviciate


Posted 04 April 2012 - 04:25 PM

I'll split this into parts to make it easier on the eye. If you have any questions, please ask before doing something stupid - you know that makes sense! :P

Step 1 - creating a boot disk with an alternative operating system on it.

Download lupu-525.iso from here and save it to your Desktop. It's a 128 Mb file, so it will take some minutes to download.

You then need to burn the .iso file to disk. My personal choice is InfraRecorder, available here, which is a free, GPL version 3, solution.

  • Run the program and select the Write Image option in the main window.
  • Navigate to the .iso file that you downloaded and double click it.
  • Insert a blank disc into the correct CD drive.
  • Click OK and sit back and relax.
  • The disc will be ejected when the task is complete so, unless you uncheck this option, mind the drawer!

Step 2 - change the boot order, if you need to, so that the PC boots from the new OS rather than Windows.

  • There's a handy pictorial guide here.
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.

When you boot the PC, the boot order is the order in which the various possibilities of finding an operating system are checked by your system. Normally the hard drive is first in line as it is usually where the OS resides. By checking this one first the PC will boot in the quickest time possible.
By changing the order the PC will check the CD drive first, and if it finds a disk with an OS on, it will boot from it. If it doesn't find one, it then looks at the second device on the list, which should be the hard drive and it will boot from that.

I change the boot order on all my machines so that if ever I need to boot from a disk I can do so without needing to access the BIOS then and there - there's usually a problem that I'm trying to deal with and adding a second or two to the normal boot time is a price worth paying to be able to instantly boot from a disk rather than have to get into the BIOS when I'm already stressed by a sick PC.

Step 3 - boot from disk and recover files.

  • Insert the newly burned disk and reboot the machine.
  • Wait for Puppy to get its little tail wagging and the Desktop to appear.
  • Once it's up and running, you'll have the opportunity to customise the keyboard and language settings, which is never a bad idea.
  • Allow the restart of the Desktop to finalise any changes, if you've made any, and that part is done.
  • In the bottom left hand corner you should see all the partitions that Puppy has found on your hard drive, which on my system are labelled sda1, sda2, etc..., and sr0 which is the disk that you booted from.
  • Left click each of the sda icons and you should see a window open and a green disk appear over the icon to indicate that it is now accessible.
  • This is the equivalent of Windows Explorer or My Computer depending on how you navigate your PC's file system.
  • Insert your flashdrive and it should autodetect and you'll see an icon appear with the others in the bottom left, mine's called sdb1.
  • Left click it, as with the other icons.
  • Now all you need to do is to find the files that you want to rescue and Copy and Paste them to your flashdrive just as you do within Windows.
  • Once done, click the "Puppy" icon in the bottom left hand corner of the Desktop and select Shutdown > Power-off Computer
  • When prompted to save the session, select <DO NOT SAVE> and the PC should shutdown.

Let me know how you get on.

So long, and thanks for all the fish.

 

 


#5 Agent Cooper


Posted 05 April 2012 - 06:44 PM

Hello again Noviciate and sorry for delay.

Ok - wish I had good news but...

Managed steps 1 & 2 - PUPPY boot disk created from iso & my BIOS was already in the first boot: CD drive/ second boot: HD / third boot: removable. I opened BIOS again and made sure and saved & rebooted.

Step 3 - System would restart before Puppy completed install - !

A few more details - hope they are of use:

As described in first post - system habitually restarts after POST screen memory check or hangs at "Detecting IDE drives"

It seems to boot beyond the first POST screen after a longer period of being switched off (5+ mins)

So out of say 40-45 attempts to boot tonight, only 5 times did it get past initial POST screen AND always with a long pause/hang.

When Puppy started to load got as far as "searching HD" stage - with "pausing,pausing..." - then crash/restart!

Several times got several steps beyond "searching HD" ....to "kernel loading stage"(?) then restarted back to POST screens. : (

My very first attempt tonight at reboot (before I got puppy disk in CD drive) got me to F8/boot options - tried "boot in safe mode with networking" - crashed to BSOD 20+ secs later.

Here is the Error message :

KERNEL_DATA_INPAGE_ERROR

(The usual 2 paragraphs - followed by..)

TECH INFO:

***STOP:0x0000007A (0xE1BB3FE44, 0xC000000E, 0xBF95FC9E, 0x0F5D3860)

*** WIN32k.sys - Address BF95FC9E base at BF800000, Date Stamp 41107F7A

Don't know if that helps?

Edited by Agent Cooper, 06 April 2012 - 11:43 AM.
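
The STOP text in post #5 can be triaged mechanically. This is an added example, not part of the original thread: it parses a hand-copied STOP screen and maps parameter 2 of bug check 0x7A to the cause Microsoft's bug check reference gives for that NTSTATUS. The function names and the 32-bit pointer width (Windows XP Home) are assumptions of the example; the sample text is copied from the post as transcribed.

```python
import re

# Parameter 2 of bug check 0x7A (KERNEL_DATA_INPAGE_ERROR) is the NTSTATUS of
# the failed page-in I/O. Causes follow Microsoft's bug check 0x7A reference.
INPAGE_STATUS = {
    0xC000000E: ("STATUS_NO_SUCH_DEVICE", "hardware failure or incorrect drive configuration"),
    0xC000009A: ("STATUS_INSUFFICIENT_RESOURCES", "lack of nonpaged pool resources"),
    0xC000009C: ("STATUS_DEVICE_DATA_ERROR", "bad blocks (sectors) on the hard disk"),
    0xC000009D: ("STATUS_DEVICE_NOT_CONNECTED", "defective or loose cabling, or disk not seen by controller"),
    0xC000016A: ("STATUS_DISK_OPERATION_FAILED", "bad blocks (sectors) on the hard disk"),
    0xC0000185: ("STATUS_IO_DEVICE_ERROR", "improper termination or defective cabling"),
}

STOP_RE = re.compile(r"STOP:\s*(0x[0-9A-Fa-f]+)\s*\(([^)]*)\)")
MODULE_RE = re.compile(
    r"\*\*\*\s*(\S+)\s*-\s*Address\s+([0-9A-Fa-f]+)\s+base at\s+([0-9A-Fa-f]+)",
    re.IGNORECASE)

# STOP text as transcribed in post #5 of this thread.
SAMPLE = """***STOP:0x0000007A (0xE1BB3FE44, 0xC000000E, 0xBF95FC9E, 0x0F5D3860)
*** WIN32k.sys - Address BF95FC9E base at BF800000, Date Stamp 41107F7A"""


def parse_stop(text, pointer_bits=32):
    """Parse a hand-copied STOP screen into code, parameters and faulting module."""
    m = STOP_RE.search(text)
    if m is None:
        raise ValueError("no STOP line found")
    fields = [f.strip() for f in m.group(2).split(",")]
    if len(fields) != 4:
        raise ValueError("a STOP line carries exactly four parameters")
    params, warnings = [], []
    for idx, field in enumerate(fields, start=1):
        value = int(field, 16)
        # Hand-transcribed screens often gain or lose a digit: flag it, don't guess.
        if value >= 1 << pointer_bits:
            warnings.append(f"parameter {idx} ({field}) is wider than {pointer_bits} bits")
        params.append(value)
    report = {"code": int(m.group(1), 16), "params": params,
              "warnings": warnings, "module": None, "offset": None}
    mod = MODULE_RE.search(text)
    if mod:
        report["module"] = mod.group(1)
        # Offset of the faulting address inside the module image.
        report["offset"] = int(mod.group(2), 16) - int(mod.group(3), 16)
    return report


def triage_inpage_error(text):
    """Attach the documented meaning of the I/O status for a 0x7A bug check."""
    report = parse_stop(text)
    if report["code"] != 0x7A:
        raise ValueError("not a KERNEL_DATA_INPAGE_ERROR (0x7A) bug check")
    name, cause = INPAGE_STATUS.get(
        report["params"][1], ("unlisted NTSTATUS", "look the value up in ntstatus.h"))
    report["status_name"], report["likely_cause"] = name, cause
    return report


if __name__ == "__main__":
    r = triage_inpage_error(SAMPLE)
    print(f"{r['status_name']}: {r['likely_cause']}")
    print(f"{r['module']}+{r['offset']:#x}", r["warnings"])
```

The first parameter as posted has nine hex digits, so the parser reports it as wider than a 32-bit value instead of silently accepting it; the status in parameter 2 is unaffected.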


#6 Noviciate


Posted 06 April 2012 - 03:25 PM

Good evening. :)

Doesn't sound particularly good. We'll try a different boot disk and see if that is any more successful:

Download GETxPUD.exe from here and save it to your Desktop.

  • Find the file and double click it - you should then see a folder called GETxPUD appear.
  • Open it and double click get&burn.bat - this will automatically download the .iso file you need to the same folder.
  • Once done, BurnCDCC.exe will run and burn the file to disk for you, just follow the prompts.
  • Be careful as it will open the drive on its own, if it can, to be helpful!
  • Insert the disk, if it isn't already in the drive, reboot the PC and all being well, follow the prompts that xPUD gives you.
  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • Open the mnt folder by clicking it, just as you do in Windows.
  • You are going to identify the folder that represents your main drive - probably sda1.
  • Double click on the folder and check that you can see the usual Windows folders there.
  • If you insert a flashdrive it should be autodetected and you can copy and paste, as usual, from your main drive to the flashdrive to your heart's content, or until the flashdrive is full.
  • Once done, remove the disk from the drive, click the Home icon on the left and Power off the machine

Let me know if this is any more successful.

So long, and thanks for all the fish.

 

 


#7 Agent Cooper


Posted 06 April 2012 - 05:02 PM

"Insert the disk, if it isn't already in the drive, reboot the PC and all being well, follow the prompts that xPUD gives you."

- This is the immediate problem: it won't get past this stage.

Booted twice to xPUD language screen - then the abrupt restart kicks in

#8 Agent Cooper


Posted 06 April 2012 - 05:13 PM

Subsequent attempts reboot to 3rd POST screen - after PCI device listing (PC has Award BIOS):-

Verifying DMI Pool Data......

NTLDR is missing
Press Ctrl+Alt+Del to restart

-??

EDIT: Just realised I had external HD plugged in when I attempted this - when I unplugged it reverted back to behaviour described in post #7

Edited by Agent Cooper, 06 April 2012 - 06:05 PM.


#9 Noviciate


Posted 07 April 2012 - 01:43 PM

Good evening. :)

I'm going to try something on my test lappy and, assuming that I can get it to work OK, you'll be playing shortly thereafter.

So long, and thanks for all the fish.

 

 


#10 Agent Cooper


Posted 07 April 2012 - 01:52 PM

?

#11 Noviciate


Posted 07 April 2012 - 01:59 PM

I think that your hard drive is poorly sick and that is why your lappy won't fire up. The following may resolve the issue:

Boot the computer using the XP CD.

  • When you see the "Welcome To Setup" screen, you will see the options below:

    This portion of the Setup program prepares Microsoft Windows XP to run on your computer:

    To setup Windows XP now, press ENTER.
    To repair a Windows XP installation using Recovery Console, press R.
    To quit Setup without installing Windows XP, press F3.
  • You want to Press R to enter the recovery console.
  • Once the Recovery Console has loaded and you are at a C:> prompt enter chkdsk /r (note the space between chkdsk and /r) and hit <ENTER>
  • Once complete, remove the disk and enter exit to shut the PC down.

Let me know how you get on.

So long, and thanks for all the fish.

 

 


#12 Agent Cooper


Posted 07 April 2012 - 02:47 PM

Hello again & thanks for persevering

(BTW - It's a tower-stack home pc that is "afflicted")


Ok - I have actually tried this before (2 days before contacting Bleeping Computer): the chkdsk /r scan I ran THEN told me I had some errors on the HD. When I tried repair - yup, you guessed it! It restarted back to square one.

I have just tried again - and I'm unable to even reach the "welcome to setup" screen - after long-hang (2mins+) on 1st POST, it moves through another 2 POST screens then it automatically opens the Windows Setup - the blue screen with Windows Setup in top left. I get no choices like I had previously, it just automatically loads this screen and starts to copy files. Then restarts 30-40 seconds in before completing.

#13 Agent Cooper


Posted 07 April 2012 - 03:08 PM

I'm thinking more and more - hardware failure (on top of virus afflicted and user/virus-borked HD!)

I checked my pc's hardware this afternoon (I hope you are ok with this-?) - it was for peace of mind to know the hardware's not failing which could be the cause for these 'sudden restarts'.

I have replaced SATA and IDE cables with new ones today. I took the current RAM out - tried my old sticks (that worked fine before being replaced). I have also more importantly tried a BRAND NEW Western Digital HD in place of the "afflicted" one - There is NO CHANGE or DIFFERENCE in the reboot difficulties I have been experiencing. Exactly the same problem.

The only thing I have doubts about after this check is the motherboard - ?

I cannot distinguish if it's Motherboard failure on top of a mashed-up file system on the harddrive - I have no idea what viruses are capable of, if they can afflict Memory, get into the BIOS, etc.

Edited by Agent Cooper, 07 April 2012 - 03:15 PM.


#14 Agent Cooper


Posted 09 April 2012 - 11:53 AM

Hello Again & I have good news! :woot:

It was a faulty motherboard behind the "forced" restarts (bought and replaced old p-965t-a board with ASRock G41m-vs2 - after fannying about putting in m-board, attaching all cables, etc - IT BOOTED UP FIRST TIME!!! :thumbup2: )

So mystery solved, eh? And typical - What a time for a motherboard to fail: "coincidentally" the same time as a major virus purge by the user - !!

So Noviciate you can stop hiding now :P (only kidding!)

Can I humbly ask if you can carry on helping me fix and clean my reborn pc of evil nasty viruses?

I'm still using friend's laptop for internet & not running any programs on the suspect PC (apart from installing drivers for motherboard)- till I get the official nod from you - is that ok?

Edited by Agent Cooper, 09 April 2012 - 11:57 AM.


#15 Noviciate


Posted 09 April 2012 - 02:03 PM

Good evening. :)

"So Noviciate you can stop hiding now :P (only kidding!)"

Given the fact that I was actually hiding, it proves the saying that "Many a true word is spoken in jest"!

"Can I humbly ask..."

You stripped and repaired a poorly sick PC which I doubt I would be able to do, so there's no need to be humble.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Right, let's start this thread afresh and get all the issues on the table. Please go here, follow steps six, seven and eight as best you can, skipping those that you cannot run for any reason, and then post accordingly into this thread.

Also let me have a description of any problems that you still have and then we will try to fix it between us.

So long, and thanks for all the fish.

 

 




