Please tell me if I am infected.

ClickCardo (n00b, joined Jan 23, 2006, 41 messages)
Cannot tell if it's a hardware or virus/spyware problem.
Have even tried a clean OS reinstall, only to have the problem repeat later.

Thanks since I really need help on this.

I am trying to determine if I have a virus/spyware/etc. on my pc
since it has been acting extremely weird starting as follows.

I run Windows XP SP2 with all updates applied.
I run SpySweeper 5.3 with latest definitions.
I run Zone Alarm Security Suite 6.5.737.000 with
Anti-Virus 30.4.3374.000 Spyware 01.200702.935

ASUS A8N32-SLI Mobo
AMD X2-4800+ cpu
1x 150GB Raptor partitions C/D/M
1x 250GB Maxtor partition E
1x 500GB Seagate partition F


Please note that just last week I had almost exactly the same
troubles with much more software installed on the C partition.
I ran vendor HDD + memtest86 diagnostics with no errors.
I installed XP clean on the C partition again with some software
and ran a few days with no problems. Then over the next few days I
added several programs a day and surfed forums till I got
the problems described below.

So I'd like to know if everybody thinks I have a hardware or
virus/spyware problem. And for the problem what my solution
might be since reinstalling the OS did not seem to fix it.

1 - Boot into Safe Mode OK
2 - Run SpySweeper scan on all partitions/drives. OK, none found.
3 - Boot into Safe Mode OK
4 - Run Zone Labs AV scan on 3-partition drive + other drive.
scan OK, none found.
Note: Scan detection done at byte level and heuristic.
5 - Run Zone Labs AV scan on remaining 2 drives.
During scan message in Red at top said:
"SYSTEM ERROR: PLEASE REBOOT"
moving cursor over message showed tooltip:
"please restart your computer to ensure security coverage"
Note: even with message scan OK. none found.
6 - Soft Shutdown computer for night.

NEXT DAY
7 - Boot machine into Normal mode XP OK.
8 - Remove most temp files in Windows TEMP folder
9 - Clean IE7 temp/history/cookies/etc.
10- Clean Firefox 2.0 temp/history/etc but not cookies
11- Reboot into Normal mode XP OK.
12- Turned off System Restore function on all drives.
13- Tried to reboot into Safe Mode.
** pc froze with following message
"a disk read error has occurred"
"ctrl+alt+del to restart system"
14- Tried to reboot into Safe Mode.
** pc froze with following message
"a disk read error has occurred"
"ctrl+alt+del to restart system"
15- Tried to reboot into Safe Mode.
** pc froze with following message
"a disk read error has occurred"
"ctrl+alt+del to restart system"
16- Booted from Seagate Seatools CD OK.
17- Ran extended disk diagnostic on Seagate+Maxtor drives.
found no errors.
18- Booted from Western Digital Raptor Diag CD OK.
19- Ran diagnostics extended test on Raptor drive.
found no errors.
20- Shutdown pc for the night.

NEXT DAY
21- Boot into Normal mode XP, but first a light blue
system screen doing a chkdsk? showed.
part.1 verify files
part.2 verify indexes
part.3 verify security descriptors
22- Then it booted into Normal mode XP OK.
23- Tried to right-click Zone Alarm tray icon, but
then cursor/mouse/screen froze.
24- After a while I tried CTRL+ALT+DEL to get to Task Manager
but nothing happened until the screen went completely blue,
i.e. no icons/taskbar.
25- Did a Hard Boot.
26- Tried F8 into Safe Mode, but got
** pc froze with following message
"a disk read error has occurred"
"ctrl+alt+del to restart system"

27- CTRL+ALT+DEL, reboot from Win XP install disk.
at bottom: "Examining 143087MB Disk 0 at ID 0 on Bus 0"
28- ENTER - to setup XP. OK
29- F8 - To agree to License. OK
30- Came back with what appeared to be incorrect partition info.
Partition 1 (C:) 35GB (35GB Free)
Partition 2 Unknown 75GB (0GB Free)
Partition 3 Unknown 31GB (0GB Free)

the other 2 drives showed correctly. I then
31- F3 Quit Setup and powered off pc before reboot.
 
hmm, if the drives are passing diagnostic tests, then i am inclined to think that there is a problem with either your file system or your winxp install.

either way, i would just reinstall windows at this point.

edit: oh, and i would also try getting rid of that zone alarm shit. i have seen nothing but problems with zone labs products. avg makes a fantastic free antivirus.
 
Thanks for taking the time to answer.

As I stated in my OP I have already reinstalled XP Pro SP2 clean on the C partition and it worked for a while until I had reinstalled more programs, surfed forums with FF 2.0 and used Thunderbird e-mail. It did not happen right after a single program and I do not remember which was last. What's different this time is the partition info on my Raptor seems off as I started the beginning of a reinstall and I did not want to lose data on the D/M partitions of that drive.

PS: Thanks for your opinion of ZA.
 
Why reinstall a third (3) time if I'm only going to have the same problem after a very short time elapses?

IT is not in my mind. IT may not be an infection, but if IT is not then please help me figure out what IT is. I still need help to fix IT so please keep those suggestions coming.

PS Why can't I boot into Safe Mode? Why does the partition info look wrong at that point in an XP OS reinstall?
 
What are your event logs telling you?

start -> control panel -> admin tools -> event viewer

If you have a grip of red x's then you are in trouble, but that should provide some information for ya.

Has the drive been abused? If you reformatted then reinstalled, it might be a bad cluster where the tables are stored. *shrug* Event log!



BTW, thank you I just checked my event log and noticed reporting services going to pot.
 
I would like to say that there is no infection and it's hardware, but you state you did a "clean install to the C drive", leading me to think the other drives have not been wiped...........therefore the issue could STILL be coming from the storage drives/partitions.
Take the storage drives out of the loop (i.e. disconnected), and move any personal files off the partitions that are on the same drive as the Windows install. Then try again, and run it clean for a while, with Windows ONLY, and see what happens.
And for the love of God, don't install any questionable software utilities or programs (I shouldn't have to mention warez here....but for what it's worth, I did just in case).
 
I'll try to make it clear that I CANNOT BOOT INTO WINDOWS right now. Even in Safe Mode.
Maybe waiting a while to try will fix that.

If I could or when I can I like the idea of looking at the logs.

Disconnecting the storage drives is an interesting idea that I like, but what would I do without my massive Firefox bookmark/cookie/password list for browsing or my Thunderbird e-mail setup and then having two of them at the end of this test. Also, what do the programs work on if I do not have any of my files available? Maybe just surfing forums, that I would have to list on paper to remember, for a week and installing some programs/drivers and just opening them. These thoughts magnify if you really mean ONLY WINDOWS. What can you do with only windows and how long do you do it?

Please keep these thoughts flowing. They are helping me.
 
but what would I do without my massive Firefox bookmark/cookie/password list for browsing or my Thunderbird e-mail setup and then having two of them at the end of this test. Also, what do the programs work on if I do not have any of my files available? Maybe just surfing forums, that I would have to list on paper to remember, for a week and installing some programs/drivers and just opening them. These thoughts magnify if you really mean ONLY WINDOWS. What can you do with only windows and how long do you do it?

Analogy: Man has a dumpster full of apples, and wants to find the rotten one in it before they all go bad...........but is unwilling to empty it to get to it on the bottom. He just wants to keep putting good ones on top, and hopefully the bad one won't get noticed anymore.:rolleyes:

I installed XP clean on the C partition again with some software
and ran a few days with no problems. Then over the next few days I
added several programs a day and surfed forums till I got
the problems described below.

You are answering your own question..........and therein lies the probable answer, young Padawan.
I'm guessing that you didn't notice at what point you installed the offending apple.

Sigh......
Suggestion: wipe, re-install XP, and methodically reinstall your apples one at a time (leaving time to test system in-between installs to test for the offender).
BTW: I find it amusing that bad apples usually have WORMS.
 
Monkey34

I loved your analogies. They were fun as well as helpful and will follow.

I have that drive partitioned as C/D/M drives and before this latest problem had about
6GB - C / 28GB - D / 0GB - M

when I went to do a reinstall I was hoping to put the new OS on M to allow me the possible option to get at my Thunderbird and Firefox profiles from C later. What do you think of that?

When I started to try a new install I got to the part where it showed the drive/partition info to choose which partition to place XP on. The 2 single partition data drives showed ok with their drive letters, but the C/D/M partitioned drive now showed

Partition-1 (C) 35GB (35GB Free) How could that be since it had OS+programs on it?
Partition-2 ( ) 71GB ( 0GB Free) It was not full before.
Partition-3 ( ) 44GB ( 0GB Free) It was empty before.

Can I try a second XP on Partition 3 with a format first?
How about that but freeing that partition space first then allocating/format/install?
Should I delete ALL the 1st drive's partitions and start from scratch (YIKES!) ?

Guide me again oh sage.
CC
 
Did you make any changes to the partitions yet, or did you look at the setup, and exit before starting? (I'm guessing you wouldn't have made any changes yet)
Are these drives all NTFS?
Do you have a backup image of your system (I'm guessing no, but you never know), or another rig you can backup to before proceeding?
 
Remove Spysweeper and try scanning with the AV again. Spysweeper has always, and I mean ALWAYS given me problems.
 
Did you make any changes to the partitions yet, or did you look at the setup, and exit before starting? (I'm guessing you wouldn't have made any changes yet)
Are these drives all NTFS?
Do you have a backup image of your system (I'm guessing no, but you never know), or another rig you can backup to before proceeding?

You are correct. All my drives are NTFS. I just went up to the point of setup seeing what partitions to install on. I also made an image about 3 days before more installs of software and the problem.
 
Remove Spysweeper and try scanning with the AV again. Spysweeper has always, and I mean ALWAYS given me problems.

I keep making the point I CANNOT BOOT therefore please tell me how I do the online AV scanning you suggest.
 
After reading over this thread a few times since my first reply, I'm gonna go out on the proverbial limb here and tell you the procedure I've used for over 20 years when it comes to diagnosing hardware and possible software issues. Take it with a grain of salt and do what you will with it.

The purpose is to create the most basic system you possibly can and then work from there with a component at a time till you locate the possible issues that are preventing you from getting a reliable system. You can follow these steps to the letter, and it might help, or you can blow it off and keep right on having issues - the choice is yours.

1) Tear the entire machine apart into its constituent parts. Leave the mobo and the power supply in the case, with the CPU/HSF mounted, but the rest of it, take it out.

I know you can leave the hard drives mounted, and you can leave the CD/DVD drive mounted, the soundcard, etc... but if you're going to do this right, just follow the instructions and be done with it. Disconnect the power connector from the mobo also and unplug the power supply from the AC socket/cord. Pull out all the RAM, pull out all the PCI cards if you have any, etc. When you're done with this step, you should have the case with the power supply mounted in it, the CPU/HSF still mounted on the socket (with the fan power still attached to the mobo), and the mobo mounted in the case with the power supply disconnected, period.

And disconnect the network cable from the NIC and don't connect it again anytime soon; you will not need Internet or LAN access for any of this. Why bother taking the chance of an external infiltration when you're trying to get the system up and running to start with?

2) Take 1 stick of RAM, just one regardless of how many you have (obviously if you just have one well... you figure it out) and insert it into the slot closest to the CPU socket.

3) If you have onboard video capability, attach your monitor to that. Do not use the video card unless absolutely necessary. The point again is to create the most basic system; if your mobo supports onboard video, that's the one to use for the test/starting bed.

4) Attach the keyboard and mouse.

5) Remove the CMOS battery from the motherboard for 15 mins, or if the motherboard has a particular jumper you can short to reset the CMOS, do it. Either method works, just be sure you know what you're doing with the appropriate jumper and that yes it is the correct one for the specific task of resetting the CMOS. If you removed the battery, leave it out for 15 mins, not a minute less. Reinsert it and continue.

6) Reattach the power supply to the mobo connector and verify it's in place. If you think I'm being silly and stupid here with the step by step, that's fine, you can quit anytime you like, but this is a pretty serious procedure to me that's worked for 20+ years on over 15,000 repair jobs, soooo...

7) Attach the AC cord to the power supply and power the machine up. Wait for the video to kick in, and it should because resetting the CMOS earlier would have caused the mobo to default to a PCI video device if possible, or the onboard video.

8) If you get video, great. If you don't get video, you will most likely end up using the video card but only if necessary. If you do, power down and insert it, power back up and see what happens. When you do have video, continue. Take a peek and go into the BIOS setup and set the proper time on the clock if needed, make the most cursory adjustments necessary, but don't go tweak-happy just yet, that's not what we're doing.

9) If everything looks ok, RAM is recognized (that 1 stick), CPU speed and RAM speed are listed correctly, great. Shut down, and then attach the CD/DVD drive and the one single hard drive that you intend to install the operating system on - just that one single hard drive and no others.

10) Power up again, go back into the BIOS and verify the hardware is detected properly and is set to boot from the CD/DVD first and then the hard drive second so you can install the OS. If everything is OK, save the settings when they're correct and reboot again.

11) If it looks ok on the reboot, install the OS with that base test bed system.

Don't install any other hardware until you get the OS installed, up, and running without issues. The only software you should concern yourself with is the possible need for the SATA controller drivers (again, if needed to get the OS installed at all), the chipset drivers (always important and should be the first drivers installed, actually, after the OS is booting to the Desktop), and that's about it.

You don't need to install the video drivers (a common problem maker because the VGA driver or the default Windows driver for the card should be more than enough to do the testing you need for reliability), nor the soundcard drivers if the OS doesn't have defaults, etc.

The trick again is to keep it simple - only the most basic components, only the most basic drivers. Start throwing all sorts of third party software and drivers at it, and it'll tumble like a house of cards in a typhoon.

After that, if you can get it done, then you can start adding the other components into the mix one at a time, no more, no less, with reboots between each new piece obviously, spending time with the system in operation with each new piece to verify things are working ok.

Hopefully that'll get you up and running with the step by step methodology. At any point in the process you should be able to notice if a problem is happening pretty easily.

It seems simple on the surface, and it should be. But to have a machine full of hardware, and then try to troubleshoot or repair issues with the installation of an OS or the continued operation of an OS and then random issues start cropping up, or one day you find yourself staring at a machine that won't boot at all, is nearly impossible to "fix" with any reliable results while all that hardware is in the mix.

Tear it apart, put it back together a piece at a time, lay the foundation to work from, and go for it.

Hope this helps...
 
bbz_Ghost

That sounds like the best advice I've received so far.

I really need just a little additional explanation to help me nail it

I'm not sure I feel comfortable carrying it out myself though since I have my systems built for me then add a HDD or two, a sound card, a couple extra sticks of RAM and maybe later upgrade the video card. That's about all I'd attempt myself. I was working over the phone with the builders and they told me it was a virus problem since the RAM/HDD diagnostics passed and I could reinstall XP to start. When it happened again I think I'll have to prove more strongly that it is not malware and then maybe their warranty will kick in and they'll do the real hardware testing you suggest. Do you think I can try your process except for unhooking the mobo and CMOS battery? I would not be comfortable with that.

Do you think following that will help me sort out if it's hardware or not so I can have the builders do a warranty repair? Also, at your first end point with just the OS installed, what do I do to test it's working and for how long? Then what after that, since last time it worked for over a week adding the stack of software cards until it fell? Do I add only 1 piece of hardware + drivers + its apps at a time, testing for a couple of days, leaving the other HDDs for last in the hardware chain? Or do I leave minimal hardware and start adding one card of software at a time, using each for days between till it falls? Please note I cannot use any apps much without data on the other drives. More advice on the testing process would be invaluable.

Thanks.
CC
 
So sorry it took me so long to get back to you, but I wanted to try and be somewhat sure my problems were not hardware related. In the meantime I took out my main data drive, disconnected the boot drive and put in a new spare drive to be the boot drive. I then booted from the Windows XP Pro install disk, deleted the partition, then re-created the partition and formatted it before a clean install of XP. Next I added the chipset drivers and then I installed my Zone Alarm Security Suite, all without being hooked up to the web. After turning that on I went to Windows Update and installed every critical update necessary as well as some optional software/hardware ones including IE7. I installed Speedfan, Nero and a shredder and then the trial version of True Image 10.0. I then made a complete disk image backup of the boot drive and placed it on my second data drive which I had left in the pc. I also successfully burned some CDs. Finally, I was able to boot the trial True Image boot CD and was able to get right up to the last step before doing a restore. Finally I had ZA virus/spy scan my drives with none found.

I surfed a few well known safe websites with IE7 and burned some CDs to communicate with the pc I'm writing this on. Everything very swell. I then reconnected the original boot drive and made sure it was now just another data drive. I could not access its primary partition, but was able to get some data files off its extended partition. I next tried to boot off a hard drive diagnostic CD and True Image boot CDs to no avail. I then was able to boot into regular Windows fine. I deleted all the partitions off the original boot drive. I was then able to boot the hard drive diagnostic CD and zeroed the original boot drive. Rebooting into Windows went fine and I created a primary and extended partition on the original boot drive which I formatted. I was able to copy a file to the original drive.

I tried to boot off the True Image boot CDs to no avail again. This is when I pasted in the HijackThis results below. Can you tell from it if I am infected with malware? Maybe the True Image trial boot CD has a time limit?

More help will be much appreciated.

Rich

Logfile of HijackThis v1.99.1
Scan saved at 5:42:59 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Never used Hijack This as I don't get spyware/malware sooo... only suggestion is to hit:

http://housecall.trendmicro.com

and let it do a complete scan of your system while it seems to be up and running.

Not sure what else to tell you at this point...
 
It seems like Hijack This is fine. Just reinstall Windows and see if that takes care of it. It's probably just corruption of the OS.
 