hummer5963
asked on
vista sp1 virus
Hello
I am working on a laptop that has been hit with a virus. The computer runs extremely slow.
symptoms
slow to boot in all modes
explorer constantly crashes and restarts.
Cannot right click and run as administrator; explorer crashes
cannot run sfc /scannow: says I do not have administrator permissions
What I've done
created new user with admin permissions with cmd
was able to run combofix
ran superantispyware nothing
tried to do system restore from recovery disk....would not finish
ran chkdsk from recovery disk. no issues
any help would be appreciated. Thanks
ASKER CERTIFIED SOLUTION
Also new drives can be bad. Use the HD manufacturer's diagnostic utility to test it. Chkdsk won't tell you whether a disk is bad or not, it just gives you the state of its file system. You'll find the tools on the UBCD. Also run memtest86+ (also on that CD):
http://ultimatebootcd.com
ASKER
thanks I will...will keep you posted.
I would check to see if it is a rootkit causing the issue. Please download and run TDSSKiller.
http://support.kaspersky.com/faq/?qid=208283363
Could you also upload the Combofix log located on the C:\ directory?
Also check to make sure your services are running correctly. You can download your correct version of the default services from this website.
http://www.blackviper.com/2008/01/28/windows-vista-sp1-services-registry-files/
It's about halfway down the page under Default Windows Vista SP1 Services Start Key. This contains a registry file to reset the services to default.
Have you also tried running Malwarebytes' Anti-Malware? You can download that here.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
This program seems to find a lot more infections nowadays than SUPERAntiSpyware.
If you run TDSSKiller and Malwarebytes, also post those logs.
Have you tried logging on with "administrator" as the user name? Quite often you can log in as the administrator without the need of a password. Sometimes when you create a new user and give them admin rights they may still not have the same admin rights as when you log in as administrator as the user name. This could be due to file corruption or also due to a virus. If someone has created a password when you try to log on using administrator as the user name, you can use a password reset disk to blank out the administrator's password.
These days viruses are economic in nature... they don't GENERALLY infect you to just cause you problems. There would USUALLY be some kind of more obvious thing like ads or suggesting your PC is infected or that someone is coming to arrest you if you don't pay money or that your system is being held hostage. When they aren't that obvious, they are usually there to make your PC a slave to the malware author so that they can use it to attack other web sites and internet sources and send spam - in which case, it's LIKELY they won't be doing anything to cause your PC problems that are so blatantly obvious because then you'd find the problem and clean it making their "ownership" of your computer very short and not useful to their "work".
Could it be a virus? Yes. Is it probable? Not in my opinion with 18 years of experience.
You can spend 2, 4, 6, 8 hours hammering at this and trying to figure out what went wrong (And if you want to learn then ABSOLUTELY, DO THIS!!!), but these days if time is important, it's probably faster to replace the drive and reinstall windows. Or backup the drive and reinstall Windows. But definitely test the drive first to ensure it's not going bad.
I am also inclined to suspect problems other than a virus.
I would start by testing RAM and disk first, to know their status.
Best download UBCD, and boot from the CD to run memtest86+ and the disk diag you need.
If you have disk problems, here is a nice guide on how I handle them:
https://www.experts-exchange.com/Storage/Hard_Drives/A_3000-The-bad-hard-disk-problem.html
ASKER
okay....wait...it gets better...
leew you were right and there also was a virus, but I think the hd was the real problem. Managed to do a chkdsk with /f /r and it found a whack of bad clusters...fixed them and was able to boot and get into admin. Found a virus but I don't think it had much to do with the problem....did an sfc /scannow but it stopped at 32% and said there were errors that could not be fixed....it said to try a system restore...which I did....it went through it...then tried to boot and now no bootmgr....I tried to rebuild the bootmgr but to no avail. Checked the dir and there is no bootmgr in c:\windows\boot. Tried to do system restore from recovery cd but there are no points.....all the other windows files seem to be there....can anyone help me rebuild this through cmd?
First run the HD manufacturer's diagnostic utility like I asked you to do before.
How many bad sectors did you have? After 4kb in bad sectors, I ALWAYS recommend replacing the hard drive. You might want to actually run the chkdsk /v /x /r again, to see if any more bad sectors are found. This would definitely indicate a failing hard drive.
You say that you can no longer boot into Windows. There are a couple of options you can try. First off, if your bootmgr is gone, you can rebuild it. There's a great article about this here.
http://neosmart.net/wiki/display/EBCD/Recovering+the+Windows+Bootloader+from+the+DVD
Don't use the Nuclear Holocaust UNLESS absolutely necessary.
Also, have you tried using UBCD or some other boot program to boot directly from the Windows partition? Sometimes forcing it to boot from that partition will fix the issue. I would boot from the UBCD, choose HDD, BOOT, Smart Boot Manager. Scroll down to the HDD and whichever partition you want (usually the second partition), make it active if it is not, and boot from it.
ASKER
ok really trying to stumble through this.....thanks pc_solution...but I had already started a Nuclear Holocaust.....
Here is where I need some help. I am trying to run sfc offline. c:\ is the only drive listed in diskpart list volume aside from the dvd. I have run
sfc /scannow /offbootdir=c:\ /offwindir=c:\Windows
but I am getting "Windows Resource Protection could not start the repair service".
Any help?
make sure that C:\ is your Windows partition, otherwise it will not run. I've made that mistake before and got the same error. It is probably D:\
Did you try using the Ultimate Boot CD?
EDIT: Oops. just re-read through your post. Will post another idea when I get one. :) Still try the Ultimate Boot CD though, and let me know if it lets you boot to Windows that way.
ASKER
yes...I tried the ultimate boot cd....but it still wouldn't boot. I've been searching online for a solution to circumventing the Windows Resource Protection...but have not been able to find anything...
I also made sure that I put the C drive as my Windows directory.
What did the HD manufacturer's long diagnostic say?
ASKER
there was damage to the drive from excessive vibration. however I have done two chkdsk...first time it found about 20 bad clusters....the second time none. I will replace the drive..but right now I need to get the os back up...I know this can be done....
How can I get past the Windows Resource Protection?
Windows Resource Protection not starting on sfc /scannow offline should not affect the boot issues that you are having. Can you give me the EXACT message you are receiving when trying to boot to Windows? Are you just getting a blinking cursor? Have you slaved the drive and scanned with TDSSKiller for an infected MBR? The more information you can provide us with, the better we can assist you.
ASKER
hi
No, I am way past that....there are missing files. This all started when I did the chkdsk the first time and it came back with bad clusters which were fixed. I then tried to run sfc /scannow, which stopped at 32% and said it found errors but could not fix them. It said to try a system restore....which I did....when it tried to reboot, it said there was no bootmgr. I was able to look at the drive through MiniXP and sure enough the bootmgr was missing. Rebuilt that....then the bootloader was missing...copied that...now hal.dll is missing....can't find that...so trying to do sfc /scannow offline to see if Windows can find and replace the files. But I'm getting the protection problem.
Okay, that might be what the issue is. You are running Vista, correct? If you used MiniXP, I'm assuming the bootmgr is for XP, not Vista. They use different booting system configurations. Windows XP boot will NOT see Vista, but Vista Boot WILL see Windows XP.
If this is Windows Vista, let's go ahead and do this.
Delete boot.ini from the C:\ directory.
Second, make sure there is a C:\boot\ directory. Also make sure there is NO OTHER boot directory, such as D:\boot that it might try to boot off of.
Go to C:\boot
Type in "dir /ah" minus the quotes
if you see BCD, type "attrib BCD -s -h" minus the quotes
if you do NOT see BCD, type "dir" minus the quotes.
If BCD is there AT ALL, delete it, or rename it if you wish.
We need to fix the issues caused by the XP Booting system now.
Type the following.
bootrec.exe /fixboot
bootrec.exe /fixmbr
X:\boot\bootsect.exe /nt60 all /force (where X is your DVD drive)
bootrec.exe /rebuildbcd
Say Yes to add Windows Vista to the boot configuration.
If it does not find any Windows installations, then we need to dive further.
I know this is pretty much the Nuclear Holocaust that you already did, but let's give this a try again. Please let me know the results.
By the way, hal.dll is located in the system32 folder. You can look through command prompt to see if it is there, which I'm guessing it is.
ASKER
hi
a little confusion...i only use minixp to look at the drives. I do NOT run cmd from there. I am running cmd from the Vista anytime upgrade dvd.
I tried doing what you had minus the xp stuff. It comes up Windows Boot Manager Hal is missing.
If the Disk Manufacturer's diagnostic tool showed you had errors on the drive (not chkdsk), then there is no point in trying to get it to boot. You should only, if your backups are damaged, try to get whatever data you still need from that HD, and then replace it. A bad HD is a bad HD is a bad HD.
ASKER
thanks rindi...understood...but still trying to do this.
Try to replace the hal.dll file from the Vista RE command prompt.
copy d:\i386\hal.dl_ c:\windows\system32\hal.dll
{OR}
expand d:\i386\hal.dl_ c:\windows\system32\hal.dll
I still don't understand why hal.dll is missing is coming up. I have never seen it for Vista or 7, only for XP. Doesn't mean it can't happen, though. Did you ever try to fix the bootmgr with an XP disc?
Do you get a menu option, like options of Safe Mode, or does the error Message "Windows Boot Manager Hal is missing" come right up?
ASKER
there is no i386 file folder on the anytime upgrade dvd....go figure!
Oops. Sorry, I'm an idiot. Stole that from another website (I know I shouldn't do that) and didn't read the i386. Now I'm at home and don't have a Vista disc handy. Give me a little bit to see if I can find another location of the file.
What size does your hal.dll show up as? Do you have a boot.ini in the root directory?
Had another idea. Use Diskpart to change the drive letter of your Windows Partition. Let's change it to R.
Then run sfc /scannow /offbootdir=R:\ /offwindir=R:\Windows
See if that lets it run.
ASKER
will try that and let you know.
Did some browsing on my Windows 7 at home. Normally when you update Windows files, it will make a backup of the files it is replacing.
I found a copy of hal.dll here
C:\windows\winsxs\backup\x86_microsoft-windows-hal_31bf3856ad364e35_6.1.7601.17514_none_ad305c8fb7ec5060_hal.dll_f279be4d
Yes, that is the name off the file. It is the exact same size as my current hal.dll in the Windows\system32 folder.
You should be able to find it back going to that folder and searching for *hal.dll*
Then copy and rename it to the system32 folder. Make a backup or rename your current hal.dll for safety purposes though.
ASKER
when you did your search did you type hal.dll or ??
ASKER
there is nothing in the backup folder ...agggghhhh!
ASKER
will trying to run sp1 from a bootable cd replace the missing files?
No, not that I know of. I'm uploading hal.dll for longhorn (vista), that I got on the internet and ran through a scan with Avast!.
Any luck with the sfc /scannow?
EDIT: Rename the file from hal.zip to hal.dll
EDIT AGAIN: When I did my search, I used the wildcards, hence *hal.dll* . Type it with the asterisks. However, do you have any files in the C:\windows\winsxs\backup folder? Actually, my other search just got done. There is a hal.dll in the folder C:\Windows\winsxs\x86_microsoft-windows-hal_31bf3856ad364e35_6.1.7600.16385_none_aaff48c7bafdccc6
Search your winsxs by typing in "dir *hal*" without the quotes
if that doesn't work, try "dir /ah *hal*" without the quotes
hal.zip
ASKER
one step forward...two steps back....put in your hal.dll, now it says ntoskrnl is missing. Found one when I did a search of the windows directory. Put it in system32 and tried....can't load because ntoskrnl is not digitally signed...
trying the rename now.
I found a dozen copies of ntoskrnl.exe in my winsxs folder. I'm sure you will have one or two. The folder name will start out x86_microsoft-windows-os-kernel
Find the latest one.
ASKER
okay thanks...taking a bit of break...been at this for a while. will check back soon.
ASKER
okay passed the hal.dll now I am getting ntoskrnl windows cannot verify the digital signature for this file....tried to boot without signatures...no go.
Did you find another ntoskrnl on the drive?
ASKER
yes tried it....same response....i have another computer that I forgot has vista...manage to copy it from there....but the same thing. I should state these are legit copies of vista
ASKER
curious what would happen if I copied all system 32 files from the on computer to the other?
ASKER
just realized the computer that I am copying from is sp2; the one that needs repair is sp1
I generally don't recommend copying files from another computer if you can get them from the current computer. Mainly because of the issue you just listed. The sp2 file would be too new for the current sp1 system. Can you take a picture of safe mode loading? Does it show a file list of files loading, or just comes up with ntoskrnl issue?
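The winsxs search-and-select step discussed in the last few replies (search the WinSxS folder for copies of hal.dll / ntoskrnl.exe, take the latest one, but not one from a different service pack), written up as an added Python example; it is not code from this thread or from pc_solution. It parses WinSxS component folder names, and the longer winsxs\Backup file names quoted above, into architecture, component and version, then picks the newest copy whose build number matches the installed service pack (Vista RTM is build 6000, SP1 6001, SP2 6002) and reports any copies from a different build separately. The directory listing and the hashes in it are constructed for the example; the 31bf3856ad364e35 public key token is the real Microsoft one seen in the folder names above. Run it from a machine where the damaged drive is mounted (slaved, or from a rescue environment with Python) and pass it `os.listdir(r"X:\Windows\winsxs")` in place of the sample list.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Build numbers (major, minor, build) of the Vista service-pack levels.
VISTA_RTM = (6, 0, 6000)
VISTA_SP1 = (6, 0, 6001)
VISTA_SP2 = (6, 0, 6002)

# A WinSxS component folder, or a winsxs\Backup file, is named
#   <arch>_<component>_<publicKeyToken>_<version>_<language>_<hash>[_<file>_<shorthash>]
# e.g. x86_microsoft-windows-hal_31bf3856ad364e35_6.0.6001.18000_none_<16 hex>
#      the same followed by _hal.dll_<8 hex> for a single-file copy under Backup.
COMPONENT_RE = re.compile(
    r"^(?P<arch>x86|amd64|wow64|msil)_"
    r"(?P<component>.+?)_"
    r"(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+\.\d+\.\d+\.\d+)_"
    r"(?P<lang>[^_]+)_"
    r"(?P<hash>[0-9a-f]{16})"
    r"(?:_(?P<file>[^_]+)_(?P<shorthash>[0-9a-f]{8}))?$",
    re.IGNORECASE,
)


class Component(NamedTuple):
    entry: str
    arch: str
    component: str
    version: Tuple[int, ...]  # (major, minor, build, revision)
    file: Optional[str]       # set only for winsxs\Backup single-file names


def parse_component(entry: str) -> Optional[Component]:
    """Split one directory entry into its parts; None for names that are not components."""
    m = COMPONENT_RE.match(entry)
    if m is None:
        return None
    version = tuple(int(p) for p in m.group("version").split("."))
    return Component(entry, m.group("arch").lower(), m.group("component").lower(),
                     version, m.group("file"))


def find_replacement(entries: Iterable[str], component: str, arch: str,
                     installed_build: Tuple[int, int, int]
                     ) -> Tuple[Optional[Component], List[Component]]:
    """Return (newest copy matching the installed build, copies from other builds).

    Matching is on the exact component name, so a wildcard hit such as
    'microsoft-windows-hal-events' is not mistaken for the HAL itself.
    """
    same_build: List[Component] = []
    off_build: List[Component] = []
    for entry in entries:
        c = parse_component(entry)
        if c is None or c.arch != arch or c.component != component:
            continue
        (same_build if c.version[:3] == installed_build else off_build).append(c)
    best = max(same_build, key=lambda c: c.version, default=None)
    return best, sorted(off_build, key=lambda c: c.version)


# Constructed listing of a Vista SP1 winsxs folder (hashes are made up).
SAMPLE_WINSXS = [
    "x86_microsoft-windows-hal_31bf3856ad364e35_6.0.6001.18000_none_1a2b3c4d5e6f7081",
    "x86_microsoft-windows-hal_31bf3856ad364e35_6.0.6001.18523_none_2b3c4d5e6f708192",
    "x86_microsoft-windows-hal_31bf3856ad364e35_6.0.6002.18005_none_3c4d5e6f70819203",
    "amd64_microsoft-windows-hal_31bf3856ad364e35_6.0.6001.18000_none_4d5e6f7081920314",
    "x86_microsoft-windows-hal-events_31bf3856ad364e35_6.0.6001.18000_none_5e6f708192031425",
    "x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.18000_none_6f70819203142536",
    "x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6002.18327_none_7081920314253647",
    "Backup",
    "Manifests",
]
# Constructed winsxs\Backup entry in the single-file naming form quoted in the thread.
SAMPLE_BACKUP = [
    "x86_microsoft-windows-hal_31bf3856ad364e35_6.0.6001.18000_none_1a2b3c4d5e6f7081_hal.dll_f279be4d",
]


def report(entries: Iterable[str], component: str, arch: str,
           installed_build: Tuple[int, int, int]) -> str:
    best, off = find_replacement(entries, component, arch, installed_build)
    lines = [f"{component} ({arch}) for build {'.'.join(map(str, installed_build))}:"]
    lines.append("  use: " + (best.entry if best else "none for this build"))
    for c in off:
        lines.append("  skip (other service pack): " + c.entry)
    return "\n".join(lines)


if __name__ == "__main__":
    for name in ("microsoft-windows-hal", "microsoft-windows-os-kernel"):
        print(report(SAMPLE_WINSXS, name, "x86", VISTA_SP1))
    print(parse_component(SAMPLE_BACKUP[0]))
```

The "use" line for hal on the sample picks the 6.0.6001.18523 folder and lists the 6.0.6002 copy under "skip", which is exactly the SP2-on-SP1 mismatch pc_solution warned about. Highest revision within the installed build is taken as "latest"; a copy restored this way still has to pass the kernel's signature check, so a file that is not an unmodified Microsoft binary of the right build will still fail to load.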
ASKER
yes just comes up with the ntoskrnl issue
Okay, just found this on the internet. Apparently it only works 'once', then you have to do it again.
bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
I'm assuming you do this in the Recovery Environment. Try this and see if you can get it to boot. If you can, do you have a Vista disc? Try to run sfc /scannow ASAP when you get loaded in.
EDIT: Is there an error or status code when it fails?
ASKER
doesn't work...says it cannot find the file specified.
ASKER
trying to find someone with a vista sp1 install disk.....still this has been interesting.
SOLUTION
ASKER
okay...there is a lot more missing than I realized....the system restore that was first attempted way back...wiped out a lot of the files........
It sucks you don't have an installation with SP1. I suppose you could copy the system32 folder from SP2 drive to SP1 drive, and tell it NOT to overwrite files. That way it just copies the missing ones. But that is a LONGSHOT.
ASKER
okay...would this work....how about a dual boot vista and vista. using the upgrade cd to install the same os. then install sp1. then copy files from the new installation to the old problem installation...
am i just fishing here?
I do not see why that would be a problem. I've done that with XP before :-) no promises though
if you need vista repair cd - here they are http://neosmart.net/blog/2008/windows-vista-recovery-disc-download/
http://www.mydigitallife.info/64-bit-x64-windows-vista-official-direct-download-links/
ASKER
Thank you for the help....It was a combination of several issues.
ASKER
thanks...it could possibly be disk problems...but it is a relatively new hd. What leads me to believe it's a virus is that I can't run sfc /scannow because I don't have administrator permissions and yet I am logged in as administrator. I have run chkdsk and it seems to be fine.
I have tried to run sfc /scannow from all modes, with the same result. Before I was able to create the additional user account, I couldn't run combofix because I didn't have administrator permission. Again leads me to think it's a virus.