hummer5963

asked on
vista sp1 virus

Hello

I am working on a laptop that has been hit with a virus. The computer runs extremely slow.


symptoms

slow to boot in all modes
explorer constantly crashes and restarts
cannot right-click and run as administrator; explorer crashes
cannot run sfc /scannow; it says I do not have administrator permissions

What I've done

created new user with admin permissions with cmd
was able to run combofix
ran superantispyware nothing
tried to do system restore from recovery disk....would not finish
ran chkdsk from recovery disk.  no issues

any help would be appreciated. Thanks
ASKER CERTIFIED SOLUTION
Lee W, MVP
hummer5963

ASKER
hi

thanks...it could possibly be disk problems...but it is a relatively new hd. What leads me to believe it's a virus is that I can't run sfc /scannow because I don't have administrator permissions, and yet I am logged in as administrator. I have run chkdsk and it seems to be fine.

I have tried to run sfc /scannow from all modes, with the same result. Before I was able to create the additional user account, I couldn't run combofix because I didn't have administrator permission. Again, this leads me to think it's a virus.
Also, new drives can be bad. Use the HD manufacturer's diagnostic utility to test it. Chkdsk won't tell you whether a disk is bad or not, it just gives you the state of its file system. You'll find the tools on the UBCD. Also run memtest86+ (also on that CD):

http://ultimatebootcd.com
thanks I will...will keep you posted.
I would check to see if it is a rootkit causing the issue.  Please download and run TDSSKiller.
http://support.kaspersky.com/faq/?qid=208283363

Could you also upload the Combofix log located on the C:\ directory?

Also check to make sure your services are running correctly.  You can download your correct version of the default services from this website.
http://www.blackviper.com/2008/01/28/windows-vista-sp1-services-registry-files/
It's about halfway down the page under Default Windows Vista SP1 Services Start Key. This contains a registry file to reset the services to default.

Have you also tried running Malwarebytes' Anti-Malware?  You can download that here.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
This program seems to find a lot more infections nowadays than SUPERAntiSpyware.

If you run TDSSKiller and Malwarebytes, also post those logs.
Have you tried logging on with "administrator" as the user name? Quite often you can log in as the administrator without the need of a password. Sometimes when you create a new user and give them admin rights, they may still not have the same admin rights as when you log in with administrator as the user name. This could be due to file corruption or also due to a virus. If someone has created a password, when you try to log on using administrator as the user name you can use a password reset disk to blank out the administrator's password.
These days viruses are economic in nature... they don't GENERALLY infect you to just cause you problems.  There would USUALLY be some kind of more obvious thing like ads or suggesting your PC is infected or that someone is coming to arrest you if you don't pay money or that your system is being held hostage.  When they aren't that obvious, they are usually there to make your PC a slave to the malware author so that they can use it to attack other web sites and internet sources and send spam - in which case, it's LIKELY they won't be doing anything to cause your PC problems that are so blatantly obvious because then you'd find the problem and clean it making their "ownership" of your computer very short and not useful to their "work".  

Could it be a virus?  Yes.  Is it probable?  Not in my opinion with 18 years of experience.

You can spend 2, 4, 6, 8 hours hammering at this and trying to figure out what went wrong (And if you want to learn then ABSOLUTELY, DO THIS!!!), but these days if time is important, it's probably faster to replace the drive and reinstall windows.  Or backup the drive and reinstall Windows.  But definitely test the drive first to ensure it's not going bad.
I am also inclined to suspect other problems than a virus.
I would start by testing RAM and disk first, to know their status.
Best download UBCD and boot from the CD to run memtest86+ and the disk diag you need.
If you have disk problems, here is a nice guide on how I handle them:

https://www.experts-exchange.com/Storage/Hard_Drives/A_3000-The-bad-hard-disk-problem.html
okay....wait...it gets better...

leew, you were right, and there also was a virus, but I think the hd was the real problem. Managed to do a chkdsk with /f /r and it found a whack of bad clusters...fixed them and was able to boot and get into admin. Found a virus but I don't think it had much to do with the problem....did an sfc /scannow but it stopped at 32% and said there were errors that could not be fixed....try a system restore...which I did....it went through it...then tried to boot and now no bcdmgr....I tried to rebuild the bcdmgr but to no avail. Checked the dir and there is no bcdmgr in c:\windows\boot. Tried to do system restore from recovery cd but there are no points.....all the other windows files seem to be there....can anyone help me rebuild this through cmd?
First run the HD manufacturer's diagnostic utility like I asked you to do before.
How many bad sectors did you have? After 4kb in bad sectors, I ALWAYS recommend replacing the hard drive. You might want to actually run the chkdsk /v /x /r again, to see if any more bad sectors are found. This would definitely indicate a failing hard drive.

You say that you can no longer boot into Windows. There are a couple of options you can try. First off, if your bootmgr is gone, you can rebuild it. There's a great article about this here.
http://neosmart.net/wiki/display/EBCD/Recovering+the+Windows+Bootloader+from+the+DVD
Don't use the Nuclear Holocaust UNLESS absolutely necessary.

Also, have you tried using UBCD or some other boot program to boot directly from the Windows partition?  Sometimes forcing it to boot from that partition will fix the issue.  I would boot from the UBCD, choose HDD, BOOT, Smart Boot Manager.  Scroll down to the HDD and which partition you want (usually the second partition), make it active if it is not, and boot from it.
ok really trying to stumble through this.....thanks pc_solution...but I had already started a Nuclear Holocaust.....

here is where I need some help. I am trying to run sfc offline. c:\ is the only drive listed in diskpart list volume aside from the dvd. I have run

sfc /scannow /offbootdir=c:\ /offwindir=c:\Windows

but I am getting Window Resource Protection could not start the repair service

Any help?
make sure that C:\ is your Windows partition, otherwise it will not run.  I've made that mistake before and got the same error.  It is probably D:\

Did you try using the Ultimate Boot CD?

EDIT:  Oops. just re-read through your post.  Will post another idea when I get one. :)  Still try the Ultimate Boot CD though, and let me know if it lets you boot to Windows that way.
yes...I tried the ultimate boot cd....but it still wouldn't boot. I've been searching online for a solution to circumventing the Windows Resource Protection...but have not been able to find anything...

I also made sure that I put the C drive as my windows directory
What did the HD manufacturer's long diagnostic say?
there was damage to the drive from excessive vibration. However I have done two chkdsk...the first time it found about 20 bad clusters....the second time none. I will replace the drive..but right now I need to get the os back up...I know this can be done....

How can I get past the windows resource protection?
Windows Resource Protection not starting on sfc /scannow offline should not affect the boot issues that you are having.  Can you give me the EXACT message you are receiving when trying to boot to Windows?  Are you just getting a blinking cursor?  Have you slaved the drive and scanned with TDSSKiller for an infected MBR?  The more information you can provide us with, the better we can assist you.
hi

no I am way past that....there are missing files. This all started when I did the chkdsk the first time and it came back with bad clusters which were fixed. I then tried to run a sfc /scannow which stopped at 32% and said it found errors but could not fix them. It said try to do a system restore....which I did....when it tried to reboot, it said there was no boot mgr. I was able to look at the drive through minixp and sure enough the bootmgr was missing. Rebuilt that....then the bootloader was missing,...copied that...now hal.dll is missing....can't find that...so trying to do sfc /scannow offline to see if windows can find and replace the files. But I'm getting the protection problem.
Okay, that might be what the issue is.  You are running Vista, correct?  If you used MiniXP, I'm assuming the bootmgr is for XP, not Vista.  They use different booting system configurations.  Windows XP boot will NOT see Vista, but Vista Boot WILL see Windows XP.

If this is Windows Vista, let's go ahead and do this.

Delete boot.ini from the C:\ directory.

Second, make sure there is a C:\boot\ directory.  Also make sure there is NO OTHER boot directory, such as D:\boot that it might try to boot off of.

Go to C:\boot
Type in "dir /ah" minus the quotes
if you see BCD, type "attrib BCD -s -h" minus the quotes
if you do NOT see BCD, type "dir" minus the quotes.
If BCD is there AT ALL, delete it, or rename it if you wish.

We need to fix the issues caused by the XP Booting system now.

Type the following.

bootrec.exe /fixboot
bootrec.exe /fixmbr
X:\boot\bootsect.exe /nt60 all /force (where X is your DVD drive)
bootrec.exe /rebuildbcd
Say Yes to add Windows Vista to the boot configuration.

If it does not find any Windows installations, then we need to dive further.
I know this is pretty much the Nuclear Holocaust that you already did, but let's give this a try again.  Please let me know the results.

By the way, hal.dll is located in the system32 folder.  You can look through command prompt to see if it is there, which I'm guessing it is.
hi

a little confusion...I only use minixp to look at the drives. I do NOT run cmd from there. I am running cmd from the Vista anytime upgrade dvd.

I tried doing what you had minus the xp stuff. It comes up "Windows Boot Manager: Hal is missing".
If the Disk Manufacturer's diagnostic tool showed you had errors on the drive (not chkdsk), then there is no point in trying to get it to boot. You should only, if your backups are damaged, try to get whatever data you still need from that HD, and then replace it. A bad HD is a bad HD is a bad HD.
thanks rindi...understood...but still trying to do this.
Try to replace the hal.dll file from the Vista RE command prompt.

copy d:\i386\hal.dl_ c:\windows\system32\hal.dll

{OR}

expand d:\i386\hal.dl_ c:\windows\system32\hal.dll

I still don't understand why hal.dll is missing is coming up.  I have never seen it for Vista or 7, only for XP.  Doesn't mean it can't happen, though.  Did you ever try to fix the bootmgr with an XP disc?

Do you get a menu option, like options of Safe Mode, or does the error Message "Windows Boot Manager Hal is missing" come right up?
there is no i386 file folder on the anytime upgrade dvd....go figure!
Oops.  Sorry, I'm an idiot.  Stole that from another website (I know I shouldn't do that) and didn't read the i386.  Now I'm at home and don't have a Vista disc handy.  Give me a little bit to see if I can find another location of the file.

What size does your hal.dll show up as?  Do you have a boot.ini in the root directory?

Had another idea. Use Diskpart to change the drive letter of your Windows Partition. Let's change it to R.
Then run sfc /scannow /offbootdir=R:\ /offwindir=R:\Windows
See if that lets it run.
will try that and let you know.
Did some browsing on my Windows 7 at home.  Normally when you update Windows files, it will make a backup of the files it is replacing.

I found a copy of hal.dll here
C:\windows\winsxs\backup\x86_microsoft-windows-hal_31bf3856ad364e35_6.1.7601.17514_none_ad305c8fb7ec5060_hal.dll_f279be4d

Yes, that is the name of the file. It is the exact same size as my current hal.dll in the Windows\system32 folder.

You should be able to find it by going to that folder and searching for *hal.dll*

Then copy and rename it to the system32 folder.  Make a backup or rename your current hal.dll for safety purposes though.
when you did your search did you type hal.dll or ??
there is nothing in the backup folder ...agggghhhh!
will trying to run sp1 from a bootable cd replace the missing files?
No, not that I know of.  I'm uploading hal.dll for longhorn (vista), that I got on the internet and ran through a scan with Avast!.

Any luck with the sfc /scannow?

EDIT:  Rename the file from hal.zip to hal.dll

EDIT AGAIN:  When I did my search, I used the wildcards, hence *hal.dll*  .  Type it with the asterisks.  However, do you have any files in the C:\windows\winsxs\backup folder?  Actually, my other search just got done.  There is a hal.dll in the folder C:\Windows\winsxs\x86_microsoft-windows-hal_31bf3856ad364e35_6.1.7600.16385_none_aaff48c7bafdccc6

Search your winsxs by typing in "dir *hal*" without the quotes
if that doesn't work, try "dir /ah *hal*" without the quotes
hal.zip
one step forward...two steps back....put in your hal.dll, now it says ntoskrnl is missing. Found one when I did a search of the windows directory. Put it in system32 and tried....can't load because ntoskrnl is not digitally signed...

trying the rename now.
I found a dozen copies of ntoskrnl.exe in my winsxs folder.  I'm sure you will have one or two.  The folder name will start out x86_microsoft-windows-os-kernel
Find the latest one.
okay thanks...taking a bit of break...been at this for a while.  will check back soon.
okay, passed the hal.dll. Now I am getting "ntoskrnl: windows cannot verify the digital signature for this file"....tried to boot without signatures...no go.
Did you find another ntoskrnl on the drive?
yes, tried it....same response....I have another computer that I forgot has vista...managed to copy it from there....but the same thing. I should state these are legit copies of vista
curious what would happen if I copied all system32 files from the one computer to the other?
just realized the computer that I am copying from is sp2; the one that needs repair is sp1
I generally don't recommend copying files from another computer if you can get them from the current computer.  Mainly because of the issue you just listed.  The sp2 file would be too new for the current sp1 system.  Can you take a picture of safe mode loading?  Does it show a file list of files loading, or just comes up with ntoskrnl issue?
yes just comes up with the ntoskrnl issue
Okay, just found this on the internet.  Apparently it only works 'once', then you have to do it again.

bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS

I'm assuming you do this in the Recovery Environment.  Try this and see if you can get it to boot.  If you can, do you have a Vista disc?  Try to run sfc /scannow ASAP when you get loaded in.

EDIT:  Is there an error or status code when it fails?
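The winsxs hunt for a kernel/HAL copy, the SP1-vs-SP2 mismatch and the integrity-check workaround above can be handled more safely from a working Windows machine with the damaged disk slaved. This is an added example, not code from anyone in this thread: it assumes the damaged install is attached as R: (the letter pc_solution proposed), picks the winsxs copy whose build matches SP1 (6.0.6001) rather than a newer SP2 file, and refuses to copy anything whose Authenticode signature is not valid, instead of disabling integrity checks.

```powershell
# Added example (not from the thread). Assumes the damaged Vista install is
# mounted as R: and this runs under Windows PowerShell 2.0 or later on a
# working machine (Vista-era WinRE has no PowerShell).
param(
    [string]$Root      = 'R:\Windows',
    [string]$Component = 'x86_microsoft-windows-os-kernel',  # or x86_microsoft-windows-hal
    [string]$FileName  = 'ntoskrnl.exe',                     # or hal.dll
    [string]$WantBuild = '6.0.6001'                          # Vista SP1 = 6.0.6001, SP2 = 6.0.6002
)

# winsxs folder names look like <arch>_<component>_<keytoken>_<version>_<culture>_<hash>,
# so the file version is the 4th underscore-separated field.
$candidates = Get-ChildItem -Path (Join-Path $Root 'winsxs') |
    Where-Object { $_.PSIsContainer -and $_.Name -like "$Component*" } |
    ForEach-Object {
        $fields = $_.Name -split '_'
        $file   = Join-Path $_.FullName $FileName
        if ($fields.Count -ge 4 -and $fields[3] -match '^\d+(\.\d+){3}$' -and (Test-Path $file)) {
            New-Object PSObject -Property @{ Path = $file; Version = [version]$fields[3] }
        }
    }

# Keep only copies from the wanted service-pack build: an SP2 (6.0.6002) kernel
# will not match an SP1 system, which is the mismatch the thread ran into.
$sameSp = $candidates | Where-Object { $_.Version.ToString(3) -eq $WantBuild }
if (-not $sameSp) {
    Write-Warning "No $FileName for build $WantBuild found under $Root\winsxs"
    return
}

# Newest copy within that SP level, then verify the signature before touching
# system32. Only 'Valid' is accepted; on older PowerShell a catalog-only signed
# file reports NotSigned, so treat anything else as unverified rather than
# bypassing integrity checks with bcdedit.
$best = $sameSp | Sort-Object Version -Descending | Select-Object -First 1
$sig  = Get-AuthenticodeSignature -FilePath $best.Path
if ($sig.Status -ne 'Valid') {
    Write-Warning "$($best.Path) signature status is $($sig.Status); not copying"
    return
}

$target = Join-Path $Root "system32\$FileName"
if (Test-Path $target) { Copy-Item $target "$target.bak" -Force }   # keep a backup of what is there
Copy-Item $best.Path $target -Force
Write-Output "Copied $($best.Path) (version $($best.Version)) to $target"
```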
doesn't work...says it cannot find the file specified.
trying to find someone with a vista sp1 install disk.....still this has been interesting.
SOLUTION
okay...there is a lot more missing than I realized....the system restore that was first attempted way back...wiped out a lot of the files........
It sucks you don't have an installation with SP1.  I suppose you could copy the system32 folder from SP2 drive to SP1 drive, and tell it NOT to overwrite files.  That way it just copies the missing ones.  But that is a LONGSHOT.
okay...would this work....how about a dual boot vista and vista.   using the upgrade cd to install the same os.   then install sp1.   then copy files from the new installation to the old problem installation...

am i just fishing here?
I do not see why that would be a problem. I've done that with XP before :-) no promises though
Thank you for the help....It was a combination of several issues.