[Resolved] Was BSOD on startup, found malware and drive errors

[Hoov]

Well I guess we need to accept that this is the new normal for your computer. But I suggest that you keep your data backed up daily. When hard drives start having bad sectors , it is on the way to eating itself up. I suggest that one week after we are done, you run Seatools again. If only the same 4 sectors are bad, then go to once a month scanning with Seatools. When the number of bad sectors start increasing, purchase a replacement harddrive.

Moving on, do you ever have problems with the network or internet connections on this computer?

I am assuming that the computer still is booting slowly. Do you know if this computer ever had any other virus scanners installed on it? There is some evidence there was, but I cannot tell which one. If you don't know, please run the following two programs. They remove McAfee and Norton respectively. They seem to be the two programs that most computers ship with.

McAfee Removal Tool
Go to step three on this page, download Norton Removal Tool


After running both of those programs, reboot the computer and see if there is any difference. If not,  can you tell me how this computer is used? Is it a internet machine with light home use? Or is the owner doing lots of Graphics, or just an all around power user?

[JS2]

I believe they have a pretty good backup regiment going right now and might even have too much redundancy. I'll be sure to keep tabs on the drive.

I've never heard them complain of network or internet connection issues since a redirect/rootkit issue last year. I'll be sure to ask in the morning.

The boot up is significantly faster since the selective start and within tolerence considering the amount of startup icons on the taskbar. I only ran the McAfee tool since that was on here at one point, but never Norton.

This laptop is generally used for light home use with occasional light photoshop use.

Thanks for the help,

JS2 - Malwareshack II: the malware is back

_{(these movie titles just aren't working)}

[Hoov]

Go thru the icons in the system tray and anything that is not needed for the secure running of the computer, or that is used often, go into the settings for the program and see if you can stop it from starting with windows. For instance if they use Photoshop infrequently, then there really is no reason to have PhotoshopElementsFileAgent.exe running all the time. It can start when they start Photoshop.

Once you have all of them stopped that you can stop thru the program, check to see if any of them are services (let me know if you need instructions for this) and change startup types from automatic to manual.

If there are any programs left that you really don't need starting, but you can't figure out how to stop them, Get Mike Lin''s Startup Control Panel and install it. Don''t get the standalone version. Install it, and then go to the windows control panel and start the Startup Control Panel. All you have to do is uncheck the box next to the program that you do not want to start with windows.

Just out of curiosity, you did go back into msconfig and set it to do a normal startup?

[JS2]

Hoov,
Just checking in quickly since I haven't had the time to go through the programs yet. I'll most likely get to it tomorrow or Monday night. Yes, I did set it back to normal startup.

Have a good weekend,
JS2

[JS2]

Hello Hoov,
I've gone through the startup icons and either uninstalled the application or set it to not startup with the computer. A couple services were set to manual (no problems there). Adobe Photo Uploader was the only one to cause any issue when it came back up after using Startup Control Panel. Easily solved by deleting the old entry, unchecking and then also deleting the new entry. Has not come back up.

I'd actually forgotten about that app, I had it on a previous machine of mine and more recently had switched to one from sysinternals. I guess not so recently anymore since they've been part of MS for a while.

Thanks,

JS2 - From Russia with Malware

[Hoov]

How is the computer running now? Startup and shutdown? Any other questions, concerns or problems?

[JS2]

The only issue I notice is that it often requires two shutdown or restart attempts. Everything else seems to run pretty well overall. When time permits I'll go through everything installed on there and all the services to see what else can be removed.

As for questions, there is one...
On startup I get the OS selection menu with the choices of:
Microsoft Windows Recovery Console
do no select this [debugger enabled]
Windows XP Medias Center Edition

The menu has been there on startup since before I was asked to look at the laptop, I'm not sure why it is there though or if it even needs to be. Any idea what would trigger this or if there is any concern from it? If there's no harm in leaving it there then I'm fine with that since it goes right into XP MCE after two seconds and the laptop is rarely restarted.

Thanks,
JS2 - The Living Malware

[Hoov]

Looks like someone had run combofix on this computer before. We can tak care of it during the cleanup.

The startuyp and shutdown problem, is something freezing?

[JS2]

Combofix ran on this computer last year to fix another issue; under guidance of course.

On shutdown everything will quit out, but then it seems to stop once the network is disconnected. Nothing is frozen in task manager. The system event log states the reboot attempt has failed. This is followed by a TCPIP event that the network adapter was disconnected and a browser even saying the browser has forced an election on the network because the master browser was stopped. A second attempt at shutdown or restart takes effect immediately.

Apologies for taking so long to reply. Some very long days this week.

Thank you,
JS2 – Malware Never Dies

[Hoov]

Go to the event viewer logs just as you did earlier, but this time instead of saving them, select clear logs. You will be asked if you want to save them or not, that is your choice. I don't need them. Once the logs are cleared out, restart your computer like you normally would. Once the computer is running normally after the shutdown, give me a new set of event viewer logs.

[JS2]

Hi Hoov,
System and application logs attached after having been cleared and restarted.

Thanks,
JS2 - Octo... ya know, i'm just going to leave that title alone.

[Hoov]

Reboot again, don't clear the logs. Pay attention to how it shuts down. Give me new event viewer logs, and tell me how it shuts down. According to the last set of logs you gave me, it only logs that the shutdown/reboot failed. Also watch how it starts and let me know of any problems in the startup as well.

[JS2]

Okay, new logs attached.

Hitting shutdown goes back to the current application, then it loses focus as the current window, followed by a brief flickering of the screen and the current window. In other instances some open windows might close, not in this time. Usually a few program icons on the taskbar will disappear, but not all. Eventually the icon for the Intel ProSet/Wireless will go to yellow, stay that way and another network connection icon will appear at the end of the taskbar stating the network is disconnected on mouseover. At this point moving the cursor over the other taskbar icons will cause them to disappear with the exception of the network disconnected and volume icons. Everything else seems to run normally at this time and the laptop will remain running until re-initiating shutdown/restart. Doing so closes all open programs immediately and goes straight to the windows shutdown screen and accompanying jingle.

Startup is pretty straightforward. When the desktop comes up, it and the taskbar will go black independently and be redrawn independently before the desktop icons come up. The taskbar icon area stays black a little longer. The icons on the taskbar come up as they load. The Intel ProSet/Wireless icon won't get a connection until the another network icon appears (mouseover states something along the lines of another program is using the network controller). The second network icon shows it disconnected when it does appear, then is replaced by one saying it is connected after a few seconds. The intel icon will then connect as well, most of the time the second icon will disappear shortly after. At this point all other taskbar programs seem to load without an issue. Windows needs a minute or so more after this before it is fully functional.

Let me know if you would like me elaborate on anything or pay attention to something else instead.

Thanks,
JS2

[Hoov]

Your event viewer logs are clean except for DHCP problems and a problem that references Xmas2010NZ. Do you know what that is? If you do, and it is no longer used go to the run command and type in net share Xmas2010NZ /delete to get rid of it. If it is still valid, try connecting it and then shutting down the computer to see if that goes better.

Let me know how that goes.

Are you connected to the internet thru a wireless router?

[JS2]

Checked with my parents and that's a share they no longer needed, so it is deleted. Restart still required the double restart.

Yes, this is connected through a wireless router. I can't be sure if the DHCP issues are specific to my network or if they occur on theirs as well.

Thanks,
JS2 - On The Malware's Secret Service