Strange PC problem - possibly virus related

[tfflivemb2]

I have a PC that I am working on for a friend. It is a no name brand with a 20GB HD, 2.56GHz Celeron CPU, 256mb ram. I was asked to look at it, because several things had happened recently to lead the owner to believe that there might be a virus/malware on it. Things such as pop-ups and false warning from unknown programs about viruses.

I came over and started uninstalling a lot of crap that was installed before working on trying to figure out if there was a virus or just spyware on it. I unstalled the following, possibly more, using the Control Panel:

1. Weatherbug (a malware all on its own, as far as I am concerned)
2. Yahoo AntiVirus (didn't know that Yahoo had their own.../sarcasm)
3. MySearch tool bar (listed as being part of weatherbug, but I thought that it was separate)
4. Other "programs" that appeared to be false Anti Virus programs

Now, the computer will not boot. It shows the loading WinXP screen, then the machine turns off. I also tried using the Windows XP Home disk, and tried to get to the Repair Console, but as soon as I press the "R" the machine turns off!?!?!?

Has anyone else seen anything like this?

[jdhurst]

Can you boot it with a Barts PE CD (preferrably) and run chkdsk to see if the hard disk may have gone bad (causing failure to boot when you removed the stuff you did)?

You can always boot with a Linux boot CD, open a command window and do numerous dir /s commands on all the main folders and subfolders. That may show you disk errors as well.
... JDH

[tfflivemb2]

I can boot with my Ultimate Boot CD, and stay on there all day long without the system shutting off. I ran the IBM/Hitachi HD tool on the HD and it was fine.

I tried using the Antivirus programs that are part of the UBCD, but it jumps right through and tells me that it can't run it. I'll have to run it again to find out what exactly it said.

I should also add that I tried using "Last know Configuration", as well as Safe Mode. I CANNOT get back into this system.

I know that I can use NTFS4DOS to get back into the files, if I knew what to do.

[RealBlackStuff]

Just blowing my own trumpet a bit...
Have a look at this thread, if you have any questions, just ask...
http://www.techspot.com/vb/topic17297.html

[fuscob]

Now, the computer will not boot. It shows the loading WinXP screen, then the machine turns off. I also tried using the Windows XP Home disk, and tried to get to the Repair Console, but as soon as I press the "R" the machine turns off!?!?!?

Did you try doing a repair installation ("upgrade-in-place")? Boot from XP disk, press Enter, F8 to agree to license agreement, and then R to repair when presented with the dialog saying that there is an existing installation. This replaces all Windows system files while maintaining applications, documents, etc.

[tfflivemb2]

Now, the computer will not boot. It shows the loading WinXP screen, then the machine turns off. I also tried using the Windows XP Home disk, and tried to get to the Repair Console, but as soon as I press the "R" the machine turns off!?!?!?

Did you try doing a repair installation ("upgrade-in-place")? Boot from XP disk, press Enter, F8 to agree to license agreement, and then R to repair when presented with the dialog saying that there is an existing installation. This replaces all Windows system files while maintaining applications, documents, etc.

I'll have to try that...but I have a sneaking feeling that it won't work....

[fuscob]

I'll have to try that...but I have a sneaking feeling that it won't work....

Also, one question: you said the machine "turns off." Do you mean that it restarts, or do you actually have to hit the power button to get it to turn back on?

[tfflivemb2]

Also, one question: you said the machine "turns off." Do you mean that it restarts, or do you actually have to hit the power button to get it to turn back on?

Yes, it physically turns off. I have to manually push the button to turn it back on...

[fuscob]

Yes, it physically turns off. I have to manually push the button to turn it back on...

That sounds like a hardware problem to me; really strange that it runs fine in UBCD. I thought it might be BSOD-ing and then rebooting before you could see the BSOD, but I guess not.

[tfflivemb2]

That sounds like a hardware problem to me; really strange that it runs fine in UBCD. I thought it might be BSOD-ing and then rebooting before you could see the BSOD, but I guess not.

Initially, I thought that it might have been a heat issue, but because I can let it run UBCD as long as I'd like, it leads me to believe that it isn't hardware related. Furthermore, the odds of spyware and hardware problems popping up at the exact same time. The problem started on the first reboot after removing these programs.

I was thinking that something affected the registry, but would that affect the recovery console when booting from the XP disk?

[fuscob]

I was thinking that something affected the registry, but would that affect the recovery console when booting from the XP disk?

Not sure, but since the recovery console needs the Administrator login to access the Windows installation, it definitely needs to access at least some level of the system files.

Let me know what happens with the repair installation; that fixes a lot of strange problems.

[teetee]

For this kind of problem I would just do three things(in order):
1. backup data(by using recent version linux live cd and a external/internal drive)
2. wipe out that 20 hard drive
3. start a fresh windows system installation.

and if step 3. can't continue, it might be time to start checking the hardware.(it's probably ok since OP's sysytem runs fine on UBCD).

If the original system is Win2000/XP:
I don't want to spend time on working on registry and cleaning up the disk under ntfs4dos command mode because I simply don't think it's worth the effort. But if it requires the original system to be fixed (instead of wipeout), I would first clean up the temp file under each user's local settings folder under Documents and Settings directory. Then I would get into safe mode and watch at which line the machine shuts off. From the previous post it seems the drivers are corrupt as well(that I also don't know how to fix other than extract and copy the files from the installation CD to hard drive). If all the drivers(.sys) files are loaded before the machine shuts off, then I would have no choice but to get the registry out and start cleaning the Run/RunOnce entries under HKLM.

I don't exactly know how or when or how to monitor the NT system loads its services. I only know that some of the malware/virus will run a fake service and it runs DLL files under user temp dir(or anywhere if the user normally logs in as privileged user). I don't know how to find which service(since it won't even allow you to stop it) or which DLL file(because it's not shown on the task manager) that might cause the machine shut-off either. Hijackthis's report and similar programs might not be able to identify them. The only way I know to find those is to use a program called "Process Monitor" from Microsoft and start looking for the suspicious filename(the malware dll file tends to have random filename.) However you need to get into the system to run that monitor program so I don't think it would help much.

I hope all the above info helps.

I just realized things I know are probably less than things I don't know regarding this issue. However I used my method often and had pretty good chance to solve problems that others couldn't simply by locating and removing the culprit/infected files.

[RealBlackStuff]

Can you take that HD out, install it in a USB case and attach to another PC/laptop?
Then do an AV and other scans on that external HD.
Also do a CHKDSK /f on it.

[egibbs]

For this kind of problem I would just do three things(in order):
1. backup data(by using recent version linux live cd and a external/internal drive)
2. wipe out that 20 hard drive
3. start a fresh windows system installation.

I would add:

4. Conduct a damage assesment and remediation. Determine what data, passwords, account numbers, etc. may have been compromised and take steps to mitigate any impact. This might include changing passwords for online banking, email, etc., cancelling credit cards and requesting new credit card numbers, notifying people whose info may have been leaked (if the machine was used for credit card processing, for instance), and signing up for a credit monitoring or ID protection service.

Ed Gibbs

[Kyocera]

It could have some corupted sectors that HD fitness test missed, or the drive is just going bad. Maybe run the HD test a couple times in a row after you do what Ed said above about the damage control.





That's my guess

[tfflivemb2]

Would you believe that the power supply was dying?!? It booted fine this morning in a cold room. The power supply sounded like someone poured rocks into it. It certainly didn't have that sound on Saturday. I just found out that the power supply was already replaced once!!

I was able to boot 3 times in a row with no problems. The only difference aside from the coolness of the room that it is in now, is that it is no longer plugged into a live network connection.

At this point, I am just backing up their information, because I am going to reinstall from scratch and replace the power supply....again!

[teetee]

If the problem(auto shut-off) persists after the PSU is replaced then maybe it's time to check the wiring on the wall power socket. One of my clients kept having different problems with different computers(desktops) in her office. Everything went fine after a 350VA UPS was installed.

[tfflivemb2]

If the problem(auto shut-off) persists after the PSU is replaced then maybe it's time to check the wiring on the wall power socket. One of my clients kept having different problems with different computers(desktops) in her office. Everything went fine after a 350VA UPS was installed.

The socket is fine. The problem was at the friend's house, and then at my house. I am thinking that jostling it while carrying it down to the basement knocked something loose.

The system is still running as we speak...