
Please tell me if I am infected.

ClickCardo

Junior Member
Cannot tell if this is virus/spyware or hardware.

I really need help on this.

I am trying to determine if I have a virus/spyware/etc. on my pc
since it has been acting extremely weird starting as follows.

I run Windows XP SP2 with all updates applied.
I run SpySweeper 5.3 with latest definitions.
I run Zone Alarm Security Suite 6.5.737.000 with
Anti-Virus 30.4.3374.000 Spyware 01.200702.935

ASUS A8N32-SLI Mobo
AMD X2-4800+ cpu
1x 150GB Raptor partitions C/D/M
1x 250GB Maxtor partition E
1x 500GB Seagate partition F


Please note that just last week I had almost exact same
troubles with much more software installed on C partition.
I ran vendor HDD + memtest86 diagnostics with no errors.
I installed XP clean on C partition again and some software
and ran a few days no problems. Then over next few days
added several software a day and forum surfed till I got
these problems described below.

So I'd like to know if everybody thinks I have a hardware or
virus/spyware problem. And for the problem what my solution
might be since reinstalling the OS did not seem to fix it.

1 - Boot into Safe Mode OK
2 - Run SpySweeper Scan on all partitions/drives ok none found.
3 - Boot into Safe Mode OK
4 - Run Zone Labs AV scan on 3-partition drive+other drive.
scan ok. none found.
Note: Scan detection done at byte level and heuristic.
5 - Run Zone Labs AV scan on remaining 2 drives.
During scan message in Red at top said:
"SYSTEM ERROR: PLEASE REBOOT"
moving cursor over message showed tooltip:
"please restart your computer to ensure security coverage"
Note: even with message scan OK. none found.
6 - Soft Shutdown computer for night.

NEXT DAY
7 - Boot machine into Normal mode XP OK.
8 - Remove most temp files in Windows TEMP folder
9 - Clean IE7 temp/history/cookies/etc.
10- Clean Firefox 2.0 temp/history/etc but not cookies
11- Reboot into Normal mode XP OK.
12- Turned off System Restore function on all drives.
13- Tried to reboot into Safe Mode.
** pc froze with following message
"a disk read error has occured"
"ctrl+alt+del to restart system"
14- Tried to reboot into Safe Mode.
** pc froze with following message
"a disk read error has occured"
"ctrl+alt+del to restart system"
15- Tried to reboot into Safe Mode.
** pc froze with following message
"a disk read error has occured"
"ctrl+alt+del to restart system"
16- Booted from Seagate Seatools CD OK.
17- Ran extended disk diagnostic on Seagate+Maxtor drives.
found no errors.
18- Booted from Western Digital Raptor Diag CD OK.
19- Ran diagnostics extended test on Raptor drive.
found no errors.
20- Shutdown pc for the night.

NEXT DAY
21- Boot into Normal mode XP, but first a light blue
system screen doing a chkdsk? showed.
part.1 verify files
part.2 verify indexes
part.3 verify security descriptors
22- Then it booted into Normal mode XP OK.
23- Tried to right-click Zone Alarm tray icon, but
then cursor/mouse/screen froze.
24- After awhile I tried to CTRL+ALT+DEL to Task Manager
but nothing happened until screen went completely blue,
i.e. no icons/taskbar.
25- Did a Hard Boot.
26- Tried F8 into Safe Mode, but got
** pc froze with following message
"a disk read error has occured"
"ctrl+alt+del to restart system"

27- CTRL+ALT+DEL Reboot from Win XP Install disk.
at bottom: "Examining 143087MB Disk 0 at ID 0 on Bus 0"
28- ENTER - to setup XP. OK
29- F8 - To agree to License. OK
30- Came back with what appeared to be incorrect partition info.
Partition 1 (C:) 35GB (35GB Free)
Partition 2 Unknown 75GB (0GB Free)
Partition 3 Unknown 31GB (0GB Free)

the other 2 drives showed correctly. I then
31- F3 Quit Setup and powered off pc before reboot.
 
I had a flaky hard drive causing random freezes on my system before. Do you have any red 'bangs' in Event Viewer | System that are related to the disk? Something about a bad block maybe?
 
Robor

Thanks for taking the time and effort to read my OP.

I tried to make clear in my description that I cannot boot into XP in any mode to tell what you ask. Perhaps it might later do so but I am reluctant to try until I know more what might be wrong so I know what to do with what would be limited time available or not allowing infection to spread.

I ran vendor diagnostics twice on the system drive over the last two weeks with no errors.

 
If you have the means, I would remove all your existing hard drives, buy a new hard drive (or reformat an extra one you have around), install XP on it, and see how it works.

You can always recover your files later. Clean install is your best bet.
 
crimson117

That approach sounds plausible, but what do I do with just a new windows hard drive and not all my data files, Firefox bookmarks/cookies/passwords files, Thunderbird e-mail accounts/files, etc. to work with? In other words what do I work on? I really need to get to my e-mail soon and would like to copy my TB profile over so there is no duplicate accounts, but that seems to defeat the purpose of your suggestion correct? Do I just install a fresh FF 2.0 and hand enter a few forum links I know good and just surf those? For how long do I do whatever you suggest in more detail? Finally how would this help me if it works, but I've done/used 0.0001% of my software/data?

I'm hoping you'll see and respond to my concerns.

Thanks for helping me.

CC
 
Install on a new hard drive and copy all of your data files from your old one. You can put it in as a slave or stick it in a USB enclosure.

To prevent losing your bookmarks in the future try out 'FoxMarks'. It is awesome!
 
You might want to try removing the 2 extra drives and just keep your boot drive in there. Also remove any cd/dvd drives. You can just unplug the data cables.

Then see how that works. Also, check all the jumpers. If these are PATA drives, then make sure you have them correctly set for master and slave. And make sure you are using an 80wire cable and not 40. I've seen the 40 wire cables cause weird things before.

Also, see if the bios correctly detects the drive(s).
 
Originally posted by: Robor
Install on a new hard drive and copy all of your data files from your old one. You can put it in as a slave or stick it in a USB enclosure.

To prevent losing your bookmarks in the future try out 'FoxMarks'. It is awesome!

I use MozBackup because I want saved passwords and cookies as well as bookmarks. I could possibly lose the cookies if I absolutely had to, but the others would be hard to live without.
 
Originally posted by: merk
You might want to try removing the 2 extra drives and just keep your boot drive in there. Also remove any cd/dvd drives. You can just unplug the data cables.

Then see how that works. Also, check all the jumpers. If these are PATA drives, then make sure you have them correctly set for master and slave. And make sure you are using an 80wire cable and not 40. I've seen the 40 wire cables cause weird things before.

Also, see if the bios correctly detects the drive(s).

All 3 drives are SATA, with one of those being a 10k Raptor (boot) that's partitioned 3 ways.

Disconnecting the non-Raptors sounds like it might be a good idea, but what does disconnecting the DVD drives do for me?
 
Well, you don't know where the problem is, correct? So you want to eliminate as many variables from the system as possible. The fewer parts you have in your system, the fewer options there are to consider as to where the error is. And if you open the case to disconnect the other hard drives, it's not like it's much more effort to disconnect the DVD/CD drives as well. If the DVD drive is PATA and the hard drives are SATA then yeah, the DVD drive probably doesn't have anything to do with it. But probably isn't the same as definitely 🙂

With problems like this, where you are trying to avoid just reinstalling Windows, you want to keep the system as simple as possible. If you remove everything that's not absolutely critical to boot, and the problem goes away, then you can start adding things back in a few at a time until the problem recurs, and you'll know which item is causing the problem.

And if you remove everything non-critical and the problem is still there, then you know that all those extra items weren't the cause and it's something more critical, such as a failing hard drive or maybe something on the motherboard.
 
So sorry it took me so long to get back to you, but I wanted to try and be somewhat sure my problems were not hardware related. In the meantime I took out my main data drive, disconnected the boot drive and put in a new spare drive to be the boot drive. I then booted from the Windows XP Pro install disk, deleted the partition, then re-created the partition and formatted it before a clean install of XP. Next I added the chipset drivers and then I installed my Zone Alarm Security Suite, all without being hooked up to the web. After turning that on I went to Windows Update and installed every critical update necessary as well as some optional software/hardware ones, including IE7. I installed Speedfan, Nero and a shredder and then the trial version of True Image 10.0. I then made a complete disk image backup of the boot drive and placed it on my second data drive, which I had left in the pc. I also successfully burned some CDs. Finally, I was able to boot the trial True Image boot CD and was able to get right up to the last step before doing a restore. Finally I had ZA virus/spy scan my drives with none found.

I surfed a few well known safe websites with IE7 and burned some CDs to communicate with the pc I'm writing this on. Everything very swell. I then reconnected the original boot drive and made sure it was now just another data drive. I could not access its primary partition, but was able to get some data files off its extended partition. I next tried to boot off a hard drive diagnostic CD and the True Image boot CDs to no avail. I then was able to boot into regular Windows fine. I deleted all the partitions off the original boot drive. I was then able to boot the hard drive diagnostic CD and zeroed the original boot drive. Rebooting into Windows went fine and I created a primary and extended partition on the original boot drive, which I formatted. I was able to copy a file to the original drive.

I tried to boot off the True Image boot CDs to no avail again. This is when I pasted in the HijackThis results below. Can you tell from it if I am infected with malware? Maybe the True Image trial boot CD has a time limit?

More help will be much appreciated.

Rich

Logfile of HijackThis v1.99.1
Scan saved at 5:42:59 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

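As an added example that is not part of this thread, here is a small Python triage pass over lines in the HijackThis v1.99.1 format shown above. It flags the kinds of entries a reviewer would look at first: run keys whose command is a bare filename (resolved via the search path rather than an explicit directory), O9 entries whose target file is missing, and browser start/search URLs that point somewhere other than an expected host (the expected-host list is an assumption, not something the thread states).

```python
import re
from urllib.parse import urlparse

# Five lines in the HijackThis v1.99.1 format, taken from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
URL_RE = re.compile(r"= (?P<url>\S+)$")
# Hosts treated as expected for IE start/search settings (an assumption for this example).
EXPECTED_HOSTS = {"go.microsoft.com", "www.microsoft.com"}


def parse(log):
    """Yield (kind, body) for each HijackThis entry line; non-entry lines are skipped."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log):
    """Return a list of (kind, detail, reason) tuples that deserve a human look."""
    findings = []
    for kind, body in parse(log):
        if kind in ("R0", "R1"):
            m = URL_RE.search(body)
            host = urlparse(m.group("url")).hostname if m else None
            if host not in EXPECTED_HOSTS:
                findings.append((kind, body, "start/search URL points at an unexpected host"))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if m:
                cmd = m.group("cmd")
                # A quoted command keeps its full path; otherwise take the first token.
                exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
                if "\\" not in exe:
                    findings.append((kind, m.group("name"), "bare filename, located via search path; confirm where it resolves"))
        elif kind == "O9" and body.endswith("(file missing)"):
            findings.append((kind, body, "dangling entry, target file absent"))
    return findings


if __name__ == "__main__":
    for kind, detail, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {detail} -> {reason}")
```

A flagged entry is a prompt to verify the file on disk and its publisher, not a verdict; the nwiz.exe entry above, for instance, is the normal NVIDIA driver helper and is flagged only because its path is implicit.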