Author Topic: Computer Advice (Read 8225 times)

Larrythepoet · « **on:** April 20, 2010, 07:10:21 PM »

OK, I had left my computer for about 15 minutes to go do something and when I came back the tower was on but the monitor was black. I left again to show my dad and it was in the middle of rebooting. After displaying the windows splash screen the monitor went black just like before. I shutdown the computer, booted it in safe mode with command and restarted the computer. When it got to the desktop it was almost frozen for about 4 minutes then all the programs that usually start upon logging in opened. I check Norton's logs and didn't see anything out of the ordinary. Does this sound like a virus? If not, what do you think happened?

CK9 · « **Reply #1 on:** April 20, 2010, 07:51:54 PM »

1) dump Norton and get something better (Norton = crap)
2) there is one virus I have heard of that does something similar, but if you have it, you have no choice but to reformat the hard drive.

Larrythepoet · « **Reply #2 on:** April 20, 2010, 07:58:33 PM »

What was the viruses name? Also, I don't think I have it... What else could it have been?

CK9 · « **Reply #3 on:** April 20, 2010, 09:08:04 PM »

I don't remember the name of the virus, but it's a fairly new one. It is the ultimate proof that anti-virus companies are making computer viruses to stay in business, as it bypasses the detection processesof almost all programs. There's no way to permanantly remove it without reformatting because of the way it embeds itself in your system.

Larrythepoet · « **Reply #4 on:** April 20, 2010, 09:13:16 PM »

Ok, how destructive is it and what does it do?

Simpsonboy77 · « **Reply #5 on:** April 20, 2010, 11:33:53 PM »

I could be of help here, i fix my friend's and sisters computers all the time.

CK9 you are thinking of a rootkit, and they are still removable. I have never had to reformat because of a virus. I use GMER and rootkit revealer to find them. Avast is a great free antivirus. I use MBAM for on demand scans.

I can recall an instance SIMILAR to what you describe. A trojan replaced a file, userinit.exe.

First let me ask you a few questions.
1. Did this problem just occur after a hardware change?
2. Have you run a chkdsk ?
3. Do you have your recovery discs so you could get to recovery console?
4. Do you use a bootloader? Some are LILO and GRUB, and are used to multiboot. If you don't know what a bootloader is or don't multiboot, say no.
5. Did norton's logs say anything about removing a file(s) recently? If so which files.

6. Can you afford a reformat, as in data loss?

EDIT: I reread your post and it seems like you can actually boot to a desktop. If you could run hijackthis, and attach the log to your next reply, I could help you a lot easier. Download Hijackthis here. Hijackthis is a program that does a dump of most things set to run at startup. I suppose I should have this disclaimer that there could be information in the log that I could use to identify you, such as what programs you have, and your homepage. You can always view it before posting it, the logs are small.

If you don't want to go through the trouble of virus removal then reformatting is an option.

Kayedon · « **Reply #6 on:** April 20, 2010, 11:37:42 PM »

Quote

1) dump Norton and get something better (Norton = crap)
2) there is one virus I have heard of that does something similar, but if you have it, you have no choice but to reformat the hard drive.

I will take this moment to flaunt my knowledge about Norton.

Up until roughly 2008 and 2009, Norton was a highly inefficient and completely crap product that ate more resources than Crysis. With the release of Norton 360 and Norton 2010, they've completely rebuilt from the ground up (I can personally attest to this fact). 360 and 2010 are or were very resource-efficient, and scored amongst the top paid products (I forget which rank, it's been a while).

All in all, OLD Norton = crap, new Norton is actually a leading contender and a decent project (and it's capable of finding viruses and rootkits in a particular section of x64 computers, which no other anti-virus even looks at (or did look at)).

Now, on to the main topic:

1) What anti-virus are you currently using? (developer, release date, version, last update)
2) When did this problem occur? (Time & date, to the best of your ability)
3) What operating system are you using? Last update?
4) Have you engaged in any "suspicious activity" lately? (Torrents, dodgy sites, etc)
5) Do you have a firewall? (developer, release date, version, last update)

Any other questions people can think of?

Simpsonboy77 · « **Reply #7 on:** April 20, 2010, 11:49:11 PM »

Kayedon,

4) Have you engaged in any "suspicious activity" lately? (Torrents, dodgy sites, etc)

I know where you are going with this, but I learned to stop asking this question. If they did go to a dodgy site, its too late and they are already infected. There is little to gain by knowing this. In fact a legit site can be compromised by XSS or other attacks.

Kayedon · « **Reply #8 on:** April 21, 2010, 12:35:38 AM »

Quote

Kayedon,

4) Have you engaged in any "suspicious activity" lately? (Torrents, dodgy sites, etc)

I know where you are going with this, but I learned to stop asking this question. If they did go to a dodgy site, its too late and they are already infected. There is little to gain by knowing this. In fact a legit site can be compromised by XSS or other attacks.

I am not accusing them of anything if that is what you are thinking. It's a diagnostically-sound question, and is a perfectly legitimate thing to ask. Yes, if they went, they're infected and it's too late, but it's still nice to know because MORE OFTEN THAN NOT someone else went to the site and got infected by the same virus and is publicly seeking help about it on an accredited forum.

And yes, I know it's possible to compromise a legitimate site.

While you may believe it to be a useless question, it is at the very least an A) plausible and B) reasonable thing to ask.

CK9 · « **Reply #9 on:** April 21, 2010, 01:32:38 AM »

Quote

CK9 you are thinking of a rootkit, and they are still removable. I have never had to reformat because of a virus. I use GMER and rootkit revealer to find them. Avast is a great free antivirus. I use MBAM for on demand scans.

The fact that there is software designed specificly to detect and remove it tells me that you and I are thinking of two very different virus types. I'll have to ask my dad what it was and where it hides.

as to Kayedon's Norton talk:

antivirus software is like a sine wave. When it first starts out, it's average and gets the job done. As it progresses, the developers make it better until it peaks, and then it returns to being average before they're trying to add too much to the same thing and it drops out. When Norton had to be 100% uninstalled and all files tracked down and deleted, I stopped using it and switched to MacAffe. Now MacAffe is going into crap and I'm trying out Microsoft Security Essentials (hoping that having the same coding experience behind the anti-malware and os will reduce the compatability issues that forced specific install orders)

Larrythepoet · « **Reply #10 on:** April 21, 2010, 06:20:22 AM »

@Simpsonboy
No
I don't know what that is.
...
No
They don't say anything about removing files no...
Probably not.

@Kayedon
Norton internet security 2010
the 20th around 7:30 pm
The thing at the top of safemode says: Windows XP®(Build 2600.xpsp_sp3_gdr_.100216-1514:Service Pack 3)
Probably a few...
Yes, windows firewall and Norton's firewall

Larrythepoet · « **Reply #11 on:** April 21, 2010, 06:35:29 AM »

I forgot to mention, I tried the same thing I did last night to get windows running normally, and the screen went black again, I can only get into safe-mode now as far as I know...

Also, I just tried to install HiJackThis and it said "The system administrator has set policies to prevent this installation." Which shouldn't be happening because I AM the administrator

CK9 · « **Reply #12 on:** April 21, 2010, 09:20:25 AM »

That's sounding more similar to a virus I had on my desktop when someone managed to hijack it (but I never got the screen going blank...) It prevented me from installing anything that would allow me to regain control, and even corrupted my antivirus and antispyware software...I couldn't identify it, so I just did a reformat for the hell of it. Sometimes it's just a lot faster.

AmIMeYet · « **Reply #13 on:** April 21, 2010, 10:39:43 AM »

And if your only option left is a reformat, use a linux livedisk (ubuntu might be the easiest) to save as many files as possible.

Kayedon · « **Reply #14 on:** April 21, 2010, 02:54:46 PM »

If you're unable to install extremely useful tools like that, the best advice I can give is manually go through everything and find things "out of place."
One of the ways I did this on one of my old computers (it was like 2000 though so things have changed) was to open Search and find every file created since infection. It is a flawed (and by flawed, I mean you might as well put out a fire with a match) method but people have reported it as being useful...

But yes, at this point it may seem that reformatting is the best choice unless you can get help from one of the dedicated virus forums.
Also, don't use Windows Firewall. Or two Firewalls at the same time. Same with two anti-viruses.

Simpsonboy77 · « **Reply #15 on:** April 21, 2010, 07:53:30 PM »

Quote

Also, I just tried to install HiJackThis and it said "The system administrator has set policies to prevent this installation." Which shouldn't be happening because I AM the administrator

You were currently logged in as administrator?
Was this in safemode or normal mode?

I'll guide you through how to get to the common places that a virus hides.

Registry[/u]

The registry holds a bunch of values, which your computer uses. It also holds some keys that will run at startup.

Boot into windows (safe or normal)
Click start then run then type in "regedit" without quotes
A window should appear that has 2 panes. On the left it should look something like folders, called keys. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Now on the right side it will have different values. Those values will most likely be file paths, and all of those will start at startup. We would need the stuff in the 'Data' column to see if a virus is hiding. This could be a screenshot (be sure to get the full path or just you typing it out.

Here are the rest of the places in the registry viruses could hide.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Do not modify anything in there yet, you could cause damage to your system.

Services[/u]

There is a simple method to dump via command line.

Click start then run
type in "net start >> C:\services.txt" without quotes

What this does is will envoke the net start command which lists all your services running, and then pipe (redirect)the output to a file which I specified as C:\services.txt. You can change the filepath to whatever you want. Then attach it to your next post. Again this could tell us what you have installed.

Startup in the start menu

Click start then all programs. Anything in the startup folder in the list will start at startup. Take note of what is there and report anything relevant. I know java and adobe stick stuff there and they are legitimate programs.

Additionally try to run rootkit revealer made by sysinternals. http://technet.microsoft.com/en-us/sysinte...s/bb897445.aspx Download link at the bottom. While this is running NOTHING else can be opened, that includes even a windows explorer window and solitaire. Save the file once it is complete, and post it.

Larrythepoet · « **Reply #16 on:** April 22, 2010, 03:23:57 PM »

Good news! My dad took it to his computer guy and it turns out the monitor just had the wrong driver O_o Thanks for your help though

CK9 · « **Reply #17 on:** April 22, 2010, 03:34:36 PM »

...the hell? The generic-default is supposed to work for all monitors...

Kayedon · « **Reply #18 on:** April 22, 2010, 05:54:01 PM »

Someone's been messing with stuff they shouldn't be, perhaps?

Simpsonboy77 · « **Reply #19 on:** April 22, 2010, 07:12:45 PM »

Or maybe the computer guy made up the problem because people would rather hear of a real problem than "the cable was unplugged".

Oh well, glad it's fixed.

CK9 · « **Reply #20 on:** April 22, 2010, 08:10:35 PM »

heh, or that the cable was faulty (5 new computers in the engineering computer lab, 3 of them had faulty monitor cables >.<)

Sirbomber · « **Reply #21 on:** April 22, 2010, 10:38:13 PM »

Perhaps Tankn[size=0] [/size]00b transformed the cables in 2 TE[size=0] [/size]H ME[size=0] [/size]S HA[size=0] [/size]L.

Hidiot · « **Reply #22 on:** April 23, 2010, 05:40:23 AM »

I think that's the official sign that the topic's point has been fulfilled.

Larrythepoet · « **Reply #23 on:** April 23, 2010, 04:09:24 PM »

Bad news... I had to delete a bunch of useless programs and I accidently deleted the driver for my sound card... The name was REALTEK AC 97' AUDIO, I reinstalled it but there is a #10 error code. I'm at a loss...

Kayedon · « **Reply #24 on:** April 23, 2010, 05:05:33 PM »

http://forums.techarena.in/hardware-peripherals/1094805.htm

News:

Author Topic: Computer Advice (Read 8225 times)