# Major PC problem, help needed



## Lord Vader (Sep 20, 2004)

Here's the scoop... 

I'm with my old man out of town visiting my brother and his family. Last night when I went to bed, the PC was fine. No issues. This morning, it's a completely different scenario. The PC in question, BTW, is an HP Pavilion P6000 series. It's running Windows 7 Home Premium with 8GB of RAM, and a 1TB hard drive. It's a mere 15 months old. 

So my father this morning turns the thing on and the screen shows this list menu with several items saying, "infected" and "corrupt". (The PC is running an antivirus program, so it's not like it wasn't protected.) After that screen very quickly disappeared, the system wouldn't restart. We get to a blank, black screen with a blinking cursor in the upper left corner and that's it. 

I've run several diagnostics checks, including on all the hardware. Everything passed. I also was able, via HP's diagnostic tools setup screen, to do a system restore, but then when the PC restarts, it will go through the blue HP screen normally, the one that has the various Fn choices, then it very quickly flashes the customary DOS screen with startup info, and next ends up, once again, on the blank, black screen with just the cursor. No matter what I do, I can't get the system to load Windows and take me to my desktop. 

Any suggestions? I'm trying to avoid using the HP recovery disks, because that would mean all the files and programs my brother had would be wiped out, but if that's the only way to get it up and fully running again, I'll do it.


----------



## Stuart Sweet (Jun 19, 2006)

Quick question:

Can you restart in safe mode? 
Obviously you have some internet access. I recommend going to malwarebytes.org and downloading their free program. It's really good. If you can start in safe mode, do so and run malwarebytes.



> Starting in safe mode using the F8 Method:
> 
> Restart your computer.
> When the computer starts you will see your computer's hardware being listed. When you see this information start to gently tap the F8 key on your keyboard repeatedly until you are presented with the Windows 7 Advanced Boot Options screen as shown in the image below.
> ...


If you can't boot into safe mode, can you boot to a command prompt? If so, type *%systemroot%\system32\rstrui.exe* and that will take you to the system restore utility. Try restoring back to last month and see if that gets you further.


----------



## Lord Vader (Sep 20, 2004)

We were able to do a system restore to a point a month ago by using HP's recovery mode (the startup recovery mode), but once the system rebooted, it got stuck on that blank, black screen with the blinking cursor. That seems to be where the whole problem lies. 

BTW, just an FYI—last night before I hit the sack, I was doing a Google search for something, and every time the search results of a legitimate website came up, they came up in something called "Scour." Google didn't show the results. This "Scour" did. Weird.


----------



## Herdfan (Mar 18, 2006)

Lord Vader said:


> trying to avoid using the HP recovery disks, because that would mean all the *files and programs* my brother had would be wiped out, but if that's the only way to get it up and fully running again, I'll do it.


How much are the files worth to him? If they are irreplaceable pictures and stuff, then I would suggest removing the drive and replacing it. Use the recovery disks and once the system is up and running like new, use a disk enclosure like the MX-1 to see if the files on the old drive are recoverable. If so, copy them to the new drive and run a complete virus scan.

Then reformat the old drive in the enclosure and teach your brother to make regular backups of important files to this drive and store it offsite if possible.

That is what I would do. No way would I take it to the Geek Squad or any big box outfit. If there is a small computer shop, maybe if they are willing to do everything they can to save the files.

As for the programs, he can reload them.


----------



## dpeters11 (May 30, 2007)

You say it had Antivirus, but what Antivirus did it have, and even more importantly, was it current? I've run into systems before where users didn't keep it up to date or it wasn't getting Windows Updates.


----------



## Lord Vader (Sep 20, 2004)

I installed Webroot on his PC when I visited him in August. As far as I know, it's up to date.


----------



## Lord Vader (Sep 20, 2004)

Stuart Sweet said:


> Quick question:
> 
> Can you restart in safe mode?
> Obviously you have some internet access. I recommend going to malwarebytes.org and downloading their free program. It's really good. If you can start in safe mode, do so and run malwarebytes.
> ...


Stu, I'm unable to start in safe mode, and I cannot get a command prompt. The system just keeps booting past the HP intro screen that has a few Fn options on it (I've gone through all of those to no avail), then it goes to the blank, black screen with the blinking cursor, and if I try to type something in, nothing is acknowledged.


----------



## TBoneit (Jul 27, 2006)

The problem is that the computer is infected with a nasty virus. Most likely with an MBR infection and rootkit component. If it is the one I think it is, it has most likely hidden all your files and program shortcuts and desktop items too.

There are a couple of viruses out there that tell you exactly what you mentioned: corrupt files, hard drive problems, etc.



Lord Vader said:


> I installed Webroot on his PC when I visited him in August. As far as I know, it's up to date.


So no good Antivirus then. I get infected computers in here all the time that are running McAfee & Webroot or have expired antivirus. Less so with Norton A/V for example.

The best antivirus BTW needs a user with common sense that doesn't open everything or click on everything.

Once you get it running properly, back everything up. I also second using a new hard drive; then, once it is running with a good antivirus, plug the old drive in with an external case. It may take setting Windows to show hidden and system files to see the old drive's contents.


----------



## Lord Vader (Sep 20, 2004)

To which nasty virus are you referring, TB?


----------



## TBoneit (Jul 27, 2006)

One is called Windows Recovery, for example. There is more than one, however.

One thing to try: mssstool32.exe for 32-bit Windows, mssstool64.exe for 64-bit Windows.

You can get these from Microsoft. They create a bootable disk you can use to clean viruses. They are basically the Microsoft Antivirus in bootable form. I believe Kaspersky has one too.

Hopefully this will get it booting so you can run TDSSKiller, Malwarebytes and SuperAntivirus.
Good luck.


----------



## David Ortiz (Aug 21, 2006)

If you choose to do a true recovery, you can possibly save files by installing a new hard drive for the recovery. Keep the original drive out of the computer while you recover and install an antivirus program.

Once that is done, you can attach the old hard drive either internally or with a usb/ide/sata adapter and check it for viruses. This way it's not the boot drive and you have a clean system that will actually run the antivirus program. After cleaning the old drive, you can look for files that might still be there and copy them to your new drive.


----------



## TBoneit (Jul 27, 2006)

With the Virus you appear to have caught you are better off restarting that computer from scratch rather than cleaning it.


----------



## la24philly (Mar 9, 2010)

I would also suggest carbonite or some off site online backup. If something ever does happen and a PC needs to be replaced, or formatted, your files can be sent to the new PC.


----------



## jerry downing (Mar 7, 2004)

I've used Norton Power Eraser. There is some risk of it deleting non-infected files, but it has worked for me.


----------



## dpeters11 (May 30, 2007)

jerry downing said:
 

> I've used Norton Power Eraser. There is some risk of it deleting non-infected files, but it has worked for me.


Don't think this would help if a root kit is involved.


----------



## P Smith (Jul 25, 2002)

Use a bootable CD that allows read/write access to NTFS and clean the goofy thing.


----------



## Lord Vader (Sep 20, 2004)

TBoneit said:


> With the Virus you appear to have caught you are better off restarting that computer from scratch rather than cleaning it.


That seems to have been the easiest way to do this. HP's recovery process first backed up all the files and programs to 4 disks (4 DVD disks). The computer's only 15 months old, so there was only about 14GB of stuff to back up. I then restored it from scratch. Norton's on it now under their 60-day full program free trial. I think I'm going to see if anything in those restored files or programs was infected. Regardless, I'm slowly returning his system back to normal.



la24philly said:


> I would also suggest carbonite or some off site online backup. If something ever does happen and a PC needs to be replaced, or formatted, your files can be sent to the new PC.


I've told him this for months, especially since *I* use Carbonite at home. However, he uses one excuse after another, the latest one being, "Why should I spend money when Microsoft lets me back up up to 10,000 files for free to SkyDrive?"


----------



## Marlin Guy (Apr 8, 2009)

TBoneit pretty much has it covered.
I'll just add that some rootkits can also transfer to flash memory drives like camera cards and thumb drives, then reinfect the computer or another computer.

If you've plugged in any such devices, be sure to check them as well, but disable any autorun functions.


----------



## Lord Vader (Sep 20, 2004)

Fortunately, no such devices were connected or used lately, so I don't think that will pose a problem. 

Many of the original programs on the system do not have the original disk, so it will be a chore trying to get those back.


----------



## Drucifer (Feb 12, 2009)

Well you can pull the HD and get the files off it later. And put in a new HD. Then restore with the HP CD Restore Disc.


----------



## Lord Vader (Sep 20, 2004)

The files I can get off, but the _programs_ I'm unable to transfer.


----------



## Drucifer (Feb 12, 2009)

Lord Vader said:


> The files I can get off, but the _programs_ I'm unable to transfer.


True. And copying all the Windows files never works.


----------



## Lord Vader (Sep 20, 2004)

I know.


----------



## Cholly (Mar 22, 2004)

Once you get the system back up, I'd recommend installation of Microsoft Security Essentials as his antivirus program. It's free and robust. Two other programs I'd recommend are Malwarebytes free version (www.malwarebytes.com) and SuperAntiSpyware free edition. Automatic updates of these programs are available, and should be run.


----------



## Lord Vader (Sep 20, 2004)

Thanks. Malwarebytes I already installed; the others I'll do so shortly.


----------



## dpeters11 (May 30, 2007)

Only thing I hate about SuperAntispyware is the name. I know it's legit, but sounds like Betrayware or a fake AV.


----------



## TBoneit (Jul 27, 2006)

I've done that backup using the built-in restore backup function on HPs at work. Nice feature.

For autorun I use the Panda USB Vaccine software to turn off autorun on the PC as well as immunize the usb drives as long as they are fat32 so they can't get infected with certain autorun viruses that spread that way. http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

A couple of free online virus scans 
http://go.eset.com/us/online-scanner
http://www.pandasecurity.com/activescan/index/


----------



## Lord Vader (Sep 20, 2004)

Everything is back up and running, as the restore worked. I reloaded the programs and all. I should have seen this coming, because I think I saw the signs that something was wrong but dismissed it at the time.

I was on his PC late night on the 6th when I wanted to go to a sports forum to check something. I didn't recall the exact URL, and because I was away from home and didn't have the bookmark, I simply typed the name of the forum into Google. Imagine my surprise when everything that popped up was something called "Scour" with various links. Moreover, every time I did a search in Google, even for legit sites, Scour came up. It was as if everything was being rerouted to Scour with weird results appearing. I had never seen anything like that before.

This was around 1:00 a.m., and I was tempted to run Malwarebytes and/or some other things, but I figured it was too late at night, and I didn't want to run the program and leave the PC on while I slept, so I just shut down the machine and went to bed. The next morning, some 7 or 8 hours later, my old man couldn't reboot it.


----------



## P Smith (Jul 25, 2002)

Known trick: they inject their own extension into the web browser, mostly IE, but FF suffers too. Then they intercept anything you try to do inside the browser.


----------



## Lord Vader (Sep 20, 2004)

The problem was rampant on all three browsers on his PC--FF, IE, and Chrome. Weird.

Of course, there must have been something additional attached to or contained in that problem, because the entire root or boot-up process of Windows was corrupt. BTW, it also nailed his attached 300GB external drive with all his files on it. THAT he got fixed by running some Microsoft program fix.


----------



## Lord Vader (Sep 20, 2004)

Uh oh. The problem now seems to have appeared on my home PC. Every time I do a search, I get redirected to some weird search engine called "StarFeedsMixer." (Not the same one as that which plagued my brother's). 

I ran Malwarebytes and it eliminated two things, but the problem remains. I'm running AdAware as I speak, and it so far has found three infected objects. Malware did say that one thing found was in the root and couldn't be deleted. Any recommendations?


----------



## Lord Vader (Sep 20, 2004)

Edited to add: I've got the dreaded Google redirect virus. 

Man! This thing is insidious! After running a couple of programs to detect this bug, my system restarted but had major problems. Windows repaired them and rebooted successfully after some time spent repairing the issue. However, the search redirect is STILL present!

When I go to Google to do a search, the results page shows. So far, so good; but when I click on any of the links on this page, instead of going to that specific link/site, everything gets redirected to some spam search page.

I'm running out of options to try and figure out how to eliminate this problem.


----------



## Mark Holtz (Mar 23, 2002)

One place that I would check is the hosts file (and possibly lmhosts) located at C:\windows\system32\drivers\etc\ . If you try to edit it, you will need to run Notepad as an administrator rather than a normal user. Another good editor for the hosts file is HostMan, which will detect if you need to switch to admin mode.

The reason I think of the hosts file is that something can go in there and point google.com to another IP address like 127.0.48.8 (Yes, this is totally fake IP), overriding the DNS lookup on your computer for that site.
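
The hosts-file check Mark describes, as an added example that is not code from anyone in this thread: a Python script that parses the text of the hosts file, lists every active name-to-address mapping, and flags anything beyond the stock loopback lines, classifying each as a redirect (name mapped to a non-loopback address, the google.com case Mark sketches) or a block (name mapped to loopback, which some malware uses to stop antivirus updates). The sample hosts text, the WATCH_LIST of domains and the HOSTS_PATH default are constructed assumptions. The `lookup()` helper also shows that the hosts file matches names exactly, so a hijacked `google.com` entry says nothing about `mail.google.com` or about any other site you click through to.

```python
r"""Triage a Windows hosts file for hijacked entries.

Added example for this thread, not code posted by any participant. It
parses the text of C:\Windows\System32\drivers\etc\hosts, lists every
active name-to-address mapping, and flags what a redirect hijack usually
adds: a well-known domain mapped to a non-loopback address (redirect) or
a security vendor's domain mapped to loopback (update blocking). The
sample hosts text and the WATCH_LIST are constructed assumptions.
"""
import ipaddress
from pathlib import Path

HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")   # assumed default location

# The only mappings a stock Windows 7 hosts file may legitimately carry.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Names a search-redirect or AV-blocking hijack plausibly targets (assumed list).
WATCH_LIST = {"google.com", "www.google.com", "bing.com", "www.bing.com",
              "malwarebytes.org", "www.malwarebytes.org", "update.microsoft.com"}

# Constructed sample: a stock Win7-style header plus two hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1       localhost
203.0.113.8     google.com www.google.com    # constructed redirect line
127.0.0.1       malwarebytes.org             # constructed AV-blocking line
::1             localhost
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping in hosts text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # malformed line: the resolver ignores it, so do we
        for name in fields[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries


def lookup(entries, name):
    """Resolve a name the way the hosts file does: exact match, first hit wins."""
    name = name.lower()
    for ip, host, _ in entries:
        if host == name:
            return ip
    return None   # no entry: the query goes to DNS as normal


def suspicious_entries(entries):
    """Flag every mapping beyond the stock loopback lines, classified by effect."""
    findings = []
    for ip, name, line_no in entries:
        addr = ipaddress.ip_address(ip)
        if name in DEFAULT_LOOPBACK_NAMES and addr.is_loopback:
            continue
        findings.append({
            "line": line_no,
            "name": name,
            "ip": ip,
            # loopback = the name is blocked; anything else = the name is redirected
            "kind": "block" if addr.is_loopback else "redirect",
            "watch_list": name in WATCH_LIST,
        })
    return findings


def triage(text):
    """Parse hosts text and return its suspicious entries."""
    return suspicious_entries(parse_hosts(text))


if __name__ == "__main__":
    text = HOSTS_PATH.read_text(errors="replace") if HOSTS_PATH.exists() else SAMPLE_HOSTS
    for f in triage(text):
        flag = " [WATCH LIST]" if f["watch_list"] else ""
        print(f"line {f['line']}: {f['name']} -> {f['ip']} ({f['kind']}){flag}")
    # Exact-match behaviour: a hijacked google.com leaves mail.google.com untouched.
    entries = parse_hosts(text)
    print("google.com ->", lookup(entries, "google.com"))
    print("mail.google.com ->", lookup(entries, "mail.google.com"))
```

Run it on the machine under suspicion and it reads the real file; anywhere else it falls back to the constructed sample. Because the stock Windows 7 hosts file carries no active mappings at all (both localhost lines are commented out), any flagged line is worth explaining before you trust that file again; and because the match is exact, a clean hosts file does not rule out a redirect that happens inside the browser or in a proxy setting instead.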


----------



## dpeters11 (May 30, 2007)

It is a good idea to check the hosts file, but I'm not convinced it will be there. If Google itself works, but goes elsewhere when you click on a link going to one of the result sites, sounds like something else is going on.

If it were the hosts file, it'd be specific sites that redirect.


----------



## P Smith (Jul 25, 2002)

This sort of thing usually hides inside the registry, in the browser(s) extension entries ... and in a few more places.
I can clean it manually (after many, many years of experience in IT it is still a dog-chasing process), but I wouldn't teach someone by phone or forum ... the redirectors have many tricks and you must work on the PC in real time, not guide an inexperienced user, sorry.
I'm pretty sure you can do it yourself, but prepare to spend your time reading the Internet (much more than before) and getting a better knowledge of how Windows works as a system at a pretty low level.


----------



## dpeters11 (May 30, 2007)

Yeah, the registry can be a dangerous place. It's like on those old maps "Here be dragons". Very useful, but can really mess things up.


----------



## Lord Vader (Sep 20, 2004)

dpeters11 said:


> It is a good idea to check the hosts file, but I'm not convinced it will be there. If Google itself works, but goes elsewhere when you click on a link going to one of the result sites, sounds like something else is going on.
> 
> if it were the hosts file, it'd be specific sites that redirect.


Google only partially works. What the redirect virus does is after a Google search brings up the results, clicking on any of them redirects one to some other site, usually ones with malware-infested crap.

My PC will boot up and do other things fine now, but the redirect virus is still present. I've effectively lost any search engine capabilities. Moreover, system restore doesn't seem to be working, either. At around 3:00 a.m. CDT I attempted that, and by 10:00 a.m. the screen still showed "System Restore initializing." I know it doesn't take 7+ hours to do a system restore.

So far I've tried Malwarebytes, Ad Aware, a specific TDSS killer from Symantec that's supposed to remove this bug, and Spy Doctor, the latter two being recommended after I read up on this virus. None of them have been successful. This thing is really nasty and definitely the worst one I have ever experienced.

I just can't seem to get rid of it!


----------



## David Ortiz (Aug 21, 2006)

Lord Vader said:


> Google only partially works. What the redirect virus does is after a Google search brings up the results, clicking on any of them redirects one to some other site, usually ones with malware-infested crap.
> 
> My PC will boot up and do other things fine now, but the redirect virus is still present. I've effectively lost any search engine capabilities. Moreover, system restore doesn't seem to be working, either. At around 3:00 a.m. CDT I attempted that, and by 10:00 a.m. the screen still showed "System Restore initializing." I know it doesn't take 7+ hours to do a system restore.
> 
> ...


I've seen this before and the hosts file was changed. Did you check the hosts file?


----------



## Lord Vader (Sep 20, 2004)

I don't _think_ I did. Considering I don't have much (if any) experience in that, what's the proper way to do that? I just want to make sure I get it right and not mess it up.


----------



## David Ortiz (Aug 21, 2006)

Lord Vader said:


> I don't _think_ I did. Considering I don't have much (if any) experience in that, what's the proper way to do that? I just want to make sure I get it right and not mess it up.





Mark Holtz said:


> One place that I would check is the hosts file (and possibly lmhosts) located at C:\windows\system32\drivers\etc\ . If you try to edit it, you will need to run Notepad as an administrator rather than a normal user. Another good editor for the hosts file is HostMan, which will detect if you need to switch to admin mode.
> 
> The reason I think of the hosts file is that something can go in there and point google.com to another IP address like 127.0.48.8 (Yes, this is totally fake IP), overriding the DNS lookup on your computer for that site.


Also, check this out: http://support.microsoft.com/kb/972034


----------



## Lord Vader (Sep 20, 2004)

Thanks. I'll give that a shot after this other system scan I'm doing finishes.


----------



## Lord Vader (Sep 20, 2004)

BTW, just out of curiosity, any idea why System Restore didn't work properly? I hadn't heard of this virus damaging _that_, but I do know this virus, of which there are many variations and effects, I've read, can destroy the ability to boot one's system. Fortunately, that was rectified last night when Windows Repair fixed that during one of the post-scan restarts. I'm just wondering if it could have affected System Restore.


----------



## Lord Vader (Sep 20, 2004)

David Ortiz said:


> I've seen this before and the hosts file was changed. Did you check the hosts file?





David Ortiz said:


> Also, check this out: http://support.microsoft.com/kb/972034


No luck, guys. A more thorough scan by Spy Doctor, which found one trojan bug and deleted it, followed by my fixing the hosts file, did NOT help. I'm still getting redirects. What also happens is periodic browser pages opening to malware sites.

Ugh! This is ridiculous!


----------



## David Ortiz (Aug 21, 2006)

Lord Vader said:


> No luck, guys. A more thorough scan by Spy Doctor, which found one trojan bug and deleted it, followed by my fixing the hosts file, did NOT help. I'm still getting redirects. What also happens is periodic browser pages opening to malware sites.
> 
> Ugh! This is ridiculous!


Did you rename the hosts file to hosts.old? If you open the hosts.old file with Notepad, you should see the "redirected" IP addresses for google.com in the file.

In addition to fixing the hosts file, you have to completely exit Internet Explorer to flush the reference to the wrong website. I like to reboot the computer, then double-check the hosts file, and then try the browser.


----------



## Lord Vader (Sep 20, 2004)

I use FF, and yes, I exited it.


----------



## Lord Vader (Sep 20, 2004)

BTW, I'm on a 64-bit Windows 7 system.


----------



## David Ortiz (Aug 21, 2006)

Lord Vader said:


> I use FF, and yes, I exited it.


There is a related content link titled "Hosts file hijacked" that has more information. http://answers.microsoft.com/en-us/...hijacked/f5734e7f-d054-e011-8dfc-68b599b31bf5

The hosts file is hidden and read-only. The first long answer in the "Hosts file hijacked" thread gives a very good description of the issue.

The hosts file is in the etc directory:

C:\windows\system32\drivers\etc


----------



## Lord Vader (Sep 20, 2004)

I did find it in that folder, but it was already renamed "hosts.old" by the aforementioned recommended auto-fix. Seems to me that that didn't work.


----------



## armophob (Nov 13, 2006)

Back up what you want while you still can and then reformat the drive. 
I had a nasty one come through the hotmail email account I had to set up to get on Windows Messenger.


----------



## David Ortiz (Aug 21, 2006)

Lord Vader said:


> I did find it in that folder, but it was already renamed "hosts.old" by the aforementioned recommended auto-fix. Seems to me that that didn't work.


If you open hosts.old with Notepad and look for entries with an IP address and google.com references, you can confirm if the hosts file is a problem.

If hosts.old has these references, then the rename and a reboot should have fixed the redirect. If the hosts.old file looks like it hasn't been changed from the default file, then the redirect is happening elsewhere. (assuming that the auto-fix is how hosts was renamed to hosts.old)


----------



## Lord Vader (Sep 20, 2004)

armophob said:


> back up what you want while you still can and then reformat the drive.
> I had a nasty one come through the hotmail email account I had to set up to get on Windows Messenger.


That's a bit extreme and will be my absolute last resort fix.


----------



## armophob (Nov 13, 2006)

Lord Vader said:


> That's a bit extreme and will be my absolute last resort fix.


I hated doing it and it took weeks to get back up and running with all my programs. But there was no way I was risking it.


----------



## P Smith (Jul 25, 2002)

David Ortiz said:


> I've seen this before and the hosts file was changed. Did you check the hosts file?


Didn't help in this case. He needs to seek professional help, putting the computer in their hands.
[If your car's engine is sputtering, kicking the tires will not help.]


----------



## armophob (Nov 13, 2006)

Lord Vader said:


> That's a bit extreme and will be my absolute last resort fix.


I had to buy a second hard drive as well to get it done. I booted up on the new one and selectively copied files from the old before I wiped it. Really sucky weekend.


----------



## Lord Vader (Sep 20, 2004)

Here's what a newer Trojan scanner found and sounds an alert on (except the text in red; those are my comments added in this post):



> The Registry Winlogon "Shell" entry loads this file: *C:\Users\NNNNN\AppData\Local\eed9fefe\X*
> 
> ("NNNNN" is simply my user name redacted here.) A file with this name *has not* been found (it may be hidden).
> 
> ...


----------



## Lord Vader (Sep 20, 2004)

Can someone take a look at this video and let me know what you think?

[YOUTUBEHD]TLVifFbLIso[/YOUTUBEHD]

My only dilemma is that this is for Windows XP and I have Windows 7. Consequently, getting to my LAN settings as explained at the 2:11 mark in the video is different. I've done it many times before, but now dumbass me can't remember. Figures.


----------



## Lord Vader (Sep 20, 2004)

BTW, I think one problem I'm running into is when I manually tried to change the hosts file, I keep getting the "access denied" response, even though I'm the only one who uses this PC and am the admin/user.


----------



## dpeters11 (May 30, 2007)

Windows 7 has a way of thwarting even admins. Does it work if you right click on notepad, run as administrator and open the hosts file from there? Make sure it's set for all files, not just txt.


----------



## Lord Vader (Sep 20, 2004)

I found this recommendation specifically for Windows 7. I didn't even get to its end, because I downloaded the recommended program called ComboFix, which used a DOS CMD window to search and make a bunch of changes to the registry and other areas. After its own reboot then my own reboot, I'm no longer getting redirected to malicious sites.

Keeping my fingers crossed!

[youtubehd]y-O3Nno3P1Q[/youtubehd]


----------



## David Ortiz (Aug 21, 2006)

Lord Vader said:


> I found this recommendation specifically for Windows 7. I didn't even get to its end, because I downloaded the recommended program called ComboFix, which used a DOS CMD window to search and make a bunch of changes to the registry and other areas. After its own reboot then my own reboot, I'm no longer getting redirected to malicious sites.
> 
> Keeping my fingers crossed!


Great news!


----------



## dpeters11 (May 30, 2007)

Combofix can be a powerful tool.


----------



## Lord Vader (Sep 20, 2004)

I sense that. After it finished and rebooted my system, I lost the ability to open any program or browser. It told me the registry keys for that program were no longer present. I'm like, "WTF?!?" So I just rebooted and everything came back to normal, including my Google searches.


----------



## Lord Vader (Sep 20, 2004)

BTW, have any of you guys used Open DNS? I had in the past, was not using it now, but I've heard many, continuous good things about it.


----------



## Davenlr (Sep 16, 2006)

I use it on all my computers.


----------



## Lord Vader (Sep 20, 2004)

I used to, took its settings off this one a few weeks ago to do something, but never changed them back to use it. Not that that would have prevented this little bug from infecting me; I was just wondering what people thought of it.


----------

