Unable to log off/shut down Windows 7


#1
ahboy123 (Member, 40 posts)

Hi

My computer has been facing problems resembling a virus attack over the past week or two, but I'm not sure.
The machine is a Dell XPS Intel i7-Q740 1.73 GHz running Windows 7 Home Premium 64-bit.

Symptoms:
- Noticeably high CPU usage - 2.79 GHz (usually below 1.99 GHz)
- Unable to log off, restart, or shut down computer.
- The computer stopped questioning my administrative rights over it. I was downloading a more powerful antivirus to try to kill the problem, e.g. ESET Online Scanner, but the window that usually asks me for my admin password can't be called up when I'm installing the scanner.

I scanned the computer using McAfee Security Center (paid version) and Spybot Search and Destroy after I've updated them, but both scanners claimed the computer is clean.

Opinion:
- I've downloaded a few programs to attempt to mount ISO files on my computer, such as MagicISO, PowerISO 8, Mikinho Mount Image v1.9 and Virtual Clone Drive v5.4.5. All but Virtual Clone Drive v5.4.5 failed, so I uninstalled them immediately after I installed them. Some of the software required rebooting to complete installation. I'm suspecting a virus could have entered the computer when I was downloading the software.

I followed the 5-step suggestion for diagnosing virus/malware problems. However, it seems that the malware is stronger than I thought. I downloaded OTL but I can't run it. When I double-click the OTL application icon, it takes forever to load. And when I thought I could bypass the malware by calling Task Manager and creating a New Task for OTL, something froze Task Manager and now I can't control or close the Task Manager, the window where I put the OTL application icon and the Start button. My computer responded with only a chime every time I clicked on them. To bypass the block of my administrative rights, I opened Safe Mode when I "rebooted" my computer after hibernation.

By the way, I looked into the Processes tab in the Task Manager before it froze over and I noticed about 5 consent.exe processes I've never seen before. And the only way to rest my computer is hibernating it. I haven't shut down my computer since the day it stopped me from doing so, as I was told forcing a shutdown by pulling the plug would damage the machine. I love my computer but I am running out of ideas to solve this problem. Please advise. ^^'


Thank you

Edited by ahboy123, 15 November 2011 - 09:17 AM.

#2
RKinner (Malware Expert, MVP, 20,012 posts)

Consent.exe is the program that asks you if you want to allow something to run with Admin rights. Part of UAC. See http://www.howtogeek...-windows-vista/

I would go into Task Manager and click on each copy and hit End Process. (Ignore the warning.) Then turn off UAC per the instructions. Don't reboot yet.

This is often caused by a corrupt user profile. First let it check the hard drive for errors:

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Right click on (My) Computer and select Manage (Continue), then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot. The disk check will run and will probably take an hour or two to finish.


Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line).

sfc /scannow

(SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.)


If it still doesn't work then:
http://windows.micro...ed-user-profile

Did you try to run OTL in Safe Mode?

Ron

#3
ahboy123 (Member, Topic Starter, 40 posts)

Hi Ron,

Thank you so much for replying. Yes, I tried to run OTL in Safe Mode but to no avail. Safe Mode doesn't allow me to run it, saying otl.exe is not compatible. I'm currently in Safe Mode right now and the Start button is working here, but it doesn't have an option to get us to normal mode. Should we perform your suggested steps in Safe Mode?


ahboy123

#4
RKinner (Malware Expert, MVP, 20,012 posts)

Yes I think they should run in Safe Mode. You might try one of the alternative forms of OTL:

http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr

See if they will run.

#5
ahboy123 (Member, Topic Starter, 40 posts)

I downloaded the 2 alternatives for OTL and tried running them on the troubled computer. The computer asked me for my admin password and showed a pop-up saying "F:\OTL.com The extended attributes are inconsistent." after I typed in the password. And then nothing happened.

I also tried to turn off UAC following your instructions. But I'm stuck at step 3 where the computer asks me for my admin password. The computer paused a moment after I typed in the password. And nothing happened. This is remarkably similar to the previous action. Do you think it has something to do with the part where we type in the admin password?

P.S. All procedures are done under Safe Mode.

#6
RKinner (Malware Expert, MVP, 20,012 posts)

See if you can run DDS:
Please download DDS from http://download.blee...om/sUBs/dds.com or http://download.blee...om/sUBs/dds.scr
and save it to your desktop.

* Disable any script blocking protection
* Double click dds.pif to run the tool.
* When done, two DDS.txt's will open.
* Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

#7
ahboy123 (Member, Topic Starter, 40 posts)

I tried to run DDS.com and DDS.scr on my desktop but the same problem blocked it from doing its job. I wonder what should be done to (Quote) "Disable any script blocking protection". Also, what's (Quote) "dds.pif"?

#8
RKinner (Malware Expert, MVP, 20,012 posts)

See if you can get the unhookexec.inf file and install it per:

http://www.symantec....-050614-0532-99

If that doesn't work then you need to get a friend to create an OTLPE CD:

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programmes to download

First

ISOBurner this will allow you to burn REATOGO-X-PE ISO to a cd and make it bootable. Just install the programme, from there on in it is fairly automatic. Instructions

Second

  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the C:\OTL.txt file in your reply.

#9
ahboy123 (Member, Topic Starter, 40 posts)

I tried to install unhookexec.inf on the infected computer, but it seems that the same problem prevails.

I noticed that my Safe Mode account is not an admin account. I never use the admin account as my main account. Would it help if I "switch user" into the admin account?

I have downloaded ISO.burner into my friend's computer. But the link for OTLPE.iso is not working. The browser says "404 Not Found. The resource requested could not be found on this server!". Is there an alternative?

#10
RKinner (Malware Expert, MVP, 20,012 posts)

Appears there is now a new improved model:

  • Download OTLPENet.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)

  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

#11
ahboy123 (Member, Topic Starter, 40 posts)

Hi Ron,

I'm sorry for my tardy reply. My friend's computer works on an external disk drive and she lent it to her friend who is still out of town. It's the holiday season over here and she is the only friend I have in town. I was told that there is a way to burn an ISO file to a USB drive and boot it from there. So I did a little research and found out that Windows has this software: Windows 7 USB/DVD Download Tool, and an alternative: WinToFlash. Please advise. Thank you.

#12
RKinner (Malware Expert, MVP, 20,012 posts)

http://forums.majorg...ad.php?t=216844

#13
ahboy123 (Member, Topic Starter, 40 posts)

Hi Ron,

I have got a USB installed with your software. I rebooted my computer by pressing F12 and selecting USB drive from the list of devices. The computer showed "Starting Reatogo-X-PE ..." and then showed a blue screen (attached picture). What should we do?

Attached Thumbnails

  • Photo1099.jpg

#14
RKinner (Malware Expert, MVP, 20,012 posts)

I found this advice on another site:

Your BIOS is probably set to SATA/AHCI. Try setting the BIOS to IDE and try again.


Go into your BIOS/CMOS setup and see if you have that option. If not then try just resetting your BIOS to the defaults.

Ron

#15
ahboy123 (Member, Topic Starter, 40 posts)

I wasn't sure how to change to SATA/IDE mode, but I opened the BOOT tab in BIOS and selected "Load Setup Defaults". Then I was looking for the SATA/IDE options and arrived here (attached picture). Could ATA be IDE - the one we're looking for?

I did a little reading on changing SATA mode, and I couldn't help but wonder if there is a risk of losing important data after performing this change?

By the way, thanks for being patient with me and our little draggy computer problem. You are so kind. (:

Attached Thumbnails

  • Photo1100.jpg
