TR Forums

I have a customer's laptop in which is worrying me. This is the second time since mid-December that I've seen this laptop, and both for the same reason (though I cannot remember the exact circumstances of what happened last time) - on both occasions, the reason that the customer wanted me to look at the laptop for was that Vista wouldn't boot. I believe a disk check fixed the problem last time, but I can't remember with certainty (though since typing most of this post I think I had to get bcdedit to properly write the boot configuration information again). I certainly would have run a full disk check on that occasion, and I very much doubt I would have concluded the work before running one. I think I'll try to dig out the event log entry to check the results now.

Anyway, on this most recent occasion it was the classic 0x00000024 (UNMOUNTABLE_BOOT_VOLUME) BSOD. The recovery console wouldn't work so I booted from my Vista OS DVD and ran a full disk check from there. The full disk check didn't find anything particularly interesting (like say bad sectors/clusters), and the laptop still wouldn't boot normally but would via recovery console from the hard disk, at which point Vista's automatic repair fixed whatever issue extremely quickly and automatically restarted/booted successfully.

So, the machine boots. No particular problems to speak of, it goes on the Internet fine, Malwarebytes (fully updated) picked up a few bits but nothing that suggested anything was actively screwing up the machine (things like data files for MyWebSearch but no binaries or registry entries to suggest anything could be auto-starting, no CLSIDs, etc). The only niggle initially was that UAC would regard every executable as unsigned, but then a Windows Update fixed that. A few days later however (not the next boot or anything like that), that UAC problem happened again and was fixed after a Windows Update. I had the network cable disconnected before that second UAC problem happened, but I can't believe that Windows is normally that touchy about it.

I also want to run a full disk check on reboot, except Windows just restarts normally with no console-type messages and nothing in the event log. I tried a few suggestions on the Internet for SessionManager edits, but it made no difference. Also, the machine won't boot into the recovery console from the hard disk.

Summarised, my feeling is that there's something not right with this machine, possibly malware, but I can't put my finger on it. Google searches for security sites are working fine, and apart from the chkdsk and recovery console issues, I can't find anything else currently wrong. I could try a full virus scan I suppose, but I don't have a great deal of faith in that finding anything interesting.

Any thoughts/suggestions?

If you suspect malware hit it with MLB (like you did) and Hitman Pro - if they both think it's clean it probably is.

Try running the following command from an elevated command prompt to check the disk: chkdsk /f /r C:

On reboot it should check the disk. If not then you certainly have bigger issues.

Let us know the results of Hitman Pro and the diskcheck and we can go to next steps.

Tried a BIOS update? See if any are available and read the notes to see if any compatibilities issues were addressed. If so then update.

xtalentx wrote:

If you suspect malware hit it with MLB (like you did) and Hitman Pro - if they both think it's clean it probably is.

Try running the following command from an elevated command prompt to check the disk: chkdsk /f /r C:

That's the method I normally use. I haven't heard of Hitman Pro, I'll have a google around for it, thanks.

I've tried a scan with Malwarebytes in safe mode as well, nothing new found. I'm just downloading Hitman Pro.

I've found something interesting though which is a pretty good explanation why the problems causing the machine not to boot were happening in the first place. I'm sure that the SessionManager/BootExecute key is being ignored. First of all, chkdsk /r won't run on startup, secondly, even when I set the file system to dirty, it doesn't run chkdsk, so the filesystem isn't even having the quick check it should get on every startup. I still don't know why this is happening though, but again my first thought is malware. I can't see how this caused by a hard disk problem.

I would run a diagnostic on the PCs HDD and memory. Use the HDD manufacturer's own diagnostic tool (they all usually have them readily available at their website). A lot of times chkdsk can't find problems with defective disks.

Check the ACL of the Session Manager key. System, Full Control. Administrator, Full Control. Users, Read Only.

I haven't tried the vendor's disk check yet, though I've checked the ACL on Session Manager, it's fine.

I've made one bit of headway, a full virus scan found an infected copy of autochk.exe in winsxs. I've renamed that but the volume is still marked dirty as I set it earlier, so autochk still isn't kicking in. I need to give the laptop back as the customer needs it for a while, but I'll advise him not to do anything security-sensitive on it until the problem has been resolved. I checked one last thing before switching it off - the copy of autochk.exe in system32 wasn't showing any company details, though I wonder whether that's related to the unsigned UAC issue. I wouldn't have thought so, but...

How averse would the customer be to pulling all the data off and nuking from orbit? This sounds like a pretty nasty one, possibly with a rootkit.

That's my main thought as well. I broached the topic with the customer, he didn't have any particular issues with it. I'll be talking with them next week about it.

I'm wondering once again what winsxs is for, because I wouldn't have thought that autochk.exe would be hiding out in there and in system32.

mikeymike wrote:

I'm wondering once again what winsxs is for, because I wouldn't have thought that autochk.exe would be hiding out in there and in system32.

http://www.ghacks.net/2010/07/24/the-wi ... explained/

In short, don't mess with it.