possible malware problem, can't restart

Discussion in 'Software' started by Scooter421, Oct 6, 2011.

  1. Scooter421

    Scooter421 Private E-2

    Any help is appreciated.
    I have an Asus UL80JT-A2. Intel core i3,win7,64 bit.
    The other morning my computer was on the Startup Repair screen. It said it cannot repair automatically. Under diagnosis and repair details it says:

    Startup Repair diagnosis and repair log

    Number of repair attempts: 33

    Session details

    System Disk = \Device\Harddisk0
    Windows directory = C:\Windows
    AutoChk Run = 0
    Number of root causes = 1

    Test performed: Check for updates
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test performed: System disk test
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test performed: Disk failure diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 203 ms

    Test performed: Disk metadata test
    Result: Completed successfully. Error code = 0x0
    Time taken = 62 ms

    Test performed: Target OS test
    Result: Completed successfully. Error code = 0x0
    Time taken = 156 ms

    Test performed: Volume content check
    Result: Completed successfully. Error code = 0x0
    Time taken = 312 ms

    Test performed: Boot manager diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test performed: System boot log diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test performed: Event log diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 16 ms

    Test performed: Internal state check
    Result: Completed successfully. Error code = 0x0
    Time taken = 62 ms

    Root cause found:
    Startup Repair has tried several times but cannot determine the cause of the problem.

    This information is repeated several times with differing time taken values.
    I have tried to use the system recovery options with no success:
    System Restore says no points have been created, but I know that I have used that feature in the past.
    System Image Recovery says Windows cannot find a system image.
    Windows Memory Diagnostic got hung up today at about 21% for over an hour, so I canceled that.
    Under Command Prompt I tried to look around and run my antivirus from there, but it wouldn't let me change directory or look at the Program Files directory or the Program Files (x86) directory.
    I was able to put the Microsoft malicious software program on a disk and find it through the command prompt, but when I try to run it, it says "the subsystem needed to support the image is not present".
    I tried the Microsoft stand-alone sweeper, and it runs until I get error code 0x8050800c, which I was not able to resolve. I can view all my drives and folders, but it won't scan anything.
    Lastly, I tried the F-Secure Rescue CD. It scanned and said no malware was found.
    Any suggestions?
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I have moved your thread to the software forum. You can return to the malware removal forum if you still feel you need to after you are back up and running.
     
  3. sach2

    sach2 Major Geek Extraordinaire

    Hi,

    First, if you haven't already done so, from the list of 5 options use Startup Repair, then reboot and use the automatic repair again and see if that helps.

    If it doesn't help, then at the command prompt type diskpart and hit <enter>, then list volume and <enter>, and post the results. Exit gets you out of diskpart and also out of the command prompt.
     
  4. Scooter421

    Scooter421 Private E-2

    I tried the "startup repair" twice as suggested, with the same results as before.
    For the other task, here are the results:

    Microsoft Windows [Version 6.1.7600]

    X:\windows\system32>diskpart

    Microsoft DiskPart version 6.1.7600
    Copyright (C)
    On computer: MININT-SB84SB8

    DISKPART> list volume

      Volume ###  Ltr  Label     Fs    Type        Size     Status    Info
      ----------  ---  --------  ----  ----------  -------  --------  ----
      Volume 0     E             DVD-ROM          0 B  No Media
      Volume 1     C   OS        NTFS  Partition   116 GB  Healthy
      Volume 2     D   Data      NTFS  Partition   327 GB  Healthy
      Volume 3     F   Rob's 2G  FAT   Removable  1950 MB  Healthy


    Hope this info helps.
     
  5. sach2

    sach2 Major Geek Extraordinaire

    Neither C nor D is set as system or boot in the last Info column of list volume?
     
  6. sach2

    sach2 Major Geek Extraordinaire

    Go back in Diskpart try:
    Select disk 0 (where 0 is zero)
    list partition
    Get the number for the OS partition.
    Select partition x (where x is the number of the OS partition)
    Detail partition
    Is it set as Active in the first couple of lines of the info?
     
  7. Scooter421

    Scooter421 Private E-2

    Thanks for the help, sach2. To answer your first question, C was listed as OS under the Label column. The columns are:

    Volume### Ltr Label Fs Type Size Status Info

    There was not any information listed under the info column for any of the drives.

    For your second request here is what I have:

    DISKPART> Select disk 0

    Disk 0 is now the selected disk.

    DISKPART> list partition

      Partition ###  Type       Size    Offset
      -------------  ---------  ------  -------
      Partition 1    Primary     21 GB   31 KB
      Partition 2    Primary    116 GB   21 GB
      Partition 0    Extended   327 GB  137 GB
      Partition 3    Logical    327 GB  137 GB

    I'm not sure which you would consider the OS partition, so here is the information on all of them:

    Partition 1
    Type  : 1C
    Hidden: Yes
    Active: No
    Offset in Bytes: 32256

    There is no volume associated with this partition.

    Partition 2
    Type  : 07
    Hidden: No
    Active: Yes
    Offset in Bytes: 23071910400

      Volume ###  Ltr  Label  Fs    Type       Size    Status   Info
      ----------  ---  -----  ----  ---------  ------  -------  ----
    * Volume 1     C   OS     NTFS  Partition  116 GB  Healthy

    Partition 0
    Type  : 0F
    Hidden: No
    Active: No
    Offset in Bytes: 148095631360

    There is no volume associated with this partition.

    Partition 3
    Type  : 07
    Hidden: No
    Active: No
    Offset in Bytes: 148096679936

    (using the column labels from partition 2)
    * Volume 2     D   Data   NTFS  Partition  327 GB  Healthy
     
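The diskpart walk-through sach2 gave above (select disk, list partition, detail partition, look at the Active flag) is easy to misread when the output is copied by hand, so here is an added example that does the check mechanically. This is not code from the thread or from any Microsoft tool: it parses the text that `list partition` and `detail partition` print at the Windows RE prompt and flags the MBR layout problems that keep a disk from booting (no Active partition, more than one, an Active partition that is not Primary, is hidden, has a non-NTFS/FAT type, or has no volume). The sample text is constructed to mirror the values Scooter421 posted, and the exact column layout is my assumption about diskpart's output; adjust the regexes if yours differs.

```python
"""Sanity-check `list partition` / `detail partition` output from Windows RE.

Added example, not from the thread. Sample text is constructed to mirror the
values posted; the column layout is an assumption about diskpart's output.
"""
import re

# Constructed sample: DISKPART> list partition (values from the thread)
LIST_PARTITION = """\
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             21 GB    31 KB
  Partition 2    Primary            116 GB    21 GB
  Partition 0    Extended           327 GB   137 GB
  Partition 3    Logical            327 GB   137 GB
"""

# Constructed sample: DISKPART> detail partition, one block per partition
DETAIL_PARTITIONS = [
    "Partition 1\nType  : 1C\nHidden: Yes\nActive: No\n"
    "Offset in Bytes: 32256\n\nThere is no volume associated with this partition.\n",
    "Partition 2\nType  : 07\nHidden: No\nActive: Yes\n"
    "Offset in Bytes: 23071910400\n\n"
    "  Volume ###  Ltr  Label   Fs    Type       Size    Status   Info\n"
    "  ----------  ---  ------  ----  ---------  ------  -------  ----\n"
    "* Volume 1     C   OS      NTFS  Partition  116 GB  Healthy\n",
    "Partition 0\nType  : 0F\nHidden: No\nActive: No\n"
    "Offset in Bytes: 148095631360\n\nThere is no volume associated with this partition.\n",
    "Partition 3\nType  : 07\nHidden: No\nActive: No\n"
    "Offset in Bytes: 148096679936\n\n"
    "* Volume 2     D   Data    NTFS  Partition  327 GB  Healthy\n",
]

# MBR partition types the Windows boot sector can live on.
BOOTABLE_TYPES = {"07": "NTFS/IFS", "0B": "FAT32", "0C": "FAT32 LBA"}

_LIST_RE = re.compile(
    r"^\s*Partition\s+(\d+)\s+(Primary|Extended|Logical)\s+(\d+)\s*(\w+)\s+(\d+)\s*(\w+)",
    re.M,
)


def parse_list_partition(text):
    """Return {number: {"kind": "Primary"|"Extended"|"Logical", "size": ..., "offset": ...}}."""
    out = {}
    for m in _LIST_RE.finditer(text):
        n, kind, size, su, off, ou = m.groups()
        out[int(n)] = {"kind": kind, "size": f"{size} {su}", "offset": f"{off} {ou}"}
    return out


def parse_detail_partition(text):
    """Return the fields of one `detail partition` block as a dict."""
    def field(name, pattern):
        m = re.search(rf"^\s*{name}\s*:\s*({pattern})", text, re.M | re.I)
        if not m:
            raise ValueError(f"'{name}' not found in detail partition output")
        return m.group(1)

    number = re.match(r"\s*Partition\s+(\d+)", text)
    if not number:
        raise ValueError("detail partition output does not start with 'Partition N'")
    # The volume row is marked with '*'; the drive letter column may be empty.
    vol = re.search(r"^\*\s*Volume\s+(\d+)(?:\s+([A-Z])(?=\s))?", text, re.M)
    return {
        "number": int(number.group(1)),
        "type_id": field("Type", r"[0-9A-Fa-f]{2}").upper(),
        "hidden": field("Hidden", r"Yes|No").lower() == "yes",
        "active": field("Active", r"Yes|No").lower() == "yes",
        "offset_bytes": int(field("Offset in Bytes", r"\d+")),
        "volume": (int(vol.group(1)), vol.group(2)) if vol else None,
    }


def check_boot_layout(listing, details):
    """Return a list of findings; an empty list means the MBR hand-off can work."""
    findings = []
    active = [d for d in details if d["active"]]
    if not active:
        findings.append("no partition is marked Active: the MBR boot code has no boot sector to load")
    elif len(active) > 1:
        findings.append("more than one partition is marked Active: " + ", ".join(str(d["number"]) for d in active))
    for d in active:
        n = d["number"]
        kind = listing.get(n, {}).get("kind")
        if kind != "Primary":
            findings.append(f"partition {n} is Active but {kind or 'unknown'}, not Primary")
        if d["type_id"] not in BOOTABLE_TYPES:
            findings.append(f"partition {n} is Active but type {d['type_id']} is not NTFS/FAT32")
        if d["hidden"]:
            findings.append(f"partition {n} is Active but hidden")
        if d["volume"] is None:
            findings.append(f"partition {n} is Active but has no volume (nothing for Windows to mount)")
    return findings


def audit(list_text, detail_texts):
    """Parse both outputs and run the layout checks."""
    return check_boot_layout(parse_list_partition(list_text),
                             [parse_detail_partition(t) for t in detail_texts])


# Constructed variants: the Active flag lost entirely, and moved to the hidden
# recovery partition (what a botched repair or bootkit-style edit could leave).
NO_ACTIVE = [t.replace("Active: Yes", "Active: No") for t in DETAIL_PARTITIONS]
WRONG_ACTIVE = list(NO_ACTIVE)
WRONG_ACTIVE[0] = WRONG_ACTIVE[0].replace("Active: No", "Active: Yes")

if __name__ == "__main__":
    for label, texts in (("as posted", DETAIL_PARTITIONS),
                         ("no Active flag", NO_ACTIVE),
                         ("recovery partition Active", WRONG_ACTIVE)):
        findings = audit(LIST_PARTITION, texts)
        print(f"{label}: {'layout looks bootable' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The posted layout comes back clean, which matches sach2's reading: the Active flag is on the primary NTFS partition that carries volume C. Note that diskpart run from the recovery environment does not fill the Info column with Boot/System (sach2 confirms this later in the thread), so the Active flag is the only signal this check has; a clean result means the fault is past the MBR hand-off, in the boot manager or kernel stage, not in the partition table.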
  8. sach2

    sach2 Major Geek Extraordinaire

    That all looks good. Partition 2 is Active which is correct but I think diskpart usually gives one partition boot and system status but I am unsure since I usually run it from Windows and not from the recovery options. I'll check that out from CD tomorrow.

    I guess it can't hurt to run chkdsk c: /r at the command prompt to see if it is a filesystem error.
     
  9. Scooter421

    Scooter421 Private E-2

    Sach2,
    Here are some screen shots of running chkdsk.
     


  10. sach2

    sach2 Major Geek Extraordinaire

    Again, that looks fine with no errors. I really don't understand what the cause is.

    Have you tried the advanced boot options (safe mode options) by hitting F8 during the Asus screen? If not, try that, selecting Last Known Good Configuration before any other option.
     
  11. Scooter421

    Scooter421 Private E-2

    Safe mode went back to the Startup Repair screen and cannot repair automatically.
    Last Known Good Configuration goes to Startup Repair with the same results.
    I have read the READ & RUN section. I cannot do any of the options until number 7, as I cannot get into anything. I will have a second computer available later. It is available periodically throughout the day, mostly at night.
     
    Last edited: Oct 7, 2011
  12. sach2

    sach2 Major Geek Extraordinaire

    I'll try to think through things, but it isn't file corruption. It appears you have your boot files working, because you should get a "bootmgr is missing" error if it was a problem with them, but you don't. So Windows should be trying to start, and if it was having a problem it should give a BSOD or some message regarding a particular file causing the problem, but again it doesn't.

    It looks like you only have three partitions: 1)hidden recovery partition 2) Windows partition and 3) A logical data partition. The Windows partition is active which is correct.

    *****
    The only thing I can think of is to manually make sure your boot files are there by doing a BCDedit command but I would have to look that up. I'm fairly sure that it isn't the problem because the automatic startup repair pretty much does that step first thing.

    It might be worth a look through your manual from the Asus site to see what your recovery options are using the recovery partition. Some manufacturers include a non-destructive option that would just try to repair Windows system files, rather than factory defaults, which would format the whole drive and destroy your data.

    I'm going to boot from a Recovery CD later and see if the Info section of diskpart shows boot and system from the recovery environment. If it does that might be a clue as yours doesn't have either of those flags set. Won't get a chance for several hours but I'll post back with the results.
     
  13. Scooter421

    Scooter421 Private E-2

    Thanks for your help so far. Does any of this rule out viral infection? The last thing I did before this happened was download some music and a movie. I used to use Avast for my antivirus but thought I'd try a new one, Panda Cloud. I'll try and find out about the recovery option.
     
  14. sach2

    sach2 Major Geek Extraordinaire

    I don't know about the malware/virus aspect but they rarely keep your system from starting at all. And I still think you would get some error related to a specific file not working correctly.

    I did just boot up the recovery environment and it is normal for diskpart not to show boot or system flags when run from that environment so that is not the problem.

    I would say try the memory diagnostic again to rule that out. Maybe it is that obvious and you have a problem with your memory. See if it hangs at the same spot. If it does then you can try removing one module if you have more than one. Or if any of the diagnostic CDs you have include memtest86+ you could run that and see if you get any errors.
     
  15. Scooter421

    Scooter421 Private E-2

    I will try that. Now, I don't know if this matters at all, but because I like to know what's going on I ran regedit to see I don't know what, and I was able to view all files and drives as though the system were running. I could right-click files and was given the option to run as administrator. I didn't run any, but just thought you should know. I'll let you know how I make out with the memory diagnostic.

    Rob
     
  16. sach2

    sach2 Major Geek Extraordinaire

    Hmm, what environment are you in that you could right-click files? Is this booting from a CD? I thought we only had a command prompt from the startup options?

    If it wasn't from a CD, you are saying you were at the command prompt, typed regedit and a windows interface came up and you eventually got to explorer and could see your files that way?

    ***continue with the memory test so we can rule that out.
     
  17. Scooter421

    Scooter421 Private E-2

    Your second thought was correct. No CD, just the command prompt. Anyway, here is a screen shot of the memory diagnosis. At the end it rebooted to Startup Repair and did not give me the report. I used the standard option this time. The last time I used the extended option, which it hung up on. I am off to work so will not be available till after 10 p.m. Thanks again.
     


  18. baklogic

    baklogic The Tinkerer

    I WOULD TRY TO SAVE ANY DATA, IF SACH2 CANNOT GET YOU STARTED, before trying the hidden partition recovery.
    Perhaps sach2 will suggest that, while in the command prompt, you try bootrec.exe, but wait for him to come back, as it sometimes stops you accessing the recovery partition to recover to the factory setup from the recovery partition. http://support.microsoft.com/kb/927392
    Should you need the data that is on the hard drive, you can access it in various ways, but try working through with sach2 first so as not to jump the gun.

    In case it's hard to find, Asus recovery usually works as follows.
    Tap F9 when the Asus logo appears.
    This will wipe all your data! Unless it is saved on, say, D:, AND THE PROGRAM FILES ARE ON C:. These will be replaced with the original programs only, if the recovery partition works o.k., and any other programs that you have added will need to be re-installed.
    OPTIONS SHOULD COME UP AS

    1. If none of the following recovery options is selected, the computer will just be rebooted to load Windows (if Recovery is started from the hard drive) or run the bootable disc in the optical drive.

    2. The first partition is deleted (THE present C: partition) (the others remain intact) and a new system partition C: will be created.

    3. This option removes all the partitions from the hard drive and creates a new system partition C:.

    4. This option removes all the partitions from the hard drive and creates two new partitions, C: (60% of the drive's storage capacity) and D: (40%).

     
  19. sach2

    sach2 Major Geek Extraordinaire

    I'm really at a loss on this problem. It just doesn't seem to be giving us any clues to the problem. When you start the computer it flashes Asus screen and then goes straight to "loading files" for the recovery options--nothing else in between?

    The last thing I can think of is hitting F8 to get to advanced/safemode options and choose Enable Boot Logging.

    Then at the command prompt switch to C: and type out C:\Windows\ntbtlog.txt and see what the last couple of drivers it loads are, and compare it to this list so we can see if it is doing anything to load Windows at startup.
    So at the X:\....> prompt:
    C: <enter>
    cd windows <enter>
    type ntbtlog.txt <enter>
     
    Last edited: Jan 17, 2012
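Reading ntbtlog.txt by eye at a recovery prompt, as sach2 describes above, is slow and the file usually holds several boot attempts appended together. The following is an added example, not code from the thread: it splits the log into boot sessions, takes the most recent one, reports the last drivers it loaded (where the boot stalled), compares the loaded set against a baseline of early boot-start drivers, and flags any driver that loaded from outside the system directory, which is the thing to look at when malware is on the suspect list. The log text and the baseline list are constructed; the `Loaded driver` / `Did not load driver` line prefixes and the `Microsoft (R) Windows (R) Version ...` session header are what Windows 7 writes, but the file encoding handling and the baseline are my assumptions, and the baseline should be replaced with the driver list from a known-good log of the same machine.

```python
"""Summarize ntbtlog.txt produced by 'Enable Boot Logging'.

Added example, not from the thread. Assumptions are marked in comments; the
sample log text and the baseline driver list are constructed.
"""
import re
from pathlib import Path

# Constructed sample: two boot attempts appended to one file. The second
# (most recent) attempt stops early and loads a driver from a temp directory.
SAMPLE_NTBTLOG = """\
Microsoft (R) Windows (R) Version 6.1 (Build 7600)
10  5 2011 07:41:02.312
Loaded driver \\SystemRoot\\system32\\ntoskrnl.exe
Loaded driver \\SystemRoot\\system32\\hal.dll
Loaded driver \\SystemRoot\\system32\\drivers\\volmgr.sys
Loaded driver \\SystemRoot\\system32\\drivers\\disk.sys
Loaded driver \\SystemRoot\\system32\\drivers\\CLASSPNP.SYS
Loaded driver \\SystemRoot\\system32\\drivers\\Ntfs.sys
Loaded driver \\SystemRoot\\system32\\drivers\\tcpip.sys
Did not load driver \\SystemRoot\\system32\\drivers\\parport.sys
Microsoft (R) Windows (R) Version 6.1 (Build 7600)
10  7 2011 08:15:44.125
Loaded driver \\SystemRoot\\system32\\ntoskrnl.exe
Loaded driver \\SystemRoot\\system32\\hal.dll
Loaded driver \\SystemRoot\\system32\\drivers\\volmgr.sys
Loaded driver \\??\\C:\\Users\\user\\AppData\\Local\\Temp\\example.sys
"""

# Assumption: this is the session header Windows 7 writes at each logged boot.
SESSION_HEADER = re.compile(r"^Microsoft \(R\) Windows \(R\) Version")
LOADED = "Loaded driver "
NOT_LOADED = "Did not load driver "

# Assumption: a partial list of boot-start drivers every Windows 7 boot loads.
# Replace with the driver list from a known-good ntbtlog.txt of the same machine.
BASELINE = ["ntoskrnl.exe", "hal.dll", "volmgr.sys", "disk.sys", "CLASSPNP.SYS", "Ntfs.sys"]

# Heuristic: boot drivers normally live under the system directory; anything
# loading from a profile or temp path deserves a look before anything else.
TRUSTED_PREFIXES = ("\\systemroot\\system32\\", "\\??\\c:\\windows\\system32\\")


def read_ntbtlog(path):
    """Read ntbtlog.txt from disk. Assumption: the file is UTF-16LE with a BOM;
    fall back to the ANSI code page when no BOM is present."""
    raw = Path(path).read_bytes()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def parse_sessions(text):
    """Split the log into boot attempts, oldest first; each is a dict."""
    sessions = []
    for line in text.splitlines():
        if SESSION_HEADER.match(line):
            sessions.append({"header": line, "timestamp": None, "loaded": [], "not_loaded": []})
            continue
        if not sessions:
            continue  # text before the first header: nothing to attribute it to
        s = sessions[-1]
        if line.startswith(LOADED):
            s["loaded"].append(line[len(LOADED):].strip())
        elif line.startswith(NOT_LOADED):
            s["not_loaded"].append(line[len(NOT_LOADED):].strip())
        elif s["timestamp"] is None and line.strip():
            s["timestamp"] = line.strip()  # the date/time line follows the header
    return sessions


def basename(path):
    return path.rsplit("\\", 1)[-1]


def summarize(session, tail=3):
    """What a person would want from one boot attempt."""
    loaded_names = {basename(p).lower() for p in session["loaded"]}
    return {
        "timestamp": session["timestamp"],
        "loaded_count": len(session["loaded"]),
        "last_loaded": session["loaded"][-tail:],
        "missing_baseline": [d for d in BASELINE if d.lower() not in loaded_names],
        "untrusted_paths": [p for p in session["loaded"]
                            if not p.lower().startswith(TRUSTED_PREFIXES)],
        "not_loaded": session["not_loaded"],
    }


def analyze(text):
    """Summarize the most recent boot attempt in the log text."""
    sessions = parse_sessions(text)
    if not sessions:
        raise ValueError("no boot session header found: boot logging wrote nothing")
    return summarize(sessions[-1])


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_NTBTLOG).items():
        print(f"{key}: {value}")
```

To use it on the real file, copy C:\Windows\ntbtlog.txt to the USB stick from the recovery prompt and pass it to `analyze(read_ntbtlog(path))` on a working machine. If the file does not exist at all after a boot attempt with logging enabled, the kernel never got far enough to write it, and the log cannot help; that is itself a useful data point, since it places the failure before the point where the system volume is usable.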
  20. Scooter421

    Scooter421 Private E-2

    Sach2,
    I'm including a screen shot of the next task you asked me to complete. I tried 3 times, all with the same result.
    As far as the startup sequence, I have a video of it if I could upload it, but it goes like this:
    Asus screen, then "Starting Windows" message, then "Windows loading files", then the Microsoft progress bar, then the screen flickers twice (you can see a cursor in between the two flickers), then the Startup Repair screen.

    Here's a weird piece of info. In searching through the files through regedit again, looking for the ntbtlog file, I found a file that was changed on 10/7/11 that it seems to me could only be changed if you were in IE. It is: C:\Program Files (x86)\bing bar installer.

    Also, any idea what this file would or could be: 0x0304A000.sfl

    I also found some system recovery files, but when I try that option it says I never turned it on.

    Don't know if that means anything.
     


  21. baklogic

    baklogic The Tinkerer

    That shows as your Panda antivirus (Chinese version!!).
    The other error code,
    error code 0x8050800c,
    seems to be an error kicked up by Windows Defender.
    Now antivirus is not my field, but sach2 may be able to help more on that. My experience is that when I tried Panda some time ago I had problems, and it is possible that Panda and Windows Defender are fighting each other. The error is not, that I can see, usually connected with a bad startup, but usually stops Windows Defender scanning, and apparently it has to do with a registry problem (I have read that Microsoft did an update to fix it, but cannot remember where).
    It seems to need work on ProfileImagePath.
    I have not tried these fixes, so I can only show you from a Microsoft forum.
    http://social.technet.microsoft.com...l/thread/3f131d2c-7d7e-47a4-ae78-4f2f8acbeb66

    Another thought: have you tried the administrator log-on that you said you did not do when you went into regedit?
    If not, that could be worth the try, and if you can get into Windows, then either give permissions to Panda, or to Windows Defender, to correct any possible issue with them.
    Next, if no success: I have managed to get Windows 7, in my experimenting, to start up with a faulty partition by pressing the Control, Alt and Delete buttons when the screen shows, and tricking it into going to Task Manager. Then in Task Manager I clicked New Task, typed explorer.exe, clicked OK, and that got me a start in Windows 7. I will not bore you with the rest, as it was well corrupted, but I did get into Windows. Again, worth a try.
     
  22. baklogic

    baklogic The Tinkerer

    That was a bit long, and I omitted
    DISCONNECT THAT 2GB HARD DRIVE, AND ANY OTHER USB CONNECTIONS, AND CHECK THAT YOU DO NOT HAVE A CD-ROM IN THE DRIVE.
     
  23. sach2

    sach2 Major Geek Extraordinaire

    Definitely remove the USB drive.

    One question before you tried to type the ntbtlog.txt did you try "The last thing I can think of is hitting F8 to get to advanced/safemode options and choose Enable Boot Logging." to create the ntbtlog file?
     
  24. Scooter421

    Scooter421 Private E-2

    USB removed. No CD in drive. Also of note, I can copy files to the USB drive and from C: to D:.
    Yes, I tried the "last thing I can think of" 3 times. Here's what happens: I press enter, Windows loading files, Microsoft progress bar, screen flickers twice and then back to Startup Repair.
    I cannot give any programs permissions. I am given an option to *run as administrator* (see pic).
    Most programs say *the subsystem needed to support the image type is not present*.
    I was able to get CCleaner to run. It scanned the registry for issues; I did not delete any. It also analyzed for files to clean (see pic).
    Tried the Alt+Ctrl+Delete option without success.
    I looked through the Microsoft forum fix mentioned below, but the values were already in place.
    How do you feel about the bootrec.exe option baklogic mentioned?

    On another note, I read the READ & RUN section and downloaded the files requested. I cannot turn off UAC; I have 64-bit.
    I have a copy of Ubuntu if that would help to run anything. I don't know much about Linux.
     


  25. baklogic

    baklogic The Tinkerer

  26. Scooter421

    Scooter421 Private E-2

    Thank you for your help. In the end, I was able to access drive C and copy what I wanted to D through regedit, thereby saving my data, and then I reinstalled. That was about a week ago. No problem since then.

    Robert
     
  27. baklogic

    baklogic The Tinkerer

    Reinstalling, when you have the data you need, is always the best way. We all try to help avoid it, until no option is left.
    Good luck, thanks for coming back
     
