Virus, Root-kit, or Hardware Issue?

Okay, where do I start...

Virus, Rootkit, or Hardware Issue? You tell me, because this is something I have never seen before.

I just built a brand new computer over Christmas vacation using parts ordered from newegg.com. I put everything together and there were no problems. I even used an anti-static bracelet to prevent any minor damage coming back to bite me later. I installed Windows XP Pro x64 Edition SP2 and updated it to the latest. Now, aside from random cold reboots with no blue screen to show for them, I hadn't noticed any real problems at all, especially since Windows never complained about those random reboots.

Note

- I find it worth mentioning that I have overclocked my AMD Athlon 64 X2 5000+ Black Edition processor from 2.6 to 2.8 GHz (my goal was 3.1, as I heard my processor is very stable up to 3.3, but I hadn't gotten the chance to yet).

- I also think it is necessary to mention that I use Kaspersky Anti-Virus 7.0.125 and I've scanned many times for viruses as well as rootkits but found nothing.

It is now late January (so, a month or so after installing XP x64) and due to incompatibility between XP x64 Edition and my favorite recording software I have decided to switch to Windows XP Pro 32-bit. This is when the problem first became noticeable. My plan was to resize my C: drive partition by unallocating the remaining free space, installing Windows XP 32-bit on that, and then moving all the files off the x64 install on to the 32. I booted from my Partition Magic CD and attempted to resize. It got to maybe 14% and then stopped and reported an error with the partition (the error message now isn't important because I will go over it later). I rebooted into Windows and everything worked fine, so I ran chkdsk and not only did it take forever, but it found errors while checking indexes and needed to be run in /f mode or else it couldn't continue. So I ran chkdsk /f and rebooted. It found a few problems with the indexes and fixed them. So I tried Partition Magic AGAIN. This time resizing got to 99% and gave me an error having to do with lost clusters. I scanned the hard drive from inside Partition Magic and tried to fix the lost clusters but there were too many so I just rebooted. This time Windows booted up fine again and the changes made to the partition size in Partition Magic worked just fine. Worried about parts of my hard disk being corrupted I ran chkdsk /r /f and rebooted. This is when it found many errors while checking indexes, fixed them, and then while checking security descriptors I got these messages: "Replacing invalid security id with default security id for file..." for what appeared to be every file on my hard drive (maybe 50,000 or so). I let it finish and when I got into Windows nothing worked. No start menu, couldn't use the programs in the control panel, Internet Explorer crashed and Firefox reported no page displayed on attempting to use the internet. Luckily I was already planning to reinstall Windows so I did so.

I installed Windows XP SP2 32-bit on the unallocated space I had just freed, and hoping that the problem was associated with maybe just the 64-bit edition of Windows XP I rebuilt the system, reinstalling all my programs and drivers. I also did frequent chkdsks on this new partition as well as the old and it ran much faster than I had seen before and discovered no problems. However, my antivirus did find a malware virus and a trojan on my hard drive and removed them. Then, last night while I was making a beat in Reason 4 (a sick one too), I had my first random reboot. I freaked out because I had a feeling this was the same old problem reoccurring. I booted into safe mode and ran chkdsk and just as I thought... I found errors similar to before now after that random reboot. Attempting to rule out the possibility of a memory issue, I ran Memtest86+ all night and it successfully made it through 10 passes, so I know it's not a hardware issue. What could it be... a rootkit? A virus?

Here are the logs. If you would like the logs from Kaspersky of the virus and trojan it detected I will attach those too.

CHKDSK Log + Notes

Booted in safe mode after first random system reset on brand new Windows XP SP2 install after disaster on last install. Crashed around 2:00-2:20 AM on Jan 28, 2008.

Nothing sketchy looking going on besides reset. Everything in Run and services looks legit. A certain worm and a trojan were caught and deleted by Kaspersky earlier, which are a cause for concern. There are three possible scenarios:
1. Hardware component instability causing reset and corrupt indexes
2. Malicious virus spreading and slowly infecting files and hiding in lost clusters on the HDD.
3. Some kind of new root-kit f***ing with my hard drive.

E:\Documents and Settings\Brelix>chkdsk
The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Deleting an index entry from index $O of file 25.
Index verification completed.

Errors found. CHKDSK cannot continue in read-only mode.


E:\Documents and Settings\Brelix>chkdsk /v
The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
Detected minor inconsistencies on the drive. This is not a corruption.
CHKDSK is verifying security descriptors (stage 3 of 3)...
Cleaning up 59 unused index entries from index $SII of file 9.
Cleaning up 59 unused index entries from index $SDH of file 9.
Cleaning up 59 unused security descriptors.
Security descriptor verification completed.

154015123 KB total disk space.
55684340 KB in 64809 files.
36528 KB in 6035 indexes.
0 KB in bad sectors.
142619 KB in use by the system.
65536 KB occupied by the log file.
98151636 KB available on disk.

4096 bytes in each allocation unit.
38503780 total allocation units on disk.
24537909 allocation units available on disk.

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:47 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Tools\HiJackThis\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] E:\Program Files\Tools\DAEMON Tools Lite\daemon.exe -autorun
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201472201859
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 4201 bytes

I am now beginning to think that these problems are attributable to the overclocking I did. Usually, my Black Edition processor is supposed to be very stable overclocked up to 3.1 GHz from 2.6 without changing any voltages or anything less simple than the unlocked multiplier value that AMD shipped the processor with. It is basically MADE to be overclocked. However, a friend recently brought to my attention the fact that not all dies are the same and there could be a physical flaw in the CPU which is causing these cold reboots while overclocked. He also mentioned how when a processor loses power and restarts, any data that is being written to or moved around the hard drive will be incomplete or have an inaccurate pointer, which could be the cause for all these lost clusters. So now the question is, have these reboots only been happening since I overclocked?

I recently set the multiplier to the default value and am running some Prime95 tests in order to check the stability of my processor. Maybe when I'm done I'll overclock it again and try testing it that way in an attempt to recreate the problem. Let me know if any of you have any suggestions.

I got a couple of things to say about this...

First- **ALWAYS** run a scandisk/chkdsk BEFORE messing with your partitions!

Second- If you gotta 'fix' a partition so you can install Windows... copy all yer data OFF the beasty and do a REAL, FULL format of the ENTIRE drive. Remove all the existing partitions, create ONE master partition, format that puppy... scandisk, scandisk, scandisk... and even then, I may *STILL* demand replacing the drive.

Third- It seems to me like the initial problem was caused by a power supply that is flaky... or underpowered for the system at peak consumption. The lag in power caused the hard drive to lose juice, which in turn caused the errors on the drive. (Just because Windows doesn't b..ch about the random reboot doesn't mean the hard drive wasn't damaged)

You can only paint over the rust so many times before you gotta actually do some body work.... I would blow out the entire hard drive- kill the partitions and start totally **FRESH**. If the drive takes too many 'hits' like this, it'll never be reliable again.
