Hi, I have a problem. This is the third time it has happened: the first time I just did a wipe and load, and I made an image after that; then it happened again, so I re-imaged my laptop, and now it's happening again. It started with Windows being unresponsive after login, the hard drive LED staying on while the actual drive doesn't do anything; then services would start failing. I would restart Win7 and I wouldn't be able to boot into 7; I'd try to go into safe mode and it would stop at classpnp.sys. After that the MBR would get corrupted.
I thought it was a driver issue, but now it's happening again. I'm just at the hard drive phase and Windows is taking too long to boot.
I ran GMER and found C:\windows\servicing\TrustedInstaller.exe (***hidden***) to be infected. I tried disabling it and GMER crashed; anyway, I deleted the file.
I ran HijackThis! and it said "for some reason your system denied write access to the Host file", so I deleted it (I'm not sure if I screwed up there).
Now I ran ESET's ServicesRepair.exe and at least it's responding, but the HDD comes back from time to time.
edited by moderator: remove unrequested log
Covering bases: Have you tried running chkdsk with bad sector testing, or some other drive checker?
Hello, yes, I ran TuneUp's hard drive diagnostic tool (which basically runs MS chkdsk) and found no problems. I also ran Western Digital's hard drive diagnostic tool and, same, it found nothing. Thank you for your reply.
Well, I'm not entirely convinced it isn't hardware, but checking the software should be easy enough, assuming you have the tools. Rootkits are a part of a larger infection, so you'll want to deal with both parts or risk reinfection. Removing any MBR rootkit is easy enough as long as you don't use full-drive encryption. Just get your hands on a Windows 7 DVD (and it has to be something external to your HDD), run the recovery console, and run the following:
bootrec /fixmbr
bootrec /fixboot
After that, do not boot into Windows. Instead, boot into some WinPE environment or put the HDD into an enclosure, and run a virus scan on the drive. If you have a recovery CD/DVD made before the infection, use that. The recovery partition on the HDD is possibly infected and thus not valid.
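Since the MBR keeps getting corrupted, it is worth being able to verify it offline rather than trusting that the machine boots. The following is an added example, not code from anyone in this thread: a small Python script that reads the first 512-byte sector of a disk, checks the 0x55AA boot signature, decodes the four partition entries, and compares the bootstrap code, disk signature and partition table against a baseline captured right after bootrec /fixmbr (for example while the drive sits in an enclosure, or from WinPE). The device paths, the baseline-capture workflow and the embedded sample MBR are all assumptions made for the demo; the sample sector is constructed, not taken from a real disk, and the "tampered" variant only illustrates the general pattern of a bootkit redirecting the first instruction into its own code.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440          # bytes 0..439: bootstrap code (440..443 is the disk signature)
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"     # bytes 510..511


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device, e.g. r'\\.\PhysicalDrive1' on Windows
    or '/dev/sdb' on a Linux live CD (needs admin/root). Not called at import."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields an MBR rootkit would have to touch."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:          # unused entry
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a live MBR against a baseline parsed from a known-good sector."""
    cur = parse_mbr(sector)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["bootcode_sha256"] != baseline["bootcode_sha256"]:
        findings.append("bootstrap code differs from baseline (possible bootkit; rerun bootrec /fixmbr)")
    if cur["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed (BCD device entries may no longer resolve)")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    if not any(p["bootable"] for p in cur["partitions"]):
        findings.append("no active partition")
    return findings


def build_sample_mbr(tamper: bool = False) -> bytes:
    """Constructed 512-byte MBR for the demo (assumed layout, not a real disk)."""
    bootcode = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8".ljust(BOOTCODE_LEN, b"\x00")
    if tamper:
        # Assumed bootkit behaviour: overwrite the entry point with a jump into its own code.
        bootcode = b"\xe9\x00\x01" + bootcode[3:]
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    # Entry 1: active NTFS system partition at LBA 2048; entry 2: NTFS data partition.
    p1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    p2 = struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 206848, 1000000)
    empty = b"\x00" * PART_ENTRY_LEN
    sector = bootcode + disk_sig + p1 + p2 + empty + empty + SIGNATURE
    assert len(sector) == SECTOR
    return sector


if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr())          # in practice: parse_mbr(read_mbr(path)) after /fixmbr
    for finding in check_mbr(build_sample_mbr(tamper=True), baseline):
        print("FINDING:", finding)
```

Capture the baseline immediately after bootrec /fixmbr from outside the installed Windows, and store it somewhere the infected system cannot write to; if a later check from WinPE reports the bootstrap code changed, the drive is still being reinfected after boot, which points back at the running-system component the rootkit is only a part of.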