Missing hal.dll and associated virus

Sysman · #1 (**permalink**) 28-07-2006, 08:53 PM

Recently, I have encountered a problem on a client's computer that has me flumoxed and a bit worried.

One of their workstations came up with the message:

Windows could not start because the following file is missing or corrupt:
<windows root>\system32\hal.dll.
Please reinstall a copy of the above file.

I took the computer back to my office and began the pretty much standard procedures for this message. However, when I got into recovery console, and did a "DIR" on the C: drive, there was no Windows directory! I ran chkdsk /r to see if that would fix it, but it did not. The machine was just a workstation ... there was no real data on it, so I reformatted and re-installed Windows. After hours of re-installing software, I took the machine back to the client and re-joined it to the domain, etc.

The next day, the same problem recurred.

When I returned the computer to my office, I ran extensive diagnostics on the hardware. No erros were found. I ran and re-ran the Western Digital diagnostics ... no errors. Finally, I wrote binary zeros to the entire hard disk in preparation for yet another re-install.

Before I wrote binary zeros to the disk, I tried doing a "fixmbr" command. That allowed the computer to partially boot, but it would stop with LSASS issuing the message "an invalid parameter was passed to a service or function". Clicking OK on the message caused a reboot.

Perhaps it is coincidence, but it appears that a virus survived a reformat. That's why I completely cleared the disk with binary zeros.

Before I could finish rebuilding the software on this system, the client called: another system now has the same problem. Now I am really really concerned.

All machines have AVG on them, and Adaware, and Ewido run on them just the weekend before.

Does anyone know of a virus with these symptoms?
How do I prevent infection?
How do I prevent re-infection?

I don't often have to ask for help, but this one is a doosey!

Neal · #2 (**permalink**) 30-07-2006, 02:26 PM

Go here Read This First - IMPORTANT Instructions

Post a hiajckthis log and we will have a look, but sounds like a very difficult situation.

Google hal.dll and you get all kinds of stuff.

Sysman · #3 (**permalink**) 31-07-2006, 06:16 AM

Hmmm.

When a machine will not boot, Hijackthis is pretty useless.

I did google hal.dll and checked out all of the stuff. Almost everything that I read indicated I was dealing with a virus/malware or a bad hard disk. I ran extensive diagnostics on the disk and found nothing. Ditto on the rest of the machine.

I spent all day re-loading this machine (again), and was about to take it back to the client, when I buttoned it up and rebooted just to make sure everything was ok. It happened again. This time it was it was a different system file.

In the morning, I'm going to replace the hard disk and see if that helps. At this point, the objective is to fix the computer. The laptop that failed did so with a corrupted registry. Coincidence? Perhaps. Perhaps not.

What I joined the forum to find out was:

Is there such a thing as a virus that could survive a fdisk/format?

Can a virus actually "infect" a BIOS (my personal opinion is no)?

Could a virus be written that could infect the MBR or some other portion of the disk (NTFS) in such a way as to actually survive the process of repartitioning (kind of the same question as 1)?

Here are the possibilities that I have thought of:

1) Hard disk is beginning to fail.
Perhaps the electronics on the disk itself are failing. Even though I have loaded Windows from scratch, as well as a myriad of other software, two complete times without problems, this has to be considered. How many reboots are involved in a windows install (with updates)? Add to that installing Java, .Net, Nero, Adaware, Ewido, AVG, and a few other things, plus all of the drivers and such ... you'd think that would eliminate the drive being bad.

2) Virus.
Perhaps there is a virus luking somewhere on the machine that re-infects even after the system has been re-loaded. And there are unicorns too.

3) SATA electronics are failing.
Perhaps the controller electronics are failing, but have not totally failed. In this case, it means a motherboard replacement (unfortunately, a Shuttle barebones would have to be RMA'd after 13 months).

4) Memory Chip going bad.
Strange things can occur when a memory chip is intermittant. Memtest86 run for several hours says the chip is ok, though.

5) Processor bad or overheating.
In some ways, it looks like a heat problem. Just weird unpredictable stuff happens. But it's been operating flawlessly for 13 months and now all of a sudden it croaks? I touch the heat sink (you could anchor a boat with it). Cool to the touch. Not overheated at all. Even the heat pipes are pretty cool to the touch. I don't think it's the processor.

6) Outbreak of witchdoctors.
I know, I know. This sounds remote. But in this office, I blocked MySpace from the core router and one girl is extremely upset at me. Maybe she hired a witchdoctor to put a spell on this computer just so my entire weekend would be hosed. Or, maybe not.

Any other ideas?

Neal · #4 (**permalink**) 31-07-2006, 03:46 PM

Can you do any scans at all for malware? I don't see where anyhting could survive a reformat as long as you don't save files from an infected computer and put on reformatted computer.

If you can't do any scans then I can't help you. Try the XPHelp part of this forum.