
Gateway MX6930 Laptop with slowing, hanging and (finally) infection problems.

Discussion in 'Virus & Other Malware Removal' started by Granisalo, Apr 12, 2008.

  1. Granisalo (Thread Starter)
    Hello!
    This is my first post - and I feel like a young kid on stage at his first Christmas carol concert (aaah!) so your kind indulgence would be much appreciated :))))
    First, thanks very much (Tech guys and gals) for being here for us poor souls lost in computer hell ;-) : your help restores one's faith in human nature and your kind help would be very much appreciated!
    Info:
    O/S = XP SP2
    Comodo, Firewall, Antivirus, Anti-spam and Verification-Engine.
    D:/ (the recovery partition containing the programs and drivers) is supposed to be protected by PC Angel (no help there):
    Comodo AntiVirus says it's infected!
    Gateway, (no help there either), merely "recommended" that this partition be copied: they didn't say that a copy was "essential" to recovery from the hard drive - hence, I forgot to copy, so I can't wipe and recover.
    Problems:
    First, over time, the m/c started to slow, then hang (wouldn't shut down) (Dchp error(s) 1513???) and finally became infected (according to Comodo AV). Aside: how a virus (or rootkit(?) or both) got past Comodo I don't know.
    On the hanging issue (something to do with file handles(?)), I found a prog (Microsoft/Gordon/Uchp(?)) but never ran it: scared I guess :) - and the infection issue subsequently became the main issue.
    Wishes/concerns:
    I would like to wipe the HD, (DBAN?), and start over - but as explained above - that doesn't appear possible, therefore I suppose it's necessary to attempt a clean-up of both C and D partitions?
    I read that if rootkit(s) are on the m/c, a) they may not be discovered or removed with 100% confidence, and b) therefore the computer, (HD(?)), could never be trusted again: your comments would be appreciated :)
    I have access to a friend's machine (which has Norton Internet Security) - together with a USB Stick - for downloading your suggested recovery tools but am concerned lest I infect her computer with swapping the USB stick back and forth. I don't dare put my own infected computer on-line: your recommendations would be most welcome!
    Finally, thanks very much for any help/comment you are able to give: it will be very much appreciated !
    Kind Regards, Granislo (David)
    PS: I was impressed with the clarity and conciseness of the answer that "Cookiegal" gave to "O-Jay" (15th JULY 2005) who had a similar problem, but while my problem is similar, it's somewhat different, therefore this post: sorry it's so long :)
     
  2. cybertech (Retired Moderator)
    Hi, Welcome to TSG!!


    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
     
  3. Granisalo (Thread Starter)
    Thank you very much cybertech for your quick and clear reply :) - (love your cat !)

    A couple of things first please:
    1. you don't comment on my fears/concerns about the possibility of infecting my friend's computer by swapping my USB stick back and forth between my infected m/c and hers from downloading your suggestions. Does this mean my stick will definitely not become infected from my own m/c - hence, that contagion is not possible?
    2. Your kind reply to my post seems to imply that you believe a 'totally clean' m/c is a possibility, i.e. that any/all rootkits can be found and cleaned: do I read this correctly? - (since you don't comment specifically :)

    I'll now proceed to download HJT and wait for your kind reply before 'stick-swapping' and posting the result.

    Kind regards, and thanks for your efforts! :)

    PS: how do I edit a post? - hanged if I can find this info anywhere!
     
  4. cybertech (Retired Moderator)
    If you are worried about infecting the other person's machine with your stick, use their stick for transferring HJT to your computer. Lock the stick before putting it in your computer so that, if your computer is infected, it will not be able to write to the stick.

    Additionally you can get Flash_Disinfector.exe by sUBs from >here< and save it to the other person's desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

    Next using the other person's flash drive, write protected, transfer this to your computer and run it there as well.


    Once I have seen the HJT log I will be better able to make a determination on the cleaning of the machine.

    To Edit your post look at the bottom right of the post. You will see Affero | Edit | Quote | Quick Reply
     
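The hidden autorun.inf folder cybertech mentions above works by occupying the file name so malware on the stick cannot drop an autorun.inf file of its own. The check below is an added example (not from the thread or from Flash_Disinfector): it tells apart a drive root with no autorun.inf, the protective folder, and a real autorun.inf file, and for a file it reports the keys Windows XP would act on; the autorun.inf content and the throw-away "drive roots" built by demo() are constructed for the example.

```python
"""Classify the autorun.inf entry at the root of a removable drive."""
import configparser
import os
import tempfile

# [autorun] keys that make Windows XP launch something on insertion.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun_inf(text):
    """Return the [autorun] section as a dict with lower-case keys.

    Dropped autorun.inf files are often sloppy (odd casing, duplicate
    keys), so a forgiving parser is used and garbage yields {}.
    """
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str.lower  # case-insensitive key lookup
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(section)}
    return {}


def inspect_autorun(drive_root):
    """Classify drive_root/autorun.inf.

    Returns (state, findings): state is 'absent', 'protected' (a folder
    occupies the name, as Flash_Disinfector arranges) or 'file' (a real
    autorun.inf that XP would honour); findings lists the keys that
    would launch something.
    """
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", []
    if os.path.isdir(path):
        return "protected", []
    with open(path, "r", errors="replace") as fh:
        entries = parse_autorun_inf(fh.read())
    findings = [f"{k}={v}" for k, v in entries.items() if k in EXEC_KEYS]
    return "file", findings


# Constructed sample of what a dropped autorun.inf looks like; the file
# name setup.exe is invented for the example.
SAMPLE_AUTORUN = """[AutoRun]
open=setup.exe
shellexecute=setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""


def demo():
    """Build three temporary 'drive roots' and classify each one."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name in ("absent", "protected", "file"):
            root = os.path.join(base, name)
            os.mkdir(root)
            target = os.path.join(root, "autorun.inf")
            if name == "protected":
                os.mkdir(target)          # the Flash_Disinfector-style folder
            elif name == "file":
                with open(target, "w") as fh:
                    fh.write(SAMPLE_AUTORUN)
            results[name] = inspect_autorun(root)
    return results


if __name__ == "__main__":
    for state, (kind, found) in demo().items():
        print(f"{state:>9}: {kind} {found}")
```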
  5. Granisalo (Thread Starter)
    cybertech - thanks very much for your reply :)

    1. we have only one stick - and it doesn't have a mechanical lock.
    2. I did look around to see how to switch on/off write-protect but gave up: too many variables/possibilities.
    3. I followed your instructions about "Flash_Disinfector": also copied it to the 'single' stick for download to the infected m/c.
    Q: how does this thing get updated? - can't find anything out about this?
    4. The infected computer will need to write the HJT log to the stick, (so it would have to be 'unlocked' for that purpose I suppose) - hence my original question about the infected machine being able to corrupt the stick - and, subsequently, the clean m/c. The only thing is: will Flash_Disinfector (by then residing on both machines) stop any stick infection jumping to the clean m/c when I download the HJT log?

    On editing my posts: I saw only "Quote" + "Quick reply" - "edit" wasn't there :)

    ...after posting this "quick reply", "Edit" seems to be there, hmm?

    Thanks for 'bearing' with me thus far !!
     
  6. cybertech (Retired Moderator)
    Use flash disinfector on the good machine and it will put in place a defender for the machine. See the blue Note: above.

    Another option is to use a burnable cd instead if you have a cd writer on the sick machine.

    If not does it have a floppy drive?

    Last option would be to backup the data on the sick machine and prepare it for format and reload.
     
  7. Granisalo (Thread Starter)
    Thanks again for your reply! - HJT log follows. (transferred using the stick)
    Note 1: prior to the infection problem I tried (only partially successfully apparently) to get rid of McAfee and AOL: I wonder if any of the residue therefrom might be a cause of the initial "hanging": - I'm sure you'll know :)
    - I would like to reliably get rid of anything that McAfee or AOL placed on my m/c.
    Note 2: I could run another a/v scan and report to you the infected files on the 'D' partition - if that would help?

    Ref. your previous message:
    1. Re: the autorun.inf Dir: I found it with cmd and dir but the two directories appeared empty: I hope this is in order?
    2. Q: Wouldn't burning the HJT log to a cd/dvd or copying it to a floppy (don't have) on the infected m/c still transfer the infection to the clean m/c? - or is it that autorun.inf (on the clean m/c) will stand guard over these media as well ?
    3. Re. your last sentence: In my original post, I expressed the desire to "wipe the HD, (DBAN?), and start over" - but that that option didn't appear possible: this, as I said, was because it appears to be (at least) the (supposedly protected) 'D' partition (containing the 'Programs and Drivers') that is infected and I forgot to make the "recommended" copy - so I'm a bit confused as to how this option could be performed? - your comments gratefully appreciated! :)
    Kind regards and thanks!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:17:11 PM, on 17/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
    C:\Program Files\Comodo\VEngine\VEngine.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
    C:\Program Files\Comodo\Comodo AntiSpam\CAS32.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/low/world/default.stm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6930
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6930
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6930
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Comodo VerificationEngine Browser Helper - {A968A4B4-C492-4834-B651-17602C3885C8} - C:\Program Files\Comodo\VEngine\ESigil.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
    O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk.disabled
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: BigFix.lnk.disabled
    O4 - Global Startup: Comodo AntiSpam.lnk = C:\Program Files\Comodo\Comodo AntiSpam\CAS32.exe
    O4 - Global Startup: Lotus Organizer EasyClip.lnk.disabled
    O4 - Global Startup: Lotus QuickStart.lnk.disabled
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.bmo.com
    O15 - Trusted Zone: http://www.edwardjones.com
    O15 - Trusted Zone: http://tsedb.globeinvestor.com
    O15 - Trusted Zone: http://www.globeinvestor.com
    O15 - Trusted Zone: http://www.house.co.uk
    O15 - Trusted Zone: http://www.ca.inter.net
    O15 - Trusted Zone: http://www.iunits.ca
    O15 - Trusted Zone: http://www.mcafee.com
    O15 - Trusted Zone: http://www.robtv.com
    O15 - Trusted Zone: http://www.sandisk.com
    O15 - Trusted Zone: http://www.tsx.ca
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    --
    End of file - 8178 bytes
     
  8. cybertech (Retired Moderator)
    Run HJT again and put a check in the following:

    O15 - Trusted Zone: http://www.bmo.com
    O15 - Trusted Zone: http://www.edwardjones.com
    O15 - Trusted Zone: http://tsedb.globeinvestor.com
    O15 - Trusted Zone: http://www.globeinvestor.com
    O15 - Trusted Zone: http://www.house.co.uk
    O15 - Trusted Zone: http://www.ca.inter.net
    O15 - Trusted Zone: http://www.iunits.ca
    O15 - Trusted Zone: http://www.mcafee.com
    O15 - Trusted Zone: http://www.robtv.com
    O15 - Trusted Zone: http://www.sandisk.com
    O15 - Trusted Zone: http://www.tsx.ca

    Close all applications and browser windows before you click "fix checked".


    Can this computer access the internet?
     
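Added example (not from the thread or from HijackThis): a small Python triage of the HJT v2 log format posted above, pulling out the O15 Trusted Zone hosts cybertech asks to fix (sites in that zone get Internet Explorer's relaxed security settings), any O2 BHO entry still pointing at "(no file)", and O20 Winlogon Notify DLLs, which load inside winlogon.exe and so get checked rather than assumed clean. The sample lines are copied from the log in post 7; the triage rules are the example's own.

```python
"""Triage the entries of a HijackThis v2 log by section code."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:11 PM, on 17/04/2008

Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://news.bbc.co.uk/1/low/world/default.stm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O4 - HKLM\\..\\Run: [MCUpdateExe] C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe
O15 - Trusted Zone: http://www.bmo.com
O15 - Trusted Zone: http://www.mcafee.com
O15 - Trusted Zone: http://www.tsx.ca
O20 - Winlogon Notify: monln - C:\\WINDOWS\\SYSTEM32\\monln.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\\Program Files\\Comodo\\Firewall\\cmdagent.exe
"""

# Every HJT entry starts with a section code (R0, F2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Group HJT entries by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group("code")].append(m.group("body"))
    return sections


def triage(text):
    """Return the entries a helper would look at first, plus a fix list."""
    sections = parse_hjt(text)
    # O15: hosts granted Trusted Zone status in Internet Explorer.
    trusted = [urlsplit(b.split(":", 1)[1].strip()).hostname
               for b in sections["O15"] if b.startswith("Trusted Zone:")]
    # O2: browser helper objects whose DLL no longer exists on disk.
    orphaned = [b for b in sections["O2"] if b.endswith("(no file)")]
    # O20: DLLs registered to be loaded by winlogon.exe.
    notify = [b.split(":", 1)[1].strip() for b in sections["O20"]
              if b.startswith("Winlogon Notify:")]
    return {
        "trusted_zone_hosts": trusted,
        "orphaned_bhos": orphaned,
        "winlogon_notify": notify,
        # The exact lines to tick in HJT before "Fix checked", as in post 8.
        "fix_list": [f"O15 - {b}" for b in sections["O15"]],
        "entry_count": sum(len(v) for v in sections.values()),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```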
  9. Granisalo (Thread Starter)
    Checked and fixed.
    Yes, the infected computer can access the net, but as I mentioned earlier, since I don't know what any malware present will do ( phone home, do damage, whatever) I am most reluctant to get on-line until I'm sure I'm safe: your best comments appreciated.
    Thanks and regards :)
     
  10. cybertech (Retired Moderator)
    I don't see any infection in the log. Can you tell me what you are finding that is infected?
     
  11. Granisalo (Thread Starter)
    Comodo Anti-Virus has Quarantined the following files which could not be disinfected. They have not been submitted since this would necessitate a web connection which I'm averse to at the moment - as previously explained.
    I have been reluctant to delete any files since "PCAngel" (which is supposed to be 'protecting' the d partition, and which is now owned(?) by "Softthinks" - who are NO help whatsoever) advise that deleting anything on the d partition will compromise any recovery attempt.
    Well, with corrupted files there, trying to recover those "Programs and drivers" would be futile, would it not?
    Since it appears possible to corrupt the partition, wouldn't it have been smarter for Gateway to have supplied those files on a separate CD?


    Path and file name,
    Virus name

    d:\system volume information\_restore{4e015214-6bb0-4181-b365-456cf1dec06}\-rp223\A0026065.exe
    Trojan.Win32.LowZones.cc
    d:\system volume information\_restore{4e015214-6bb0-4181-b365-456cf1dec06}\-rp225\A0027121.exe
    Trojan.Win32.LowZones.cc
    d:\system volume information\_restore{4e015214-6bb0-4181-b365-456cf1dec06}\-rp227\A0027494.exe
    Trojan.Win32.LowZones.cc
    d:\system volume information\_restore{4e015214-6bb0-4181-b365-456cf1dec06}\-rp227\A0027517.exe
    Trojan.Win32.LowZones.cc
    d:\i386\apps\app31126\add-gateway.exe
    Trojan.Win32.LowZones.cc
    d:\i386\apps\app20460\imgvemver1.6.exe
    Trojan.Win32.LowZones.cc
    c:\xthinkc\Windows\help\drvspace_result.htm
    Virus.VBS.GaScript
    c:\xthinkc\Windows\help\hwconf_result.htm
    Virus.VBS.GaScript
    c:\xthinkc\Windows\help\lan_result.htm
    Virus.VBS.GaScript
    c:\xthinkc\Windows\help\mdirx_result.htm
    Virus.VBS.GaScript
    c:\xthinkc\Windows\help\mmsn_result.htm
    Virus.VBS.GaScript
    c:\xthinkc\Windows\help\msdos_result.htm
    Virus.VBS.GaScript
    c:\xthinkc\Windows\help\pcmcia_result.htm
    Virus.VBS.GaScript
    c:\xthinkc\Windows\help\print_result.htm
    Virus.VBS.GaScript

    Q: may I ask please: is there some particular reason you have not yet asked me to download and run some rootkit analysers? - just curious :)
    Note 1: "CookieGal" replied to "O-Jay" on 15th July 2005 on a similar problem, which I mentioned in my original post. I found this following a Google search for the corrupted file A0026065.exe (above).
    Note 2: Using the DOS Dir command, I still couldn't "see" the contents of the d partition - (just in case this info is useful :) )
     
  12. cybertech (Retired Moderator)
    I am not concerned about what is in system volume information. You can easily remove that by turning off system restore.

    Click here to download Dr.Web CureIt and save it to your desktop.
    • Doubleclick the drweb-cureit.exe file and allow it to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, look whether you can click the next icon next to the files found.
    • If so, click it and then click the next icon right below and select Move incurable.
    • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new HijackThis log.
     
  13. Granisalo (Thread Starter)
    Thanks for your reply!
    I don't understand your comment, viz. "I am not concerned about what is in system volume information. You can easily remove that by turning off system restore."
    My understanding is that turning off "WINDOWS Restore" deletes all the "Windows Restore" points extant on the 'c' drive, but the information I've presented indicates that the 'd' partition is infected and that the contents of that partition are essential to any future "restoration" of programs and drivers. Isn't the "d:\system volume information\_restore" talking about the "restoration" of the drivers and programs - NOT the "Windows restore" function? I'm afraid I am quite confused - probably because you do not refer to or comment on any of my questions/comments and I am not achieving any understanding from our dialogue.
    I read your comments about Dr.Web CureIt and will proceed ASAP - but first have tax reporting to attend to. I will be back ASAP. If you could please illuminate your comments for my edification, I would be most grateful :)
    Kind regards, Grani
     
  14. cybertech (Retired Moderator)
    Let's see what DrWeb does with the files on the d: drive. It's possible the detection by Comodo is a false positive.
     
  15. Granisalo (Thread Starter)
    Ok - I agree :) and yes, possible false positives!
    But, please, please, please - put me out of my misery - my burning curiosity is killing me!
    It's said that rootkits are used to hide malware, so of course, if a rootkit is present, it may be hiding malware - so of course you will not see it.
    Yet, while I understand you don't want to give info to the "baddies", you have not yet commented on why we haven't before now, FIRST, checked for rootkits!
    I'm just dying to hear your response :)))
    Regards, Grani
     
Short URL to this thread: https://techguy.org/703117