Gateway MX6930 Laptop with slowing, hanging and (finally) infection problems.

4K views 24 replies 2 participants last post by  Granisalo 
#1 ·
Hello!
This is my first post - and I feel like a young kid on stage at his first Christmas carol concert (aaah!) so your kind indulgence would be much appreciated :))))
First, thanks very much (Tech guys and gals) for being here for us poor souls lost in computer hell ;-) : your help restores one's faith in human nature and your kind help would be very much appreciated!
Info:
O/S = XP SP2
Comodo, Firewall, Antivirus, Anti-spam and Verification-Engine.
D:/ (the recovery partition containing the programs and drivers) is supposed to be protected by PC Angel (no help there):
Comodo AntiVirus says it's infected!
Gateway, (no help there either), merely "recommended" that this partition be copied: they didn't say that a copy was "essential" to recovery from the hard drive - hence, I forgot to copy, so I can't wipe and recover.
Problems:
First, over time, the m/c started to slow, then hang (wouldn't shut down) (Dchp error(s) 1513???) and finally became infected (according to Comodo AV). Aside: how a virus (or rootkit(?) or both) got past Comodo I don't know.
On the hanging issue (something to do with file handles(?)), I found a prog (Microsoft/Gordon/Uchp(?)) but never ran it: scared I guess :) - and the infection issue subsequently became the main issue.
Wishes/concerns:
I would like to wipe the HD, (DBAN?), and start over - but as explained above - that doesn't appear possible, therefore I suppose it's necessary to attempt a clean-up of both C and D partitions?
I read that if rootkit(s) are on the m/c, a) they may not be discovered or removed with 100% confidence, and b) therefore the computer, (HD(?)), could never be trusted again: your comments would be appreciated :)
I have access to a friend's machine (which has Norton Internet Security) - together with a USB Stick - for downloading your suggested recovery tools but am concerned lest I infect her computer with swapping the USB stick back and forth. I don't dare put my own infected computer on-line: your recommendations would be most welcome!
Finally, thanks very much for any help/comment you are able to give: it will be very much appreciated !
Kind Regards, Granislo (David)
PS: I was impressed with the clarity and conciseness of the answer that "Cookiegal" gave to "O-Jay" (15th JULY 2005) who had a similar problem, but while my problem is similar, it's somewhat different, therefore this post: sorry it's so long :)
 
#2 ·
Hi, Welcome to TSG!!

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 
#3 ·
Thank you very much cybertech for your quick and clear reply :) - (love your cat !)

A couple of things first please:
1. you don't comment on my fears/concerns about the possibility of infecting my friend's computer by swapping my USB stick back and forth between my infected m/c and hers from downloading your suggestions. Does this mean my stick will definitely not become infected from my own m/c - hence, that contagion is not possible?
2. Your kind reply to my post seems to imply that you believe a 'totally clean' m/c is a possibility, i.e. that any/all rootkits can be found and cleaned: do I read this correctly? - (since you don't comment specifically :)

I'll now proceed to download HJT and wait for your kind reply before 'stick-swapping' and posting the result.

Kind regards, and thanks for your efforts! :)

PS: how do I edit a post? - hanged if I can find this info anywhere!
 
#4 ·
If you are worried about infecting the other person's machine with your stick, use their stick for transferring HJT to your computer. Lock the stick before putting it in your computer so if your computer is infected it will not be able to write to the stick.

Additionally you can get Flash_Disinfector.exe by sUBs from >here< and save it to the other person's desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Next using the other person's flash drive, write protected, transfer this to your computer and run it there as well.

Once I have seen the HJT log I will be better able to make a determination on the cleaning of the machine.

To Edit your post look at the bottom right of the post. You will see Affero | Edit | Quote | Quick Reply
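As an added illustration of what the Note above is guarding against (example code written for this page, not Flash_Disinfector's own logic): a Python check that tells the placeholder autorun.inf folder apart from a real autorun.inf file at a drive root, and for a real file reports which keys would make Windows launch a program. The three drive roots it inspects are constructed in a temporary directory.

```python
import configparser
import os
import tempfile

# autorun.inf keys that tell Windows to start a program from the drive. These
# are the keys a reviewer cares about; icon/label keys are cosmetic.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def launch_targets(path):
    """Return {key: value} for every launch key found in the [autorun] section."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        with open(path, encoding="latin-1") as fh:
            cp.read_file(fh)
    except configparser.Error:
        return {}  # malformed INI: report nothing rather than guess
    found = {}
    for section in cp.sections():
        if section.lower() != "autorun":  # [autorun] and [AutoRun] both occur
            continue
        for key, value in cp.items(section):
            if key.lower() in LAUNCH_KEYS:
                found[key.lower()] = value
    return found


def classify_autorun(drive_root):
    """Classify what sits at <drive_root>\\autorun.inf.

    'missing'         - nothing there
    'placeholder_dir' - a folder named autorun.inf (what Flash_Disinfector
                        creates): a file of that name cannot be created beside it
    'inert_file'      - a real file with only icon/label style keys
    'launch_file'     - a real file that names a program to run
    """
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.lexists(path):
        return "missing", {}
    if os.path.isdir(path):
        return "placeholder_dir", {}
    targets = launch_targets(path)
    return ("launch_file" if targets else "inert_file"), targets


def demo():
    """Build constructed drive roots in a temp dir and classify each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        protected = os.path.join(tmp, "protected")
        os.makedirs(os.path.join(protected, "autorun.inf"))  # placeholder folder
        inert = os.path.join(tmp, "inert")
        os.makedirs(inert)
        with open(os.path.join(inert, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nicon=disk.ico\nlabel=Backup\n")
        launching = os.path.join(tmp, "launching")
        os.makedirs(launching)
        with open(os.path.join(launching, "autorun.inf"), "w") as fh:
            fh.write("[AutoRun]\nopen=setup.exe\nshellexecute=setup.exe\nicon=setup.exe,0\n")
        # "empty" is never created, so it exercises the 'missing' branch.
        for name in ("protected", "inert", "launching", "empty"):
            results[name] = classify_autorun(os.path.join(tmp, name))
    return results


if __name__ == "__main__":
    for name, (kind, targets) in demo().items():
        print(f"{name:10} {kind:16} {targets}")
```

On a real machine, call classify_autorun on each drive root (for example "E:\\") after plugging the stick in.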
 
#5 ·
cybertech - thanks very much for your reply :)

1. we have only one stick - and it doesn't have a mechanical lock.
2. I did look around to see how to switch on/off write-protect but gave up: too many variables/possibilities.
3. I followed your instructions about "Flash_Disinfector": also copied it to the 'single' stick for download to the infected m/c.
Q: how does this thing get updated? - can't find anything out about this?
4. The infected computer will need to write the HJT log to the stick, (so it would have to be 'unlocked' for that purpose I suppose) - hence my original question about the infected machine being able to corrupt the stick - and, subsequently, the clean m/c. The only thing is: will Flash_Disinfector (by then residing on both machines) stop any stick infection jumping to the clean m/c when I download the HJT log?

On editing my posts: I saw only "Quote" + "Quick reply" - "edit" wasn't there :)

...after posting this "quick reply" , "Edit" seems to be there, hmm?

Thanks for 'bearing' with me thus far !!
 
#6 ·
Use flash disinfector on the good machine and it will put in place a defender for the machine. See the blue Note: above.

Another option is to use a burnable cd instead if you have a cd writer on the sick machine.

If not does it have a floppy drive?

Last option would be to backup the data on the sick machine and prepare it for format and reload.
 
#7 ·
Thanks again for your reply! - HJT log follows. (transferred using the stick)
Note 1: prior to the infection problem I tried (only partially successfully apparently) to get rid of McAfee and AOL: I wonder if any of the residue therefrom might be a cause of the initial "hanging": - I'm sure you'll know :)
- I would like to reliably get rid of anything that McAfee or AOL placed on my m/c.
Note 2: I could run another a/v scan and report to you the infected files on the 'D' partition - if that would help?

Ref. your previous message:
1. Re: the autorun.inf Dir: I found it with cmd and dir but the two directories appeared empty: I hope this is in order?
2. Q: Wouldn't burning the HJT log to a cd/dvd or copying it to a floppy (don't have) on the infected m/c still transfer the infection to the clean m/c? - or is it that autorun.inf (on the clean m/c) will stand guard over these media as well ?
3. Re. your last sentence: In my original post, I expressed the desire to "wipe the HD, (DBAN?), and start over" - but that that option didn't appear possible: this, as I said, was because it appears to be (at least) the (supposedly protected) 'D' partition (containing the 'Programs and Drivers') that is infected and I forgot to make the "recommended" copy - so I'm a bit confused as to how this option could be performed? - your comments gratefully appreciated! :)
Kind regards and thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:11 PM, on 17/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\Comodo\VEngine\VEngine.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Comodo\Comodo AntiSpam\CAS32.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/low/world/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6930
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6930
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6930
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Comodo VerificationEngine Browser Helper - {A968A4B4-C492-4834-B651-17602C3885C8} - C:\Program Files\Comodo\VEngine\ESigil.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk.disabled
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: BigFix.lnk.disabled
O4 - Global Startup: Comodo AntiSpam.lnk = C:\Program Files\Comodo\Comodo AntiSpam\CAS32.exe
O4 - Global Startup: Lotus Organizer EasyClip.lnk.disabled
O4 - Global Startup: Lotus QuickStart.lnk.disabled
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.bmo.com
O15 - Trusted Zone: http://www.edwardjones.com
O15 - Trusted Zone: http://tsedb.globeinvestor.com
O15 - Trusted Zone: http://www.globeinvestor.com
O15 - Trusted Zone: http://www.house.co.uk
O15 - Trusted Zone: http://www.ca.inter.net
O15 - Trusted Zone: http://www.iunits.ca
O15 - Trusted Zone: http://www.mcafee.com
O15 - Trusted Zone: http://www.robtv.com
O15 - Trusted Zone: http://www.sandisk.com
O15 - Trusted Zone: http://www.tsx.ca
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8178 bytes
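An added example, not from the thread and not part of HijackThis: a small Python triage script that parses entry lines of the form shown in the log above and pulls out the kinds of entries a helper reviews first (Trusted Zone sites, BHOs whose DLL no longer exists, Run entries without a fully qualified path, Winlogon Notify DLLs, and downloaded ActiveX controls). Being listed means "check this", not "malicious". The sample lines are copied from the log in this post.

```python
import re

# Constructed sample: entry lines copied from the HijackThis log above,
# trimmed to the entry types this triage looks at.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/low/world/default.stm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O15 - Trusted Zone: http://www.bmo.com
O15 - Trusted Zone: http://www.mcafee.com
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# Every HJT entry line starts with a section tag such as R0, O2, O23.
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A Run target we consider fully qualified: drive letter, %VAR%-rooted, or UNC.
QUALIFIED = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\|\\\\)")


def parse_hjt(text):
    """Split a log into (section, body) pairs; header and process lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out


def run_target(body):
    """Return (value name, executable) for an O4 '..\\Run: [Name] command' body."""
    m = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", body)
    if not m:
        return None, body
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):  # quoted path: executable is the quoted part
        exe = cmd[1:].split('"', 1)[0]
    else:                    # otherwise the first whitespace-delimited token
        exe = cmd.split(" ", 1)[0]
    return m.group("name"), exe


def triage(entries):
    f = {"orphaned_bho": [], "trusted_zone": [], "run_unqualified": [],
         "winlogon_notify": [], "activex_download": []}
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            # BHO still registered but its DLL is gone: a harmless leftover.
            f["orphaned_bho"].append(body)
        elif section == "O15" and body.startswith("Trusted Zone:"):
            # Trusted-zone sites get relaxed IE security settings; list for review.
            f["trusted_zone"].append(body.split(":", 1)[1].strip())
        elif section == "O4" and "Run:" in body:
            name, exe = run_target(body)
            if not QUALIFIED.match(exe):
                # Bare names are resolved via the search path; confirm which file runs.
                f["run_unqualified"].append((name, exe))
        elif section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe; verify each is a known package.
            f["winlogon_notify"].append(body.rsplit(" - ", 1)[1])
        elif section == "O16":
            # Downloaded ActiveX controls (DPF): keep the source URL for checking.
            f["activex_download"].append(body.rsplit(" - ", 1)[1])
    return f


def summarize(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for kind, items in summarize(SAMPLE_LOG).items():
        print(kind, items)
```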
 
#8 ·
Run HJT again and put a check in the following:

O15 - Trusted Zone: http://www.bmo.com
O15 - Trusted Zone: http://www.edwardjones.com
O15 - Trusted Zone: http://tsedb.globeinvestor.com
O15 - Trusted Zone: http://www.globeinvestor.com
O15 - Trusted Zone: http://www.house.co.uk
O15 - Trusted Zone: http://www.ca.inter.net
O15 - Trusted Zone: http://www.iunits.ca
O15 - Trusted Zone: http://www.mcafee.com
O15 - Trusted Zone: http://www.robtv.com
O15 - Trusted Zone: http://www.sandisk.com
O15 - Trusted Zone: http://www.tsx.ca

Close all applications and browser windows before you click "fix checked".

Can this computer access the internet?
 
#9 ·
Checked and fixed.
Yes, the infected computer can access the net, but as I mentioned earlier, since I don't know what any malware present will do ( phone home, do damage, whatever) I am most reluctant to get on-line until I'm sure I'm safe: your best comments appreciated.
Thanks and regards :)
 
#11 ·
Comodo Anti-Virus has Quarantined the following files which could not be disinfected. They have not been submitted since this would necessitate a web connection which I'm averse to at the moment - as previously explained.
I have been reluctant to delete any files since "PCAngel" (which is supposed to be 'protecting' the d partition, and which is now owned(?) by "Softthinks" - who are NO help whatsoever) advises that deleting anything on the d partition will compromise any recovery attempt.
Well, with corrupted files there, trying to recover those "Programs and drivers" would be futile, would it not?
Since it appears possible to corrupt the partition, wouldn't it have been smarter for Gateway to have supplied those files on a separate CD?


Path and file name - Virus name

d:\system volume information\_restore{4e015214-6bb0-4181-b365-456cf1dec06}\-rp223\A0026065.exe - Trojan.Win32.LowZones.cc
d:\system volume information\_restore{4e015214-6bb0-4181-b365-456cf1dec06}\-rp225\A0027121.exe - Trojan.Win32.LowZones.cc
d:\system volume information\_restore{4e015214-6bb0-4181-b365-456cf1dec06}\-rp227\A0027494.exe - Trojan.Win32.LowZones.cc
d:\system volume information\_restore{4e015214-6bb0-4181-b365-456cf1dec06}\-rp227\A0027517.exe - Trojan.Win32.LowZones.cc
d:\i386\apps\app31126\add-gateway.exe - Trojan.Win32.LowZones.cc
d:\i386\apps\app20460\imgvemver1.6.exe - Trojan.Win32.LowZones.cc
c:\xthinkc\Windows\help\drvspace_result.htm - Virus.VBS.GaScript
c:\xthinkc\Windows\help\hwconf_result.htm - Virus.VBS.GaScript
c:\xthinkc\Windows\help\lan_result.htm - Virus.VBS.GaScript
c:\xthinkc\Windows\help\mdirx_result.htm - Virus.VBS.GaScript
c:\xthinkc\Windows\help\mmsn_result.htm - Virus.VBS.GaScript
c:\xthinkc\Windows\help\msdos_result.htm - Virus.VBS.GaScript
c:\xthinkc\Windows\help\pcmcia_result.htm - Virus.VBS.GaScript
c:\xthinkc\Windows\help\print_result.htm - Virus.VBS.GaScript

Q: may I ask please: is there some particular reason you have not yet asked me to download and run some rootkit analysers? - just curious :)
Note 1: "CookieGal" replied to "O-Jay" on 15th July 2005 on a similar problem which I mentioned in my original post. I found this following a Google search for the corrupted file A0026065.exe (above).
Note 2: Using the DOS Dir command, I still couldn't "see" the contents of the d partition - (just in case this info is useful :) )
 
#12 ·
I am not concerned about what is in system volume information. You can easily remove that by turning off system restore.

Click here to download Dr.Web CureIt and save it to your desktop.
  • Doubleclick the drweb-cureit.exe file and allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new HijackThis log.
 
#13 ·
Thanks for your reply!
I don't understand your comment, viz. "I am not concerned about what is in system volume information. You can easily remove that by turning off system restore."
My understanding is that turning off "WINDOWS Restore" deletes all the "Windows Restore" points extant on the 'c' drive, but the information I've presented indicates that the 'd' partition is infected and that the contents of that partition are essential to any future "restoration" of programs and drivers. Isn't the "d:\system volume information\_restore" talking about the "restoration" of the drivers and programs - NOT the "Windows restore" function? I'm afraid I am quite confused - probably because you do not refer to or comment on any of my questions/comments and I am not achieving any understanding from our dialogue.
I read your comments about Dr.Web CureIt and will proceed ASAP - but first have tax reporting to attend to. I will be back ASAP. If you could please illuminate your comments for my edification, I would be most grateful :)
Kind regards, Grani
 
#15 ·
Ok - I agree :) and yes, possible false positives!
But, please, please, please - put me out of my misery - my burning curiosity is killing me!
It's said that rootkits are used to hide malware, so of course, if a rootkit is present, it may be hiding malware - so of course you will not see it.
Yet, while I understand you don't want to give info to the "baddies", you have not yet commented on why we haven't before now, FIRST, checked for rootkits!
I'm just dying to hear your response :)))
Regards, Grani
 
#16 ·
Before you run AVG Anti Rootkit you should clean out your temp files to prevent false detections.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.

  • Click here to download AVG Anti Rootkit and save it to your desktop.
  • Double-click on avgarkt-setup-1.1.0.42.exe to install it.
  • Click "I Agree" to agree to the EULA.
  • By default it will install to "C:\Program Files\GRISOFT\AVG Anti-Rootkit".
  • Click "Next" to begin the installation then click "Install".
  • It will then ask you to reboot now to finish the installation.
  • Click "Finish" and your computer will reboot.
  • After it reboots, double-click on the AVG Anti-Rootkit shortcut that is now on your desktop.
  • Click on the Perform in-depth search button to begin the scan.
  • The scan will take a while so be patient and let it complete.
  • When the scan is finished, click the Save result to file button.
  • Save the scan results to your desktop then copy and paste them in your next reply to this thread.
 
#17 ·
Thanks for waiting Cybertech - appreciated :)
'have effected previous instructions, viz. ATF Cleaner and AVG Anti-rootkit.

Result from AVG Anti-rootkit:
"Congratulations - there were no installed rootkits found on your computer" - (hence no log generated apparently).

While that's somewhat comforting, it's not definitive clearance is it ?
BTW - I had also (some days previously) run the Panda Anti-rootkit and the Spybot "rootalyser" anti-rootkit progs - with the same result.

Prior to advising running the ARK detection, you suggested running DrWeb-cureit: I googled that and found that it may now be called simply "Cureit" with the suggestion that "DrWeb-cureit" might be an old file which could need updating: any comment?

What should we do next please ? :)
Thanks, G
 
#19 ·
Thanks very much for your comment and suggestion - but "There's a hole in the bucket, dear Liza, dear Liza". Re. the very start of this thread, I explained that formatting and reloading didn't appear to be a possibility - for the reason cited - and I was hoping that Techguy experts might just find a reasonable cure for the problem: are you saying that there is nothing other than this we can do?
While you personally (MVP) are a 'big gun' (and of course respected) is it possible the ship may finally be sunk by bringing further big-guns to bear?
Regards, G
 
#20 ·
You asked for "definitive clearance". Format and reload is that.

Different products, anti-malware and anti-virus, will find faults in the restoration partition. These are such as mywebsearch which is an option that you can remove even if you can not stop it from loading.
 
#21 ·
If I feel that the d: partition is indeed infected - it would be futile to burn this and restore from the resulting disk - so what else can we do please?
Your replies are very cryptic :) and I don't understand your final sentence: could you please elaborate?
Thanks. G
 
#22 ·
If you do not want to use the restore feature built into the machine you would need to purchase a new copy of the OS to put on the machine.

To elaborate further on my final sentence I would first need the information about what is found on the d: drive that is infected. Name of file and infection found by what product.
 
#23 ·
To clarify:
1. I have the O/S on the single CD supplied by Gateway.
2. Apparently Gateway place the "programs and drivers" in a single (iso?) file on the d: partition which is supposed to be protected by "PCAngel" - as previously explained - and which is supposed to be used together with the CD to effect a total (or partial) recovery.
3. You asked me the same question in your post #10 to which I replied in my post #11 - so you have that info.
G
 
#24 ·
All of these files can be deleted unless you know what they are:
c:\xthinkc\Windows\help\drvspace_result.htm
c:\xthinkc\Windows\help\hwconf_result.htm
c:\xthinkc\Windows\help\lan_result.htm
c:\xthinkc\Windows\help\mdirx_result.htm
c:\xthinkc\Windows\help\mmsn_result.htm
c:\xthinkc\Windows\help\msdos_result.htm
c:\xthinkc\Windows\help\pcmcia_result.htm
c:\xthinkc\Windows\help\print_result.htm
 
#25 ·
Thanks - could you please say how these files were generated? - are they usually regenerated?
What of the other files?
I found it's possible to acquire what I think is a complete drive image DVD from Gateway: I will check it out when it arrives and comment back.
 