Precautions needed during scanning?

  • Thread starter Thread starter mm
  • Start date Start date
From: "mm" <[email protected]>

| On Fri, 8 Oct 2010 06:29:56 -0400, "David H. Lipman"

| Well, I don't know much about SATA yet, but it has an L shaped
| connector slot on both ends of the included cable. That means SATA
| iiuc, right?

eSTATA means External SATA and has a different cable that plain SATA which is an internal
cabling. If the cable is a 'L' shape it is just SATA.
 
Dustin said:
Hmm; I'm wondering if kaspersky is false alarming. Is it still
reporting a problem with updates?

[...]

If Kaspersky is false alarming on a standard MBR, that would be very
embarrassing for them, and I suspect more than one person would be
here asking about it. Even fairly common non-standard MBR's should
have been vetted by the QC process.

Just a thought. :)
 
This just in! Scanning with the Panda Rescue Disk removed 16
instances of malware.
Scanning with Kaspersky Rescue Disk removed 26
but said it couldn't delete or disinfect Rootkit.win32.TDSS.mbr , at the
root level, the MBR iiuc.

What should I do about that one!

For lack of a better idea, I'm thinking of using the Recovery Console
of an XP installation disk and running FixMBR. ??

Follow-up on what has happened since last Wednesday:

AFAICT the computer is fixed now. I'm going to leave it up to my
friend to test more functions, although she uses very few functions.
So this is just let you all know what I did and what happened, since
you were nice enough to help me.

What I did since Wednesday:

After scanning with Panda and Kaspersky, as described above, I scanned
with BitDefender and it found and deleted 5 infected files with four
different trojans.

Then I used the CD version of AVG and found and deleted only 3
tracking cookies.

Sometime during this process, I tried to get into the BIOS, but
couldn't' because a password requirement had suddenly appeared (I'd
entered the BIOS before with no password) but I decided this wasn't' a
critical problem. Later I found software that decoded the hash number,
and I went into the bios and removed the password.

Then I debated about fixing the MBR problem right away or trying to
start Windows. I chose the latter.

Windows partially started, with few error boxes.

One was SVCHOST.EXE Application error. The instruction at "0x00000000"
referenced memory at "0x00000000". The memory could not be "written".
I googled this but didn't find much with both same addresses.

Also, it only got to the Choose Persona screen and I would click on
one, and 3 seconds later it would close the persona with the message
Saving Settings. I could either repeat that failed attempt or exit.

I thought of the mbr problem and even though it now doesn't seem
related, I thought I should fix it. I tried to use XP installation
disk Recovery Console fixMBR to fix the MBR, but it would read the CD
for a couple minutes, the CD light would flash, and then it would
start to boot as if there were no CD. Actually, the first couple
times were worse. This happened very quickly, it paused about 10
seconds, and I didn't even see the light go on, and since I knew I had
deleted parts of windows, I was also scared that I had deleted/ruined
that part of the file system that could use a CD. I didn't know what
I would do then, if it didn't start and wouldn't read a CD. I went to
sleep thinking maybe I had totally ruined her computer.

The next day I tried one of the AV boot CD's again, and it could read
that, even though it still couldn't read my XP CD, a copy admittedly,
but it did work on my computer. Hmmm. Maybe the problem was that it
wasn't HP? But I've read that any WinXP Install CD should be able to
repair an XP installation.


Even though I checked ever infected file before deleting them and
didn't see anything I thought basic to windows, I figured I had
deleted something important**, and decided to install Windows over the
current Windows using the HP XP SP3 CD that came with the computer.

**Indeed I had. By this time I had forgotten what all was on the list
that Panda, the first one I ran, deleted, but I see it includes
C]\windows\system32\winlogon32.exe and wshudh32.dll. I haven't checked
but I think these could be responsible for failure of Windows to
start. At Panda time, I hoped they wouldn't matter that much, and I
deleted them, even if Panda might have -- I don't remember -- offered
to disinfect them. Which should I have done?

Even though MS makes little or no effort to say how to do this, I got
it done but afterwards there were still problems.

Still some problems so I reinstalled Windows again. I had a good
reason at the time, possibly incorrect but good, but I forget what it
was.

So I ran CCleaner, and let it delete almost everything it wanted to.
She goes mostly to 3 or 4 websites and any history that is lost she
can recreate. Fewer errors now and the remaining errors seemed to
have to do with Norton Anti-Virus.

Running Windows, every time I clicked on a file in my windows explorer
equivalent, Norton AV kept trying to install itself, but several steps
in , it couldn't find Symantic Antivirus.msi. None of the AV scanners
tried to delete that, but it wasn't there. I installed AVG because it
had to have something until NAV was fixed. Eventually I talked to my
friend and she had no special affection for NAV, so I uninstalled as
much as I could. I hear there is one file or registry entry that won't
uninstall, but maybe it won't bother her.

I ran TDSSKiller from within windows to fix the MBR problem. I ran it
3 times, rebooting after each time, and each time it said the problem
was still there. The next day it didn't say that. ?

IE6 didn't work, it started and then after 10 seconds told me it had
to close again. I installed Firefox from a copy I keep on my
flashdrive.

Firefox opened and stayed open but didn't work because I couldn't
connect to the internet. The icon in the systray recognized my
wireless network, called it by name, and I plugged in a cable to the
router, but neither method together or alone would connect. I tried
"Wireless Network Wizard" but it looked like it would do more than I
wanted, so I stopped before it did anything.

Also Start/Run would work with some commands, but not MSINFO32.

Task Manager, Cntl-alt-delete, also didn't work, so I dl'd and
installed SuperAntiSpyware, which includes a set of repair tools, one
of which is to repair Task Manager after malware ruins it. It took 5
seconds and TM worked again.

I ran the other repair tools, unless they were clearly meant for
things that I knew worked, or they were for "policy" matters. Maybe I
should have run the policy ones too. I saw no change from these
other tools.

I rebooted more than once during this time.

I went to bed thinking IE, the internet, and msinfo32 didn't work.

The next day they all worked.

I installed AVG Free since I had to have something until Norton
worked. Later she told me she didn't care about Norton so I
uninstalled Symantic AV and also Live Update, and deleted one more
Norton program I came across the start/program list.

I scanned the whole SSD with AVG and found no problems. Earlier I had
rescanned with the PANDA boot CD, which also updates its defs from the
net, and found no problems.

I went through the msconfig startup program box as HP set it up and
found 5 startups related to reading or translating east Asian
languages. She said she never does that so I unchecked them. I found
two related to easily changing video settings, like if one uses a
full-size monitor sometimes. She never does that so I unchecked them.

I found HP mobile broadband, which AIUI she would have to pay extra to
use, like 40 dollars a month?? Nonetheless it was already installed
and running, so I unchecked that.**

She also has nothing that uses Bluetooth, so I unchecked that.

Startups I disabled, some already referred to above, include igfxtray,
igfxpers, IMEKRMIG, IMJPMIG, ImScInst, two copies of TINTSETP, and
Bluetooth.

I also disabled rundllxxxx in msconfig, when I suspected it was
malware. Now I know it is, and in the XP group I learned where
disabled startup entries are kept (It's not run- like in 98) but I
haven't gone there to remove this. Maybe I won't since the file
itself is gone. Isn't this something CCleaner would find and remove
if I ran it again? OTOH, I don't think any of the virus scanners found
rundllxxxxx.

I also found a reference to smss32.exe somewhere, and deleted that. I
think Panda had already deleted the file. This is not to be confused
with smss.exe, which is a valid windows file, though I read it is
often a virus too when found in the wrong directory.

I did, of course, leave a startup I've never seen that enables the
scrolling function of the touchpad. I also left Key Commands, hkcmd,
and 2 sttray entries, and MCCITrappApp, VerizonServicePoint, and
AESTFltr, called Echostop, which came from the factory and seems to be
about improving sound quality. Maybe there was reverb from the
speakers and microphone, and that's what they mean by echo?

Maybe a couple little things I have forgotten, but they would be
obvious to someone who made it this far.

Soon after I started running Automatic Update supplied 32 updates, and
the following day 36 updates, including IE8. I think maybe 3 updates
later. Firefox supplied an update too, but only to v3.5.13 even
though days ago it had provided me with v3.6.10. I wonder why that
is, and if it will upgrade again soon.

And now it works fi... Well, just as I'm patting myself on my back, I
get a bubble that says no AV and AVG says There are no active
components ! It's 1:44, and the computer was started 10 or 15
minutes ago. What's going on. The first thing I did is turn off the
wireless internet connection. Now it's 1:47 and AVG says it is all
working correctly. I've had this in my own computer for 5 or 10
seconds, but here, with a faster CPU, it took maybe 3 minutes to
activate. Hmmm. It seems like it started to update virus definitions
soon after I turned it on, and when it was done but the computer not
restarted, it said AVG wasn't working. I've never had that, but this
is version 11 Free, which I dl'd 2 days ago. Even though I have
automatic updates, it hasn't tried or offered to update my version 10
Free to version 11 Free. Maybe I should do it by hand.

Version 11 Free has an on-demand (and maybe schedulable) rootkit
scanner. It also has PC Analyser which on demand and maybe live finds
Registry Errors, Junk Files, Fragmentation, and Broken Shortcuts.
However I don't think it will fix them unless you buy AVG Pro, haha,
but I can take each one out by hand if I want to. I did remove some.
This computer has a Solid State Drive and there is no point to
defragging it. With older SSDs it was unneeded harmful wear and tear
to defrag the drive.

Okay, despite this interruption, it is working fine now.


**(There is also something called Verizon Wifi, which is iiuc free
for people with Verizon DSL but not the slowest Verizon DSL. However
it has no hotspots in 5 zipcodes in Baltimore, and only one hotspot in
21201, the heart of downtown, I think! In NYC it does better. A
webpage says it has 150 hotspots and they plan 1000 by year end.
Unfortunately, they don't say what year, and there is no date on the
webpage. How typical!)
1) I have a router. If my computer and the laptop with the malware
are both plugged into the router at the same time, can the laptop
infect my computer?


3) Kaspersky had as the default option, Prompt for Action, when an
infected file is found. Wouldn't that mean I'd have to be watching
the entire time the scan ran, and if I were out of the room, it would
wait for me, making the scan take that much longer?

Yes, this appears to be true. I ran Kaspersky again without checking
the settings and indeed, I think it stopped right after it examine the
MBR, which still had a problem. I canceled that scan, changed the
setting, and ran it again.
I changed it to
"Prompt for action at end of scan". Stupid question maybe, but isn't
that better for most people? Yeet it's not the default.

Any other settings I should have changed for a heavily infected pc?
They had one two levels deep in the settings called, "Don't expand
very large files". I've never understood whether files inside zip
files etc. can do harm -- does any malware expand archives etc. after
I have scanned?
Thanks.

Thanks again for all your help.

MM
 
Dustin said:
So AVG and Bit Defender and Panda didnt' find this MBR problem.
That doesn't mean it's not there, right? Just that Kaspersky is
better on mbr's?

Hmm; I'm wondering if kaspersky is false alarming. Is it still
reporting a problem with updates?

[...]

If Kaspersky is false alarming on a standard MBR, that would be very
embarrassing for them, and I suspect more than one person would be
here asking about it. Even fairly common non-standard MBR's should
have been vetted by the QC process.

Just a thought. :)

I'm pretty sure now it was really a problem, but that means the other
five software things I used fail to notice the problem.
 
So AVG and Bit Defender and Panda didnt' find this MBR problem.
That doesn't mean it's not there, right? Just that Kaspersky
is better on mbr's?

Hmm; I'm wondering if kaspersky is false alarming. Is it still
reporting a problem with updates?

[...]

If Kaspersky is false alarming on a standard MBR, that would be
very embarrassing for them, and I suspect more than one person
would be here asking about it. Even fairly common non-standard
MBR's should have been vetted by the QC process.

Just a thought. :)

I'm pretty sure now it was really a problem, but that means the
other five software things I used fail to notice the problem.

It would have been nice to be able to acquire a dump of that mad mbr
for a closer inspection... :(
 
From: "Dustin" <[email protected]>

On Sun, 10 Oct 2010 18:39:04 GMT, Dustin
So AVG and Bit Defender and Panda didnt' find this MBR problem.
That doesn't mean it's not there, right? Just that Kaspersky
is better on mbr's?
Hmm; I'm wondering if kaspersky is false alarming. Is it still
reporting a problem with updates?
[...]
If Kaspersky is false alarming on a standard MBR, that would be
very embarrassing for them, and I suspect more than one person
would be here asking about it. Even fairly common non-standard
MBR's should have been vetted by the QC process.
Just a thought. :)
I'm pretty sure now it was really a problem, but that means the
other five software things I used fail to notice the problem.


| It would have been nice to be able to acquire a dump of that mad mbr
| for a closer inspection... :(


I'm sure Gmer and Ad what like to have it as well :-)
 
From: "Dustin" <[email protected]>

On Sun, 10 Oct 2010 18:39:04 GMT, Dustin


So AVG and Bit Defender and Panda didnt' find this MBR problem.
That doesn't mean it's not there, right? Just that Kaspersky
is better on mbr's?
Hmm; I'm wondering if kaspersky is false alarming. Is it still
reporting a problem with updates?
[...]
If Kaspersky is false alarming on a standard MBR, that would be
very embarrassing for them, and I suspect more than one person
would be here asking about it. Even fairly common non-standard
MBR's should have been vetted by the QC process.
Just a thought. :)
I'm pretty sure now it was really a problem, but that means the
other five software things I used fail to notice the problem.


| It would have been nice to be able to acquire a dump of that mad mbr
| for a closer inspection... :(


I'm sure Gmer and Ad what like to have it as well :-)

I wish I'd thought of that. If it comes again somewhere, I still
don't know how to copy an mbr.
 
From: "mm" <[email protected]>

| On Fri, 15 Oct 2010 18:26:21 -0400, "David H. Lipman"
| said:
From: "Dustin" <[email protected]>
| news:[email protected]:
On Sun, 10 Oct 2010 18:39:04 GMT, Dustin


So AVG and Bit Defender and Panda didnt' find this MBR problem.
That doesn't mean it's not there, right? Just that Kaspersky
is better on mbr's?
Hmm; I'm wondering if kaspersky is false alarming. Is it still
reporting a problem with updates?
[...]
If Kaspersky is false alarming on a standard MBR, that would be
very embarrassing for them, and I suspect more than one person
would be here asking about it. Even fairly common non-standard
MBR's should have been vetted by the QC process.
Just a thought. :)
I'm pretty sure now it was really a problem, but that means the
other five software things I used fail to notice the problem.
| It would have been nice to be able to acquire a dump of that mad mbr
| for a closer inspection... :(
I'm sure Gmer and Ad what like to have it as well :-)

| I wish I'd thought of that. If it comes again somewhere, I still
| don't know how to copy an mbr.

There are utilities for capturing it. All you have to do is ask.
 
Back
Top