can't go to some sites - eg. google.com


  • This topic is locked

#31
greg0r

greg0r

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Salagubang:

It's now been 4 1/2 hours running the fix. I've got other work I need to do with the computer. When you say 'Let the program run unhindered' do you mean 'don't use any other programs at all'?

I'm guessing that something's gone wrong with it, so I've got to stop it. I'll try it again once I've heard back from you and finished my work. Hopefully that doesn't screw something up.
  • 0



#32
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Hi,

I believe it froze. The fix was just to remove the Kaspersky drivers - you may skip the fix.

Is the Rebit software still having issues?
  • 0

#33
greg0r

greg0r

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Salagubang:

Something's really screwed up. After my last message to you, I tried to check my email, and it hung, saying I had 14 messages that it was downloading, but after a couple of hours it had not progressed. I rebooted, and things froze worse. I rebooted again, and I cannot even get into OE to check my email (the start up window - from when I click on 'start' - stays on the screen for a long time, and then when the log in automatically goes back to the login screen, if I log in again the section of the screen that is usually taken up by the start menu is not refreshed, so that the left half of the screen is still the login screen image).

I can't get on the internet either, so I'm sending this message from another computer. Before this happened, and since, it seems like Rebit is still working. The last time I rebooted I opened Rebit from the status bar and paused it, as it was doing its thing, preparing for a backup, and I didn't want <anything> to interfere with my attempts to connect to OE or IE.

So my assumption is that it is working fine, and that the only option I have is to recover using the Rebit recovery disk to a previous date, and it seems that the most sensible date will be April 8th, before I tried the OTL fix. I will do so, and let you know the results. Should be about 1 - 1/2 to 2 hours from now.

Once I've done that, do you think I should try to run the fix again, or not?

How long should it take normally? I would guess that it's really probably like a 5 minute thing, right? And again, does 'uninterrupted' or 'unhindered' mean 'don't use any other programs at all'?

Edited by greg0r, 10 April 2011 - 12:17 PM.

  • 0

#34
greg0r

greg0r

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Salagubang:

I successfully restored, and I <think> things are working ok. A little sluggish at times. Same big delay when going to google.com; it says 'done' but stays on my home page, then TWICE green progress bars march across the bottom, and finally google.ca loads. A google search from there was fast.

Email now works again.

What do you recommend I do now?
  • 0

#35
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Hi,

Let's give it a day to observe the machine. :D
  • 0

#36
greg0r

greg0r

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Salagubang:

Well, it's been an up and down couple of days. Frustrating. After Recovering to the Rebit snapshot of my system for 4/9/11 @ 8:58am I had multiple problems.

- had some issues with my font manager which are probably not related. A corrupted library.xml file. Uninstalled and re-installed several times with no success.
- could not go to internet -start menu freezes
- restarted, got into IE, did a search, 'IE cannot display the webpage' (my original problem...)
- tried to close it, could not. Ended IE app in task mgr, but it stayed on the task bar
- could not click on anything, selected task mgr shut down, turn off, and it restarted rather than turning off
- this happened several times, each reboot the icons on the task bar were in different order
- tried to get into Outlook Express to save newest emails, got 'Application Layer Gateway Service' error...for info about this error click here> Error Signature szappName: alg.exe szAppVer.5.1.2600.5512 szModName:TFWAH.dll szModVer4.11.2.22 offset 00002dd7 and for technical info click here> and got 2 paths to temp directories to a file called alg.exe.mdmp and another called appcompat.txt

After these problems, and that of font manager, I decided to Recover back to 4/10/11 @2:53 pm (ie to put my system back to what it was prior to my first recovery). From another computer I downloaded an xml editor, and after a successful recovery fixed the font manager issue, worked for several hours using a couple of software packages on the problem computer with no difficulties.

- checked my email on a chat client used for work, and the default font (Arial) had changed to an uncial font which was nearly unreadable, almost looking like an Asian alphabet. Found out how to change it, rebooted and it was fixed.
- opened outlook ok, checked email and it started to download message 1 of 1. had to go to work, came back 10 hours later, it was still 'receiving' that message. Task Mgr said cpu usage was high, fluctuating between 60-70-93%, with 765mb+ PF usage. App tab said OE was 'running', as well as Rebit and 2 windows explorer windows. Rebit said the computer was backed up, so it wasn't really doing anything. I terminated OE, opened it again, and it immediately downloaded 10 messages.
- when I clicked on a link in one of those messages, it took several minutes with the hourglass, and then nothing happened. Tried it again, same thing.
- clicked on start button, IE, the window froze. Task mgr said fssm32.exe was using 50-79% cpu, 287,000+ mem usage.
- rebooted (using task mgr shut down, turn off), and it actually did turn off this time
- logging on is pretty fast now...
- clicked on start button, OE, the window froze. no discernible cpu or mem usage. Tried to use task mgr shut down, turn off, 3 times, no result. Manually powered down. Using other computer for this message.

No doubt that's probably more info than you need, but I thought there might be a clue in there somewhere! Clearly I've still got issues with that machine.

What do you suggest I do now?

P.s. I still have some desktop clutter from a previous failed partial install of one of the packages, that left a virus folder and an exe file with a long number on my desktop, and I also have gmer on my desktop which you may remember did not work. At one point I did clean some of that up, but then my recovery operation put it back, and I thought I'd better leave it until I get further instructions...

Edited by greg0r, 13 April 2011 - 12:28 AM.

  • 0

#37
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
I am sorry you're having so much inconvenience.

Do you have the windows installation CD handy?
  • 0

#38
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Go to the Run box on the Start Menu and type in:

sfc /scannow

Make sure to include the space between the first "c" and the "/".

This will run the System File checker and it will scan for corrupt or missing files. It may prompt you to insert the CD if it needs to obtain files.

Please post back when it has finished letting me know what it has reported.
  • 0

#39
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts

> P.s. I still have some desktop clutter from a previous failed partial install of one of the packages, that left a virus folder and an exe file with a long number on my desktop, and I also have gmer on my desktop which you may remember did not work. At one point I did clean some of that up, but then my recovery operation put it back, and I thought I'd better leave it until I get further instructions...

We can assume that the nasties were among what was restored. Let's wait and see if SFC can find and correct borked files.
  • 0

#40
greg0r

greg0r

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Salagubang:

I haven't done anything to my system at all, and last night and just now I had no problem going to either IE or OE. Can't figure that out.

Yes, I have the installation CD. Do I put it in to run the sfc /scannow, or would that be for another operation?
  • 0



#41
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts

> Yes, I have the installation CD. Do I put it in to run the sfc /scannow, or would that be for another operation?

sfc /scannow may need some files and may prompt you to insert the CD if it needs to obtain files. :D
  • 0

#42
greg0r

greg0r

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Salagubang:

Tons of questions embedded in this message. I hope you can answer them all!!

I ran sfc /scannow, and while it took about 20 minutes, when it finished there was no message indicating anything at all. So I don't know what the result is. Is that normal for it to just disappear once the progress bar finishes creeping across the little window box?

Something else that happened during this operation is probably worth noting. My CPU fan suddenly started humming/buzzing (I have had the cover off for the last couple of weeks while I trouble shoot this machine), and as I got close to it, it stuttered a few times (ie the buzz stopped very briefly) and continued to buzz for about 5 minutes. Then it faded, and now sounds quiet and normal again.

Is it possible that my CPU fan could be going, and that some of this flaky stuff has been related to that?

Is there a utility which can check hardware components like that?

And of course, the main question, what do you think I should do next? Should I just see how things operate for a while?

Should I clean up by removing the 'setup_9.0.0.722_07.04.2011_08-44.exe','Virus Removal Tool' and 'gmer.exe'?

Are these just things I delete or do I have to uninstall them some other way? I looked through Ctrl Panel/Add or Remove - I see no reference to any of them there.

What I do see there are ERUNT, Malwarebytes, and Spywareblaster, the last two which I had installed before you started helping me. What do you recommend I do with each of those?

Now for some more of the general questions on that topic: I have a utility which I was using (purchased recently) called 'Advanced System Care 3', which does a lot of optimizing things, and I was quite pleased with it as a rather comprehensive maintenance tool. Do you know anything about it, and should I continue to use it?

Is there anything else you recommend that I do on a maintenance basis, such as regularly running any of the things you directed me to use?

And the other questions I asked before, which you said we'd wait and see on the answers:

3. - do we know what the name of this menace was/is?

4. - is there any indication how I got it, or when?

5. - why couldn't other software find it?

6. - specifically the two files that were deleted are of interest to me:
....
the second one deleted - L:\autorun.inf ...on my Rebit backup drive - what you told me to do with it (jotti, I think) seemed to come up clean, but do we know anything else about it? Because the Rebit software seems to be running properly, it must have been an invader, and whether or not this is the case, I'm still wondering how my 'images' got retroactively infected?

I just went back through our correspondence, and tried to go to ESET (http://eset.com/onlinescan, which failed before), and got the same result 'Internet Explorer cannot display the webpage'. This is of course the same problem I started with, so is it still a problem, or is there some other reason I can't go there? Does the link work for you?
  • 0

#43
greg0r

greg0r

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Another thing I forgot to mention. Not sure if it's relevant, but when I ran sfc, I got a message that said 'Insert your Windows Professional Service Pack 3 CD now'

- I am not using Professional on this machine, but Home. I'd think that Windows would know that...
- I don't have a SP3 Cd, and as most people download and update from Windows update I'd expect very few do...
- is it possible that these points might indicate that sfc didn't do what it was supposed to do?
  • 0

#44
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Hi,

> I ran sfc /scannow, and while it took about 20 minutes, when it finished there was no message indicating anything at all. So I don't know what the result is. Is that normal for it to just disappear once the progress bar finishes creeping across the little window box?

Yes, it is normal. System File Checker may only need user intervention if a required file cannot be replaced/copied or is missing.

> Something else that happened during this operation is probably worth noting. My CPU fan suddenly started humming/buzzing (I have had the cover off for the last couple of weeks while I trouble shoot this machine), and as I got close to it, it stuttered a few times (ie the buzz stopped very briefly) and continued to buzz for about 5 minutes. Then it faded, and now sounds quiet and normal again.

What you noticed was probably the fan control working. It is a feature common in AMD systems and with some motherboards. When the CPU heats up while working at full load, the fan automatically adjusts its speed to compensate and cool down the processor. This may or may not be true in your case if this is the first instance you ever noticed the machine doing that.

> Is it possible that my CPU fan could be going, and that some of this flaky stuff has been related to that?

Yes, a failing processor fan would fail to cool down a processor under load and may lead to the symptoms you are experiencing, i.e., unresponsiveness and extreme lag.

> Is there a utility which can check hardware components like that?

Speedfan is one of my favorites for monitoring hardware temperature. If you notice temps going above 60deg (except for video card temps) then you may have just discovered a hardware failure.

> And of course, the main question, what do you think I should do next? Should I just see how things operate for a while?

Since you performed a restore function (and prolly every nasty bugger was also restored) I recommend doing a full scan to have nasties in check.

Download Dr.Web CureIt to the desktop.
  • Doubleclick the drweb-cureit.exe file, then on Start and allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow [image] at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    [image]
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    [image]
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

> Should I clean up by removing the 'setup_9.0.0.722_07.04.2011_08-44.exe','Virus Removal Tool' and 'gmer.exe'?
>
> Are these just things I delete or do I have to uninstall them some other way? I looked through Ctrl Panel/Add or Remove - I see no reference to any of them there.
>
> What I do see there are ERUNT, Malwarebytes, and Spywareblaster, the last two which I had installed before you started helping me. What do you recommend I do with each of those?

I'll help you perform a system wide clean after we're done with the supplementary scan.

> Now for some more of the general questions on that topic: I have a utility which I was using (purchased recently) called 'Advanced System Care 3', which does a lot of optimizing things, and I was quite pleased with it as a rather comprehensive maintenance tool. Do you know anything about it, and should I continue to use it?

The company behind Advanced System Care has been accused of stealing a proprietary database and intellectual property for their software.
Ref:
http://miekiemoes.bl...tellectual.html
http://forums.malwar...ndpost&p=152610

> Is there anything else you recommend that I do on a maintenance basis, such as regularly running any of the things you directed me to use?

I do have some recommendations for the machine and will post them when we start the clean up.

> And the other questions I asked before, which you said we'd wait and see on the answers:
>
> 3. - do we know what the name of this menace was/is?
>
> 4. - is there any indication how I got it, or when?
>
> 5. - why couldn't other software find it?
>
> 6. - specifically the two files that were deleted are of interest to me:
> ...
> the second one deleted - L:\autorun.inf ...on my Rebit backup drive - what you told me to do with it (jotti, I think) seemed to come up clean, but do we know anything else about it? Because the Rebit software seems to be running properly, it must have been an invader, and whether or not this is the case, I'm still wondering how my 'images' got retroactively infected?

No, we do not know the name of the menace that hit your machine. My guess is an intrusion by a rogue (fake-alert, scareware) has occurred and your AV has detected and cleaned it (but not without leaving some damage). Although interestingly some malware intentionally wipes its own traces after wreaking havoc in a machine.

> I just went back through our correspondence, and tried to go to ESET (http://eset.com/onlinescan, which failed before), and got the same result 'Internet Explorer cannot display the webpage'. This is of course the same problem I started with, so is it still a problem, or is there some other reason I can't go there? Does the link work for you?

The link is working for me. Can you try opening ESET Online Scanner using Firefox?

:D
  • 0

#45
greg0r

greg0r

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Salagubang:

Wow, that Dr. Web sure took a long time to scan! No doubt it was because there's almost half a terabyte of backup on my L:Rebit drive. For some reason it asked me on the first virus <and> the fifth one if I wanted to move or cure, and both times I said 'Yes to all' as you directed. It ran from April 18 at 12:20 pm to about 3 am today, April 21, including the times it was waiting for feedback from me on those files.

A few things:

- the interface was not quite like you thought - there was no icon as you indicated before the Move incurable step. Nonetheless I figured out how to do it, and it appeared to save the file properly.
- when I quit dr. Web, all I got was the background image, no desktop. I tried to ctrl-alt-del a couple of times to bring up the task manager, and nothing happened. I was reluctant to power down, but figured I had no option, and when I pressed the power button, the desktop came back, with task mgr open, and a Threatfire notice, but it disappeared in the process of reboot before I could see what it all said. When it rebooted, it felt it was necessary to do a chkdsk of L:, my rebit backup drive, and I let it do so.
- OTL.exe was one of the files it found and quarantined. I assume that the file is actually not a problem, and that the nature of the file's purpose and operation is such that it only appears to be a problem. At any rate, the file has of course disappeared from where it was, and I'm thinking that I'd better wait for your go ahead before I either unquarantine it (if that's possible) or I redownload it to create a new OTL log.

Here's the Dr.Web.csv contents:
2f619dd6-93ae-4b8b-bccd-de3da63bcd0c0.0\data001;L:\Rebit\data\cfs2\C\29\6\2f619dd6-93ae-4b8b-bccd-de3da63bcd0c0.0;Tool.NirCmd.1;;
2f619dd6-93ae-4b8b-bccd-de3da63bcd0c0.0;L:\Rebit\data\cfs2\C\29\6;Container contains infected objects;Moved.;
1e395d7b-05b6-4737-a624-bac235028ef30.0\data001;L:\Rebit\data\cfs2\C\37\62\1e395d7b-05b6-4737-a624-bac235028ef30.0;Trojan.DownLoader2.12660;;
1e395d7b-05b6-4737-a624-bac235028ef30.0;L:\Rebit\data\cfs2\C\37\62;Container contains infected objects;Moved.;
e7910cbd-acd7-4c78-8eed-1af7f8e75f4d0.0\data001;L:\Rebit\data\cfs2\C\81\47\e7910cbd-acd7-4c78-8eed-1af7f8e75f4d0.0;Trojan.Siggen2.25631;;
e7910cbd-acd7-4c78-8eed-1af7f8e75f4d0.0;L:\Rebit\data\cfs2\C\81\47;Container contains infected objects;Moved.;
0cdf1ac0-6bf2-45fe-9313-b9ce08a99e940.0\data001;L:\Rebit\data\cfs2\C\95\34\0cdf1ac0-6bf2-45fe-9313-b9ce08a99e940.0;Probably SCRIPT.Virus;;
0cdf1ac0-6bf2-45fe-9313-b9ce08a99e940.0;L:\Rebit\data\cfs2\C\95\34;Container contains infected objects;Moved.;
OTL.exe;D:\Greg\downloads\technical utilities\troubleshooting\scanners+cleaners\OTL;Trojan.Siggen2.25631;Incurable.Moved.;
nircmd.exe;D:\Greg\Technical\Software\james disk\Windows7++ (J)\Freeware\Nircmd;Tool.NirCmd.1;Moved.;
A0038356.exe;D:\System Volume Information\_restore{991E0322-35B4-4063-A410-BF65C029546B}\RP132;Trojan.Siggen2.25631;Incurable.Moved.;

Edited by greg0r, 21 April 2011 - 10:12 AM.

  • 0
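
Added example (not part of the original thread, and not Dr.Web's or the helper's own tooling): a small triage of a DrWeb.csv report like the one posted above, separating detections inside the Rebit backup store and System Restore points from live files, and pairing each "data001" row with the action recorded on its container row. The location rules and the reading of the "Tool." and "Probably" prefixes are assumptions drawn from the paths and names visible in that report; the sample rows are copied from it.

```python
import csv
from collections import Counter, defaultdict

# Rows copied from the report in the post above (object;path;threat;action;).
SAMPLE_REPORT = r"""
2f619dd6-93ae-4b8b-bccd-de3da63bcd0c0.0\data001;L:\Rebit\data\cfs2\C\29\6\2f619dd6-93ae-4b8b-bccd-de3da63bcd0c0.0;Tool.NirCmd.1;;
2f619dd6-93ae-4b8b-bccd-de3da63bcd0c0.0;L:\Rebit\data\cfs2\C\29\6;Container contains infected objects;Moved.;
OTL.exe;D:\Greg\downloads\technical utilities\troubleshooting\scanners+cleaners\OTL;Trojan.Siggen2.25631;Incurable.Moved.;
nircmd.exe;D:\Greg\Technical\Software\james disk\Windows7++ (J)\Freeware\Nircmd;Tool.NirCmd.1;Moved.;
A0038356.exe;D:\System Volume Information\_restore{991E0322-35B4-4063-A410-BF65C029546B}\RP132;Trojan.Siggen2.25631;Incurable.Moved.;
"""

CONTAINER_NOTE = "Container contains infected objects"


def where(path):
    """Classify a path by where the file lives (assumed rules, see lead-in)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"
    if "\\rebit\\data\\" in p:
        return "backup-store"
    return "live-file"


def kind(threat):
    """Rough category from the detection name prefix (assumed meaning)."""
    if threat.startswith("Tool."):
        return "riskware"
    if threat.startswith("Probably"):
        return "heuristic"
    return "malware"


def triage(report_text):
    lines = report_text.strip().splitlines()
    rows = [r for r in csv.reader(lines, delimiter=";") if len(r) >= 4]
    # Container rows carry the action; key them by their full path so the
    # object found inside (whose own action column is empty) can be matched.
    containers = {f"{r[1]}\\{r[0]}": r[3] for r in rows if r[2] == CONTAINER_NOTE}
    findings = []
    for obj, path, threat, action, *_ in rows:
        if threat == CONTAINER_NOTE:
            continue
        findings.append({
            "object": obj.rsplit("\\", 1)[-1],
            "location": where(path),
            "kind": kind(threat),
            "threat": threat,
            "action": action or containers.get(path, "none recorded"),
        })
    return findings


def summarize(findings):
    """Count findings per (location, kind)."""
    return Counter((f["location"], f["kind"]) for f in findings)


def by_signature(findings):
    """Group findings by detection name to spot copies of the same file."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["threat"]].append((f["location"], f["object"]))
    return dict(groups)


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f["location"], f["kind"], f["threat"], f["object"], f["action"])
```

Findings that share a detection name across a live file and a System Restore point are worth reviewing together, since the restore-point entry may be a saved copy of the same file.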





