AVG Virus Scan now reports "error reading boot sector" in safe mode

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BamBam13, Sep 24, 2007.

  1. BamBam13

    BamBam13 Private E-2

    Hi. I followed all the steps in the Read Me & Run Me thread except the posting of the logs. :-o

    Spybot and AVG Antispyware didn't find any infections at all - gave my laptop a clean bill of health. (Gave up on Counterspy; I left it updating the entire night while I went to sleep because it had only progressed about 1/10 after I waited around 30 minutes. When I woke up in the morning, there was an error updating message. Tried to update again but gave up after 30 minutes of painfully slow updating. My internet connection speed is 384kbps.)

    The BitDefender online scan found two "infections" or something, but I recognized one of the files as part of the HP stuff that has been running in my Compaq laptop since the very first day it was booted (more or less). :p cpqset.exe. Bitdefender reported having deleted it after unsuccessfully trying to clean it, but when I rebooted in normal mode, cpqset was still up and running. :-o

    Panda online scan reported one spyware, but I recognized the filename as an HP Total Care online diagnostics tool ActiveX.

    I did the getrunkey and shownew and hijack this but didn't know whether I should post after no real malware was found (according to me). Heehee. :p

    Then I tried running AVG Antivirus in safe mode and it reported an error reading boot sector or something like that and a hosts file change. That's all. No threats detected at the end of the scan. What's a hosts file change? I only encountered that result after doing the Read Me & Run Me First procedure; but then again that was the first time I tried to run AVG Antivirus in safe mode.

    My laptop still boots up, shuts down, and responds a lot slower than it used to. I discovered CCleaner a few weeks back and it had done wonders the first time I ran it. It got rid of almost 2GB. My laptop was so fast after that. A few days later almost immediately after replacing McAfee Virus Scan with AVG Virus Scanner and running Comodo Firewall Pro and disabling Windows Firewall, the following things happened that made me suspect that my computer was infected by malware:

    1) Comodo Firewall Pro (which I had just installed a few hours prior to these occurrences) encountered an error and needed to close.
    2) All Microsoft updating failed consistently after that. (I'd only experienced around 3 or 4 failed updates in the three years I've had this computer, so I got alarmed when all of my attempts to update failed.)
    3) My computer started responding really slowly. Could count to 10 before a window opened.
    4) I got a phony looking error reporting pop up that prompted me to report several errors. When I clicked on "What does this report contain?", there were several identical entries of "Mallware Signeture Update Failed." Seriously, MALLware... like the stuff you find at the mall! And sigNEture!
    5) Upon viewing the task manager I found one svchost.exe reaching over 120,000 mem usage. I'd never seen that before.
    6) Several minutes after restarting my computer, I accidentally hovered over the Comodo Firewall Pro task tray icon and found that it was still "initializing". I restarted my laptop again to see if that would fix it. It still got stuck at "initializing" and never got to "All systems are up and running."

    After uninstalling Comodo Firewall Pro and re-enabling Windows Firewall didn't solve the problem, I wandered into the MajorGeeks Forums and did the malware removal procedure. It seems to have improved my laptop's performance a little, but it's still a bit slow and the "error reading boot sector" report of AVG Virus Scan sounds scary. :( There's also a hosts file change entry every time AVG Virus Scan runs now. But it reports that there were "No Threats Detected" all the time.

    By the way, my hard disk has had 4 bytes in bad sectors for over a year now. It hasn't affected performance at all. I've only experienced one crash and the automatic checkdisk that followed immediately after was how I found out about the bad sectors over a year ago. It hasn't crashed again ever since. But it hasn't been behaving "normally" since a week ago. :(

    Sorry about the jumble of information. If anybody understands any of it, please help. Thanks.
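The "hosts file change" mentioned above refers to entries in Windows' hosts file (System32\drivers\etc\hosts), which maps host names to addresses before DNS is consulted; malware sometimes adds entries there to redirect sites or to send update and security-vendor domains to a dead address, which is one way Windows Update can start failing. The following PowerShell script is an added example (not from this thread or from AVG) that lists every active hosts entry and flags the ones a technician would want to look at: any that points somewhere other than the local machine, and any that pins a known update or security-vendor name even to localhost. The keyword list is a constructed illustration, not a vendor-supplied set.

```powershell
# Added example: review the Windows hosts file for entries that deserve a second look.
# Run from an elevated or normal PowerShell prompt; the file is world-readable.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Addresses that only point back at the local machine (a clean XP-era hosts file
# normally contains just "127.0.0.1 localhost").
$localAddresses = @('127.0.0.1', '::1', '0.0.0.0')

# Constructed keyword list: names that legitimate software never needs pinned in hosts.
# An entry sending one of these to localhost blocks updates rather than redirecting them.
$sensitiveNameParts = @('windowsupdate', 'update.microsoft', 'avg', 'mcafee',
                        'symantec', 'bitdefender', 'majorgeeks')

# Parse the file: strip comments, skip blank lines, split "address name [name ...]".
$entries = Get-Content -Path $hostsPath -ErrorAction Stop |
    ForEach-Object { ($_ -split '#')[0].Trim() } |
    Where-Object { $_ -ne '' } |
    ForEach-Object {
        $fields = $_ -split '\s+'
        if ($fields.Count -ge 2) {
            [pscustomobject]@{
                Address = $fields[0]
                Names   = @($fields | Select-Object -Skip 1)
            }
        }
    }

$findings = foreach ($entry in $entries) {
    $reasons = @()
    if ($localAddresses -notcontains $entry.Address) {
        $reasons += "points to non-local address $($entry.Address)"
    }
    foreach ($name in $entry.Names) {
        foreach ($part in $sensitiveNameParts) {
            if ($name -like "*$part*") { $reasons += "pins update/security name $name" }
        }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Address = $entry.Address
            Names   = ($entry.Names -join ' ')
            Reason  = ($reasons -join '; ')
        }
    }
}

"Active hosts entries: $(@($entries).Count)"
if (@($findings).Count -eq 0) {
    'No entries flagged; the hosts file only maps names to the local machine.'
} else {
    $findings | Format-Table -AutoSize
}
```

A clean result on an XP machine is a single "127.0.0.1 localhost" line. A flagged line is not automatically malware (some ad-blocking hosts lists add thousands of 0.0.0.0 entries), so the output is something to post alongside the scan logs rather than something to act on blindly.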
     
  2. BamBam13

    BamBam13 Private E-2

    By the way, posting this was kind of a spur of the moment thing. I can't provide the logs of the scans because I left my laptop at the office today. But please post suggestions if you have them. I can bring my laptop home tomorrow if necessary.

    Thanks.
     
  3. abri

    abri MajorGeek

    Hi BamBam!
    Your name looks familiar. If you've run HijackThis, ShowNew and GetRunKeys, please post the logs and let us look at them. Have you tried to return to a restore point from the time between when you deinstalled McAfee and deactivated the Windows Firewall and installed Comodo and AVG? I think this was the point when your computer was in the best shape and it would help if you could get back to that point!

    The names of the logs you'll be looking for are:

    - newfiles.txt
    - runkeys.txt
    - hijackthis.log

    abri
     
  4. BamBam13

    BamBam13 Private E-2

    Hi, Abri. I've posted once before, asked a question about the Read Me & Run Me First procedure. :)

    I forgot that I had previously (actually, more than two years ago already) adjusted the amount of disk space to use for system restore. When I checked the restore points, there was only one and the time on it was after my problems occurred. :(

    For all its life (more than three years now), my laptop has actually been doing quite well with just McAfee Virus Scan, Windows Firewall, and Ad-aware SE Personal protecting it. But I recently read about McAfee being a resource hog and Windows Firewall being inadequate, so I thought I could improve performance by replacing McAfee with a low-resource consuming virus scan and improve protection by using a two-way firewall.

    I don't know where I went wrong, but something may have infiltrated my system at the point where I switched. I think I uninstalled McAfee right before installing AVG (read about old virus scanners interfering with new scanner installation even when disabled) and I may have deactivated Windows Firewall right before installing and updating Comodo Firewall Pro.

    Anyway, I'll bring my laptop home from work this afternoon so I can post the logs you requested. Thanks.
     
  5. abri

    abri MajorGeek

    Hi BamBam,
    It was not you I was thinking of if you posted two years ago. There was someone with a similar name sometime in the past week or two. From what you describe, it definitely sounds like you have malware. It's unusual for BitDefender to try and delete a legitimate file, so please post that log too. I'd like to see if the file Bit went after is in the correct location.
    Thanks!
    abri
     
  6. BamBam13

    BamBam13 Private E-2

    Yikes. I'd have much preferred "mallware". Haha! Anyway, I'm attaching some logs here. The BitDefender log is the one named bdscan, right? :confused
     

    Attached Files:

  7. BamBam13

    BamBam13 Private E-2

    Second batch of logs. AVG Antispyware log just says "Nothing Found" so I'm not attaching it. :)
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi BamBam13!

    Sorry I left you sitting! BitDefender did remove two backdoors, but other than that, your logs are pretty clean. I will give you a set of instructions to make your computer less vulnerable. If you still have Comodo on your computer, I think you should uninstall it and for the time being, if you're behind a router, put the Windows Firewall back on. See if that works better with AVG. You may still have some remnants of McAfee on your computer.

    To begin with, please do the following:

    1) Go to add/remove programs and uninstall the following:
    - Java 2 Runtime Environment, SE v1.4.2_05
    - Java(TM) SE Runtime Environment 6 Update 1

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Please run McAfee Consumer Product Removal Tool (SymNRT)

    4) Did you set the following as your start page? If not, please run the instructions below to remove it. If you want to keep it, skip to step 5.

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    Again, make sure ALL browser windows are closed when you click FIX.

    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    6) After you have completed ALL of the above in the correct order, please attach the following logs.
    • ShowNew Log
    • HijackThis Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
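The steps above remove old Java runtimes, leftover McAfee components and Windows Messenger, each of which widens the attack surface of an unpatched machine. The PowerShell script below is an added example (not part of this thread or of any of the tools it names) for checking afterwards what is still registered in Add/Remove Programs. It reads the Uninstall registry keys, which is the same data the Add/Remove Programs dialog shows, and filters on a constructed list of product names. Windows Messenger (the XP built-in, as opposed to Windows Live Messenger) is not listed there, which is why the thread uses a dedicated removal tool; the script instead tests for its usual executable path under Program Files\Messenger, an assumption about the default install location.

```powershell
# Added example: verify which of the products targeted by the removal steps are still
# registered, and whether the Windows Messenger executable is still present.

# Both keys are queried so the script also works on 64-bit Windows; the WOW6432Node
# key simply does not exist on 32-bit XP and is skipped silently.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Constructed name fragments matching the products discussed in the thread.
$productPatterns = @('Java', 'J2SE', 'McAfee', 'Comodo', 'Messenger')

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $name = $_.DisplayName
        $hit = $productPatterns | Where-Object { $name -like "*$_*" } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Matched         = $hit
                DisplayName     = $name
                Version         = $_.DisplayVersion
                Publisher       = $_.Publisher
                UninstallString = $_.UninstallString
            }
        }
    } | Sort-Object Matched, DisplayName

if (@($installed).Count -eq 0) {
    'None of the listed products is registered in Add/Remove Programs.'
} else {
    'Still registered in Add/Remove Programs:'
    $installed | Format-Table Matched, DisplayName, Version, Publisher -AutoSize
}

# Multiple Java entries are the case the thread warns about: each old runtime stays
# installed (and unpatched) beside the new one unless removed explicitly.
$javaCount = @($installed | Where-Object { $_.Matched -in @('Java', 'J2SE') }).Count
if ($javaCount -gt 1) {
    "WARNING: $javaCount Java runtimes registered; only the newest should remain."
}

# Assumed default location of the XP built-in Windows Messenger (not Windows Live).
$messengerExe = Join-Path ${env:ProgramFiles} 'Messenger\msmsgs.exe'
if (Test-Path -Path $messengerExe) {
    "Windows Messenger is still present at $messengerExe (needs the removal tool, not Add/Remove Programs)."
} else {
    'Windows Messenger executable not found; it appears to have been removed.'
}
```

Run it once before and once after the removal steps; the second run should list only the current Java runtime, no McAfee or Comodo entries, and report the Messenger executable as absent. Anything that survives the vendor removal tools shows up here with its UninstallString, which tells you what the registry still thinks is installed.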
     
  9. BamBam13

    BamBam13 Private E-2

    Hi, Abri. A couple of days ago, I purged my system of programs that I rarely use anymore. Windows Live Messenger was one of them. I also uninstalled the two older versions of Java; read in one MajorGeeks thread that it's supposed to be uninstalled when a new version is installed.

    (Why doesn't Java automatically uninstall the old version when updating, anyway? Or maybe just prompt the user to uninstall the previous version after updating? 200MB is a lot of disk space to waste. :eek: Sorry, just ranting. :p)

    By the way, are Windows LIVE Messenger and Windows Messenger the same? I had Windows Live, not Windows Messenger. Windows Live was what I uninstalled a couple of days ago.

    Okay, I'll do the above-mentioned (or below-mentioned?) and update you on how things are doing. Thanks. :)
     
  10. abri

    abri MajorGeek

    Hi BamBam13!

    Windows Messenger is different from Windows Live. It requires a special removal tool (the one I put the link to in your post). The reason I know it's on your computer is because it looks like the following in your hijackthis log:
    It can't be removed by HijackThis. It's almost never used by anyone and creates a vulnerability for infections, so that's why we have people take it out.

    abri
     
