
XP Locking up on startup; Avast found Win32:Rootkit-Gen(RTK)


#1 Woodtroll


  • Members
  • 9 posts

Posted 26 July 2010 - 07:04 PM

Hello, folks! I originally posted this in the XP forum, but now it seems a malware is involved, so I started a new thread here. The first part below is my original post with description of the problem; the second part is what I figured out so far...

I am barely computer literate at a basic level, so please be gentle!

I have an older Dell 2400 with Windows XP home version, SP2.something. A couple days ago, it began locking up on startup; it would open up the screen that lets you select the user account, then begin to open up the user's page/desktop/account (not sure of the proper term), then would freeze in process after all the desktop, icons, etc. were displayed. The mouse cursor will move around, but that is about it. Nothing "highlights" when the mouse is over it, nothing can be selected, the Avast symbol stops turning, and the hard drive light quits flashing. It acts like it is trying to start a program that just jams the thing to a dead stop. It does this with all users on the computer. The task manager will not open at this point, either.

I started it back up in safe mode, and the accounts opened up fully (with limited programs, of course). I then ran several different virus scans (Adaware, Malwarebytes AW, Avast) and could find nothing.

Thinking it is something in the startup process, I went to run/msconfig/startup, disabled everything there with "disable all", restarted in normal mode, and it still locked up on the user desktop. Interestingly, the Webroot Spysweeper program that has been on there forever still flashed up; I thought it would have been disabled. But, since it has been on my computer from the start, I do not think it is the problem. No new programs except a Blackberry desktop manager have been added recently (about two weeks ago; when I tried to delete that Blackberry program today through the "add/remove programs" feature, it said something like "this option only applies to programs that are installed", but it shows it as installed, with quite a bit of memory used - not sure what is going on here...)

I went back through run/msconfig, selected the "diagnostic startup" mode, started it up normally, and the account/desktop loads up without locking up!

So, how do I figure out what is causing the problem? Since I eliminated all of the visible start-up programs and it still locked up, it must be something "behind the scenes", but I have no idea how to find it.


Another update:

After wrangling with the startup settings, and multiple restarts, Avast has twice alerted to a malware in my C:\windows\system32\ntdll.dll file. It identifies the malware as "Win32:Rootkit-gen(RTK)". It lists a VPS Version 100719-1, 07-19-2010. I do not know what the first part means, but the date seems about right for the onset of my troubles. When the virus alert comes up, I have tried every option available - moving the file to the vault, deleting it, etc. - but Avast seems to be unable to do anything with it; I get a failure (read-only) pop-up, and then the screen locks up again. I have gone into safe mode, and tried to delete the file manually, but Windows will not let me do that either.

I find it odd that none of the programs I tried (multiple times) hit on this, even when I isolated this file out in safe mode and scanned it specifically.

I still need to figure out how to delete or repair this file, or otherwise eliminate the malware. Any help would be greatly appreciated!!

Thanks very much!
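Editor's added example, not part of Woodtroll's post or of any reply in this thread: a read-only check that a helper would typically ask for before anything is done to a flagged system file. ntdll.dll is mapped into every running process, so Windows refusing to delete it (even in safe mode) is the expected behaviour and is not by itself evidence of infection; and deleting a genuine ntdll.dll would leave Windows unbootable. What actually tells the two cases apart is whether the file on disk is the real Microsoft binary. The script below hashes the flagged file, compares it with the Windows File Protection copy in dllcache, and reports its timestamp, size and attributes so the numbers can be posted back to the thread. It assumes Windows PowerShell 2.0 or later on a default XP install; the dllcache path is the standard one on XP and may differ on a non-default setup.

```powershell
# Added example, not from the original post. Inspects the ntdll.dll that Avast
# flagged without deleting, moving or modifying it.
# Assumes Windows PowerShell 2.0 or later on a default XP install; the dllcache
# folder is where Windows File Protection keeps its protected copies on XP.

$SystemRoot = $env:SystemRoot                                        # normally C:\WINDOWS
$Flagged    = Join-Path $SystemRoot 'system32\ntdll.dll'
$Cached     = Join-Path $SystemRoot 'system32\dllcache\ntdll.dll'

function Get-Sha256Hex([string]$Path) {
    # SHA-256 via .NET, because Get-FileHash only exists from PowerShell 4 on.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-SystemDll([string]$Path, [string]$ReferencePath) {
    # Read-only inspection: hash the flagged file, compare it with the protected
    # copy, and report its embedded signature status and file attributes.
    if (-not (Test-Path $Path)) { throw "File not found: $Path" }

    $hash    = Get-Sha256Hex $Path
    $refHash = $null
    if (Test-Path $ReferencePath) { $refHash = Get-Sha256Hex $ReferencePath }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = '(no embedded signature)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    $match = 'no dllcache copy to compare'
    if ($refHash) { $match = ($hash -eq $refHash) }

    $item = Get-Item $Path
    New-Object PSObject -Property @{
        Path            = $Path
        Sha256          = $hash
        MatchesDllCache = $match
        # XP system DLLs are catalog-signed, not embedded-signed, so 'NotSigned'
        # here is normal for the genuine file on this PowerShell version.
        SignatureStatus = $sig.Status
        Signer          = $signer
        IsReadOnly      = $item.IsReadOnly
        LastWriteTime   = $item.LastWriteTime
        SizeBytes       = $item.Length
    }
}

Test-SystemDll -Path $Flagged -ReferencePath $Cached | Format-List
```

Run it from an administrator account. A hash that matches the dllcache copy, with a LastWriteTime and size consistent with the installed service pack, points towards a generic heuristic hit on an unmodified file; a mismatch, or a LastWriteTime close to the 07-19-2010 date in the alert, is what a helper needs to see before recommending a fix. Because a rootkit that replaced ntdll.dll could have replaced the dllcache copy as well, the reported hash should also be compared with one from a clean XP machine at the same service pack level. Either way, the supported way to put back a damaged system file on XP is `sfc /scannow` from the Windows CD, not deleting it by hand.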
