I have several pointers that make me believe that I have either malware or a virus. Norton, Kaspersky, AVG, Spybot and Malware bytes do not indicate anything and I know a lot of you would say, "Well why are you writing this question". Well, this is why. Everytime I run sfc /scannow I get a message at the end saying there were some corrupt files that could not be rpaired. So I have looked at various points on my computer and I wonder if anyone can put me straight. In the system32 folder I have 3 drivers folders "drivers", "DriverStore" and "DRVSTORE". The last one is highlighted in blue and contains listings of the GEARAspi driver, all highlighted. My wireless network adapter wont install properly and when I look in Device Manager > Network Adapters > Atheros ........ > properties > tab to details, it shows 1 parent and 16 siblings. I have never seen this reference before. Is it a sign of something malicious or is it a regular entry in the properties of an item. Can anybody also tell me what differences I would see in "Command > BCDEDIT" if somethiing was infecting my bootup.

Hi,

I am willing to try to help. Certain really nasty viruses will not show up until some of them, the bits that hide them, have already been deleted. Can you therefore upload the log files (sfcdetails.txt) of your "sfc /scannow" run. See the yellow box at the top of this tutorial: System Files - SFC Command

Richard

Hi again,

Just answering some of your questions. The System32 driver folders all look fine and the GEAR reference looks OK. Remember that viruses usually overtake a secondary driver and replace it with its own code (a secondary driver is not required for system startup and does not matter too much if it is lost) Therefore, just looking at driver names will not be enough, you need to scan them.

Do tell me if you have any suspicions on what this might be, how you got it, or any files that might be infected. Do not worry about making mistakes, there is no harm in that.

Richard

Hi,

Also, can you please run HiJackThis and upload the log file. Please upload the log file as an attachment, not in the main body of the message. Thanks! HijackThis - Trend Micro USA

Richard

Hi,

Press the Windows Key + R to open the Run dialogue. Type "cmd" and press enter. In Command Prompt, type:

"ipconfig /flushdns"

and press enter. Tell me if this is successful.

Richard

Thanks niemiro, Do you know about the entries in device manager and bcdedit. If i could see what a correct entry should look like then that might be good

Hi, I have flushed dns and I am going to run sfc but I am also going to have some breakfast (8.00 in uk) thanks for your help. Can we pick this up again later?

Originally Posted by dje

Hi, I have flushed dns and I am going to run sfc but I am also going to have some breakfast (8.00 in uk) thanks for your help. Can we pick this up again later?

No problem. It can wait days if you want. There is never an obligation to be online together, and I have just had my breakfast! We sometimes wait for people to go on holiday and then pick up the issue afterwards. You enjoy your breakfast and don't rush it!

Richard

Right, open Command Prompt and type "bcdedit.exe" followed by enter. Once it has loaded, expand the Windows so everything is visible, right click anywhere on the Console and click Mark. Highlight everything (this may take a few attemps to get right, as it is not quite like normal highlighting) and right click within the highlighted area. The highlighting will disappear, but nothing else will look like it has happened. However, it has been copied, so just paste it in your next reply. Here is mine:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Richard>bcdedit.exe

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {82bde735-f669-11de-81e9-bde3a6336df3}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 3
resume No

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {bootloadersettings}
osdevice partition=C:
systemroot \Windows
resumeobject {82bde735-f669-11de-81e9-bde3a6336df3}
nx OptIn

C:\Users\Richard>


Can you also download, run and upload the log of the "Vistax64.com SysInfo Tool". Please do not include the log inline, but as an attachment. VistaForums SysInfo Tool

Richard

Hi,

The Atheros in Device Manager is usually fine. It really depends on whether you have any network cards from Atheros. Do you normally use wireless or wired internet. Is this a Desktop or Laptop? Do you know what your network cards are? If so, what are they? Do not worry if you do not know.

I will now wait for the logs, but there is no rush or urgency. In your own time.

Richard