my friend's thinkpad has a virus or something. I formatted the hard drive and reinstalled XP pro. i installed the university-provided symantec AV. then i installed the ethernet driver. after i installed the ethernet driver and plugged in the ethernet cable, it starts getting non-IE pop-ups for AV software. formatting the drive doesn't fix this problem. i'm at the point where i want to hand the laptop back to my friend and say "i don't know what you did but it's your problem now." the virus she had before i formatted it (and apparently still has) is hacktool.rootkit http://securityresponse.symantec.com/avcenter/venc/data/hacktool.rootkit.html thinkpad or paperweight? someone please give me a hand here.
8/31/2005 12:50:01 PM
I'll take the laptop for $100
8/31/2005 12:50:58 PM
that's a pretty expensive paperweight...
8/31/2005 12:53:14 PM
You need to boot off a read-only media and fully blank the hard drive . . . . I'd recommend a program like DBAN (Darik's Boot and Nuke) to wipe the entire drive to DoD standards. Then you use an XP Pro OEM disk that you know is clean to reformat and do a full restore, install and configure AV and firewall, then connect to the net. If you need help let me know.
8/31/2005 1:37:59 PM
^ wins
8/31/2005 1:40:35 PM
$110
8/31/2005 2:27:19 PM
thanks, i'll try that out
8/31/2005 2:29:37 PM
$120
8/31/2005 6:28:31 PM
are you sure you actually formatted the drive? the access ibm "restore factory settings" does NOT format the hard drive since the ibm restore files are located on the main partition. if you want, you can take it to the bookstore where they have actual restore cd's for the IBM thinkpad and can reformat. that's always gotten rid of hacktool.rootkit when I've done it in the past. [Edited on August 31, 2005 at 7:52 PM. Reason : ]
8/31/2005 7:51:30 PM
i used an authentic windows xp cd to remove the ntfs partition and formatted ntfs back over it (if it makes a difference between ntfs and ntfs quick, i did it the non-quick way) twice. i used the program recommended by fregac to format the third time. i used the bootable iso version and set it on automatic once the program started up. after that i formatted the space for xp, blah blah blah and as soon as you connect it to the internet it starts getting pop-ups for AV software of the non-IE variety. after the DBAN format and windows re-install, symantec quit finding hacktool.rootkit and started finding W32.spybot.worm. i returned the laptop after the most recent xp install but before symantec started flipping out. i'll keep looking at it after i get my hands on it. i gotta try taking it to the bookstore. i don't suppose i could acquire a copy of the IBM restore cd's? that's a lot easier than getting all the drivers from the IBM website... i think the restore settings are on a separate partition, because after the first format i thought the virus got smart and hid itself in there and formatted that too. that obviously wasn't right. [Edited on September 1, 2005 at 12:52 PM. Reason : ]
9/1/2005 12:50:59 PM
does the version of XP u have install SP2? you should download and put zonealarm firewall on a CD then once XP is reinstalled put zonealarm on b4 ever connecting to the internet. if SP2 is not being installed, get the SP2 CD. if u need it, i have it. i can't believe this problem is still existent after all this is done. btw, r u connecting to the internet on campus?
9/1/2005 1:04:14 PM
i have xp with SP1. windows won't authenticate unless i call it in (and the virus stops SP2 installs from the internet). i suppose i'll get zonealarm, i have never personally had a need for it so i don't have it, but this seems like a good reason to get a copy. the laptop is on an on-campus connection. with the way the virus works, i'm surprised resnet hasn't gotten smart and turned off her internet.
9/1/2005 1:11:23 PM
A V G Free
9/1/2005 1:16:49 PM
$125
9/1/2005 2:20:04 PM
well it's in the care of the bookstore now, so bidding is closed
9/1/2005 3:41:44 PM
ah, then you probably know now they can't give you their restore cd's, since they only have one or two copies.
9/1/2005 4:56:56 PM