Solved: rootkit remover | Experts Exchange

Once Rootkit Revealer gives you the path and filename of the rootkit you can just manually delete it, or you could use Killbox or Avenger to delete it.
Can you show us the Rootkit Revealer's log please?

Blacklight and Gmer also removes rootkits.

rpggamergirl

These are all free:

Blacklight:
https://europe.f-secure.com/blacklight/try.shtml

Sophos Anti-Rootkit:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Gmer:
http://www.gmer.net/gmer.zip

BitDefender RootkitUncover 1.0 Beta 2:
http://www.softpedia.com/get/Antivirus/BitDefender-RootkitUncover.shtml

Grisoft AVG Anti-Rootkit Beta:
http://blog.evilissimo.net/2006/08/01/grisoft-avg-anti-rootkit-beta/

drmanno

ASKER

thanks for your prompt response. here's one:
HKLM\S-1-5-21-1097220394-952260082-127275408-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8B603235-D8BF-4A9D-1BBB-314FEFDB5C23}* 10/20/2006 6:17 PM 0 bytes Key name contains embedded nulls (*)
according to rootkitrevealer website entry with null characters cannot be deleted from the registry. they recommended their utility regdelnull. i ran that. no effect.

drmanno

ASKER

i ran gmer and here is the log. unfortunately backlight beta expired on sep 1 2006. so the only way i can remove rootkit is by gmer:
GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-30 21:42:51
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.11 ----

SSDT 865CAF30 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT 865CBA60 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT 865CAFA8 ZwQueueApcThread
SSDT 865CAE40 ZwReadVirtualMemory
SSDT 86520D10 ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT 865CB8F8 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT 865100A8 ZwSetInformationKey
SSDT 865CBB50 ZwSetInformationProcess
SSDT 865CB970 ZwSetInformationThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT 865CBAD8 ZwSuspendProcess
SSDT 865CA020 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT 865CB9E8 ZwTerminateThread
SSDT 865CAEB8 ZwWriteVirtualMemory

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 857B96F8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 857B9608
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 85A084C0
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 85A08448
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 85A083D0
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 85016FA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 85016F30
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 85016EB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 859CE5D0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 859CE558
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 859CE4E0
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 859D4CC8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 85012E10
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 85012D98
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 859D2720
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 859D26A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 859D2630
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 859D2D08
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 859D2C90
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 859D2C18
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 859649A0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 85964928
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 859648B0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 857B96F8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 857B9608
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 85A084C0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 85A08448
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 85A083D0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 85016FA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 85016F30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 85016EB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 859CE5D0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 859CE558
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 859CE4E0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 859D4CC8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 85012E10
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 85012D98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 859D2720
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 859D26A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 859D2630
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 859D2D08
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 859D2C90
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 859D2C18
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 859649A0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 85964928
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 859648B0
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 857B96F8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 857B9608
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 85A084C0
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 85A08448
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 85A083D0
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 85016FA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 85016F30
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 85016EB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 859CE5D0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 859CE558
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 859CE4E0
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 859D4CC8
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 85012E10
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 85012D98
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 859D2720
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 859D26A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 859D2630
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 859D2D08
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 859D2C90
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 859D2C18
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 859649A0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 85964928
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 859648B0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 857B96F8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 857B9608
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 85A084C0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 85A08448
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 85A083D0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 85016FA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 85016F30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 85016EB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 859CE5D0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 859CE558
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 859CE4E0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 859D4CC8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 85012E10
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 85012D98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 859D2720
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 859D26A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 859D2630
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 859D2D08
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 859D2C90
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 859D2C18
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 859649A0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 85964928
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 859648B0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 857B96F8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 857B9608
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 85A084C0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 85A08448
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 85A083D0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 85016FA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 85016F30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 85016EB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 859CE5D0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 859CE558
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 859CE4E0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 859D4CC8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 85012E10
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 85012D98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [AA8542A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 859D2720
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 859D26A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 859D2630
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 859D2D08
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 859D2C90
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 859D2C18
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 859649A0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 85964928
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 859648B0

---- Registry - GMER 1.0.11 ----

Reg \Registry\USER\S-1-5-21-1097220394-952260082-127275408-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8B603235-D8BF-4A9D-1BBB-314FEFDB5C23}@naogbjiohabpiageplcbpejnokji 0x6B 0x61 0x63 0x6F ...
Reg \Registry\USER\S-1-5-21-1097220394-952260082-127275408-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8B603235-D8BF-4A9D-1BBB-314FEFDB5C23}@maahpjockggoabmnmkfmbgppga 0x6B 0x61 0x63 0x6F ...

---- Files - GMER 1.0.11 ----

ADS ...

---- EOF - GMER 1.0.11 ----

rpggamergirl

I don't see any rootkits in those logs.
Those registry entries that both scanners found could just be false positive, its a 0 byte and i don't have any info in those registry values.
The report showing them doesn't mean they are malicious. Try going into your registry and look at those values by rightclicking on them and see what it tells you.

The main thing is there is no rootkit.

drmanno

ASKER

you brought the good news that there was no rootkit. i was scared because the other day a fraudulent charge appeared on american express card coinciding with my online order another product. so i was making a connection that the rootkit is leaking that infomation to hackers. i believe you have checked both logs - rootkit revealer and gmer. the revealer says that the null registry value is raises concern and that entry cannot be deleted. that's why i used regdelnull but got no results. thanks again for your help.

orangutang

Registry keys with nulls embedded in them, usually aren't root kits. They're usually for protected some data from being read by other applications. Use http://download.sysinternals.com/Files/Regdellnull.zip. Use "regdelnull hklm -s"

orangutang

Use http://www.security.org.sg/code/SDTrestore-0.2.zip to enable access to APIs that have been hooked by other program but this is usually from harmless programs such as antivirus programs. Also, IceSword(http://downloads.pcworld.com/pub/new/privacy___security/anti_spyware_tools/IceSword1.18en.rar) may help a little, however I highly doubt that you have any root kits.

drmanno

ASKER

orangutang, regdelnull does fails to recognize the null embedded key but rootkitrevealer reports this key:
HKLM\S-1-5-21-1097220394-952260082-127275408-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8B603235-D8BF-4A9D-1BBB-314FEFDB5C23}* 10/20/2006 6:17 PM 0 bytes Key name contains embedded nulls (*)

how can icesword help?

orangutang

I think you mean "HKU" instead of "HKLM"

drmanno

ASKER

let me clear the miscommunication. rootkitrevealer identifies a registry with null embedded key. i use the command regdelnull hklm -s to get rid of that null entry. regdelnull fails to detect and ends with the message: scan complete.

i thought perhaps defrag will help. but i got the error that chkdsk was needed. at chkdsk i got error messages but the text flew off the screen. how can i dump chkdsk text at the boot time or stop it flying?

orangutang

But before you said "HKLM\S-1-5-21-1097220394-952260082-127275408-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8B603235-D8BF-4A9D-1BBB-314FEFDB5C23}". I don't think it's possible for HKLM to have the "S-1-5-21-1097220394-952260082-127275408-1006" key. You should use "regdelnull hku -s"

orangutang

Also, I found this, http://www.databack4u.com/snc/rtkf_eng.html

drmanno

ASKER

that is what was reported after a scan by rootkitrevealer. i just did the paste from the scan above. now i've done it with hku -s. please see below.
C:\>regdelnull hku -s

RegDelNull v1.10 - Delete Registry keys with embedded Nulls
Copyright (C) 2005 Mark Russinovich
Sysinternals - www.sysinternals.com

Null-embedded key (Nulls are replaced by '*'):

HKU\S-1-5-21-1097220394-952260082-127275408-1006\Software\Microsoft\Windows\Curr
entVersion\Shell Extensions\Approved\{8B603235-D8BF-4A9D-1BBB-314FEFDB5C23}*

Delete? (y/n) y
Scan complete.

btw, regdelnull instruction too says the command line parameter should be hklm. but you solved the riddle by hku and the null entry is deleted! thereafter i ran rootkitrevealer again and here is the scan report:

HKLM\SOFTWARE\Zone Labs\ZoneAlarm\AVFilesScanned 11/2/2006 3:16 PM 4 bytes Data mismatch between Windows API and raw hive data.

any further thought on capturing the chkdsk text? thanks for your help.

drmanno

ASKER

thanks.

orangutang

No problem. Any question that you may have (not involving networking or hardware), I should be able to help.

drmanno

ASKER

alright then please help me in saving my explorer settings. i've posed this question several times in this forum but never got anywhere. the problem: on desktop i right click and then select auto arrange. it works. but then at the next boot the settings are not saved. because i use file manager called servant salamander extensively and never had a problem this issue is very annoying as it has affected the file manager too. i've done rebuild icon trick; gone into saving file properties and applying to all folders. nothing works. what is your opinion?

orangutang

Can you please post the links for each of the posts you've posted so I know what people have already posted?

drmanno

ASKER

https://www.experts-exchange.com/questions/22046128/auto-arrange.html

https://www.experts-exchange.com/questions/22041320/auto-arrange.html

orangutang

Well, have you tried to create a new Windows account as logging into that?

drmanno

ASKER

yes, i did and the problem remained. i deleted the test account.

orangutang

Try http://www.snapfiles.com/download/dliconrestore.html

orangutang

Also, you may be able to find an alternative to Servant Salamander if it's that much of a big deal.

drmanno

ASKER

thanks for icon restore utility. i've installed. i'll report if the problem persists. i know i can find another file manager but by far salamander is the best. you should test out yourself.