Guest g12002 Posted September 6, 2008

Recently one of my machines was hit by some malware called "Antivirus XP 2008" forcing me to remove it by doing such things as removing registry entries, disabling processes at startup, deleting most recent files in System32 and Temp, stopping Security Centre under services.msc etc. I finally removed it by running Malwarebytes' Anti-Malware in safe mode & running the full scan overnight. The next morning, I carried out the removal process of the discovered malware. Spybot SD was then able to run after this. I ran Spybot (definitions updated) and it discovered and removed some more malicious items. It now seems as if the malware has been removed except for its startup processes still visible but disabled in MSconfig.

The problem now is the system appears to be stuck in safe mode (I've tried accessing normal startup with that F8 stuff but still reverts back) with Windows XP themes disabled, Limited Accounts missing & the ADSL network connection profile in Control Panel missing. It seems to differ from safe mode in that the "safe mode" text is missing, monitor resolution & framerate are at normal. I can't access the internet from that machine or get it back to normal.

Please help, this is quite urgent.
Guest nass Posted September 6, 2008

RE: Post virus-removal problems

"g12002" wrote:
> Recently one of my machines was hit by some malware called "Antivirus XP 2008" forcing me to remove it by doing such things as removing registry entries, disabling processes at startup, deleting most recent files in System32 and Temp, stopping Security Centre under services.msc etc. I finally removed it by running Malwarebytes' Anti-Malware in safe mode & running the full scan overnight. The next morning, I carried out the removal process of the discovered malware. Spybot SD was then able to run after this. I ran Spybot (definitions updated) and it discovered and removed some more malicious items. It now seems as if the malware has been removed except for its startup processes still visible but disabled in MSconfig.
>
> The problem now is the system appears to be stuck in safe mode (I've tried accessing normal startup with that F8 stuff but still reverts back) with Windows XP themes disabled, Limited Accounts missing & the ADSL network connection profile in Control Panel missing. It seems to differ from safe mode in that the "safe mode" text is missing, monitor resolution & framerate is at normal. I can't access the internet from that machine or get it back to normal.
>
> Please help, this is quite urgent.

Did you try to restore the machine to an earlier date before messing with the registry keys? Try in safe mode and restore your system to an earlier date and see if that will take you back to normal, and then work your way with Malwarebytes or SUPERAntiSpyware with other scanners to remove this viral infection.

HTH,
nass
http://www.nasstec.co.uk
Guest PA Bear [MS MVP] Posted September 6, 2008

Re: Post virus-removal problems

I can assure you that you have more work to do.

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2 (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in conjunction with some other utilities). HijackThis will NOT fix anything on its own, but it will help you to both identify and remove any hijackware/spyware with assistance from an expert. **Post your log to http://aumha.net/viewforum.php?f=30, http://forums.spybot.info/forumdisplay.php?f=22, http://castlecops.com/forum67.html, or other appropriate forums for review by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

g12002 wrote:
> Recently one of my machines was hit by some malware called "Antivirus XP 2008" forcing me to remove it by doing such things as removing registry entries, disabling processes at startup, deleting most recent files in System32 and Temp, stopping Security Centre under services.msc etc. I finally removed it by running Malwarebytes' Anti-Malware in safe mode & running the full scan overnight. The next morning, I carried out the removal process of the discovered malware. Spybot SD was then able to run after this. I ran Spybot (definitions updated) and it discovered and removed some more malicious items. It now seems as if the malware has been removed except for its startup processes still visible but disabled in MSconfig.
>
> The problem now is the system appears to be stuck in safe mode (I've tried accessing normal startup with that F8 stuff but still reverts back) with Windows XP themes disabled, Limited Accounts missing & the ADSL network connection profile in Control Panel missing. It seems to differ from safe mode in that the "safe mode" text is missing, monitor resolution & framerate is at normal. I can't access the internet from that machine or get it back to normal.
>
> Please help, this is quite urgent.
Guest g12002 Posted September 6, 2008

Re: Post virus-removal problems

Thanks for the help, guys. There are no other system restore points other than the one Spybot made when I ran it in Safe Mode after Malwarebytes Anti-Malware. I have posted the HJT log in one of the forums. HJT seems to have detected that a DLL file, namely pmxfwl.dll, is missing and there seems to be some process in documents and settings/all users/application data/detkzwtq called fohqhste.exe.
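The two findings above (a registry entry that still points at a DLL which no longer exists, and an executable with a random name starting from a directory under Application Data) are exactly the kind of thing a reviewer looks for when reading a HijackThis log. As an added example, not a tool from this thread or from HijackThis itself, the Python script below scans log lines written in HijackThis's "O<n> - ..." format and flags those two patterns. The sample log lines are constructed for this example; the section codes (O2, O4, O20, O23) and the "(file missing)" marker are HijackThis's own conventions, and the BHO CLSID is an obvious placeholder.

```python
"""
Triage helper for HijackThis-style log lines (added example, not code from the
thread or from the HijackThis project).

Two patterns are flagged, matching the findings discussed in the thread:
  1. an entry whose target file HijackThis reports as "(file missing)": a
     registry reference left behind after the DLL/EXE was deleted, which still
     needs cleaning up (and tells the reviewer something was removed by hand);
  2. an autostart entry whose executable lives under a user-profile data
     directory (Documents and Settings\...\Application Data) instead of a
     program directory, which is where the thread's fohqhste.exe was found.
"""
import re

# Section codes whose lines name a file worth checking: BHOs (O2), Run keys (O4),
# Winlogon Notify handlers (O20) and services (O23). Codes are HijackThis's own.
FILE_SECTIONS = {"O2", "O4", "O20", "O23"}

# Every HijackThis finding line starts with "O<n> - " followed by the entry text.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# First Windows path in the entry that ends in an executable/library extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|sys|com))', re.IGNORECASE)

# XP per-user or All Users data directory (Local Settings\Application Data included).
PROFILE_DATA_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Local Settings\\)?Application Data\\",
    re.IGNORECASE,
)

# Constructed sample log in HijackThis's format; file names taken from the thread,
# the CLSID is a placeholder, all other values are made up for the example.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {CONSTRUCTED-BHO-CLSID} - C:\WINDOWS\system32\pmxfwl.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [detkzwtq] C:\Documents and Settings\All Users\Application Data\detkzwtq\fohqhste.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Windows Defender (WinDefend) - Microsoft Corporation - C:\Program Files\Windows Defender\MsMpEng.exe
"""


def triage(log_text):
    """Return a list of (section, reason, path) tuples for lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # header lines, blank lines, anything not a finding
        section, body = match.group(1), match.group(2)
        if section not in FILE_SECTIONS:
            continue
        path_match = PATH_RE.search(body)
        path = path_match.group(1) if path_match else body
        if "(file missing)" in body.lower():
            findings.append((section, "referenced file missing", path))
        elif PROFILE_DATA_RE.search(body):
            findings.append((section, "autostart from profile data directory", path))
    return findings


def report(log_text):
    """Human-readable summary of triage(), one line per finding."""
    lines = ["%s: %s -> %s" % (sec, reason, path) for sec, reason, path in triage(log_text)]
    return "\n".join(lines) if lines else "nothing flagged"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The script deliberately flags rather than fixes, in keeping with the advice in the thread: a "(file missing)" entry is a dangling reference to remove, while an executable under Application Data is only suspicious, not proof of infection, and should go to someone who reads these logs regularly before anything is deleted.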
Guest PA Bear [MS MVP] Posted September 7, 2008

Re: Post virus-removal problems

You've still got a Vundo infection...which may be accompanied by a ZLOB and/or SDBot infection...all of which may be protected by a rootkit.

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

g12002 wrote:
> Thanks for the help, guys. There are no other system restore points other than the one Spybot made when I ran it in Safe Mode after Malwarebytes Anti-Malware. I have posted the HJT log in one of the forums. HJT seems to have detected that a DLL file, namely pmxfwl.dll is missing and there seems to be some process in documents and settings/all users/application data/detkzwtq called fohqhste.exe.
Guest Daave Posted September 7, 2008

Re: Post virus-removal problems

"g12002" <g12002@discussions.microsoft.com> wrote in message news:6C048C55-3940-4C33-AF6F-64755B391F5B@microsoft.com...
> Recently one of my machines was hit by some malware called "Antivirus XP 2008" forcing me to remove it by doing such things as removing registry entries, disabling processes at startup, deleting most recent files in System32 and Temp, stopping Security Centre under services.msc etc. I finally removed it by running Malwarebytes' Anti-Malware in safe mode & running the full scan overnight. The next morning, I carried out the removal process of the discovered malware. Spybot SD was then able to run after this. I ran Spybot (definitions updated) and it discovered and removed some more malicious items. It now seems as if the malware has been removed except for its startup processes still visible but disabled in MSconfig.
>
> The problem now is the system appears to be stuck in safe mode (I've tried accessing normal startup with that F8 stuff but still reverts back) with Windows XP themes disabled, Limited Accounts missing & the ADSL network connection profile in Control Panel missing. It seems to differ from safe mode in that the "safe mode" text is missing, monitor resolution & framerate is at normal. I can't access the internet from that machine or get it back to normal.
>
> Please help, this is quite urgent.

Yikes! Removing temp files is fine. However, removing system files and registry entries is not. You may have done irreparable damage to your system.

First, back up all your data. The last thing you want to do is to lose it. Note all your settings, too. If possible, back them up. This page may be of help:

http://www.aumha.org/win5/a/fast.php

Certainly try Nass's suggestions.

Since you didn't copy the system files and registry keys you deleted, you *may* luck out with System Restore (assuming that that restore point still exists). Of course, you would have to fight the infection all over again -- but this time, the *proper* way.

If the above is not an option, you should just bite the bullet and perform a clean install.

In the future, image your hard drive regularly. That way if you ever have another serious infection, all you need to do is restore the image -- very easy and fairly fast (especially compared to everything you have already done and have yet to do!).
Guest g12002 Posted September 7, 2008

Re: Post virus-removal problems

What gives you the idea my system is still infected, PA Bear [MS MVP]? Is it that process I mentioned in my previous post? Also what do you think of that missing DLL file?
Guest Daave Posted September 7, 2008

Re: Post virus-removal problems

"g12002" <g12002@discussions.microsoft.com> wrote in message news:39D04EB4-25A3-463A-87B8-12A3C7BB50B6@microsoft.com...
> What gives you the idea my system is still infected, PA Bear [MS MVP]? Is it that process I mentioned in my previous post? Also what do you think of that missing DLL file?

Although you responded to my post, you trimmed out *everything* I said as well as the pertinent information you had written. On top of that, you seem to be addressing PA Bear!

From what I understand, Antivirus XP 2008 is a tough infection to fight because it is accompanied by other infections. But I'll let PA Bear answer your question in deeper detail if he wishes.

I was merely responding to your post, specifically:

> Recently one of my machines was hit by some malware called "Antivirus XP 2008" forcing me to remove it by doing such things as removing registry entries, disabling processes at startup, deleting most recent files in System32 and Temp, stopping Security Centre under services.msc etc.

and

> The problem now is the system appears to be stuck in safe mode (I've tried accessing normal startup with that F8 stuff but still reverts back) with Windows XP themes disabled, Limited Accounts missing & the ADSL network connection profile in Control Panel missing. It seems to differ from safe mode in that the "safe mode" text is missing, monitor resolution & framerate is at normal. I can't access the internet from that machine or get it back to normal.

I think the fact that you are stuck in Safe Mode is directly related to your having removed certain system files and registry entries. Of course, it's very possible there could be a lingering infection responsible. That is why I had made the suggestions I did (which you had snipped). Here they are once again:

Yikes! Removing temp files is fine. However, removing system files and registry entries is not. You may have done irreparable damage to your system.

First, back up all your data. The last thing you want to do is to lose it. Note all your settings, too. If possible, back them up. This page may be of help:

http://www.aumha.org/win5/a/fast.php

Certainly try Nass's suggestions.

Since you didn't copy the system files and registry keys you deleted, you *may* luck out with System Restore (assuming that that restore point still exists). Of course, you would have to fight the infection all over again -- but this time, the *proper* way.

If the above is not an option, you should just bite the bullet and perform a clean install.

In the future, image your hard drive regularly. That way if you ever have another serious infection, all you need to do is restore the image -- very easy and fairly fast (especially compared to everything you have already done and have yet to do!).
Guest PA Bear [MS MVP] Posted September 7, 2008

Re: Post virus-removal problems

I have some experience in such matters.

g12002 wrote:
> What gives you the idea my system is still infected, PA Bear [MS MVP]? Is it that process I mentioned in my previous post? Also what do you think of that missing DLL file?