Post virus-removal problems

Posted

Recently one of my machines was hit by some malware called "Antivirus XP 2008", forcing me to remove it by doing such things as removing registry entries, disabling processes at startup, deleting the most recent files in System32 and Temp, stopping Security Centre under services.msc, etc. I finally removed it by running Malwarebytes' Anti-Malware in safe mode and running the full scan overnight. The next morning, I carried out the removal process for the discovered malware. Spybot S&D was then able to run after this. I ran Spybot (definitions updated) and it discovered and removed some more malicious items. It now seems as if the malware has been removed, except for its startup processes, which are still visible but disabled in MSconfig.

The problem now is that the system appears to be stuck in safe mode (I've tried accessing normal startup with that F8 stuff, but it still reverts back), with Windows XP themes disabled, Limited Accounts missing and the ADSL network connection profile in Control Panel missing. It seems to differ from safe mode in that the "safe mode" text is missing, and monitor resolution and framerate are at normal. I can't access the internet from that machine or get it back to normal.

Please help, this is quite urgent.


Posted

Re: Post virus-removal problems

"g12002" wrote:

> Recently one of my machines was hit by some malware called "Antivirus XP 2008", forcing me to remove it by doing such things as removing registry entries, disabling processes at startup, deleting the most recent files in System32 and Temp, stopping Security Centre under services.msc, etc. I finally removed it by running Malwarebytes' Anti-Malware in safe mode and running the full scan overnight. The next morning, I carried out the removal process for the discovered malware. Spybot S&D was then able to run after this. I ran Spybot (definitions updated) and it discovered and removed some more malicious items. It now seems as if the malware has been removed, except for its startup processes, which are still visible but disabled in MSconfig.
>
> The problem now is that the system appears to be stuck in safe mode (I've tried accessing normal startup with that F8 stuff, but it still reverts back), with Windows XP themes disabled, Limited Accounts missing and the ADSL network connection profile in Control Panel missing. It seems to differ from safe mode in that the "safe mode" text is missing, and monitor resolution and framerate are at normal. I can't access the internet from that machine or get it back to normal.
>
> Please help, this is quite urgent.

Did you try to restore the machine to an earlier date before messing with the registry keys?

Try in safe mode and restore your system to an earlier date, and see if that will take you back to normal; then work your way with Malwarebytes or SUPERAntiSpyware, plus other scanners, to remove this viral infection.

HTH,

nass

http://www.nasstec.co.uk

Guest PA Bear [MS MVP]
Posted

Re: Post virus-removal problems

I can assure you that you have more work to do.

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your HijackThis log to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2 (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in conjunction with some other utilities). HijackThis will NOT fix anything on its own, but it will help you to both identify and remove any hijackware/spyware with assistance from an expert. **Post your log to http://aumha.net/viewforum.php?f=30, http://forums.spybot.info/forumdisplay.php?f=22, http://castlecops.com/forum67.html, or other appropriate forums for review by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

g12002 wrote:

> Recently one of my machines was hit by some malware called "Antivirus XP 2008", forcing me to remove it by doing such things as removing registry entries, disabling processes at startup, deleting the most recent files in System32 and Temp, stopping Security Centre under services.msc, etc. I finally removed it by running Malwarebytes' Anti-Malware in safe mode and running the full scan overnight. The next morning, I carried out the removal process for the discovered malware. Spybot S&D was then able to run after this. I ran Spybot (definitions updated) and it discovered and removed some more malicious items. It now seems as if the malware has been removed, except for its startup processes, which are still visible but disabled in MSconfig.
>
> The problem now is that the system appears to be stuck in safe mode (I've tried accessing normal startup with that F8 stuff, but it still reverts back), with Windows XP themes disabled, Limited Accounts missing and the ADSL network connection profile in Control Panel missing. It seems to differ from safe mode in that the "safe mode" text is missing, and monitor resolution and framerate are at normal. I can't access the internet from that machine or get it back to normal.
>
> Please help, this is quite urgent.

Posted

Re: Post virus-removal problems

Thanks for the help, guys. There are no other system restore points other than the one Spybot made when I ran it in Safe Mode after Malwarebytes Anti-Malware. I have posted the HJT log in one of the forums. HJT seems to have detected that a DLL file, namely pmxfwl.dll, is missing, and there seems to be some process in Documents and Settings\All Users\Application Data\detkzwtq called fohqhste.exe.

Guest PA Bear [MS MVP]
Posted

Re: Post virus-removal problems

You've still got a Vundo infection...which may be accompanied by a ZLOB and/or SDBot infection...all of which may be protected by a rootkit.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

g12002 wrote:

> Thanks for the help, guys. There are no other system restore points other than the one Spybot made when I ran it in Safe Mode after Malwarebytes Anti-Malware. I have posted the HJT log in one of the forums. HJT seems to have detected that a DLL file, namely pmxfwl.dll, is missing, and there seems to be some process in Documents and Settings\All Users\Application Data\detkzwtq called fohqhste.exe.

Posted

Re: Post virus-removal problems

"g12002" <g12002@discussions.microsoft.com> wrote in message news:6C048C55-3940-4C33-AF6F-64755B391F5B@microsoft.com...

> Recently one of my machines was hit by some malware called "Antivirus XP 2008", forcing me to remove it by doing such things as removing registry entries, disabling processes at startup, deleting the most recent files in System32 and Temp, stopping Security Centre under services.msc, etc. I finally removed it by running Malwarebytes' Anti-Malware in safe mode and running the full scan overnight. The next morning, I carried out the removal process for the discovered malware. Spybot S&D was then able to run after this. I ran Spybot (definitions updated) and it discovered and removed some more malicious items. It now seems as if the malware has been removed, except for its startup processes, which are still visible but disabled in MSconfig.
>
> The problem now is that the system appears to be stuck in safe mode (I've tried accessing normal startup with that F8 stuff, but it still reverts back), with Windows XP themes disabled, Limited Accounts missing and the ADSL network connection profile in Control Panel missing. It seems to differ from safe mode in that the "safe mode" text is missing, and monitor resolution and framerate are at normal. I can't access the internet from that machine or get it back to normal.
>
> Please help, this is quite urgent.

Yikes!

Removing temp files is fine.

However, removing system files and registry entries is not. You may have done irreparable damage to your system.

First, back up all your data. The last thing you want to do is to lose it. Note all your settings, too. If possible, back them up. This page may be of help:

http://www.aumha.org/win5/a/fast.php

Certainly try Nass's suggestions. Since you didn't copy the system files and registry keys you deleted, you *may* luck out with System Restore (assuming that that restore point still exists). Of course, you would have to fight the infection all over again -- but this time, the *proper* way.

If the above is not an option, you should just bite the bullet and perform a clean install.

In the future, image your hard drive regularly. That way, if you ever have another serious infection, all you need to do is restore the image -- very easy and fairly fast (especially compared to everything you have already done and have yet to do!).

Posted

Re: Post virus-removal problems

What gives you the idea my system is still infected, PA Bear [MS MVP]? Is it that process I mentioned in my previous post? Also, what do you think of that missing DLL file?

Posted

Re: Post virus-removal problems

"g12002" <g12002@discussions.microsoft.com> wrote in message news:39D04EB4-25A3-463A-87B8-12A3C7BB50B6@microsoft.com...

> What gives you the idea my system is still infected, PA Bear [MS MVP]? Is it that process I mentioned in my previous post? Also, what do you think of that missing DLL file?

Although you responded to my post, you trimmed out *everything* I said as well as the pertinent information you had written. On top of that, you seem to be addressing PA Bear!

From what I understand, Antivirus XP 2008 is a tough infection to fight because it is accompanied by other infections. But I'll let PA Bear answer your question in deeper detail if he wishes. I was merely responding to your post, specifically:

> Recently one of my machines was hit by some malware called "Antivirus XP 2008", forcing me to remove it by doing such things as removing registry entries, disabling processes at startup, deleting the most recent files in System32 and Temp, stopping Security Centre under services.msc, etc.

and

> The problem now is that the system appears to be stuck in safe mode (I've tried accessing normal startup with that F8 stuff, but it still reverts back), with Windows XP themes disabled, Limited Accounts missing and the ADSL network connection profile in Control Panel missing. It seems to differ from safe mode in that the "safe mode" text is missing, and monitor resolution and framerate are at normal. I can't access the internet from that machine or get it back to normal.

I think the fact that you are stuck in Safe Mode is directly related to your having removed certain system files and registry entries. Of course, it's very possible there could be a lingering infection responsible. That is why I had made the suggestions I did (which you had snipped). Here they are once again:

Yikes!

Removing temp files is fine.

However, removing system files and registry entries is not. You may have done irreparable damage to your system.

First, back up all your data. The last thing you want to do is to lose it. Note all your settings, too. If possible, back them up. This page may be of help:

http://www.aumha.org/win5/a/fast.php

Certainly try Nass's suggestions. Since you didn't copy the system files and registry keys you deleted, you *may* luck out with System Restore (assuming that that restore point still exists). Of course, you would have to fight the infection all over again -- but this time, the *proper* way.

If the above is not an option, you should just bite the bullet and perform a clean install.

In the future, image your hard drive regularly. That way, if you ever have another serious infection, all you need to do is restore the image -- very easy and fairly fast (especially compared to everything you have already done and have yet to do!).

Guest PA Bear [MS MVP]
Posted

Re: Post virus-removal problems

I have some experience in such matters.

g12002 wrote:

> What gives you the idea my system is still infected, PA Bear [MS MVP]? Is it that process I mentioned in my previous post? Also, what do you think of that missing DLL file?
