Malware removal

peter

To continue from a previous post. It looks like the root of my
problem is malware. I can only start my PC in safe mode, and even then
I can't access explorer.exe, so I have to hunt out .exe files to run
programs like Internet Explorer. The malware seems to disable my
Spybot, spyware, Norton etc. AVG doesn't seem to run in safe mode, so
I don't know how to get rid of the problem. Any ideas?

Perhaps I can use System Restore? But without the desktop icons, how
can I get into Control Panel to run System Restore?

Peter
 
Malke

peter said:
To continue from a previous post. It looks like the root of my
problem is malware. I can only start my PC in safe mode, and even then
I can't access explorer.exe, so I have to hunt out .exe files to run
programs like Internet Explorer. The malware seems to disable my
Spybot, spyware, Norton etc. AVG doesn't seem to run in safe mode, so
I don't know how to get rid of the problem. Any ideas?

Perhaps I can use System Restore? But without the desktop icons, how
can I get into Control Panel to run System Restore?

It would have been better to stay in your original thread since I have no
idea of the history of your postings. That said, System Restore will not
help you. You need to clean up the machine by using tools outside of
Windows. There are various "live" CDs provided by antivirus companies such
as Avira and F-Secure. Since you are using XP, you can make a Bart's PE with
malware removal tool plugins. You can also try getting guided help at one of
the specialty forums listed below.

However, when a computer is so severely infected it is likely that the
operating system itself has been damaged and it will be hard to ensure
complete removal of the malware. A better decision might be to back up your
data and do a clean install of Windows.

Malware removal steps:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

Some specialty forums:

http://aumha.net/viewtopic.php?t=4075 - Posting FAQ
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5

How to reinstall Windows:

http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
you will need on-hand

Malke
 
SC Tom

peter said:
To continue from a previous post. It looks like the root of my
problem is malware. I can only start my PC in safe mode, and even then
I can't access explorer.exe, so I have to hunt out .exe files to run
programs like Internet Explorer. The malware seems to disable my
Spybot, spyware, Norton etc. AVG doesn't seem to run in safe mode, so
I don't know how to get rid of the problem. Any ideas?

Perhaps I can use System Restore? But without the desktop icons, how
can I get into Control Panel to run System Restore?

Peter

Try starting in Safe Mode w/ Command Prompt. When the command prompt comes up, type in

C:\windows\system32\restore\rstrui.exe

and press Enter. The interface will (should) come up to allow you to pick a
date to restore to. It may take a minute or two. Pick a date from well
before your problems began since they may have actually started before they
manifested themselves to you.

If the interface doesn't come up, or you are not allowed to do a SR, your
only option may be a format and reinstallation of XP. :-(

SC Tom
 
Pegasus [MVP]

Malke said:
It would have been better to stay in your original thread since I have no
idea of the history of your postings.

The OP's original problem was an inability to launch explorer.exe
(permission denied), hence no desktop display. I dealt with it initially but
I have no experience with malware. I was concerned that the OP's initial
thread might fail to attract the attention of suitably qualified
respondents, hence my recommendation to him to start a new thread.
 
R. McCarty

Just to reinforce what Malke said, here's a list of what I had to use
on a severely infected notebook with over 70 different Viruses, Trojans,
including Vundo, Rogue AntiVirus and on and on....

Detect & Removal Steps:
1.) Safe Mode boot to run Trend-Micro SysCln
2.) Run the SuperAntiSpyware Online scan ( Captured to .Com )
    Safe Mode ( no Networking )
3.) Run ESET NOD32 Online scan
4.) Run AutoRuns to block startup replication
5.) Install Malwarebytes and SpyBot ( Multiple Pass w/Boot Time scans )
6.) Install Microsoft Security Essentials ( Full Scan )

Cleanup & Repair:
1.) Reset all Registry Key permissions
2.) Fix or add Permissions to Windows Folders that were modified,
    Scheduled Tasks in \Windows\Tasks & several others:
    *Must be done from Safe Mode as PC uses XP Home Edition.
3.) Repair or modify Hosts
4.) Delete or disable Browser Hijacks
5.) Cleanup \Downloaded Program Files
6.) Purge all Temp locations, Browser Caches, Cookies....

Sound like fun? Nope, and it can take a long time to complete all this.
Was the customer's PC backed up? No, but it is now. And all this got
onto a PC using AVG Free 8.
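One of the cleanup steps in the list above, "Repair or modify Hosts", deserves a concrete check, because the rogue-antivirus families of this period rewrote the Windows hosts file so that scanners could not fetch updates and the user could not reach the removal forums. The Python script below is an added example written for this thread; it is not code from any poster or from any of the tools named here. It audits the text of a hosts file offline and reports entries that sinkhole (loopback or 0.0.0.0) or redirect security-vendor and forum hostnames, plus any other sinkhole or redirect entry. The watch list is an assumption built from domains that appear in this thread, not an official list, and the sample hosts content is constructed. The script only reports; it changes nothing on the machine.

```python
import ipaddress
from typing import Dict, List, Optional

# Hostnames a cleanup should expect to find untouched. These are the vendor
# and forum domains mentioned in this thread; the set is an assumption for
# the example, not an official list. Any hosts-file entry for one of them is
# suspicious: loopback / 0.0.0.0 blocks updates, anything else is a redirect.
WATCHLIST = {
    "www.malwarebytes.org",
    "www.superantispyware.com",
    "www.bleepingcomputer.com",
    "www.trendsecure.com",
}

# The only name a stock Windows hosts file maps to loopback.
LOOPBACK_OK = {"localhost"}

# Constructed sample hosts-file text (not taken from any real machine).
SAMPLE_HOSTS = """\
# constructed sample for this example
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
0.0.0.0         www.superantispyware.com   # update server silenced
192.0.2.10      www.bleepingcomputer.com
0.0.0.0         ads.example
"""


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Parse hosts-file text into {ip, host, line} records, skipping comments
    and blank lines. One hosts line may list several hostnames."""
    records: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            records.append({"ip": fields[0], "host": host.lower(), "line": lineno})
    return records


def classify(record: Dict[str, object]) -> Optional[str]:
    """Return a verdict string for one record, or None if it looks benign.
    Raises ValueError if the address column is not an IP address."""
    addr = ipaddress.ip_address(str(record["ip"]))
    host = str(record["host"])
    sinkholed = addr.is_loopback or addr.is_unspecified   # 127.x, ::1, 0.0.0.0
    if host in LOOPBACK_OK and sinkholed:
        return None                                      # stock entry
    if host in WATCHLIST:
        return "vendor-blocked" if sinkholed else "vendor-redirected"
    if sinkholed:
        return "sinkholed"       # lower severity: ad-block lists look like this
    return "redirected"          # name sent to a real address: pharming risk


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Audit hosts-file text and return the suspicious records with verdicts."""
    findings: List[Dict[str, object]] = []
    for rec in parse_hosts(text):
        try:
            verdict = classify(rec)
        except ValueError:
            verdict = "unparseable-ip"   # garbage in the address column
        if verdict is not None:
            findings.append({**rec, "verdict": verdict})
    return findings


if __name__ == "__main__":
    # On a live XP machine the file is %SystemRoot%\system32\drivers\etc\hosts;
    # copy it off the machine (e.g. from a rescue CD) and pass its text here
    # instead of SAMPLE_HOSTS.
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['ip']:<15} {f['host']:<28} {f['verdict']}")
```

Reading the hosts file from a rescue CD rather than from the running Windows, as Malke suggests, also sidesteps the process-killing behaviour peter describes later in the thread: the audit runs where the malware never gets control, and a "vendor-blocked" or "vendor-redirected" verdict after cleanup is a reliable sign that the cleanup is not finished.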
 
peter

Just to reinforce what Malke said, here's a list of what I had to use
on a severely infected notebook with over 70 different Viruses, Trojans,
including Vundo, Rogue AntiVirus and on and on....

Detect & Removal Steps:
    1.) Safe Mode boot to run Trend-Micro SysCln
    2.) Run the SuperAntiSpyware Online scan ( Captured to .Com )
          Safe Mode ( no Networking )
    3.) Run ESET NOD32 Online scan
    4.) Run AutoRuns to block startup replication
    5.) Install Malwarebytes and SpyBot ( Multiple Pass w/Boot Time scans )
    6.) Install Microsoft Security Essentials  ( Full Scan )

Cleanup & Repair:
    1.) Reset all Registry Key permissions
    2.) Fix or add Permissions to Windows Folders that were modified
         Scheduled Tasks in \Windows\Tasks & several others:
         *Must be done from Safe Mode as PC uses XP Home Edition.
    3.) Repair or modify Hosts
    4.) Delete or disable Browser Hijacks
    5.) Cleanup \Downloaded Program Files
    6.) Purge all Temp locations, Browser Caches, Cookies....

Sound like fun? Nope, and it can take a long time to complete all this.
Was the customer's PC backed up? No, but it is now. And all this got
onto a PC using AVG Free 8.

Sorry for such a basic question, but I'd have to start up in Safe Mode
with Networking in order to run the online scans, correct? Will these
destroy the malware? At present Spybot and Malwarebytes won't run, and
so this makes part 5 unworkable.
 
R. McCarty

You do have to run in Safe Mode with Networking to access the
online scans. The problem is that many online scans require you to
load an ActiveX component to actually run the scan. Many times
the browser is "polluted" and may not be able to access the site &
load/run the online scan. The SuperAntiSpyware online scan is just
a downloaded component with current defs that you can get from
a non-infected machine and copy/run on the infected one.
Here's the download link:
http://www.superantispyware.com/onlinescan.html
The filename is SAS_418B4.Com, ~9.0 Megabytes. You want to
save the file, not Run it, to use it on another PC.
*Don't mistake this for the Free version of SAS - it's a different
product.

Every situation is different and requires different tools, used in a
variable order. It's like a carnival "Whack-A-Mole" game: you have
to exterminate one thing to be able to run the next. That's why a
PC may not be able to be cleaned thoroughly and a data backup
and fresh install is the only real solution. Even with a good cleanup
you have to verify no infectors remain, even RootKits.

Just to reinforce what Malke said, here's a list of what I had to use
on a severely infected notebook with over 70 different Viruses, Trojans,
including Vundo, Rogue AntiVirus and on and on....

Detect & Removal Steps:
1.) Safe Mode boot to run Trend-Micro SysCln
2.) Run the SuperAntiSpyware Online scan ( Captured to .Com )
Safe Mode ( no Networking )
3.) Run ESET NOD32 Online scan
4.) Run AutoRuns to block startup replication
5.) Install Malwarebytes and SpyBot ( Multiple Pass w/Boot Time scans )
6.) Install Microsoft Security Essentials ( Full Scan )

Cleanup & Repair:
1.) Reset all Registry Key permissions
2.) Fix or add Permissions to Windows Folders that were modified
Scheduled Tasks in \Windows\Tasks & several others:
*Must be done from Safe Mode as PC uses XP Home Edition.
3.) Repair or modify Hosts
4.) Delete or disable Browser Hijacks
5.) Cleanup \Downloaded Program Files
6.) Purge all Temp locations, Browser Caches, Cookies....

Sound like fun? Nope, and it can take a long time to complete all this.
Was the customer's PC backed up? No, but it is now. And all this got
onto a PC using AVG Free 8.

Sorry for such a basic question, but I'd have to start up in Safe Mode
with Networking in order to run the online scans, correct? Will these
destroy the malware? At present Spybot and Malwarebytes won't run, and
so this makes part 5 unworkable.
 
Malke

peter wrote:

Sorry for such a basic question, but I'd have to start up in Safe Mode
with Networking in order to run the online scans, correct? Will these
destroy the malware? At present Spybot and Malwarebytes won't run, and
so this makes part 5 unworkable.

I don't like to run online scans, so my advice (per the link I already gave
you) is different from Mr. McCarty's.

You can try renaming MBAM to something like 1234.exe. I wouldn't bother with
Spybot. And I repeat - you will probably have to do the initial work from
*outside* of Windows. That means booting with a rescue CD from one of the
antivirus companies and/or a Bart's PE with malware removal tool plugins
installed.

Malke
 
db

seems that if you have norton installed
and avg then you may simply have a
below par configuration which is causing
system instability.

the fact that you can boot into safe mode
implies that the windows core files are
not the problem.

so my suggestion is to initiate a clean boot
from the safe mode.

the method I prefer is to click on start>run>
msconfig

then under the startup tab disable/uncheck
all that are listed.

then under services, "hide" all microsoft
and what remains disable / uncheck those
as well.

then reboot into normal mode and analyze
your system.

--
db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- @Hotmail.com
- nntp Postologist
~ "share the nirvana" - dbZen

~~~~~~~~~~~~~~~
 
Jose

The OP's original problem was an inability to launch explorer.exe
(permission denied), hence no desktop display. I dealt with it initially but
I have no experience with malware. I was concerned that the OP's initial
thread might fail to attract the attention of suitably qualified
respondents, hence my recommendation to him to start a new thread.

Was the permission-denied problem with explorer.exe that you dealt with
resolved, and what was the solution?
 
Pegasus [MVP]

The OP's original problem was an inability to launch explorer.exe
(permission denied), hence no desktop display. I dealt with it initially but
I have no experience with malware. I was concerned that the OP's initial
thread might fail to attract the attention of suitably qualified
respondents, hence my recommendation to him to start a new thread.

Was the permission-denied problem with explorer.exe that you dealt with
resolved, and what was the solution?

=============

Don't know - perhaps the OP can answer the question.
 
peter

Was the permission-denied problem with explorer.exe that you dealt with
resolved, and what was the solution?

=============

Don't know - perhaps the OP can answer the question.

The problem is that the malware stops programs like malwarebytes,
superantispyware, spybot after a few seconds - even when I change the
name of the file I'm saving! Also happens with the online scanners.
Any new ideas?
 
Elmo

peter said:
The problem is that the malware stops programs like malwarebytes,
superantispyware, spybot after a few seconds - even when I change the
name of the file I'm saving! Also happens with the online scanners.
Any new ideas?

The CDs I've mentioned before run independently of the hard drive. You
can literally remove the hard drive, and a Knoppix Live CD will run
anyway. Using the BitDefender or other CDs listed at the following
site WILL take control; no malware can grab control since it's never
run, whether it's a rootkit, or whether it denies program access through
its registry settings, or whatever means it might try.

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available; it prompts you to insert a CD and burns the file, no
problem. (BitDefender only has an .ISO at this time.)

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html
 
Ken Blake, MVP

Just to reinforce what Malke said, here's a list of what I had to use
on a severely infected notebook with over 70 different Viruses, Trojans,
including Vundo, Rogue AntiVirus and on and on....


You succeeded in cleaning a machine with *70* different infections?
You apparently did a great job on it, but you were also *extremely*
lucky that cleaning it was even possible.

The vast majority of the time, when a computer has multiple infections
(even if considerably fewer than 70), the chances of successfully
cleaning it are extremely low. With as many as 70 (or even fewer) I
wouldn't even bother trying, but just go for a clean reinstallation of
Windows.
 
The Real Truth MVP

Use my Remove-it software, it will remove that malware from your system.
Choose yes for all options when prompted. Download it here
http://www.ms-mvp.org/

--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
 
Leythos

Path: news.astraweb.com!border1.newsrouter.astraweb.com!border2.nntp.dca.giganews.com!nntp.giganews.com!novia!news.netcologne.de!newsfeed-fusi2.netcologne.de!newsfeed.straub-nv.de!feeder.eternal-september.org!eternal-september.org!news.eternal-september.org!not-for-mail
From: "The Real Truth MVP" <[email protected]>
Newsgroups: microsoft.public.windowsxp.general
Subject: Re: Malware removal
Date: Wed, 7 Oct 2009 16:37:56 -0700
Organization: A noiseless patient Spider
Lines: 52
Message-ID: <[email protected]> [snip headers]

Use my Remove-it software, it will remove that malware from your system.
Choose yes for all options when prompted. Download it here
http://www.ms-mvp.FAKE/

Notice how butts continues to STALK ME and has been warned to not post
the link to the pirated software from his GIGANEWS account - he has
resorted to creating an account in my name, in a foreign country, in
order to post his pirated works.

Each day he proves he's the unethical hack we've said he is, proving
that the DMCA complaint to Giganews was valid and that he's a stalker by
creating an account in my name - like he did with a domain name.
 
Rick

peter said:
To continue from a previous post. It looks like the root of my
problem is malware. I can only start my PC in safe mode, and even then
I can't access explorer.exe, so I have to hunt out .exe files to run
programs like Internet Explorer. The malware seems to disable my
Spybot, spyware, Norton etc. AVG doesn't seem to run in safe mode, so
I don't know how to get rid of the problem. Any ideas?

Perhaps I can use System Restore? But without the desktop icons, how
can I get into Control Panel to run System Restore?

Peter

David Lipman sent this stuff to me when I had a problem, it worked very
well. What I did was to continue trying each item until it worked.

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in your post with a full
explanation of your problem and what you have done to date in one of
the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

Good luck with your problem
 
peter

David Lipman sent this stuff to me when I had a problem, it worked very
well. What I did was to continue trying each item until it worked.

Download and execute HiJack This! (HJT)http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in your post with a full
explanation of your problem
and what you have done to date in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:http://www.bleepingcomputer.com/for...malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:http://www.dslreports.com/forum/cle...ums.security-central.us/forumdisplay.php?f=13

Good luck with your problem

Quick update on the situation: My pc is now clear!! I managed to get
explorer working (somehow) and so was able to run the pc to a certain
extent. Then I tried avira antivirus in both normal and safe mode.
Every time I ran avira it picked up malware and then after about five
runs nothing. I checked it by trying spybot and now that works too. I
don't mean to sound like a salesman, but I've uninstalled AVG and have
moved over to Avira.
 
