Post virus-removal problems


g12002

Recently one of my machines was hit by some malware called "Antivirus XP
2008" forcing me to remove it by doing such things as removing registry
entries, disabling processes at startup, deleting most recent files in
System32 and Temp, stopping Security Centre under services.msc etc. I finally
removed it by running Malwarebytes' Anti-Malware in safe mode & running the
full scan overnight. The next morning, I carried out the removal process of
the discovered malware. Spybot SD was then able to run after this. I ran
Spybot (definitions updated) and it discovered and removed some more
malicious items. It now seems as if the malware has been removed except for
its startup processes still visible but disabled in MSconfig.

The problem now is the system appears to be stuck in safe mode (I've tried
accessing normal startup with that F8 stuff but still reverts back) with
Windows XP themes disabled, Limited Accounts missing & the ADSL network
connection profile in Control Panel missing. It seems to differ from safe
mode in that the "safe mode" text is missing, monitor resolution & framerate
is at normal. I can't access the internet from that machine or get it back to
normal.

Please help, this is quite urgent.
 

nass

g12002 said:
Recently one of my machines was hit by some malware called "Antivirus XP
2008" forcing me to remove it by doing such things as removing registry
entries, disabling processes at startup, deleting most recent files in
System32 and Temp, stopping Security Centre under services.msc etc. I finally
removed it by running Malwarebytes' Anti-Malware in safe mode & running the
full scan overnight. The next morning, I carried out the removal process of
the discovered malware. Spybot SD was then able to run after this. I ran
Spybot (definitions updated) and it discovered and removed some more
malicious items. It now seems as if the malware has been removed except for
its startup processes still visible but disabled in MSconfig.

The problem now is the system appears to be stuck in safe mode (I've tried
accessing normal startup with that F8 stuff but still reverts back) with
Windows XP themes disabled, Limited Accounts missing & the ADSL network
connection profile in Control Panel missing. It seems to differ from safe
mode in that the "safe mode" text is missing, monitor resolution & framerate
is at normal. I can't access the internet from that machine or get it back to
normal.

Please help, this is quite urgent.

Did you try to restore the machine to an earlier date before messing with
the registry keys?
Try in Safe Mode and restore your system to an earlier date and see if that will
take you back to normal, and then work your way with Malwarebytes or
SuperAntiSpyware with other scanners to remove this viral infection.
HTH,
nass
http://www.nasstec.co.uk
 

PA Bear [MS MVP]

I can assure you that you have more work to do.

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
 

g12002

Thanks for the help, guys. There are no other system restore points other
than the one Spybot made when I ran it in Safe Mode after Malwarebytes
Anti-Malware. I have posted the HJT log in one of the forums. HJT seems to
have detected that a DLL file, namely pmxfwl.dll is missing and there seems
to be some process in documents and settings/all users/application
data/detkzwtq called fohqhste.exe.
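Two things in this thread can be checked before anything else is deleted: whether the machine is really booting into Safe Mode (and whether boot.ini is forcing it to), and whether the files named in the HijackThis log are actually on disk. The PowerShell diagnostic below is an added, read-only example written for this thread; it is not code from any poster, from Malwarebytes, Spybot or HijackThis. It assumes Windows XP (boot.ini on the system drive), PowerShell 2.0 or later in an Administrator session, and two assumed file locations: the post does not say where HijackThis expected pmxfwl.dll, so System32 is a guess, and fohqhste.exe is taken from the Application Data folder the poster reported.

```powershell
# Added read-only diagnostic for the symptoms in this thread; changes nothing.
# Assumes Windows XP, PowerShell 2.0+, and an Administrator session.

function Get-SafeBootState {
    # Windows creates SafeBoot\Option only when booted with /safeboot:
    # OptionValue 1 = minimal, 2 = with networking. Absent on a normal boot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option'
    if (Test-Path -Path $key) {
        return (Get-ItemProperty -Path $key).OptionValue
    }
    return 0
}

function Get-ForcedSafeBootLines {
    # MSConfig's BOOT.INI tab adds "/safeboot:..." to the boot entry; while it
    # is there, every restart lands in Safe Mode whatever the F8 menu says.
    $bootIni = Join-Path $env:SystemDrive 'boot.ini'
    if (-not (Test-Path -Path $bootIni)) { return @() }
    return @(Get-Content -Path $bootIni | Where-Object { $_ -match '/safeboot' })
}

function Get-MsconfigDisabledStartup {
    # On XP, startup entries unticked in MSConfig are parked under this key;
    # 'command' holds the original Run-key value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    if (-not (Test-Path -Path $key)) { return @() }
    Get-ChildItem -Path $key | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{ Item = $_.PSChildName; Command = $p.command }
    }
}

function Get-FileReport {
    param([string[]]$Paths)
    # Existence plus SHA-1, so a file can be looked up in a scanner vendor's
    # database without ever executing it; missing files are reported as such.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    foreach ($path in $Paths) {
        if (Test-Path -Path $path -PathType Leaf) {
            $stream = [System.IO.File]::OpenRead($path)
            try {
                $hash = ($sha1.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
            } finally { $stream.Close() }
            "{0}  present  sha1={1}" -f $path, $hash
        } else {
            "{0}  MISSING" -f $path
        }
    }
}

# ---- report ----
$state = Get-SafeBootState
Write-Host ("SafeBoot\Option OptionValue: {0}  (0 = normal boot, 1 = minimal, 2 = networking)" -f $state)

$forced = Get-ForcedSafeBootLines
if ($forced.Count -gt 0) {
    Write-Host "boot.ini forces Safe Mode on these entries:"
    $forced | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "boot.ini contains no /safeboot switch"
}

Write-Host "Startup entries MSConfig has disabled:"
Get-MsconfigDisabledStartup | Format-Table Item, Command -AutoSize

# Files named in the poster's HijackThis log. The System32 location for
# pmxfwl.dll is an assumption; the log excerpt does not give a path.
$suspect = @(
    (Join-Path $env:SystemRoot 'System32\pmxfwl.dll'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\detkzwtq\fohqhste.exe')
)
Get-FileReport -Paths $suspect
```

Reading the output: if SafeBoot\Option is absent and boot.ini carries no /safeboot switch, the session is a normal boot that merely looks like Safe Mode, which points at the deleted services and registry entries rather than the boot mode, as Daave suggests later in the thread. If boot.ini does carry /safeboot, the BOOT.INI tab in MSConfig is where that switch was set and can be cleared. The disabled-startup list shows exactly what MSConfig is still holding, and the SHA-1 values let the two files be checked against a scanner's records without running them.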
 

PA Bear [MS MVP]

You've still got a Vundo infection...which may be accompanied by a ZLOB
and/or SDBot infection...all of which may be protected by a rootkit.
 

Daave

g12002 said:
Recently one of my machines was hit by some malware called "Antivirus XP
2008" forcing me to remove it by doing such things as removing registry
entries, disabling processes at startup, deleting most recent files in
System32 and Temp, stopping Security Centre under services.msc etc. I finally
removed it by running Malwarebytes' Anti-Malware in safe mode & running the
full scan overnight. The next morning, I carried out the removal process of
the discovered malware. Spybot SD was then able to run after this. I ran
Spybot (definitions updated) and it discovered and removed some more
malicious items. It now seems as if the malware has been removed except for
its startup processes still visible but disabled in MSconfig.

The problem now is the system appears to be stuck in safe mode (I've tried
accessing normal startup with that F8 stuff but still reverts back) with
Windows XP themes disabled, Limited Accounts missing & the ADSL network
connection profile in Control Panel missing. It seems to differ from safe
mode in that the "safe mode" text is missing, monitor resolution & framerate
is at normal. I can't access the internet from that machine or get it back to
normal.

Please help, this is quite urgent.

Yikes!

Removing temp files is fine.

However, removing system files and registry entries is not. You may have
done irreparable damage to your system.

First, back up all your data. The last thing you want to do is to lose
it. Note all your settings, too. If possible, back them up. This page
may be of help:

http://www.aumha.org/win5/a/fast.php

Certainly try Nass's suggestions. Since you didn't copy the system files
and registry keys you deleted, you *may* luck out with System Restore
(assuming that that restore point still exists). Of course, you would
have to fight the infection all over again -- but this time, the
*proper* way.

If the above is not an option, you should just bite the bullet and
perform a clean install.

In the future, image your hard drive regularly. That way if you ever
have another serious infection, all you need to do is restore the
image -- very easy and fairly fast (especially compared to everything
you have already done and have yet to do!).
 

g12002

What gives you the idea my system is still infected, PA Bear [MS MVP]? Is it
that process I mentioned in my previous post? Also what do you think of that
missing DLL file?
 

Daave

g12002 said:
What gives you the idea my system is still infected, PA Bear [MS MVP]? Is it
that process I mentioned in my previous post? Also what do you think of that
missing DLL file?

Although you responded to my post, you trimmed out *everything* I said
as well as the pertinent information you had written. On top of that,
you seem to be addressing PA Bear!

From what I understand, Antivirus XP 2008 is a tough infection to fight
because it is accompanied by other infections. But I'll let PA Bear
answer your question in deeper detail if he wishes. I was merely
responding to your post, specifically:
Recently one of my machines was hit by some malware called "Antivirus XP
2008" forcing me to remove it by doing such things as removing registry
entries, disabling processes at startup, deleting most recent files in
System32 and Temp, stopping Security Centre under services.msc etc.

and

The problem now is the system appears to be stuck in safe mode (I've tried
accessing normal startup with that F8 stuff but still reverts back) with
Windows XP themes disabled, Limited Accounts missing & the ADSL network
connection profile in Control Panel missing. It seems to differ from safe
mode in that the "safe mode" text is missing, monitor resolution & framerate
is at normal. I can't access the internet from that machine or get it back to
normal.

I think the fact that you are stuck in Safe Mode is directly related to
your having removed certain system files and registry entries. Of
course, it's very possible there could be a lingering infection
responsible. That is why I had made the suggestions I did (which you had
snipped). Here they are once again:



Yikes!

Removing temp files is fine.

However, removing system files and registry entries is not. You may have
done irreparable damage to your system.

First, back up all your data. The last thing you want to do is to lose
it. Note all your settings, too. If possible, back them up. This page
may be of help:

http://www.aumha.org/win5/a/fast.php

Certainly try Nass's suggestions. Since you didn't copy the system files
and registry keys you deleted, you *may* luck out with System Restore
(assuming that that restore point still exists). Of course, you would
have to fight the infection all over again -- but this time, the
*proper* way.

If the above is not an option, you should just bite the bullet and
perform a clean install.

In the future, image your hard drive regularly. That way if you ever
have another serious infection, all you need to do is restore the
image -- very easy and fairly fast (especially compared to everything
you have already done and have yet to do!).