
Need Help after XP Anti-Spyware 2011 Removal


21 replies to this topic

#1 kauai

kauai

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:02 AM

Posted 25 May 2011 - 01:45 PM

Hi all, originally posted this in the "Virus, Trojan, Spyware, and Malware Removal Logs" section but never got a reply, and I'm thinking maybe I posted there prematurely as I'm unable to generate any logs to post. Here's my post in its entirety. Hopefully the good folks here can help me.

---------------

Hi, I'm at about my wits' end on a coworker's machine here. Machine is a Dell running Windows XP SP3. The PC got hit with XP Anti-Spyware 2011, and I've thrown just about everything I have at it. First used Avira Antivir Rescue Disc, then ran UBCD4Win and ran SUPERAntispyware from there. Cleaned out whatever was found. Restarted the machine and the problem remained, so I ran Emsisoft Emergency Kit 1.0 and it found a couple of problems. Cleaned with that and went through the cycle again without booting up the native OS on the PC. When that came out clean, I rebooted the machine only to find it still infected.

At that point, I began searching online and found the self-help steps outlined on this site (http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011). I followed the steps yesterday and rebooted, and the PC appeared to be working fine. However, this morning the machine would not boot up. Unfortunately I don't know the initial screen that showed up as I got called after my coworker tried to restart. When I got there, upon startup I receive the black screen message stating that it couldn't start normally, and gives the options of modes in which to start up Windows (i.e., Restart in Safe Mode, Safe Mode With Networking, etc.). I selected "Start Windows Normally", then the XP loading screen would come up momentarily followed by the BSOD stating that Windows had to shut down to prevent damage to the system.

I restarted and tried selecting Safe Mode but it would take me to the same BSOD. I then decided to try my "boot disk cycle" I described earlier (Avira Antivir Rescue Disc and UBCD4Win). SUPERAntispyware found a couple new infections, and I cleaned those out. I then did a "chkdsk /f" and it came out clean. However, Windows still won't start up.

Since I can't start up Windows, I'm not sure how to generate the log files needed to request help here. I hope someone can still provide me guidance.

(Sorry for the long post, but I figured I should be as thorough as possible in explaining what I've done thus far to try and fix this problem.)

-----------

That's my original post. (Quick note about the UBCD4Win disc that I used: I built it using my original Windows installation discs so it's a legitimate version.) In retrospect, I'm thinking this is probably the better forum to post this issue in as it may be a Windows problem at this point. It's a work PC which is why I'm kind of anxious about finding a potential fix, as the PC has my coworker out of commission for now. I'm thinking of trying to repair the XP installation using the original Windows reinstallation CD, but figured I'd check with the pros here first. Oh, and if I did in fact originally post this in the proper forum please let me know as well. I'll then wait for a response over there. (Got antsy because several requests for help were made in that forum after my post and have already gotten responses, whereas my post has been read numerous times but has not yet gotten a reply.)

Edited by hamluis, 25 May 2011 - 02:06 PM.
Moved from XP to Am I Infected.



#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,889 posts
  • ONLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:02 AM

Posted 25 May 2011 - 02:05 PM

Your other post (which occurred yesterday) was deleted when it was seen that you had a duplicate post here in the XP forum. That post was made in the log forum, without any logs...which made it unfit for that forum.

I will move this post to our other malware forum.

Louis

#3 kauai

kauai
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:02 AM

Posted 25 May 2011 - 02:09 PM

Thank you, Louis! Much appreciated, and I hope someone can help me soon.

#4 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:09:02 AM

Posted 25 May 2011 - 02:31 PM

Hi kauai,

Is it possible that you have any cleaning logs from any of the programs that you have tried already?

Can you possibly give me any more information regarding your Blue Screen?

I may be able to help you and I may not depending on the tools that may be needed to accomplish the cleaning task.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#5 kauai

kauai
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:02 AM

Posted 25 May 2011 - 03:19 PM

Thanks for the response. I'll go and boot the infected PC and write down the bluescreen message verbatim. I'll also see if I can dig up any of the logs and will post my findings here in a bit.

#6 kauai

kauai
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:02 AM

Posted 25 May 2011 - 03:36 PM

Okay, here's the bluescreen message word for word:

A problem has been detected and Windows has been shut down to prevent damage to your computer. If this is the first time you’ve seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

Technical information:

*** STOP: 0x0000007B (0xBA4c7524, 0xC0000034, 0x00000000, 0x00000000)


No changes were made to the PC other than running the various software I described in the first post (meaning no hardware changes were made). I'm still working on finding any logs that may be on the machine. Thanks again for the help.

#7 kauai

kauai
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:02 AM

Posted 25 May 2011 - 03:59 PM

Okay, managed to get the log for the Malwarebytes Antimalware scan that was done. The scan was only done once, and when I rebooted the PC worked. The next morning XP wouldn't boot up and to date there's only the BSOD I described earlier. Here's the log.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6657

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/23/2011 11:01:34 AM
mbam-log-2011-05-23 (11-01-34).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 211962
Time elapsed: 20 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\OO1310T0QS (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SNJQ66R8MU (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sokdrt700.exe (Trojan.Agent.AD) -> Value: sokdrt700.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SNJQ66R8MU (Trojan.FakeAlert.SA) -> Value: SNJQ66R8MU -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\Stuart\start menu\Programs\antimalware doctor (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\application data\antivirus antispyware 2011 (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\start menu\Programs\antivirus antispyware 2011 (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Stuart\application data\Sun\Java\deployment\cache\6.0\56\14c6e138-743036ad (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\local settings\application data\dqx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\local settings\Temp\0.9469312637928446.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\local settings\Temp\jar_cache6415034494198583731.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\start menu\Programs\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\application data\microsoft\internet explorer\quick launch\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\application data\microsoft\internet explorer\quick launch\antimalware doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\start menu\antimalware doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\start menu\Programs\Startup\antimalware doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\local settings\Temp\0.3081264041712053.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\local settings\Temp\ppddfcfux.exxe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\local settings\Temp\w32rim_mem.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\local settings\Temp\wrfwe_di.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\local settings\Temp\dfbleep.exe (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\start menu\Programs\antimalware doctor\antimalware doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\start menu\Programs\antimalware doctor\uninstall.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\application data\antivirus antispyware 2011\icoactivate.ico (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\application data\antivirus antispyware 2011\IcoHelp.ico (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\application data\antivirus antispyware 2011\icouninstall.ico (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\start menu\Programs\antivirus antispyware 2011\activate antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\start menu\Programs\antivirus antispyware 2011\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\start menu\Programs\antivirus antispyware 2011\help antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\start menu\Programs\antivirus antispyware 2011\how to activate antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
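The log above is worth more than a list of what was quarantined: the Run-key value, the Startup-folder shortcut, the scheduled task in C:\WINDOWS\Tasks and the three Security Center "DisableNotify" settings are the items that tell a responder how the rogue was surviving reboots and hiding from the user. The Python below is an added example, not code from the thread or from Malwarebytes: it parses lines in the layout of that log, tags each finding by what it means for the machine, and lists the persistence items to re-verify after the box boots again. The sample log embedded in it is constructed from the paths and detection names in the post; the tag names and the `parse_mbam_log`, `classify`, `summarize` and `persistence_items` functions are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Malwarebytes log posted above;
# the paths and detection names are copied from that log.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\OO1310T0QS (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sokdrt700.exe (Trojan.Agent.AD) -> Value: sokdrt700.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Memory Modules Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Stuart\local settings\application data\dqx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\documents and settings\Stuart\start menu\Programs\Startup\antimalware doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected:" style section headers (the summary counts at the
# top of a real log read "Registry Keys Infected: 2" and do not match).
SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
# "<item> (<detection>) -> [Value: x ->] <action>."
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, detection, action."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        hit = FINDING_RE.match(line)
        if section is None or hit is None:
            continue  # '(No malicious items detected)' and other non-finding lines
        action = hit.group("rest").split(" -> ")[-1].rstrip(".")
        findings.append({"section": section, "item": hit.group("item"),
                         "detection": hit.group("detection"), "action": action})
    return findings


def classify(finding):
    """Tag a finding by what it tells a responder; persistence checks come first."""
    item = finding["item"].lower()
    det = finding["detection"]
    if det.startswith("PUM.Disabled.SecurityCenter") or "\\security center\\" in item:
        return "security_center_tamper"        # AV/firewall/update warnings silenced
    if "\\currentversion\\run\\" in item:
        return "persistence_run_key"           # starts at every logon
    if "\\start menu\\programs\\startup\\" in item:
        return "persistence_startup_folder"
    if "\\windows\\tasks\\" in item and item.endswith(".job"):
        return "persistence_scheduled_task"
    if det.startswith("Rogue."):
        return "rogue_av_component"            # shortcuts, icons, program folders
    return "malware_artifact"                  # droppers, downloaders, temp payloads


def summarize(findings):
    """Count findings per tag."""
    return Counter(classify(f) for f in findings)


def persistence_items(findings):
    """Items to confirm are still gone once the machine boots normally again."""
    return [f["item"] for f in findings if classify(f).startswith("persistence_")]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for tag, count in sorted(summarize(found).items()):
        print(f"{tag:28s} {count}")
    print("re-check after reboot:", *persistence_items(found), sep="\n  ")
```

Run against the full log from the post, the same parser picks up the second Run value (SNJQ66R8MU) and the two other Security Center settings; the persistence list is what to look at first if the fake alerts come back after a reboot.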

#8 kauai

kauai
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:02 AM

Posted 25 May 2011 - 06:48 PM

Finished searching through the infected PC. Unfortunately this is the only recent log (the rest are all outdated). Hopefully this is enough information for some guidance on what to do next.

#9 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:09:02 AM

Posted 26 May 2011 - 07:53 AM

Hi kauai,

Might you have a Windows XP CD?
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#10 N.E.

N.E.

  • Members
  • 140 posts
  • OFFLINE
  • Local time:09:02 AM

Posted 26 May 2011 - 08:01 AM

Have you tried using the "last known good configuration" selection in the "F8" startup screen?

Neal

#11 kauai

kauai
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:02 AM

Posted 26 May 2011 - 12:12 PM

techExtreme, yes I do have the XP reinstallation CD that came with the PC. That's the next step I've been contemplating doing but figured I'd come here first to ask for some input on that. Should I go ahead and try repairing the OS using the CD?

Neal, I did try the "last known good configuration" option and it didn't work. Thank you for the suggestion tho.

#12 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:09:02 AM

Posted 26 May 2011 - 12:20 PM

Hi kauai,

Actually let's see if we can get it booting first before we go that far.

  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then start the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • When prompted to choose a Windows installation, type 1 and press Enter.
  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open

At the command prompt I'd like you to type: chkdsk c: /f and press enter.

This is the Check Disk utility that is built into Windows. If you'd like more information on what chkdsk does, you can find it here.

**NOTE** Please do not run any other switches until we have the results from running chkdsk.

Let me know what the messages ( if any ) are when chkdsk finishes.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#13 kauai

kauai
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:02 AM

Posted 26 May 2011 - 12:34 PM

I'll go ahead and run the chkdsk c: /f as you described, but just wanted to note that I did run the command before via the command prompt through UBCD4Win. I ran it once and it corrected an error (I apologize, I don't remember what it was but it wasn't anything to do with the files themselves), and I ran it again and it came out clean.

I'll do the chkdsk again using the standard Windows reinstallation CD tho, and I'll post the results.

#14 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:09:02 AM

Posted 26 May 2011 - 12:44 PM

Hi kauai,

Ok. That sounds good. Take your time.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#15 kauai

kauai
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:02 AM

Posted 26 May 2011 - 12:49 PM

I followed the instructions as described, but the switch /f wasn't available. The only switches available to me via that route were /p and /r. (FYI, the PC is a Dell and I'm using the Dell XP Reinstallation CD that came with the machine. Not sure if that matters or not but I thought I should mention it.) I didn't run either one and just typed "exit".

Here's the odd thing. The PC went through its standard boot sequence and I decided to try and let it continue. It managed to boot up! It is now at the user login screen (I have 2 profiles set up there, one for the user and one for administrator). I didn't touch anything after that; I just walked away from the machine to post this occurrence. My instincts tell me to log in as the user and try running Malwarebytes Antimalware again, but I figured I'd better check first.
