Hacktool.rootkit virus

Status
Not open for further replies.

nhelp1

My antivirus detected a rootkit virus. I tried using the AVG software to remove it. I've lost my desktop and start menu after rebooting. I am running Win XP with SP3. I've booted to safe mode and I still can't see my desktop and start menu. I am able to navigate through ctrl+alt+del task manager - new task. I can't run explorer from task manager, it gives me an error. Can someone please help me?
 
First of all, you need to take action with the mbam log, and you have a lot of crap in the Hijackthis log.
 
Tmagic650,
I am not knowledgeable about computers - can you please walk me through it? Sorry, I'm going to need step by step instructions. Please help me get rid of the virus on my machine.
 
Download, install and run free Avast antivirus and Advanced SystemCare free. After running these, run Malwarebytes and delete anything found. Rerun Superantispyware and Hijackthis and repost the 3 logs.
 
The key thing to note would be to ensure mbam has its actions for detected items set to "quarantine and delete".

I do not recommend having two antivirus programs on your system due to the possible conflicts that may arise on your system as well as the crazy resources hogged. Since AVG did not do the right job, you may choose to uninstall it before you install any of our recommended antivirus programs.
 
Yes Momok, I neglected to say "delete your existing antivirus program" before installing another...
 
Thank you again for your support. I deleted AVG and am running the Avast Free. No viruses were found by Avast. I installed the Advanced SystemCare Free (log file attached).

I looked at the mbam quarantine from 10/4/09; it shows the following:
Trojan.Agent from folder c:\Program Files\Microsoft Common
Security.Hijack from registry value HKEY_LOCAL_Machine\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\Explorer.exe\debugger (Data: C:\Program Files\Microsoft Common\Svchost.exe)
Should I delete the two quarantined items?

Reran 1. CCleaner, 2. mbam, 3. SuperAntiSpyware (identified and deleted 19 tracking cookies), 4. Hijackthis
Log files attached. Please guide me on how to remove the baddies from my machine. Thank you again for your time.
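The IFEO "debugger" value quoted in the quarantine entry above is the mechanism behind the missing desktop: when a Debugger value exists under Image File Execution Options\Explorer.exe, Windows starts that program instead of Explorer. As an added illustration (not code from this thread or from any of the tools named in it), the following Python script parses a .reg export of the IFEO key and flags Debugger values whose executable lives outside the Windows directory; the export text is constructed for the example.

```python
import re

# Constructed sample of a "reg export" of the IFEO key (not a real capture).
# The Explorer.exe entry mirrors the hijack quoted in the thread; the others
# are typical benign entries (a JIT debugger and a non-Debugger setting).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\Svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChaining"=dword:00000001
"""

IFEO_MARKER = "\\image file execution options\\"
WINDOWS_DIR_PREFIX = "c:\\windows\\"


def parse_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_command} for every IFEO subkey in a .reg export."""
    result = {}
    current_image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(IFEO_MARKER)
            current_image = key[pos + len(IFEO_MARKER):] if pos != -1 else None
            continue
        m = re.match(r'"Debugger"="(.*)"$', line, re.IGNORECASE)
        if m and current_image:
            # .reg files escape backslashes and quotes with a backslash.
            result[current_image] = re.sub(r"\\(.)", r"\1", m.group(1))
    return result


def debugger_executable(command):
    """Heuristic: the path up to the first '.exe', with a leading quote stripped."""
    cmd = command.lstrip('"')
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split()[0]


def suspicious_ifeo_entries(reg_text):
    """Flag debuggers outside the Windows directory; review each hit by hand, since
    legitimate debuggers installed elsewhere will also show up here."""
    flagged = {}
    for image, command in parse_ifeo_debuggers(reg_text).items():
        exe = debugger_executable(command)
        if not exe.lower().startswith(WINDOWS_DIR_PREFIX):
            flagged[image] = exe
    return flagged
```

Running `suspicious_ifeo_entries(SAMPLE_REG_EXPORT)` on the sample returns only the Explorer.exe entry, which is exactly the item mbam quarantined.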
 
Hi,

You can fix this in Hijackthis.

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Apart from that, all your logs turn up clean.

Yes, you may (in fact you should) proceed to clear all quarantine folders and files from your system.

Next, run system restore:
Turn it off then turn it back on again. < this clears any bad stuff still residing in your old restore points.

After that, I would say you're good to go =)
 
Momok, Tmagic650,

Excellent! thank you for sticking with me.
1. In Hijackthis, I will delete the "O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)"
2. I will delete the 2 files found in the mbam quarantine
3. How do I run system restore? Is that through the Advanced System Care Free program?
4. How do I turn it off then turn it back on again?
 
To turn off System Restore go to Control Panel, System, Advanced, System Restore and uncheck the checked drive(s). This will delete all old restore points. Just recheck the box for the hard drive to restart System Restore...

Momok,
Bobbye always got on me for suggesting turning off System Restore, and saying to delete "no name" and "file missing" notations in a Hijack log. Is Bobbye right or wrong?
 
Hm... good question. The recommended action to take with system restore is to leave it until last; after we are more or less pretty sure the user is clean, before we clear the restore points.

The rationale for this is that in rare situations we may encounter a case so difficult to handle that it may even prove a problem just doing simple tasks in Windows. Then we still have the option of trying a system restore to an earlier point. Even if that point was infected, it would still most likely be an easier situation to handle.

I guess the issue on the (file missing) entries is pretty subjective depending on experience. If the entry is legit, I usually don't try to fix it more than once if it returns. A common example would be the O2 Windows Live Messenger entry. It is always nameless, and always returns even when fixed in HJT. A good source to check O2 entries would be http://www.downloads.subratam.org/startuplist.html

Some places where legit entries persist in HJT are O2, O9 and O23. I can't recall if there are others though.
 
Bobbye told you that you do NOT drop the System Restore points at the beginning of the cleaning, but rather at the end. Bobbye also told you that not all files that say "file missing" are actually really missing: for instance, the Yahoo Toolbar always shows up as 'file missing'; it isn't.

Feel free to send me a PM if there is anything else you would like to ask.
 