[Solved]Can't login to XP following AVG healing
I stupidly got a virus (my own fault) from a P2P network called DC++ (fantastic program, btw). I recognized its presence immediately, as it created a folder called "msview" in my system32 directory full of bogus "keygens" and "cracks", and modified my DC++ settings so this was the only folder I was sharing. It also created a file called magnet.exe in my DC++ directory. I tried manually deleting all the bad files and registry entries I could find, but they kept coming back.
At this time, my entire O/S ran fine, only DC++ was affected.
On a friend's advice, I downloaded AVG Free and ran it. It immediately detected a "PSW Banker" trojan horse and a "Tibick.E" worm. It automatically "healed" them and prompted me for a reboot. Upon reboot, XP did an interesting little dance where it logs me in for about 2 seconds, then logs me back out, then repeats the cycle infinitely. Reboot again, same results - stuck at the "login shuffle". Safe mode - same result.
At some point in all my reboots, my HDD became unrecognizable as a boot device, and then completely. I was toying with BIOS settings for some reason and honestly can't say if this was before or after the HDD recognition issues. I managed to get the hard drive recognized again, booted Windows to "last known settings that worked", got into Windows, and repeated the whole process again (healed virus with AVG, to infinite login/logout shuffle). This time, even if I choose "boot to last known working configuration", I still can't get into the O/S.
There is an AVG forum for support, but you can only get a login account from inside your AVG software. Great, I cannot USE my AVG software (or my O/S). And I'm on a work PC now where I do not have admin rights and am sure I cannot install AVG. I really wish I could get this issue posted in their forums... I searched and it's not there.
Any ideas? Thanks in advance for any assistance. I am on the verge of re-formatting but that would be a huge task. My data is all backed up in safe places, but I have a LOT of software and settings that would need to be re-configured.
This discussion has been closed.
Comments
Since AVG found PSW Banker, I strongly advise you do the following:
- Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
- Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
- From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. You can read a bit about the infection here:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39315
If you read half way down the page, it says the following:
Note: Because of the need for 'MPREXE.EXE', the trojan will not function on Windows NT based machines (this includes XP and 2000). It also causes major system errors in Windows XP, causing it to continually restart. This is presumably a consequence of the way in which the driver attempts to hide processes.
At this stage, I would strongly advise to reformat your computer. The reason for this is that the infection contains limited backdoor functionality and can download and execute arbitrary files. This basically means that anything can be added or stolen to or from your computer.
Because of the backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.
To help you make a more informed decision, please read the following articles:
- Danger: Remote Access Trojans.
- When should I re-format? How should I reinstall?
- How Do I Handle Possible Identity Theft, Internet Fraud and Credit Card Fraud?
Should you have any questions, please feel free to ask. I'm sorry for the bad news.
Thanks for your thorough and prompt reply.
EDIT: One more thing to add. I have 3 external HDD's which I store large amounts of media on (I am a photographer and videographer). They were all disconnected from the PC when it started acting funny, to preserve my data just in case. These drives have no software or O/S installed on them, only data. Is there any way they could have been infected somehow? I'm thinking no, since they have no major system files. As it stands, reformatting them is NOT an option right now, but it would suck if they were infected and somehow reinfected my new clean installation of XP, when re-connected.
Good Luck and let me know how it goes.
Thanks again for your immense help.
Regardless, I am attaching a Hijackthis log that I ran from my C drive.
I completely reformatted and reinstalled my O/S on the primary drive. Hooked up all externals again and ran AVG on all 4 disks... took forever and did find a few threats in "system volume information" folders on the externals, but they were not Banker, and they've been removed.
Thanks.
The other disks should be fine if AVG did not detect the infection on those disks.
______________________________
For this log:
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis
I don't see a Firewall in the log. Do you have Windows Firewall active?
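An added example, not part of this thread or of HijackThis itself: a small parser for the O4 autostart lines the helper asked to have checked, which pulls out the hive, key, value name and command, expands the abbreviated `HKLM\..\Run` to the real registry key, and picks out the entries on a "fix checked" list. The log text is a constructed sample, not the poster's log; `parse_o4`, `entries_to_fix` and `registry_path` are names chosen here.

```python
import re
from typing import List, NamedTuple, Optional, Set

# Shape of a HijackThis O4 (autostart) line, e.g.
#   O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)

# HijackThis abbreviates the Run keys with ".."; this is the path they stand for.
RUN_PARENT = r"Software\Microsoft\Windows\CurrentVersion"


class O4Entry(NamedTuple):
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, ...
    name: str      # the [value name]
    command: str   # what Windows launches at logon


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one log line; returns None for anything that is not an O4 entry."""
    m = O4_RE.match(line.strip())
    return O4Entry(m["hive"], m["key"], m["name"], m["command"]) if m else None


def parse_log(text: str) -> List[O4Entry]:
    return [e for e in (parse_o4(l) for l in text.splitlines()) if e]


def registry_path(entry: O4Entry) -> str:
    """Full registry key to inspect for this autostart entry."""
    return f"{entry.hive}\\{RUN_PARENT}\\{entry.key}"


def entries_to_fix(text: str, flagged_names: Set[str]) -> List[O4Entry]:
    """Entries whose value name is on the helper's fix list (case-insensitive)."""
    wanted = {n.lower() for n in flagged_names}
    return [e for e in parse_log(text) if e.name.lower() in wanted]


# Constructed sample log (not the poster's); only the O4 lines are parsed.
SAMPLE_LOG = """\
Logfile of HijackThis (constructed sample)
O4 - HKLM\\..\\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{GUID}: NameServer = 192.0.2.1
"""

if __name__ == "__main__":
    for e in entries_to_fix(SAMPLE_LOG, {"Alcmtr"}):
        print(f"fix: {registry_path(e)} -> [{e.name}] {e.command}")
```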
I'll mark this thread resolved. Start a new thread, if you need help again.