My Windows XP PC was infected by some viruses, which had changed some registry settings before they were removed. I noticed the infection after I found the malware called “SmartProtection 2012” was unexpectedly installed in my PC. After the virus removal, I now have both McAfee and Malwarebytes up to date and run regular full system scans to check if there is still something lurking around. Nothing suspicious is reported. But two problems remain:
(1) After this, the internet browsers (both I.E & Mozilla) always crash unexpectedly, especially when downloading a file (even just a small 20MB file).
(2) My Windows Security Center has been stopped and there is no way I can find to turn it back on.
You’re not going to like my answer.
And, unfortunately, it’s an answer that I end up giving somewhat often, and in fact, one I’ve even written up before.
I’ll give you a thought or two on perhaps dealing with at least one of the issues that you’re facing.
But…
You’ll quickly understand why malware infections are best avoided completely rather than trying to clean up after them.
The ideal solution
Once you’ve determined that your machine has been infected, the simplest solution by far is to restore your machine to the most recent backup taken immediately prior to the infection.
Poof! Infection gone. Completely.
Pretty cool, huh?
Given how easy and complete that solution is, it’s very disheartening to hear how many people don’t have that as an option.
Because they haven’t been backing up their machine at all.
The bottom-line solution
At the opposite end of the spectrum is the only other way to guarantee that the malware has been completely removed and that all lingering traces are gone as well.
- Back up your data.
- Reinstall Windows and all your applications.
- Restore your data.
I’m tempted to add a fourth step: Start backing up.
The problem is something I’ve mentioned several times before:
Once it’s infected, it’s no longer your machine.
Even if you think you’ve successfully removed the malware, you have no guarantee – none – that there’s not still something left over. Perhaps it’s malware still quietly doing whatever malware does. Perhaps it’s just a missing file that you won’t realize until you need it some weeks from now.
Perhaps there’s nothing wrong at all.
The problem is you just don’t know.
The only way to know is to wipe the slate clean and start over.
The problem is that no one wants to do that. They’d rather live with the risk of still being infected.
Because, of course, it couldn’t happen to them.
Even though it already did.
Fixing symptoms
What we’re left with is what you’re asking for: fixing the symptoms you notice.
For Firefox, I’d uninstall it and reinstall it.
For Internet Explorer and the security center, I’d start by running the System File Checker, and if that doesn’t clear it up, look into performing a repair reinstall.
I honestly can’t tell you if that will in fact resolve the issue.
But short of the other solutions that I’ve mentioned above, it’s your next best bet.
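What that first repair step looks like at a command prompt, as an added example that is not from the original article. It assumes an administrator account and that the Security Center runs as the service named `wscsvc` (its name on XP SP2 and later).

```batch
@echo off
rem Added example: check and re-enable the Security Center service, then run SFC.
rem Assumes an administrator account; wscsvc is the Security Center service name.
setlocal

echo === Security Center service: current state ===
sc query wscsvc
if errorlevel 1 (
    echo The wscsvc service is not registered. Restarting a service cannot
    echo fix that; skip ahead to SFC and then a repair reinstall.
    goto :sfc
)

echo === Configured start type and dependencies ===
sc qc wscsvc

rem A service whose start type is DISABLED cannot be started until the
rem start type is changed. Note the required space after "start=".
sc qc wscsvc | find "DISABLED" >nul
if not errorlevel 1 (
    echo Start type is DISABLED; setting it back to automatic.
    sc config wscsvc start= auto
)

echo === Starting the service ===
net start wscsvc
sc query wscsvc | find "RUNNING" >nul
if errorlevel 1 (
    echo wscsvc did not start. Check that the services listed under
    echo DEPENDENCIES above are themselves running.
) else (
    echo wscsvc is running.
)

:sfc
echo === System File Checker ===
rem Verifies protected system files and replaces altered ones.
rem On XP it may prompt for the Windows installation CD.
sfc /scannow

endlocal
```

A service that starts again only clears the symptom; it says nothing about whether anything else was left behind on the machine.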
The real solution
I’m not trying to be a smart-ass, but there’s only one “real” solution.
Don’t get infected in the first place.
As you can hopefully see by now, the cost of getting a malware infection can be very high, particularly when you factor in properly and completely recovering from it.
Staying safe to begin with is much more effective.
That is a very dramatic answer, a shorter answer would be: Run ComboFix, it will probably clean any leftovers.
24-Mar-2012
ComboFix is not a tool like Malwarebytes which untrained users can use without supervision.
The scary looking disclaimer on ComboFix is not there for fun.
I’ve had to fix computers a number of times here with similar problems after an infection. My first step is to run Malwarebytes. If that doesn’t fix it, I wipe the machine clean and start over. I find that in the end that’s what I do anyway and I can do it in the time that it takes to mess around with alternate solutions that don’t work anyhow.
I was going to point out that ComboFix doesn’t run on 64-bit Windows, but according to BleepingComputer, it has apparently been updated to run on 64-bit Vista and Win7. (Though not 64-bit XP.)
Quick question related to your “most recent backup taken immediately prior to the infection” answer. How can you be sure when the infection happened? Perhaps the original infection happened weeks (months?) before you noticed anything “wrong” with your system. I can certainly tell you that, when someone calls us and says “I think my computer has a virus”, you can be pretty sure that the system is crawling with infections.
28-Mar-2012
Internet Explorer can often be fixed, as I will detail below. But if these steps don’t do it, then there is some left over problem that would be better served by Leo’s answer of a complete Windows reinstall.
The first thing to try for any version of Windows is to use Internet Explorer’s option to reset itself to default values. For Vista or Windows 7, if that doesn’t solve the problem, then uninstall back to the oldest IE you can get to (also resetting that to the original settings), then run it, and finally upgrade again to the latest version from Microsoft.
In Windows XP (not Vista or Windows 7), if resetting IE fails to solve the problem, you can then try Dial-A-Fix. You can find that on majorgeeks.com, along with other good download sites. Before you run Dial-A-Fix, you should first uninstall both IE 8 and IE 7, so you are back to IE 6. Then run Dial-A-Fix, and click the hammer icon on the bottom. In the new Tools Window, first highlight “Flush DNS”, then click “Go”. Next, go down the list and highlight “Repair permissions” and run that. Next highlight and run “Reset networking interfaces”. Finally, highlight and run “Repair/reinstall IE”. Then close the Tools window. For the last step, on the main window, put a checkmark in “Fix SSL/Https/Cryptography” (which selects everything in that section), and then also select everything in the Registration Center section below that. Then click “Go”. When that finishes, reboot, start IE, and make sure that is fine. After that, go download IE 8 from Microsoft.com and reinstall that.
Really only one way..even after running anti malware and seemingly deleting the problem..is to revert to an image backup that you trust..other things like photos etc can be backed up separately in the interim..and then just revert..is safest and surest in the long term
Sadly, with a couple of the newest variants of virus/malware such as “System Security 2012” it gets even worse. The nasty program creates one or two partitions on your hard drive with no volume labels. You merrily do a complete wipe and re-install, but unless you go in and delete those partitions, after you format C: and install everything, the virus re-installs itself and you’re back where you started! Like Leo says, imaging, backup and prevention are truly the only smart answers!
28-Mar-2012
This is really just a question for Leo. Can Malware/Malware remnants somehow occupy the free space and then reinfect used space later? I ask, as 4 years ago my Golf Club got 3 items of malware on the yearly disc (What a stink that caused in 4 countries. I still have this trio of nasties and there seems to be no trouble getting rid of them now). Anyway after trying for 3 days to get rid of these unsuccessfully as they just kept coming back, in desperation I ran a “Wipe Free Space” App. (Revo) immediately following the anti-virus. Well it worked. But was I just lucky???
28-Mar-2012
Whoa! Wait a minute!…There are serious implications of your claim that “you just don’t know” if your system infection has been totally eradicated! If that is true, it means:
1) NO currently available antivirus/antimalware/antispyware or combinations thereof, can detect all infections, and the claims of both reviewers and the companies that they can – are a lie. If you know that they can’t, so do they, and that means that they are purposely deceiving the public.
2) If they can’t find the malware, or evidence of its behavior on your system, then their claims that they can eliminate these infections are also untrue and they are encouraging a false sense of security in the public that their application can clean the customer’s system.
3) If the antivirus, etc. firms cannot find and fix these problems, then it follows that even BRAND NEW systems may be infected with some lurking type of malware (i.e., a trojan) hiding inside the Operating System that even Microsoft, etc., could not find.
4) Your suggestion to not get infected in the first place is nearly impossible, since malware developers can hide their malware in so many ways. Basically, it means you can’t go anywhere because what you think is a “safe” legitimate site may be another deception.
5) So, if nobody can find the infection, how do you know it even exists? So, now what? Junk the whole system? Stop using computers?
28-Mar-2012
Suggestion to original poster: McAfee is nearly worthless protection. As the first line of defense, I suggest researching for better protection. A reliable independent source I’ve relied on for determining the best Antivirus software is http://www.av-test.org (see their: Tests/Test Reports tab). Kind regards,
Sadly, Leo is correct as I have recently learned.
A charity that I am a part of has an infection of Conficker/Downadup. The computer it’s on is old and the hard drive is small and there is no room for an antivirus. But with little contact with the outside world, thought the risk was minimal.
Was first alerted when I used a USB stick to copy a file to my home computer. AVG on my computer identified it upon inserting the USB stick into the computer. I brought my laptop and via a shared c: drive over the network, I scanned the hard drive with AVG running on my laptop. AVG found the infection but had troubles eliminating it.
I found tools on both F-Secure’s website and Symantec’s website. I tried both tools. Both tools reported that they cleaned the infection. Yet seemingly a few days later, the same infection would pop-up on several different USB sticks used to test the machine. Repeated cleaning to the point where the tool said nothing was found, didn’t seem to work either because a day or two later it would reinfect the USB stick.
I recently found an uninstalled Windows update that blocks the autoplay. After running that update, it has stopped infecting USB sticks. But I no longer can trust that the machine is clean, just that the risk of infecting another computer is minimal, provided the AV product on the other networked computers continues to run.
Sadly, I think the only way to solve this one is to reformat the hard drive and start over.
(We’re a charity. If we had the funds to replace the computer, we would. It really needs more RAM and larger hard drive. I don’t really like running with no AV, even though exposure to the outside world is minimal).