can't click start menu

[Kratt]

think I have some virus. there was a popup wanting me to buy some software, which I got rid of, and deleted a rogue avp.exe file and strange folder in \program files\
Deleted these from registry run keys.
but still something wrong, PC very slow, can't click anything on taskbar, and gf who (still) insists on using IE (it's her PC) finds it v.slow.
Found some links on google saying it could be this or that, but can't find a 'cleaner' or instructions for it?:cry2:

 

[bigperm]

Have you tried anti-virus software? That's step number one if you think you have a virus.

 

[Kratt]

AV can't find it. In fact I've found the 2(?) files responsible. Problem is they are 'in use' by winlogon.exe and lsass.exe, both system files. I can't delete them.
Autoruns by sysinternals shows them. Tried to delete the startups, but the winlogon.exe and lsass.exe recreates them every second, as shown by processmon.
Safe mode doesn't help as winlogon.exe and lsass.exe is running even in basic command line only.
No system restore points prior to those files strangely.

 

[Decker]

Your going to have to do it by hand, you need to find the key that keeps recreating them first in the registry, find the trigger file then all the other 'bits' - basically you need to kill the parent virus to stop it respawning.

What messages does your AV throw up?

 

[Kratt]

AV shows nothing, adaware etc shows nothing.

In the end stopped it using recovery console command line.
Disturbed that Safe mode is no longer 'safe' nowadays...

 

[Decker]

In the end stopped it using recovery console command line.
Disturbed that Safe mode is no longer 'safe' nowadays...

So is it fixed :eek3:

 

[Kratt]

It seems mostly fixed. But PC very slow. Sometimes explorer takes 20-30s open new folder. Lots of HD activity sometimes when nothing should be doing anything.

And sometimes, can't click start menu again. Checking autoruns shows nothing.

 

[Kratt]

Also, maybe not related, but fonts stuffed. eg Task manager, the headers instead of 'user name' it would say 'us*****me' where the * seem to be taking characters from wingding or symbol. Seems like fonts corrupted?

 

[TSO]

^^ The only way to get rid of this is to reformat. It sounds like you have some form of this ( http://www.spywareguide.com/spydet_2731_winantivirus.html ), which comes in many forms, some of which are very destructive and impossible to remove.

 

[Schmarvin]

Try this:
http://www.safer-networking.org/

Go there and download Spybot: Search & Destroy. Its excellent for removing spyware.

 

[TSO]

^^ Ah, yes, but it does not remove WinAntivirus. (...if that's the problem). In fact, Norton has a tool that appears to remove WinAntivirus, but it only "hides" for 20 minutes and re-appears. It truly is the malware from hell.

 

[Kratt]

well did reformat. :|

 

[iBrightDev]

sounds like a virus i dealt with a couple months back on a clients computer. it had infected so much of the system files that no anti-virus could fully remove it, so, i went for the manual removal, and it had just corrupted to much. ended up having to format and re-load windows os. good luck