PC Doctor WI

  • Location
    Wisconsin, USA
  1. I dealt with this a few weeks back on a client's computer. Same symptoms. During troubleshooting, I found that the DHCP Service was off, and would not start, no matter what I tried. It turns out that the malware had infected a file called "netbt.sys" and removed portions in the registry associated with the NetBTService. Somehow, with the malware installed, the Internet connection continued to work. When the infected file was found and quarantined by another a/v, it left the NetBT service broken, thus no Internet connection, although everything in the network path looked correct. Restoring the infected file did not help, and installing a new copy of the file did not help. The missing registry keys had to be rebuilt, in addition to replacing the netbt.sys file. I was lucky to be able to rebuild the missing registry keys from a registry backup the user had on the system. Once I did this, everything worked again. It would have been much easier to simply reinstall Windows, but I was determined to figure this one out, and my client did not mind me keeping her computer for a while. It took compiling info from multiple website forums to find the solution, but if anyone just cannot reinstall Windows, drop me a line and I can head you in the right direction. (Note: even with the solution, it is difficult to fix.)
  2. I'm working to remove this from a client's computer as I type this. At least in this instance, XP Home Security 2011 has turned out to be pretty nasty. This started last night with the pop-ups that others have mentioned. Unfortunately, my client panicked and actually paid the $59.95 charge via a credit card. He then had second thoughts and decided to call me for an opinion. Seeing the XP Home Security 2011 name, I instantly knew it was a rogue. Below is a listing of what I have found before attempting removal:

     1) I was able to log into his computer via TeamViewer with no problem.
     2) XP Home Security icon runs in the taskbar.
     3) The ".exe" file associations for the Firefox and IE web browsers had been broken, so they would not start. Strangely, it did not seem to affect any other programs at that time.
     4) The rogue's executable file is eft.exe.
     5) Blocks some security software from starting.
     6) On VirusTotal.com, only 5 of 43 antivirus/antispyware products detected eft.exe as of May 13, 2011. SUPERAntiSpyware was one of them.

     A couple of additional details about XP Home Security 2011:

     7) In this case, it was downloaded from hyvinusys(dot)com. (I was not able to determine what website had this redirect on it.)
     8) The charge card was billed from Win Micro Clean in Arizona, USA.

     I then ran a QuickScan using SAS. It found the rogue and the broken .exe association. I let SAS remove them and rebooted the computer. The following is what I found after reboot:

     9) XP Home Security 2011 had been removed.
     10) ALL of the .exe associations were now broken. There were now no programs that would start. (Although TeamViewer would still autostart. Interesting.) Any program I attempted to start would cause a Windows box to open asking what program I wanted to use to start that program.
     11) Avast Antivirus would not autostart.
     12) Recreating the EXE file association using Folder Options did not fix this problem.
     13) I attempted to try System Restore, but it would not start.
     14) Regedit would not start.

     Further searching and troubleshooting found the following:

     15) A work-around for running programs:
         A) Right-click on a program icon.
         B) From the sub-menu select "Run As".
         C) From the Run As window that opens, uncheck "Protect my computer and data from unauthorized program activity", and click OK.
         D) The program should now run. Unfortunately, this is not permanent, so further repairing is necessary.
     16) Using the above work-around I was able to run System Restore, and restored the computer to the day before the rogue was installed. After the restore, all programs started and ran without trouble. It appears that everything is good again.

     My client contacted his credit card company and stopped the charge. He also requested a change of account and new cards.
  3. Hi Alice, I've just dealt with this same problem today, for the first time. It was on an older Dell laptop running WinXP. I am not absolutely certain that the following actually solved the problem, but this is all I did via a remote session, and the error message about SAS not being able to shut down did not reappear: In SAS's preferences, select the Hi-Jack Protection tab. Uncheck the box for "Protect home page from being changed. Changes can be made only here." Of course, this assumes the above mentioned checkbox is currently checked. Mike
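
For the broken .exe associations described in the XP Home Security 2011 post above, the following is an added example (not from the original posts or from any tool they mention) that checks a regedit text export for a redirected .exe handler. It assumes the Windows defaults `exefile` and `"%1" %*`, treats any per-user override under HKEY_CURRENT_USER as a finding, and runs on constructed sample data with a placeholder path and a hypothetical ProgID `xyz`.

```python
import re

# Windows defaults for launching .exe files (assumed baseline for this check).
EXPECTED_PROGID = "exefile"
EXPECTED_COMMAND = '"%1" %*'
# Per-user classes take precedence over machine-wide ones, so check them first.
ROOTS = (r"hkey_current_user\software\classes", r"hkey_local_machine\software\classes")

# Constructed sample export: machine defaults intact, per-user override added.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="xyz"
[HKEY_CURRENT_USER\Software\Classes\xyz\shell\open\command]
@="\"C:\\placeholder\\rogue.exe\" \"%1\" %*"
'''

def parse_defaults(text):
    """Map each key path (lower-cased) in .reg export text to its default string value."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'^@="((?:[^"\\]|\\.)*)"$', line)):
            # Undo .reg escaping (\" and \\) to recover the stored string.
            defaults[key] = re.sub(r"\\(.)", r"\1", m.group(1))
    return defaults

def check_exe_association(text):
    """Return findings about the .exe handler chain; an empty list means defaults."""
    defaults, findings = parse_defaults(text), []
    for root in ROOTS:
        progid = defaults.get(root + r"\.exe")
        if progid is None:
            continue
        if root.startswith("hkey_current_user"):
            findings.append(f"per-user .exe override present (ProgID {progid!r})")
        elif progid != EXPECTED_PROGID:
            findings.append(f".exe maps to {progid!r}, expected {EXPECTED_PROGID!r}")
        cmd = defaults.get(f"{root}\\{progid.lower()}\\shell\\open\\command")
        if cmd is not None and cmd != EXPECTED_COMMAND:
            findings.append(f"{progid} open command is {cmd!r}")
    return findings
```

The input is the decoded text of an export; on a machine where Regedit will not start, the hive would have to be exported from another environment first.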