
KevinLA

18 May 2010, 3:22 pm

I had the Antivirus soft virus on my computer and was able to remove it (most of it anyway) using Malwarebytes.

http://www.bleepingcomputer.com/virus-r ... virus-soft

I am having some issues after Antivirus soft virus is removed:

1> IE 8 does not work without a proxy server. When I go into options and "Use a proxy server for your LAN", it does work. I would rather use a proxy server.


2> In order to remove the folder, I needed to go into msconfig/Startup and disable the virus before it started so I could run Malwarebytes. After running Malwarebytes, the file was still in the Startup list.

The file is:

qvxdpoktssd. The command is located in the folder "lctahartv" which is located in the Application Data folder.

The location is: SOFTWARE\Microsoft\Windows\current version\run. I go into regedit, but cannot find it.

When I start Windows now, I receive the following message:

"You have used the System Configuration Utility to make changes to the way
Windows Starts.

The System Configuration Utility is currently in Diagnostic or Selective
Startup mode, causing this message to be displayed and the utility to run
every time Windows Starts.

Choose the Normal Startup mode on the General tab to start Windows normally."



Last edited by KevinLA on 18 May 2010, 4:10 pm, edited 1 time in total.

CloudWalker

18 May 2010, 3:51 pm

Is the file %AppData%\lctahartv\qvxdpoktssd.exe still there? If so, the malware is still there and you'll need to follow Malwarebytes' instructions more closely.

The "You have used the System Configuration Utility to make changes to the way
Windows Starts" message is normal after using msconfig. You either switch back to normal booting (which should be safe if the .exe is already deleted) or you tick the checkbox that tells it not to show it again.



KevinLA

18 May 2010, 4:16 pm

CloudWalker wrote:
Is the file %AppData%\lctahartv\qvxdpoktssd.exe still there? If so, the malware is still there and you'll need to follow Malwarebytes' instructions more closely.

The "You have used the System Configuration Utility to make changes to the way
Windows Starts" message is normal after using msconfig. You either switch back to normal booting (which should be safe if the .exe is already deleted) or you tick the checkbox that tells it not to show it again.




I use the path shown for the qvxdpoktssd.exe file, but it is not in the "lctahartv" folder.

"C:\Documents and Settings\Kevin\Local Settings\Application Data\lctahartv"

Could the file be hidden? Is it safe to delete that folder? If I delete that folder, will that file go away?

When I do a search for that file, it does find a variation of the file with the name:

QVXDPOKTSSD.EXE-2F831474.pf

It is located in the folder C:\Windows\Prefetch



CloudWalker

18 May 2010, 4:28 pm

KevinLA wrote:
Is it safe to delete that folder? If I delete that folder, will that file go away?

It should be safe and it's a good way to make sure the file is gone too.

"C:\Windows\Prefetch\QVXDPOKTSSD.EXE-2F831474.pf" is safe to delete too. The files in C:\Windows\Prefetch are created by Windows, they store the list of files opened by a program when it's launched. It's used by defrag to optimize file location. Vista also used it to fill the cache at idle.



idunnosmile

18 May 2010, 4:52 pm

I picked up the same malware while researching the other day. What I had to do was start Windows (XP) in Safe Mode and then do a scan with AVG, followed by a scan with Spybot for good measure. I'm not an expert, but this worked for me.



KevinLA

19 May 2010, 1:17 am

I deleted all those folders/files mentioned above. I restarted the computer, and it still appears on the startup list. If I do "normal" under msconfig, will the virus still activate?

Is this why IE 8 will not run unless I remove the check mark from the proxy server?

Is my computer less secure not using a proxy server?

I am on a home network. In the settings on IE 8 under Internet Options > Connections > LAN Settings > Proxy server, the box next to "Use a proxy server for your LAN" is not checked.



CloudWalker

19 May 2010, 7:17 pm

KevinLA wrote:
I deleted all those folders/files mentioned above. I restarted the computer, and it still appears on the startup list. If I do "normal" under msconfig, will the virus still activate?

Do you mean the "System Configuration Utility..." dialog? That will always show up if you've removed startup items with msconfig. Actually there's a checkbox to make it stop showing, but unless you want to disable other programs, you can just switch back to normal startup. If the virus is removed, then it won't load even if you switch back. That will however leave an orphan entry in the registry. You can use regedit to remove that from the startup key.

KevinLA wrote:
Is my computer less secure not using a proxy server?

Basically, using a proxy means that instead of connecting directly to the site you visit, you ask the proxy to do it for you. So the answer depends on what proxy you are using. But first why are you using a proxy? Is it local or remote? Who told you to use it and who set it up for you?

KevinLA wrote:
Is this why IE 8 will not run unless I remove the check mark from the proxy server?

Well, r u sure the proxy is reachable?
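
An added example, not part of the original thread: a read-only PowerShell check for the orphan startup entry and the proxy setting discussed above. It assumes the standard Run keys plus the key where msconfig on Windows XP/Vista/7 keeps items unticked on its Startup tab; the function names are illustrative.

```powershell
# Added example: read-only audit of startup entries and the IE proxy setting.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: msconfig on XP/Vista/7 keeps Run entries unticked in its Startup tab here
$msconfigKey = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-CommandTarget([string]$Command) {
    # Extract the executable path from a Run-style command line
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function New-StartupReport([string]$Key, [string]$Name, [string]$Command) {
    $target = Get-CommandTarget $Command
    # Bare names such as "rundll32.exe" cannot be checked with Test-Path; flag them instead
    if ($target -notmatch '^[A-Za-z]:\\') { $state = 'not a full path, check by hand' }
    elseif (Test-Path -LiteralPath $target) { $state = 'file present' }
    else { $state = 'ORPHAN: file missing' }
    New-Object PSObject -Property @{ Key = $Key; Name = $Name; Target = $target; State = $state }
}

$report = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $k = Get-Item $key
    foreach ($name in $k.GetValueNames()) {
        $report += New-StartupReport $key $name ([string]$k.GetValue($name))
    }
}
if (Test-Path $msconfigKey) {
    foreach ($sub in Get-ChildItem $msconfigKey) {
        # Each disabled item is a subkey; its "command" value holds the original command line
        $report += New-StartupReport $sub.Name $sub.PSChildName ([string]$sub.GetValue('command'))
    }
}
$report | Format-List Name, State, Target, Key

# Values behind the "Use a proxy server for your LAN" checkbox
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
'ProxyEnable = {0}; ProxyServer = {1}' -f $inet.ProxyEnable, $inet.ProxyServer
```

An entry that msconfig has disabled is listed under the MSConfig key rather than under the Run key, so searching only the Run key in regedit will not show it. The script changes nothing; any entry reported as ORPHAN can then be reviewed and removed by hand.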