
'Internet Security 2010' Virus - Help Needed

  • 17-01-2010 3:14pm
    #1
    Registered Users, Registered Users 2 Posts: 111 ✭✭


    Last night, after clicking on a link to a boxing website, a strange pop-up appeared on my lower task bar. It suggested my system was infected; then a 'program' I've never downloaded called 'Internet Security 2010' appeared and ran a 'scan'. Also, it changed my desktop background to a badly spelled and worded warning. Obviously, I've picked up some malware.

    So I followed the instructions laid out in the main sticky. I also referred to a recent thread by someone who appeared to have the same virus.

    I downloaded comedian.exe but when I tried to run it it wouldn't work.

    Referring to the other thread, I saw that the author had the same trouble - also reporting that when he tried to run the other programs suggested on the sticky that they didn't work.

    So I skipped straight ahead to downloading and running SuperAntiSpyware.

    It ran a scan for 4 hours and detected 342 threats. I followed the instructions to the letter and when the scan was complete I quarantined the threats and rebooted the computer.

    HOWEVER, when the computer came back on a text appeared which said something to the effect of "there has been a security breach - you will need to check your system or run it in safe mode". When I let it choose the default option another text appeared and wouldn't let me proceed to the desktop.

    I then chose the "safe mode" - further text appeared and when finally the computer loaded I was back to square one. Before I can get onto the desktop now a pop up appears with the title "Security Alert!" - "Worm.Win32.NetSky detected on your machine..." etc.

    Any ideas re what went wrong?

    Tips for moving forward and getting this thing off my system?

    And can it affect the files and documents I have saved onto my desktop? I have some really important work docs there and I need to get them off in one piece.

    Any and all suggestions appreciated. Sorry for length of thread.


Comments

  • Registered Users, Registered Users 2 Posts: 92 ✭✭jolsen


    These instructions should get rid of it.

    Your documents should be fine, but if you're worried, make some backups.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    hi

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [screenshot: RcAuto1.gif]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [screenshot: whatnext.png]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • Registered Users, Registered Users 2 Posts: 111 ✭✭MCMT


    Cheers. I'll give it a try later and let you know if I have any success.

    Right now I'm running the system in safe mode. There's still an initial pop-up which I need to click before the desktop loads, and one which pops up when the desktop is up and running. Otherwise the 'Internet Security 2010' has stopped popping up. It appears to have been quarantined with a bunch of other stuff (trojans etc.) so I'm surprised I'm still having these problems.

    I'll let you know how I get on anyway.


  • Registered Users, Registered Users 2 Posts: 111 ✭✭MCMT


    Also, forgot to ask:

    Is it any use looking through the log produced by SuperAntiSpyware?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    do this instead, no need for that log

    Hi

    Looking at your system now, one or more of the identified infections is a backdoor Trojan.

    If this computer is ever used for on-line banking, I suggest you do the following immediately:

    1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

    2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.





    Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe



    Download SysRestorePoint to your desktop and unzip it to its own folder.
    • Double click SysRestorePoint.exe so that we can make a new system restore point.
    • A box will pop up after it has made a new point, usually after a few seconds. Close that window and exit the program.



    Please download OTM
    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      :Processes
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [Reboot]
      
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



    A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
    1. Please download LSPFix from here.
    2. Run the LSPFix.exe that you have just finished downloading.
    3. Check the I know what I'm doing box.
    4. In the Keep box you should see one or more instances of helper32.dll
    5. Select every instance of helper32.dll and move each one to the Remove box by clicking the >> button.
    6. When you are done click Finish>>.


    If that file isn't there, move onto the next step




    Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt ( Will be created in the directory where you ran exeHelper.com )
    Note : If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together ( they will both be in the one file ).




    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the Avenger folder to your desktop
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
    Begin copying here:
    Files to delete:
    %systemroot%\System32\winlogon32.exe
    %systemroot%\System32\smss32.exe
    %HOMEDRIVE%\Internet Security 2010.lnk
    %systemroot%\System32\AVR10.exe
    %systemroot%\System32\helper32.dll
    %systemroot%\System32\winlogon32.exe
    %systemroot%\System32\smss32.exe
    %systemroot%\System32\warning.html
    %systemroot%\system32\IS15.exe
    %systemroot%\System32\winhelper86.dll
    %USERPROFILE%\DESKTOP\Internet Security 2010.lnk
    %HOMEDRIVE%\trhh.exe
    %systemroot%\System32\41.exe
    %systemroot%\System32\153.exe
    %systemroot%\System32\292.exe
    %systemroot%\system32\2876.exe
    %systemroot%\System32\2995.exe
    %systemroot%\System32\3902.exe
    %systemroot%\System32\4827.exe
    %systemroot%\System32\5436.exe
    %systemroot%\System32\5705.exe
    %systemroot%\System32\6334.exe
    %systemroot%\System32\7376.exe
    %systemroot%\System32\11478.exe
    %systemroot%\System32\11942.exe
    %systemroot%\system32\12662.exe
    %systemroot%\System32\13931.exe
    %systemroot%\system32\14070.exe
    %systemroot%\System32\14604.exe
    %systemroot%\System32\15724.exe
    %systemroot%\System32\16827.exe
    %systemroot%\System32\16944.exe
    %systemroot%\system32\17125.exe
    %systemroot%\System32\18467.exe
    %systemroot%\System32\19169.exe
    %systemroot%\system32\19905.exe
    %systemroot%\system32\21386.exe
    %systemroot%\system32\22934.exe
    %systemroot%\System32\23281.exe
    %systemroot%\system32\24242.exe
    %systemroot%\System32\24464.exe
    %systemroot%\system32\24478.exe
    %systemroot%\System32\26308.exe
    %systemroot%\System32\26500.exe
    %systemroot%\System32\26962.exe
    %systemroot%\system32\27213.exe
    %systemroot%\System32\28145.exe
    %systemroot%\system32\28466.exe
    %systemroot%\System32\29358.exe
    %systemroot%\System32\32391.exe
    %systemroot%\System32\32439.exe
    %systemroot%\system32\ndisdrv.sys
    
    Drivers to delete:
    ndisdrv
    Folders to delete:
    %PROGRAMFILES%\InternetSecurity2010
    %systemroot%\System32\lowsec
    

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply



    tell me how it's running
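    As an added illustration (not the thread's own tooling, and nothing ActorSeeksJob posted): a small Python triage helper that parses an Avenger-style script like the one above and groups its "Files to delete:" entries into the two families that script lists, the named Internet Security 2010 components and the randomly numbered droppers in System32, while flagging duplicate entries such as the repeated winlogon32.exe line. The sample script, the function names and the family labels are constructed for this example.

```python
import re
from collections import Counter

# Component names the thread's Avenger script removes (taken from the page).
KNOWN_COMPONENTS = {
    "winlogon32.exe", "smss32.exe", "avr10.exe", "helper32.dll", "winhelper86.dll",
    "is15.exe", "warning.html", "ndisdrv.sys", "trhh.exe", "internet security 2010.lnk",
}
# The randomly numbered droppers the script lists, e.g. 41.exe or 29358.exe.
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)

def parse_avenger_script(text):
    """Split an Avenger script into its '<something> to delete:' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^(.+?) to delete:$", line, re.IGNORECASE)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def classify(path):
    """Label one path by the indicator family it belongs to."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in KNOWN_COMPONENTS:
        return "known-component"
    if NUMERIC_EXE.match(name):
        return "numeric-dropper"
    return "unrecognised"

def triage(text):
    """Section sizes, family counts and duplicate file entries for a script."""
    sections = parse_avenger_script(text)
    files = sections.get("files", [])
    families = Counter(classify(p) for p in files)
    seen = Counter(p.lower() for p in files)
    duplicates = sorted(p for p, n in seen.items() if n > 1)
    return {"sections": {k: len(v) for k, v in sections.items()},
            "families": dict(families), "duplicates": duplicates}

# Constructed subset of the thread's script, with one deliberate duplicate.
SAMPLE = r"""Files to delete:
%systemroot%\System32\winlogon32.exe
%systemroot%\System32\smss32.exe
%systemroot%\System32\helper32.dll
%systemroot%\System32\winlogon32.exe
%systemroot%\System32\41.exe
%systemroot%\system32\2876.exe
%systemroot%\system32\ndisdrv.sys

Drivers to delete:
ndisdrv
Folders to delete:
%PROGRAMFILES%\InternetSecurity2010
%systemroot%\System32\lowsec
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```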


  • Registered Users, Registered Users 2 Posts: 7,032 ✭✭✭homerun_homer


    I've the same problem as OP (or my sister does and I'm looking after it) and tried the initial steps in the first link but it's not fully successful. Let me know if I should start a new topic or if I can keep posting in this one. Here is the OTM log file:

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: orl
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes

    User: Owner

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    OTM by OldTimer - Version 3.1.6.0 log created on 01182010_235646

    Files moved on Reboot...

    Registry entries deleted on Reboot...


  • Registered Users, Registered Users 2 Posts: 7,032 ✭✭✭homerun_homer


    exeHelper by Raktor
    Build 20091220
    Run at 00:07:15 on 01/19/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Deleting file C:\WINDOWS\system32\41.exe
    Error deleting C:\WINDOWS\system32\41.exe - Set for removal on reboot - PLEASE REBOOT
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    can you start a new topic please homer, easier for me


  • Registered Users, Registered Users 2 Posts: 111 ✭✭MCMT


    Apologies for delay replying.

    The malware has cut off the internet connection on my system so I've been unable to follow your instructions. I'm having someone look at it. But thanks v much for all your help Actor.

