"Your System Is Infected" infection [Closed]



#1 lady dedlock (New Member, 6 posts)
Hello geekstogo,

I urgently need your help. Yesterday while browsing the internet, Norton 360 started alerting me that it managed to block a trojan, then a few minutes later, some of my applications closed, and the infamous wallpaper "Your System Is Infected!" appeared on my desktop.

I didn't click on the pop-up message which asked to download anti-spyware software, as I noticed a typo in the message and knew it was fake :)

After researching the problem on the internet, I downloaded Malwarebytes, ran a scan and restarted my computer after it detected malware. However, when I restarted, Windows XP took 10 minutes to load the desktop (after the welcome screen) and the wallpaper still appeared; however, there is no further pop-up message.

I am still unable to run task manager - "Task Manager has been disabled by your administrator."

I have backed-up all my necessary data.

What else can I do? :)

EDIT: sorry for taking so long to post the OTL log - took me some time to copy the necessary files from one computer to the other.

Edited by lady dedlock, 19 January 2010 - 07:57 PM.



#2 Rorschach112 (Retired Staff, 47,710 posts)
Hi,

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Download SysRestorePoint to your desktop and unzip it to its own folder.
  • Double click SysRestorePoint.exe so that we can make a new system restore point.
  • A box will pop up after it has made a new point, usually after a few seconds. Close that window and exit the program.



Step 2: The fix


Note : Follow this step exactly as it is laid out. Do not remove anything that isn't mentioned below, for your own safety.


A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of helper32.dll or winhelper86.dll
  • Select every instance of helper32.dll or winhelper86.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.


If either file isn't there, move onto the next step anyway. Do not remove any other files that are listed !




Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="explorer.exe"
    "Userinit"="C:\\WINDOWS\\system32\\Userinit.exe,"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    
    :Files
    %HOMEDRIVE%\Internet Security 2010.lnk /s
    
    :Commands
    [purity]
    [CREATERESTOREPOINT] 
    [resethosts]
  • Then click the Run Fix button at the top
  • Let the program run unhindered; it won't take long.




1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the Avenger folder to your desktop
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to delete:
%systemroot%\System32\winlogon32.exe
%systemroot%\System32\smss32.exe
%systemroot%\System32\AVR10.exe
%systemroot%\System32\helper32.dll
%systemroot%\System32\winlogon32.exe
%systemroot%\System32\smss32.exe
%systemroot%\System32\warning.html
%systemroot%\system32\IS15.exe
%systemroot%\System32\winhelper86.dll
%HOMEDRIVE%\trhh.exe
%HOMEDRIVE%\sdigdvmg.exe
%HOMEDRIVE%\wgqi.exe
%HOMEDRIVE%\byyk.exe
%systemroot%\lsass.exe 
%systemroot%\odbn0.exe
%systemroot%\System32\sdra64.exe
%systemroot%\System32\41.exe
%systemroot%\System32\153.exe
%systemroot%\System32\292.exe
%systemroot%\system32\2876.exe
%systemroot%\System32\2995.exe
%systemroot%\System32\3902.exe
%systemroot%\System32\4827.exe
%systemroot%\System32\5436.exe
%systemroot%\System32\5705.exe
%systemroot%\System32\6334.exe
%systemroot%\System32\7376.exe
%systemroot%\System32\11478.exe
%systemroot%\System32\11942.exe
%systemroot%\system32\12662.exe
%systemroot%\System32\13931.exe
%systemroot%\system32\14070.exe
%systemroot%\System32\14604.exe
%systemroot%\System32\15724.exe
%systemroot%\System32\16827.exe
%systemroot%\System32\16944.exe
%systemroot%\system32\17125.exe
%systemroot%\System32\18467.exe
%systemroot%\System32\19169.exe
%systemroot%\system32\19905.exe
%systemroot%\system32\21386.exe
%systemroot%\system32\22934.exe
%systemroot%\System32\23281.exe
%systemroot%\system32\24242.exe
%systemroot%\System32\24464.exe
%systemroot%\system32\24478.exe
%systemroot%\System32\26308.exe
%systemroot%\System32\26500.exe
%systemroot%\System32\26962.exe
%systemroot%\system32\27213.exe
%systemroot%\System32\28145.exe
%systemroot%\system32\28466.exe
%systemroot%\System32\29358.exe
%systemroot%\System32\32391.exe
%systemroot%\System32\32439.exe
%systemroot%\system32\ndisdrv.sys
%HOMEDRIVE%\s
%systemroot%\system32\kbdsock.dll
%systemroot%\system32\mshlps.dll 

Folders to delete:
%PROGRAMFILES%\InternetSecurity2010
%systemroot%\System32\lowsec

Drivers to delete:
lmuytnv
ndisdrv

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.


Time for one final scan


Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Reboot your PC and see if the infection is gone.
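The OTL :Reg section and the LSPFix step above each undo one change: the Winlogon Shell/Userinit autostart, the DisableTaskMgr policy, and the Winsock LSP entry. The script below checks all three from a registry export so the state can be confirmed before and after the fix. It is an added example, not part of the thread or of OTL, LSPFix or Avenger. The sample export is constructed: the file names are the ones the removal script deletes, but the thread does not show the actual values written on the poster's machine. The Winsock catalog path and the allowlist of stock XP LSP libraries are assumptions about a plain XP install, and `regedit /e` is the usual way to produce the export.

```python
"""Audit a Windows XP registry export (.reg) for the Winlogon, Task Manager
policy and Winsock LSP tampering that the OTL and LSPFix steps above undo.
Added example, not from the thread: python audit_reg.py dump.reg
(export with: regedit /e dump.reg), or no argument to audit SAMPLE_REG."""
import sys

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
TASKMGR_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
CATALOG = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2"
           r"\Parameters\Protocol_Catalog9\Catalog_Entries")

# Clean XP values. Windows writes Userinit with a trailing comma; anything
# after that comma (or after explorer.exe in Shell) is an extra program that
# Winlogon launches at every logon, which is how a fake AV survives a reboot.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"
# LSP libraries shipped with XP (assumption: no third-party firewall/proxy).
# The poster's clean LSPFix list, mswsock.dll and winrnr.dll, fits this.
KNOWN_LSP = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}


def _logical_lines(text):
    """Join regedit's backslash-continued hex lines into one line each."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}. Decodes quoted
    REG_SZ and hex(2): REG_EXPAND_SZ (UTF-16LE bytes); other types stay raw."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            name, data = name.strip().strip('"'), data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif data.lower().startswith("hex(2):"):
                raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
                data = raw.decode("utf-16-le").rstrip("\x00")
            keys[current][name] = data
    return keys


def audit(keys):
    """Return human-readable findings; an empty list means clean."""
    findings = []
    wl = keys.get(WINLOGON, {})
    shell, userinit = wl.get("Shell", ""), wl.get("Userinit", "")
    if shell.lower() != EXPECTED_SHELL:
        findings.append(f"Winlogon Shell = {shell!r}, expected {EXPECTED_SHELL!r}")
    if userinit.lower() != EXPECTED_USERINIT:
        findings.append(f"Winlogon Userinit = {userinit!r}, expected {EXPECTED_USERINIT!r}")
    dtm = keys.get(TASKMGR_POLICY, {}).get("DisableTaskMgr")
    if dtm not in (None, "dword:00000000"):
        findings.append(f"Task Manager disabled by policy: DisableTaskMgr={dtm}")
    for key, values in keys.items():
        if key.startswith(CATALOG + "\\"):
            lib = values.get("LibraryPath", "")
            name = lib.rsplit("\\", 1)[-1].lower()
            if name and name not in KNOWN_LSP:
                findings.append(f"Unexpected Winsock LSP: {lib}")
    return findings


def _expand_sz(s):
    """Encode a string as regedit exports REG_EXPAND_SZ (used to build the samples)."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


# Constructed sample: the file names are the ones the removal script above
# deletes, but the thread does not show the actual values on the poster's
# machine, so this illustrates the checks rather than reproducing her registry.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{WINLOGON}]",
    r'"Shell"="explorer.exe,C:\\WINDOWS\\system32\\winlogon32.exe"',
    r'"Userinit"="C:\\WINDOWS\\system32\\Userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"',
    f"[{TASKMGR_POLICY}]", '"DisableTaskMgr"=dword:00000001',
    f"[{CATALOG}\\000000000001]",
    '"LibraryPath"=' + _expand_sz(r"%SystemRoot%\system32\mswsock.dll"),
    f"[{CATALOG}\\000000000002]",
    '"LibraryPath"=' + _expand_sz(r"%SystemRoot%\system32\helper32.dll"),
])
# What the OTL :Reg section and LSPFix leave behind on a clean machine.
CLEAN_REG = "\n".join([
    f"[{WINLOGON}]", '"Shell"="explorer.exe"',
    r'"Userinit"="C:\\WINDOWS\\system32\\Userinit.exe,"',
    f"[{CATALOG}\\000000000001]",
    '"LibraryPath"=' + _expand_sz(r"%SystemRoot%\system32\mswsock.dll"),
])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:  # regedit exports UTF-16
            text = fh.read()
    else:
        text = SAMPLE_REG
    for finding in audit(parse_reg(text)) or ["clean"]:
        print(finding)
```

Run it on an export taken before the fix and again after the reboot; the second run should print only "clean". A machine with a legitimate third-party LSP (some firewalls and parental-control products install one) will show that library as unexpected, so extend KNOWN_LSP rather than removing anything the thread's instructions do not name.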

#3 lady dedlock (Topic Starter)
Sorry for the late update, but after running MBAM again before reading your reply and re-starting, the "your system is infected" wallpaper is gone, I can now open applications and can also open task manager without the warning. The only problem is that I'm unable to connect to the internet, which I suspect is due to the initial malware issue.

Do I still follow the steps you've given me now that the circumstances have changed?

#4 Rorschach112
Yes, do my steps.

Also, does this fix your net problem?


Please go to Start > Control Panel > Network and Internet Connections > Network Connections. Then right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using dial-up, and left-click on the Properties option. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically". Click OK twice, and restart your computer.




Go to Start > Run.... In the Open: field type cmd and press the OK button. This will open a Command Prompt.
Type or copy & paste the following line into the command window:

ipconfig /flushdns

Hit Enter and exit the Command Prompt.



Go to Start, then Run.
Type in cmd and press Enter.
Type in ipconfig /release all and press Enter.
Now type in ipconfig /renew all and press Enter.
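The [resethosts] directive in the OTL script earlier and the DNS reset in this post both target name resolution, which is what breaks when a cleaned machine still shows "Problem loading page". As an added example that is not part of the thread or of any tool it names, the script below audits a hosts file for the two patterns that cause this: names redirected to another address, and security-vendor names sinkholed to loopback so updates and help sites fail. It also produces a cleaned copy with the offending lines commented out. The sample hosts content is constructed, and the default path assumes a standard XP layout.

```python
"""Audit a Windows hosts file for the two changes that leave a cleaned
machine unable to load pages: names redirected to another address, and
security-vendor names sinkholed to loopback so updates and help sites fail.
Added example, not from the thread. Usage: python audit_hosts.py [path];
with no path it reads the default XP hosts file."""
import ipaddress
import os
import sys

# Names that legitimately map to loopback on a default install.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; not a usable entry
        for name in parts[1:]:
            yield addr, name.lower()


def audit_hosts(text):
    """Return findings for entries that sinkhole or redirect names."""
    findings = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback:
            if name not in LOOPBACK_NAMES:
                findings.append(f"sinkholed: {name} -> {addr}")
        else:
            findings.append(f"redirected: {name} -> {addr}")
    return findings


def clean_hosts(text):
    """Return a copy with every flagged line commented out, so nothing is lost
    and a legitimate override can be put back by hand."""
    out = []
    for raw in text.splitlines():
        out.append("# removed by audit: " + raw if audit_hosts(raw) else raw)
    return "\n".join(out) + "\n"


# Constructed sample; the non-loopback addresses are RFC 5737 documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       liveupdate.symantec.com
203.0.113.5     www.google.com
198.51.100.9    www.bing.com  # trailing comment, entry still parsed
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(
        r"%SystemRoot%\system32\drivers\etc\hosts")
    with open(path) as fh:
        content = fh.read()
    for finding in audit_hosts(content) or ["clean"]:
        print(finding)
    sys.stdout.write(clean_hosts(content))
```

Any loopback entry other than localhost is reported, which is deliberate: a stock XP hosts file contains only the localhost line, so a vendor or update site pointing at 127.0.0.1 is the sinkhole that stops the cleanup tools from updating. If a hosts entry was added on purpose, uncomment it in the cleaned copy before writing it back.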

#5 lady dedlock (Topic Starter)
In your first reply under Step 2 you said: "In the Keep box you should see one or more instances of helper32.dll or winhelper86.dll"

I've just run LSP-Fix and the only files I can see under "Keep" are:

- mswsock.dll
- winrnr.dll

That's all; none of the 2 that you mentioned :)

#6 Rorschach112
Then skip that step, like it says.

#7 lady dedlock (Topic Starter)
Ah, my bad, I'm sorry for not reading it properly. It's been a struggle switching between computers since the problem one can't access the internet.

I've completed all the removal steps you advised and it seems that it's been cleared, however the desktop is still taking a while to load after the welcome screen. I'm not sure if this is related; it might just be my computer that's slow.

I'm also still unable to connect to the internet - when I try to pull up web pages it just says "Problem loading page". Should I post my internet problem in another thread?

#8 Rorschach112
Does this fix your net?

Do you have a valid XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
  • Click on Start and select Run... type sfc /scannow (note the space) (Let this run undisturbed until the window with the blue progress bar goes away)

SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
If you want to see what was replaced, right-click My Computer and click on Manage. In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.



Boot from the Windows XP installation CD.

At the "Welcome to Setup" screen, press R to start Recovery Console. Choose the installation to be repaired by number (usually 1) and press "Enter".

When you are asked for the Administrator password, leave it blank and press "Enter".

At the command prompt, type chkdsk /r and press "Enter". (Note the space before /r) The disk check operation will start.

This will be a very thorough check of the hard drive and the file system...be patient and let it complete. It may appear to hang or even back up a few times...this is normal. 60 to 90 minutes is not unusual for this check...it may take longer in some cases.

Once the check completes and you are back at the command prompt, type exit and press "Enter". Let your computer boot normally to Windows.

#9 Rorschach112
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.