[rld123]

Hello. My computer is infected with the "Your system is infected" malware. The desktop is green with a back box containing the red text "YOUR SYSTEM IS INFECTED" with some additional wording about the system being stopped. I have read various threads about this and there doesn't seem to be a one-size-fits all approach, so I decided to start a new thread. When this whole thing started McAfee popped up and said it blocked a bunch of changes to the registry, but that apparently didn't work.

I am unable to open the task manager or do anything meaningful with McAfee. The McAfee scan shows 1 item found, but when I click on it it crashes the program. I have the red circle with a white X that keeps popping up asking me to "use special spyware tools to pevent data loss". I also can not access my Windows Restore so I can't try to go back nor can I disable the restore functionality. I have no internet connection available. The other issue is that when I reboot I get a message saying that my system is intected with Worm.Wind32.NetSky. I downloaded a NetSky removal tool from Symantec on another computer and ran it. The tools reports that NetSky was not found. I also periodically get a message box that says my system is infected. The system hangs whenever I try to shut it down and I can not start the system in safe mode because I get a blue screen saying there is a system error.

I have been to the Malware and Spyware Cleaning Guide page. I ran TFC and it was mostly successful. The only issue was that the system hung while trying to shut down (waited 5 minutes) so I powered the system off and on. After the system powered on, the problems remained. I successfully ran ERUNT and then I installed Anti-Malware and told it lauch automatically from the set up. It came back with a somewhat legit looking error that the file couldn't be found. All of the shortcuts (desktop and the start menu) point to 'mbam.exe'. That file does not exist. The only exe files in the Anti-Malware folder are 'mbamgui.exe' and 'mbamservice.exe'. I tried running 'mbamgui.exe' and I get an hourglass for a few seconds and then nothing. I tried running GMER but the system ran out of memory (yet another symptom) before the scan completed. I have not run OTL because I am not sure how to generate a log and get it onto this site without compromising a clean system.

What is the next step?

Thanks in advance for your help.

BTW...is there an 'offical' name for this insidious beast? I would like to use a proper name when sitting at my desk cursing.

EDIT: (01/12/09 4:55 PM) When I posted this message I had not rebooted the system after GMER failed. After rebooting I only see the desktop after logging in. This no taskbar and the system does not respond to CTRL-ALT-DEL or CTRL-SHIFT-ESC. I tried using the ERUNT backup with the instructions at the end of this thread: http://www.geekstogo...ed-t262978.html, but I still can not log in successfully.

Edited by rld123, 10 January 2010 - 04:15 PM.

[Advertisements]

Well, I finally got my system up and running again today. I was kind of out in the weeds once I started getting kicked out as soon as I logged in and was unable to enter safe mode. I was in the situation where I couldn't run any tools and the Windows Recovery mode was not sufficient because my ERUNT backup was comprimised. If you find yourself in that desperate situation, you may want to try this before wiping the drive. However, I should say that I think the the technique is fairly advanced and can easily kill your system if you do it incorrectly. I am not one of the experts on this site, so make sure you read about this technique very carefully before you use it because I am not providing a step-by-step guide like the those guys do. They are the experts and I will leave the detailed explanations to them. Hopefully somebody will come across this post and find something useful, even if it is only a keyword to use in the searching. Remember, Google is your friend.

My first step was to make a PE (Preinstalled Environment) disk using Bart's PE Builder. That allowed me to at least access the C drive. Once I did that, I was able to load my user and local machine registry hives and start pulling out the offending registry entries and manually deleting the dlls because the dlls weren't in use and no malware was monitoring for changes to the registry. I occasionally have to play with the registry for my job so I knew the basics and the system was already hosed, so I wasn't too worried about making things worse. I used this site as a guide http://oreilly.com/w...p-programs.html to look for all of the places where the programs that were causing the problems could be hiding. Once I went through those very carefully, I unloaded the hives and deleted the registry change logs just to be paranoid. After a few tries/reboots and missing an entry here and there, I was able to get the system running without the malware running. I then used the tools recommended by this site to clean up a few things I missed. I did have to go back to using the PE disk to clean up one entry and dll that nothing else could kill. Basically one app was crashing and deadlocking some other parts of Windows that are loaded late in the logon process. Once that was done, my final issue was that the internet access was down. The weird part was that I could ping anything I wanted, I just couldn't browse the web. Finally remembering that Google is my friend, I did some researching on what was happening in the event logs and realized that the malware had installed a Winsock hook. When I cleaned up the system after I was able to logon, the dll used for the hook was deleted and that left a hole in my LSP chain. I used LSP-Fix to take care of that, which was rather scary considering all of the warnings and talk of rebuilding the entire system, and I was able to get to the internet. Now that I have everything up and running, I think I will follow the steps that the experts on this forum recommend after they help someone fix this problem. I hope this post helps someone.

[rld123]

Well, I finally got my system up and running again today. I was kind of out in the weeds once I started getting kicked out as soon as I logged in and was unable to enter safe mode. I was in the situation where I couldn't run any tools and the Windows Recovery mode was not sufficient because my ERUNT backup was comprimised. If you find yourself in that desperate situation, you may want to try this before wiping the drive. However, I should say that I think the the technique is fairly advanced and can easily kill your system if you do it incorrectly. I am not one of the experts on this site, so make sure you read about this technique very carefully before you use it because I am not providing a step-by-step guide like the those guys do. They are the experts and I will leave the detailed explanations to them. Hopefully somebody will come across this post and find something useful, even if it is only a keyword to use in the searching. Remember, Google is your friend.

My first step was to make a PE (Preinstalled Environment) disk using Bart's PE Builder. That allowed me to at least access the C drive. Once I did that, I was able to load my user and local machine registry hives and start pulling out the offending registry entries and manually deleting the dlls because the dlls weren't in use and no malware was monitoring for changes to the registry. I occasionally have to play with the registry for my job so I knew the basics and the system was already hosed, so I wasn't too worried about making things worse. I used this site as a guide http://oreilly.com/w...p-programs.html to look for all of the places where the programs that were causing the problems could be hiding. Once I went through those very carefully, I unloaded the hives and deleted the registry change logs just to be paranoid. After a few tries/reboots and missing an entry here and there, I was able to get the system running without the malware running. I then used the tools recommended by this site to clean up a few things I missed. I did have to go back to using the PE disk to clean up one entry and dll that nothing else could kill. Basically one app was crashing and deadlocking some other parts of Windows that are loaded late in the logon process. Once that was done, my final issue was that the internet access was down. The weird part was that I could ping anything I wanted, I just couldn't browse the web. Finally remembering that Google is my friend, I did some researching on what was happening in the event logs and realized that the malware had installed a Winsock hook. When I cleaned up the system after I was able to logon, the dll used for the hook was deleted and that left a hole in my LSP chain. I used LSP-Fix to take care of that, which was rather scary considering all of the warnings and talk of rebuilding the entire system, and I was able to get to the internet. Now that I have everything up and running, I think I will follow the steps that the experts on this forum recommend after they help someone fix this problem. I hope this post helps someone.