How to remove Internet Security

#1 Rorschach112 (Retired Staff)
How to remove "Internet Security" aka trojan spm/lx, worm.win32.netsky


Some signs you may have this infection are if the following entries are present in your OTL log:


O4 - HKLM..\Run: [smss32.exe] C:\Windows\System32\smss32.exe (qMrFQuSlWMRGzyuJqaKcd)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\helper32.dll ()
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\winlogon32.exe) - C:\Windows\System32\winlogon32.exe (qMrFQuSlWMRGzyuJqaKcd)


Or if you have any of the following files/folders:

C:\Program Files\InternetSecurity2010
%UserProfile%\Desktop\Internet Security 2010.lnk << this is a shortcut on your desktop
C:\windows\System32\helper32.dll
C:\windows\System32\winlogon32.exe
C:\windows\System32\smss32.exe
C:\windows\System32\warning.html
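To help triage an OTL or MBAM log against the indicators listed above (and the lowsec folder noted under Step 1, which points to the password-stealing variant), here is a small checker. It is an added example, not part of the original post or of OTL: the indicator list, the `userinit-hijack` rule (which generalises the O20 entry above to any UserInit value that is not userinit.exe) and the sample log lines are constructed for illustration.

```python
import re

# File and folder names taken from the guide above; order matters for
# deterministic matching, so a tuple rather than a set.
INDICATORS = (
    "smss32.exe", "winlogon32.exe", "helper32.dll", "warning.html",
    "internetsecurity2010", "internet security 2010.lnk", "lowsec",
)
CRED_THEFT_MARKER = "lowsec"  # variant known to steal passwords (see Step 1)

# OTL report lines look like "O4 - HKLM..\Run: [name] path (company)"
OTL_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def classify_line(line):
    """Return (line_type, indicator) if the line matches, else None."""
    m = OTL_LINE.match(line.strip())
    line_type, body = (m.group(1), m.group(2)) if m else ("raw", line.strip())
    body_lower = body.lower()
    for ind in INDICATORS:
        if ind in body_lower:
            return (line_type, ind)
    # Assumed rule: a Winlogon UserInit value not pointing at userinit.exe
    # is treated as a hijack even if the file name is not in the list.
    if line_type == "O20" and "userinit" in body_lower and "userinit.exe" not in body_lower:
        return (line_type, "userinit-hijack")
    return None


def scan_log(text):
    """Summarise a whole log: matching lines, infection and credential-theft flags."""
    hits = [h for h in (classify_line(l) for l in text.splitlines()) if h]
    return {
        "hits": hits,
        "infected": bool(hits),
        "credential_theft_risk": any(ind == CRED_THEFT_MARKER for _, ind in hits),
    }


# Constructed sample: the three entries from the guide plus one clean O4 line.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM..\Run: [smss32.exe] C:\Windows\System32\smss32.exe (qMrFQuSlWMRGzyuJqaKcd)",
    r"O4 - HKLM..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe (Microsoft Corporation)",
    r"O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\helper32.dll ()",
    r"O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\winlogon32.exe) - C:\Windows\System32\winlogon32.exe (qMrFQuSlWMRGzyuJqaKcd)",
])

if __name__ == "__main__":
    for line_type, ind in scan_log(SAMPLE_LOG)["hits"]:
        print(f"{line_type}: {ind}")
```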


Let's get on to removing the infection now.



Step 1: Safety precautions



Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference.


Some variations of this infection are known to steal passwords and other login information, usually indicated by this entry, which will show up in your OTL/MBAM log:

C:\windows\System32\lowsec


As a result, you should follow this precaution.



If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.



Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Download SysRestorePoint to your desktop and unzip it to its own folder.
  • Double click SysRestorePoint.exe so that we can make a new system restore point.
  • A box will pop up after it has made a new point, usually after a few seconds. Close that window and exit the program.

Note: If ERUNT or SysRestorePoint fail to work, move on to the next step anyway.



Step 2: The fix



If you experience difficulties connecting to the internet after following all the steps in the fix, there is a possible solution for that at the end which you should try.


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="explorer.exe"
    "Userinit"="C:\\WINDOWS\\system32\\Userinit.exe,"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoSetActiveDesktop"=-
    "NoActiveDesktopChanges"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoSetActiveDesktop"=-
    "NoActiveDesktopChanges"=-
    
    :OTL
    O15 - HKLM\..Trusted Domains: buy-internet-security10.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: buy-internet-security10.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: is-soft-download.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: is-software-download.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: is-software-download25.com ([]http in Trusted sites)
    
    :Files
    helper32.dll /lsp
    winhelper86.dll /lsp
    %HOMEDRIVE%\Internet Security 2010.lnk /s
    %systemroot%\System32\winlogon32.exe
    %systemroot%\System32\smss32.exe
    %systemroot%\System32\AVR10.exe
    %systemroot%\System32\helper32.dll
    %systemroot%\System32\winlogon32.exe
    %systemroot%\System32\smss32.exe
    %systemroot%\System32\warning.html
    %systemroot%\system32\IS15.exe
    %systemroot%\System32\winhelper86.dll
    %HOMEDRIVE%\trhh.exe
    %HOMEDRIVE%\sdigdvmg.exe
    %HOMEDRIVE%\wgqi.exe
    %HOMEDRIVE%\byyk.exe
    %systemroot%\lsass.exe 
    %systemroot%\odbn0.exe
    %systemroot%\System32\sdra64.exe
    %systemroot%\System32\41.exe
    %systemroot%\System32\153.exe
    %systemroot%\System32\292.exe
    %systemroot%\System32\491.exe
    %systemroot%\System32\1869.exe
    %systemroot%\system32\2876.exe
    %systemroot%\System32\2995.exe
    %systemroot%\System32\3902.exe
    %systemroot%\System32\4827.exe
    %systemroot%\System32\5436.exe
    %systemroot%\System32\5447.exe
    %systemroot%\System32\5705.exe
    %systemroot%\System32\6334.exe
    %systemroot%\System32\7376.exe
    %systemroot%\System32\9961.exe
    %systemroot%\System32\11478.exe
    %systemroot%\System32\11538.exe
    %systemroot%\System32\11942.exe
    %systemroot%\System32\12382.exe
    %systemroot%\system32\12662.exe
    %systemroot%\System32\13931.exe
    %systemroot%\system32\14070.exe
    %systemroot%\System32\14604.exe
    %systemroot%\System32\14771.exe
    %systemroot%\System32\15724.exe
    %systemroot%\System32\16827.exe
    %systemroot%\System32\16944.exe
    %systemroot%\system32\17125.exe
    %systemroot%\System32\17421.exe
    %systemroot%\System32\18467.exe
    %systemroot%\System32\18716.exe
    %systemroot%\System32\19169.exe
    %systemroot%\System32\19718.exe
    %systemroot%\System32\19895.exe
    %systemroot%\system32\19905.exe
    %systemroot%\System32\19912.exe
    %systemroot%\system32\21386.exe
    %systemroot%\System32\21726.exe
    %systemroot%\system32\22934.exe
    %systemroot%\System32\23281.exe
    %systemroot%\system32\24242.exe
    %systemroot%\System32\24464.exe
    %systemroot%\system32\24478.exe
    %systemroot%\System32\26308.exe
    %systemroot%\System32\26500.exe
    %systemroot%\System32\26962.exe
    %systemroot%\system32\27213.exe
    %systemroot%\System32\28145.exe
    %systemroot%\system32\28466.exe
    %systemroot%\System32\29358.exe
    %systemroot%\System32\32391.exe
    %systemroot%\System32\32439.exe
    %systemroot%\system32\ndisdrv.sys
    %HOMEDRIVE%\s
    %systemroot%\system32\kbdsock.dll
    %systemroot%\system32\mshlps.dll 
    %systemroot%\system32\drivers\kdrhkukb.sys 
    %PROGRAMFILES%\InternetSecurity2010
    %systemroot%\System32\lowsec
    
    :Services
    lmuytnv
    ndisdrv
    qvazdxe
    
    :Commands
    [purity]
    [CREATERESTOREPOINT] 
    [resethosts]
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered; it won't take long.


Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Reboot your PC and see if the infection is gone.



The infection should hopefully be removed after these steps. If this is not the case, please go to the Virus Removal forum here and follow the steps in this thread here.



If you have had trouble connecting to the internet after this fix, then run the following step for whichever version of Windows you have. ONLY run this if you have had network problems.


Windows XP only:

Download WinSockXP and run the programme. Reboot and see if it has fixed your network connection.


Windows XP and Vista:

Follow the steps in this link here.


If this guide fixes your machine, then please read my guide on how to prevent malware and about safe computing here.


Regards

GeeksToGo Team

Edited by Rorschach112, 11 February 2010 - 07:24 AM.
