Some signs that you may have this infection are the following entries in your OTL log:
O4 - HKLM..\Run: [smss32.exe] C:\Windows\System32\smss32.exe (qMrFQuSlWMRGzyuJqaKcd)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\helper32.dll ()
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\winlogon32.exe) - C:\Windows\System32\winlogon32.exe (qMrFQuSlWMRGzyuJqaKcd)
Or the presence of any of the following files/folders:
C:\Program Files\InternetSecurity2010
%UserProfile%\Desktop\Internet Security 2010.lnk << this is a shortcut on your desktop
C:\windows\System32\helper32.dll
C:\windows\System32\winlogon32.exe
C:\windows\System32\smss32.exe
C:\windows\System32\warning.html
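The indicators above (and the lowsec folder mentioned under Step 1) can be checked against a saved OTL log automatically. This is an added example, not part of the original guide or of OTL itself; the sample log lines are constructed in the shape of the entries quoted above, and the indicator list is taken from this page.

```python
import re

# Indicators copied from the guide above (launch points and dropped files). Each is matched
# case-insensitively, followed by a non-filename character, so a path inside the
# InternetSecurity2010 folder still counts as that folder being present.
INDICATORS = [
    r"c:\windows\system32\smss32.exe",
    r"c:\windows\system32\winlogon32.exe",
    r"c:\windows\system32\helper32.dll",
    r"c:\windows\system32\warning.html",
    r"c:\program files\internetsecurity2010",
    r"\desktop\internet security 2010.lnk",   # %UserProfile% varies, so match the tail
]
# The guide says this folder marks the password-stealing variant.
CREDENTIAL_THEFT_FOLDER = r"c:\windows\system32\lowsec"
OTL_SECTION = re.compile(r"^(O\d+)\s+-\s")   # e.g. "O4 - HKLM..\Run: ..."
_PATTERNS = [(ind, re.compile(re.escape(ind) + r"(?![\w.])", re.IGNORECASE))
             for ind in INDICATORS + [CREDENTIAL_THEFT_FOLDER]]

def triage_otl_log(log_text):
    """Report which indicators appear in an OTL log and in which OTL section (Oxx) each was seen."""
    hits = {}   # indicator -> set of section tags; "file" for lines that are not Oxx entries
    for raw in log_text.splitlines():
        line = raw.strip()
        m = OTL_SECTION.match(line)
        section = m.group(1) if m else "file"
        for indicator, pat in _PATTERNS:
            if pat.search(line):
                hits.setdefault(indicator, set()).add(section)
    return {
        "infected": bool(hits),
        "credential_theft": CREDENTIAL_THEFT_FOLDER in hits,
        "hits": {ind: sorted(secs) for ind, secs in hits.items()},
    }

# Constructed sample in the shape of the OTL lines quoted above (not a real victim's log).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [smss32.exe] C:\Windows\System32\smss32.exe (qMrFQuSlWMRGzyuJqaKcd)
O4 - HKLM..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\helper32.dll ()
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\winlogon32.exe) - C:\Windows\System32\winlogon32.exe (qMrFQuSlWMRGzyuJqaKcd)
[2010/02/10 21:03:12 | 000,000,000 | ---D | C] -- C:\Windows\System32\lowsec
"""

if __name__ == "__main__":
    result = triage_otl_log(SAMPLE_LOG)
    print("infected:", result["infected"], "| credential-theft variant:", result["credential_theft"])
    for indicator, sections in result["hits"].items():
        print("  %-45s seen in %s" % (indicator, ", ".join(sections)))
```

A credential_theft result of True is the cue to follow the Step 1 precautions before anything else.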
Let's get on to removing the infection now.
Step 1 : Safety precautions
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference.
Some variants of this infection are known to steal passwords and other login information; this is usually indicated by the following entry, which will show up in your OTL/MBAM log:
C:\windows\System32\lowsec
As a result, you should follow this precaution.
If this computer is ever used for on-line banking, I suggest you do the following immediately:
1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Backup Your Registry with ERUNT
- Please use the following link, scroll down to ERUNT and download it: http://aumha.org/freeware/freeware.php
- For the version with the installer: use the setup program to install ERUNT on your computer.
- For the zipped version: unzip all the files into a folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe
Download SysRestorePoint to your desktop and unzip it to its own folder.
- Double click SysRestorePoint.exe so that we can make a new system restore point.
- A box will pop up after it has made a new point, usually after a few seconds. Close that window and exit the program.
Note : If ERUNT or SysRestorePoint fail to work, move onto the next step anyway.
Step 2 : The fix
If you experience difficulties connecting to the internet after following all the steps in the fix, there is a possible solution for that at the end which you should try.
Download OTL to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\Userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-
:OTL
O15 - HKLM\..Trusted Domains: buy-internet-security10.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: buy-internet-security10.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: is-soft-download.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: is-software-download.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: is-software-download25.com ([]http in Trusted sites)
:Files
helper32.dll /lsp
winhelper86.dll /lsp
%HOMEDRIVE%\Internet Security 2010.lnk /s
%systemroot%\System32\winlogon32.exe
%systemroot%\System32\smss32.exe
%systemroot%\System32\AVR10.exe
%systemroot%\System32\helper32.dll
%systemroot%\System32\winlogon32.exe
%systemroot%\System32\smss32.exe
%systemroot%\System32\warning.html
%systemroot%\system32\IS15.exe
%systemroot%\System32\winhelper86.dll
%HOMEDRIVE%\trhh.exe
%HOMEDRIVE%\sdigdvmg.exe
%HOMEDRIVE%\wgqi.exe
%HOMEDRIVE%\byyk.exe
%systemroot%\lsass.exe
%systemroot%\odbn0.exe
%systemroot%\System32\sdra64.exe
%systemroot%\System32\41.exe
%systemroot%\System32\153.exe
%systemroot%\System32\292.exe
%systemroot%\System32\491.exe
%systemroot%\System32\1869.exe
%systemroot%\system32\2876.exe
%systemroot%\System32\2995.exe
%systemroot%\System32\3902.exe
%systemroot%\System32\4827.exe
%systemroot%\System32\5436.exe
%systemroot%\System32\5447.exe
%systemroot%\System32\5705.exe
%systemroot%\System32\6334.exe
%systemroot%\System32\7376.exe
%systemroot%\System32\9961.exe
%systemroot%\System32\11478.exe
%systemroot%\System32\11538.exe
%systemroot%\System32\11942.exe
%systemroot%\System32\12382.exe
%systemroot%\system32\12662.exe
%systemroot%\System32\13931.exe
%systemroot%\system32\14070.exe
%systemroot%\System32\14604.exe
%systemroot%\System32\14771.exe
%systemroot%\System32\15724.exe
%systemroot%\System32\16827.exe
%systemroot%\System32\16944.exe
%systemroot%\system32\17125.exe
%systemroot%\System32\17421.exe
%systemroot%\System32\18467.exe
%systemroot%\System32\18716.exe
%systemroot%\System32\19169.exe
%systemroot%\System32\19718.exe
%systemroot%\System32\19895.exe
%systemroot%\system32\19905.exe
%systemroot%\System32\19912.exe
%systemroot%\system32\21386.exe
%systemroot%\System32\21726.exe
%systemroot%\system32\22934.exe
%systemroot%\System32\23281.exe
%systemroot%\system32\24242.exe
%systemroot%\System32\24464.exe
%systemroot%\system32\24478.exe
%systemroot%\System32\26308.exe
%systemroot%\System32\26500.exe
%systemroot%\System32\26962.exe
%systemroot%\system32\27213.exe
%systemroot%\System32\28145.exe
%systemroot%\system32\28466.exe
%systemroot%\System32\29358.exe
%systemroot%\System32\32391.exe
%systemroot%\System32\32439.exe
%systemroot%\system32\ndisdrv.sys
%HOMEDRIVE%\s
%systemroot%\system32\kbdsock.dll
%systemroot%\system32\mshlps.dll
%systemroot%\system32\drivers\kdrhkukb.sys
%PROGRAMFILES%\InternetSecurity2010
%systemroot%\System32\lowsec
:Services
lmuytnv
ndisdrv
qvazdxe
:Commands
[purity]
[CREATERESTOREPOINT]
[resethosts]
[emptytemp]
- Then click the Run Fix button at the top
- Let the program run unhindered; it won't take long.
Please download Malwarebytes' Anti-Malware from Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Reboot your PC and see if the infection is gone.
The infection should hopefully be removed after these steps. If this is not the case, please go to the Virus Removal forum here and follow the steps in this thread here
If you have had trouble connecting to the internet after this fix then run the following step for whichever Windows you have. ONLY run this if you have had network problems.
Windows XP only :
Download WinSockXP and run the programme. Reboot and see if it has fixed your network connection
Windows XP and Vista :
Follow the steps in this link here
If this guide fixes your machine, then please read my guide on how to prevent malware and about safe computing here
Regards
GeeksToGo Team
Edited by Rorschach112, 11 February 2010 - 07:24 AM.