Anybody delt with Internet Security 2010 malware/virus???

[fj62alex]

Hi,
My friend's PC (Win XP Home)got infected with Internet Security 2010maleware. I searched the internet and found the instructions what to do. I ran HijackThis and Malwarebytes and it seems like it took care of it. After I cleaned all recommended files/registry, I rebooted PC and still have the message on the desktop (Green background with black logo). I searched the and found which file to delete in system32 folder.
PC worked fine for two days and now he has Green background (black logo) on the desktop after he turned the PC on.

Please help, I am I missing something???
Thanks,
Alex

 

[kjv1611]

Is it possible that it just loaded a jpg as a background picture, and that you didn't change it back to normal at the end of all the other work?

Also, it's possible to get reinfected.

What AV is he running? If running Norton or McAfee or even AVG or Avast!, I suggest installing Avira Antivir instead.

Also, what firewall? Try installing Online Armor if a 32 bit system, or else Comodo Internet Security.

Another antimalware app you can give a go with is SuperAntispyware.

Also, there's Combo Fix, seems it's been a popular one here as of late.

--

"If to err is human, then I must be some kind of human!" -Me

 

[goombawaho]

Be careful about using ComboFix. It will hose maybe 1 out of 20 PCs after it runs. If you don't know how to recover from it, you have a non-bootable computer.

I'm not slamming the product, but it's better used by "IT folks" rather than casual users unless you don't mind rolling them dice.

 

[ronin77]

1.) Download Spybot S&D and the manual update -- and LSPFix to a USB drive. (You can get all three from Majorgeeks.com)

2.) Disconnect your Internet connection.

3.) Run LSPFix to delete helper32.dll from your LSP.

4.) Check your Internet connection settings, you will probably find that they have been changed to use a proxy. Remove it.

5.) Install Spybot S&D and update, then run to remove Vundo infection...

 

[goombawaho]

I don't recommend Spybot, it's not nearly as effective or as fast as MBAM. That desktop thing is probably just a leftover background picture - go to the control panel and change your background. There's probably no malware involved.

Instead of using LSPFix, use WinsockXPFix - very simple.

http://www.snapfiles.com/get/winsockxpfix.html

Listen to me - I do this every week of my life.

 

[kjv1611]

Listen to me - I do this every week of my life.

Careful there, goomb. You're not the only one around here who "does this every week.." And unless you're oh, 10 years old or so, I doubt "every week of my life" fits anyhow.

The whole purpose of a discussion forum is for different folks to discuss different matters. By getting different inputs, each person can then decide what fits their situation best, what they feel the most comfortable with, etc.

My point is this: Just like you can't depend on one security product to do the job 100% of the time correctly by itself, you can't depend on any one person to "know it all." even in just one area of technology. Frankly, there's just too much out there for one person to be THE expert.

--

"If to err is human, then I must be some kind of human!" -Me

 

[ronin77]

@ fj62alex

WinsockFix doesn't tell you what it found (or didn't find.) If you don't care whether anything was actually found or corrected, use it instead.

I find Spybot and MBAM roughly equal, with different strengths and weaknesses, because they use different methods to do what they do. However, use whichever suits your tastes.

BTW, I do this (and more) every week, too. ...But I'm sure you're capable of deciding for yourself whether I'm worth listening to...

 

[xit]

I have found that what works on one system may or may not work on another. That being said I found that if I catch this certain malware at an early stage, it is much easier to combat, if it has progressed, it can be a challenge to overcome.

Sometimes by asking the owner good questions, it may give a different direction as to how to proceed & every situation has its own unique problems & remedies.

Through trial and error, over time, you know the best approach and what programs and procedures work for a certian problem.

From here we can then share with others & we all benefit.

xit

 

[goombawaho]

I'll put my skills up against anybody. I gave up on Spybot a while back as MBAM was much quicker for a quick scan and knocked stuff out better.

Sure, I use different tools at different times, but I find that the exact same procedure on each machine yields a very high rate of permanent removal.

1. Temp file removal
2. shut off all non-necessary processes with Process Explorer
3. Run MBAM quick scan
4. Look at startup items with Autoruns
5. Reboot
6. Check running processes again
7. Check startup items again with Autoruns & HijackThis

This procedure fixes 95% of the malware I see. The bad stuff, I hit with GMER, RogueFix RootRepeal and/or ComboFix.

Read and learn.

 

[goombawaho]

As my final comment in this thread: I see a lot of people on this forum that give very poor advice - not naming any names.

Such is the nature of a forum where anyone can give advice. It's sort of like asking for medical help from someone on Craig's List. Buyer beware.

 

[kjv1611]

I'll vouch for MBAM being pretty much THE best antimalware app as of today. Unfortunately that doesn't mean it'll be that way tomorrow. It wasn't long ago, really, that Spybot was considered the best or one of the best. I've all but totally discounted its use myself, as I began having more problems with its use than success. However, someone else may have better success I suppose... and it's been so long for me, it could've changed by now.

ronin77,

You say you use Spybot now? Has it improved for you in the past 1 to 2 years, or is it running about the same as before? Just curious for now. I wouldn't mind giving that and/or Ad-Aware a chance again if I hear a reason to try.

--

"If to err is human, then I must be some kind of human!" -Me

 

[ronin77]

You can always trust a condescending, smarter-than-thou techie with an ego the size of Texas.

...Especially if he criticizes people he doesn't know, with backgrounds, skills, and experience that may be more impressive than his...!

...You can take my word on this, because I'm an expert on techie egos. ;-)

 

[ronin77]

@kjv1611...

Frankly, I haven't seen much change in the performance of Spybot over the past two years -- it still works pretty much as well for me now as it did then.

Adaware is still bad. I had another bad run-in with it on a customer's PC just yesterday.

Spybot is pretty much passive the way I use it. i.e. As a cleaner only. Are you talking about TeaTimer being a hassle? It is! I never install it.

As cleaners, I've seen both Spybot and MBAM miss important components that the other caught, or fail to remove infection components that the other couldn't. About equal, I'd say. That's why I use both. I just tend to use Spybot more because I'm familiar with it and it's extra tools, and it pretty much always gets the job done for me.

 

[ronin77]

@kjv1611

Not soliciting any trade secrets, but just out of curiosity...

What do you do for infections like Sysguard and IS2010, when the system will only boot to a warning message and go no further, or boots completely, but won't allow any other processes to run...? (In normal OR Safe mode?)

In these situations, you can't run any software at all...?

 

[kjv1611]

In those situations, I'll often just recommend a reinstall, possibly. Otherwise, I'd try a liveCD virus scanner/cleaner such as DrWeb CureIt!. I've not tried it yet, but I know BadBigBen has recommended Avira's LiveCD recovery tool as well. If it's half as good as their standard AV program, then I'm sure it's are a real winner.

The reason I personally end up just recommending a clean install is that oftentimes folks will have so much garbage on a machine, and then the malware on top of it, that they end up with a much better setup once I custom install wipe, reinstall, and customize the whole thing. And with some Malware, you could end up trying to "fight" it for as long or longer than just doing a clean install.

I realize, of course, there are some circumstances when a reinstall needs to be avoided at all costs, either by preference or b/c of some software that's been lost and is now practically irreplaceable.

Of course, you can always try other bootable tools as well, such as UBCD and UBCD4Win.

--

"If to err is human, then I must be some kind of human!" -Me

 

[ronin77]

Ok, that explains the differences in experiences. I start at the other end of the process...

I almost always boot to UBCD first, find and quarantine the viral components, and clean the hostile startups, BHOs, Toolbars, and logons. That "breaks" the virus. Then I reboot and use the AV/AM software to clean up the rest of the components and anything else I might have missed.

It's pretty rare that I try to clean a system while it's under the control of the infection.

I've been wanting to try out Avira's LiveCD recovery tool, too. In fact, I think I'll check it out right now...

 

[2ffat]

<Slightly Off-Topic>I still use Spybot and like it but it is not the only tool in my arsenal. I just installed Ad-Aware and am about to permanently give it the boot. It insists on installing things like Ad-Aware Live, Chrome, Ad-Aware for Outlook (I don't use Outlook), and several other services. It takes me longer to remove those than it does to remove some infections.

I use Avira LiveCD and Dr.Web CD. I like both but the last time I used Avira (last week on a PC trashed by that MS update), it showed several false positives. In this case it didn't matter since I ended up wiping the hard drive and starting over.


James P. Cottingham
[sup]I'm number 1,229!
I'm number 1,229![/sup]

 

[kjv1611]

Thanks for the info on Ad-Aware, 2ffat. That makes me kick my possible thought of retesting it to the curb. I agree on the add-ins... if they want to use them as well, they should be optional - not required, and by all means NOT installed by default if the other piece is missing (ex, Outlook).

As for the OP, fj62alex hasn't logged in since the day he posted this question, and he's asked a few questions off and on for about 4 years, but no "thanks", and historically it looks like at least half his threads just go abandoned, no follow-up of his own, so who knows if he's getting help or not...

fj62alex,
If you log back in before the thread expires, let us know some sort of update on your situation. Did any of the suggestions help? Did you find any solution that worked - posted here or otherwise?

--

"If to err is human, then I must be some kind of human!" -Me

 

[2ffat]

A FAQ post would be most helpful.


James P. Cottingham
[sup]I'm number 1,229!
I'm number 1,229![/sup]

 

[kjv1611]

You know what would really be helpful here (I think)? A wiki topic. But of course, that functionality isn't currently available. I wonder if that's something that could ever be considered here..

The reason I say that is b/c an area like this changes so often, a wiki article could theoretically be updated by any member, so it would be more likely to stay up to date, and be applicable at any given time.

--

"If to err is human, then I must be some kind of human!" -Me