Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet Security 2010 complete removal


  • Please log in to reply
20 replies to this topic

#1 styx37

styx37

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 07 January 2010 - 07:22 AM

I recently was unfortunate enough to have my computer get infected with " Internet Security 2010" (which I believe is a virus or something like that) and I've already taken some steps in an attempt to remove it, but it's still clinging on.

First of all I'm not entirely sure that internet security 2010 is a virus but seeing as it downloaded itself onto my computer without my permission im assuming that it is indeed what's causing the issues.

When it first came to my attention, what happened was internet security told me my computer was infected and downloaded itself. All sorts of virus warning pop-ups started coming and my computer slowed down and lost some of its functionality. I immediately ran a full scan with Malwarebytes while leaving the countless pop-ups alone, seeing as they just came back if i got rid of them. While that was happening i looked for internet security on my desktop and deleted any parts i came across but i couldn't find it under the add/remove programs thing. Malwarebytes finished it's scan and I removed the infections it had found and restarted my computer as it said i needed to.
When the computer loaded back up the pop-ups stopped but the warning sign that took over my desktop was still there. I then ran a spybot search and destoy scan but it came up with no infections. This is when i tried looking up the infection, only to find i can't. My internet connection is fine, i ran the diagnose connection problems program and its fully connected to the internet. Im actually using the same connection to write this using my Wii system. But anyways, i couldn't find any more internet security files so i decided to boot my computer up in safe mode.
I ran another malwarebytes scan in safe mode (found no infections) and restarted back in normal mode after trying to run system restore (i didnt have it enabled so i had to turn it on in normal mode).
I then tried to run the system restore only to find it would only give me one date/time to restore to.... which was only about 15 minutes in the past.
The last thing I did was attempt to change my desktop picture from the warning sign that took over, and that worked and actually stayed on after another restart.

Overall i need my internet back fast and have run out of ideas as to getting rid of the rest of the virus.
Im using Windows XP but im not insanely computer tec savy so i really need help.

BC AdBot (Login to Remove)

 


#2 Concept82

Concept82

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 07 January 2010 - 08:09 AM

I have the same problem. I put up a post yesterday about it and am just about to try the suggested steps now myself. Check the below link to view the topic.

http://www.bleepingcomputer.com/forums/t/284677/internet-security-2010/

#3 styx37

styx37
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 07 January 2010 - 09:04 AM

Sweet thanks for the link :thumbsup:
Some of it i can't do cause i can't use my computer's internet to follow the links and download but the other stuff i'll try.

#4 styx37

styx37
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 07 January 2010 - 10:46 AM

Didn't work..... my brain is going to implode :thumbsup:

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:35 PM

Posted 07 January 2010 - 12:53 PM

Hello, If you cannot use the Internet,you will need access to another computer that has a connection.
Puy both RKill and MBAM on a flash drive or CD.

RKill....

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.


MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



From there save mbam-setup.exe to a flash,usb,jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 styx37

styx37
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 07 January 2010 - 10:06 PM

I'll try but I don't really have another computer at hand to use.

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:35 PM

Posted 07 January 2010 - 11:17 PM

I am guessing you have XP here..

Try doing a system restore to a few days before you were infected. This may bring your internet back .. Then try runing RKill and Mbam.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 styx37

styx37
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 11 January 2010 - 04:56 AM

If you read my first post you'd see why that's not an option, but im working on getting some programs on a separate computer right now.

#9 styx37

styx37
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 11 January 2010 - 05:26 AM

Ok so my internet has been restored now, therefore im able to post the log for malwarebytes. I don't know if Internet Security is completely gone or not though.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/11/2010 4:19:51 AM
mbam-log-2010-01-11 (04-19-51).txt

Scan type: Quick Scan
Objects scanned: 114029
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\Documents and Settings\Krista\Application Data\SystemProc\lsass.exe (Trojan.Inject) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Inject) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yazeriza.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Krista\Application Data\SystemProc\lsass.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Krista\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\confin.sys (Malware.Trace) -> Quarantined and deleted successfully.

#10 styx37

styx37
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 11 January 2010 - 05:27 AM

Oh, i'd also like to know if i can delete all the things malwarebytes put into quarantine.

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:35 PM

Posted 11 January 2010 - 10:18 AM

Hello, good progress. Yes those are all deleteable.

We stilll need to look for more tho so do these and we should be done...

Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 styx37

styx37
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 11 January 2010 - 02:42 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/11/2010 at 01:28 PM

Application Version : 4.33.1000

Core Rules Database Version : 4464
Trace Rules Database Version: 2284

Scan type : Complete Scan
Total Scan Time : 02:12:17

Memory items scanned : 221
Memory threats detected : 0
Registry items scanned : 5951
Registry threats detected : 1
File items scanned : 43656
File threats detected : 0

Rogue.Component/Trace
HKU\S-1-5-21-861567501-2049760794-839522115-1004\Software\Microsoft\FIAS4057

Running Malwarebytes again and following the rest of the directions right now.

#13 styx37

styx37
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 11 January 2010 - 02:55 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3541
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/11/2010 1:49:45 PM
mbam-log-2010-01-11 (13-49-45).txt

Scan type: Quick Scan
Objects scanned: 115106
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

And now im doing the last part.

#14 styx37

styx37
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 11 January 2010 - 04:11 PM

C:\Documents and Settings\Krista\My Documents\LimeWire\Incomplete\T-3555427-jilted john [dvd rip].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20090720-123325.backup Win32/Qhost trojan cleaned by deleting - quarantined

Alright finally done. My computer seems to be running as it was before it got infected, although the only thing telling me something was still wrong after i attempted to clear the initial infection was the fact that internet was disabled. Seeing as my internet is still working though i have high hopes.

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:35 PM

Posted 11 January 2010 - 04:24 PM

Hello, much better.. we still need to see if that bogus download left any rootkits as they like to do.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users