I have a laptop that has a really, really slow internet. I called my provider Comcast but they said my system is fine and to download Norton Anti-Virus. I am thinking I may have received an Internet Security 2010 virus a few days ago. So I downloaded Avast and Spybot anti-virus programs on my computer. Some of the pop-ups went away but my internet is still really slow....

And my desktop has a message on it saying that "Your Computer Is Infected" which has not gone away.

I tried doing system restore a few times but although it goes through the process at the end there is a screen that says SYSTEM RESTORE INCOMPLETE?

Why is system restore not working?

How can I fix my computer?

Thanks.

Because System Restore is NOT ever to be used to remove infections, or any program for that matter. It is not a removal process and actually only backs up a few key files. It will not back up data or any personal items. It also should only ever be used to go back just one or two days, no more.
So how many anti-virus programs DO you have installed on the machine? You mention two, Norton and Avast. The absolute rule is ONE anti-virus program should be installed, no more. Spybot is fine; it is not an anti-virus program, so it can stay. If you have both Norton and Avast then you must Uninstall one of them via Add/Remove before proceeding any further.

Then do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version if one is available. There are always new updates to the definitions.
* Once the program has loaded, select Perform full scan, then choose the drive(s) then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected if malware is found.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can be retrieved by opening up MBAM and clicking on the Logs Tab at the top of the program.

Reboot the computer

Next download HiJackThis. Run a system scan and save the log.
Post back here with the MBA-M log and the HJT log.

Hi,

I only have AVAST and Spybot on my computer right now. I don't have Norton and was only thinking about using it in place of one or both of the above programs because it may be the full Norton version.

Thank You for replying. I will do as you say and then post the logs.


PZPZ

I posted the log from Malwarebytes below:


Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2/4/2010 11:16:57 PM
mbam-log-2010-02-04 (23-16-57).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 165609
Time elapsed: 39 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piradipid (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: apemerl.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\apemerl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Parakash Pratibhu\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Parakash Pratibhu\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Program Files\Shared\_lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
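
The log above lists several items as "Delete on reboot", including a Run value and an LSA Notification Packages entry, which are the ones worth rechecking with a second scan after the restart. The following Python is an added example, not part of the thread and not Malwarebytes' own code: it parses lines in the format shown above and pulls out those items. The function names are hypothetical and the autostart list covers only the locations seen in this log.

```python
import re
from collections import Counter

# Excerpt of the Malwarebytes 1.44 log posted above (same line format).
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piradipid (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: apemerl.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\apemerl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(.+) Infected:$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
# Assumption: only the autostart locations that appear in this log, not a full list.
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\control\\lsa\\notification packages")

def parse_mbam_log(text):
    section, entries = None, []
    for line in (l.strip() for l in text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            # The last "->" segment is the action; earlier segments are data notes.
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            entries.append({"section": section, "item": m.group("item"),
                            "detection": m.group("name"), "action": action})
    return entries

def pending_reboot(entries):
    return [e for e in entries if e["action"].lower() == "delete on reboot"]

def autostart_entries(entries):
    return [e for e in entries if any(k in e["item"].lower() for k in AUTOSTART_MARKERS)]

def families(entries):
    return Counter(e["detection"] for e in entries)

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(dict(families(found)))
    print("recheck after reboot:", [e["item"] for e in pending_reboot(found)])
```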

Now do the HiJackThis and post that log for me.

Okay, I have a new problem now. Malwarebytes detected around 11 infected files, and around 3 required a restart to delete.

My computer restarted and the "Your Computer Is Infected" sign is not on the background anymore....but now I have no Internet. I cannot get on the Internet using any type of Internet Browser. I called my ISP (Comcast) but they said the problem must be on my end because the internet signal is fine from their end...and it must be due to either downloading Malwarebytes or the restart.

How can I fix this so I have the Internet working normally again?

Do you have access to a computer where you could download a repair tool, save to a cd or flash drive and then take it to the infected computer?

Yes, I can use my work computer to download a repair tool to my USB flash drive. What repair tool is best for this problem?

There are two which you can try:
LSPFix

or this one.

WinSock XP Fix
put the program on the desktop and double click to run it. Reboot and see if the problem is fixed.

Okay. Thanks. I will try this to see if it works.

I used WinSock and the problem is now fixed. Hooray!

So Thank You for all your help. It would have been nice to figure out what WinSock detected and fixed. Also should I keep Malwarebytes on my computer or uninstall it?

The winsock program fixes the broken winsock stack which was caused by the infection.

Keep Malwarebytes' absolutely. It is top of the line at the moment, as you can see. At least once a week UPDATE the program and then do a Quick Scan with it. Remove everything it finds and Reboot. IF the Quick Scan does find something then Update the program again, after the reboot and do a Full Scan with it to see if it finds anything else.
If the Quick scan doesn't find anything then all is good and no other scan would be needed.

BUT, we aren't quite finished here yet. At least a couple more things you need to do to be sure the computer IS clean; these types of infections very often have a lot of files, or bring in others, and just one scan or one type of scan is not enough.

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

Reboot the computer.

Download HiJackThis and run a system scan with it and save the log.

Post back with the ESET log and the HiJackThis log.
