40 replies to this topic

[Mii]

I recently started getting strange pop-ups every time I try to go to any website. Today, it was acting really slow and I hate to shut it down several times. When I turned it back on, the desktop was set with a wallpaper that said my computer was infected and etc. There would also be a red circle with a white "X" in the middle down in the icons on the taskbar. And it would once in a while pop up saying I needed to download some type of removal tool for the TrojanSPM/LX. I'm new to this so I'm not sure what to do. @.@

[CatByte]

Hi,


Please do the following:


Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :Reg
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  "Shell"="explorer.exe"
  "Userinit"="C:\\WINDOWS\\system32\\Userinit.exe,"
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  "DisableTaskMgr"=-
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  "DisableTaskMgr"=-
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  "NoSetActiveDesktop"=-
  "NoActiveDesktopChanges"=-
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  "NoSetActiveDesktop"=-
  "NoActiveDesktopChanges"=-
  
  :Files
  helper32.dll /lsp
  winhelper86.dll /lsp
  %HOMEDRIVE%\Internet Security 2010.lnk /s
  %systemroot%\System32\winlogon32.exe
  %systemroot%\System32\smss32.exe
  %systemroot%\System32\AVR10.exe
  %systemroot%\System32\helper32.dll
  %systemroot%\System32\winlogon32.exe
  %systemroot%\System32\smss32.exe
  %systemroot%\System32\warning.html
  %systemroot%\system32\IS15.exe
  %systemroot%\System32\winhelper86.dll
  %HOMEDRIVE%\trhh.exe
  %HOMEDRIVE%\sdigdvmg.exe
  %HOMEDRIVE%\wgqi.exe
  %HOMEDRIVE%\byyk.exe
  %systemroot%\lsass.exe 
  %systemroot%\odbn0.exe
  %systemroot%\System32\sdra64.exe
  %systemroot%\System32\41.exe
  %systemroot%\System32\153.exe
  %systemroot%\System32\292.exe
  %systemroot%\System32\491.exe
  %systemroot%\System32\1869.exe
  %systemroot%\system32\2876.exe
  %systemroot%\System32\2995.exe
  %systemroot%\System32\3902.exe
  %systemroot%\System32\4827.exe
  %systemroot%\System32\5436.exe
  %systemroot%\System32\5447.exe
  %systemroot%\System32\5705.exe
  %systemroot%\System32\6334.exe
  %systemroot%\System32\7376.exe
  %systemroot%\System32\9961.exe
  %systemroot%\System32\11478.exe
  %systemroot%\System32\11538.exe
  %systemroot%\System32\11942.exe
  %systemroot%\System32\12382.exe
  %systemroot%\system32\12662.exe
  %systemroot%\System32\13931.exe
  %systemroot%\system32\14070.exe
  %systemroot%\System32\14604.exe
  %systemroot%\System32\14771.exe
  %systemroot%\System32\15724.exe
  %systemroot%\System32\16827.exe
  %systemroot%\System32\16944.exe
  %systemroot%\system32\17125.exe
  %systemroot%\System32\17421.exe
  %systemroot%\System32\18467.exe
  %systemroot%\System32\18716.exe
  %systemroot%\System32\19169.exe
  %systemroot%\System32\19718.exe
  %systemroot%\System32\19895.exe
  %systemroot%\system32\19905.exe
  %systemroot%\System32\19912.exe
  %systemroot%\system32\21386.exe
  %systemroot%\System32\21726.exe
  %systemroot%\system32\22934.exe
  %systemroot%\System32\23281.exe
  %systemroot%\system32\24242.exe
  %systemroot%\System32\24464.exe
  %systemroot%\system32\24478.exe
  %systemroot%\System32\26308.exe
  %systemroot%\System32\26500.exe
  %systemroot%\System32\26962.exe
  %systemroot%\system32\27213.exe
  %systemroot%\System32\28145.exe
  %systemroot%\system32\28466.exe
  %systemroot%\System32\29358.exe
  %systemroot%\System32\32391.exe
  %systemroot%\System32\32439.exe
  %systemroot%\system32\ndisdrv.sys
  %HOMEDRIVE%\s
  %systemroot%\system32\kbdsock.dll
  %systemroot%\system32\mshlps.dll 
  %systemroot%\system32\drivers\kdrhkukb.sys 
  %PROGRAMFILES%\InternetSecurity2010
  %systemroot%\System32\lowsec
  
  :Services
  lmuytnv
  ndisdrv
  qvazdxe
  
  :Commands
  [purity]
  [emptytemp]
  [CREATERESTOREPOINT] 
  [resethosts]

• Then click the Run Fix button at the top
• Let the program run unhindered, it wont take long.

[Mii]

I can't seem to get to the website with the link to download OTL. >.<

[CatByte]

you'll have to click on the address bar in your browser and copy / paste the path directly into the address bar:

http://oldtimer.geekstogo.com/OTL.exe

[Mii]

It's still not working

[CatByte]

do you have access to another computer where you can download it and transfer it over via USB?

[Mii]

Sadly I don't have one. XP

[CatByte]

OK

go to start > run

copy/paste the following command into the run box > OK

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t Reg_dword /d 0 /f

This should enable your Task Manager.

Now go into your task manager (ctrl +alt +del)


see if there are any processes lited from the list below: If there are > end process (do not reboot) > that should be enough to get the OTL program downloaded:

winlogon32.exe
smss32.exe
AVR10.exe
helper32.dll
winlogon32.exe
smss32.exe
warning.html
IS15.exe
winhelper86.dll
trhh.exe
sdigdvmg.exe
wgqi.exe
byyk.exe
odbn0.exe
sdra64.exe
41.exe
153.exe

[Mii]

The virus is preventing my Task Manager from opening, and any other .exe files for that matter except a few.

[CatByte]

see if your can download this file - paste the link into the browser address bar

http://www.raktor.ne...er/explorer.exe

[Mii]

Yes I can, I just downloaded it.

[CatByte]

good, It should run...post the resulting log..it should free up your computer enough to be able to download and run OTL

[Mii]

As it ran, a pop-up kept coming up saying WARNING Application cannot be executed. The file is infected. Please activate your antivirus software. Otherwise than that here's the log exeHelper by Raktor Build 20091220 Run at 21:08:26 on 01/26/10 Now searching... Checking for numerical processes... Checking for sysguard processes... Checking for bad processes... Checking for bad files... Deleting file C:\WINDOWS\system32\41.exe Error deleting C:\WINDOWS\system32\41.exe - Set for removal on reboot - PLEASE REBOOT Checking for bad registry entries... Resetting filetype association for .exe Resetting filetype association for .com Resetting userinit and shell values... Resetting policies... --Finished-- As for OTL, I couldn't get to the homepage of the website itself.

[CatByte]

reboot as exeHelper requested
re-run exe helper
then copy paste the path for OTL into your browser again

http://oldtimer.geekstogo.com/OTL.exe

a file should start to download - save it to your desktop.

If a download doesn't start tell me what happens when you try it?

[Mii]

OTL is running~ XD