I don't know what exploit just hit, but I have now just finished my 3rd removal attempt of "Internet Security 2010" (aka "AntiVirus 2010", and all the other versions of this virus). I've never seen such a successful attack---but then again, these were all old XP machines.
Anyhow, I think I finally have it down now, and I'm writing this to remind myself for next time.
- Get MalwareBytes
- Get ProcessExplorer, AutoRuns, and that command-line utility that schedules file renames during Windows' startup.
- Go to BleepingComputer for their guide, and also grab their .reg file
- Put it all on a USB stick
MalwareBytes will take care of most of it, but first use ProcessExplorer to suspend execution of the virus's two resident processes. With the virus frozen, install and scan with MalwareBytes. If you can update it, it may take care of everything and you won't have to do the rest manually. However, most of the time, the Internet isn't available when the computer is infected.
Once it's done and you reboot, you've still got that stupid "helper32.dll" hooked into the network stack, so you'll get this "warning" web page if you attempt to go to mozilla.com, amazon.com, or facebook.com (to name a few).
Get rid of that file; then look for any other files in system32 that were created on the same day as helper32.dll (namely a winlogon32 file and a bunch of numbered executables; MalwareBytes should have already gotten rid of the infamous "41.exe"). If you can't delete it directly, use the SysInternals utility to schedule a rename during reboot.
After deleting the file, you'll need to fix the LSP (Layered Service Provider) stack. In a command-prompt, run "netsh winsock reset", then reboot. If things don't work, you'll need to use AutoRuns to get rid of the registry key, then do the netsh command.
If the netsh command spits out an error regarding ipmontr.dll, you either haven't deleted helper32.dll yet, or one of its friends is causing a problem and needs to be deleted too.
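A quick way to see whether the LSP hook is still registered before and after the netsh step, as an added example (my code, not the author's): it parses the text printed by `netsh winsock show catalog` and reports every provider DLL that is not one of the stock XP providers. The BASELINE set and the SAMPLE output are assumptions constructed for this example, not output captured from an infected machine.

```python
import os
from collections import defaultdict

# Provider DLLs in the Winsock catalog of a stock Windows XP SP2/SP3 install
# (assumption: anything else in the catalog is worth a look).
BASELINE = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}

# Constructed sample of `netsh winsock show catalog` output, not captured from
# a real machine; the second entry mimics the helper32.dll LSP hook.
SAMPLE = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        helper over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      %SystemRoot%\\system32\\helper32.dll
Catalog Entry ID:                   1004
"""

def parse_catalog(text):
    """Split netsh output into one {field: value} dict per catalog entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # first colon ends the field name
            current[key.strip()] = value.strip()
    return entries

def suspicious_providers(text, baseline=BASELINE):
    """Map each non-baseline provider DLL to the catalog entry IDs that load it."""
    hits = defaultdict(list)
    for entry in parse_catalog(text):
        path = entry.get("Provider Path", "").replace("\\", "/")
        name = os.path.basename(path).lower()
        if name and name not in baseline:
            hits[name].append(entry.get("Catalog Entry ID", "?"))
    return dict(hits)
```

On the infected machine, feed `suspicious_providers` the saved output of `netsh winsock show catalog`; after deleting helper32.dll and running `netsh winsock reset`, the same check should come back empty.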
If someone else stumbles onto this and finds this very vague, sorry. I don't have time to be as explicit and thorough as I would like. There should be enough key words in here to make Google turn up helpful results.