Hello Friends
I had this problem this week & started searching on the net for this issue & found this forum, which actually helped me to resolve this issue. I actually combined a lot of suggestions together & did some more searching & found the following solution.
About the Symptoms:
*) While browsing the internet, suddenly without any warning an application was installed by the name “Internet Security 2010” & this claims itself as anti-spyware & asked me to install it. It even listed some viruses which attacked my laptop, but that is actually a fake screenshot.
*) Started getting notifications that my laptop is infected & I have to install anti-spyware; at the same time my desktop image changed to text telling me the same thing.
*) I shut down my internet connection at that very moment & disabled the wireless connection of my laptop.
*) I started the Full Scan of Symantec & it found the virus called “”. Symantec deleted this one & asked me to re-start the system.
*) I re-started the system & then for the first time I got the snapshot (shown by jimauer) in this forum before logging in.
*) Now once I was inside, my Task Manager & regEdit were disabled. So I tried to start them using the exe files but got the response “File are infected, install good anti-spyware” (something like this only)
*) Now I went to C:\windows\system32 & looked for the timestamp when my laptop was infected with this virus. I was able to delete a couple of exe’s but for most of the exe’s it says “process is running cannot be deleted”.
*) Now at this moment I shut down my PC as it was late at night & when the next day I tried to start it, the moment I logged in it threw me out with my domain ID & Administrator ID.
Solution for this Issue
Pre-requisites:
*) Logon CD of Windows XP ( depends on what kind of OS you have )
*) Administrator credentials of your laptop
*) Install Malwarebytes & CCleaner on some clean PC & store them on a USB drive
· Follow Part 1 mentioned on the following Microsoft site (http://support.microsoft.com/kb/307545/en-us)
· Once you are finished with Part 1 you will be able to log in to your system in Safe Mode.
o You might need to follow article 309531 to gain access to the System Volume Information folder
· Now start deleting the following:
o Delete folder Internet Security 2010 from Program Files
o Go to C:\windows\system32 & look for the timestamp when the virus attacked your PC & start deleting all the exe’s. In my system most of them were starting with numbers, like 41.exe, 3071.exe. Also delete exe’s like smss32.exe, winlogon86.exe.
o I actually deleted most of them which had 32 or 86 in it.
· Now complete the Part 2, Part 3 & Part 4 of Microsoft site mentioned above.
· Also for Part 4 I actually picked up the Restore point 4 days before this virus infected my laptop
· Once you complete all the steps, log in again in Safe Mode using your Administrator ID. Take note: if you try logging in with any other ID, it will take you to the blank screen with the same desktop image you had before this virus attacked.
· Install Malwarebytes & CCleaner using the USB drive & start scanning your system, & in parallel you can do the following tasks.
· Now is the time to do a lot of manual work (deletion), once you are inside the system. What I noticed was that most of the folders & files, when I right clicked on them & clicked on Security, listed a User ID (I will call him S) which was all numbers (starting with S & ending with 4137).
· Go to your Program Files folder & list your directory in Detail mode & also select to show the Owner detail of these folders. You will find that for most of the folders the Owner is that “S”.
· Sort the folders on the basis of Owner & select all with Owner as “S”. Now right click, go to Security, click on Advanced → Owners. Change the owner to Administrators or any other name which has Administrative rights & don’t forget to click on “Apply to sub-folders & objects”.
· Come back to permissions & try to remove the “S” user ID. In order to apply the same thing to all the sub-folders & objects, click on the option “ Child …..” & de-select the option “ Inherit Permissions …”.
· I did the same thing for all the folders in C:\Windows\system32 & then in all the folders of my laptop. This will actually take hours but worth resolving this issue.
· After all this I went to Scheduled Tasks in Control Panel & found this user ID had actually scheduled some activities. I deleted all of them.
· Now go to the Recovery folder & here I found a recovery bin created by “S” & the name was also the same as “S”. I deleted this one.
Malwarebytes didn’t find anything wrong with the laptop & at the same time I executed a Full scan of Symantec, no threats noticed by this one too.
After all this my laptop is back to working condition & I didn’t lose any data yet. But as this happened on a company laptop, this virus somehow deleted the domains & I am only able to log in with IDs which are created for the laptop only.
Hope the above steps will resolve your issues, I will keep on checking this forum. Let me know in case you have any doubt or need any further information, pls. keep in mind I had Windows XP with SP3.
Many Thanks to everyone who shared their experience here, which actually helped me a lot.
Happy Recovery
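
The timestamp-and-name check on C:\windows\system32 described in the post, as an added example that is not part of the original post. It only lists candidates for review instead of deleting them, because legitimate Windows files such as rundll32.exe and regsvr32.exe also end in 32. The SYSTEM_BINARIES list, the time window and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Core Windows process names that lookalikes imitate (assumed list; the post
# names smss32.exe and winlogon86.exe as examples of such lookalikes).
SYSTEM_BINARIES = {"smss", "winlogon", "csrss", "lsass", "services", "svchost", "explorer"}
NUMERIC_NAME = re.compile(r"^\d+\.exe$", re.IGNORECASE)
LOOKALIKE = re.compile(r"^([a-z]+?)(32|86)\.exe$", re.IGNORECASE)


def triage(directory, start, end):
    """Return {filename: [reasons]} for .exe files modified within [start, end]."""
    findings = {}
    for entry in os.scandir(directory):
        if not entry.is_file() or not entry.name.lower().endswith(".exe"):
            continue
        modified = datetime.fromtimestamp(entry.stat().st_mtime)
        if not (start <= modified <= end):
            continue
        reasons = ["modified in infection window"]
        if NUMERIC_NAME.match(entry.name):
            reasons.append("all-numeric name")
        m = LOOKALIKE.match(entry.name)
        if m and m.group(1).lower() in SYSTEM_BINARIES:
            reasons.append("imitates " + m.group(1).lower() + ".exe")
        findings[entry.name] = reasons
    return findings


def demo():
    """Build a constructed directory and run the triage over it."""
    infected_at = datetime(2010, 1, 15, 21, 30)  # constructed infection time
    old = datetime(2008, 4, 14, 12, 0)           # constructed original install time
    samples = {"41.exe": infected_at, "3071.exe": infected_at,
               "smss32.exe": infected_at, "winlogon86.exe": infected_at,
               "rundll32.exe": old, "regsvr32.exe": old, "notes.txt": infected_at}
    with tempfile.TemporaryDirectory() as d:
        for name, when in samples.items():
            path = os.path.join(d, name)
            open(path, "wb").close()
            os.utime(path, (when.timestamp(), when.timestamp()))
        window = timedelta(hours=2)
        return triage(d, infected_at - window, infected_at + window)


if __name__ == "__main__":
    for name, reasons in sorted(demo().items()):
        print(name, "->", "; ".join(reasons))
```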