GeekPolice

 


Official Intrusion Detection System
A warning box pops up saying

"Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information and PC saftey is at risk. To get rid of unwanted spyware and keep your computare safe you need update your current security software. Click OK to download official intrusion detection system (IDS software)"

On everything I've Googled, the message has come up different from mine. Mine says "You private information and PC saftey is at risk," whereas everyone else's says "Your private information and PC safety is at risk."

It has changed my background to "Your system is infected"

It has disabled the Windows Task Manager (ctrl-alt-del), regedit.exe, and most other Windows diagnostics I tried. I ran Norton Antivirus and it did not find a problem. I ran Spybot S&D and it found it. I ran Spybot S&D a second time and it deleted all but 2 entries that were in memory. Spybot called for a restart to finish cleaning the entries. After the restart, I cannot log on. It will go as far as showing my desktop wallpaper and "click" when the audio drivers load, then immediately says "logging off" and "saving your settings." I cannot sign into Safe Mode of any kind, "a previous good setting", or anything else, but to a command line in the Recovery Console.

I ran "chkdsk C: /r " in the Recovery Console. It found and fixed one problem, but did not help my boot problem. What next? I would rather donate here than pay a tech in town. Unplugging the box is no fun! Forgive me for posting in the wrong place. I am new to the site and am still learning your rules. They are different from other forums I have used.

Thanks,

Tony

Re: Official Intrusion Detection System
Let's try using a boot disc.

Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore.

  • Download The Avira AntiVir Rescue System from Antivir.de.
  • Just double-click on the rescue system package to burn it to a CD/DVD.
  • Then please use that CD/DVD with Avira Rescue System to boot your computer.
You'll get a boot option to either boot from hard drive or AntiVir Rescue System.

Press the number 2 on your keyboard to boot into AntiVir Rescue System.

Please wait until drivers are loaded and Main menu shows. Then please select the second option “Scan your system with AntiVir” and hit Enter.

Under Configuration, please select Scan all files, Try to repair infected files and Rename files if they cannot be removed?.

Then please start the scan.

The Avira AntiVir Rescue System will now:

  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.

Re: Official Intrusion Detection System
I downloaded Avira and made the CD. I had trouble booting to my first CD/DVD and finally was able to boot from my second CD/DVD. The first menu was different:

(ver. 3.6.9 - 20090527143502)

Boot Options:
1. Boot AntiVir Rescue System (default)
2. Boot from first Hard Drive

Advanced users only
3. Boot AntiVir Rescue System (800x600 16) VGA 788
4. Boot AntiVir Rescue System (1024x768 16) VGA 791
5. Boot AntiVir Rescue System VGA =ask



Then shows Linux guy

Then shows:

Avira AntiVir Rescue System
-----------------------------------

Press Alt-F7 to return to the graphical user interface

root@RescueSystem: /#



The graphical interface never loads. I tried all options except boot from first hard drive.

I am going to try to burn another disk. What next?

I have a HP Pavilion a610e with Norton and Spybot S&D.

Last edited by TonyRoebuck on 18th January 2010, 12:13 pm; edited 1 time in total (Reason for editing : Added Computer Info)

Re: Official Intrusion Detection System
I have tried every way to make and run the Avira boot CD, even the exe and iso from their website. I am trying to be patient, but need the computer. The CD will not boot the graphical interface, just the command line. I can access Midnight Commander. Both these options are useless to me because I know DOS commands, but do not know Linux commands.

I am going external to try to fix my HD. I only have one NTFS desktop computer, so slaving it will not work. I am going to use my XP laptop. It has some RAM issues (physical problems), but is usually stable.

Do you have any software recommendations? I will try to use Spybot S&D first, since it has found it once. It took a while, but I found a post that told how to get Spybot S&D to scan a drive other than C:. I hope it works.

Re: Official Intrusion Detection System
No problems with that, it's worth a shot, eh?

Re: Official Intrusion Detection System
Still working. I'm able to access the drive. Data is still there!! I have copied all our "critical" files (I think) onto another drive. I was able to access Spybot's log files. The offending entity is called Supsav.Smss32. Spybot removed all but the registry entry under: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run". I found a file in the Windows\Prefetch folder that pointed to smss32.exe. I deleted it and then accessed the external drive's Windows registry to remove the "...\Run" entry. It was gone.

I put the drive back in and it still will not boot... same problem. I am running a-squared Free 4.5 now in hopes of removing anything Spybot missed. I almost gave up and installed XP onto another clean drive from my brother-in-law. New problem... I have no install disks (none included with the original packaging and manuals). My restore files are on a partition on the non-bootable drive! Genius!!

Is there a way to make a bootable "install" DVD with the contents of that drive?

While a-squared was running, I found an XP Recovery Disk I made, put in a drawer, and forgot about (2004). I will try to boot into it when I finish this scan. Maybe it will work.

Still looking for ideas.

Re: Official Intrusion Detection System
Give the recovery disc a shot too then, it's the userinit key that has been modified within the registry.

Re: Official Intrusion Detection System
The Recovery disk was worthless, unless you know the NT commands, or want to do a re-install. After more Google, I found it on a 2006 post!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : Userinit was set to C:\Windows\system32\winlogon32.exe and it should be set to C:\Windows\system32\userinit.exe.

I now am up and running!! The only remaining problem I have found (so far) is from where the virus changed my desktop wallpaper to its green "Your System is Infected" image. The image is gone and the controls for my wallpaper are grayed-out and inaccessible. I just have the capability to change colors. It must be in the registry somewhere too. Any ideas where?

I ran an updated Spybot S&D and removed a few "stat counters" and am running Norton AV Full scan. Do I need to reset the System Restore Point, or anything else that might have a copy of a bad setting? If so, how?

Thanks! My wife is happy to be able to blog again.
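The Userinit check from the post above, as an added example that is not part of the original thread: it parses a regedit text export and flags a Winlogon `Userinit` value that points anywhere other than the path the post gives, then lists the `Run` entries for review. The function names and the sample export are constructed for illustration, and Windows is assumed to be installed at `C:\Windows` as in the post.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"  # correct value as given in the post

# Constructed sample export in regedit's .reg text format (not data from the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\winlogon32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
'''

# "name"="data" lines; backslashes and quotes are backslash-escaped in .reg files.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = data
    return keys

def check_userinit(keys):
    """Return (ok, entries); ok only if every comma-separated entry is the expected binary."""
    values = keys.get(WINLOGON.lower(), {})
    raw = next((v for k, v in values.items() if k.lower() == "userinit"), "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    ok = bool(entries) and all(e.lower() == EXPECTED_USERINIT.lower() for e in entries)
    return ok, entries

def run_entries(keys):
    """Return the (name, command) pairs under the Run key, sorted by name."""
    return sorted(keys.get(RUN.lower(), {}).items())

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    ok, entries = check_userinit(parsed)
    print("Userinit OK" if ok else f"Userinit MODIFIED: {entries}")
    for name, data in run_entries(parsed):
        print(f"Run entry to review: {name} = {data}")
```

Files exported by regedit in the "Version 5.00" format are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `parse_reg`.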

Re: Official Intrusion Detection System
Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: Official Intrusion Detection System
Thanks. I am downloading now. I found a fix for the wallpaper issue after my post. It worked just as the 2006 forum said. In case someone else needs it, it is found at:

http://www.thespykiller.co.uk/downloads/cleandesktop.exe

I will get to work on MBAM after I finish work.

One question:

I have WildTangent programs (games) installed on the computer for my kids. They always show a false positive. If you remove it, my kids' games do not work. Also, there is a false positive for one of my wife's Broderbund software, Print Shop Deluxe. I also cannot remove it without damage to the program. If they show up in MBAM, what do I do... and will it affect the results you need?

Re: Official Intrusion Detection System
Doubt MBAM will detect those because the MBAM team knows of the false positive in WildTangent and leaves it, and I highly doubt the printer one will show up, but if it does, we'll restore it.

Re: Official Intrusion Detection System
Sorry about the delay. I had an emergency and had to stop restoration of the computer for a while. I will try when I finish work tonight.

Re: Official Intrusion Detection System
Okay, standing by.
