
PC World Forums: AntivirusPlus Program 'found' on my computer this a.m. - PC World Forums


AntivirusPlus Program 'found' on my computer this a.m.

#1 User is offline   WindyOne7 Icon

  • Member
  • Group: Members
  • Posts: 18
  • Joined: 29-May 09

Posted 29 May 2009 - 02:29 PM

Hello. This morning when I fired up my computer I had a new program installed that I've never seen or heard of before called 'Antivirus Plus'. I have not downloaded anything for quite a while, and am certain that I didn't (knowingly) download this program. It popped up 4 screens at startup that showed that it was scanning my hard drive, that it had found 32 viruses that had infected my machine, that this was only an unregistered version and that I should register (and pay $99.00) so it could erase and clean the infected files.

I tried to close all of the windows but they kept popping up every 10 minutes or so. I also tried to delete the program from my hard drive using 'add-delete programs' in Control Panel, but I could not find any sign of the program. I then tried to use the 'System Restore' to restore my computer to an earlier time (about two weeks ago) but when it started shutting down, I got this message "Stop: c000021a {Fatal System Error} The Windows Logon Process system process terminated unexpectedly with a status of =0x00000000 (0x00000000 0x00000000). The system has been shut down."

I'm at a loss. I have these screens popping up every 10 minutes or so all day long while I'm trying to work... very frustrating.



Thanks for your reply.
0

#2 User is offline   Flashorn Icon

  • Expert
  • Group: Members
  • Posts: 2,848
  • Joined: 19-May 07
  • Location:Canada

Posted 29 May 2009 - 03:15 PM

Hey Windy !!

Welcome to PCWorld Community !

Well, I hope you can still connect to the internet because some of those Scareware will disable your ability to visit or even download security programs. Download the FREE versions of these apps.

Let's start with Malwarebytes' Anti-Malware . (click on the blue words) Please download from this link and install. Once installed, make absolutely sure to Up-Date the definitions by going to the Update tab from the top of the security app. Now that we know you have Plus, we will do a FULL scan of your PC. This might take a while so, be patient.

The second security application I would like you to run is : SUPERAntiSpyware . (click on the blue words) Again, download from the link provided and install. Make sure you also Up-Date the definitions Before you start a FULL scan of your HDD. This too, will take some time.

The last one is a Standalone Antivirus and does not require an install. You only have to double click on the .exe and click on the Start in the ensuing pop-up. This will start the scan automatically. Dr.WebCureIt . scroll down to bottom of page for the download link.

Once you have finished with the scans. If you could, go to the LOGS tabs in Both of the first scanners and Copy and Paste the results of those scans in your next post.

After all the scans are done, you will need to Clean out the temps files left behind by the installation of the Rogue and the malware scanners. Please download and run (no install) this cleaner: ATF Cleaner by Atribune .This page will explain. that it is recommended for 2000 / XP but, is in fact also recommended for Vista :

Direct Download : Please download ATF Cleaner by Atribune.

Don't forget to Copy and Paste the results from the logs of both first scanners.
FLASHORN.
0

#3 User is offline   mjd420nova Icon

  • Expert
  • Group: Members
  • Posts: 1,519
  • Joined: 05-August 06
  • Location:Fremont, California

Posted 29 May 2009 - 03:35 PM

I sure wish I or someone could backtrack this nasty piece of scareware and the web site that contains the hidden files that get downloaded to install it. It seems to be a tough one to clean out and doing a wipe and backup has been the only way I've found to get rid of it. None of the previously mentioned anti-virus web sites were successful in identifying it or getting rid of it. The worm or trojan that gets installed has been pretty good at hiding itself and thwarting attempts to clean it out. Please let us all know what your results are and if you can figure out from where it was inflicted.
0

#4 User is offline   Grr8008 Icon

  • Advanced Member
  • Group: Members
  • Posts: 436
  • Joined: 11-August 08

Posted 29 May 2009 - 03:40 PM

Hi! Definitely run Malwarebytes. Here is another good one: http://www.pcworld.c...nloads/file/fid,22262-order,4/description.html There are a lot of imposters on the web so don't google search these. If you can, then go through the PcWorld download center. Also if you want a free Anti virus then Avast is a good choice: http://www.avast.com/ These are great programs that are highly recommended. Trust me when I say that google search and download Avast without a site checker and you are in for the same kind of viruses you are trying to prevent. Oh and if you find what it is, post it so I can find the definition for future reference.
0

#5 User is offline   WindyOne7 Icon

  • Member
  • Group: Members
  • Posts: 18
  • Joined: 29-May 09

Posted 29 May 2009 - 05:39 PM

Flashorn,



Thanks a lot for your reply. I'm working on it as I speak (type). I apologize for being so green, but allow me these follow-up questions re your response.

I've downloaded, installed, updated and did a full scan on my machine as you suggested using Malwarebytes' Anti-Malware. It found 31 infected files. Should I deal with these files ('remove selected') with this program now before I go on to the next scan that you listed, or do you want me to scan with both programs before I take any action?

Thanks again.
0

#6 User is offline   Grr8008 Icon

  • Advanced Member
  • Group: Members
  • Posts: 436
  • Joined: 11-August 08

Posted 29 May 2009 - 05:56 PM

I would remove now and then go on. After all, it can't hurt and you will probably then have a faster scan next time. Plus the longer you leave it the more time it has to infect your system!
0

#7 User is offline   WindyOne7 Icon

  • Member
  • Group: Members
  • Posts: 18
  • Joined: 29-May 09

Posted 29 May 2009 - 06:05 PM

Thanks, I will do so.
0

#8 User is offline   Grr8008 Icon

  • Advanced Member
  • Group: Members
  • Posts: 436
  • Joined: 11-August 08

Posted 29 May 2009 - 06:07 PM

Good luck and good luck on the next scan!
0

#9 User is offline   Flashorn Icon

  • Expert
  • Group: Members
  • Posts: 2,848
  • Joined: 19-May 07
  • Location:Canada

Posted 29 May 2009 - 06:16 PM

Hey Windy !!

Please go ahead and Remove Selected with MalwareBytes as soon as it finds any infected files. Now, MalwareBytes Might ask to Re-Boot so it can Delete (remove) the most infected files. Re-Booting will permit MalwareBytes to See those files better since they are Not in use. (no hooks).

You can now do the Same with both of the other scanners I have mentioned. Start with SUPERAntiSpyware and finish with Dr.WebCureIt. Once finished with the scans, you should do a Clean Up with the ATF Cleaner. Simply click on the link to download and the .exe will appear in this page for you to download.

Please, don't forget to post the Resulting Logs from Both MalwareBytes' and SUPERAntiSpyware.

If you are not certain of a procedure, do exactly as you have done this time, that is, ask before you act.

FLASHORN.
0

#10 User is offline   WindyOne7 Icon

  • Member
  • Group: Members
  • Posts: 18
  • Joined: 29-May 09

Posted 29 May 2009 - 08:37 PM

Well, it appears that I'm not doing well. I did as you suggested then restarted the computer when prompted and immediately got a message in red bold 72 pt type saying "Warning Your computer is infected with spyware" and a balloon message "Warning: application cannot be executed. The file DLACTRLW.EXE is infected. Please activate your antivirus software". I assumed that these messages were bogus, like the original messages were, so I just closed them. Then after starting IE (my icons were visible in the background) I got back to your message and starting to download and run SUPERAntiSpyware, it wouldn't run. Then an error message on a blue 'DOS-looking' screen that said something like the error message I got before but a lot longer... "Fatal Errors" and "System Shut Down" and "a process or thread crucial to system operation has unexpectedly exited or been terminated" etc., and it was frozen on that screen, so I restarted again (power off and then on) and went back to IE ...couldn't stop this cycle again and again.... "Security Monitor:Warning" of a TrojanSPM/LX and click yes to download official IDS software (which I did not do) then a firewall alert about a file that is trying to access the internet with a worm Lsas...



Fortunately, I have 2 computers (not connected by a network) so as one is acting like this, the other I am using to contact you.



Any hope?
0

#11 User is offline   smax013 Icon

  • Moderator
  • Group: Moderators
  • Posts: 9,124
  • Joined: 28-January 07
  • Location:Southeast Michigan

Posted 29 May 2009 - 09:26 PM

I would suggest trying to run some of these scans in Safe Mode.
0

#12 User is offline   WindyOne7 Icon

  • Member
  • Group: Members
  • Posts: 18
  • Joined: 29-May 09

Posted 29 May 2009 - 10:57 PM

smax013,



Thank you and bless you for your response. I believe my problems are solved. By your suggestion of starting in safe mode, I received a message that said "you can start in safe mode or click 'no' and use system restore..." There it was...I used system restore (which would not work this morning after being infected but only crashed repeatedly) and restored my computer to a month ago and everything seems as before, with no error messages or anything out of the ordinary! I'll run the Anti-Malware program to see if it finds anything, but the way it's looking now, everything's alright.



Whew...What a day!



Thanks again!!!
0

#13 User is offline   Flashorn Icon

  • Expert
  • Group: Members
  • Posts: 2,848
  • Joined: 19-May 07
  • Location:Canada

Posted 29 May 2009 - 11:12 PM

Hey Windy !!

I guess smax got to you first. This was to be my next suggestion but, since you already have it done, I am glad that all is back to normal. I would still run the scans in Safe Mode even though you were able to Restore to an earlier date. Once the scans are finished please Clean Out the Temps Files with the ATF Cleaner I have posted earlier. If you have any other problems, we will be happy to help.

FLASHORN.
0

#14 User is offline   Grr8008 Icon

  • Advanced Member
  • Group: Members
  • Posts: 436
  • Joined: 11-August 08

Posted 30 May 2009 - 06:30 AM

You didn't happen to get the name of the virus before you got rid of it did you?
0

#15 User is offline   coastie65 Icon

  • Moderator
  • Group: Moderators
  • Posts: 10,338
  • Joined: 02-April 07
  • Location:Richmond Va.

Posted 30 May 2009 - 11:18 AM

Hey Grr8008, Here's something for you seeing as how windy listed the name of the thing : www.auditmypc.com/process/lsas.asp Not a very nice thing. coastie
0

#16 User is offline   WindyOne7 Icon

  • Member
  • Group: Members
  • Posts: 18
  • Joined: 29-May 09

Posted 30 May 2009 - 11:37 AM

"No, officer, I didn't get the license number of the truck that ran me over!" :-)

I was so relieved that it was possibly over that I never looked back...kind of like running from a guy with a gun...he stops chasing you after a block or so, but you keep running for miles!
0

#17 User is offline   coastie65 Icon

  • Moderator
  • Group: Moderators
  • Posts: 10,338
  • Joined: 02-April 07
  • Location:Richmond Va.

Posted 30 May 2009 - 12:07 PM

Hey Windy, believe it or not you did. When you posted " Worm Lsas". That thing is nasty and I put in a link to some facts on it, for those who may wish to check it out. So you did good. coastie
0

#18 User is offline   Grr8008 Icon

  • Advanced Member
  • Group: Members
  • Posts: 436
  • Joined: 11-August 08

Posted 01 June 2009 - 12:57 PM

You might also find more info here. http://www.symantec....5903-99&tabid=1 Windy, this might help you find out where it got in.
0
