Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 08-24-2010, 06:07 AM   #1
Hack&Lube
Atomic Nerd
 
Join Date: Jul 2004
Location: Calgary
WTF is this Malware and What do I do!?

Man, this thing popped up on my XP partition today which I need for some projects and it has me beat! I was surfing internet forums and suddenly avast started going crazy. Then this thing started installing "Antivirus 2010" and put it into my system tray. I think I managed to get rid of that portion of it but now I'm in real trouble.

This screen is what I see on my desktop now. Rife with spelling errors and at the end of the countdown, it shuts down the system so the time needed to run any full length virus scans just isn't there.

I've already tried shutdown -a but somehow this is circumventing that. I'm running shutdown -s -t 50000 to see if an independent shutdown.exe process will somehow keep this thing from shutting down my computer at the end of the countdown.

System restore is disabled, safe mode boots to bluescreen. I can't run Malwarebytes (program will load, scan will not start). I am currently running DoctorWeb in express mode but there isn't enough time to even do an express scan before this thing shuts my system down.

I booted into another partition and ran a scan and found infected explorer.exe (cured) and fake rundll.exe and ntload.exe trojans which I deleted but the problem persists and the fake rundll.exe keeps coming back. Internet is unplugged. My hosts file should be blocking all the sites connected to "Antivirus 2010" now but I think whatever this countdown thing on my desktop is is completely different.

With my luck it will be some stupid Gen3 Rootkit that no scanner can pick up. Does anybody have any idea what this thing is and what I can do?
Old 08-24-2010, 06:23 AM   #2
Rathji
Franchise Player
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl

That looks seriously nasty.

Boot from the Dr Web Live CD, UBCD (or any other Windows PE/Linux Live CD). Should give you the ability to scan to fix or at very least recover files from the drive before DBANing it.

http://www.freedrweb.com/livecd/
http://www.ubcd4win.com/contents.htm
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
Old 08-24-2010, 06:29 AM   #3
Hack&Lube
Atomic Nerd
 
Join Date: Jul 2004
Location: Calgary

I think that this is something new. I've been googling for hours, but the only mention I have seen that sounds like my variant (all solutions are for old variants that seem to be completely different and ineffectual) is from 2 days ago.

http://www.bleepingcomputer.com/forums/topic341961.html

File retrieval is not an issue as I've got another OS on another drive but I really do need to save this particular installation and not just nuke it.

Last edited by Hack&Lube; 08-24-2010 at 06:46 AM.
Old 08-24-2010, 08:26 AM   #4
kdogg
Scoring Winger
 
Join Date: May 2004

Wow. That's nasty. Having just had virus problems myself (rootkits), I would suggest trying to boot off a CD (as suggested by Rathji), then downloading the Kaspersky trial to clean everything up. Worked for me.

Good luck.

PS Avast sucks.

Last edited by kdogg; 08-17-2011 at 04:06 PM.
Old 08-24-2010, 09:09 AM   #5
Frank MetaMusil
RANDOM USER TITLE CHANGE
 
Join Date: Jan 2010
Location: South Calgary

If you've got the disc, do this:

You don't want to install a new OS, so start the repair utility.
Go through the startup sequence and you will eventually get to the C:\windows prompt. Change the directory to system32 (cd \windows\system32). At the C:\windows\system32 prompt type
copy userinit.exe winlogon32.exe

This replaces the missing winlogon32 file with the correct userinit file.
Type EXIT.
After you get the computer restarted you will still need to fix the registry problem (START > RUN > regedit):
HKEY_LOCAL_MACHINE\Software\windowsNT\currentversion\winlogon\
Just click on the winlogon folder and find the file in the window. The winlogon file needs to be set to
userinit=c:\windows\system32\userinit.exe. This will probably show up as userinit=c:\windows\system32\winlogon32.exe.

Last edited by Frank MetaMusil; 08-24-2010 at 09:46 AM.
Old 08-24-2010, 03:09 PM   #6
Hack&Lube
Atomic Nerd
 
Join Date: Jul 2004
Location: Calgary

Quote:
Originally Posted by Frank MetaMusil View Post
If you've got the disc, do this:

You don't want to install a new OS, so start the repair utility.
Go through the startup sequence and you will eventually get to the C:\windows prompt. Change the directory to system32 (cd \windows\system32). At the C:\windows\system32 prompt type
copy userinit.exe winlogon32.exe

This replaces the missing winlogon32 file with the correct userinit file.
Type EXIT.
After you get the computer restarted you will still need to fix the registry problem (START > RUN > regedit):
HKEY_LOCAL_MACHINE\Software\windowsNT\currentversion\winlogon\
Just click on the winlogon folder and find the file in the window. The winlogon file needs to be set to
userinit=c:\windows\system32\userinit.exe. This will probably show up as userinit=c:\windows\system32\winlogon32.exe.
Thanks man, that mostly did the trick! I replaced winlogon86 as well and noticed there were rogue references trying to load ntload.exe with explorer inside the winlogon folder as well.
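Added example (editor's addition, not code from this thread or from any tool mentioned in it): a Python script that checks the two Winlogon values Frank MetaMusil's fix and Hack&Lube's follow-up are about, Userinit and Shell, in a .reg export of the Winlogon key, so the check can be done from the clean partition without running anything on the infected install. The key path used is the standard one, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Assumptions: a stock XP install under C:\WINDOWS (Userinit is "C:\WINDOWS\system32\userinit.exe," with the trailing comma, Shell is "Explorer.exe"); the sample export in the block is constructed to mirror what the thread describes (Userinit pointed at winlogon32.exe, ntload.exe chained onto the shell) and is not taken from the infected machine.

```python
"""Audit a .reg export of the Winlogon key for the tampering described above.

Run from a clean OS against a hive exported from the infected partition
(regedit -> File -> Export on the Winlogon key), so nothing on the infected
install has to execute. Flags a Userinit value that no longer points at
userinit.exe (e.g. a renamed copy such as winlogon32.exe) and any extra
executables appended to the Shell value (e.g. ntload.exe), then emits a
.reg fragment that restores the stock values. The sample export below is
constructed for illustration, not taken from the infected machine.
"""
import re

# Standard location of the Winlogon key.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock Windows XP values (assumed install path C:\WINDOWS; Userinit keeps
# its trailing comma on a clean install).
EXPECTED = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "Shell": "Explorer.exe",
}

# Constructed sample mirroring the thread: Userinit hijacked, ntload.exe
# chained onto the shell. In .reg files a backslash is written as "\\".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\ntload.exe"
"Userinit"="C:\\WINDOWS\\system32\\winlogon32.exe"
"DefaultUserName"="Owner"
"""


def parse_reg(text):
    """Return {key_path: {name: value}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith('"') and raw.endswith('"'):
                # Undo .reg escaping: \\ -> \ and \" -> "
                value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name.strip('"')] = value
    return keys


def split_commands(value):
    """Winlogon values list executables separated by commas and/or spaces."""
    return [p for p in re.split(r"[,\s]+", value) if p]


def audit_winlogon(reg_text):
    """Return findings for Userinit/Shell; an empty list means they look stock."""
    values = parse_reg(reg_text).get(WINLOGON_KEY, {})
    findings = []
    for name, expected in EXPECTED.items():
        actual = values.get(name)
        if actual is None:
            findings.append(f"{name}: missing (expected {expected!r})")
            continue
        want = [w.lower() for w in split_commands(expected)]
        got = [g.lower() for g in split_commands(actual)]
        if got != want:
            # Anything not in the stock list is a lead for what to delete.
            extra = [g for g in split_commands(actual) if g.lower() not in want]
            findings.append(f"{name}: {actual!r}; unexpected entries {extra}")
    return findings


def repair_reg():
    """Emit a .reg fragment restoring the stock values (import with regedit)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{WINLOGON_KEY}]"]
    for name, value in EXPECTED.items():
        # Re-escape backslashes for the .reg format.
        lines.append(f'"{name}"="{value.replace(chr(92), chr(92) * 2)}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_REG) or ["Winlogon values look stock"]:
        print(finding)
    print(repair_reg())
```

To run it on a real export, read the file with encoding="utf-16" (regedit writes .reg files as UTF-16 LE with a BOM) and pass the text to audit_winlogon(). The findings name the files to remove from the partition; importing the output of repair_reg() only fixes the registry values, the rogue winlogon32.exe/winlogon86.exe copies still have to be dealt with as the thread describes.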
Old 08-24-2010, 03:35 PM   #7
Hack&Lube
Atomic Nerd
 
Join Date: Jul 2004
Location: Calgary

Hmm, now I am getting this. Is this normal? The Winlogon32 and Winlogon86s were fake files in the first place right? I just had to overwrite them with userinit?


Last edited by Hack&Lube; 08-24-2010 at 03:37 PM.
Old 08-24-2010, 09:58 PM   #8
algernon
Lifetime Suspension
 
Join Date: Apr 2006
Location: Removed by Mod

Which Forums?

Oh. and why don't you ever use the Thanks button in your threads pleading for help?
Old 08-24-2010, 10:21 PM   #9
I-Hate-Hulse
Franchise Player
 
Join Date: Jul 2003
Location: Sector 7-G

Quote:
Originally Posted by algernon View Post
Which Forums?

Oh. and why don't you ever use the Thanks button in your threads pleading for help?
Probably because he said "Thanks" the old-fashioned way, by typing thanks. He even put in an exclamation point for good measure. Try that with your button.

On a side note, despite Oilkiller's great work in testing antivirus software, given this and other user commentary, I'm questioning the continuing use of Avast on my systems....
Old 08-24-2010, 10:32 PM   #10
Azure
Had an idea!
 
Join Date: Oct 2005

Download Rkill...

http://www.technibble.com/rkill-repa...l-of-the-week/

And run Malwarebytes. I've had the same problem on different computers and this seems to do the trick.
Old 08-25-2010, 09:57 AM   #11
Vulcan
Franchise Player
 
Join Date: Dec 2003
Location: Sunshine Coast

As an aside, has anybody ever been saved from a virus infection by Windows 7 UAC? I turned that sucker off when it put me through a song and dance every time I opened any new application. It even did it with Firefox.
Old 08-25-2010, 10:11 AM   #12
Azure
Had an idea!
 
Join Date: Oct 2005

Never.

But I have been saved by Microsoft Security Essentials a LOT.
Old 08-25-2010, 10:16 AM   #13
Frank MetaMusil
RANDOM USER TITLE CHANGE
 
Join Date: Jan 2010
Location: South Calgary

Quote:
Originally Posted by Hack&Lube View Post
Hmm, now I am getting this. Is this normal? The Winlogon32 and Winlogon86s were fake files in the first place right? I just had to overwrite them with userinit?
Yes, that's correct.
Old 08-25-2010, 10:16 AM   #14
Bobblehead
Franchise Player
 
Join Date: Jul 2005
Location: in your blind spot.

Quote:
Originally Posted by Vulcan View Post
As an aside, has anybody ever been saved from a virus infection by Windows 7 UAC. I turned that sucker off, when it put me through a song and dance every time I opened any new application. It even did it with Firefox.
If XP had a UAC then perhaps H&L may not have been infected by this, it would not have been able to change those files without the alert popping up.

That warning SHOULD come up every time you update. It is supposed to activate when anything tries to update files in system folders, registry or "Program Files". No recent programs should ever be regularly updating anything in those places. If it is a legacy program then perhaps that may happen, but then if you trust it you can just give that app Administrator privileges and you won't be bothered.

And if your Firefox is asking for admin privileges every time it starts I would check out your plug ins and add ons. The only time Firefox ever bugs me is for upgrades to the browser itself.
__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinatti
Old 08-25-2010, 11:33 AM   #15
FanIn80
GOAT!
 
Join Date: Jun 2006

Yeah, I can't think of any valid reason for Firefox to be requesting Admin rights. Sounds like there's a bucket of fish in that orthodontist appointment, if you know what I mean.
Old 08-25-2010, 04:21 PM   #16
Vulcan
Franchise Player
 
Join Date: Dec 2003
Location: Sunshine Coast

Quote:
Originally Posted by Bobblehead View Post
If XP had a UAC then perhaps H&L may not have been infected by this, it would not have been able to change those files without the alert popping up.

That warning SHOULD come up every time you update. It is supposed to activate when anything tries to update files in system folders, registry or "Program Files". No recent programs should ever be regularly updating anything in those places. If it is a legacy program then perhaps that may happen, but then if you trust it you can just give that app Administrator privileges and you won't be bothered.

And if your Firefox is asking for admin privileges every time it starts I would check out your plug ins and add ons. The only time Firefox ever bugs me is for upgrades to the browser itself.
Nah, I shut off all my plug ins and add ons and it still required UAC permission every time I opened Firefox. This only happened on 64 bit and it did the same on my laptop (64 bit also) but not on my 32 bit computer. Searching the net there were others with the same problem and I went to the Firefox forum but there was no solution, although the last Firefox version seems to have fixed it.

When I had UAC on, I still got a virus although it was my own stupidity and lack of sleep, by not logging off instead of trying to close a suspicious pop up. MSE cleaned it up right away though.
Old 08-25-2010, 04:24 PM   #17
Bobblehead
Franchise Player
 
Join Date: Jul 2005
Location: in your blind spot.

I'm on 64 bit home and work and have never encountered this issue with Firefox and UAC and not on 32 bit Vista, either.
Old 08-25-2010, 04:30 PM   #18
Vulcan
Franchise Player
 
Join Date: Dec 2003
Location: Sunshine Coast

Quote:
Originally Posted by FanIn80 View Post
Yeah, I can't think of any valid reason for Firefox to be requesting Admin rights. Sounds like there's a bucket of fish in that orthodontist appointment, if you know what I mean.
What's this supposed to mean?
Old 08-25-2010, 04:38 PM   #19
Vulcan
Franchise Player
 
Join Date: Dec 2003
Location: Sunshine Coast

Quote:
Originally Posted by Bobblehead View Post
I'm on 64 bit home and work and have never encountered this issue with Firefox and UAC and not on 32 bit Vista, either.
I'm not saying it was common but it did affect a number of computers. It probably was one of my add ons since I use the same ones on all of my computers, but turning them off didn't seem to solve the problem.

http://forums-test.mozillazine.org/v...573024&start=0

http://support.mozilla.com/tiki-view...4262&forumId=1

http://support.mozilla.com/tiki-view...1417&forumId=1
Old 08-25-2010, 05:31 PM   #20
FanIn80
GOAT!
 
Join Date: Jun 2006

Quote:
Originally Posted by Vulcan View Post
What's this supposed to mean?
Well... I imagine that if my PC started asking for Admin rights when I launched a web browser, I'd probably have the same reaction as I would if someone handed me a bucket of fish when I went to an orthodontist appointment.