08-24-2010, 06:07 AM, #1
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
WTF is this Malware and What do I do!?
Man, this thing popped up on my XP partition today which I need for some projects and it has me beat! I was surfing internet forums and suddenly avast started going crazy. Then this thing started installing "Antivirus 2010" and put it into my system tray. I think I managed to get rid of that portion of it but now I'm in real trouble.
This screen is what I see on my desktop now. Rife with spelling errors and at the end of the countdown, it shuts down the system so the time needed to run any full length virus scans just isn't there.
I've already tried shutdown -a but somehow this is circumventing that. I'm running shutdown -s -t 50000 to see if an independent shutdown.exe process will somehow keep this thing from shutting down my computer at the end of the countdown.
System restore is disabled, safe mode boots to bluescreen. I can't run Malwarebytes (program will load, scan will not start). I am currently running DoctorWeb in express mode but there isn't enough time to even do an express scan before this thing shuts my system down.
I booted into another partition and ran a scan and found infected explorer.exe (cured) and fake rundll.exe and ntload.exe trojans which I deleted but the problem persists and the fake rundll.exe keeps coming back. Internet is unplugged. My hosts file should be blocking all the sites connected to "Antivirus 2010" now but I think whatever this countdown thing on my desktop is is completely different.
With my luck it will be some stupid Gen3 Rootkit that no scanner can pick up. Does anybody have any idea what this thing is and what I can do?
08-24-2010, 06:23 AM, #2
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
That looks seriously nasty.
Boot from the Dr Web Live CD, UBCD (or any other Windows PE/Linux Live CD). Should give you the ability to scan to fix or at very least recover files from the drive before DBANing it.
http://www.freedrweb.com/livecd/
http://www.ubcd4win.com/contents.htm
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
08-24-2010, 06:29 AM, #3
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
I think that this is something new. I've been googling for hours, but the only mention I have seen that sounds like my variant (all solutions are for old variants that seem to be completely different and ineffectual) is from 2 days ago.
http://www.bleepingcomputer.com/forums/topic341961.html
File retrieval is not an issue as I've got another OS on another drive but I really do need to save this particular installation and not just nuke it.
Last edited by Hack&Lube; 08-24-2010 at 06:46 AM.
08-24-2010, 08:26 AM, #4
Scoring Winger
Wow. That's nasty. As I'm just having virus problems myself (rootkits), I would suggest trying to boot off of a CD (as suggested by Rathji), then downloading the Kaspersky trial to clean everything up. Worked for me.
Good luck.
PS Avast sucks.
Last edited by kdogg; 08-17-2011 at 04:06 PM.
08-24-2010, 09:09 AM, #5
RANDOM USER TITLE CHANGE
Join Date: Jan 2010
Location: South Calgary
If you've got the disc, do this:
You don't want to install a new OS, so start the repair utility.
Go through the startup sequence and you will eventually get to the C:\windows prompt. Change the directory to system32 (cd \windows\system32). At the C:\windows\system32 prompt type
copy userinit.exe winlogon32.exe.
This replaces the missing winlogon32 file with the correct userinit file.
type EXIT
After you get the computer restarted you will still need to fix the registry problem (START RUN Regedit)
HKEY_LOCAL_MACHINE\Software\windowsNT\currentversion\winlogon\
Just click on the winlogon folder and find the file in the window. The winlogon file needs to be set to
userinit=c:\windows\system32\userinit.exe. This will probably show up as userinit=c:\windows\system32\winlogon32.exe.
Last edited by Frank MetaMusil; 08-24-2010 at 09:46 AM.
08-24-2010, 03:09 PM, #6
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
Quote:
Originally Posted by Frank MetaMusil
If you've got the disc, do this:
You don't want to install a new OS, so start the repair utility.
Go through the startup sequence and you will eventually get to the C:\windows prompt. Change the directory to system32 (cd \windows\system32). At the C:\windows\system32 prompt type
copy userinit.exe winlogon32.exe.
This replaces the missing winlogon32 file with the correct userinit file.
type EXIT
After you get the computer restarted you will still need to fix the registry problem (START RUN Regedit)
HKEY_LOCAL_MACHINE\Software\windowsNT\currentversion\winlogon\
Just click on the winlogon folder and find the file in the window. The winlogon file needs to be set to
userinit=c:\windows\system32\userinit.exe. This will probably show up as userinit=c:\windows\system32\winlogon32.exe.
Thanks man, that mostly did the trick! I replaced winlogon86 as well and noticed there were rogue references trying to load ntload.exe with explorer inside the winlogon folder as well.
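A defender-side check for the Winlogon tampering worked through in posts #5 and #6, added here as an example and not something posted in the thread: it reads the Userinit and Shell values under the actual Winlogon key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), flags any extra logon entries such as winlogon32.exe or ntload.exe, and reports leftover fake binaries in system32. It assumes an elevated PowerShell prompt on the affected install; the expected values are the stock defaults and the suspicious file names are the ones named in this thread.

```powershell
# Added example (not from the thread): audit, and optionally repair, the Winlogon
# values the fake AV in this thread tampered with. Assumes an elevated PowerShell
# prompt on the affected Windows install (XP needs PowerShell 2.0 installed).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$System32    = Join-Path $env:SystemRoot 'system32'

# Stock defaults; the trailing comma on Userinit is normal.
$Expected = @{
    Userinit = (Join-Path $System32 'userinit.exe') + ','
    Shell    = 'explorer.exe'
}

function Test-WinlogonValues {
    param([switch]$Repair)
    $props = Get-ItemProperty -Path $WinlogonKey
    foreach ($name in $Expected.Keys) {
        $actual   = [string]$props.$name
        $expected = $Expected[$name]
        # Compare case-insensitively, ignoring a trailing separator.
        if ($actual.TrimEnd(',') -ine $expected.TrimEnd(',')) {
            Write-Warning "$name is '$actual' (expected '$expected')"
            # Every comma-separated entry is launched at logon; list the extras.
            $actual -split ',' |
                Where-Object { $_ -and ($_ -ine $expected.TrimEnd(',')) } |
                ForEach-Object { Write-Warning "  extra logon entry: $_" }
            if ($Repair) {
                Set-ItemProperty -Path $WinlogonKey -Name $name -Value $expected
                Write-Host "$name reset to '$expected'"
            }
        } else {
            Write-Host "$name OK: $actual"
        }
    }
    # The thread's infection dropped fake winlogon32/winlogon86/ntload binaries;
    # report any leftovers in system32, and a missing userinit.exe.
    foreach ($f in 'winlogon32.exe', 'winlogon86.exe', 'ntload.exe') {
        if (Test-Path (Join-Path $System32 $f)) { Write-Warning "suspicious file present: $f" }
    }
    if (-not (Test-Path (Join-Path $System32 'userinit.exe'))) {
        Write-Warning 'userinit.exe is missing; restore it from install media or a clean copy'
    }
}

Test-WinlogonValues            # audit only
# Test-WinlogonValues -Repair  # reset Userinit/Shell to the stock values
```

Run the audit first from a clean boot environment or after the fake binaries have been removed; otherwise the malware can rewrite the values again after the repair.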
08-24-2010, 03:35 PM, #7
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
Hmm, now I am getting this. Is this normal? The Winlogon32 and Winlogon86s were fake files in the first place right? I just had to overwrite them with userinit?
Last edited by Hack&Lube; 08-24-2010 at 03:37 PM.
08-24-2010, 09:58 PM, #8
Lifetime Suspension
Join Date: Apr 2006
Location: Removed by Mod
Which Forums?
Oh, and why don't you ever use the Thanks button in your threads pleading for help?
08-24-2010, 10:21 PM, #9
Franchise Player
Join Date: Jul 2003
Location: Sector 7-G
Quote:
Originally Posted by algernon
Which Forums?
Oh, and why don't you ever use the Thanks button in your threads pleading for help?
Probably because he said "Thanks" the old-fashioned way, by typing thanks. He even put in an exclamation point for good measure. Try that with your button.
On a side note, despite Oilkiller's great work in testing antivirus software, given this and other user commentary, I'm questioning the continuing use of Avast on my systems...
08-25-2010, 09:57 AM, #11
Franchise Player
Join Date: Dec 2003
Location: Sunshine Coast
As an aside, has anybody ever been saved from a virus infection by Windows 7 UAC? I turned that sucker off when it put me through a song and dance every time I opened any new application. It even did it with Firefox.
08-25-2010, 10:11 AM, #12
Had an idea!
Never.
But I have been saved by Microsoft Security Essentials a LOT.
08-25-2010, 10:16 AM, #13
RANDOM USER TITLE CHANGE
Join Date: Jan 2010
Location: South Calgary
Quote:
Originally Posted by Hack&Lube
Hmm, now I am getting this. Is this normal? The Winlogon32 and Winlogon86s were fake files in the first place right? I just had to overwrite them with userinit?
Yes, that's correct.
08-25-2010, 10:16 AM, #14
Franchise Player
Join Date: Jul 2005
Location: in your blind spot.
Quote:
Originally Posted by Vulcan
As an aside, has anybody ever been saved from a virus infection by Windows 7 UAC? I turned that sucker off when it put me through a song and dance every time I opened any new application. It even did it with Firefox.
If XP had a UAC then perhaps H&L may not have been infected by this; it would not have been able to change those files without the alert popping up.
That warning SHOULD come up every time you update. It is supposed to activate when anything tries to update files in system folders, the registry or "Program Files". No recent programs should ever be regularly updating anything in those places. If it is a legacy program then perhaps that may happen, but then if you trust it you can just give that app Administrator privileges and you won't be bothered.
And if your Firefox is asking for admin privileges every time it starts, I would check out your plug-ins and add-ons. The only time Firefox ever bugs me is for upgrades to the browser itself.
__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinnati
08-25-2010, 11:33 AM, #15
GOAT!
Yeah, I can't think of any valid reason for Firefox to be requesting Admin rights. Sounds like there's a bucket of fish in that orthodontist appointment, if you know what I mean.
08-25-2010, 04:21 PM, #16
Franchise Player
Join Date: Dec 2003
Location: Sunshine Coast
Quote:
Originally Posted by Bobblehead
If XP had a UAC then perhaps H&L may not have been infected by this; it would not have been able to change those files without the alert popping up.
That warning SHOULD come up every time you update. It is supposed to activate when anything tries to update files in system folders, the registry or "Program Files". No recent programs should ever be regularly updating anything in those places. If it is a legacy program then perhaps that may happen, but then if you trust it you can just give that app Administrator privileges and you won't be bothered.
And if your Firefox is asking for admin privileges every time it starts, I would check out your plug-ins and add-ons. The only time Firefox ever bugs me is for upgrades to the browser itself.
Nah, I shut off all my plug-ins and add-ons and it still required UAC permission every time I opened Firefox. This only happened on 64-bit, and it did the same on my laptop (64-bit also) but not on my 32-bit computer. Searching the net, there were others with the same problem, and I went to the Firefox forum but there was no solution, although the last Firefox version seems to have fixed it.
When I had UAC on, I still got a virus although it was my own stupidity and lack of sleep, by not logging off instead of trying to close a suspicious pop up. MSE cleaned it up right away though.
08-25-2010, 04:24 PM, #17
Franchise Player
Join Date: Jul 2005
Location: in your blind spot.
I'm on 64-bit at home and work and have never encountered this issue with Firefox and UAC, and not on 32-bit Vista either.
08-25-2010, 04:30 PM, #18
Franchise Player
Join Date: Dec 2003
Location: Sunshine Coast
Quote:
Originally Posted by FanIn80
Yeah, I can't think of any valid reason for Firefox to be requesting Admin rights. Sounds like there's a bucket of fish in that orthodontist appointment, if you know what I mean.
What's this supposed to mean?
08-25-2010, 05:31 PM, #20
GOAT!
Quote:
Originally Posted by Vulcan
What's this supposed to mean?
Well... I imagine that if my PC started asking for Admin rights when I launched a web browser, I'd probably have the same reaction as I would if someone handed me a bucket of fish when I went to an orthodontist appointment.