New Antivirus 2010 Variant? Countdown Timer can't be Aborted!


4 replies to this topic

#1 Spare-Flair

Posted 24 August 2010 - 07:42 AM

I consider myself a fairly expert user, and I think this is something that is very new, as all the old removal or diagnostic instructions for Antivirus 2010 have no effect.

This thing popped up on my XP partition today, which I need for some projects, and it has me beat! I was surfing internet forums and suddenly avast started going crazy telling me I had several incursions (I was reading HardOCP at the time, of all things). Then this thing started installing "Antivirus 2010" and put it into my system tray. I think I managed to get rid of that portion of it by killing the process immediately, but now I'm in real trouble.

Posted Image

This screen is what I see on my desktop now. Rife with spelling errors and at the end of the countdown, it shuts down the system so the time needed to run any full length virus scans just isn't there.

I've already tried shutdown -a but somehow this is circumventing that. I tried running shutdown -s -t 50000 to see if an independent shutdown.exe process will somehow keep this thing from shutting down my computer at the end of the countdown, but my system ends up rebooting anyway when the virus countdown ends.

System restore is disabled, safe mode boots to bluescreen. I can't run Malwarebytes (program will load, scan will not start). I am currently running DoctorWeb in express mode but there isn't enough time to even do an express scan before this thing shuts my system down.

I booted into another partition and ran a scan and found infected explorer.exe (win32.dat.3 cured), winlogon.exe (win32.dat.3 cured) and fake rundll.exe and ntload.exe trojans which I deleted but the problem persists and the fake rundll.exe keeps coming back. Internet is unplugged. My hosts file should be blocking all the sites connected to "Antivirus 2010" as per the old instructions now but I think whatever this countdown thing on my desktop is is completely different.

With my luck it will be some stupid Gen3 Rootkit that no scanner can pick up. Does anybody have any idea what this thing is and what I can do? The timer prevents me from doing anything meaningful at all aside from doing scans from another installation on a separate partition, which could pick up infected files but cannot access the registry, start-up files, etc.

Edited by Spare-Flair, 24 August 2010 - 07:51 AM.


#2 UofMSpoon2

Posted 24 August 2010 - 12:22 PM

Hey buddy. I had this exact same problem. I still had access to my programs and icons and such, and like you, I tried using my anti-virus scanners but there wasn't enough time to scan thoroughly. My 2 boot-time scans with Avast failed as well to detect anything. Which is shocking since that's a good program. So I thought since the program is a "fake" program, maybe the computer is fooled as well!
So I went to Add/Remove Programs, and there it was. Antivirus 2010. I clicked remove and uninstalled it...and it's been a few days so far and it's still gone. I did have one hiccup this morning where the blue screen behind the error overwrote my desktop background, but no countdown or errors otherwise, I think I just tripped the old file. I restarted and it was fine. So I hope this helps.

#3 Spare-Flair

Posted 24 August 2010 - 02:38 PM


That's an interesting solution; unfortunately, I have no Antivirus 2010 in my Add/Remove Programs. This may stem from me frantically killing the process in Task Manager when I first noticed it self-installing :thumbsup:

I'll try copy userinit.exe winlogon32.exe and see if it does anything

Edited by Spare-Flair, 24 August 2010 - 03:12 PM.


#4 Spare-Flair

Posted 24 August 2010 - 04:12 PM

Okay, I think I've fixed it.

I went to a command line on my other OS and went to C:\Windows\System32

Then I ran:
copy userinit.exe winlogon32.exe
copy userinit.exe winlogon86.exe

Restarted and the countdown timer desktop was gone. I then went and deleted rogue entries in HKEY_LOCAL_MACHINE\Software\windowsNT\currentversion\winlogon\ (was trying to load ntload.exe with explorer.exe)

That's removed the countdown timer. Now to see if I need to clean any more residuals from it or Antivirus 2010. I still would like to know how I got this in the first place. I was browsing www.hardforums.com when Avast suddenly popped up a load of red messages saying that something was blocked (but obviously it wasn't) and I saw Antivirus 2010 installing itself and appearing in my taskbar. At that point I frantically hit CTRL-ALT-DEL and shut down anything that I didn't recognize.

Edited by Spare-Flair, 24 August 2010 - 04:13 PM.
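
The Winlogon clean-up described in post #4, turned into a repeatable check; this is an added example, not part of the original thread. It parses a `.reg` export of the Winlogon key and reports any `Shell` or `Userinit` entry other than the stock program. The key path is the standard Winlogon location, while the sample export and the `explorer.exe ntload.exe` form of the `Shell` value are constructed, since the post does not show the actual data.

```python
import re

# Standard Winlogon key path, and the stock entries for its two startup values.
# Assumes the Windows directory is X:\WINDOWS or X:\WINNT.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
STOCK = {
    "shell": re.compile(r"explorer\.exe", re.I),
    "userinit": re.compile(r"[a-z]:\\(windows|winnt)\\system32\\userinit\.exe", re.I),
}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed sample export; the post does not show the real Shell data.
SAMPLE_TAMPERED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"Shell"="explorer.exe ntload.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

def parse_winlogon(reg_text):
    """Return {lowercased value name: string data} for the Winlogon key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == WINLOGON_KEY.lower()
        elif in_key and (m := VALUE_RE.match(line)):
            # .reg string values escape backslashes and quotes; undo that.
            values[m["name"].lower()] = re.sub(r"\\(.)", r"\1", m["data"])
    return values

def unexpected_entries(values):
    """List (value name, entry) pairs that are not the stock program."""
    findings = []
    for name, stock in STOCK.items():
        # Split on commas and whitespace so a program appended to the stock
        # entry is reported on its own; paths with spaces still get flagged.
        for entry in re.split(r"[,\s]+", values.get(name, "")):
            if entry and not stock.fullmatch(entry):
                findings.append((name, entry))
    return findings

if __name__ == "__main__":
    for name, entry in unexpected_entries(parse_winlogon(SAMPLE_TAMPERED)):
        print(f"Winlogon {name}: unexpected entry {entry!r}")
```

This inspects only the registry values; it says nothing about whether the files at the stock paths are genuine, and post #1 reports infected copies of explorer.exe and winlogon.exe.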


#5 Spare-Flair

Posted 24 August 2010 - 04:34 PM

Hmm, now I am getting this. Is this normal? The Winlogon32 and Winlogon86s were fake files in the first place, right? I just had to overwrite them with userinit?

Posted Image

Edited by Spare-Flair, 24 August 2010 - 04:37 PM.




