Last weekend I was planning on upgrading my Dell XPS 720 Vista desktop to Windows 7, but a friend of mine ran into a nasty piece of malware called "Internet Security 2010" which removed a registry key that allows you to log on to the system and corrupted the system to the point where you could not successfully install any malware or virus protection. If you are able to log on, the Internet Security 2010 malware essentially holds you hostage for a fee to supposedly clean up the system; do not purchase the service, it is a scam.
The first problem I had to deal with is the logon/logoff loop: when attempting to log on, you are automatically logged off. There are two potential causes to rule out: either userinit.exe is missing or corrupt, or the registry value pointing to userinit.exe is missing or corrupt. To identify either problem you need to be able to log on. Here are the steps to try:
- Boot up in safe mode (F8 at initial PC power on) and select option 1 (you do not need the network). Try to log in (this did not work for me). If you can log on, follow the Phase II and III instructions (Phase I is for another virus) in this article: http://www.winxptutor.com/wsaremove.htm .
- Some folks have used the recovery console, which requires your XP CD to boot up with, but the only function you can really perform there is to check whether userinit.exe exists under your Windows\system32 directory. I used the Phase III instructions found here: http://www.winxptutor.com/wsaremove.htm . The file userinit.exe existed, but copying it to wsaupdate.exe per the Phase III instructions did not solve my problem.
- It seemed my only hope was to try to access the registry, and since the recovery console does not provide that functionality I had to find another way. The solution I used was to boot the system from a Bart PE CD, which I had to create. The instructions for doing so and for editing the registry can be found here: http://windowsxp.mvps.org/peboot.htm .
With the system booted from Bart PE, I was able to edit the registry and found that the Winlogon registry key was missing. I created it per the instructions above, rebooted and was able to log on. Once I logged on, I got the Internet Security 2010 malware message telling me I had a virus, along with the purchase scam. To remove the virus/malware I followed the instructions in this article: http://www.softsailor.com/how-to/13827-how-to-uninstall-remove-internet-security-2010-virus-removal-guide.html .
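The check described above, as an added example that is not part of the original post: it reads the Winlogon Userinit value that the logon/logoff loop depends on, confirms each program it names actually exists, and only resets it to the well-known default when asked to. The key path and default value are standard Windows ones; the script assumes an elevated PowerShell prompt on an already bootable session (Safe Mode or after the Bart PE repair), not the Bart PE environment itself.

```powershell
# Added example, not from the original post: diagnose the Winlogon Userinit
# value behind the logon/logoff loop and the file it points to.
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$valueName = 'Userinit'
# Standard default; the trailing comma is part of the expected value.
$expected  = "$env:SystemRoot\system32\userinit.exe,"

function Test-Userinit {
    param([switch]$Repair)   # report only unless -Repair is given

    $key     = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    $current = if ($key) { $key.$valueName } else { $null }

    if (-not $current) {
        Write-Warning "Userinit is missing under $winlogon (symptom: logon/logoff loop)."
    } else {
        Write-Host "Userinit = $current"
        # Userinit may hold a comma-separated list; verify every entry exists.
        foreach ($entry in ($current -split ',' | Where-Object { $_.Trim() })) {
            $path = $entry.Trim()
            if (Test-Path $path) { Write-Host "  OK      $path" }
            else                 { Write-Warning "  MISSING $path" }
        }
        if ($current -ne $expected) {
            Write-Warning "Userinit differs from the usual default ($expected); review it before trusting it."
        }
    }

    if ($Repair) {
        # Do not point Winlogon at a file that is not there: restore userinit.exe first.
        if (-not (Test-Path "$env:SystemRoot\system32\userinit.exe")) {
            Write-Warning "userinit.exe is missing; restore it from the Windows CD before repairing the registry."
            return
        }
        # The post found the whole Winlogon key gone, so recreate it if needed.
        if (-not (Test-Path $winlogon)) { New-Item -Path $winlogon -Force | Out-Null }
        Set-ItemProperty -Path $winlogon -Name $valueName -Value $expected -Type String
        Write-Host "Userinit reset to $expected"
    }
}

Test-Userinit            # report only
# Test-Userinit -Repair  # reset to the default once userinit.exe is confirmed present
```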
The system is now functioning normally.
Malware Masquerading As Anti Virus Getting Worse
There seems to be a trend in web-based malware today: it masquerades as what looks, to the untrained eye, like a valid anti-virus message. Click on the message and your system is infected with nasty malware that demands what amounts to a ransom to fix your system, and who knows whether the fix really works. This is the second time I am dealing with a friend's computer being infected by such malware. Both masqueraded as anti-virus/anti-malware solutions requesting payment to clean up the machine. The Washington Post this week published an article on the subject of these extortion schemes and how this malware morphs its messages based on the anti-virus software you have installed on the machine. The latest malware on my friend's machine was called "Advanced XP Defender" (the first one was Internet Security 2010), because the last go-around I had installed Microsoft Defender and Security Essentials.
This malware was particularly nasty because it changes some key administrator privileges in the system so that you can't even run .exe applications, and it corrupts your current anti-virus installation, in my case Microsoft's Security Essentials. I could not even reinstall Security Essentials.
In the end the two things that worked were to follow these Microsoft instructions (down the page) and to install the Malwarebytes free scanner. I can't say enough good things about Malwarebytes: it installed when MS Security Essentials would not, and once updated with the latest signatures it was able to fully clean the machine. I was then able to install MS Security Essentials.
I think that MS Security Essentials' real-time scanner should have caught this piece of malware, but it did not. My question now is whether the free MS Security Essentials works well enough, or whether it's time to pony up the $24.95 for the Malwarebytes full version.
Posted by sskarlatos on March 26, 2010 at 09:03 AM in Commentary, Virus-Malware, Web/Tech, Windows XP