MTT Posted February 14, 2009

I am new to forums so please bear with me. Am I in the right place? I have a problem that I can't fix. I have a red X in the system tray that says "Alert! You have a security problem. Do you want to scan your computer for viruses?" It also tries constantly to connect to http://anykuy.com. I have disabled my internet connection so that it cannot connect to the internet. It also had disabled regedit & other things. I cannot even connect to the internet at all now even when I try. Any help possible?
siliconman01 Posted February 14, 2009

What Windows Operating System are you running and is it 32bit or 64bit? Do you already have SuperAntispyware installed on your infected system?
MTT Posted February 14, 2009

I have XP Home. I installed SuperAntiSpyware after I was infected. I have already tried things such as ComboFix & SDFix. It temporarily removed the alert from the taskbar but it would still try to connect to anykuy.com. It did restore my regedit though. I downloaded the SuperAntiSpyware def files but it does not indicate that they were updated. Thanks
Lagerx Posted February 14, 2009

You can remove this infection with MBAM http://malwarebytes.org/mbam.php SAS will update database for this detection soon.
MTT Posted February 14, 2009

It seems as though maybe I got it. I finally got my SAS to install the updates offline. I rebooted & do not see my alert. I am now in the process of updating & running Malwarebytes. Thanks for the help.
MTT Posted February 14, 2009

Still no luck. After I ran SAS with the latest updates, it removed the alert from the taskbar but it still popped up with the alert message & tried to connect to anykuy.com. I then ran Malwarebytes with the latest updates. It found a rogue named cognac in the registry program files. Removed it but still have the same problem. After reboot it came back with the alert in the taskbar. I suppose I will have to format to get rid of it. Hate to give in to these things by having to do that.
banjodeano Posted February 14, 2009

Hiya, I have the same prob. If I get a solution before you I will let you know...good luck, this virus looks to be a bad one
siliconman01 Posted February 15, 2009

A few things to look at:

1. Check your HOSTS file, which is located at C:\Windows\System32\drivers\etc. The file name is HOSTS with no extension.
 - Right click on HOSTS and open it with NotePad
 - Any line starting with a # is a comment line and is not active
 - The first active entry should be 127.0.0.1 localhost
 - Vista machines may have an entry ::1 localhost which is for IPv6 and is a valid entry.
 - All other active entries should start with 127.0.0.1. Delete any line that does not start with 127.0.0.1
 - In fact, you only need one entry in this file, which is 127.0.0.1 localhost, and you can delete all other lines. The Windows default for the HOSTS file is a bunch of comment lines and then one entry 127.0.0.1 localhost
 - Save and close NotePad
 - Reboot

Below is an example of a HOSTS file. It shows additional valid entries over and above 127.0.0.1 localhost and ::1 localhost

    127.0.0.1 localhost
    ::1 localhost
    127.0.0.1 ad.a8.net
    127.0.0.1 asy.a8ww.net
    127.0.0.1 a9rhiwa.cn
    127.0.0.1 http://www.a9rhiwa.cn
    127.0.0.1 acezip.net
    127.0.0.1 http://www.acezip.net
    127.0.0.1 phpadsnew.abac.com
    127.0.0.1 a.abnad.net
    127.0.0.1 b.abnad.net
    127.0.0.1 c.abnad.net
    127.0.0.1 d.abnad.net
    127.0.0.1 e.abnad.net
    127.0.0.1 t.abnad.net
    127.0.0.1 z.abnad.net

NOTE: Some security programs such as Spybot S&D place values in the HOSTS file to block access to websites and other ad blocks. These entries will all start with 127.0.0.1. You could add an entry 127.0.0.1 anykuy.com just after 127.0.0.1 localhost and it will block IE from going to anykuy.com.

2. Run some of the reset/repair tools in SAS
 - In SAS, go to Preferences > Repair tab
 - To fix a broken Winsock, which affects your ability to connect to the Internet, run Repair broken Network Connection (Winsock LSP chain)
 - Fix Internet Explorer by running Home Page Reset, Internet Zone Security Reset, Local Page Reset, Internet Explorer Policy Restrictions, Reset URL Prefixes, Reset Web Settings, Reset ZoneMap Settings
MTT Posted February 15, 2009

My HOSTS file doesn't look right to me. Here's a copy of it.

    # Copyright © 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    127.0.0.1       localhost
siliconman01 Posted February 15, 2009

MTT, your HOSTS file is okay. Everything above the 127.0.0.1 localhost entry at the bottom is comments, which means they are neutral lines....okay to have. The lines start with a # character...which is for a comment line. You can add 127.0.0.1 anykuy.com below the 127.0.0.1 localhost and it will block website anykuy.com. Example below.

    # Copyright © 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    127.0.0.1       localhost
    127.0.0.1       anykuy.com

NOTE: This does NOT clean out the infection from your computer. It merely blocks IE from accessing the website anykuy.com. Also, download the latest core/trace definitions for SAS and then scan again to see if SAS detects this infection now.
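As an added example (not code from the thread, and not a SuperAntiSpyware tool), the script below applies siliconman01's HOSTS-file rules from the two posts above in Python: lines beginning with # are inert, every active entry should map to a loopback address (127.0.0.1, or ::1 for IPv6), anything else is a redirect worth looking at, and a site can be blocked by adding a 127.0.0.1 entry below localhost. The SAMPLE_HOSTS text and the host names in it (other than localhost and anykuy.com) are constructed for the demonstration; the real file lives at C:\Windows\System32\drivers\etc\hosts.

```python
"""Audit, clean and extend a Windows HOSTS file.

Added example; SAMPLE_HOSTS is constructed to show the three cases the
posts above describe: comments, loopback entries, and a non-loopback
redirect that should not be there."""
import ipaddress

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       anykuy.com
192.0.2.10      update.example.test   # constructed: non-loopback redirect
"""


def _loopback(address):
    """True for 127.x.x.x / ::1, False for any other address, None if unparseable."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return None


def parse_hosts(text):
    """Return (line_number, address, [names]) for each active entry.
    Everything after '#' is a comment, so pure comment lines yield nothing."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        active = raw.split("#", 1)[0].strip()
        if not active:
            continue
        fields = active.split()
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def audit_hosts(text):
    """Flag entries that do not point at loopback, or whose address is garbage."""
    findings = []
    for lineno, address, names in parse_hosts(text):
        loop = _loopback(address)
        if loop is None:
            findings.append((lineno, f"unparseable address {address!r}"))
        elif not loop:
            findings.append((lineno, f"{' '.join(names)} redirected to {address} (not loopback)"))
        elif not names:
            findings.append((lineno, f"{address} has no host name"))
    return findings


def blocked_hosts(text):
    """Names mapped to loopback, i.e. the sites this file blocks."""
    names = set()
    for _, address, hosts in parse_hosts(text):
        if _loopback(address):
            names.update(h.lower() for h in hosts)
    return names


def add_block_entry(text, hostname, address="127.0.0.1"):
    """Append '127.0.0.1 hostname' (after the existing localhost line) unless present."""
    if hostname.lower() in blocked_hosts(text):
        return text
    if not text.endswith("\n"):
        text += "\n"
    return f"{text}{address}\t{hostname}\n"


def clean_hosts(text):
    """Keep comments and loopback entries, drop everything else: the
    conservative form of 'delete any line that does not start with 127.0.0.1'."""
    kept = []
    for raw in text.splitlines():
        active = raw.split("#", 1)[0].strip()
        if not active or _loopback(active.split()[0]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, issue in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {issue}")
    print("blocked:", sorted(blocked_hosts(SAMPLE_HOSTS)))
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it against a real file with `audit_hosts(open(path).read())`; the audit only reports, while `clean_hosts` returns the text you would write back after reviewing the findings. As the NOTE above says, a block entry stops the browser reaching the site but does not remove whatever keeps trying to reach it.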
MTT Posted February 15, 2009

I added the entry in the HOSTS file but it still does not block it. I found that it keeps adding an entry to my temp folder every time that I delete this. I use MBAM to stop the temp file and delete it. It then always on reboot adds new files to the temp folder. The temp files ALWAYS start with a ~ then random letters & numbers.tmp. It also loads these language files: turkish.bin, polish.bin, korean.bin, japanese.bin and so on. 27 .bin files in all.
MTT Posted February 15, 2009

It also seems to have something to do with userinit.exe
siliconman01 Posted February 15, 2009

But have you tried the latest detection rules of SAS which can be manually downloaded at the link below? https://www.superantispyware.com/definitions.html

1. Download/install the latest SAS definitions
2. Also download the latest definitions for MBAM
3. Reboot your computer into SAFE MODE
4. Do a Complete Scan with SAS and let it quarantine what it finds.
5. Do a Full Scan with MBAM and let it quarantine what it finds.
6. Reboot back into Normal Mode.

From what I can gather about this infection, it is a real nasty and is stemming from a rootkit...hidden on your system.
MTT Posted February 15, 2009

Yes I updated and ran both SAS and MBAM. I did not do it in safe mode though. Yea this one is really nasty. It's apparently new enough that SAS & MBAM haven't got it figured out yet. It's odd that the language files in the temp folder are .bin
siliconman01 Posted February 15, 2009

I recommend that you create a support ticket and let the SAS gurus help you directly. https://www.superantispyware.com/precreateticket.html
MTT Posted February 15, 2009

Thanks. I didn't know how to have them check it. I appreciate the link & the time you spent on this too. Thanks again
MTT Posted February 15, 2009

Thanks. I didn't know how to go about the SAS people. Thanks for the time & effort that you spent with me.
siliconman01 Posted February 15, 2009

If you click on "Click here to submit a diagnostic report" on the link below, it will send info from your system to them. They will analyze the info and contact you back via email. Refer also to your post here in the forum...give them the link to your first post. https://www.superantispyware.com/precreatediagnostic.html
garryab Posted February 19, 2009

I have found that a virus, MS AntiSpyware 2009, is responsible for various computer problems once it gains access. The signs are: a Security Icon on the quick start bar of the browser. The flash message from the icon is "your computer is under attack etc". This icon is deletable but it first displays 3 messages. One message invites you to have your computer checked by selection. Select NO. The next message, carefully positioned, asks if you want to keep running without protection. The No is in the same spot as the previous No. Select Yes. That ends the 1-minute cycle. Then when you access the internet it changes the page to anykuy.com/.... to stop you connecting. It also shows your Security as not having any antivirus software. It also enters your Browser Bar and reflects "thank you for downloading the ...Bar". I eventually found in the Application Data of my Programs a folder "Crucial Software" which I deleted. I now have 2 more problems to overcome. An alarmed message that your computer is being attacked by a virus. I cannot remember the 2nd one. So it's back to the drawing board for now. Will post any further news. Garryab
Aspen Posted February 19, 2009

I've had exactly the same problem with a machine today. MSAntispyware2009 and the continual prompts to go to anykuy.com. This was on a Windows XP Pro machine. What I've found is the following..

1. McAfee resident shield was installed and running yet the virus still got on to the machine
2. MalwareBytes AntiMalware detects and removes MSAntispyware 2009 and others but does not resolve the problem with the system tray icon and the anykuy.com redirects
3. SuperAntiSpyware exactly the same...it does not detect/fix the anykuy.com redirects
4. SpybotSD exactly the same problem
5. McAfee anti-virus exactly the same problem

Eventually I discovered that the problem is that c:\Windows\System32\userinit.exe has been modified. It is this, I think, that is causing the problem. Of course, replacing it is a little tricky as it's running on the infected machine. To replace it I booted from the WinXP CD and entered the recovery console. From here you can replace userinit.exe with a clean version

    > d:
    > cd I386
    > expand USERINIT.EX_ C:\WINDOWS\SYSTEM32
    > exit

After rebooting I note that the little tray icon is no longer present and for the last three hours I've not had any annoying attempts to take me to the anykuy.com web-page. I'm just rescanning with every tool I can find but, for me anyway, it appears that an infected (though not detected) userinit.exe was the problem. (Note: the infected userinit was 61K, 64K on disk...the clean version is 25.5K, 28K on disk from SP3 XP Pro.) Hope this helps someone...it was bugging me why none of the anti-virus/anti-spyware tools were finding it but maybe it hides itself from detection.
invent101 Posted February 20, 2009

Aspen: I think you are right... thank you very much. However, I'm on an XP Home edition where nobody has passwords. When I go into the recovery console, it asks for a password and I just hit enter. When I try your expand command, it just says access denied and returns to d:/i386: can you help me? I am so close to getting this over with. By the way, in the meantime, after I log in, I must kill the userinit processes and I am free of problems, but I have to do this every time I log in!
Aspen Posted February 20, 2009

invent101, I think the access denied is because it cannot replace the existing userinit.exe file that is already present. If from the recovery console you are able to...

    cd Windows\System32
    ren userinit.exe userinit.old

...and then try the expand...

    d:
    cd I386
    expand userinit.ex_ c:\windows\system32

I think you will be OK. Failing that, by whatever means possible you need to replace your existing userinit.exe with a nice clean one (maybe just expand userinit.ex_ to c: and then move it into place in Normal mode after killing the existing process). Good luck, Aspen
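Added example, not code from the thread or from any of the tools it mentions: a small Python triage script for the userinit.exe situation Aspen describes in the two posts above. It checks three things a responder would want before and after the recovery-console replacement: whether the file's size is near the clean XP SP3 figure Aspen quotes (25.5K, i.e. 26,112 bytes, versus 61K for the modified copy), whether its SHA-256 matches a known-clean copy (for instance the one expanded from the CD's I386\USERINIT.EX_ to a scratch folder), and whether the Winlogon "Userinit" registry value still names only the real userinit.exe. The size tolerance, the constructed values in main(), and the DEFAULT_USERINIT string are assumptions; the registry key path is the standard Winlogon location.

```python
"""Triage userinit.exe: size, hash against a reference copy, and the
Winlogon Userinit value.  Added example; runs its checks on Windows and
falls back to constructed sample values elsewhere."""
import hashlib
import os
import sys

# From Aspen's post: clean XP SP3 userinit.exe is 25.5K (26,112 bytes),
# the modified one was 61K (about 62,464 bytes).
CLEAN_SIZE_BYTES = 26_112
SIZE_TOLERANCE = 2_048  # assumption: headroom for other service-pack builds

# XP default Winlogon\Userinit value: one path, trailing comma.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def assess_userinit(size_bytes, userinit_value, system_root=r"C:\WINDOWS",
                    reference_hash=None, actual_hash=None):
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    expected = f"{system_root}\\system32\\userinit.exe".lower()
    # The value is comma-separated; anything beyond the one expected path
    # is an extra program launched at logon.
    programs = [p.strip().lower() for p in userinit_value.split(",") if p.strip()]
    if programs != [expected]:
        findings.append(f"Winlogon Userinit is {userinit_value!r}, expected only {expected}")
    if abs(size_bytes - CLEAN_SIZE_BYTES) > SIZE_TOLERANCE:
        findings.append(f"userinit.exe is {size_bytes} bytes; clean XP SP3 copy is {CLEAN_SIZE_BYTES}")
    if reference_hash and actual_hash and reference_hash != actual_hash:
        findings.append("userinit.exe hash differs from the reference copy")
    return findings


def collect_windows_facts():
    """Live values on a Windows host: file size, registry value, paths."""
    import winreg  # Windows-only module
    system_root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    path = os.path.join(system_root, "system32", "userinit.exe")
    return os.path.getsize(path), value, system_root, path


def main(argv):
    if sys.platform == "win32":
        size, value, root, path = collect_windows_facts()
        # Optional argv[1]: path to a clean copy expanded from USERINIT.EX_
        ref = sha256_file(argv[1]) if len(argv) > 1 else None
        findings = assess_userinit(size, value, root, ref, sha256_file(path))
    else:
        # Constructed demo values: an oversized binary plus a second program
        # appended to the Winlogon value (hypothetical path).
        findings = assess_userinit(
            62_464, r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Temp\~ab12cd.tmp")
    for line in findings or ["no findings"]:
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it once before the replacement to record the findings, and again after `expand USERINIT.EX_` and a reboot with the expanded copy's path as the argument; a clean system reports nothing, and a registry value that still lists a second program tells you the file swap alone was not the whole fix.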