This one is fairly new and goes to some pretty extreme lengths to keep itself loaded. Once loaded it installs a hidden rootkit onto your system. Rootkits are hard enough to remove as it is, these guys make it worse by redirecting all your search engine results to their own search ad pages that essentially get you nowhere. Even if you manage to get a good URL link to a website that might help you the virus blocks the traffic so you see nothing but the typical no server found message. The only way I could get any info on it was by selecting the cached pages of the search results. Once it was fully loaded I could see there was a lot of network activity so I knew it was doing something nefarious over the internet, one of the victims posted somewhere that one of his monitor programs said it was sending out 100's of e-mails.
Even if your virus software and anti-spyware finds the two random named .SYS files and tries to quarantine them the hidden rootkit will reinstall them on reboot with different names. Once the rootkit is firmly in place the malware hooks two .DLL files to the WinLogon.exe process. Winlogon.exe is a necessary windows process thats used in both normal and safe modes so theres no way to shut it down or safely kill it without the system coming to a stop or immediate reboot. Because the DLL's are hooked to the needed process you cant rename or delete the files where they reside in the \windows\system32 folder in either reg or safe mode. One of the DLL's is hidden by the rootkit and the other is in plain view.
Normally enough systems get infected and one of the software Co's puts out a handy dandy EXE file you can run that removes the malware like they have with the Vundo virus. This one is new enough so there isnt an EXE out yet.
Thru trial and lots of shit that just plain didnt work I figured out a way to remove the malware and an even easier way to prevent your system from loading it in the first place. The malware relies on two specific named DLL files to be located in the \windows\system32\ folder. The first file is called WLCTRL32.DLL and the second is WINCTRL32.DLL
Windows has special rules when it comes to files, renaming/replacing can be done to them given the appropriate rights and actions but folders are different. Windows is somewhat constrained when its dealing with them. Theres no windows rights or mechanism for renaming/replacing folders with files so if theres a folder with the same name as a file then its rights trump those of a file with the same name.
Long story short on the 'fix' .. if you goto your windows\system32 folder and create two new folders with the same name as the files then the virus cant load the files it needs to run.
Note: you must call the folders by the full file name so one folder is called 'winctrl32.dll' and the other is called 'wlctrl32.dll' [ minus the quotes ] in order for the preventative fix to work. They also must reside in the windows\system32 folder since thats where the virus wants to install the files.
For those that think that creating a folder there is a security risk it isnt. Theres no such security risk in creating any folder anywhere in windows.
Heres to hoping you dont catch this one since its not too fun removing.
Even if your virus software and anti-spyware finds the two random named .SYS files and tries to quarantine them the hidden rootkit will reinstall them on reboot with different names. Once the rootkit is firmly in place the malware hooks two .DLL files to the WinLogon.exe process. Winlogon.exe is a necessary windows process thats used in both normal and safe modes so theres no way to shut it down or safely kill it without the system coming to a stop or immediate reboot. Because the DLL's are hooked to the needed process you cant rename or delete the files where they reside in the \windows\system32 folder in either reg or safe mode. One of the DLL's is hidden by the rootkit and the other is in plain view.
Normally enough systems get infected and one of the software Co's puts out a handy dandy EXE file you can run that removes the malware like they have with the Vundo virus. This one is new enough so there isnt an EXE out yet.
Thru trial and lots of shit that just plain didnt work I figured out a way to remove the malware and an even easier way to prevent your system from loading it in the first place. The malware relies on two specific named DLL files to be located in the \windows\system32\ folder. The first file is called WLCTRL32.DLL and the second is WINCTRL32.DLL
Windows has special rules when it comes to files, renaming/replacing can be done to them given the appropriate rights and actions but folders are different. Windows is somewhat constrained when its dealing with them. Theres no windows rights or mechanism for renaming/replacing folders with files so if theres a folder with the same name as a file then its rights trump those of a file with the same name.
Long story short on the 'fix' .. if you goto your windows\system32 folder and create two new folders with the same name as the files then the virus cant load the files it needs to run.
Note: you must call the folders by the full file name so one folder is called 'winctrl32.dll' and the other is called 'wlctrl32.dll' [ minus the quotes ] in order for the preventative fix to work. They also must reside in the windows\system32 folder since thats where the virus wants to install the files.
For those that think that creating a folder there is a security risk it isnt. Theres no such security risk in creating any folder anywhere in windows.
Heres to hoping you dont catch this one since its not too fun removing.
