Internet Security 2010 Rogue, Winlogon2.exe and Other Fun Things for this Week…

I’ve been pretty busy this week with malware appointments and thought I’d share this week’s “note to self” stuff…

  1. A client calls me and says that they have a fake antivirus (the Internet Security 2010 rogue) and now they can’t log in to Windows.
  2. When I arrive I load my UBCD4WIN and immediately:
    • Replace atapi.sys with a known-good copy.
    • Replace userinit.exe with a known-good copy.
    • Load the host’s registry (the offline SOFTWARE hive) and fix the Winlogon key so that Userinit points to c:\windows\system32\userinit.exe, (not winlogon2.exe).
    • Disconnect the network connection.
    • Reboot.
    • Install Malwarebytes and apply the latest definition updates from a USB stick (the machine is still off the network).
    • Quick Scan with MBAM and remove anything found.
    • Reboot.
    • Load new AV (either Microsoft Security Essentials or Kaspersky Internet Security 2010)
  3. Perform misc cleanup stuff and then leave.
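The registry and file checks from step 2, scripted so they can be run from the rescue environment against the offline install before rebooting. This is an added example, not part of the original post; it assumes a WinPE-style boot environment with PowerShell 4 or later (for Get-FileHash), that the infected system volume shows up as D: while the rescue OS owns C:, and that the offline install is Vista/7 so clean reference copies of atapi.sys and userinit.exe exist under its WinSxS tree. The winsxs comparison and the .bad rename are my own choices, not the post’s.

```powershell
<#
  Added example (not from the original post): audit, and with -Fix repair, the
  Winlogon Userinit/Shell values and the files the post replaces, against an
  OFFLINE Windows install from a boot CD such as UBCD4WIN/WinPE.

  Assumptions (mine, not the post's):
    - PowerShell 4+ in the boot environment (Get-FileHash).
    - Infected system volume is D:; the booted rescue OS owns C:.
    - Vista/7 target, so same-named clean copies exist under D:\Windows\winsxs.
#>
param(
    [string]$OfflineWindows = 'D:\Windows',
    [switch]$Fix
)

$mountName = 'OfflineSoftware'
$hiveFile  = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
$winlogon  = "HKLM:\$mountName\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Values a clean installation carries. Userinit keeps its trailing comma, and the
# path stays C:\ because that is the drive letter the *booted* OS will see.
$expected = @{
    Userinit = 'C:\Windows\system32\userinit.exe,'
    Shell    = 'explorer.exe'
}

# --- 1. Registry: load the offline SOFTWARE hive and compare the Winlogon values
& reg.exe load "HKLM\$mountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not load hive $hiveFile" }
try {
    $key = Get-ItemProperty -Path $winlogon
    foreach ($name in $expected.Keys) {
        $actual = [string]$key.$name
        if ($actual -ieq $expected[$name]) {
            Write-Host "[ok]  $name = $actual"
            continue
        }
        Write-Warning "[BAD] $name = '$actual'  (expected '$($expected[$name])')"
        if ($Fix) {
            Set-ItemProperty -Path $winlogon -Name $name -Value $expected[$name] -Type String
            Write-Host "      -> repaired"
        }
    }
}
finally {
    # Release our handle so the hive unloads cleanly.
    $key = $null
    [GC]::Collect()
    & reg.exe unload "HKLM\$mountName" | Out-Null
}

# --- 2. Files: flag the dropped lookalike and verify the replaced driver/binary
$sys32 = Join-Path $OfflineWindows 'System32'
$rogue = Join-Path $sys32 'winlogon2.exe'
if (Test-Path $rogue) {
    Write-Warning "[BAD] $rogue present"
    if ($Fix) {
        # Rename rather than delete so the sample survives for AV submission.
        Rename-Item $rogue "$rogue.bad"
        Write-Host "      -> renamed to winlogon2.exe.bad"
    }
}

# A live file whose SHA-256 matches none of the same-named copies staged in
# WinSxS has been patched or swapped and should be replaced from a clean source.
function Test-AgainstWinSxS([string]$LivePath, [string]$FileName) {
    if (-not (Test-Path $LivePath)) { Write-Warning "[BAD] $LivePath missing"; return }
    $live   = (Get-FileHash -Algorithm SHA256 $LivePath).Hash
    $staged = Get-ChildItem -Path (Join-Path $OfflineWindows 'winsxs') -Recurse -Filter $FileName -ErrorAction SilentlyContinue |
              ForEach-Object { (Get-FileHash -Algorithm SHA256 $_.FullName).Hash } |
              Sort-Object -Unique
    if ($staged -contains $live) { Write-Host "[ok]  $FileName matches a WinSxS copy" }
    else { Write-Warning "[BAD] $FileName ($live) matches no WinSxS copy; replace it" }
}
Test-AgainstWinSxS (Join-Path $sys32 'drivers\atapi.sys') 'atapi.sys'
Test-AgainstWinSxS (Join-Path $sys32 'userinit.exe')      'userinit.exe'
```

Run it once without -Fix to see what the rogue changed, then again with -Fix before the first reboot; do the hash check before replacing atapi.sys and userinit.exe so you have a record of which files were actually tampered with.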
