After over a dozen infections of IS2010, and a few similar and sometimes nastier programs, on some of our computers over the last 6 months, I now have 2 approaches. Both use UBCD4WIN, a disk I made a couple of years ago. I don't remember the details, but I think it generates an ISO file that uses Bart PE (Pre-Environment), which you burn to a CD; it has a bunch of utility programs on it and supports the use of USB drives.
1. Full reinstall; sometimes I can copy the user's files from within Windows, but lately I have had to boot from a UBCD4WIN CD to copy the user files before doing the full reinstall.
2. Use a UBCD4WIN (Bart PE) bootable CD with utilities that allow access to files and the registry, delete some things and change others, then reboot into Windows and install and run the latest MalwareBytes program from a USB drive to try to find anything you missed. Note that deleting the files and registry entries may not be enough; if you get caught in a Login/Logoff loop you may have to modify the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit string value should be:
C:\WINDOWS\system32\userinit.exe,
(I am hoping a. SAV starts detecting and preventing this REAL soon, b. I might get recovery time down to less than an hour instead of the current 4 hours, and c. our users get smarter.)
I got this information from this forum; it doesn't mention smss32.exe, but that showed up at the same time as is2010.exe and is in many of the same registry areas and folders. Sorting by DATE helps spot it and its accompanying files in the WINDOWS and SYSTEM32 folders:
- - - - -
INTERNET SECURITY 2010 fake AntiVirus
Submit and delete these files:
NOTE: deleting these caused the Can't Login problem, see fix below
c:\WINDOWS\system32\41.exe
c:\WINDOWS\system32\winhelper86.dll
c:\WINDOWS\system32\winlogon86.exe
c:\WINDOWS\system32\winupdate86.exe
c:\Program Files\InternetSecurity2010
c:\Program Files\InternetSecurity2010\IS2010.exe
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
%UserProfile%\Desktop\Internet Security 2010.lnk
%UserProfile%\Start Menu\Internet Security 2010.lnk
Remove These Internet Security 2010 Registry Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winupdate86.exe"
HKEY_CURRENT_USER\Software\IS2010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security 2010"
* * * * * * * *
I forget where I found this:
CAN'T LOGIN TO WINDOWS
This is happening because spyware edited the registry of your computer. I had the same problem.
Every time I logged into Windows XP it logged me out right away.
I got rid of the problem by:
Booting the PC with your start disks created with Windows XP *1, or booting the PC using your Windows XP CD-ROM *2
*1 - at the command prompt, go to c:\windows\system32\
copy userinit.exe wsaupdater.exe
now reboot your PC; you should be able to log into Windows
go to Start, Run, then type regedit
find the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit string value should be:
C:\WINDOWS\system32\userinit.exe,
On the damaged installations it's one of these:
C:\WINDOWS\system32\wsaupdater.exe,
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsaupdater.exe,
In this case edit the string to :
c:\windows\system32\userinit.exe,
Everything should work fine now!
Do install some good anti-spyware software and do a virus check, as mine was infected with a trojan as well.
*2 Boot the PC from the Windows setup disk; at the setup screen press R for recovery
at the Recovery Console type cd system32
type copy userinit.exe wsaupdater.exe
type exit
then follow the instructions under *1 with regedit.
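As an added example (not part of the post above or of any tool it mentions), here is a PowerShell script that does the same checks the post walks through by hand: it reads the Winlogon Userinit value, splits it on the comma, flags anything other than the real userinit.exe (and optionally restores the exact value the post gives), lists HKLM/HKCU Run entries matching the names the post lists, and shows files in WINDOWS and system32 changed in the last N days, which is the "sort by DATE" trick from the post. The malware file and Run-value names come from the post; the parameter names, the HKLM:\OFFSW hive mount point, the 7-day window and the script name are my assumptions. It assumes PowerShell 2.0 or later on the infected box, or on a repair box with the victim's SOFTWARE hive loaded.

```powershell
<#
 Added example, not from the original post. Audits the Winlogon Userinit value
 that Internet Security 2010 hijacks, the Run keys named in the post, and recently
 changed files in WINDOWS and system32. Assumptions: PowerShell 2.0+, run as an
 administrator; for an offline hive, load it first (see usage note) and pass
 -SoftwareRoot HKLM:\OFFSW -SystemRoot D:\WINDOWS.
#>
param(
    [string]$SoftwareRoot     = 'HKLM:\SOFTWARE',            # 'HKLM:\OFFSW' for a loaded offline hive (assumed name)
    [string]$UserRoot         = 'HKCU:\Software',            # only meaningful when run as the infected user
    [string]$SystemRoot       = $env:SystemRoot,             # e.g. 'D:\WINDOWS' when booted from CD
    [string]$ExpectedUserinit = 'C:\WINDOWS\system32\userinit.exe',  # value the post says it should be
    [int]$Days                = 7,                           # assumed window for the "sort by date" check
    [switch]$Fix                                             # rewrite Userinit to the expected value
)

# File names listed in the post, plus smss32.exe (the poster's extra find) and wsaupdater.exe (quoted fix).
$knownFiles     = @('41.exe','winhelper86.dll','winlogon86.exe','winupdate86.exe','IS2010.exe','smss32.exe','wsaupdater.exe')
# Run-key value names listed in the post.
$knownRunValues = @('winupdate86.exe','Internet Security 2010')

function Test-Userinit {
    $key = Join-Path $SoftwareRoot 'Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($null -eq $raw) { Write-Warning "Userinit value missing at $key"; return $false }
    # Userinit is a comma-separated list; the rogue appends itself or replaces the real entry.
    $entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $extra   = @($entries | Where-Object { $_ -ne $ExpectedUserinit })   # -ne is case-insensitive in PowerShell
    if ($entries.Count -eq 0 -or $extra.Count -gt 0) {
        Write-Warning ("Userinit is '{0}'; unexpected entries: {1}" -f $raw, ($extra -join ' ; '))
        if ($Fix) {
            # Keep the trailing comma exactly as the post shows it.
            Set-ItemProperty -Path $key -Name Userinit -Value ($ExpectedUserinit + ',')
            Write-Host "Userinit restored to '$ExpectedUserinit,'"
        }
        return $false
    }
    Write-Host "Userinit OK: $raw"
    return $true
}

function Get-SuspiciousRunValues {
    $runKeys = @((Join-Path $SoftwareRoot 'Microsoft\Windows\CurrentVersion\Run'),
                 (Join-Path $UserRoot     'Microsoft\Windows\CurrentVersion\Run'))
    foreach ($rk in $runKeys) {
        if (-not (Test-Path $rk)) { continue }
        $props = Get-ItemProperty -Path $rk
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
            $byName = $knownRunValues -contains $p.Name
            $byFile = @($knownFiles | Where-Object { "$($p.Value)" -like "*$_*" }).Count -gt 0
            if ($byName -or $byFile) {
                New-Object PSObject -Property @{ Key = $rk; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

function Get-RecentSystemFiles {
    $dirs  = @($SystemRoot, (Join-Path $SystemRoot 'system32'))
    $since = (Get-Date).AddDays(-$Days)
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $since } |
            Sort-Object LastWriteTime -Descending |
            Select-Object @{n='Dir';e={$d}}, Name, LastWriteTime,
                          @{n='KnownName';e={ $knownFiles -contains $_.Name }}
    }
}

Write-Host '== Winlogon Userinit =='
$null = Test-Userinit
Write-Host '== Run-key entries matching names from the post =='
Get-SuspiciousRunValues | Format-Table -AutoSize
Write-Host "== Files changed in the last $Days days (known names flagged) =="
Get-RecentSystemFiles | Format-Table -AutoSize
```

To use it against a box that will not log in, boot the repair environment, load the victim's hive with `reg load HKLM\OFFSW D:\WINDOWS\system32\config\software`, run the script with `-SoftwareRoot HKLM:\OFFSW -SystemRoot D:\WINDOWS -Fix`, then `reg unload HKLM\OFFSW` before rebooting. The order matters for the login loop the post describes: fix Userinit first, then delete the files, because if the rogue's executable is the only entry left in Userinit, removing that file is exactly what produces the immediate logoff. The HKCU Run check only sees the account the script runs under; for an offline NTUSER.DAT you would load that hive the same way and point `-UserRoot` at it.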