anykuy virus removal

Yesterday I found anykuy a redirect type virus that placed a red circle with a white cross on my taskbar and had popup windows stating that I had problems and needed to do a scan with fake software.

I updated ESET SS and did a scan 3 or 4 times updateing before each scan and the problem is still there.

I have sent a support ticket and while I am waiting I wanted to see if anyone else has this problem and how to solve it quickly.

A quick internet search ahs not resulted in an easy answer. The virus has been around for a while I am surprised that ESET SS has not caught it.

Thank you!

 

Are you saying it didn't detect it or it didn't clean it? What about scanning in safe mode?

 

Hi Elapsed,

The virus was not detected as far as I know and it certainly did not clean it.

Several other viruses were detected and cleaned on the same day - related?

I rarely get viruses at all so I do not know much about scanning in safe mode. Is this easy to do?

Meanwhile ESET has received my support request but not answered yet.

Should I simply wait or?

 

That's the best idea, they will help you fix the problem.

 

OK, I will wait, thank you for your help.

 

ESET never got back to me which is quite frustrating.

Meanwhile I no longer see the red circle with white cross on my task bar and I am not being directed to anykuy.com anymore.

But my ESET scans take around 6 hours which were less than 2 hours before.

I have been manually scanning daily and over three days caught around 11viruses.

Related to my anykuy.com problem?

Three on the first day WIN32 Trojanclicker agent

Five over two days WIN32 trojan downloader
CMDOW.143 application PRC view application two each over 2 days

Any thoughts will be greatly appreciated

 

i would scan this computer with MBAM. its free and very reliable.

 

Thank you for the suggestion.

Is this something that is compatable with ESET SS?

Does ESET have to be turned off first?

 

you can run both at the same time. free version of mbam doesn't run in real time, its just on demand scanner

few other users on this forum run both, ess and mbam pro, at the same time without problems

 

I've had exactly the same problem with a machine today. A tray icon warning about security issues and the continual prompts to go to anykuy.com. This was on a Windows XP Pro machine. What I've found is the following..

1. McAfee resident shield was installed and running yet the virus still got on to the machine
2. MalwareBytes AntiMalware detects and removes MSAntispyware 2009 and others but does not resolve the problem with the system tray icon and the anykuy.com redirects
3. SuperAntiSpyware exactly the same...it does not detect/fix the anykuy.com redirects
4. SpybotSD exactly the same problem
5. McAfee anti-virus exactly same problem

Eventually I discovered that the problem is that c:\Windows\System32\userinit.exe has been modified. It is this, I think, that is causing the problem. Of course, replacing it is a little tricky as it's running on the infected machine. To replace it I booted from the WinXP CD and entered the recovery console. From here you can replace userinit.exe with a clean version

> d:
> cd I386
> expand USERINIT.EX_ C:\WINDOWS\SYSTEM32
> exit

after rebooting i note that the little tray icon is no longer present and for the last three hours I've not had any annoying attempts to take me to the anykuy.com web-page. I'm just rescanning with every tool I can find but, for me anyway, it appears that an infected (though not detected) userinit.exe was the problem. (note: infected userinit was 61K, 64K on disk...clean version is 25.5K, 28K on disk from SP3 XP pro)

Hope this helps someone...it was bugging me why none of the anti-virus/anti-spyware tools were finding it but maybe it hides itself from detection.

 

Hello,

Please forward a file that ESET Smart Security has identified as infected in a .ZIP or .RAR file protected with a password of "infected" to samples@eset.sk with a Subject: of "Remover Requested - {insert name of malware as detected by ESET Smart Security here}" and a link to this message thread.

You can also include a log file from ESET SysInspector inside your password-protected archive, which will help the virus lab with their analysis.

Regards,

Aryeh Goretsky

 

Thanks AspenJ. After using Malwarebytes' Anti-Malware I followed your guidance but the result was different. The userinit.ex_ file showed up in the Windows32 folder but it was not expanded. I tried expanding it in place but that wouldn't work either. Thinking that the process wasn't working because there was still the infected userinit.exe file in place I tried to delete it, but no go. Then I tried renaming it - I used userinit1.ex1 - and rebooted. Whoopee, I now have a normal size userinit.exe file and the system allowed me to delete the renamed infected file. It has been about two hours now and I've had no more pop ups or warnings and the little red dot with the x on it is gone.

Thanks again.

 

I ended up running combofix to resolve this same issue. I was about to try aspenJ's method but thought I would run one more highly recommended utility and it ended up catching the culprit. Just another option for you all.

Weigel5

 

Dear AspenJ;;

Exactly HOW did you discover that your Windows System32 folder was bad?

Mike