anykuy virus removal

Discussion in 'ESET Smart Security' started by Traveler2, Feb 16, 2009.

Thread Status:
Not open for further replies.
  1. Traveler2

    Traveler2 Registered Member

    Joined:
    Feb 16, 2009
    Posts:
    33
    Yesterday I found anykuy a redirect type virus that placed a red circle with a white cross on my taskbar and had popup windows stating that I had problems and needed to do a scan with fake software.

    I updated ESET SS and did a scan 3 or 4 times, updating before each scan, and the problem is still there.

    I have sent a support ticket and while I am waiting I wanted to see if anyone else has this problem and how to solve it quickly.

    A quick internet search has not resulted in an easy answer. The virus has been around for a while; I am surprised that ESET SS has not caught it.

    Thank you!
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Are you saying it didn't detect it or it didn't clean it? What about scanning in safe mode?
     
  3. Traveler2

    Traveler2 Registered Member

    Joined:
    Feb 16, 2009
    Posts:
    33
    Hi Funkydude,

    The virus was not detected as far as I know and it certainly did not clean it.

    Several other viruses were detected and cleaned on the same day - related?

    I rarely get viruses at all so I do not know much about scanning in safe mode. Is this easy to do?

    Meanwhile ESET has received my support request but not answered yet.

    Should I simply wait or?
     
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    That's the best idea, they will help you fix the problem.
     
  5. Traveler2

    Traveler2 Registered Member

    Joined:
    Feb 16, 2009
    Posts:
    33
    OK, I will wait, thank you for your help.
     
  6. Traveler2

    Traveler2 Registered Member

    Joined:
    Feb 16, 2009
    Posts:
    33
    ESET never got back to me which is quite frustrating.

    Meanwhile I no longer see the red circle with white cross on my task bar and I am not being directed to anykuy.com anymore.

    But my ESET scans take around 6 hours which were less than 2 hours before.

    I have been manually scanning daily and over three days caught around 11 viruses.

    Related to my anykuy.com problem?

    Three on the first day: WIN32 Trojanclicker agent

    Five over two days: WIN32 trojan downloader

    CMDOW.143 application, PRC view application: two each over 2 days

    Any thoughts will be greatly appreciated
     
  7. nonoise

    nonoise Registered Member

    Joined:
    Jun 6, 2008
    Posts:
    322
    I would scan this computer with MBAM. It's free and very reliable.
     
  8. Traveler2

    Traveler2 Registered Member

    Joined:
    Feb 16, 2009
    Posts:
    33
    Thank you for the suggestion.

    Is this something that is compatible with ESET SS?

    Does ESET have to be turned off first?
     
  9. nonoise

    nonoise Registered Member

    Joined:
    Jun 6, 2008
    Posts:
    322
    You can run both at the same time. The free version of MBAM doesn't run in real time; it's just an on-demand scanner.

    A few other users on this forum run both, ESS and MBAM Pro, at the same time without problems.
     
  10. AspenJ

    AspenJ Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    1
    I've had exactly the same problem with a machine today. A tray icon warning about security issues and the continual prompts to go to anykuy.com. This was on a Windows XP Pro machine. What I've found is the following:

    1. McAfee resident shield was installed and running yet the virus still got on to the machine
    2. MalwareBytes AntiMalware detects and removes MSAntispyware 2009 and others but does not resolve the problem with the system tray icon and the anykuy.com redirects
    3. SuperAntiSpyware exactly the same...it does not detect/fix the anykuy.com redirects
    4. SpybotSD exactly the same problem
    5. McAfee anti-virus exactly same problem

    Eventually I discovered that the problem is that c:\Windows\System32\userinit.exe has been modified. It is this, I think, that is causing the problem. Of course, replacing it is a little tricky as it's running on the infected machine. To replace it I booted from the WinXP CD and entered the recovery console. From here you can replace userinit.exe with a clean version:

    > d:
    > cd I386
    > expand USERINIT.EX_ C:\WINDOWS\SYSTEM32
    > exit

    After rebooting I note that the little tray icon is no longer present and for the last three hours I've not had any annoying attempts to take me to the anykuy.com web page. I'm just rescanning with every tool I can find but, for me anyway, it appears that an infected (though not detected) userinit.exe was the problem. (Note: the infected userinit was 61K, 64K on disk; the clean version is 25.5K, 28K on disk, from XP Pro SP3.)

    Hope this helps someone...it was bugging me why none of the anti-virus/anti-spyware tools were finding it but maybe it hides itself from detection.
     
  11. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Please forward a file that ESET Smart Security has identified as infected in a .ZIP or .RAR file protected with a password of "infected" to samples@eset.sk with a Subject: of "Remover Requested - {insert name of malware as detected by ESET Smart Security here}" and a link to this message thread.

    You can also include a log file from ESET SysInspector inside your password-protected archive, which will help the virus lab with their analysis.

    Regards,

    Aryeh Goretsky
     
  12. Snowbird

    Snowbird Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1
    Location:
    Canada/Florida
    Thanks AspenJ. After using Malwarebytes' Anti-Malware I followed your guidance but the result was different. The userinit.ex_ file showed up in the Windows32 folder but it was not expanded. I tried expanding it in place but that wouldn't work either. Thinking that the process wasn't working because there was still the infected userinit.exe file in place, I tried to delete it, but no go. Then I tried renaming it (I used userinit1.ex1) and rebooted. Whoopee, I now have a normal size userinit.exe file and the system allowed me to delete the renamed infected file. It has been about two hours now and I've had no more pop-ups or warnings and the little red dot with the x on it is gone.

    Thanks again.
     
  13. weigel5

    weigel5 Registered Member

    Joined:
    Feb 1, 2007
    Posts:
    9
    I ended up running ComboFix to resolve this same issue. I was about to try AspenJ's method but thought I would run one more highly recommended utility and it ended up catching the culprit. Just another option for you all.

    Weigel5
     
  14. Pinzgauer

    Pinzgauer Registered Member

    Joined:
    Mar 16, 2009
    Posts:
    1
    Dear AspenJ,

    Exactly HOW did you discover that your Windows System32 folder was bad?

    Mike
     
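Pinzgauer's question above (how AspenJ knew that userinit.exe was the problem) and AspenJ's own size comparison (61K on the infected box against 25.5K for the SP3 copy) can be turned into a repeatable check. The script below is an added example, not code from this thread or from ESET. It assumes you have already expanded a clean USERINIT.EX_ from the I386 folder of install media at the same service-pack level to a scratch path on a known-good machine (e.g. `expand D:\I386\USERINIT.EX_ C:\ref\userinit.exe`), and it goes one step beyond what the thread describes by also inspecting the Winlogon `Userinit` registry value, which is the other place this binary is commonly hijacked. The file contents in `demo_with_constructed_files()` are constructed stand-ins, not real binaries.

```python
"""Triage helper for a suspected userinit.exe replacement (added example, not from the thread)."""
import hashlib
import ntpath
import os
import tempfile
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Fingerprint:
    path: str
    size: int
    sha256: str


def fingerprint(path: str) -> Fingerprint:
    """Size and SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return Fingerprint(path, os.path.getsize(path), h.hexdigest())


def compare_to_reference(suspect: str, reference: str) -> List[str]:
    """Return findings; an empty list means the suspect file matches the reference byte for byte."""
    s, r = fingerprint(suspect), fingerprint(reference)
    findings = []
    if s.size != r.size:
        findings.append(f"size differs: {s.size} bytes on disk vs {r.size} bytes in reference")
    if s.sha256 != r.sha256:
        findings.append(f"SHA-256 differs: {s.sha256} vs reference {r.sha256}")
    return findings


def check_userinit_value(value: str, system_root: str = r"C:\WINDOWS") -> List[str]:
    """Flag anything in the Winlogon 'Userinit' value other than the stock userinit.exe entry.

    The stock XP value is 'C:\\WINDOWS\\system32\\userinit.exe,' (trailing comma included);
    malware appends or substitutes its own executable here to be launched at every logon.
    """
    expected = ntpath.join(system_root, "system32", "userinit.exe").lower()
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings = []
    if not entries:
        findings.append("Userinit value is empty: no logon initialiser will run")
    for entry in entries:
        normalised = entry.lower().replace("%systemroot%", system_root.lower())
        if normalised != expected:
            findings.append(f"unexpected Userinit entry: {entry}")
    return findings


def read_live_userinit_value() -> str:
    """Windows only: read the Winlogon Userinit value from HKLM (winreg is imported lazily)."""
    import winreg
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def demo_with_constructed_files() -> Tuple[List[str], List[str]]:
    """Run the comparison on constructed data: an untouched copy and a padded/patched copy."""
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "userinit_ref.exe")
        sus = os.path.join(d, "userinit_suspect.exe")
        clean = b"MZ" + b"\x90" * 4096            # constructed stand-in for the stock binary
        with open(ref, "wb") as f:
            f.write(clean)
        with open(sus, "wb") as f:
            f.write(clean + b"\xcc" * 2048)       # constructed: same file with code appended
        untouched = compare_to_reference(ref, ref)
        tampered = compare_to_reference(sus, ref)
    return untouched, tampered


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                        # usage: script.py <suspect> <reference>
        for line in compare_to_reference(sys.argv[1], sys.argv[2]) or ["files match"]:
            print(line)
    if sys.platform == "win32":
        for line in check_userinit_value(read_live_userinit_value()) or ["Userinit value is stock"]:
            print(line)
```

Two caveats. A hash mismatch on its own is not proof of infection: userinit.exe legitimately differs between service packs and hotfix levels, so the reference must come from media matching the installed service pack (AspenJ's figures are for XP Pro SP3). And, as AspenJ suspected, a rootkit can hide the real file from tools running on the infected OS, so the trustworthy comparison is the offline one, taken from the recovery console or a boot CD, where the running system cannot lie about what is on disk.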