Worst Malware Ever!

Discussion in 'malware problems & news' started by itman, Apr 28, 2013.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Jun 22, 2010
    I found this sucker by accident last weekend.

    I finally decided to do something about this WIN 7 Event Id 11 log event entry stating wininit.exe was dynamically loading .dlls at boot time. This error message had been generated forever on my WIN 7 installation. I never worried about it much since I had installed Avast on my PC initially and uninstalled it later. Avast BTW dynamically loads some of its .dlls. I knew that Avast was sloppy about resetting the LoadAppInit_Dlls switch in the registry back to zero.

    This switch controls if .dll injection occurs using .dll module names stored in the registry key, HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs; "0" = no and "1" = yes. So in the process of resetting the two flags (I have x64, i.e. HKLM\Software\Wow6432Node\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs as well) back to "0", I decided to check what was in the x86 reg section AppInit_DLLs key. Now from the base key display, nothing was shown. However, when I opened the AppInit_DLLs key in edit mode, there was something "lurking" there. The front of the key was shown in bright blue. Don't know what that sucker was, but I deleted it.

    Warning - the AppInit_DLLs keys also exist in other Hive registry keys. Leave those values alone!

    Now my PC runs like a champ. At least I have an explanation for all the weird crap going on on my PC for some time that none of the multiple antimalware scanners I have used could catch.

    BTW – whatever that malware was, it was being injected into every .exe that loads at boot time. Also, MS uses wininit.exe for those on-demand events that require a reboot, like chkdsk. Now I have an explanation for why that, along with other boot events, had been flaking off.

    Actually you can set a registry key in the same section as the above keys to only load MS certified .dlls. Now get this – that option is set off by default. MS says it’s to ensure “compatibility” with third party apps. And people wonder why Windows always gets hacked?
    Last edited: Apr 29, 2013
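The mechanism the post describes is worth checking on any Windows box rather than only in the Registry Editor, because the AppInit_DLLs value can hold entries that the list view does not render. The script below is an added example, not code from this thread or from any poster: it reads both registry views (the real key names contain a space, "Windows NT"), reports the LoadAppInit_DLLs switch and the RequireSignedAppInit_DLLs option the post mentions, hex-dumps the AppInit_DLLs value so non-printing characters show up, and checks the Authenticode signature of each listed DLL. It assumes PowerShell 3.0 or later and an elevated prompt; resolving bare DLL names against System32 or SysWOW64 is an assumption, a rough stand-in for the loader's actual search order.

```powershell
# Added example: audit the AppInit_DLLs injection mechanism on 64-bit Windows.
# Two registry views exist: the native one and the Wow6432Node one used by 32-bit processes.
$AppInitViews = @(
    @{ View = 'x64'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';             SysDir = "$env:SystemRoot\System32" },
    @{ View = 'x86'; Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'; SysDir = "$env:SystemRoot\SysWOW64" }
)

function Show-HiddenChars {
    # Hex of every UTF-16 code unit, so control or non-printing characters
    # that the Registry Editor list view does not render become visible.
    param([string]$Text)
    ($Text.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
}

function Get-AppInitDllAudit {
    foreach ($v in $AppInitViews) {
        if (-not (Test-Path $v.Key)) { continue }
        $p   = Get-ItemProperty -Path $v.Key
        $raw = [string]$p.AppInit_DLLs

        # Entries are space- or comma-separated; drop empty tokens.
        $entries = @($raw -split '[ ,]+' | Where-Object { $_.Trim() -ne '' })

        $dlls = foreach ($e in $entries) {
            # Assumption: bare names are resolved against the matching system directory.
            $path = if ([System.IO.Path]::IsPathRooted($e)) { $e } else { Join-Path $v.SysDir $e }
            $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
            [pscustomobject]@{ Entry = $e; Resolved = $path; Signature = $sig }
        }

        [pscustomobject]@{
            View                      = $v.View
            LoadAppInit_DLLs          = $p.LoadAppInit_DLLs          # 1 = injection enabled
            RequireSignedAppInit_DLLs = $p.RequireSignedAppInit_DLLs # 1 = only signed DLLs load; unset/0 by default
            AppInit_DLLs_Raw          = $raw
            AppInit_DLLs_Hex          = Show-HiddenChars $raw
            Dlls                      = $dlls
            # Injection is live only when the switch is on AND the value names at least one module.
            Injecting                 = ($p.LoadAppInit_DLLs -eq 1 -and $entries.Count -gt 0)
        }
    }
}

Get-AppInitDllAudit | Format-List
```

A view reporting Injecting = True with any entry whose Signature is not Valid deserves a closer look. Where nothing legitimate relies on the mechanism, setting LoadAppInit_DLLs to 0 disables it; setting RequireSignedAppInit_DLLs to 1 is the narrower option the post refers to. On Windows 8 and later with Secure Boot enabled, AppInit_DLLs loading is disabled by the OS regardless of these values.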