Thread: Have you seen this virus?

  1. #1

    Thread Starter
    PowerPoster stanav

    Have you seen this virus?

    One of my co-workers' laptops is infected with this malware that I'm not sure what exactly to call, but this is what I found on his laptop:

    1. It creates entries in the registry to start up 2 programs, "%windir%\temp\winlogan.exe" and "%AllUsers%\ApplicationData\randomfoldername\spywareCatcher2009.exe", when Windows starts.

    2. It periodically displays fake warning messages about malware infection.

    3. It disables McAfee antivirus and Avast.

    4. It blocks all of these programs from running:
    - Task manager
    - Command prompt
    - Regedit
    That is, when I tried to run any of these, nothing happened. No error message either. Just absolutely nothing.

    5. It puts entries in the hosts file and locks it from being changed. I can open the hosts file but cannot make changes to it. If I attempt to save the changes, Windows shows an error message "cannot create c:\windows\system32\drivers\ect\hosts file. The directory doesn't exist". (Note that that directory is where I opened the hosts file from.)

    6. It turns off System Restore, thus no restore point is available.

    7. It is constantly sending/receiving packets over the network connection.

    8. It somehow manages to hide the winlogan.exe file. Using Windows Explorer with folder options set to show all hidden files as well as system files, I still cannot find winlogan.exe.

    I was able to disable the 2 programs mentioned above via msconfig and deleted spywareCatcher 2009.exe. This stops the random fake virus warnings, but all other symptoms remain.

    I'm about to reformat the HDD now since his laptop had already been running pretty sluggishly before the infection. However, I'm just wondering if any of you have encountered a malware this smart?
    Let us have faith that right makes might, and in that faith, let us, to the end, dare to do our duty as we understand it.
    - Abraham Lincoln -
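
    A triage sketch for the startup entries listed in post #1, added here as an example and not part of any poster's message: it flags autorun commands that start from a temp or user-data directory, or whose file name is one character away from a genuine Windows binary (as winlogan.exe is from winlogon.exe). The entries in RUN_ENTRIES are constructed from the paths quoted above, and the list of system binaries and directory fragments is an assumption.

```python
import ntpath

# Assumed short list of genuine Windows binaries whose names get imitated.
SYSTEM_BINARIES = ["csrss.exe", "explorer.exe", "lsass.exe",
                   "services.exe", "svchost.exe", "winlogon.exe"]
# Lower-case path fragments that are unusual homes for a startup program.
SUSPECT_DIRS = [("\\temp\\", "runs from a temp directory"),
                ("\\applicationdata\\", "runs from a user-data directory"),
                ("\\application data\\", "runs from a user-data directory"),
                ("\\appdata\\", "runs from a user-data directory")]

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_path(command):
    """Extract the lower-cased executable path from a Run-key command line."""
    cmd = command.strip()
    if cmd.startswith('"'):                 # quoted path, arguments may follow
        return cmd[1:].split('"', 1)[0].lower()
    low = cmd.lower()
    end = low.find(".exe")                  # unquoted path may contain spaces
    return low[:end + 4] if end != -1 else low

def triage(command):
    """Return the reasons a startup command looks suspicious (empty if none)."""
    path = exe_path(command)
    name = ntpath.basename(path)
    reasons = [why for frag, why in SUSPECT_DIRS if frag in path]
    reasons += ["name imitates " + legit for legit in SYSTEM_BINARIES
                if edit_distance(name, legit) == 1]
    return reasons

# Constructed sample of Run-key values; the first two paths are from post #1.
RUN_ENTRIES = {
    "winlogan": r"%windir%\temp\winlogan.exe",
    "spywareCatcher": r"%AllUsers%\ApplicationData\randomfoldername\spywareCatcher2009.exe",
    "genuine": r'"C:\Windows\system32\winlogon.exe" /example',
}

def flagged(entries):
    """Map each suspicious entry name to its list of reasons."""
    results = {name: triage(cmd) for name, cmd in entries.items()}
    return {name: why for name, why in results.items() if why}
```

    The directory check is only a heuristic for ordering a manual review, since some legitimate software also starts from user-data folders.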

  2. #2
    New Member kareemanime

    Re: Have you seen this virus?

    I am not very sure, but I had something similar 2 months ago. The part about disabling the task manager and the command prompt is the same. Also, those false alarms were very annoying. McAfee couldn't deal with it.
    I downloaded the free version of Avira antivirus and it controlled nearly everything. And I say nearly because Windows continued to work slowly after that, so I had to reinstall it again after a while. But I haven't had any problems since then. Everything works fine now.

  3. #3
    PowerPoster Nightwalker83

    Re: Have you seen this virus?

    Hi stanav,

    Does your colleague remember how long the virus has been on the computer?

    I just found this:

    http://removal-tool.blogspot.com/200...val-guide.html

    after I searched for "spywareCatcher 2009.exe".
    When you quote a post, could you please do it via the "Reply With Quote" button, or if it is multiple posts, click the "''+" button then the "Reply With Quote" button.
    If this thread is finished with please mark it "Resolved" by selecting "Mark thread resolved" from the "Thread tools" drop-down menu.

  4. #4
    coder. Lord Orwell

    Re: Have you seen this virus?

    It's not a virus. It's considered malware. I don't suppose you have had a fake antivirus program appear and the alerts are coming from a shield icon in your task bar?
    My light show youtube page (it's made the news) www.youtube.com/@lightsofelberfeld
    Contact me on the socials www.facebook.com/lordorwell

  5. #5

    Thread Starter
    PowerPoster stanav

    Re: Have you seen this virus?

    Yes, the SpywareCatcher 2009.exe is a fake antivirus and I was able to shut it off, but the winlogan.exe is a backdoor trojan that I could not get rid of. Anyway, I reformatted the drive and reloaded it from an image. The problem is considered solved, but I still would like to know what to do to regain control of cmd.exe, taskmgr.exe and regedit.exe should this happen again. Note that, as I said in the original post, these programs were blocked from running. When I tried to run one of them, Windows acted as if it was opening the program, but then nothing happened. No errors whatsoever. It looked like the program was opened and then closed down immediately before it even became visible.

  6. #6
    coder. Lord Orwell

    Re: Have you seen this virus?

    That is exactly what was happening. Windows was opening them but another program running was closing them. You need to keep a good spyware program running, such as Spybot S&D. It has a "TeaTimer" application that stops blacklisted applications from even running in the first place.

    It's also capable of repairing permission issues where you aren't allowed to run ctrl-alt-del for example.