Virus winter.exe
IT, October 31st, 2007

A coworker today ended up with a virus on his box while trying to find a javascript. I'm not entirely sure what he did, but before he knew it his box was infected and throwing some nasty little messages telling him to pay for software to remove it. The virus, once running, uses some pretty thoughtful techniques to stop you from getting rid of it. I haven't found much online to really help, since apparently this has only been out a few days (going by the dates on the most recent postings I found), so I am typing this up in case it is helpful to someone. We initially thought it was the Smitfraud virus, but most of the known fixes didn't work on getting rid of it. Here are the characteristics of the virus:
- No access to run in the start menu
- No access to control panel in the start menu
- No access to task manager, even when trying to execute from the system folder
- Homepages in IE and FF are changed
- Search results, such as Google's, return pornographic material instead of actual results
- Running the Smitfraud removal tools is blocked unless the tool's folder has been renamed first
- Annoying popup every so often telling you there is a "Windows Security Alert" with a warning reading "Your computer is making unauthorized copies of your system and Internet files. Run full scan now to pervent any unauthorised access to your files! Click YES to download spyware remover ..."
The fix? Since we couldn't access the task manager to shut off the executable, we downloaded three applications to gain access and shut down the processes. You can download them here:
I suggest you reboot the machine and log in using safe mode (mash F8 while the computer is booting). We logged in with the normal account experiencing the issues, since we did not have an actual machine account. The first thing to do is shut down the executables running in memory; here is the list of processes to kill (using Process Explorer's Kill Process Tree command):
- infos.exe
- winter.exe
- proper.exe
- autos.exe
- there is also a .reg file containing winter.exe that was installed; when imported, it adds winter.exe to the autorun application list (sorry, we don't happen to have its name)
Next, delete the autorun entries for the following using Autoruns (right-click each entry and delete them all):
- infos.exe
- winter.exe
- proper.exe
- autos.exe
- skun.dat
- bronto.dll
Once you have completed the above, go into your C:\WINDOWS\system32 folder and delete these files from your hard drive so they cannot run again. You can sort by date to find the ".reg" file I mentioned. If you open it with Notepad (right-click and open it that way; do not double-click it, which would import it into the registry), you will see where it added an entry to run winter.exe when your machine is started.
Now run the ComboFix executable listed above and let it go through all of its cleaning steps. Lastly, we completely deleted the C:\windows\prefetch folder, which had a few references to these files. We rebooted the machine and, tada, no more issues...
I hope this helps someone.
31 Responses to “Virus winter.exe”
November 5th, 2007 at 2:52 pm
Thanks, the symantec website was of less help than you were … so thank you !
November 6th, 2007 at 10:28 pm
I’m currently talking to my seventh Symantec technician. Not one of them has successfully deleted the virus. This is ridiculous. Some of my friends said that Norton and Symantec were never very good at fixing their computers either. I’m about to try to follow your instructions and I really hope they work! I’ll let you know…
November 7th, 2007 at 4:48 pm
The virus is finally gone. Thanks for all of the help! I’m asking symantec for my 99.95 fee back that paid for the technicians who helped me that couldn’t get rid of the virus. We’ll see how that goes…
I’ve also gotten so sick of Symantec’s Norton Antivirus that I am going to switch to McAfee or possibly AVG Antivirus. I suggest everyone else who reads this do the same.
Thanks again! This site was a lifesaver!
November 7th, 2007 at 5:04 pm
This is the worse thing that I have ever seen. It really makes a mess of your system. The best solution that I found was using ComboFix.
I found out that when it gets onto your system, it will send out tons of spam over the internet.
November 10th, 2007 at 2:35 pm
I could not find Combofix from Techspot. There are 14 steps and lots of tools, but Combofix seems not there.
Would you please give some more detailed instruction?
November 13th, 2007 at 7:06 am
Will try your suggestions when I get home… I’ve got Panda Internet Security 2008 updated and it couldn’t delete it either, just like Norton and Kaspersky’s…
November 17th, 2007 at 5:42 pm
this virus has been driving me nuts! thank you!
November 18th, 2007 at 3:07 pm
Whomever authored this virus should be banned from the internet for life. This is senseless. It’s now November 18 and my Norton product still doesn’t have a fix for it so I’ll have to have a geek come in to help remove it. Thanks for the info.
November 18th, 2007 at 7:17 pm
Thank you very much for your help, this worked! The virus drove me insane. After removing the virus following your steps I had to regedit the controlpanel to gain access to that again and that’s fine too now.
November 19th, 2007 at 4:24 am
Hey, thanks for the removal instructions. I was on the right track, but had not found the .reg or bronto.dll until now. It has stopped regenerating now.
Thanks
November 19th, 2007 at 11:40 am
If you guys can get me the name of the REG file I will include it for others so they know exactly what to look for. I am glad that this helped you all out.
November 19th, 2007 at 7:36 pm
I too, need the name of the REG file. I think my issue keeps coming back because I am missing that. I have been able to locate all the other files and shut down the processes, but yesterday it came back – so it must be that REG file I can’t identify. HELP! I agree that Norton is very unhelpful; what a waste. I think free Avast has them beat, hands down.
November 20th, 2007 at 12:00 pm
Go into your C:\Windows\System32 folder and sort by date… if the file is there it should have a date around the time you were infected. You can safely open the file and see the reference to winter.exe in it. The reg file should not cause the virus to return unless it is run and the exes for the virus are still on your machine. It is quite possible you have a new version, since it has been nearly a month since it seemed to start appearing. Good luck.
November 20th, 2007 at 12:02 pm
When I said open, I don’t mean “run”… I mean right click on it and open it with Notepad. Do not double click it to open it.
November 20th, 2007 at 2:45 pm
I did a search in Windows and Windows\System32 for *.reg with folder options set to show all hidden. I only found one reg file and it had to do with a printer.
November 21st, 2007 at 9:40 am
yesterday I couldn’t find any trace of winter.exe or proper.exe. Today they are back. It is the reg file I cannot find. Please help; this is driving me nuts. Does the file have a .reg extension? Why does nothing show in the system32 folder when I do a search for all *.reg files?
November 25th, 2007 at 1:23 pm
I had additional related malware files called msanton.exe and timoty.exe. Didn’t have skun.dat or bronto.dll. Ran through everything once. When I logged back in, a few files came back. Went through process again. This time everything is clean.
Maybe I’m a little paranoid, but when I try to open a program and go to “Open With”, one of the program options is called “Dummy”. I can find no other reference to this on my computer. Does anyone know what this is?
November 25th, 2007 at 3:52 pm
Well, what should I say ..THANK YOU FOR THE GREAT WORK!!
it seems like that everything works fine now.
At first I tried to clean the computer by myself… removing the files infos.exe, winter.exe, proper.exe, autos.exe, skun.dat and bronto.dll… and then, running in safe mode, I could create a new admin account.
Installed F-Secure and it found just 4 more viruses; I deleted them and the computer crashed after the reboot (blue screen).
I ran in safe mode again and executed Combofix from Techspot. So I got back to my new account and searched the registry for “proper.exe”; I deleted the key. I did a scan of the whole HDD with F-Secure and found 70 more viruses. After the cleaning it now seems that everything works fine… but the old account doesn’t work… but… wtf… the new one works fine and I got back all I had on the pc.
thanks again
/polo
PS
sorry for my bad english
November 26th, 2007 at 6:54 pm
Dude, you rule. Couldn’t find the registry file but did find a weird looking text file that magically resurrected while I was cleaning house named sol709.txt in sys32 which may have been a masquerade.
November 29th, 2007 at 12:31 am
This helped so much! Thank you!! I’m still having one issue, though, and I’m not sure if it’s related to the virus or not. When logged in as the main user account (which is an administrative account) on my XP Home machine, I still get “Restriction” errors when I try to do things like right-click the desktop and choose Properties. And I am still not able to access the Control Panel when logged in as this account. However, all of these things work just fine when logged in as the actual Administrator. Is this a corrupt user account or a leftover side-effect of the virus? Or something else entirely?
December 1st, 2007 at 5:06 pm
Fantastic! I was at my wits’ end with this bullshit virus and your process saved me countless hours and money! I was ready to wipe the hard drive and reload all my programs… thank god I found you on Google.
Thanks one thousand times!
December 6th, 2007 at 2:04 pm
One of my student computers had this on it today. I had a “sol774.txt” file in my System32 folder that kept regenerating. After following your advice, I think I am finally rid of the darn thing.
BTW, the reg file flickered on my screen for a quick moment when ComboFix restarted my computer. I didn’t catch the entire name but I think it started with “SWF???.reg”. I used Recuva to search for the name of the file but without any luck. I did find some very interesting folders in C:\WINDOWS\system32\GroupPolicy\Adm from Clip2Play and other similar sites.
On a hunch I looked up the sol file extension at filext.com and one result was Flash MX SharedObject. SWF in the .reg file and SOL in the .txt file makes me think this was somehow a flash-embedded virus. I’ve not heard of a flash virus before but it would make sense that ActionScript could produce this.
December 7th, 2007 at 7:45 pm
all i got to say is thank you!!!!!
December 9th, 2007 at 11:52 pm
I did these tasks and ran combofix. After it finished and restarted, my computer would not load. It only loads in safe mode. I also lost access to the internet in safe mode with networking. Does anyone have any clue why, and how to get it to load in normal mode? Thanks
December 10th, 2007 at 8:00 am
I don’t know how I got it! All I remember is a window asking if I’d like to use Microsoft Explorer as my default whatever. I should have been wary, because it came with no reason.
That was on Friday the 07th. I tried a lot of things, like starting up in safe mode with command prompt, where I was able to wipe off proper.exe and winter.exe, but they kept coming back.
On the internet many blogs looked unpromising, until I found you!
My security parameters didn’t allow me to download the 3 applications you mentioned and the virus(es) didn’t allow me to change the parameters, so I downloaded them at home onto a USB key.
This morning I started my computer, which let me know that it couldn’t find proper.exe like before, but the pop-ups were gone… I followed your procedure anyway and couldn’t find any virus, so I think that I wiped them out previously (don’t ask me how). Some things were still active though, like the missing Control Panel etc., so I ran Combofix and now all is back and running properly.
I’d like to thank you for willing to share your knowledge and to give advice, and also to congratulate you on your knowledge !!!
Bernard
December 11th, 2007 at 2:36 pm
This virus is downloaded automatically when
visiting some web pages.
It adds files to c:\winnt\system32
proper.exe
winter.exe
bronto.dll
It also adds files to c:\documents and settings\All Users\Start Menu\Programs\Startup:
autos.exe
And instead of ‘All Users’ above in the directory for the current user (same sub-directories) would be found:
infos.exe
It adds values to policies explorer key in registry
Directions for Removal
login as normal
Open task manager kill ‘winter’
Edit registry
Search for proper.exe
It would be found in ‘Shell’ after Explorer.exe
remove it (don’t remove explorer.exe)
Search for winter.exe
It would be found twice under the ‘run’ keys delete both instances
Search for bronto.dll
Delete the whole CLSID
Go to c:\winnt\system32
Delete:
proper.exe
winter.exe
bronto.dll
Go to c:\documents and settings\All Users\Start Menu\Programs\Startup
Delete autos.exe
Go to c:\documents and settings\’put your user id here’\Start Menu\Programs\Startup
Delete infos.exe
Search for ‘NoControlPanel’ in registry
Delete all values in explorer key.
Restart
December 19th, 2007 at 12:19 am
I recall the night I got this one. The Javascript came on at the same time these bugs came in. My Java was almost 4 years old, so I updated to their new version right away which is much more secure.
December 20th, 2007 at 10:38 pm
Combofix did it.
Have a client who had the winter.exe virus on an xp pc. Couldn’t find the Control Panel, even from the Run command line. Add/Remove programs was inaccessible. Often got an error saying I didn’t have rights to do anything. When right-clicking a file, the menu had an extra choice in gibberish.
Downloaded Combofix from another pc onto my USB flash drive. Ran Combofix and it came up in a Dos/command window and proceeded through deleting all of the files associated with this virus.
After rebooting, I could find no mention of winter.exe or its associated files anywhere. Even the registry, which had the run commands for the virus, was clean.
Why can’t ALL antivirus programs be this quick and efficient?
December 24th, 2007 at 4:43 pm
Great, thank you a lot. It was so helpful for me!!
March 25th, 2008 at 3:06 pm
When I boot up in safe mode, my personal user account is missing, replaced by the Administrator account. How can I correct that?
April 20th, 2008 at 6:59 pm
Smitfraud is definitely bad stuff. The first time I came across this I had a ton of problems removing it. Now whenever I run into this I do a system restore first, then run the free smitfraudfix tool and then run a full scan with Spyware Doctor. If you have Smitfraud I can guarantee you are infected with other threats as well, and that is why you need to use other software besides just the smitfraud fix tool.