New virus undetected by Avast 4.5 Home Edition

Hey,

Today I started getting really odd network behaviour, which I thought was because of my Windows XP reinstall procedure; I kept getting network buffer errors. After a short period of time I finally installed my favourite tools back, and when I started up TcpView I noticed Kernell.exe is using all my network resources.

First it connects to gurgun.adm.umu.se:6667, obviously taking me to an IRC channel. After that all hell breaks loose and it starts making connections to my fellow students in our university's LAN.

Kernell.exe is 111 616 bytes, its creation date is 29.08.2002, it is in the c:\windows\system32\ dir and it's marked as a hidden and system file. Also, when it's un-hidden, after a while it marks itself as hidden again.

I've tried a few other free virus removal tools [Stinger etc.], but none of the programs recognize the virus. And I'm unable to use the internet properly at the moment because this virus used up all my daily quota in just a few minutes.

So I'm wondering if I could submit this new virus, or most likely a new variation of an old virus, somewhere. I probably could get rid of this virus by just removing the exe and some registry entries, but I thought I'd ask if the file is needed for the virus database. Avast isn't recognizing this.

System specs:

Windows XP Professional, SP1 with latest individual patches.

myyra
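The symptoms described in this post (one outbound IRC connection plus a burst of connections to LAN neighbours) can be turned into a simple triage check over a TcpView-style connection listing. This is an added example, not code from the thread or from Avast; the sample listing, the LAN range 10.1.2.0/24, the placeholder IRC server address 192.0.2.10 and the fan-out threshold are all assumptions.

```python
"""Flag processes whose connection table matches the thread's symptoms:
an outbound IRC control connection plus fan-out to many LAN neighbours."""
from collections import defaultdict
import ipaddress

IRC_PORTS = {6667}
FANOUT_THRESHOLD = 5  # assumption: 5+ distinct LAN peers from one process is suspicious

# Constructed sample in a TcpView-like column layout (not a real capture):
# process  pid  proto  local_addr:port  remote_addr:port  state
SAMPLE = """\
Kernell.exe 1428 TCP 10.1.2.15:1087 192.0.2.10:6667 ESTABLISHED
Kernell.exe 1428 TCP 10.1.2.15:1102 10.1.2.21:445 SYN_SENT
Kernell.exe 1428 TCP 10.1.2.15:1103 10.1.2.22:445 SYN_SENT
Kernell.exe 1428 TCP 10.1.2.15:1104 10.1.2.23:445 SYN_SENT
Kernell.exe 1428 TCP 10.1.2.15:1105 10.1.2.24:135 SYN_SENT
Kernell.exe 1428 TCP 10.1.2.15:1106 10.1.2.25:135 SYN_SENT
firefox.exe 2044 TCP 10.1.2.15:1090 192.0.2.80:80 ESTABLISHED
svchost.exe 1012 UDP 10.1.2.15:1026 *:*
"""

def parse(text):
    """Yield (process, pid, remote_ip, remote_port) for rows with a concrete peer."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proc, pid, _proto, _local, remote = parts[:5]
        if remote.startswith("*") or ":" not in remote:
            continue  # listening socket / no peer
        host, port = remote.rsplit(":", 1)
        try:
            rows.append((proc, int(pid), ipaddress.ip_address(host), int(port)))
        except ValueError:
            continue  # unparsable row, skip rather than crash
    return rows

def suspicious_processes(text, lan=ipaddress.ip_network("10.1.2.0/24")):
    """Return {(process, pid): [reasons]} for processes talking to IRC or fanning out on the LAN."""
    irc, lan_peers = defaultdict(set), defaultdict(set)
    for proc, pid, addr, port in parse(text):
        if port in IRC_PORTS:
            irc[(proc, pid)].add(str(addr))
        if addr in lan:
            lan_peers[(proc, pid)].add(str(addr))
    findings = {}
    for key in set(irc) | set(lan_peers):
        reasons = []
        if irc[key]:
            reasons.append("irc:" + ",".join(sorted(irc[key])))
        if len(lan_peers[key]) >= FANOUT_THRESHOLD:
            reasons.append(f"lan-fanout:{len(lan_peers[key])}")
        if reasons:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for (proc, pid), why in suspicious_processes(SAMPLE).items():
        print(f"{proc} (pid {pid}): {'; '.join(why)}")
```

The check only reads a connection listing, so it is a triage aid for spotting the process to quarantine and submit, not a replacement for signature-based detection.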

which i thought was because of my windows xp reinstall procedure,
That is why you now have problems. You didn't install a firewall and AV software before connecting to the net again. Another problem is that you don't have all security patches/updates installed.

Click on the link in my signature and from the menu choose "malware removal instructions". Take your time to read that page and do everything as explained there. No need to rush.

Um, thanks for the fast response.

I do have the latest updates, but it's true that I probably could have been connected to the internet for that 1-3 minutes before I installed Avast and Personal Firewall. I have a LAN and DHCP just throws me onto the internet in seconds, and this time I forgot to unplug the cable when I re-installed Windows.

But the worrying part is that this virus is not detected by Avast Antivirus.

I've managed to run a few internet scanners and indeed it's infected with Backdoor.Win32.Rbot.gen or Win32/RpcDcom.gen, whichever way you want to name it.

But still, when I scan that file with Avast, nothing.

I just hope Avast would add this virus to its database, that's all.

EDIT: True, I didn't have all the latest patches, because yesterday several important patches were released by Microsoft. Still, the virus remains undetected by Avast, which was the main issue.

myyra

Please send the file in a password-protected archive (Zip or RAR) to
virus (at) avast.com
and include the archive password and a short description of the problem in the mail text.

If you just recently reinstalled, it surely wouldn't be much of a problem to do it again → that would be best, because your system is now compromised/not secure any more…

→ 1) download the full installer of SP2, or get it from a friend with a fast connection or from a PC magazine

  1. Format C: or the system partition
    (if possible, better divide the hard disk into a WIN/System partition and a D: data partition)

  2. install XP OFFLINE (network cable unplugged)

  3. use NEW, secure passwords; also change PINs and sensitive data used/entered since the previous reinstall

  4. install XP's SP2 OFFLINE

  5. Install the newest Avast version (best with the network shield enabled) OFFLINE

  6. Maybe install (and of course configure) a firewall (OFFLINE)

Now is the first time you may plug in the cable/connect to the internet/network:
first go to the Windows Update site and install the remaining updates,

then secure your system & browser…

See the link "VirusRemoval" below in my sig → BACKDOOR section for details

:wink:

I do have latest updates
No, you don't. SP2 has updates that were not released separately.
But the worrying part is that this virus is not detected by Avast Antivirus.
It is likely not a virus, but an IRC trojan.

What version of the VPS were/are you using?