My avast and definitions are up to date. I made a boot time check of all drives. Nothing showed up. But I clearly had viral behavior. Websites were being redirected. (mozilla.org was one)
So finally this morning after I had run the avast boot time check over night I launched up WinTasks (a running process-control program, something like an extended version of the taskmanager) and it showed a process named “winlogin.exe”,
giving me the information that this was a sign of infection with Randex.
I then proceeded to search the web for a removal tool, found one, removed the virus and here I am. Asking why Avast couldn’t protect my system as it should.
Well, no AV can detect ALL viruses; there are some viruses that aren’t detected and some that are detected.
If you find a virus that isn’t detected by avast!, you can send it to Alwil and they will add it to the VPS file
You can send the infected file to virus[at]avast[dot]com in a password protected archive; in the mail body you must write the password for the archive (usually the password is “virus”) and a little description.
Well, I don’t have the virus anymore as the remover deleted it naturally. So I can’t send it to ALWIL.
I posted the link for the removal tool in Stefanz’ thread btw.
Mmmh, there’s also a removal tool by microsoft. (google for: randex removal microsoft)
And it says my system’s not infected anymore. But when I try to access mozilla.org, even after clearing the cache, I still get pointed to this fake site that clearly isn’t mozilla…
Happens in any of my installed browsers. Even in LYNX.
Any ideas?
Check your hosts file: there may be a redirection.
Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS
You should see an entry for mozilla.org together with an IP address which will be the address of the bogus site.
You can rename the hosts file and Windows will create a new one, or use notepad to edit it I think. It may be protected though, I can’t remember. HijackThis! also allows you to remove redirections and Spybot S & D removes some automatically. There’s also a good utility called HostMan which will allow you to remove entries.
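The hosts-file check described above can be automated. The script below is an added example, not code from the thread or from any of the tools it names: it parses a hosts file, treats only loopback and the 0.0.0.0 blackhole address as normal targets, and reports every hostname that is pointed at a routable IP address, which is the shape a hijack such as the mozilla.org redirection would take. The sample file contents and the 192.0.2.10 address are constructed placeholders; the Windows XP path is the one quoted in the post.

```python
import ipaddress
from pathlib import Path

# Constructed sample hosts file (not taken from the thread). The mozilla.org
# line mimics the kind of redirection the post describes; 192.0.2.10 is an
# RFC 5737 documentation address used as a placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      mozilla.org www.mozilla.org   # planted entry
0.0.0.0         ads.example   # blocklist-style entry, harmless
"""


def parse_hosts(text):
    """Return a list of (ip, [hostnames]) entries, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no hostnames is not an entry
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def is_harmless_target(ip_text):
    """Loopback (127.0.0.1, ::1) and 0.0.0.0 are the only normal hosts-file targets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def find_redirections(text):
    """Return (ip, hostname) pairs that send a name to a real, routable address."""
    hits = []
    for ip, names in parse_hosts(text):
        if not is_harmless_target(ip):
            for name in names:
                hits.append((ip, name))
    return hits


def scan_hosts_file(path=r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts"):
    """Scan a live hosts file; the default is the Windows XP path from the thread."""
    return find_redirections(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for ip, name in find_redirections(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```

Run against the sample it reports both mozilla.org names; run as `scan_hosts_file()` on the real machine it reads the live file. Any hit should be compared against what the name resolves to from a clean machine before the entry is removed or the file is renamed as the post suggests.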
To make sure a system is clean, you always must run several tools.
Have a look in the malware removal section on this website: http://mrspock.dsmirc.co.uk
W32.Randex.E is an Internet Relay Chat (IRC) Trojan Horse that allows its creator to control a computer by using IRC.
It is also a worm that can use the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to spread itself.
Symantec.
So it’s vitally important to update once it’s gone to make sure it doesn’t come back.
Randex may be stealth malware, hiding folders and perhaps registry entries. It also seems to be able to inject itself into system processes at an early stage of Windows boot up.
This may be why avast! has problems with the malware? Perhaps some malware can be active even during the boot time scan?
I believe there is a better “tutorial” at: www.spywarewarrior.com/rogue_anti-spyware.htm
The last “part” of this site is where I suggest you read, starting with “Trustworthy Anti-Spyware Products”.