Randex goes by undetected by Avast 4.6 Home

My avast and definitions are up to date. I made a boot time check of all drives. Nothing showed up. But I clearly had viral behavior. Websites were being redirected. (mozilla.org was one)

So finally this morning after I had run the avast boot time check over night I launched up WinTasks (a running process-control program, something like an extended version of the taskmanager) and it showed a process named “winlogin.exe”.
Giving me the information this was a sign of infection with Randex.

I then proceeded to search the web for a removal tool, found one, removed the virus and here I am. Asking why Avast couldn’t protect my system as it should.

Hello kolya :slight_smile:

Well, no AV can detect ALL viruses, there are some viruses that aren’t detected and some that are detected.

If you find a virus that isn’t detected by avast!, you can send it to Alwil and they will add it to the VPS file :wink:
You can send the infected file to virus[at]avast[dot]com in a password protected archive, in the mail body you must write the password for the archive (usually the password is “virus”) and a little description. :wink:

What a coincidence!!

Can you let Stefanz have the address of the removal tool?

http://forum.avast.com/index.php?topic=16890.0

Well, I don’t have the virus anymore as the remover deleted it naturally. So I can’t send it to ALWIL.
I posted the link for the removal tool in Stefanz’ thread btw.

Yes, I understood that from your previous post, I’ve just explained you what to do if you find an undetected virus in the future :wink:

Mmmh, there’s also a removal tool by microsoft. (google for: randex removal microsoft)
And it says my system’s not infected anymore. But when I try to access mozilla.org, even after clearing the cache, I still get pointed to this fake site that clearly isn’t mozilla…

Happens in any of my installed browsers. Even in LYNX.
Any ideas?

If avast! detected it, I’ll suggest a boot time scanning.
If not, an on-line scanning, see spyware scanning at http://www.spywareguide.com/txt_onlinescan.html and online virus scanning at http://www.security-ops.tk/

Check your hosts file: there may be a redirection.

Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

You should see an entry for mozilla.org together with an IP address which will be the address of the bogus site.

You can rename the hosts file and Windows will create a new one, or use notepad to edit it I think. It may be protected though, I can’t remember. HijackThis! also allows you to remove redirections and Spybot S & D removes some automatically. There’s also a good utility called HostMan which will allow you to remove entries.

One of these is sure to work!
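As an added illustration of the check described above (not code from the thread or from any of the tools named in it), this script parses hosts-file text and flags entries that pin a public hostname to an address other than loopback, which is exactly the kind of mozilla.org redirection being discussed. The sample content and the 192.0.2.44 address are constructed; `SAMPLE_HOSTS`, `parse_hosts` and `suspicious_entries` are names chosen here.

```python
import ipaddress
import sys

# Constructed sample hosts-file content (not taken from any real system).
# The mozilla.org line mimics the bogus redirection the thread describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.44      mozilla.org www.mozilla.org   # constructed bogus entry
::1             localhost
127.0.0.1       ad.doubleclick.net            # blocklist-style entry, harmless
"""


def parse_hosts(text):
    """Return (ip, hostname) tuples from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Entries that redirect a hostname to a real machine.

    Loopback/unspecified targets (127.0.0.1, ::1, 0.0.0.0) only block a name;
    anything else sends the browser somewhere, so it is worth a close look.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))  # malformed address: report it too
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, name))
    return flagged


if __name__ == "__main__":
    # Pass a path (e.g. the Windows path given above) to scan a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, name in suspicious_entries(text):
        print(f"{name} -> {ip}")
```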

Yah, cool. I moved “C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts” and restarted the system. No more funny redirects now.
Thank you pal.

To make sure a system is clean, you always must run several tools.
Have a look in the malware removal section on this website: http://mrspock.dsmirc.co.uk

:slight_smile: Sounds like you had spyware, not a virus. Before using the “removal tool”, did you run an antispyware scan, & if yes, what was its “findings”?

W32.Randex.E is an Internet Relay Chat (IRC) Trojan Horse that allows its creator to control a computer by using IRC.
It is also a worm that can use the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to spread itself.

Symantec.

So it’s vitally important to update once it’s gone to make sure it doesn’t come back.

Randex may be stealth malware, hiding folders and perhaps registry entries. It also seems to be able to inject itself into system processes at an early stage of Windows boot up.

This may be why avast! has problems with the malware? Perhaps some malware can be active even during the boot time scan?

Yes, I ran “Spybot Search & Destroy” with updated definitions but it didn’t find it.

I am currently going through this tutorial on MajorGeeks which seems to be a pretty thorough procedure to get rid of malware/spyware/trojans.

I read about Randex being an IRC-trojan. I was in a single* IRC channel for quite some time, maybe that’s where I got this lil ‘gift’.

* By ‘single’ I mean it was only one IRC channel I joined. What did you think? :wink:

:slight_smile: I believe there is a better “tutorial” at www.spywarewarrior.com/rogue_anti-spyware.htm . The last “part” of this site is where I suggest you read, starting with “Trustworthy Anti-Spyware Products”.