rootkit: syssvc.exe, and its installer ahfnvwrtsbl.exe

While searching for a cell-phone USB driver I contracted a rootkit virus.
How it went from where it was to being on my machine, who knows. I have just about everything blocked and disabled, but somehow it did.
It's one of those “your machine is infected please visit our website to dis-infect it” type of malware, and of course then it proceeds to take over and flag every program you open as infected.
Avast catches it one time on power up, but it somehow inserts itself again. Avast identifies the rootkit correctly, but the little installer exe slips right past it, even if you scan the installer’s folder with AVAST. The rootkit is syssvc.exe, but that's not what gets past Avast.

The malware installer is placed in a folder named wcxqqvsby in my C:\Documents and Settings\[my-name]\Local Settings\Temp folder and is named ahfnvwrtsbl.exe.

Then it added two registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {I forget the name…but it points to the installer listed above}
and in
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {I forget the name…but it points to the installer listed above}

AVAST seems to catch one (AVAST is about the third entry in the HKEY_LOCAL_MACHINE path), flags it and puts it in the virus chest. I guess the thing gets re-inserted when the HKEY_CURRENT_USER path is executed, and for reasons that are not clear {to me} AVAST doesn't seem to catch this (or maybe it caught this and not the one in HKEY_LOCAL_MACHINE). The bottom line is that one gets through.

I will zip and send a copy of the installer to the AVAST team in a separate email.

Oh, one other thing…I don't know if the installer or the virus did this, but after I cleared my machine, both IE and Firefox had the proxy server set to the machine’s permanent internal IP address, so they didn't work till I cleared it.
cm
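
An added example, not part of the original posts: a read-only PowerShell check of the two Run keys described above that flags autostart entries whose target sits under a Temp folder, and reports the Internet Explorer proxy values. It assumes PowerShell 3.0 or later; the helper names Get-RunEntryTarget and Test-TempPath are hypothetical.

```powershell
# Added example: audit the HKLM and HKCU Run keys for entries that launch
# a program from a Temp directory. Nothing is modified or deleted.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunEntryTarget {   # hypothetical helper name
    param([string]$Command)
    # Expand %TEMP%-style variables, then take the quoted path,
    # or the text up to the first ".exe", or the first token.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"')    { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Test-TempPath {        # hypothetical helper name
    param([string]$Path)
    # ...\Local Settings\Temp\ (XP), ...\AppData\Local\Temp\ (Vista and later),
    # and ...\Windows\Temp\. -match is case-insensitive.
    return $Path -match '\\(Local Settings|AppData\\Local|Windows)\\Temp\\'
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $target  = Get-RunEntryTarget $command
        [pscustomobject]@{
            Key    = $key
            Name   = $name
            Target = $target
            InTemp = Test-TempPath $target
            Exists = [bool]($target -and (Test-Path -LiteralPath $target))
        }
    }
}

# Entries launching from Temp are listed first; compare HKLM against HKCU,
# since a copy left in either key will relaunch the program at logon.
$findings | Sort-Object InTemp -Descending | Format-List

# Internet Explorer (WinINET) proxy values for the current user.
# Firefox keeps its proxy setting in its own profile and is not covered here.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[pscustomobject]@{ ProxyEnable = $inet.ProxyEnable; ProxyServer = $inet.ProxyServer } | Format-List
```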

It's one of those "your machine is infected please visit our website to dis-infect it" type of malware, and of course then it proceeds to take over and flag every program you open as infected.
sounds like you have a rogue...

try this

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
always update the program before you scan
click the remove selected button to quarantine anything found
please post the scan log here

I will zip and send a copy of the installer to the AVAST team in a separate email.
also test the file at www.virustotal.com with 43 virus scanners; when you have the result, copy the URL in the address bar and post it here