It seems that I have a virus that I could find nothing about anywhere. I have spent several hours looking for info on almost all sites… finally decided to post here.
The virus acts in a quite strange way. First of all, it disabled my wireless connection; Wireless Zero Configuration didn’t help. Then I tried installing avast! Home Edition, and the installation went fine, everything OK, but right after the installation the virus deleted all the important exe files in the avast folder (shortcuts created on the desktop don’t even have icons) and it didn’t even reboot. The same thing happened with Spybot, and AVG didn’t even finish the installation. The other thing is, at startup it opens a hidden iexplore window asking for Simplified Chinese installation. And the last thing I have noticed: my Protector Suite (fingerprint reader application) crashes after reboot.
I am running Windows XP Tablet PC Edition on a Toshiba Portege M400 laptop.
This could be a rootkit variant, which F-Secure’s BlackLight should be able to take care of.
I doubt the virus disables the wireless connection as that would potentially reduce its effectiveness not to mention draw it to your attention. It may however be as a result of another issue, not one I have any experience of as I don’t use wireless networking.
Well, BlackLight found and cleared something, but it seems to be not enough. Tried installing avast again, but the main ashAvast.exe is not there; Spybot has the same problem as before. Gosh, it looks like I’ll never get rid of this!
I am trying to scan with the Simple Interface of avast, which is there, but it doesn’t find anything.
I will try the Panda rootkit cleaner, but the problem is that my safe mode doesn’t work; it throws a bluescreen right after load. I have already run AVG Anti-Spyware from normal mode and quarantined a few non-related things.
Anyway, I am still investigating what it could be, because none of the programs gave me the answer, and it has something in common with this:
However, there is nothing to indicate that they were removed. Check for the presence of these files; in Explorer ensure that Hidden Files and Folders is displayed (Tools, Folder Options, View). If the rootkit element is still there those files may still be hidden. If they are there, add them to the User Files section (File, Add) of the avast chest.
You mention the security advisor info:
If there is an indication of a registry key deleted to stop boot into safe mode then it should be possible to recreate that from the same information.
Try to schedule an avast boot-time scan. You should be able to run the Simple User Interface by finding C:\Program Files\Alwil Software\Avast4\ashSimpl.exe (or ashSimp2.exe if the first doesn’t run); once you open it, choose ‘Schedule boot-time scan…’ from the Menu. If anything is found in the boot-time scan, send it to the chest (don’t delete).
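A defender-side triage script for the two checks suggested above (are the avast executables really gone or just hidden, and are the Safe Mode registry keys still present). This is an added example, not code from the thread or from avast; the folder path and file names come from the posts, the SafeBoot key names are standard Windows keys, and the list of expected executables is an assumption.

```powershell
# Added example: triage the symptoms described in the thread.
# Assumes PowerShell is installed on the XP box and the avast path from the posts.

$avastDir = 'C:\Program Files\Alwil Software\Avast4'
# Executables the thread mentions; this list is an assumption, extend as needed.
$expectedExes = @('ashAvast.exe', 'ashSimpl.exe', 'ashSimp2.exe')

function Test-AvastFiles {
    param([string]$Dir, [string[]]$Names)
    foreach ($name in $Names) {
        $path = Join-Path $Dir $name
        # -Force also returns files carrying the Hidden/System attributes, so a
        # file a rootkit merely hid (rather than deleted) is still reported.
        $item = Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            "MISSING  $path"
        } elseif ($item.Attributes -band [IO.FileAttributes]::Hidden) {
            "HIDDEN   $path (attributes: $($item.Attributes))"
        } else {
            "present  $path"
        }
    }
}

function Test-SafeBootKeys {
    # Safe Mode loads the drivers and services listed under these keys; a
    # missing key is a common reason a safe-mode boot fails outright.
    foreach ($sub in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sub"
        if (Test-Path $key) {
            $count = @(Get-ChildItem $key).Count
            "present  $key ($count entries)"
        } else {
            "MISSING  $key  -> restore from a backup or a known-good XP system"
        }
    }
}

Test-AvastFiles -Dir $avastDir -Names $expectedExes
Test-SafeBootKeys
```

Run it from an administrator account; anything reported as HIDDEN is a candidate for the avast chest as described above, and a MISSING SafeBoot key explains a bluescreen on safe-mode boot.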
I would never have said that the solution to this problem is as easy as running System Restore :)
Everything works fine, Spybot can install, wireless works and I suppose safe mode will work too.
This is the first feature on Windows I really like.
If you have any ideas on what to do now, or if I really did remove the worm or anything else, post it now, because I am going to celebrate! I spent all day doing this anyway…
The solution isn’t always that simple; in this case it allowed the restoration of the safe-boot and perhaps reversed the registry entries for the running processes. Any files previously deleted are likely to have stayed that way, as they weren’t in the system folders.
I think that system restore is so good (not) that it is permanently disabled on my system, it has severe restrictions and isn’t a means of back-up.
System Restore MVP site - http://bertk.mvps.org/
There are many, many reasons why a System Restore may fail. For example, see "Why are previous restore points not working?" in the "Troubleshooting" section of this official Microsoft page:
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx
There’s lots more on that page that’s worth reading too. Note especially the sections on “Does System Restore protect personal data files?” (the short answer: no); “What should I do if System Restore does not work?”; “Why are my restore points missing or deleted?”; “Why does the System Restore Wizard lockup?”; and so on. Just a few minutes on that page ought to convince just about anyone that System Restore is not intended for heavy-duty system protection!
Run both blacklight and the panda rootkit cleaner.
Once you have done that, you might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better, and theoretically easier, than cure.
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
A note on my comment on my having disabled system restore, for those possibly reading this later, I don’t recommend this unless you have something to replace it, as even with any possible flaw it is better than no system restore at all.
I use disk imaging software that takes an exact copy of my partitions, saved to another hard drive or to DVD; this is my fall-back replacement for System Restore. I do a regular weekly image of my working partitions and keep 5 weeks’ worth on my 2nd HDD, so if I have a problem I restore the previous image; at worst I lose 6 days of system changes. I also do a daily back-up of my volatile data files: .doc, .xls, email database folders, favourites, address book, basically anything you don’t want to lose.
So don’t disable system restore permanently unless you have a comprehensive system recovery & back-up plan.
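The least-privilege idea behind DropMyRights, shown as an added example that is not the thread's or DropMyRights' own code: detect whether the current account is an administrator and, if it is, start the browser under a restricted token using the built-in runas /trustlevel option. The browser path is an assumption.

```powershell
# Added example: run the browser without administrator rights, so malware
# picked up while browsing inherits only limited permissions (the point
# made in the post above). Assumes IE at the default XP path.

$browser = 'C:\Program Files\Internet Explorer\iexplore.exe'

function Test-IsAdministrator {
    # True when the current token carries the Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-WithBasicUserRights {
    param([string]$Path)
    # 0x20000 is the "Basic User" level listed by `runas /showtrustlevels`.
    # The child process runs without the Administrators group and its
    # privileges, so it cannot write where only administrators may, such as
    # the system folders or HKLM, which is exactly what the malware needs.
    & runas.exe /trustlevel:0x20000 "`"$Path`""
}

if (Test-IsAdministrator) {
    Write-Host "Running as administrator; starting $browser with Basic User rights."
    Start-WithBasicUserRights -Path $browser
} else {
    Write-Host "Already a limited account; starting $browser normally."
    Start-Process -FilePath $browser
}
```

Running `runas /showtrustlevels` first confirms which levels the machine offers; the same pattern applies to the mail client.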