Unknown Virus, strange appearance

Hello

It seems that I have a virus about which I found nothing anywhere. I have spent several hours looking for info on almost all sites… finally decided to post here.

The virus acts in a quite strange way. First of all, it disabled my wireless connection, and Wireless Zero Configuration didn’t help. Then I tried installing avast! Home Edition, and the installation went fine, everything OK, but right after the installation the virus deleted all important exe files in the avast folder (shortcuts created on the desktop don’t even have icons) and it didn’t even reboot. The same thing happened with Spybot, and AVG didn’t even finish the installation. Another thing is, at startup it opens a hidden iexplore window asking for Simplified Chinese installation. And the last thing I have noticed: my Protector Suite (fingerprint reader application) crashes after reboot.

I am running Windows XP Tablet PC Edition on a Toshiba Portege M400 laptop.

Thanks for any help!
Please help, clever guys :)

Check out the topic, http://forum.avast.com/index.php?topic=25941.0.

This could be a rootkit variant which F-Secure’s Blacklight should be able to take care of.

I doubt the virus disables the wireless connection as that would potentially reduce its effectiveness not to mention draw it to your attention. It may however be as a result of another issue, not one I have any experience of as I don’t use wireless networking.

Well, Blacklight found and cleared something, but it seems not to be enough. I tried installing avast again, but the main ashAvast.exe is not there, and Spybot has the same problem as before. Gosh, it looks like I’ll never get rid of this!

I am trying to scan with the simple interface of avast, which is there, but it doesn’t find anything.

I am starting to be desperate!

Try the Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/research/archive/2006/12/14/Rootkit-cleaner.aspx.

Once you have done that run AVG anti-spyware from safe mode (keep pecking at the F* key during boot).

What did blacklight find, did it not give a report ?

I will try the Panda Rootkit Cleaner, but the problem is that my safe mode doesn’t work; it throws a bluescreen right after load. I have already run AVG AntiSpyware from normal mode and quarantined a few unrelated things.

Anyway, I am still investigating what it could be, because none of the programs gave me the answer, and it has something in common with this:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=56690

Notice the bottom of the page: it deletes the registry key for safe boot. Oh dear.

But still, I don’t have anything in %AppData%\hidn, nor in the reg files depicted.

So I am not sure it’s it.

Here is the Blacklight log:

I did run the Panda Rootkit Cleaner, and it removed something, but definitely not the one I need it to; the on-access file deleting still goes on.

Any ideas?

Please make notes of what is detected (file names and locations, etc.) and removed, etc. It helps us to get a handle on things and help you.

The only things of note, and the main issue, are these:

02/09/07 20:53:56 [Info]: Hidden process: C:\WINDOWS\system32\hldrrr.exe
02/09/07 20:53:56 [Info]: Hidden process: C:\WINDOWS\system32\hldrrr.exe
02/09/07 20:54:07 [Info]: Hidden file: c:\Documents and Settings\Valued customer\Application Data\hidires\hidr.exe
02/09/07 20:54:07 [Info]: Hidden file: c:\Documents and Settings\Valued customer\Application Data\hidires\m_hook.sys
02/09/07 20:56:06 [Info]: Hidden file: C:\WINDOWS\system32\hldrrr.exe

However, there is nothing to indicate that they were removed. Check for the presence of these files; in Explorer ensure that Hidden Files and Folders is displayed in Tools, Folder Options, View. If the rootkit element is still there, those files may still be hidden. If they are there, add them to the User Files section (File, Add) of the avast chest.

You mention the security advisor info:
If there is an indication of a registry key deleted to stop boot into safe mode then it should be possible to recreate that from the same information.

Try to schedule an avast boot-time scan. You should be able to run the Simple User Interface by finding C:\Program Files\Alwil Software\Avast4\ashSimpl.exe (or ashSimp2.exe if the first doesn’t run); once you open it, from the Menu choose ‘Schedule boot-time scan…’. If anything is found in the boot-time scan, send it to the chest (don’t delete).
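As an added example (not code from the thread, from avast or from F-Secure), here is a small Python script that does the two things asked for in the reply above: it pulls the file and process paths out of Blacklight-style log entries, even when a paste has run several entries together on one line, deduplicates them, and then checks whether each path is currently present. The entry format is inferred from the five lines quoted in this thread; the regular expression, the function names and the directory-listing comparison in check_presence are my assumptions, not Blacklight’s own output format or logic.

```python
import os
import re
import tempfile
from collections import OrderedDict

# The five entries quoted earlier in this thread, used here as sample input.
SAMPLE_LOG = r"""02/09/07 20:53:56 [Info]: Hidden process: C:\WINDOWS\system32\hldrrr.exe 02/09/07 20:53:56 [Info]: Hidden process: C:\WINDOWS\system32\hldrrr.exe
02/09/07 20:54:07 [Info]: Hidden file: c:\Documents and Settings\Valued customer\Application Data\hidires\hidr.exe
02/09/07 20:54:07 [Info]: Hidden file: c:\Documents and Settings\Valued customer\Application Data\hidires\m_hook.sys
02/09/07 20:56:06 [Info]: Hidden file: C:\WINDOWS\system32\hldrrr.exe"""

# Assumed entry shape: "<dd/mm/yy hh:mm:ss> [<level>]: <kind>: <path>".
# The lookahead stops a path (which may contain spaces) at the next timestamp
# or at the end of the line, so run-together pastes still split correctly.
ENTRY_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\]: "
    r"(?P<kind>Hidden process|Hidden file): (?P<path>.+?)(?= \d{2}/\d{2}/\d{2} |$)",
    re.MULTILINE,
)


def parse_blacklight(text):
    """Return a list of (timestamp, kind, path) tuples, one per log entry."""
    return [
        (m.group("ts"), m.group("kind"), m.group("path").strip())
        for m in ENTRY_RE.finditer(text)
    ]


def unique_paths(entries):
    """Collapse repeated entries into one record per path (case-insensitive,
    as NTFS is), keeping first-seen order and every kind it was reported as."""
    seen = OrderedDict()
    for _ts, kind, path in entries:
        rec = seen.setdefault(path.lower(), {"path": path, "kinds": set()})
        rec["kinds"].add(kind)
    return list(seen.values())


def check_presence(paths):
    """Classify each path as 'absent', 'visible' or 'hidden'.

    'hidden' means a direct os.path.exists() succeeds but the name is missing
    from the parent directory's listing: the kind of discrepancy a rootkit
    that filters directory enumeration leaves behind. This is a crude check
    and proves nothing when a rootkit hooks both code paths."""
    result = {}
    for p in paths:
        if not os.path.exists(p):
            result[p] = "absent"
            continue
        parent, name = os.path.split(p)
        result[p] = "visible" if name in os.listdir(parent or ".") else "hidden"
    return result


def demo_presence_check():
    """Self-contained demonstration on a temporary directory (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "hldrrr.exe")
        with open(present, "w") as fh:
            fh.write("placeholder")
        missing = os.path.join(d, "hidr.exe")
        return check_presence([present, missing])


if __name__ == "__main__":
    entries = parse_blacklight(SAMPLE_LOG)
    for rec in unique_paths(entries):
        print(rec["path"], sorted(rec["kinds"]))
    print(demo_presence_check())
```

On the infected machine you would feed the real Blacklight log to parse_blacklight and pass the resulting paths to check_presence; anything reported as hidden or visible is a candidate for the avast chest rather than deletion, as the reply suggests.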

More info, been doing some searches: “how to” +restore deleted HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot key

http://didierstevens.wordpress.com/2006/06/26/restoring-safeboot/
http://didierstevens.wordpress.com/2006/06/22/save-safeboot/
http://cquirke.blogspot.com/2006_07_01_cquirke_archive.html
http://cquirke.blogspot.com/2006/07/repairing-safe-mode-safeboot.html

Okay, I have checked the presence of those files in Explorer; they are not there (I see hidden folders). The result of the boot-time scan:

02/09/2007 23:40
Scan of all local drives

Number of searched folders: 10637
Number of tested files: 110750
Number of infected files: 0

And the little bastard is still there!

I am going to try to restore the safemode and run the AVG antispyware, we’ll see what that can do.

OMG,

I would never have said that the solution to this problem is as easy as running System Restore :)

Everything works fine, Spybot can install, wireless works and I suppose safemode will work too.

This is the first feature on windows I really like.

If you have any ideas on what to do now, or whether I really did remove the worm or anything else, post it now, because I am going to celebrate! :) I spent all day doing this anyway…

  1. The solution isn’t always that simple; in this case it allowed the restoration of the safe-boot key and perhaps reversed the registry entries for the running processes. Any files previously deleted are likely to have stayed that way, as they weren’t in the system folders.

  2. I think that System Restore is so good (not) that it is permanently disabled on my system; it has severe restrictions and isn’t a means of back-up.

System Restore MVP site - http://bertk.mvps.org/ There are many, many reasons why a System Restore may fail. For example, see "Why are previous restore points not working?" in the "Troubleshooting" section of this official Microsoft page: http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx

There’s lots more on that page that’s worth reading too. Note especially the sections on “Does System Restore protect personal data files?” (the short answer: no); “What should I do if System Restore does not work?”; “Why are my restore points missing or deleted?”; “Why does the System Restore Wizard lockup?”; and so on. Just a few minutes on that page ought to convince just about anyone that System Restore is not intended for heavy-duty system protection!

Run both Blacklight and the Panda Rootkit Cleaner.

Once you have done that, you might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.

Thank You Very Much David for your patience with me.

You are invited for a pint (in case you come to Slovakia) :)

You are welcome and thank you ;D

A belated welcome to the forums.

A note on my comment about having disabled System Restore, for those possibly reading this later: I don’t recommend this unless you have something to replace it, as even with any possible flaw it is better than no System Restore at all.

I use disk imaging software that takes an exact copy of my partitions, saved to another hard drive or to DVD; this is my fall-back replacement for System Restore. I do a regular weekly image of my working partitions and keep 5 weeks’ worth on my 2nd HDD, so if I have a problem I restore the previous image; at worst I lose 6 days of system changes. I also do a daily back-up of my volatile data files: .doc, .xls, email database folders, favourites, address book, basically anything you don’t want to lose.

So don’t disable System Restore permanently unless you have a comprehensive system recovery and back-up plan.