Posted 10 January 2009 - 06:15 AM
Posted 10 January 2009 - 08:54 AM
HijackThis and autoruns are not anti-virus softwares but investigative tools. How exactly did you remove this malware? How is your computer running now? Any more reports/signs of infection?
Anti-virus software such as HijackThis and autoruns had worked in my case and identified the very elusive mscvhost.exe.
Posted 11 January 2009 - 01:27 AM
Posted 11 January 2009 - 08:46 AM
Sorry to hear about having to reformat but sometimes that is the best solution. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Starting over by wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action.
My final option (armageddon option [LOL]) then was to reformat the systems affected: Drive C and others. This, I left to the expertise of the computer technician.
Posted 12 January 2009 - 12:16 AM
Posted 27 January 2009 - 12:14 PM
Yes, I've been wondering what to call HijackThis and autoruns. Investigative tools. Thanks for that!
About the huelar.exe virus, as it was collectively known... I consider them as a group because they're 3 viruses working together to protect each other and keep from being removed from the system, meanwhile making the user's computer life miserable and always attached to the huelar virus (as its motto goes, "I will always be with you -huelar" are the exact words I found in the registry). In my case, HijackThis had found the 3 of them in various places, and of course I deleted them, but mscvhost.exe can't be removed because it says it's currently running in the active processes. But when I checked taskman, process explorer and tcpview, there's no sign of mscvhost.exe. According to HJT (HijackThis), it's in "documents and settings". But since that area is infected by the virus, I can't access it without the virus initiating itself again. So I got the idea mscvhost was obviously being obscured by another virus/malware/rootkit protecting it. I still don't know what it is. I also found out the virus disables all search processes related to finding it and its associates in all areas of the system.

Now I looked into the registry and also in safe mode to check, and I found some traces of the huelar infection but not the elusive mscvhost.exe. There are also some files/subfiles in the registry that can't be accessed. When I ran cmd, it failed to find/erase the virus too. So, all hope gone and evaporated, I decided to consult my second to the last option: find a good AV: Norton AV 2009. So it scanned and found the huelars. I rebooted the laptop again to refresh its state only to find out the system had crashed completely because Winlogon had been tampered with. From this, my guess is that mscvhost attached itself to winlogon. My final option (armageddon option [LOL]) then was to reformat the systems affected: Drive C and others. This, I left to the expertise of the computer technician.
Now I have a laptop with a dying hard drive but still equipped with its vital functions (and a new, short life span), a Drive D remainder of the aftermath and a fresh new experience to digest. I'm still grieving over the loss of my vital wares and files in drive C, but I know now I won't put them there again.
I will still run a series of AV scans on the system later to be sure it's free of the virus.
Posted 27 January 2009 - 12:23 PM
Edited by lindaga35, 27 January 2009 - 12:25 PM.
Posted 27 January 2009 - 01:26 PM
Posted 29 January 2009 - 05:48 AM
Posted 29 January 2009 - 06:45 AM
Method of Distribution
Via Drives and Network Shares
Win32/Rahlue.A propagates by traversing all folders in all drives, including accessible network shares. If a folder is found, the worm creates a copy of itself, using the name and path of the folder as the executable's filename. For example, if the worm finds a folder at C:\Program Files, it drops a copy of itself in that folder as "C:\Program Files.EXE" and hides the original folder.
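The propagation pattern described above (a copy of the worm named after a folder, dropped beside that folder) is something a responder can hunt for directly, because it leaves a very specific artifact: an `.exe` whose base name matches a sibling directory. The script below is an added example for that check; it is not from the forum post or from the Win32/Rahlue.A write-up quoted above. It builds a constructed sample directory tree (the paths are made up for the demo), walks it, and reports every file matching the pattern without deleting anything. The function names (`find_folder_impersonators`, `build_sample_tree`, `scan_report`) are this example's own.

```python
"""Hunt for the 'folder-name.exe beside a same-named folder' artifact that the
Win32/Rahlue.A description attributes to the worm's spreading routine.

Added example, not part of the original thread or the vendor write-up.
It only reports suspects; review each hit before acting on it.
"""
import os
import tempfile


def find_folder_impersonators(root):
    """Return a sorted list of full paths to files named '<sibling dir>.exe'.

    The comparison is case-insensitive because Windows file systems are,
    so 'Program Files.EXE' next to 'Program Files' is a match.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_lower = {d.lower() for d in dirnames}
        for fn in filenames:
            stem, ext = os.path.splitext(fn)
            if ext.lower() == ".exe" and stem.lower() in dirs_lower:
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def scan_report(root):
    """Same hits, relative to root with '/' separators, for reading and testing."""
    return [
        os.path.relpath(h, root).replace(os.sep, "/")
        for h in find_folder_impersonators(root)
    ]


def build_sample_tree():
    """Constructed test data (not a real infection): two folders that have a
    same-named .exe beside them, and one ordinary installer that should NOT
    be reported."""
    root = tempfile.mkdtemp(prefix="rahlue_demo_")
    os.makedirs(os.path.join(root, "Program Files"))
    os.makedirs(os.path.join(root, "Music", "Jazz"))
    os.makedirs(os.path.join(root, "Docs"))
    # Worm-style drops: executable named after the folder it sits next to.
    open(os.path.join(root, "Program Files.EXE"), "wb").close()
    open(os.path.join(root, "Music", "Jazz.exe"), "wb").close()
    # Benign control: an .exe with no sibling folder of the same name.
    open(os.path.join(root, "Docs", "setup.exe"), "wb").close()
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in scan_report(demo_root):
        print("suspect:", hit)
```

On a real drive you would point `find_folder_impersonators` at each volume root (and at mapped network shares, since the description says those are traversed too). Expect occasional benign matches, for example an installer shipped next to the folder it unpacks into, so treat the output as a triage list rather than a verdict; the hidden attribute the write-up mentions on the original folder is a useful second signal when you check each hit.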
Posted 29 January 2009 - 07:49 AM
Posted 29 January 2009 - 10:09 AM