Brian phoned yesterday, to ask if Adam could take a look at Jasmine’s laptop. Adam wasn’t in, so Diana suggested that he talk to me. Brian initially said that he didn’t want to take my time looking at a PC with a potential virus on it. I told him just to drop the machine off, and I would add it to the other two computers on my desk. I’m second-level support for the eight computers we have in our house, so all of the hard problems come to me.
This laptop took forever to boot, and would come up with a message (as I had seen in the bitdefender forum) of:
Your system could become unstable
A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer.
****WXYZ.SYS – Address F73120AE base at C00000, DateStamp 36b072A3
Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)
Although the panel looks like a Windows error, the wording is pretty suspicious (and grammatically incorrect). It’s the virus talking, not Windows. (There’s no reason for the kernel to be going to a COM2 port, when you have high-speed Internet access!)
Other symptoms included thousands of pot???.tmp files in the root directory, and an inability to start up a command prompt, because the /windows/systems32/ directory was hidden.
First, I downloaded the VundoFix program from atribune.org and ran that. This program was last updated in January 2007. It took a while, but VundoFix confirmed the Virtumonde virus. I followed through to clean up the virus, and it removed and patched a lot of files … except one. VundoFix said that this file would be removed after a reboot. I rebooted, VundoFix came up, and the last file was supposedly fixed. With another reboot, however, the system32 directory was still invisible, and another run of VundoFix disclosed an infected file. I retried the search, fix and reboot three more times, with the same result.
With another web search, I found that Lavasoft had developed a VirtuMonde remover, and it has been incorporated into Ad-Aware 2007 (including the free version). I downloaded Ad-Aware 2007 Free, but when I tried to install it, the installation would fail because some other program was simultaneously being installed.
Looking at Windows Task Manager … Processes … I saw multiple instances of msiexec running. One of these msiexec processes blocks other installation requests. I killed these processes, and Ad-Aware 2007 installed smoothly. Running Ad-Adware then not only found and isolated the files infected by Virtumonde, but also two other viruses … as well as the usual browser malware. I always thought that Ad-Aware was just for browsers … but I guess Lavasoft does much more than that!
When I could bring up a command prompt, it was a simple instruction to delete pot*.tmp, in two directories.
The laptop seems to be working fine, now. I’m 99% certain that I’ve killed the Virtumonde virus. The 1% uncertainty is that there are msiexec processes that come up after a cold boot. These could be normal processes (e.g. one turned out to be the anti-virus profiles from Sympatico Security Services being refreshed) … or they could be the Virtumode virus continuing to lurk.
Brian picked up the machine this morning. I’ve advised him to back up all of the data files on CDROM, in the case that the virus isn’t really dead. He had been advised by a technician in a store to just reinstall Windows XP. For systems engineers from the mainframe generation, reinstalling an operating system is an extraordinary measure that isn’t taken lightly. In my opinion, the problem determination skills of PC-oriented technicians leaves much to be desired. The elapsed time — not working time, because it took so long for the programs to run, and the infected operating system to reboot — to fix the machine was probably 6 to 8 hours.
Most PC technicians are all about action, not thinking. Sticking to a problem for the better part of a working day requires patience. I wish that university and college students could develop the good analytical discipline to figure out the one technical issue that is wrong, and put that right.
