I'm posting in this thread because I think this virus may have mutated. Same virus (win32:rootkit-gen [RTK]), but with different symptoms. Here's what happened.
BTW, I've been using Avast free for years with zero probs.
Yesterday (10 July 2010), I was doing a Google search on "Mac vs PC for audio..."
I clicked approximately the 5th link down on the results (Avast 5 free was running at the time), and a strange screen appeared... then a security-type screen appeared and began scanning my system. Not Avast, and this wasn't from anything installed on my system.
A little green and white shield also appeared in my system tray, and I lost all control of the computer. All it would let me click was the "security" program that had appeared.
When I tried to bring up Task Manager (to try to find and kill the process), I got a Windows (type) alert... something like:
"cannot open file. taskmangr.exe is infected. Do you want to activate your virus software?"
It also brought up a java pop-up in my system tray (that java was running).
I did manage to bring up Avast (from the sys tray), but it said in red letters "your computer is not protected" or something like that.
Basically, all of my shields had been turned off, and I could not restart them. When I clicked "FIX NOW" or "turn on" (for a shield), it had no effect. Nothing happened.
I pulled my (USB) wireless adapter to disable the network, and did a manual power down and reboot. When my system came up, the virus was still there controlling my system.
After a while, I was able to somewhat disable the virus by doing the following.
I booted (XP) in safe mode, and uninstalled Java (I figured the virus may need it, since Java had come up).
I also brought up the startup configuration tool and disabled most of the startup files.
After that, when I rebooted I was able to control my system again, and ran an Avast 5 boot scan, a Panda on-line scan, and the MS malicious software removal tool.
None of the scans produced a virus hit at that time.
Also, the problems with Avast 5 continued... (I attribute that to changes that the virus made.)
Avast 5 said that my license was expired... (I hit the "register now" button, and it would say "retrieving information", but nothing would happen. It just returned to the same screen.)
I did do an uninstall / re-install of Avast 5. When I first re-installed, I was able to enter my license number, and the text dialogue said "Thanks for registering!".
But then it immediately went back to the previous behavior saying that my license is expired.
I still could not turn on any shields (in Avast 5)... and could not connect to the Avast server to update virus definitions (or enter my license #).
I did restore my firewall to default settings as well (thinking that the virus may have messed with them), but it did not help.
So, I uninstalled Avast 5 and installed 4.8.
The problem I had with 4.8 is that it also could not connect for virus updates (it just said "cannot connect to server").
All this was last night.
This morning, I enabled each of my startup files one by one, and identified the virus manually (gibberish.exe). Then I did a windows search and moved the virus to a folder on my desktop so it would not be executed when the system starts.
Then I started researching the "cannot connect to server" issue that avast was having.
What I found is that the virus had changed my proxy settings in IE options to use a proxy to connect to the internet, but because I was browsing with Firefox (settings in Firefox were not changed) I had not noticed it.
When I changed my settings in IE back to NOT use a proxy, Avast 4.8 was able to connect to the update server.
After the update was done, I right-clicked the virus file to look at its properties. It was then that Avast 4.8 sounded the malware alarm and moved the virus to the chest.
My concern here (and the reason I'm posting) is that I'm not sure I have completely removed the virus.
Since it seems to have mutated, I'm worried that there may be parts of it left on my system which could be doing their own damage without my knowledge.
It should be noted that this virus changed my proxy settings, and somehow rendered Avast useless. It also messed with my Avast expiration date somehow.
I haven't seen those symptoms reported in the past in association with this virus, so this may be something new.
I also am concerned that this virus went through Avast like butter. It took immediate control of my system, and I'd done nothing except click a link in my Google search results. That doesn't leave me really confident that Avast is on this problem, though I do feel better that Avast found it after the definition update.
I would appreciate any information or ideas that someone may have on this.
Thanks very much.
-Haze
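The "cannot connect to server" symptom above came from the rogue scanner pointing the system-wide WinINET proxy (what IE's connection settings edit, and what many updaters use) at a proxy the user never configured. The following is an added example, not the poster's or Avast's code, that audits those registry values on a Windows box and offers the same fix the poster applied by hand; the function names are my own, and it assumes PowerShell 3 or later run as the affected user (policy keys under HKLM need an elevated shell).

```powershell
# Added example: audit the WinINET proxy settings a rogue scanner may have hijacked.
# Value names (ProxyEnable, ProxyServer, AutoConfigURL) are the standard Internet
# Settings values; the function names are assumptions for this example.
$proxyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-WinInetProxyAudit {
    param([string[]]$RegistryPaths = $proxyKeys)
    foreach ($p in $RegistryPaths) {
        if (-not (Test-Path $p)) { continue }
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        $enabled = if ($v.ProxyEnable) { [int]$v.ProxyEnable } else { 0 }  # 1 = fixed proxy
        $server  = [string]$v.ProxyServer                                  # host:port
        $pac     = [string]$v.AutoConfigURL   # PAC script; also abused for silent redirects
        # Any active fixed proxy or PAC URL the user did not set up deserves a look:
        # it can redirect browsing and quietly break AV/OS update traffic.
        $suspicious = (($enabled -eq 1) -and ($server -ne '')) -or ($pac -ne '')
        [pscustomobject]@{
            Path        = $p
            ProxyEnable = $enabled
            ProxyServer = $server
            AutoConfig  = $pac
            Suspicious  = $suspicious
        }
    }
}

function Reset-WinInetProxy {
    # Same remediation the poster did in IE options: turn the fixed proxy off and
    # clear any PAC URL. Touches HKCU only; policy keys are left for manual review.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $p = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($PSCmdlet.ShouldProcess($p, 'Disable proxy and clear AutoConfigURL')) {
        Set-ItemProperty    -Path $p -Name ProxyEnable   -Value 0 -Type DWord
        Remove-ItemProperty -Path $p -Name ProxyServer   -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $p -Name AutoConfigURL -ErrorAction SilentlyContinue
    }
}

Get-WinInetProxyAudit | Format-Table -AutoSize
# Preview the fix before applying it:  Reset-WinInetProxy -WhatIf
```

Services that use WinHTTP rather than WinINET read a separate machine-level proxy, so also check `netsh winhttp show proxy` when an updater running as a service still cannot connect after the HKCU values are clean.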