a virus encounter

Due to my struggles with Open Office Impress, I decided to take advantage of Microsoft’s at home use program and install Office 2007 on my home computer.  Short story, I had a dormant virus on my machine that showed up as soon as I installed Office 2007.  This reminds me why I avoid Microsoft products like Internet Explorer – way too tightly coupled to the operating system.  Longer story:

Symptoms

Right after I installed Office 2007, my Windows XP computer started exhibiting a number of odd problems:

  1. Took 30-45 minutes to shut down the computer
  2. When downloading an attachment from Firefox, Firefox hangs.  Killing it in the task manager and re-launching Firefox with the tabs intact shows that the file is still downloading, and it completes.
  3. Starting postgres via a shortcut opens a DOS window saying “starting” and hanging.
  4. Starting the postgres process in Services gives:

    Error 1053: The service did not respond to the start or control request in a timely fashion

  5. Internet Explorer does not open.  (I can’t say when the last time this worked was.  I only tried in hopes I could use the Windows Update site.)
  6. Add/remove programs shows an empty list.  (Meaning I can’t uninstall Office 2007)

What I unsuccessfully tried to fix it

  1. sfc scan now from Yahoo answers
  2. Running three registry commands from Microsoft knowledge base (also mentioned at Yahoo but I wasn’t about to touch my registry on the advice of a third party site.)  The first gave an error, the other two ran.
  3. Microsoft’s registry fix.  I was able to download it (painfully), but got “install server not responding”
  4. Avast full scan – it hung on the file “c:\windows\system32\drivers\acpiec.sys” about 10% through my hard drive.

What finally worked

Avast’s boot time scan is supposed to run before the drivers are loaded.  Since there was clearly an issue in the driver directory, I decided to try this.  I still didn’t think I had a virus at this point.  The problem CLEARLY showed up right after installing Office 2007, making it Office 2007’s fault, no?

I tried a few times to run the boot scan.  This took a while because each shut down took so long.  And the first two were “unsuccessful shutdowns” where Avast didn’t get the cue that it was supposed to run before Windows launched.

Luckily the boot scan logs everything it finds so you don’t have to watch it.  The process ran for a number of hours and then logged to C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report.

The boot scan found a few corrupt zip files (Apache ant documentation, some class file jars) and a bad Open Office OLE file – all of which it logged and ignored.  It then found seven infected files.

Infected by “Java:Jade-“

Avast says this is caused by old Java exploits.  I don’t think these are a problem and am virtually certain they aren’t the cause of my issue.  However since they are in the cache and I hardly use NetBeans, I just deleted them.  (I use Eclipse for development.  NetBeans is only installed for the FIRST robotics plugin code.)

File C:\Documents and Settings\me\Application Data\Sun\Java\Deployment\cache\6.0\19\66c54313-5302a8c6|>c.class is infected by Java:Jade-A [Heur],

File C:\Documents and Settings\me\Application Data\Sun\Java\Deployment\cache\6.0\52\59ec2974-343db254|>vload.class is infected by Java:Jade-C [Heur], Deleted

Infected by “Win32:Alureon-KG”

Microsoft describes this trojan as being responsible for a range of harmful activities.  None of them look particularly relevant to the problem I’m having.  But they are in a temp directory so no harm in seeing them go.

File C:\Documents and Settings\me\Local Settings\Temp\encrawsxmo.tmp is infected by Win32:Alureon-KG [Trj], Moved to chest
File C:\Documents and Settings\me\Local Settings\Temp\masneowxrc.tmp is infected by Win32:Alureon-KG [Trj], Moved to chest

Infected by “Win32:Malware-gen”

This isn’t good but I don’t have any Symantec products installed anymore.  I switched from Norton to Avast over a year or two ago.

File C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll is infected by Win32:Malware-gen, Moved to chest

Infected by “Win32:Malware-gen” (part 2)

Eureka! Two dlls are infected by something.  I don’t know which of these was the root cause of my problem, but it was clearly one of them.  I went to check what each of them is for, since removing a system file is risky.  dkvcm.exe is a known virus file.  I couldn’t find anything on the dll, good or bad.

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1238\A0204372.dll is infected by Win32:Malware-gen, Moved to chest

File C:\WINDOWS\system32\dkvcm.exe is infected by Win32:Malware-gen, Moved to chest
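The report lines quoted above all share one shape (`File <path> is infected by <name> [<tag>], <action>`), so they can be pulled into a structured form and sorted by where the hit lives, which is the same reasoning used in the sections above (cache and temp hits are low concern, OS-directory and restore-point hits are not). This is an added example, not the post's or Avast's own code; the sample lines are constructed in that shape (paths shortened, GUID replaced), and treating `|>` as an archive/member separator is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the quoted Avast boot-scan report lines; not a real report.
SAMPLE_REPORT = """\
File C:\\Documents and Settings\\me\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\19\\66c54313-5302a8c6|>c.class is infected by Java:Jade-A [Heur],
File C:\\Documents and Settings\\me\\Local Settings\\Temp\\encrawsxmo.tmp is infected by Win32:Alureon-KG [Trj], Moved to chest
File C:\\System Volume Information\\_restore{GUID}\\RP1238\\A0204372.dll is infected by Win32:Malware-gen, Moved to chest
File C:\\WINDOWS\\system32\\dkvcm.exe is infected by Win32:Malware-gen, Moved to chest
"""

# File <path> is infected by <name>[ [<tag>]][, <action>]
LINE_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<name>\S+?)"
    r"(?: \[(?P<tag>[^\]]+)\])?(?:,\s*(?P<action>.*))?$"
)

@dataclass
class Finding:
    path: str                # container file on disk
    member: Optional[str]    # entry inside an archive (assumed "|>" separator), if any
    name: str                # detection name, e.g. Win32:Malware-gen
    tag: Optional[str]       # [Heur] / [Trj] qualifier, if any
    action: Optional[str]    # what the scanner did; None if the line records nothing

def parse_report(text: str) -> list:
    """Parse report lines; lines of other shapes (e.g. corrupt-archive notices) are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, _, member = m["path"].partition("|>")
        findings.append(Finding(path, member or None, m["name"], m["tag"], m["action"] or None))
    return findings

# Locations where a hit means more than a stale download (the post's own reasoning).
HIGH_CONCERN_PREFIXES = ("c:\\windows\\", "c:\\system volume information\\")

def triage(f: Finding) -> str:
    """'high' for OS-directory or restore-point hits, 'review' when no action was
    recorded for the file, 'low' for cleaned cache/temp files."""
    p = f.path.lower()
    if p.startswith(HIGH_CONCERN_PREFIXES):
        return "high"
    if f.action is None:
        return "review"
    return "low"
```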

Conclusion

I seem to have had a virus lurking that came to life when I installed Office 2007.  Thanks to Avast, all the symptoms are gone now and my machine is back to normal.