
Just had my first XP BSOD.

dennilfloss

Past Lifer 1957-2014 In Memoriam
"If this is the first time... you must restart your computer."
"beginning dumping of memory."

First one I can remember since I switched from W98 about 6 years ago. Right as I was finishing encoding a DVD too and was about to generate the menu.:|

And now Kaspersky made that pig squeal and warns me about

Worm.Win32.Huhk.c


Crap. I have little time for disinfecting today and tomorrow before I leave for the holidays. Hope this one's easy to nuke.
 
Asshole worm deleted Explorer. I had to use Avanquest Perfect Image and restore my C drive from a three-week-old image. Good thing I save my programs and stuff on other partitions. MSN Livemail restored my emails automatically so I lost nothing there. Just reupdated Kaspersky's 7 and will do a thorough system scan to make sure I did not catch this before the image was created and it did not just lie in wait for the last three weeks.

That thing got through even on max security settings. A curse on malware-creating fuckers. Die turds, die!:|
 
I struggled with this "worm" today as well.

I can definitely confirm that it was Kaspersky that deleted explorer.exe. If it gave you the "special procedures required to clean this file" message then rebooted your machine, then that's what happened. Those "special procedures" are deleting the infected file on startup.

I can't verify that it's a false positive, but I did make some observations that support it being an error on Kaspersky's part:

1) I did a routine system scan a few days ago and have not installed any new software or downloaded anything since. I then updated Kaspersky's signatures and did a new system scan today and that's when it found Huhk.c. Of course, this could just mean that something was installed without me knowing or that I've always had this worm and it was undetected until a recent signature update.

2) Kaspersky always found it in the explorer.exe in system memory. Killing the explorer process and then restarting the process still leaves an infected explorer.exe in memory. This would make sense if the explorer.exe file was infected, but scanning the explorer.exe file itself turned up clean -- or so I thought. Actually, if you set Kaspersky's security level to HIGH instead of NORMAL, it finds it in the explorer.exe file as well. In other words, NORMAL security level only finds it when running in memory, HIGH security level finds it in memory and the file. This inconsistency is a little strange and suggests that perhaps the heuristics scanner in Kaspersky is misidentifying harmless code in explorer.exe as this worm, and the image in memory is possibly different from the file itself. Not really evidence for it being a fake, but it's kind of weird.

3) I installed a Windows XP system update via Windows Update today. Part of that update included a new explorer.exe. Kaspersky's background file scanner immediately flagged the explorer.exe downloaded as part of the critical update as having this worm (before it was installed). I find this very strange. The reason I find this very strange is this: After Kaspersky deleted my explorer.exe I restored a copy from a clean backup I had. Upon restarting my system I did a full system scan and Kaspersky found nothing at all (note that the explorer.exe I grabbed off my recovery disc was a different version than whatever one may be causing these false positives). So my system was completely clean. Then I got the Windows critical update, and then Kaspersky flagged the downloaded explorer.exe as having the worm. It would be very odd (although not impossible), on a clean system, for a newly created file to become infected as you'd think Kaspersky would have found -something- suspicious.

4) I've read reports where people observe that only files named explorer.exe are infected by this virus. I have observed that old versions of explorer.exe are not flagged as infected, and the newest versions are. I also know that it is not normally possible to modify explorer.exe while it is running, yet I did not have this virus and then suddenly I did. It would not make sense for my explorer.exe to have been modified while it was running. And like I said, the only thing that changed on my system between the time I didn't have the worm and the time I did was the Kaspersky signatures.

Edit: 5) This is a big one. Note that there are virtually no Google results for this virus. It isn't in the virus encyclopedia either. Nearly all forum posts regarding this virus are from today. I find it highly unlikely that this worm basically did not exist and then all of a sudden a whole bunch of people with very different system setups doing very different things got this weird worm all at the same time. The only thing in common between all these people is that they all seem to be Kaspersky users and they all have the latest signatures.

Edit: 6) Another suggestion of false positive can be found here: http://forum.kaspersky.com/ind...id=503634&#entry503634

I am definitely leaning towards a false positive because it appeared out of nowhere, I can't get rid of it no matter how hard I try, and even the newly downloaded explorer.exe from the Microsoft Update thing is flagged as being infected. If you have somebody around you that you know has a clean system and has the latest Windows updates, one experiment is to grab their copy of explorer.exe, rename it (before copying it to your own machine just in case some virus is infecting files named explorer.exe when they are created), and scan it for viruses with your version of Kaspersky. If it detects the worm, then it's probably a false positive, because it wouldn't make any sense for a file coming off a clean system to be infected with this worm.

As for your BSOD, I wonder if it is just an unfortunate coincidence that all this happened at the same time.

I'll post any new info if I have it.

Jason
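
The reasoning in the post above (points 3 and 4 plus the renamed-copy experiment), written out as a check. This is an added example, not part of the thread; the byte strings, file names and the `trusted` flag (a copy obtained from a source you trust independently of the affected machine) are constructed assumptions.

```python
import hashlib
from collections import defaultdict

def triage(samples):
    """Classify an AV detection on a system file.

    samples: dicts with name, data (bytes), trusted (copy came from a source
    trusted independently of this machine) and flagged (scanner verdict).
    Returns (verdict, sha256 digests that drove it).
    """
    groups = defaultdict(list)
    for s in samples:
        groups[hashlib.sha256(s["data"]).hexdigest()].append(s)

    flagged = {h: g for h, g in groups.items() if any(s["flagged"] for s in g)}
    if not flagged:
        return "no-detection", []
    # Flagged bytes are identical to a trusted copy: the signature is
    # matching a clean build, whatever the file is called.
    vouched = sorted(h for h, g in flagged.items() if any(s["trusted"] for s in g))
    if vouched:
        return "likely-false-positive", vouched
    # Flagged bytes match no trusted copy: the local file differs from the
    # reference, so the detection cannot be dismissed this way.
    return "treat-as-modified", sorted(flagged)

# Constructed byte strings standing in for explorer.exe builds (not real binaries).
OLD_BUILD = b"MZ constructed explorer build, older version"
NEW_BUILD = b"MZ constructed explorer build, latest update"
TAMPERED = NEW_BUILD + b" plus appended bytes"

def thread_scenario():
    # Local file and a renamed copy from a clean machine are both flagged;
    # the older build from the recovery disc is not.
    return triage([
        {"name": "C:/WINDOWS/explorer.exe", "data": NEW_BUILD, "trusted": False, "flagged": True},
        {"name": "renamed_copy.bin", "data": NEW_BUILD, "trusted": True, "flagged": True},
        {"name": "recovery_disc/explorer.exe", "data": OLD_BUILD, "trusted": True, "flagged": False},
    ])

def modified_scenario():
    # Local file is flagged but its bytes differ from the trusted reference.
    return triage([
        {"name": "C:/WINDOWS/explorer.exe", "data": TAMPERED, "trusted": False, "flagged": True},
        {"name": "renamed_copy.bin", "data": NEW_BUILD, "trusted": True, "flagged": False},
    ])
```
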
 
Actually, it's definitely a false positive. Within the last maybe hour or so, Kaspersky updated their signatures again to fix the problem. Update your signatures now and then rescan, you should not find any files infected by this worm.

Jason
 
Originally posted by: JCipriani
I struggled with this "worm" today as well.

I can definitely confirm that it was Kaspersky that deleted explorer.exe. If it gave you the "special procedures required to clean this file" message then rebooted your machine, then that's what happened. Those "special procedures" are deleting the infected file on startup.

I can't verify that it's a false positive, but I did make some observations that support it being an error on Kaspersky's part:

1) I did a routine system scan a few days ago and have not installed any new software or downloaded anything since. I then updated Kaspersky's signatures and did a new system scan today and that's when it found Huhk.c. Of course, this could just mean that something was installed without me knowing or that I've always had this worm and it was undetected until a recent signature update.

2) Kaspersky always found it in the explorer.exe in system memory. Killing the explorer process and then restarting the process still leaves an infected explorer.exe in memory. This would make sense if the explorer.exe file was infected, but scanning the explorer.exe file itself turned up clean -- or so I thought. Actually, if you set Kaspersky's security level to HIGH instead of NORMAL, it finds it in the explorer.exe file as well. In other words, NORMAL security level only finds it when running in memory, HIGH security level finds it in memory and the file. This inconsistency is a little strange and suggests that perhaps the heuristics scanner in Kaspersky is misidentifying harmless code in explorer.exe as this worm, and the image in memory is possibly different from the file itself. Not really evidence for it being a fake, but it's kind of weird.

3) I installed a Windows XP system update via Windows Update today. Part of that update included a new explorer.exe. Kaspersky's background file scanner immediately flagged the explorer.exe downloaded as part of the critical update as having this worm (before it was installed). I find this very strange. The reason I find this very strange is this: After Kaspersky deleted my explorer.exe I restored a copy from a clean backup I had. Upon restarting my system I did a full system scan and Kaspersky found nothing at all (note that the explorer.exe I grabbed off my recovery disc was a different version than whatever one may be causing these false positives). So my system was completely clean. Then I got the Windows critical update, and then Kaspersky flagged the downloaded explorer.exe as having the worm. It would be very odd (although not impossible), on a clean system, for a newly created file to become infected as you'd think Kaspersky would have found -something- suspicious.

4) I've read reports where people observe that only files named explorer.exe are infected by this virus. I have observed that old versions of explorer.exe are not flagged as infected, and the newest versions are. I also know that it is not normally possible to modify explorer.exe while it is running, yet I did not have this virus and then suddenly I did. It would not make sense for my explorer.exe to have been modified while it was running. And like I said, the only thing that changed on my system between the time I didn't have the worm and the time I did was the Kaspersky signatures.

Edit: 5) This is a big one. Note that there are virtually no Google results for this virus. It isn't in the virus encyclopedia either. Nearly all forum posts regarding this virus are from today. I find it highly unlikely that this worm basically did not exist and then all of a sudden a whole bunch of people with very different system setups doing very different things got this weird worm all at the same time. The only thing in common between all these people is that they all seem to be Kaspersky users and they all have the latest signatures.

Edit: 6) Another suggestion of false positive can be found here: http://forum.kaspersky.com/ind...id=503634&#entry503634

I am definitely leaning towards a false positive because it appeared out of nowhere, I can't get rid of it no matter how hard I try, and even the newly downloaded explorer.exe from the Microsoft Update thing is flagged as being infected. If you have somebody around you that you know has a clean system and has the latest Windows updates, one experiment is to grab their copy of explorer.exe, rename it (before copying it to your own machine just in case some virus is infecting files named explorer.exe when they are created), and scan it for viruses with your version of Kaspersky. If it detects the worm, then it's probably a false positive, because it wouldn't make any sense for a file coming off a clean system to be infected with this worm.

As for your BSOD, I wonder if it is just an unfortunate coincidence that all this happened at the same time.

I'll post any new info if I have it.

Jason

Yup. The message I got before restart was the special procedure.🙁

 
PS: dennilfloss: For future reference, Windows comes with a utility called SFC that will scan for changes in important system files then copy them off an installation CD or from wherever. If you go into a command prompt and type "SFC /SCANNOW" (it takes a few minutes) then reboot, it should restore screwed up files without affecting anything else, it may prompt you to insert a Windows CD. Although in this case it would have been misleading since you still may have been left with a falsely "infected" explorer.exe.
 
A search on my PC for "Huhk.c." turned up nothing, but I am using AVG.

If it was a "false positive" it should be on the "Kaspersky" web site if they know about it.
 
I meant "Worm.Win32.Huhk.C". It is on their web site, sort of. It's on that forum post, somebody says "it's a false positive, signatures will be updated soon, please be patient". There's probably an apology or explanation of some sort buried on one of their forums somewhere.

Kaspersky users should update their signatures again and rescan. The "infection" will disappear. If it's truly a mistake on Kaspersky's part, then non-Kaspersky users should never have had to deal with any of this at all.
 
Originally posted by: JCipriani
PS: dennilfloss: For future reference, Windows comes with a utility called SFC that will scan for changes in important system files then copy them off an installation CD or from wherever. If you go into a command prompt and type "SFC /SCANNOW" (it takes a few minutes) then reboot, it should restore screwed up files without affecting anything else, it may prompt you to insert a Windows CD. Although in this case it would have been misleading since you still may have been left with a falsely "infected" explorer.exe.


Saw that.

http://forum.kaspersky.com/ind...p?showtopic=55669&st=0

This thread also explains how to restore it from the AV backup with Task Manager starting Kaspersky's. Of course, being just an average user, I did not know this but now I do.

You live, you learn.:music:


 
Isn't it somewhat excessive for a virus program to delete/alter important Windows files? Shouldn't that file have been placed into a virus bin so it could have been recovered, iffin it wasn't a virus/worm?
 
:thumbsdown:

OK people here's my survival and removal experience! (I'm an XP guy)

Just like all of the rest of you I FREAKED and allowed Kaspersky to run the show. After several reboots and scans it successfully deleted explorer.exe

Of course that left me DOA and I started grasping at straws to bail myself out. I found by dumb luck a very easy way to restore explorer.exe - it is a file you can run from task manager called c:\windows\system32\restore\rstrui.exe. Just pick yesterday and it will restore explorer.exe.

I got back in the driver's seat and went to this thread by googling worm.win32.huhk.c.
I have since updated Kaspersky and rescanned confirming the problem is dealt with.

Thankfully I didn't trash my system! A big F.U. to Kaspersky for whatever mistake they made. Imagine an AV program intentionally crippling everybody's Windows!!!

Good luck to all you out there in Kasperskyville. Hope you all have my good fortune.
 