When trojans invade the PC kingdom
Today has not gone the way I envisioned it, not by a long shot. It started innocently enough with me grabbing the Fujitsu P1620 out of the dock to get some work done in slate mode while watching the morning news. It went downhill quickly from there. The first thing I was confronted with was a dialog box from OneCare telling me it had detected a trojan on my system. A trojan is malware that gets onto a system by posing as something legitimate and then does whatever its author intended to your Windows box. Fortunately for me I had OneCare duly protecting my system, and it spotted the trojan right away. I have no idea how it got into my system, as I am very careful about things like that, but if it's clever enough I guess it can get in anyway. I am happy with the way OneCare protects my systems, and much more so now that it has stopped this trojan in its tracks.
OneCare asked me if I wanted to clean the trojan off my system and I of course said yes. I neglected to write down exactly which trojan it had detected, but no matter. OneCare proceeded to clean the offender off my system, a process that took about 10 minutes. It must have invaded quite a bit of territory in my PC kingdom. When the cleansing was complete OneCare restarted the Fuji, and that's when the fun times started.
The Fujitsu restarted, and during bootup an error dialog box appeared telling me that the Fujitsu Menu program couldn't find the XML database it uses to populate the button bar. The Fujitsu Menu utility is the nice button bar that appears when you press the Fn button on the screen bezel twice; it offers user-configurable buttons that are easily pressed with a fingertip, giving access to things like the Mobility Center, screen rotation and display settings. It wasn't kidding: the XML database really was gone, and when I invoked the Menu utility this is what confronted me:

Yep, the buttons were all there, but none of them were set to do anything. This wasn't a big problem, as the Edit button you see makes it a breeze to set the buttons to do anything I want, and I quickly did that:

This wasn't the only thing affected by the trojan cleanup, however: I started getting error messages from several of the Fujitsu utilities that run at startup. I ended up removing and reinstalling all of them, the Fujitsu Button utility, the system extensions and the lot. Everything is now back to normal with the exception of Fujitsu Set State, which gives an error at boot time. I can't see anything that isn't working, though, so I'll leave that be for now as the system is running OK. It just goes to show you how malware can be a show-stopper even when your system is adequately protected. There is no telling what would have happened had OneCare not intercepted this bad boy. I also have to give kudos to Fujitsu for making all of these special utilities and drivers available through their support web site. It was very simple to download and reinstall them without having to rebuild the entire system.
It's a shame that you didn't note the trojan, because it would be interesting to know whether OneCare detected a real trojan or misidentified one of Fujitsu's apps. It seems strange that the cleanup would have targeted your Fuji utilities unless it was a false positive. Does OneCare keep a history of the files it's cleaned up?
Oh yeah, I meant to apologise if my post seems overly paranoid. I didn’t get much sleep last night due to a combination of noisy neighbours and the switch to daylight savings here in the UK :)
I would agree with Jake, it sounds like it could have been a false positive. If you review your Application and System event logs, it may have logged the name of the trojan, Symantec antivirus does, at least with the corporate version.
I also wonder if OneCare got tricked into thinking the Fuji utilities were a trojan. Seems odd to have those be the only things affected.
A false positive was my first thought too but this system hadn’t changed since I got it so I didn’t seriously consider that. I should have as I have since scoured the event logs and found the threat that was detected:
http://www.microsoft.com/security/encyclopedia/details.aspx?name=TrojanDownloader%3aWin32%2fZlob.gen!AW&threatid=2147603587
The telling criterion that this is likely a false positive is the date the threat was added by MS: yesterday. So most likely OneCare updated its threat signatures last night and this morning tagged this as a threat. It's the first false positive (if that's indeed what this is) that I've encountered with OneCare, and I've been using it since it first went beta. Live and learn.
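The check suggested in the comment above (review the Application and System event logs for the detection name) and the reasoning in the reply (a detection that appears the morning after a new signature arrives, on a system that has not otherwise changed, points to a false positive) can be scripted. The following is an added PowerShell example written for this page; it is not code from the original post, from OneCare or from Fujitsu. It assumes Windows PowerShell's Get-EventLog and Get-AuthenticodeSignature cmdlets. OneCare's event source name and event IDs are not given on the page, so detections are matched on the Microsoft threat-name pattern in the message text (Type:Platform/Family.Variant!Suffix, the form of the Zlob name linked above) rather than on a provider; the look-back window and the file paths passed to the second function are placeholders.

```powershell
# Added example (not from the original post, OneCare or Fujitsu).
# Two checks for a suspected antivirus false positive on a Windows box:
#   1. pull detection entries out of the Application and System event logs and
#      extract Microsoft-style threat names (e.g. TrojanDownloader:Win32/Zlob.gen!AW)
#      so the detection time can be compared with the signature's publish date;
#   2. check the Authenticode signature of any file the scanner touched; an intact,
#      valid OEM signature is strong evidence the file itself was not trojanised.
# Assumptions: no OneCare event source or event IDs are known from the page, so
# detections are matched on message text; log names and the look-back window are
# illustrative. Written for Windows PowerShell (Get-EventLog is not in PowerShell 7).

function Get-ThreatDetectionEvents {
    param([int]$Days = 7)   # look-back window; assumption for illustration

    # Microsoft threat naming: Type:Platform/Family[.Variant][!Suffix]
    # ("http://" does not match: at least one alphanumeric must follow the colon)
    $threatRegex = [regex]'[A-Za-z]+:[A-Za-z0-9]+/[A-Za-z0-9_.]+(?:!\w+)?'
    $since = (Get-Date).AddDays(-$Days)

    foreach ($log in 'Application', 'System') {
        Get-EventLog -LogName $log -After $since -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Message can be empty when the source's message file is missing
                $m = $threatRegex.Match([string]$_.Message)
                if ($m.Success) {
                    [pscustomobject]@{
                        Time    = $_.TimeGenerated
                        Log     = $log
                        Source  = $_.Source
                        EventId = $_.EventID
                        Threat  = $m.Value
                    }
                }
            }
    }
}

function Test-SuspectFileSignature {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # The scanner may already have quarantined or deleted it; restore from
            # quarantine before judging it, rather than reinstalling blind.
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $p
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Signer = $signer
        }
    }
}

# Usage: list detections oldest first, then compare each Time with the definition
# update that preceded it. A detection minutes after a fresh definition download,
# on a system that has not otherwise changed, is the false-positive pattern above.
Get-ThreatDetectionEvents -Days 7 | Sort-Object Time | Format-Table -AutoSize

# Then, for each path the scanner reported as cleaned (supply your own list):
# Test-SuspectFileSignature -Path 'C:\path\reported\by\scanner.exe' | Format-Table -AutoSize
```

A detection whose Time falls just after the definition update, and whose target files carry a valid signature from the OEM, should be reported to the vendor and restored from quarantine; reinstalling the utilities from the support site fixes the symptom but loses the evidence that would confirm it was a false positive.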
In my copy of OneCare I can see an option to display what the last virus scan discovered.
Glad you survived it.
I stopped to eat so didn’t write the CAPTCHA till after – my comment is obviously moot.
In 2006 Spybot flagged some key Tablet PC functionality as a threat. Details are at http://forums.spybot.info/showthread.php?t=8668. The "new" material on the system was the new Spybot definitions, which unfortunately had an error.
Hunting for viruses and the like is like hunting for terrorists. These days one is just as likely to get a civilian as the real deal…
Interesting. My AVG virus scan detected a Zlob trojan during its overnight scan on Friday. What gets me is that none of the so-called real-time scanners I have running (and apparently wasting system resources) detected anything. Maybe that was a false positive, too.
It all seems to be sort of a crap shoot to me. One day, nothing…then, all of a sudden a virus scan detects a virus or two (in directories where nothing seemed to change).
Well, I certainly would not describe OneCare as “adequate protection”. It simply isn’t up to the job.