> [Merged] False Positive...explorer.exe?, Worm.Win32.Huhk.c
richardhula
post 20.12.2007 17:31
Post #161


Advanced Member
***

Group: Gold beta testers
Posts: 118
Joined: 21.09.2007




Running KIS 7.0.1.321 on XP/SP2 laptop. I had this false positive problem but did NOT delete explorer.exe as KIS wanted me to, guessing that it was a false positive. Consequently my desktop & taskbar are intact. I have updated KIS twice since then & re-booted but I still get threat warning. To remove this "Worm.Win32.Huhk.c in module explorer.exe" threat should I select "delete" or "add to trusted zone" (or something else?)

Also getting update issue. Updater initially runs ok & after downloading, local files are updated, but updater window stays open shows less than 100% complete (it's happened three times now with progress frozen between 23% & 94%). Consequently update window remains open, tray icon shows updater still running & stop does not work - it displays stopping but then hangs. I have to exit Kaspersky & re-enable at which point it usually shows latest update time stamp. I reported this in 7.0.1.321 bugthread but wonder if anyone else is getting this.

Richard


--------------------
Richard

Acer TravelMate, 2 x 2.53Ghz T9400, 4GB DDR3
Windows 7 Ultimate 7600.16384 x64 - KIS 9.0.0.736
Opera 10.10
Baz^^
post 20.12.2007 18:07
Post #162


Wrestling Champion
**************

Group: Moderators
Posts: 8026
Joined: 9.03.2007
From: London




QUOTE(rjbsec @ 20.12.2007 14:02) *
Well I'm glad everyone is happy that everything has been fixed :mad:
Last night my laptop reported the Worm32.Huxxx infection with a popup warning me that my PC was infected and prompting me to delete ... it then went on to delete my desktop and corrupt my Acronis Backups on the laptop and associated external USB drive.
My laptop was unusable and I was unable to restore my backup!
By good fortune I had upgraded my drive a few days ago so I had a 'backup', albeit a few days old, so I am able to continue - without the old drive I would be stuffed.
These events could have been disastrous for me and I would like to know what I can do in order to prevent something like this happening again - I bought and trusted Kaspersky to protect my PC, in fact this week it's probably done more to cause me problems than a virus would have done!



Kaspersky makes a backup of the deleted file.

The fix to get your computer running again takes about 30 seconds to do :)

http://support.kaspersky.com/viruses/computers?qid=208279581


--------------------
Kind Regards,

Baz (Volunteer Moderator aka I don't work for Kaspersky ;) )

Baz^^
post 20.12.2007 18:09
Post #163


Wrestling Champion
**************

Group: Moderators
Posts: 8026
Joined: 9.03.2007
From: London




Discard the threats from your detected list, and it will no longer flag those files.


--------------------
Kind Regards,

Baz (Volunteer Moderator aka I don't work for Kaspersky ;) )

Autumn Breeze
post 20.12.2007 18:13
Post #164


Advanced Member
***

Group: Members
Posts: 160
Joined: 22.11.2007
From: Southeastern US




QUOTE(rjbsec @ 20.12.2007 09:02) *
Well I'm glad everyone is happy that everything has been fixed :mad:
Last night my laptop reported the Worm32.Huxxx infection with a popup warning me that my PC was infected and prompting me to delete ... it then went on to delete my desktop and corrupt my Acronis Backups on the laptop and associated external USB drive.
My laptop was unusable and I was unable to restore my backup!
By good fortune I had upgraded my drive a few days ago so I had a 'backup', albeit a few days old, so I am able to continue - without the old drive I would be stuffed.
These events could have been disastrous for me and I would like to know what I can do in order to prevent something like this happening again - I bought and trusted Kaspersky to protect my PC, in fact this week it's probably done more to cause me problems than a virus would have done!

well it's not a good idea to have the bkup you're depending on to save your azz connected to your computer... except when doin' bkups/restores/etc of course...

i have several ext HDD's and i only connect with the one that holds my bkup when saving or restoring, otherwise it's disconnected and turned off - no way anything can get to it...

a true bkup/recovery system must be totally isolated and secure from the 'puters it's protecting...

even my externals that i use for other purposes i only connect when needed... i want as little exposure as possible...

QUOTE(rjbsec @ 20.12.2007 09:02) *
... These events could have been disastrous for me and I would like to know what I can do in order to prevent something like this happening again - I bought and trusted Kaspersky to protect my PC, in fact this week it's probably done more to cause me problems than a virus would have done!

Kas did nothin' to harm you... you messed up (just like all of us) so take responsibility and learn from your experiences....

always assume that anything can cause you problems - HDD crash, viruses, physical destruction of your bkup, program malfunction, OS screwin' up... anything can mess up your data so always CYA...

This post has been edited by Autumn Breeze: 20.12.2007 18:23


--------------------
standing on the shoulders of others makes us all taller...
rjbsec
post 20.12.2007 18:34
Post #165


Advanced Member
***

Group: Members
Posts: 54
Joined: 19.06.2005




QUOTE(Autumn Breeze @ 20.12.2007 15:13) *
Kas did nothin' to harm you... you messed up (just like all of us) so take responsibility and learn from your experiences....


That's complete nonsense - I had no way of learning about the above 'fix' until I was able to get back onto the Internet and access this thread, before that happened my hdd was wiped.
I didn't create the false positive, KIS did - you buy such software to protect you from system problems not to create them.
I didn't mess up, KIS messed up, I'm just left to clear up the mess!

Maybe I should have my backups in the safe but for my general use pc I don't judge that to be necessary - if my neglect caused a virus to screw my pc I would accept the blame but that was not the case KIS screwed it and I'm not happy about it.
Autumn Breeze
post 20.12.2007 19:00
Post #166


Advanced Member
***

Group: Members
Posts: 160
Joined: 22.11.2007
From: Southeastern US




QUOTE(rjbsec @ 20.12.2007 10:34) *
That's complete nonsense - I had no way of learning about the above 'fix' until I was able to get back onto the Internet and access this thread, before that happened my hdd was wiped.
I didn't create the false positive, KIS did - you buy such software to protect you from system problems not to create them.
I didn't mess up, KIS messed up, I'm just left to clear up the mess!

Maybe I should have my backups in the safe but for my general use pc I don't judge that to be necessary - if my neglect caused a virus to screw my pc I would accept the blame but that was not the case KIS screwed it and I'm not happy about it.

lol whatever, blame whoever you want... yeah maybe (prolly) Kas made a mistake... how many things in this world are perfect? please name them, which you can't because nothin' is... fallibility is a part of everything...

gee software messed up! wow now that's a news flash lol

as i said b4, EXPECT ANYTHING/EVERYTHING TO MESS UP... that's the purpose of havin' bkups...

here's a news flash for you - YOU MESSED UP TOO... you should have had a bkup that was totally, in every sense of the word, isolated/protected from harm... act like an adult and accept the fact that you didn't follow that rule...

again, we all mess up, everything messes up... nothin' is perfect... so always assume the worst can happen... then if it does, you are covered...

use this as a learnin' experience instead of actin' like a child and lookin' for somewhere else to blame other than yourself...

you touched the stove and got burned... ok, so don't touch the stove again...

sometimes it takes some pain to learn but those can be the best lessons 'cause you're not likely to forget 'em...

'course you can still blame others for your mistakes but i don't think it's gonna keep you protected in the future either... :)

This post has been edited by Autumn Breeze: 20.12.2007 19:15


--------------------
standing on the shoulders of others makes us all taller...
crdadmin
post 20.12.2007 20:26
Post #167


Member
**

Group: Members
Posts: 20
Joined: 5.09.2006





Wow.. that was a fun morning.

Come on Kaspersky.. You'd think someone might be testing the pattern files so that windows executables wouldn't get clobbered. Luckily the damage was repairable (this time).

First it was regedit, now explorer.exe. Can we start being a little more cautious in the future?

Ok how about a new policy? No releasing pattern files at 3am, and lay off the vodka please.


RaideR25
post 20.12.2007 20:29
Post #168


Newbie
*

Group: Members
Posts: 1
Joined: 20.12.2007




I too have the worm.win32.Huhk.c. Every time I start my computer it runs okay for a few minutes then the dreaded red screen comes up from Kaspersky. It says the worm is deleted and my computer restarts, but after a few minutes it does the same thing. It says something about explorer.EXE. I will try and get some screen shots and submit them. Could this be a false positive or something involved with a Kaspersky update? I have the 7.0 suite on 5 computers and hope it doesn't get on them.
Baz^^
post 20.12.2007 20:43
Post #169


Wrestling Champion
**************

Group: Moderators
Posts: 8026
Joined: 9.03.2007
From: London




QUOTE(crdadmin @ 20.12.2007 17:26) *
Wow.. that was a fun morning.

Come on Kaspersky.. You'd think someone might be testing the pattern files so that windows executables wouldn't get clobbered. Luckily the damage was repairable (this time).

First it was regedit, now explorer.exe. Can we start being a little more cautious in the future?

Ok how about a new policy? No releasing pattern files at 3am, and lay off the vodka please.



Obviously there will be lessons learnt from this episode. Mistakes do happen, albeit very rarely.


--------------------
Kind Regards,

Baz (Volunteer Moderator aka I don't work for Kaspersky ;) )

death.by.huhk.c.
post 20.12.2007 20:48
Post #170


Newbie
*

Group: Members
Posts: 9
Joined: 20.12.2007
From: UK




I still can't use my computer. Kaspersky have been no help at all, not on this thread, nor via email, nor on the phone.

I can start up Windows XP Home Edition SP2, but then I can't get any further. When I try to start up Kaspersky Antivirus Version 6 from Windows Task Manager, I get this error message: "The application failed to initialize properly (0xc0000005). Click on OK to terminate the application."

I can open My Computer by double clicking on it but can't do anything with it: I can copy a file but not paste it to a target location. None of the programs that should load automatically on startup are doing so. There is no Start Menu or Task Bar.

I'm at a loss as to what to do next.
Baz^^
post 20.12.2007 20:53
Post #171


Wrestling Champion
**************

Group: Moderators
Posts: 8026
Joined: 9.03.2007
From: London




Do you have a windows xp install cd?

You can try to run a "repair install" that will replace missing/corrupted windows files. It should leave your documents and everything else intact.

http://www.microsoft.com/windowsxp/using/h...ips/doug92.mspx


Make sure to perform a windows update after completing the procedure.


--------------------
Kind Regards,

Baz (Volunteer Moderator aka I don't work for Kaspersky ;) )

death.by.huhk.c.
post 20.12.2007 21:24
Post #172


Newbie
*

Group: Members
Posts: 9
Joined: 20.12.2007
From: UK




QUOTE(MAPKOBKA^^ @ 20.12.2007 17:53) *
Do you have a windows xp install cd?

You can try to run a "repair install" that will replace missing/corrupted windows files. It should leave your documents and everything else intact.

http://www.microsoft.com/windowsxp/using/h...ips/doug92.mspx
Make sure to perform a windows update after completing the procedure.


I've got an OEM machine and Kaspersky came bundled with it, but unfortunately no Windows disks.
zapofrog
post 20.12.2007 21:34
Post #173


Member
**

Group: Members
Posts: 14
Joined: 20.12.2007




Hi all,

Just a couple of questions if I may, to confirm my understanding of the solution:
forgive me if I have missed the answers in the thread, there is much I didn't understand.

-My KAV was set to delete if disinfection failed so deleted explorer and my desktop has vanished: I will restore files (C:\windows\explorer.EXE) as advised in this forum
The following deleted items are also showing:
C:\windows\system32\dllcache\explorer.exe and
explorer.exe\Explorer.EXE

Should I restore these as well?

-when clicking restore, the "please specify file name to restore" window opens.
Am I right in assuming I can just click on SAVE without having to alter name or file type?

-I feel like removing the "delete if disinfection fails" setting... this ok?

Many thanks,
Z

Lucian Bara
post 20.12.2007 21:36
Post #174


True legend
***************

Group: Moderators
Posts: 52487
Joined: 28.01.2006
From: Timisoara, Romania




windows xp pro/home sp2 english? if so i can send you my explorer.exe (in a zip archive), it should work (not that you have anything to lose), just unpack it in c:\windows.

the file>new task>browse dialog in task manager should allow you basic copy/paste actions.
or you could try to download and install this patch: http://www.microsoft.com/downloads/details...FE-0707F2A0534B i think it's the most up-to-date explorer.exe

zapofrog,
yes restore both, you only need to click restore and ok, kav should select the original file path by default

QUOTE
-I feel like removing the "delete if disinfection fails" setting... this ok?

not a good idea, most malware today are not file infectors, but trojans, backdoors or other standalone malware, which can't be disinfected only deleted. instead you could set it to prompt for action for file anti-virus, that way you are asked what to do.

This post has been edited by Lucian Bara: 21.12.2007 00:55


--------------------
skivb
post 20.12.2007 21:40
Post #175


Member
**

Group: Members
Posts: 10
Joined: 3.08.2007




QUOTE(death.by.huhk.c. @ 20.12.2007 10:24) *
I've got an OEM machine and Kaspersky came bundled with it, but unfortunately no Windows disks.

back in the old days you could bootup to dos from floppy. then copy files. but explorer.exe is about 1MB. and you need to steal a copy of explorer.exe from another xp.

i think there is such a thing as booting from usb gizmos.

else, a linux livecd can boot then you can copy (explorer.exe from an otherwise empty floppy). but you'd need to burn the livecd if you don't have one yet. and still need to saunter next door to borrow half a cup of explorer.exe from your friendly neighbor.

anyway, i am now waiting for another xp computer to restart after (yep) kis finishes the "special disinfection".

i wish i'd been slightly more skeptical since i've never had viruses (nok on wud)
_______________
some trivia, while whiling away some time in this meanwhile...
"death.by.huhk.c" reminds me of:
http://www.google.com/search?q=huks+rop+philippines
and
"hokkkk, pt'thuiey"
zapofrog
post 20.12.2007 21:57
Post #176


Member
**

Group: Members
Posts: 14
Joined: 20.12.2007




QUOTE(Lucian Bara @ 20.12.2007 18:36) *
zapofrog,
yes restore both, you only need to click restore and ok, kav should select the original file path by default
not a good idea, most malware today are not file infectors, but trojans, backdoors or other standalone malware, which can't be disinfected only deleted. instead you could set it to prompt for action for file anti-virus, that way you are asked what to do.


Lucian, thks for reply
I restored the first item, then started to restore the C:\windows\system32\dllcache\explorer.exe item but was told it already exists, replace it yes or no?

You replied so quickly that I didn't realise you actually were also talking to me... so I was waiting patiently for an answer, while it was there in front of me for ages... sigh





Lucian Bara
post 20.12.2007 21:58
Post #177


True legend
***************

Group: Moderators
Posts: 52487
Joined: 28.01.2006
From: Timisoara, Romania




no, windows has a thing called system file protection that will try to recover microsoft files once they are also deleted, in your case it seems windows restored it on its own. do a reboot, is everything back to normal?


--------------------
zapofrog
post 20.12.2007 22:10
Post #178


Member
**

Group: Members
Posts: 14
Joined: 20.12.2007




QUOTE(Lucian Bara @ 20.12.2007 18:58) *
no, windows has a thing called system file protection that will try to recover microsoft files once they are also deleted, in your case it seems windows restored it on its own. do a reboot, is everything back to normal?


Yeis! Beautiful! It does indeed all look normal.

Very educational, these false positives...

So tell me, when I try to restore the last item in my list of 3 backup items, explorer.exe\Explorer.EXE, the following message appears: file path does not exist, please verify the correct path was given.

Should I just ignore this, now that the 1st restore was successful?
Lucian Bara
post 20.12.2007 22:48
Post #179


True legend
***************

Group: Moderators
Posts: 52487
Joined: 28.01.2006
From: Timisoara, Romania




no, i think that's different, explorer.exe\explorer.exe is not a file path, it's a "memory path" (in this case it means the explorer.exe module under explorer.exe). since that's not a file path, it can't be restored (but the image for that process is c:\windows\explorer.exe which should already be restored) - everything back to normal.


--------------------
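
The restore decisions worked out over the preceding posts (zapofrog's three backup entries, and the replies about System File Protection and the process\module entry), as an added Python example that is not part of the thread and not Kaspersky's or Microsoft's code. The function names, the `root` directory standing in for the C: volume, and the reference hash are assumptions; the sample file content is constructed.

```python
import hashlib
import ntpath
import tempfile
from pathlib import Path


def is_file_entry(entry: str) -> bool:
    """An entry names an on-disk file only if it is rooted at a drive (C:\\...)."""
    drive, _ = ntpath.splitdrive(entry)
    return bool(drive)


def to_local(entry: str, root: Path) -> Path:
    """Map a Windows path onto `root`, a directory holding a copy of the volume.
    Assumption: names under `root` are lower-case (Windows paths ignore case)."""
    _, rest = ntpath.splitdrive(entry)
    return root.joinpath(*[p.lower() for p in rest.split("\\") if p])


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plan_restore(entries, root: Path, reference_sha256: str) -> dict:
    """Decide, per backup-list entry, whether a restore is needed."""
    plan = {}
    for entry in entries:
        local = to_local(entry, root)
        if not is_file_entry(entry):
            plan[entry] = "not-a-file"       # process\module entry: nothing on disk
        elif not local.exists():
            plan[entry] = "restore"          # still missing after the deletion
        elif sha256_of(local) == reference_sha256:
            plan[entry] = "already-present"  # e.g. put back by System File Protection
        else:
            plan[entry] = "investigate"      # present, but not the reference binary
    return plan


def demo() -> dict:
    """Constructed sample: the three entries from the thread on a fake volume."""
    entries = [r"C:\windows\explorer.EXE",
               r"C:\windows\system32\dllcache\explorer.exe",
               r"explorer.exe\Explorer.EXE"]
    good = b"constructed stand-in for a known-good explorer.exe"
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp, "windows", "system32", "dllcache")
        cache.mkdir(parents=True)
        (cache / "explorer.exe").write_bytes(good)  # only the cache copy exists
        return plan_restore(entries, Path(tmp), hashlib.sha256(good).hexdigest())


if __name__ == "__main__":
    for entry, action in demo().items():
        print(f"{action:16} {entry}")
```

A file that exists but does not match the reference hash is reported as "investigate" rather than overwritten, which matters when the replacement copy came from another machine.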
zapofrog
post 20.12.2007 22:56
Post #180


Member
**

Group: Members
Posts: 14
Joined: 20.12.2007




QUOTE(Lucian Bara @ 20.12.2007 19:48) *
no, i think that's different, explorer.exe\explorer.exe is not a file path, it's a "memory path" (in this case it means the explorer.exe module under explorer.exe). since that's not a file path, it can't be restored (but the image for that process is c:\windows\explorer.exe which should already be restored) - everything back to normal.


Yes, all back to normal.

Many many thanks to all who contributed to this thread.


(so where did this worm name appear from if not a true virus attack?)