Wednesday, May 6, 2009

BSOD, rdbss.sys, network dropouts, unwise_.exe, and the Win32/Heur virus/trojan

This will only help a very small number of you, but for the sake of these few...

I have lost HOURS and HOURS this week with the internet connection on my email computer dropping out.

"Repair Connection" worked a few times, but in the last few days even that stopped helping.

Switching between LAN and wireless also helped initially, but in the past few days, not at all.

It got to the point where I would lose ALL network access within a few minutes of boot.

Just long enough to check email once.

And it got to the point where I could only "fix" it by rebooting.

So get this : my (slow) email machine, which takes roughly five minutes to do a shutdown/reboot cycle, had to be turned off and turned back on practically every time I wanted to check or send email! Very frustrating!

(Nor was it just a case of "set & forget". The laptop requires password entry at two points during the boot cycle, so rebooting it is a major distraction.)

I tried using Internet Explorer's diagnose-connection-problems tool. It informed me that "Windows has detected a problem with the winsock provider catalog on this computer", and offered to repair the problem. But that didn't help.

At around the same time, I began to find that the laptop would bring up the infamous "Blue Screen Of Death" (BSOD) during shutdown. Every time. Yet another source of pain in the email-checking routine.

And of course, I'm used to checking email at least every hour, as it is a primary means of communication with customers...

The BSOD was a red herring. It said that rdbss.sys had been unloaded "without canceling pending operations" - whatever that means. I searched and searched, and of course, found nothing that helped.

I tried resetting the Winsock stack - as suggested by some articles - but the problem persisted.

What if... what if this is a symptom of a common virus?

I haven't had a virus on any of my computers in something like six or seven years.

I don't actually have a virus scanner installed - they usually slow a computer down horribly.

As a very technically-oriented programmer, I am very familiar with the limitations of technology, and instinctively manage to steer clear of most sources of viruses.

But whatever was going on with my email computer was very strange, and it was wasting hours and hours, so I decided to give it a virus scan.

AVG became my tool of choice.

I downloaded it onto another computer and transferred the installer across via USB stick.

Fortunately, it allowed me to install without needing to access the internet - e.g. for updated virus signatures.

Pretty quickly, the virus scan turned up a "Win32/Heur" virus in a file called "C:\Windows\fonts\unwise_.exe". Aha! Likely the culprit!

And sure enough it was. More on the virus in a moment, but I used Task Manager to kill the running instance of unwise_.exe, and within minutes, my network access was working properly again!

It might even be that unwise_.exe and its Win32/Heur were not directly killing the network, but perhaps were engaging in network activity that my network router found objectionable. Or maybe the problem was indeed entirely within that infected laptop.

Either way, virus gone, problem solved.

And the BSODs have disappeared too!

So if you're having strange network dropouts minutes after boot... it might just be a virus.

---

A couple of thoughts about this particular virus :

It uses the file name "unwise_.exe" - note the underscore. I find this intriguing. "unwise.exe" (no underscore) is (IIRC) the name of a popular program uninstaller that works with a very large number of programs. (Is it part of the "InstallShield" suite? I'm hazy on the details now...)

So presumably, the virus writers chose the name "unwise_.exe" (note the underscore) because of its similarity to "unwise.exe" (no underscore) - i.e. to try to make it look more innocuous.

But to the trained eye, it was thoroughly suspicious.

First up, whilst "unwise.exe" (no underscore) is a common name, "unwise_.exe" (note the underscore) is NOT a common name, and uncommon file names that are so suspiciously similar to common file names don't just happen by accident!

Secondly, the file had both the SYSTEM and HIDDEN file attributes set. Oh yeah - that means you won't be able to find it yourself unless you go to the Command Prompt and type something like "dir C:\Windows\fonts\*.exe /ah" (the /ah switch lists hidden files, which a plain "dir" skips).

Thirdly, no executables ever live in the C:\Windows\fonts folder. That alone is almost sufficient proof that the file is malicious. But what a clever choice - the C:\Windows\fonts folder cannot actually be browsed in Windows Explorer like other folders can. If you launch Windows Explorer and navigate to C:\Windows\fonts, you'll see a special "fonts list" view, which fails to show the offending "unwise_.exe", even though it is in that folder.

So whoever wrote this "unwise_.exe" thing knew what they were doing, and went to great lengths to hide their malicious program's presence on affected systems.

Note further that this virus installs itself to start at system boot (or user logon - one or the other, and I'm not quite sure which) and to run under the SYSTEM account. That's another clue that it's a bad boy - the real "unwise.exe", being an uninstaller, and thus always launched by the USER not the SYSTEM, would not be found in the Task Manager running under the SYSTEM account.
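The three clues above (an executable sitting in the Fonts folder, HIDDEN and SYSTEM attributes both set, and a name one character away from a well-known legitimate one) can be checked mechanically. The script below is an added example, not code from the post: it scores constructed file records against those clues so it runs offline on any OS, and scan_directory() builds the same records from a real folder on Windows, where os.stat() exposes st_file_attributes. The attribute bit values are the documented Win32 FILE_ATTRIBUTE_* constants; the list of well-known names to compare against is an assumption you would extend for your own environment.

```python
"""Added example (not from the post): heuristic scan for disguised executables
of the unwise_.exe kind.  SAMPLE_RECORDS below are constructed test data."""
import os
from dataclasses import dataclass
from pathlib import PureWindowsPath

FILE_ATTRIBUTE_HIDDEN = 0x02   # Win32 FILE_ATTRIBUTE_HIDDEN
FILE_ATTRIBUTE_SYSTEM = 0x04   # Win32 FILE_ATTRIBUTE_SYSTEM
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}
# Folders where no executable should legitimately live (the post names Fonts).
NO_EXE_FOLDERS = {r"c:\windows\fonts"}
# Legitimate names a lookalike would imitate; extend for your environment (assumption).
WELL_KNOWN_NAMES = {"unwise.exe", "svchost.exe", "explorer.exe"}


@dataclass(frozen=True)
class FileRecord:
    path: str          # full Windows path
    attributes: int    # Win32 attribute bitmask


def edit_distance(a, b):
    """Levenshtein distance; one insertion separates 'unwise_.exe' from 'unwise.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the well-known name this file name imitates (distance 1), else None."""
    name = name.lower()
    for known in WELL_KNOWN_NAMES:
        if name != known and edit_distance(name, known) == 1:
            return known
    return None


def suspicious_reasons(rec):
    """List the clues that apply to one file; an empty list means nothing odd."""
    p = PureWindowsPath(rec.path)
    reasons = []
    if p.suffix.lower() in EXECUTABLE_SUFFIXES and str(p.parent).lower() in NO_EXE_FOLDERS:
        reasons.append(f"executable in {p.parent}, where none belongs")
    hidden_system = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    if rec.attributes & hidden_system == hidden_system:
        reasons.append("HIDDEN and SYSTEM attributes both set")
    known = lookalike_of(p.name)
    if known:
        reasons.append(f"name imitates {known}")
    return reasons


def find_suspicious(records):
    """Return (path, reasons) for every record with at least one clue."""
    hits = []
    for rec in records:
        reasons = suspicious_reasons(rec)
        if reasons:
            hits.append((rec.path, reasons))
    return hits


def scan_directory(folder):
    """Build FileRecords from a real folder; attributes are only exposed on Windows,
    elsewhere st_file_attributes is absent and the bitmask is reported as 0."""
    records = []
    for entry in os.scandir(folder):
        attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
        records.append(FileRecord(os.path.join(folder, entry.name), attrs))
    return records


# Constructed sample: the disguised file, a font, and the genuine uninstaller.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Windows\fonts\unwise_.exe", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    FileRecord(r"C:\Windows\fonts\arial.ttf", 0x20),            # ARCHIVE only
    FileRecord(r"C:\Program Files\SomeApp\unwise.exe", 0x20),  # the real uninstaller
]

if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_RECORDS):
        print(path)
        for r in reasons:
            print("  -", r)
```

On a Windows box, `find_suspicious(scan_directory(r"C:\Windows\Fonts"))` applies the same checks to the real folder, which matters because, as the post notes, Explorer's fonts view never shows the file at all.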

---

Oh - and before you flame me - someone else had been using my email computer quite heavily around the time of the infection (1-May-2009 was the date of infection, based on the file datetime stamp on the C:\Windows\fonts\unwise_.exe file), and so whilst that probably means I need to install an anti-virus program permanently if I'm going to let them keep using my computer, it does potentially vindicate my "I don't need an anti-virus program for myself" attitude of many years.

---

Thanks for reading! I hope this helps some of you...

8 comments:

Unknown said...

Hi mate! Great article! :)

After XP reinstall, I experienced the same problems. Since I got ADSL modem drivers back from backup, I painted them in blame.

Took drivers from CD, reinstalled, and it worked. For a while... sounds familiar? :D

Then I removed modem completely, rebooted, and installed it again.

Now it works!

Well... not for long lol :)))

So I got very very sick and tired of this problem.

I recalled the fact that XP with SP2 allows only 10 half-open TCP connections instead of the 200 that I used to tweak it to. I downloaded BitComet (painfully!) and installed it. It was the only program I could remember that can tweak tcpip.sys to allow more half-open connections.

So I rigged it to 200 and rebooted.

Voila! No problems!
It looks like the virus was abusing the file, and when it was changed it could no longer do so!

10 minutes after I ran tasklist and noticed 'unwise_.exe'. What the--... something leftover from BitComet? :O

File location trace...

C:\Windows\Fonts !!?
You got to be kidding me :D
Hidden and system attributes?! LOL :D

I immediately killed the process (noticed it ran under the system user so I killed the service as well) and started Googling about it.

This is when I found your blog entry :)

Virus is a total pain in the ass, and it can only be caught if your newly installed XP is not patched, but put online first :)

Lucky for me, I remembered my trusty BitComet and it saved me the agony until I'd find out the process. Some amount of minutes, but they'd be like hours. Now I love it even more :)

Anyway, sorry to spam your comments like this, but I just had to write a little about my story :)

It's 02:40 am here, and I'm so pissed off, and so glad at the same time I wasn't even able to sleep :D

Again, sorry for random rant.

Have a nice day, and thank you for this blog entry.
It's good to see there are people that can use their head and good thinking when it comes down to troubleshooting problems :)

Dave Smith W said...

Ok, so if you can't directly view it, how do you delete it? Or is it ok to leave it there once you've killed the process and removed it from the "autoruns" list? I tried the command prompt you suggested and it found the file, but the "del" command wouldn't work.

Verbose Philosopher said...

Glad to hear it helped, Sinisa!

Dave, after you've killed the unwise_.exe process, you should be able to delete it fine, so it seems strange that when you tried to delete it, you couldn't. When you say "the del command wouldn't work", could you report the exact error message it gave? Thanks.

Unknown said...

Hi,

Just wanted to say thanks, spent the last few hours messing around with the PC trying all the usual crap when I found your page. Sure enough it was this virus causing all the problems. You saved me a lot more hours of heartache.

Cheers

Unknown said...

This virus has been bugging me for long. First time I simply reinstalled XP as I had no data on it. This time I decided to get to the core of the problem. Here's a way to get rid of it: remove from Task Manager / use the taskkill command in the prompt. Remove from regedit by searching for unwise_. Go to the fonts folder in cmd, type attrib -s -h -r unwise_.exe, then do del unwise_.exe and you are good to go.

Unknown said...

I just did a system restore to a point in time I didn't have the virus, it worked great!

reality said...

hmm....

I just found and removed this from my wife's T61...and it took all of 3 minutes.

I think you forgot basic troubleshooting procedure...

- she has a network connection problem...so I ran tcpview.

- I instantly see the dozen normal connections, doing nothing...AND another dozen active connections...all going to offsite computers....ALL from a process called 'unwise_.exe'.

- step 2: do a SEARCH in explorer. There it is in FONTS...and there it is in Prefetch.

- step 3; highlight both, hit delete.

- snag; the one in FONTS won't delete, because it's running.

- step 4; overlay Task Manager window on Explorer window (still showing search-results)...get ready...kill the unwise process then QUICKLY highlight the file in explorer and hit 'delete' and click 'yes'.

done....gone.

Moral: when you have a problem connecting, the FIRST thing to do is check connections....you would've discovered the problem in seconds, rather than days.

tcpview is your friend.

sysinternals is your god...lol.
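The approach in the comment above, looking at which process owns the off-site connections, works just as well from the built-in `netstat -ano` and `tasklist /fo csv` output when TcpView is not to hand. The script below is an added example, not the post's or the commenter's code: it groups established TCP connections by owning PID, counts those going to addresses outside the local ranges, and names the PIDs via the tasklist CSV. Both sample outputs are constructed; the foreign addresses use the RFC 5737 documentation ranges, which this script deliberately treats as off-site (Python's own is_private would class them as private), and the flagging threshold of three connections is an assumption.

```python
"""Added example (not from the post): flag processes with many established
connections to off-site addresses, from constructed netstat/tasklist text."""
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Ranges treated as "on site"; spelled out rather than using is_private so that
# the RFC 5737 documentation addresses in the sample count as off-site.
LOCAL_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample of `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49160     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.20:49171     203.0.113.45:6881      ESTABLISHED     1640
  TCP    192.168.1.20:49172     203.0.113.77:6881      ESTABLISHED     1640
  TCP    192.168.1.20:49173     198.51.100.9:8080      ESTABLISHED     1640
  TCP    192.168.1.20:49174     198.51.100.10:443      ESTABLISHED     1640
  TCP    192.168.1.20:49180     198.51.100.200:110     ESTABLISHED     2210
  TCP    [::]:135               [::]:0                 LISTENING       876
  UDP    0.0.0.0:500            *:*                                    1020
"""

# Constructed sample of `tasklist /fo csv` output.
SAMPLE_TASKLIST = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","876","Console","0","4,512 K"
"unwise_.exe","1640","Console","0","3,104 K"
"thunderbird.exe","2210","Console","0","41,220 K"
"""


def split_endpoint(endpoint):
    """'192.168.1.20:49171' -> ('192.168.1.20', '49171'); also handles '[::]:135'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_offsite(host):
    """True for any address outside LOCAL_NETS; non-addresses such as '*' are not."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)


def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid) rows; UDP rows have no State column."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            yield tuple(parts)
        elif parts[0] == "UDP" and len(parts) == 4:
            yield (parts[0], parts[1], parts[2], "", parts[3])


def offsite_established_by_pid(text):
    """Count established TCP connections to off-site hosts, keyed by owning PID."""
    counts = Counter()
    for proto, _local, foreign, state, pid in parse_netstat(text):
        if proto == "TCP" and state == "ESTABLISHED":
            host, _port = split_endpoint(foreign)
            if is_offsite(host):
                counts[pid] += 1
    return dict(counts)


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {row["PID"]: row["Image Name"] for row in reader}


def flag_processes(netstat_text, tasklist_text, threshold=3):
    """Return (pid, image name, count) for PIDs at or above the threshold, busiest first."""
    names = parse_tasklist_csv(tasklist_text)
    flagged = [(pid, names.get(pid, "?"), n)
               for pid, n in offsite_established_by_pid(netstat_text).items()
               if n >= threshold]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for pid, name, n in flag_processes(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"PID {pid} ({name}): {n} established off-site connections")
```

Against real output, pipe `netstat -ano` and `tasklist /fo csv` into files and pass their contents in place of the samples; a mail client holding one or two connections is normal, while a process nobody recognises holding a dozen is the pattern the comment describes.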

virus removal said...

Great article bro. I learned some new thing from your articles and comments. Thanks a lot.