Someone was asking a question about the Stinger in Home and Home Office, so I downloaded it to have a look at the threats it was designed to pick up. (For the record, the current version of Stinger looks for 2112 named malware threats.)
Then, having got it, I decided to give it a go and ran it on my system. It ran for hours, nothing found, very boring, and then ...
When I wasn't looking it detected - it said - something called "FakeAlert!PCVirusless" in C:\Windows\System32\atl71.dll - and promptly deleted the file. My fault, it was left on the default setting of "Repair" instead of "Report Only" or "Rename".
I was extremely surprised by this : I've had no signs of malware infection at all. Even more surprising is what I found when I Googled for this piece of malware, putting its name in quotes, I got back just 3 - three - results : two from the 15th Jan. (one of them in these forums) and one from today. And all seem to be from running the Stinger.
I cannot find this alleged Trojan anywhere, and it is not in the list of malware that the Stinger is meant to look for.
The file itself is a required file for Visual Studio and possibly other .NET applications, so I'll look for a way to get a copy from somewhere to download. It shouldn't be too difficult. But this has set me wondering : first, was this a false positive? And has anyone else come across this Stinger behaviour?
Edit - You can find instructions on how to get a fresh copy of atl71.dll at http://support.microsoft.com/kb/915564
Message was edited by: Hayton on 20/01/11 13:08:49 GMT
I had an identical experience. The atl71.dll file was deleted and now the system will not boot normally! I can only boot into Safe mode. I tried replacing the file per the instructions in the Editor's note, but that didn't help. Can anyone offer any suggestions?
If by 'Editor' you mean me, well, I'm honoured to be promoted. :-)
All I can say is that I went to the Microsoft page and followed the link there, downloaded a new dll file and put it into Windows\System32, then rebooted my machine (as per the Microsoft instructions), and everything seems fine.
Perhaps there's something different you need to do if you don't have XP. What's your OS?
Edit - Have a look at this warning against downloading dll files from anywhere but (in this case) Microsoft. The author also gives his opinion that it may be necessary to uninstall the entire application or set of applications (in this case, all of Microsoft's .NET software) and reinstall it. Not nice.
The same author also gives some more advice here, and one of the things he says I agree with : use System Restore to undo the Stinger deletion.
Message was edited by: Hayton on 20/01/11 16:27:46 GMT
Thanks, Hayton. I am running XP Home Edition. Unfortunately, System Restore isn't an option because I turned it off prior to running Stinger (per McAfee's recommendation) to prevent the system from restoring any infected files automatically. I recovered the deleted file using Recuva and replaced it, but that did not work. Perhaps there is some real malware on the system that is preventing it from booting, now that the dll is gone.
Oh dear, a Double Whammy.
Let's deal with the boot problem first. If the Stinger only deleted that one file, it shouldn't give you problems. If you have Safe Mode with Internet Access, try checking for updates - not just McAfee, but also Microsoft. Download any that are pending, then run a McAfee scan in Safe Mode (not that you have much choice). If you have Malwarebytes installed, run that too, otherwise you can get a free copy from here.
What you have may not be malware, so much as a corrupted XP installation. If you can get into a DOS window, or Start/Run, type 'sfc' (no quotes) and settle back to wait while all the system files are checked for damage and/or absence. Anything that needs to be replaced will be taken from c:\I386.
Then download Microsoft's Baseline Security Analyzer and run it to check for security holes in your setup; and if you don't have Microsoft's Fixit Center for XP installed, I recommend you get that too and run a few checks on different parts of Windows - you'll have to experiment, I've mainly used it to fix problems with IE.
If none of that works I think you might have a bit of a problem. In which case you'll need the wisdom of Ex_Brit, he's an ex-Microsoft expert. I think that means former expert in Microsoft products, I don't think he's ever been to Redmond.
Thanks for the advice everyone. The PC is all fixed, thanks to some expert help from a forum member on geekstogo.com. A combination of OTL and Combofix did the trick.
I'm glad to see your problem has been fixed. I keep forgetting how useful geekstogo can be; I'm adding it to my Favourites/Experts Forums list.
There's still been no word as to why Stinger did this, but from what you said I assume it's been modified so as not to do it again. And I can count myself lucky, I suppose, that I didn't have the same problem you had.
I will get someone to check this and flag it off to the right team if found true.
Note : it would be great if someone could upload the stinger logs as soon as possible.
Thanks Vinod, I will re-run Stinger and get it to save a log this time. Looks like it doesn't by default. Should be about 25 minutes.
Enclosed I upload my last Stinger report after running it on the directories download and windows/system32. In both directories is the file atl71.dll. To be precise, the one in the second directory was a copy of the other in download. I do not understand why the file in the download directory is clean and the other one infected.
Also I upload screenshots of Explorer documenting the files and of the Stinger report on the screen. I hope this may help you.
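The last post above describes two copies of atl71.dll, one flagged and one clean, and the earlier triage advice in the thread centres on verifying the system before trusting a detection. The script below is an added example, not code from the thread or from McAfee: it hashes the copies a scanner has flagged, checks whether they are byte-for-byte identical, compares them against an allowlist of known-good SHA-256 digests, and returns a verdict that maps onto Stinger's "Report Only" versus "Repair" choice. The allowlist digests and the sample file contents are constructed placeholders; a real allowlist would come from the vendor's published file hashes.

```python
"""Triage an antivirus detection on a shared DLL before letting the scanner delete it.

Added example (not from the forum thread). Assumes a hypothetical allowlist of
vendor-published SHA-256 digests; the sample files below are constructed stand-ins
for the two atl71.dll copies discussed in the thread.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, streaming so large DLLs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(copies, known_good):
    """Decide what to do with a detection on `copies` (paths believed to be the same DLL).

    known_good: set of SHA-256 hex digests of vendor-published builds of the file.
    Returns a dict with per-file digests, two boolean checks and a verdict code:
      probable_false_positive - every copy matches a known-good digest
      unverified             - copies agree with each other but are not on the allowlist
      modified               - copies differ, so at least one has been altered
    """
    digests = {p: sha256_file(p) for p in copies}
    distinct = set(digests.values())
    identical = len(distinct) == 1
    allowlisted = all(d in known_good for d in distinct)
    if identical and allowlisted:
        verdict = "probable_false_positive"   # keep scanner in Report Only, report to vendor
    elif identical:
        verdict = "unverified"                # hold in Report Only until the hash is confirmed
    else:
        verdict = "modified"                  # leave quarantined and investigate the odd copy
    return {
        "digests": digests,
        "copies_identical": identical,
        "all_known_good": allowlisted,
        "verdict": verdict,
    }


def demo():
    """Run triage over three constructed scenarios and return their verdicts."""
    # Constructed sample bytes; a real DLL starts with an MZ header too, but this is not a PE file.
    good = b"MZ constructed placeholder for atl71.dll contents"
    tampered = b"MZ constructed placeholder for atl71.dll contents, altered"
    tmp = tempfile.mkdtemp()

    def write(name, data):
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(data)
        return p

    download = write("download_atl71.dll", good)     # copy kept in the download folder
    system32 = write("system32_atl71.dll", good)     # identical copy installed in System32
    altered = write("altered_atl71.dll", tampered)   # a copy whose bytes differ

    # Hypothetical allowlist: in practice, digests published by the software vendor.
    vendor_allowlist = {sha256_file(download)}

    return {
        "both_copies_allowlisted": triage([download, system32], vendor_allowlist)["verdict"],
        "both_copies_unknown": triage([download, system32], set())["verdict"],
        "one_copy_altered": triage([download, altered], vendor_allowlist)["verdict"],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The point of the script is the ordering: hash and compare first, act second. Had the scanner been left on "Report Only", the two copies in the last post could have been compared this way before anything was deleted, and the "modified" outcome is the only one of the three where deletion or quarantine is the right first move.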