Kazy/Ping virus removal


6 replies to this topic

#1 Paul.Estep

Paul.Estep

  • Members
  • 4 posts

Posted 05 December 2011 - 12:06 PM

Ok, so you think you have been infected with the Kazy virus. Well, there is one positive way to tell whether you have or not: open Task Manager and see if PING.EXE is running. If it is and you are not pinging someone, then your computer is infected.

So you have determined that you are indeed infected. In that case we need to remove that infection as fast as possible. To start off, we need to find out what the virus is named. Kazy will always name itself with a 3-letter name; some of the ones I've seen are gmj.exe, syt.exe and qta.exe. You can find the name by opening Task Manager, sorting by name and finding it.

So you found the name. Next we want to open Windows Search and search for that file. When you search, make sure you enable searching of all hidden files and folders / system files. When the search is done it should show 2 files: one will be the fake anti-virus and have a logo that looks like an OLD Microsoft Office icon, and the other will be a .pf file. Before you can delete them you need to kill them off in Task Manager; go ahead and do that, then immediately delete both files. The .pf needs to be deleted as well, because if it's not it will remake the .exe file.

Now that you have removed the annoying fake anti-virus, let's remove the core of it. Go to c:\windows\temp. Inside that folder will be several files; the ones you want to delete are ALL the .exe's and all of the files that start with jar_cache. Once all of those are deleted, run TDSSKILLER.exe. If it finds anything, let it do its job and restart. Once the system has rebooted, run TDSSKiller again, and if it does not detect anything you have successfully removed the infection!!

I'm currently working on a tool that does the whole process for you. When I finish it I will post it on this thread. BTW, I hope this is a good first post.

[Image: a picture of a computer infected with Kazy]

Warning: removing this virus will break the Windows file association. To fix this, put the following into Notepad and save it as xp.reg, then run it, saying Yes when asked whether you would like to add this to your registry.
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

If you want an automated way to do this then use this batch file code. All you need to do is copy the following code to a text file and save it as a .bat file. You will need xp.reg in the same folder as this file to make it work 100%.
@echo off
rem Kazy/Ping removal helper. Expects xp.reg in the same folder as this .bat file.
color 0c
title Kazy Virus Removal Tool
echo Only run this if the PING virus has been detected.
echo Please end the virus via Task Manager before continuing.
echo.
start taskmgr.exe
pause
cls
rem %~dp0 is the folder this .bat lives in, so xp.reg is found even
rem when the script is launched from a different working directory.
copy "%~dp0xp.reg" c:\
rem Clear the dropper's working files from the Windows temp folder.
cd /d %SYSTEMROOT%\temp
echo y|del *.exe
echo y|del *.tmp
rem Remove the files the rogue leaves in the user profile.
cd /d %USERPROFILE%
echo y|del /p iphist.dat
echo y|del /p ping.txt
rem Relative path: a leading backslash here would point at the drive
rem root instead of the profile's Local Settings folder.
cd "Local Settings\Application Data"
echo y|del *.exe
cls
echo A popup will show up and ask you whether you want to add
echo the information to your registry. Select Yes
cd /d c:\
start xp.reg
pause
echo y|del xp.reg
color 0a
cls
echo Congrats, you just removed the main virus.
echo Now run TDSSKiller and antizeroaccess to see if the infection remains.
echo I would also recommend you run a good anti-virus program.
pause


Edited by Paul.Estep, 05 December 2011 - 03:43 PM.
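A read-only triage script for the indicators described in the post above, added here as an example; it is not part of the original post or the author's tool. It reports and deletes nothing. The folders, the 3-letter-name heuristic, the jar_cache and Prefetch files and the expected registry values come from the post; the XP and Vista+ profile paths are assumptions.

```powershell
# Added triage script: reports the indicators from the post, deletes nothing.
# Assumptions: XP-style and Vista+ profile paths, three-letter exe heuristic.
$findings = @()

# 1. ping.exe running when nobody is pinging is the post's primary symptom.
foreach ($p in (Get-Process -Name ping -ErrorAction SilentlyContinue)) {
    $findings += "ping.exe running (PID $($p.Id)); check what launched it"
}

# 2. Three-letter-named executables and jar_cache files in the named folders.
$dirs = @(
    (Join-Path $env:SystemRoot 'Temp'),
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),  # XP
    $env:LOCALAPPDATA                                                 # Vista+
) | Where-Object { $_ -and (Test-Path $_) }
foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^[a-z]{3}$' } |
        ForEach-Object { $findings += "3-letter exe: $($_.FullName)" }
    Get-ChildItem -Path $d -Filter 'jar_cache*' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "jar_cache file: $($_.FullName)" }
}

# 3. The matching Prefetch entry the post says must go too (e.g. GMJ.EXE-xxxx.pf).
Get-ChildItem (Join-Path $env:SystemRoot 'Prefetch') -Filter '*.pf' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[a-z]{3}\.EXE-' } |
    ForEach-Object { $findings += "prefetch trace: $($_.FullName)" }

# 4. A rogue that hijacks the .exe association blocks security tools; these are
#    the values the post's xp.reg restores.
$open = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($open -ne '"%1" %*') { $findings += "exefile open command is '$open' (expected '""%1"" %*')" }
$ext = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
if ($ext -ne 'exefile') { $findings += ".exe maps to '$ext' (expected 'exefile')" }

if ($findings.Count -eq 0) { Write-Output 'No indicators from the post were found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

Run it in an elevated PowerShell session on the suspect machine before any deletion, so the findings can be recorded and the Prefetch and registry state checked against what the post expects.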



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 05 December 2011 - 02:06 PM

//will always name its self a 3 letter name some of the ones ive seen are gmj.exe, syt.exe and qta.exe.//

Here you speak about rogue antivirus software.

You need not search for executables; it is always present in your AppData folders.

//OLD Microsoft office icon and the other will be a .pf file. //

Go to the AppData/Local folder; you will find them there.

//Now you have removed the annoying fake anti-virus lets remove the core of it. //

You can't remove them. Run Malwarebytes and remove the infections; you can still find those two files. Run EXE fix and then remove those two files.

//once all of those are deleted run TDSSKILLER.exe if it finds anything//

Here you refer to the ZeroAccess rootkit.

PING.EXE is a clear symptom of this rootkit.

32-bit PC

TDSSKiller doesn't always find the ZeroAccess rootkit on 32-bit PCs. It finds it only when ping.exe runs in the background; PING.exe hides itself most of the time.

64-bit PC

Even here you can find ping.exe.

But TDSSKiller fails to identify ZeroAccess.

Only ComboFix detects it.

(Symptoms:desktop.ini,system64 folder,consrv.dll)

So you need to take all this into account.

//im currently working on a tool that does the whole process for you.//

Awesome, good luck.

#3 Paul.Estep

Paul.Estep
  • Topic Starter

  • Members
  • 4 posts

Posted 05 December 2011 - 02:55 PM

I'm sorry narenxp, but you are wrong on so many levels. I am cleaning this virus now and I've cleaned it about 30 times before. Trust me on this, guys: if you get this virus then this is the fastest, most efficient way to remove it. Do you see that screenshot? Well, I just took it from an infected computer.

If you try to run Malwarebytes before you do this, it will not open the program and will corrupt the install.

Edited by Paul.Estep, 05 December 2011 - 03:33 PM.


#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 05 December 2011 - 06:19 PM

//im sorry narenxp but you are wrong on so many levels //

Please explain.

//if you try to run malwarebytes before you do this it will not open the program and will corrupt the install. //

You can run it by renaming mbam or running it as administrator.

You are just focusing on ping.exe and the rogue, but not on the rootkit which is dropped on the PC.

//ive cleaned it about 30 times //

I work for a well-known organization in the US which deals with remote support and malware removal.

Every day I get around 40 to 50 PCs with this rogue issue (including ping.exe) and the System Fix issue.

We are removing these infections and we know what we are working on.

So I have a little bit of knowledge on this.

Thanks

#5 Paul.Estep

Paul.Estep
  • Topic Starter

  • Members
  • 4 posts

Posted 05 December 2011 - 07:30 PM

Dude, just because you have remote access to computers doesn't mean anything. If you look at that screenshot you will notice that I remoted into it. If you don't think that this will work for you then don't use it, but more times than not it works for me and all my coworkers, so please stop trolling...

What is your deal, man? This does work if you follow the directions. ComboFix is really nice if you are AT the computer; however, 9/10 it will blue screen if you are running it via a remote login, requiring the end user to grab a Win XP disk and repair the installation. This is not good, so we do not use ComboFix unless 100 percent necessary. Since my first post I have cleaned this SAME virus off 3 more computers, and all 100% cured. You tell me it does not work, but you haven't tried it, so how would you know? After this is run you install MSE and update it, then you run Malwarebytes. Malwarebytes will scan the computer and remove any files it finds; while scanning it will trigger other viruses and MSE will pick them up and delete them. That is how this works. If you use my file it takes about 12 seconds to get both MSE and Malwarebytes up and running so you can clean the infection. Why would you say that this would not work???

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 05 December 2011 - 09:59 PM

You misunderstood what I said.

You are just trying to cure the rogue; you forget about the rootkit behind it. TDSSKiller fails with 64-bit ZeroAccess. It doesn't find the ZeroAccess rootkit on 32-bit unless ping.exe runs in the background. So there are many issues I want you to look into.

I'm sorry if my words were discouraging. I did not mean to be rude.

//combo fix is really nice if you are AT the computer however 9/10 it will blue screen//

I don't support ComboFix or any software. I just want you to have in-depth knowledge about what you are dealing with.

Thanks

#7 Paul.Estep

Paul.Estep
  • Topic Starter

  • Members
  • 4 posts

Posted 12 December 2011 - 04:35 PM

Ok, so I have finished the removal tool. This has ONLY been tested on Windows XP Pro 32-bit (it may work with other versions of 32-bit XP/2000).

WARNING: DO NOT RUN THIS TOOL UNLESS YOU NEED TO!! This tool can mess things up if you don't do it right. If you need help please ask; don't risk it.

Here is the download link: KVR_Tool.exe

1. Install the tool.
2. Find the bad xxx.exe.
3. Type the name in the removal tool and end the task in Task Manager.
4. Press Enter.
5. Let the tool do its thing.
6. After the computer reboots, press y and Enter.
7. Press Enter on the cmd window.
8. Run Malwarebytes. When it's finished, do a reboot.
9. Enjoy :)

I do not take credit for the anti-zeroaccess program that is contained in this program. I did, however, write the code for the batch files that do the dirty work.

antizeroaccess is the property of Webroot.

Edited by Paul.Estep, 12 December 2011 - 06:49 PM.




