
Problem Opening Drives After (hopefully!) Removing Kava.exe/kavo.exe Infection


3 replies to this topic

#1 Rachael1

Posted 10 October 2007 - 02:05 AM

Hello! My computer (Windows XP) was recently infected with kava.exe (also appeared as kavo and ntdelect). One strange thing that had been happening since approximately the time I got infected was when I went to My Computer to open my C drive and external hard drive, I would double click on the icons and the drives would open in a different window, rather than the same window as had previously always been the case. So, I followed the steps on this website: http://www.bleepingcomputer.com/tutorials/how-to-remove-a-trojan-virus-worm-or-malware/

I.e., I located kava.exe in safe mode with autoruns, deleted it, and tried to delete it from C:\WINDOWS\system32 which is where autoruns said it was located. But I got an error message saying I couldn't because it was either in use or access was denied. So I restarted in normal mode, and was then able to delete it from C:\WINDOWS\system32

Since then, I have been unable to find any trace of the infection in either safe or normal modes, using the Windows search function, Spybot and Autoruns as the way of searching. However!! Now, when I try to open my drives from My Computer by double clicking, it doesn't open them in any window, instead it asks me which program I want to open the drives with!! Luckily I can still access the drives by using the drop down menu in My Computer or by choosing to open them with Internet Explorer, but clearly something is not right.

So, my questions: Does this mean I'm still infected??? If so how do I fix it?? And how do I get it back to normal for opening my drives from My Computer?? Any help will be very gratefully received!! Thank you!!



#2 quietman7


Posted 10 October 2007 - 10:22 AM

From what you describe, it appears to be a flash drive infection.

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable) and automatically executes a malicious autorun.bat file which calls wscript.exe to run autorun.vbs on your computer. When a flash drive becomes infected, the Trojan will infect a system when the flash drive is inserted if autorun has not been disabled.

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

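As an added example (not part of the original thread and not code from Flash_Disinfector), this Python code audits a drive root for the autorun.inf mechanism described in the reply above: it lists the entries that launch a program, checks whether each target still exists on the drive, and recognises the placeholder folder mentioned in the note. The sample file content, the name example.exe and the function names are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample, not taken from the thread: an autorun.inf whose entries
# point at an executable that is no longer present on the drive.
SAMPLE = "[AutoRun]\n;junk\nopen=example.exe\nshell\\open\\Command=example.exe\nicon=x.ico\n"

def parse_autorun(text):
    """Return [(key, command)] for entries in [autorun] that launch something."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command rewires what double-clicking the drive does
            if re.fullmatch(r"open|shellexecute|shell\\.+\\command", key):
                entries.append((key, value))
    return entries

def audit_root(root):
    """Classify autorun.inf at a drive root: absent, placeholder-folder, or file."""
    match = [n for n in os.listdir(root) if n.lower() == "autorun.inf"]
    if not match:
        return {"status": "absent", "entries": []}
    path = os.path.join(root, match[0])
    if os.path.isdir(path):  # a folder of that name blocks creation of the file
        return {"status": "placeholder-folder", "entries": []}
    with open(path, errors="replace") as fh:
        entries = parse_autorun(fh.read())
    findings = []
    for key, command in entries:
        parts = command.split()
        target = parts[0].strip('"').lstrip("\\/") if parts else ""
        exists = bool(target) and os.path.exists(os.path.join(root, target))
        findings.append({"key": key, "command": command, "target_exists": exists})
    return {"status": "file", "entries": findings}

def demo():
    with tempfile.TemporaryDirectory() as root:  # stands in for a drive root
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE)
        return audit_root(root)
```

On a real system, call `audit_root` once per drive root (for example `C:\` and each removable drive); a result of `file` with `target_exists` set to false means the launch entry outlived the program it pointed to.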

#3 Rachael1


Posted 10 October 2007 - 11:34 AM

Thank you so much quietman7! I ran it and although it was over really quickly, everything seems to be back to normal because now I can access my drives as normal. Thank you!

#4 quietman7


Posted 10 October 2007 - 11:40 AM

You're welcome.

Now if everything is ok, you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.




