Trojan Virus?

9 replies to this topic

#1 Dianopan

  • Members
  • 10 posts

Posted 16 September 2008 - 09:58 AM

I bought a Windows PC 2 months ago and had been using it without any problem until I connected it to the Internet yesterday. The moment I clicked on IE, this message appeared:

avast! Warning
A Trojan Horse Was Found!
File name: c:\g.exe
Malware name: Win32.Oliga(Trj)
Malware type: Trojan Horse
VPS version: 080913-0. 09/13/2008

The system recommended: Move to Chest
and I did that

This happened a few times, and I moved all to chest, as recommended.

Another message also appeared:

A Rootkit Was Found!
File name: C:\WINDOWS\System32\KAVO0.DLL

Since then I cannot access my drives. I have 2 physical drives: a C: drive with OS and applications; a second drive partitioned as D: and E: drives. When I click on any drive, the system prompts for me to choose a program from a list to open the drive as a file.

I am not sure what I should do now to return my PC to its healthy state. I don't even know what is g.exe doing in my PC. (I have removed the Internet connection cable from my PC).
PLEASE HELP.


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,565 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 September 2008 - 10:55 AM

KAVO0.DLL is related to a Password-stealing Trojan often seen with rootkits. Password Stealing Trojans and Rootkits are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read Danger: Remote Access Trojans. This particular infection is known for downloading other malicious files on a system to include dropping them in the root drive so g.exe is probably one of them.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• "When should I re-format? How should I reinstall?"
• "Help: I Got Hacked. Now What Do I Do?"
• "Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Can you use Task Manager? If so, you can use Malwarebytes Anti-Malware and follow these instructions to perform a Quick Scan in normal mode.

After downloading the program, open Task Manager, click the File menu and select New Task (Run…) or click the Applications Tab and select "New Task" at the bottom. Browse to the location of mbam-setup.exe, double-click on it and then press "Ok" to start the install.

After installation, the setup Wizard should show a checkmark next to Launch and Update MBAM so just click Finish to open the program. If it does not open, launch Task Manager again, click the Applications Tab and select "New Task" at the bottom. Browse to the location of mbam.exe (default location is C:\Program Files\Malwarebytes Anti-Malware), double-click on it and then press "Ok" to launch the program and perform your scan. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#3 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 16 September 2008 - 11:05 AM

Welcome to BleepingComputer

A little googling and common sense indicates you have a backdoor trojan with a rootkit. These are extremely dangerous; it might be best to consider a clean install.

You would probably need to use a clean computer and a usb drive to try to remove the infection, one link I found mentioned that the infection could move from one drive to another, so adequate precautions would seem prudent.

You might want to burn a cd instead

I am a slow typer and googler
Chewy

No. Try not. Do... or do not. There is no try.

#4 Dianopan
  • Topic Starter

  • Members
  • 10 posts

Posted 20 September 2008 - 12:24 AM

Thank you quietman7 and DaChew.

It appears that the malware is gone. But I am still worried because I cannot regain control of my drives. I still get the same problem when I click on the drive: I get the Open With dialogue where I am asked to "Choose the program you want to use to open this file:" File E:\ followed by a list of programs.

Here is the copy from the log.

Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 2

9/18/2008 9:58:37 AM
mbam-log-2008-09-18 (09-58-37).txt

Scan type: Quick Scan
Objects scanned: 44510
Time elapsed: 1 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kavo0.dll (Spyware.OnlineGames) -> Delete on reboot.

-----------------------
Please help me to regain my drives. And is my PC safe now???
------------------------------------------------------------------------

#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,565 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 September 2008 - 06:42 AM

Your MBAM log indicates some files will be deleted on reboot. If MBAM encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. If you have not rebooted, make sure you do this. When done, rescan again with MBAM and check all items found for removal. Then click the Logs tab and copy/paste the contents of the new report in your next reply. If you did reboot, then rescan again anyway and post a new log.

Please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • Please be patient as the scan may take up to 20 minutes to complete.
  • When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.
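To show what the SDFix finding "C:\autorun.inf - Deleted" and the Flash_Disinfector note above are dealing with, here is an added Python example, not code from this thread or from either tool: it parses a constructed autorun.inf and tells a drive root that carries a launch directive apart from Flash_Disinfector's protective folder or a harmless vendor label/icon file. The drive letters and file contents are constructed sample data; the dropper name g.exe is taken from the avast! alert in the first post.

```python
import re

# Directives in an [autorun] section that make Windows run, or offer to run,
# a program when the drive is opened. Legitimate media normally carries only
# label/icon entries.
LAUNCH_KEYS = ("open", "shellexecute",
               "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """Return the [autorun] section as {key: value} with lowercased keys.

    Tolerates mixed-case headers, leading NUL bytes, CRLF endings and
    ';' comment lines, all of which show up in real autorun.inf files."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip("\x00 \t\r")
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            in_section = header.group(1).strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def classify_root(entry):
    """Classify what sits at <drive>:\\autorun.inf.

    entry is ("missing", None), ("directory", None) or ("file", text).
    Returns (verdict, sorted list of programs the file would launch)."""
    kind, text = entry
    if kind == "missing":
        return "clean", []
    if kind == "directory":
        # Flash_Disinfector leaves a folder with this name: a folder blocks
        # malware from dropping an autorun.inf *file* at the root.
        return "protected", []
    directives = parse_autorun(text)
    launched = sorted({directives[k] for k in LAUNCH_KEYS if k in directives})
    return ("suspicious", launched) if launched else ("benign", [])


# Constructed sample roots (not taken from the poster's machine): a worm-style
# file on C: pointing at the dropper the thread calls g.exe, Flash_Disinfector's
# protective folder on D:, and a harmless vendor label/icon file on E:.
SAMPLE_ROOTS = {
    "C:": ("file", "[AutoRun]\r\nopen=g.exe\r\nshellexecute=g.exe\r\n"
                   "shell\\open\\Command=g.exe\r\nshell=open\r\n"),
    "D:": ("directory", None),
    "E:": ("file", "[autorun]\n; vendor disc\nlabel=Software\nicon=setup.ico\n"),
}


def audit(roots):
    """Map each drive to its (verdict, launched programs) pair."""
    return {drive: classify_root(entry) for drive, entry in roots.items()}


if __name__ == "__main__":
    for drive, (verdict, programs) in audit(SAMPLE_ROOTS).items():
        print(f"{drive}  {verdict:<10} {' '.join(programs)}")
```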

#6 Dianopan
  • Topic Starter

  • Members
  • 10 posts

Posted 20 September 2008 - 12:09 PM

Thank you again quietman7. :thumbsup:

I have regained my drives. How can I keep my PC SAFE???

Here is my Report.txt:
----------------------------------------------------------------

SDFix: Version 1.226
Run by Administrator on Sat 09/20/2008 at 09:31 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\autorun.inf - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp75.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp76.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-20 09:35:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Avid\\Avid Liquid 7\\Program\\RM.exe"="C:\\Program Files\\Avid\\Avid Liquid 7\\Program\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Avid\\Avid Liquid 7\\Program\\StudioU.mod"="C:\\Program Files\\Avid\\Avid Liquid 7\\Program\\StudioU.mod:*:Enabled:Liquid"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

-------------------------------------------------------------------------------

And from MBAM:
-------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.28
Database version: 1180
Windows 5.1.2600 Service Pack 2

9/20/2008 9:46:04 AM
mbam-log-2008-09-20 (09-46-04).txt

Scan type: Quick Scan
Objects scanned: 45065
Time elapsed: 1 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,565 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 September 2008 - 03:04 PM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Tips to protect yourself against malware and reduce the potential for re-infection:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

#8 Dianopan
  • Topic Starter

  • Members
  • 10 posts

Posted 21 September 2008 - 05:04 AM

Thank you again, Quietman7

My faith in Windows is at rock bottom. I have been using a MacBook Pro all this while and I never gave a thought to computer viruses. It's only when I bought this Windows PC that I met with hell. I had originally installed avast! home edition on the PC and yet I got infected. Should I get some other anti-virus software for the PC?

I have quickly installed VirusBarrier X5 on my MacBook Pro!!!

I have yet to hook up my PC to the Internet!

#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,565 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 September 2008 - 06:11 AM

Choosing an anti-virus is a matter of personal preference, features offered, the amount of resources utilized, how it may affect system performance and what will work best for your system. A particular anti-virus that works well for one person may not work as well for another. You may need to experiment and find the one most suitable for your use. Another factor to consider is whether you want to use a paid for product or free alternative.

No single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Further, subsequent scanning after updates of a particular security product has been released may result in detection of items which had previously gone undetected by prior scans. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.

However, you can overkill your system with resource heavy security programs that will drain your resources and slow down performance. Sometimes you just have to experiment to get the right combo for your particular system as there is no universal solution that works for everyone.

#10 Dianopan
  • Topic Starter

  • Members
  • 10 posts

Posted 23 September 2008 - 02:32 AM

Thanks for the tip, Quietman7.

I'd like to know how a physical drive name (such as C:) became a file name. Is this the work of the registry?
