
Is Kzva.dll Good Or Bad File?


  • This topic is locked

#1 Berra


Posted 06 October 2006 - 05:04 PM

I find this file in c:\windows\system and when I try to see its attrib, it just closes Explorer.

I also notice this:

Logfile of HijackThis v1.99.1
Scan saved at 23:36:00, on 2006-10-06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SKRIVBORD\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Aktivitetsfältet] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [HijackThis startup scan] C:\WINDOWS\SKRIVBORD\HIJACKTHIS\HijackThis.exe /startupscan
O4 - Startup: Netmon2.lnk = C:\Math\NETMON.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O21 - SSODL: lHTTvD - {5DD730CF-F77D-9A65-4931-A7CE78819B39} - C:\WINDOWS\SYSTEM\KZVA.DLL

When I searched for kzva.dll in regedit.exe, I found a string named "ThreadingModel".


#2 rookie147


Posted 07 October 2006 - 03:19 PM

Hello Berra, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please take note of the following:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 rookie147


Posted 08 October 2006 - 03:37 AM

Hello Berra, sorry for the delay in getting back to you.

======

Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
If you do not have a firewall installed, please download and install one of these excellent (and free) products: Zone Alarm or Sygate.
It is important to note that you should only have one firewall installed at a time, but you can download both to your Desktop and install each in turn to see which one you prefer.

======

You are missing another important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer: Install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

======

Please visit the online Jotti Virus Scanner
Click on Browse button.
Copy and paste the following filepath in the box:

C:\WINDOWS\SYSTEM\KZVA.DLL

Click on the Open button.
The scanner will check the file with various AV companies.
Copy and paste the results box into a reply to this thread.

Please also do this step for this file:

C:\Math\NETMON.EXE

======

Please post back with the results of the two Jottis, and a new HijackThis log,
Thanks,
Charles



#4 Berra


Posted 10 October 2006 - 03:49 AM

NetMonitor is a small program which monitors TCP/IP connections on my machine.
When I upload the file to Jotti Virus Scanner:

File: Netmon.exe
Status: INFECTED/MALWARE
MD5 c334a2a9f90558ed407d9dbd64968b05
UNA Found Backdoor.Valv-NeT.201

When I searched the internet for info, that malware didn't exist.



I downloaded AVG free edition and cleaned the computer, but before that I isolated the kzva.dll file to a disk.
When I tried to upload the file to Jotti Virus Scanner, AVG didn't let me upload the file and claimed that the file is a Trojan horse Proxy.amp.

However, I uninstalled AVG and made another try.
To answer my own question: Yes it is a bad file.

File: Kzva.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 78b92439bfc27a12e387731acbf5891b
Packers detected: UPX
Scanner results
AntiVir Found Trojan/Proxy.Agent.DF.14
ArcaVir Found Trojan.Proxy.Agent.Df
Avast Found Win32:Trojano-2801
AVG Antivirus Found Proxy.AMP
BitDefender Found Trojan.Proxy.Agent.DF
ClamAV Found Trojan.Agent-607
Dr.Web Found Trojan.DownLoader.4998
F-Prot Antivirus Found W32/Trojan.APZ
Fortinet Found W32/Agent.DF!tr
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Agent.df
NOD32 Found a variant of Win32/TrojanProxy.Agent.DK
Norman Virus Control Found W32/Agent.ICJ
UNA Found TrojanProxy.Win32.Agent
VirusBuster Found Trojan.PR.Agent.COZ
VBA32 Found Trojan-Proxy.Win32.Agent.df

Oh I almost forgot the hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 12:11:43, on 2006-10-10
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM\ANTIVIR PERSONALEDITION CLASSIC\AVGCTRL.EXE
C:\PROGRAM\ANTIVIR PERSONALEDITION CLASSIC\SCHEDM.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SKRIVBORD\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Aktivitetsfältet] SysTray.Exe
O4 - HKLM\..\Run: [avgctrl] "C:\Program\AntiVir PersonalEdition Classic\avgctrl.exe" /min
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedm] "C:\Program\AntiVir PersonalEdition Classic\schedm.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] C:\WINDOWS\SKRIVBORD\HIJACKTHIS\HijackThis.exe /startupscan
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

Edited by Berra, 10 October 2006 - 06:01 AM.
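Comparing the two HijackThis logs in this thread entry by entry shows which autostart items the clean-up removed and which the new antivirus added. The following is an added example, not part of any post; the function names are hypothetical and the sample lines are excerpted from the two logs above.

```python
import re

# A HijackThis entry starts with a section code (R0, O4, O21, ...) then " - ".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_entries(log_text):
    """Return the set of (section code, entry text) pairs in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            # Drop the "(file missing)" suffix so it is not reported as a change.
            body = re.sub(r"\s*\(file missing\)$", "", m.group("body"))
            entries.add((m.group("code"), body))
    return entries

def diff_logs(before, after):
    """Return (removed, added) entries between two logs, each sorted."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)

# Lines excerpted from the two logs posted in this thread.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - Startup: Netmon2.lnk = C:\Math\NETMON.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O21 - SSODL: lHTTvD - {5DD730CF-F77D-9A65-4931-A7CE78819B39} - C:\WINDOWS\SYSTEM\KZVA.DLL
"""
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [avgctrl] "C:\Program\AntiVir PersonalEdition Classic\avgctrl.exe" /min
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for code, body in removed:
        print("removed:", code, body)
    for code, body in added:
        print("added:  ", code, body)
```

On these excerpts the O21 SSODL entry for KZVA.DLL and the Netmon2.lnk startup item show up as removed, and the AntiVir autostart entry shows up as added.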


#5 rookie147


Posted 11 October 2006 - 09:59 AM

Hey Berra, sorry for the delay in getting back to you. I know it may seem helpful for you to try things out for yourself, and see if it makes any difference, but can you please only do things that I tell you to do during this fix, and we will get you clean quicker. Things like installing other antiviruses can have bad effects; two running simultaneously can cause problems on your computer, so I'd recommend not doing this.

======

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

======

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
======

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

======

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
======

Please post back with the following:
-Ewido log
-Panda log

Thanks,
Charles



#6 rookie147


Posted 21 October 2006 - 04:35 AM

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





