Author Topic: Win32:Vanti-BK [Rtk]

Sonichko

  • Guest
Win32:Vanti-BK [Rtk]
« on: May 28, 2008, 10:47:04 PM »
Hi! I'm new to this... and after using a friend's pen drive here in commonly unprotected territory (I'm living in Argentina) I began to get this message and alarm every time I turn my computer on:

File name: C:\WINDOWS\system32\drivers\vga.sys

Malware name: Win32:Vanti-BK [Rtk]

Type: Rootkit

VPS version: 080526-0, 05/26/2008

1) So I put it in the "chest", but the message still comes back - what does that mean? And what is this virus doing to my poor little computer while I try to figure out what to do to IT?

2) Is it safe to try to delete it or do I need this file?

3) Does anyone know a way to FIX this?

thanks!!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:Vanti-BK [Rtk]
« Reply #1 on: May 28, 2008, 10:53:31 PM »
Bambleweeny 57 sub-meson brain | Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Win32:Vanti-BK [Rtk]
« Reply #2 on: May 28, 2008, 11:01:36 PM »
Hi Sonichko,

To be sure, and it won't hurt your system,
use this online scanner: http://www.virusalert.nl/?show=link&id=symsec
Also use this with option 2: http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Provide us with a hjt log as an attached txt file, download hjt 2.02 from here: http://download.bleepingcomputer.com/hijackthis/HiJackThis.exe

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Sonichko

Re: Win32:Vanti-BK [Rtk]
« Reply #3 on: May 28, 2008, 11:29:02 PM »
Thanks FreewheelinFrank and Polonus,

I uploaded the file to VirusTotal and it found nothing, so the idea that it is a false positive is sounding pretty good.

To be sure, I tried to go to your first link, Polonus, but I got an Internal Server Error message. I tried the second one, but it opened on my computer as a series of icons with difficult names, and I wasn't sure how to proceed. Sorry, I am not very experienced with these; is there another way, or can you help me to understand which of the icons to open?

thanks so much!


Offline polonus

Re: Win32:Vanti-BK [Rtk]
« Reply #4 on: May 28, 2008, 11:34:00 PM »
Hi Sonichko,

Just do the following: download this and do a scan; it is a very good non-resident scanner:
DrWebCureIt: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

Report the results here,

polonus

Sonichko

Re: Win32:Vanti-BK [Rtk]
« Reply #5 on: May 29, 2008, 12:09:22 AM »
VERY INTERESTING.

Now I'm showing up with a modification of Win32.Besso (apparently a trojan) in kavo.exe and yp.bat - SO FAR. So I have to do a complete scan instead of the "express". So this will take a while... Thanks, that is an excellent tool. - I'm sure that they would have shown up in the other too, but I had scanned only the file avast told me was infected.

Offline polonus

Re: Win32:Vanti-BK [Rtk]
« Reply #6 on: May 29, 2008, 07:54:11 PM »
Hi Sonichko,

1. COVERT ANALYSIS OF: KAVO.EXE

    * File Names Used: 7
    * Paths Used: 5
    * Common File Name: KAVO.EXE
    * Common Path: %TEMP%\
    * Vendor Information: No Vendor details specified
    * KAVO.EXE may use 7 or more path and file names; these are the most common:
    * 1: %CACHE%\CONTENT.IE5\????????\AA[1].EXE
    * 2: %CACHE%\CONTENT.IE5\????????\HELP[1].EXE
    * 3: %CACHE%\CONTENT.IE5\????????\LL[1].EXE
    * 4: %WINDIR%\AF.EXE
    * 5: %WINDIR%\SYSTEM32\KAVO.EXE
    * File Name Structure: Normal
    * File and Path Structure: Suspicious, code execution from unusual location

2. RELATIONSHIP ANALYSIS OF: KAVO.EXE

    * Malicious Objects Created: 2 objects
    * Malicious Creators: 1
    * Malware Run Keys: None
    * Self Persists:
    * Antivirus Detection: No third party antivirus detection observed
    * Anti-Spyware Detection: No third party anti-spyware detection observed

3. ACTIVITY ANALYSIS OF: KAVO.EXE

    * The following behaviors have been observed for this object:
    * Installs programs.
    * Deletes programs.
    * Creates Run Keys.
    * Runs other programs.
    * Hijacks running processes.
    * Creates known malware.
    * Creates copies of itself.

4. PROPAGATION ANALYSIS OF: KAVO.EXE

    * Malware Group Propagation Rate: Moderate (spreading)
    * Malware Group: Covert Sys Exec

polonus

Sonichko

Re: Win32:Vanti-BK [Rtk]
« Reply #7 on: May 29, 2008, 10:14:05 PM »
wow - sounds serious.

Sorry I lost my internet signal last night and am now continuing. I was able to complete the scan using the Dr. Web site. Here are the results:

kavo.exe;c:\windows\system32;Modification of Win32.Besso;Moved.;
yp.bat;c:\;Modification of Win32.Besso;Moved.;
m.exe;C:\;Modification of Win32.Besso;Moved.;
zz[1].exe;C:\Documents and Settings\Lisa Barnard\Local Settings\Temporary Internet Files\Content.IE5\RJEUILPL;Modification of Win32.Besso;Moved.;
A0058086.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058110.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058112.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058133.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058135.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058151.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058164.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058166.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058169.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0058189.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0058191.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059189.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059192.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059210.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059216.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;

So the good news is that I no longer get the alarm from Avast about the original problem - the WIN32: Vanti-BK thing.

Now I am just wondering:

1) If Dr. Web moved all of it - am I good to go?

2) Do I need to do something else to actually get rid of it?

3) Were these two viruses really the same thing, or is it probable that I had the besso trojan (or is kavo the real name?) for a long time, infecting all my friends as well?

thanks!!



Offline polonus

Re: Win32:Vanti-BK [Rtk]
« Reply #8 on: May 30, 2008, 01:17:35 PM »
Provide us with a hjt log as an attached txt file, download hjt 2.02 from here: http://download.bleepingcomputer.com/hijackthis/HiJackThis.exe


pol

Sonichko

Re: Win32:Vanti-BK [Rtk]
« Reply #9 on: May 30, 2008, 06:51:11 PM »
Hi Polonus,

here is the Hijack this log...

Offline polonus

Re: Win32:Vanti-BK [Rtk]
« Reply #10 on: May 31, 2008, 09:53:50 PM »
Hi Sonichko,

Here is the analysis of your logfile:
http://www.hijackthis.de/logfiles/52c29231a588dfd491e5b87a1c9ce6e4.html
It will be there for three consecutive days.

Fix this one, if it is unfamiliar to you:
01 Hosts: 66.6.1228.108 www.bancanet etc. mx

polonus

Sonichko

Re: Win32:Vanti-BK [Rtk]
« Reply #11 on: June 02, 2008, 09:33:15 PM »
Hi Polonus! Thank you!

I fixed that one...

and I went over the list and took everything off that was labeled "safe" or that I am sure I understand, and attached it again here - showing only things that were not clearly labeled as safe or unsafe, and things that were labeled as doubtful or unnecessary...

Could you please tell me if there is anything else that you think I should fix?

Some of them said I ought to check them for trojans - what is the best way to do that? just run Dr. Web Cure it again?

Thanks for all your help!

Offline polonus

Re: Win32:Vanti-BK [Rtk]
« Reply #12 on: June 02, 2008, 10:46:26 PM »
Hi Sonichko,

I went over the items you posted thoroughly and they do not pose any danger at least, so you can leave them. You can give this a run: http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.htm

Surf safe, welcome to the forums,

polonus

Sonichko

Re: Win32:Vanti-BK [Rtk]
« Reply #13 on: June 02, 2008, 10:55:15 PM »
Yeay!! :)

Thanks so much! Have a good week!

Sonichko (aka Lisa)

Sonichko

Re: Win32:Vanti-BK [Rtk]
« Reply #14 on: June 04, 2008, 01:49:46 AM »
Hi again!

well - I finally got around to running the Malware program you mentioned.

And I still had Kavo, which is now (I believe!) deleted.

It wanted me to delete this too but I wasn't sure...

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Not selected for removal.

What do you think?
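Two questions in this thread have a mechanical answer: whether the files Dr.Web reported as "Moved" (and the kavo.exe drop locations polonus listed) are really gone, and whether the SHOWALL\CheckedValue item Malwarebytes flagged has been left at 0. The check below is added here; it is not code from the thread, from polonus, or from Dr.Web, Malwarebytes or HijackThis. It assumes the Windows XP profile layout seen in the Dr.Web report and an elevated PowerShell session; the function name Test-BessoCleanup is my own.

```powershell
# Added post-cleanup check for this thread (not part of any tool named in it).
# Assumes Windows XP paths ("Local Settings") and an elevated PowerShell session.
function Test-BessoCleanup {
    param([switch]$Fix)   # -Fix restores the registry value; default is report only

    # Drop locations named in the thread: the Dr.Web "Moved" report and
    # polonus' kavo.exe path list. Anything still present means the
    # cleanup did not complete or the infection has come back.
    $suspect = @(
        "$env:SystemRoot\system32\kavo.exe",
        "$env:SystemRoot\af.exe",
        'C:\yp.bat',
        'C:\m.exe'
    )
    $leftover = @($suspect | Where-Object { Test-Path -LiteralPath $_ })

    # zz[1].exe sat in a randomly named Content.IE5 subfolder. -Filter is
    # handed to the file system, so the brackets are matched literally.
    $cache = "$env:USERPROFILE\Local Settings\Temporary Internet Files\Content.IE5"
    if (Test-Path -LiteralPath $cache) {
        $leftover += Get-ChildItem -LiteralPath $cache -Recurse -Force -Filter 'zz[1].exe' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName }
    }

    # The Hijack.System.Hidden item from the Malwarebytes log. This DWORD is
    # what Folder Options writes for "Show hidden files and folders":
    # Good = 1. While it is 0 the option silently does nothing, so files the
    # malware marked hidden never show up in Explorer.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $checked = (Get-ItemProperty -Path $key -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
    $hiddenOk = ($checked -eq 1)
    if (-not $hiddenOk -and $Fix) {
        Set-ItemProperty -Path $key -Name CheckedValue -Value 1 -Type DWord
        $hiddenOk = $true
    }

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (XP).
    New-Object -TypeName PSObject -Property @{
        LeftoverFiles       = $leftover
        ShowAllCheckedValue = $checked
        ShowHiddenFilesOk   = $hiddenOk
        Clean               = ($leftover.Count -eq 0 -and $hiddenOk)
    }
}

Test-BessoCleanup          # report only
# Test-BessoCleanup -Fix   # also set CheckedValue back to 1
```

A non-empty LeftoverFiles list means another full scan is needed before trusting the machine; a CheckedValue of 0 on a machine that was just cleaned is worth fixing regardless of what Malwarebytes preselected.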