Avast WEBforum
Other => Viruses and worms => Topic started by: nielsr on April 28, 2009, 03:34:06 PM
-
Dear all,
My Cruzer USB flash disc seems to be infected with this virus: win32:Oliga [trj]
(http://img528.imageshack.us/img528/9053/oliga.jpg)
I tried to google on the filename, but I only found 1 Ukrainian site... not much info though.
This trojan acts quite strange. It seems to hide some files/folders. My flash disc (still) has a capacity of 2 GB, of which 1,64 is used (by some docs, this is correct). However, if I select all visible files on my flash disc, this is only 300 MB (hidden files switched on). Apparently there are some MBs missing, which makes sense because I also lost one folder with important documents.
Now, is there a solution to delete this Trojan AND/OR to restore the files, because according to "my computer", they are still there, but not visible on the disc itself.
Background info: I got the virus when I was in an internet cafe in Tanzania last year...
On my computer I use Windows XP SP3.
Thanks in advance,
Niels
-
***
Welcome to the forums, nielsr. :)
Please try the advice given by Polonus at the forum link below.
http://forum.avast.com/index.php?topic=40407.0
***
-
Hi you folks,
@CharleyO thanks for linking the victim to a posting with a cleansing proposal for this malware.
@nielsr
Please follow the link CharleyO gave you and additionally use this tool to cleanse your pendrive or USB stick:
Please download Flash_Disinfector.exe by sUBs and save it to your desktop from here: http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives.
Please do so and allow the utility to clean up those drives as well.
Hold down the Shift key when inserting the drive until Windows detects it
to keep autorun.inf from executing if it is present.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf
in each partition and every USB drive that is plugged in when you run it.
Don't delete this folder... it will help protect your drives from future infection.
polonus
-
Thanks for your replies!
I followed the first steps in CharleyO's post doing the MBAM scan (2 malwares, cleaned, and after reboot nothing was found anymore). I also made a Hijackthis logfile (see attached). I was not sure if the other part of that topic also would help me so I didn't do that (system restore).
I also used Flash Disinfector several times as you described. After it said "done", I rebooted my computer but still nothing was changed on my flash disc. And Avast still detects that Trojan and my "hidden" folders are still invisible.
Is there any possibility I can retrieve my files?
Thanks again!
-
Hello nielsr,
I looked at your HJT log file and no active software firewall was found. Are you running the Windows firewall?
You can check the following entries and fix them if necessary.
The entry 02 BHO (no name) etc.
Upload the Carbon Poker entry to virustotal.com to see whether it is legitimate.
Are the following entries known to you? hunt.rug.nl, 129.125.36.9 and 129.125.14.3; otherwise check and fix them.
Also check B.service.exe at virustotal.com.
Apart from that I don't see anything special; the hidden files could also point to a Sinowal infection, have a look whether you recognise anything here:
http://forums.techguy.org/malware-removal-hijackthis-logs/776184-sinwal-trojan.html
Those would then be random dll names located in system(32); also run a scan with IceSword, which you can download here: http://majorgeeks.com/downloadget.php?id=5199&file=15&evp=0d36c3ec48c6373fd5daac78f0c6a417
Here is an overview of your active system tasks:
Overview of active tasks (process, category, description):
smss.exe (System task): Session Manager Subsystem
winlogon.exe (System task): Microsoft Windows Logon Process
services.exe (System task): Windows Service Controller
lsass.exe (System task): Local Security Authority Service
svchost.exe (System task): Microsoft Service Host Process (3 instances)
aswUpdSv.exe (Virus scanner): Avast Anti-Virus Component
ashServ.exe (Virus scanner): Avast
spoolsv.exe (System task): Microsoft Printer Spooler Service
ATKKBService.exe (Driver): ASUS Keyboard Service
CTsvcCDA.exe (Background task): Creative CD-ROM Services
jqs.exe (Background task): jqs.exe
NBService.exe (Background task): Nero BackItUp (2 instances)
nvsvc32.exe (Application): NVIDIA Driver Helper Service
PnkBstrA.exe (Punkbuster): pnkbstra.exe; check this task at virustotal.com, in my opinion it is OK
SnoopFreeSvc.exe (Unknown task): "There is no file information. The program is not visible. The file is an unknown file in the Windows folder. SnoopFreeSvc.exe is not a Windows system file. Therefore the technical security rating is 70% dangerous, however also read the users reviews." So check it at virustotal.com
svchost.exe (System task): Microsoft Service Host Process; also scan this one, something could be piggybacking here
SearchIndexer.exe (System task): Search Indexer
RUNDLL32.EXE (System task): Microsoft Rundll32
GamerOSD.exe: "C:\PROGRAM FILES\ASUS\GAMEROSD\GAMEROSD.EXE is not malware. Safe!" ASUS GamerOSD, ASUSTeK Computer Inc., ASUS GamerOSD 1, 0, 0, 1
RTHDCPL.EXE (Driver): Realtek HD Audio Sound Effect Manager
HPWuSchd2.exe (Background task): Hewlett Packard Software Update Scheduler
SnoopFreeUI.exe (Unknown task): http://www.file.net/process/snoopfreeui.exe.html - upload this executable to virustotal.com
ashDisp.exe (Virus scanner): Avast AntiVirus
gnotify.exe (Background task): GMail Notifier
rundll32.exe (System task): Microsoft Rundll32
Mouse32a.exe (Background task): mouse driver program, came with the installation of the mouse
jusched.exe (Background task): Sun Java Update Scheduler
ctfmon.exe (System task): Alternative User Input Services
MsnMsgr.Exe (Application): MSN Messenger
MsnMsgr.Exe (Background task): MsnMsgr.Exe
TeaTimer.exe (Application): Spybot S&D Realtime Scanner
ashMaiSv.exe (Virus scanner): Avast Anti-Virus Component
msmsgs.exe (Application): MSN Messenger
GoogleUpdate.exe (Background task): GoogleUpdate.exe
GoogleUpdate.exe (Background task): Google Updater
ashWebSv.exe (Virus scanner): avast! Web Scanner
hpqtra08.exe (Background task): Hewlett Packard Imaging
LaunchU3.exe (Background task): U3 Smart drive Software
Launchy.exe (Background task): TODO
hpqSTE08.exe (Driver): HP Imaging
wlcomm.exe (Background task): wlcomm.exe
chrome.exe (Application): Chrome Browser (8 instances)
googletalkplugin.exe (Background task): Google Talk
chrome.exe (Application): Chrome Browser
LaunchPad.exe (Background task): "File LaunchPad.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 49,152 bytes (60% of all occurrence), 36,864 bytes, 2,392,064 bytes, 2,158,671 bytes, 4,603,904 bytes, 2,162,688 bytes, 2,314,240 bytes, 1,960,464 bytes. The program has a visible window. Program has no file description. File LaunchPad.exe is not a Windows core file. Therefore the technical security rating is 38% dangerous." Launches from the USB pendrive, so check it and scan it at virustotal
explorer.exe (System task): Microsoft Windows Explorer
HijackThis.exe (Application): Hijackthis 2.02
So, you now have some homework; I look forward to your virustotal results. If there are 0 results among them, that is not interesting; otherwise pass on the malware names, should anything be found,
polonus
-
Hey Polonus,
Thanks for your reply!
Most entries you mentioned are not dangerous.
I scanned some files you asked me with VirusTotal, but none of them gave a result (0/40 e.g.), so not interesting I guess.
Windows Firewall is up and running I saw.
Also the IceSword didn't give any clues.
However, I performed some other scans which I found in other topics:
SDfix (attached)
Online Kaspersky report, which found 2 infected items (attached). The strangest thing is that while I was selecting the folders to scan (i.e. I:\, my flash disc), I actually saw my hidden folders with documents on the flash disc in the browse tree. Isn't that strange? However I can not explore these folders in My Computer...
Kaspersky results: I:\0gjn3yw.exe Infected: Trojan.Win32.Vaklik.bop
I:\lky.exe Infected: Trojan-Downloader.Win32.Zlob.aceg
After this I got the option to search Kaspersky Database but it didn't recognize these trojans (here (http://www.viruslist.com/en/find?words=Trojan.Win32.Vaklik.bop&search_mode=virus&search=Search) and here (http://www.viruslist.com/en/find?words=Trojan-Downloader.Win32.Zlob.aceg&search_mode=virus&search=Search&described_only=on&kl_only=on))
Any more ideas? Thanks again!
-
Hi nielsr,
Regarding the executables found, read this:
http://www.prevx.com/filenames/X1463245723997338634-X1/CKVO.EXE.html
Trojan created as: %System%\ckvo.exe
c:\0gjn3yw.exe
For lky.exe
LKY.EXE description: The filename LKY.EXE was last seen on 12.4.2008, and it is considered unsafe.
Threat name Win32.X Filename %%root%%\lky.exe Filesize Unknown
Last seen 12.4.2008 Status Known to av as unsafe.
This file can perform following behavior.
- File is created as process on the disk.
- This process can create, delete or modify files on the disk.
LKY.EXE remove instruction
1. Temporarily Disable System Restore, Reboot computer in SafeMode;
2. Locate LKY.EXE virus files and uninstall LKY.EXE files program.
Follow the screen step-by-step screen instructions to complete uninstallation of LKY.EXE.
3. Delete/Modify any values added to the registry related with LKY.EXE,
Exit registry editor and restart the computer;
4. Clean/delete all LKY.EXE infected file(s): LKY.EXE and related,
or rename LKY.EXE virus files;
5. Please delete all your IE temp files with LKY.EXE manually, run a whole scan with avast av
Another procedure below:
Follow the following procedure:
PROCEDURE:
1. While the computer is still off;
2. Plug in the USB Drive
3. Insert the Windows XP CD-ROM into the CD-ROM drive. It must be the bootable Windows XP Installer
4. Start the computer from the CD-ROM drive. It will start Windows Setup screen
5. When the “Welcome to Setup” prompt appears, press “R” to start the Recovery Console
6. If asked “Which Windows installation would you like to log on to”, select the number. Type “1” then Enter, if only one installation of Windows is present
7. Enter the administrator password, press Enter
8. It will bring you to command prompt, C:\Windows>
9. Proceed with the following command:
- Type d: (This is the drive letter of the USB drive. It can be e: or f: depending on how many hard disks or CD drives are installed)
- Type attrib -h -r -s autorun.inf
- Type “edit autorun.inf” it will open DOS Editor and display contents as follows
==========================
[autorun]
open=lky.exe
shell\Open\Command=lky.exe
shell\open\Default=1
shell\Explore\Command=lky.exe
shell\Autoplay\command=lky.exe
==========================
Take note on the file that it called to open (in your specific example it is lky.exe)
10. Exit DOS Editor and return to command prompt, D:\>
11. Delete the file that was called to open on DOS Editor
- Type del /f /a lky.exe
12. Delete autorun.inf file
- Type del /f /a autorun.inf
13. Exit Recovery Console by typing exit.
You might need this tool for removal: http://ccollomb.free.fr/unlocker/
polonus
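The removal procedure above does by hand what a small script can do safely on a mounted drive: read the autorun.inf, find which program the [autorun] section would launch (here lky.exe), and tell that launcher file apart from the protective autorun.inf folder that Flash_Disinfector leaves behind earlier in the thread. The following Python script is an added example and not a tool from this thread or from any of the posters; the sample autorun.inf contents are the ones quoted in the procedure, the "0gjn3yw.exe" variant and the drive-root layout are constructed for the demonstration, and the function names are my own.

```python
"""Classify an autorun.inf found in a removable drive root.

Added example, not a tool from the forum thread.  The [autorun] keys that
cause a program to run are 'open', 'shellexecute' and any
'shell\<verb>\command' entry; the sample below is the one quoted in the
removal procedure, which rewires Open, Explore and AutoPlay to lky.exe.
"""
import os
import shlex
import tempfile

# Constructed sample: the autorun.inf contents quoted in the removal procedure.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=lky.exe
shell\Open\Command=lky.exe
shell\open\Default=1
shell\Explore\Command=lky.exe
shell\Autoplay\command=lky.exe
"""

# Keys whose value is executed directly by Windows AutoRun/AutoPlay.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the set of program names an [autorun] section would run.

    Only the [autorun] section is read, keys are compared case-insensitively,
    and a value such as '"x.exe" /s' contributes just the program name.
    """
    launched = set()
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        # shell\<verb>\command=... hijacks the Explorer context-menu verbs
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command:
            tokens = shlex.split(value.strip(), posix=False)  # keep backslashes
            if tokens:
                launched.add(tokens[0].strip('"').lower())
    return launched


def classify_autorun(drive_root):
    """Describe the autorun.inf entry in a drive root.

    Returns (kind, launched) where kind is one of:
      'absent'            - nothing named autorun.inf in the root
      'protective-folder' - a directory, as created by Flash_Disinfector
      'launcher'          - a file; launched holds the programs it starts
      'inert'             - a file that launches nothing (e.g. only an icon)
    """
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "protective-folder", set()
    if not os.path.isfile(path):
        return "absent", set()
    with open(path, "r", errors="replace") as fh:
        launched = parse_autorun(fh.read())
    return ("launcher" if launched else "inert"), launched


def demo():
    """Build two constructed drive roots in a temp dir and classify both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        infected = os.path.join(tmp, "infected_stick")
        os.makedirs(infected)
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        cleaned = os.path.join(tmp, "cleaned_stick")
        os.makedirs(os.path.join(cleaned, "autorun.inf"))  # protective folder
        for name, root in (("infected", infected), ("cleaned", cleaned)):
            results[name] = classify_autorun(root)
    return results


if __name__ == "__main__":
    for name, (kind, launched) in demo().items():
        print(f"{name}: {kind} {sorted(launched)}")
```

Run it against a real drive root with `classify_autorun("E:\\")` (or the mount point on another OS) before deleting anything: a 'launcher' result names the file the Recovery Console steps tell you to `del`, while 'protective-folder' means the autorun.inf is the empty directory Flash_Disinfector created and should stay.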