Author Topic: win32:small-IKZ [Trj]  (Read 5677 times)


Kyote

  • Guest
win32:small-IKZ [Trj]
« on: December 21, 2007, 12:06:21 AM »
I have turned off System Restore. But every time I restart my computer I get avast popping up telling me that I have this virus 'win32:small-IKZ'.

Avast seems to have no trouble deleting the file, nor does it have trouble moving it to the virus chest. The first 2 times I let it delete it. The last 2 times I've moved the file to the chest. Seems to make no difference. The next day when I turn my computer on I'm infected all over again.

The file is found in the root of my C: drive. After avast removes it, if I go there in Explorer there are several files that look like they are related to the executable that avast found, 'a.exe'.

When I do a Google search for win32:small-IKZ I get only non-English results. When I search the avast site I get no exact hits. When I search this forum for win32:small-IKZ I get an error and it tells me to inform an Administrator.

Can someone help?

---
Kyote

« Last Edit: December 21, 2007, 12:09:49 AM by Kyote »

Offline DavidR

  • Avast Überevangelist
  • Posts: 89711
  • No support PMs thanks
Re: win32:small-IKZ [Trj]
« Reply #1 on: December 21, 2007, 12:20:58 AM »
What are the other file name/s you think may be related to the a.exe detection ?

It looks like you have an undetected or hidden element to the infection, which is either restoring the file (not from System Restore, obviously) or downloading it again. What is your firewall?

I don't know if any of these anti-spyware tools will work on XP 64bit.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode:
SUPERantispyware (on-demand only in the free version), or AVG Anti-Spyware (formerly Ewido; resident scanner during the trial, on-demand after the trial ends), or Spyware Terminator (resident scanner).

A Google search for a.exe rather than the malware name returns many hits, http://www.google.com/search?q=a.exe; you could try the same for the other suspect files.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here. I feel VirusTotal is the better option, as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti (multi-engine on-line virus scanner); if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.
« Last Edit: December 21, 2007, 12:24:33 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.875) UI 1.0.820/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Kyote

  • Guest
Re: win32:small-IKZ [Trj]
« Reply #2 on: December 21, 2007, 08:17:25 AM »
OK, here are some of the files I suspect are part of the detected virus.

b.exe
n.bat
x.dat
z.dat
winlogon.exe

These 5 files are in my C: drive's root, where the a.exe file with the virus was located. b.exe tends to disappear after a few moments once avast gets rid of a.exe.

I'll try the things you've mentioned. Also, thank you. I don't know why in the world it never occurred to me to Google the a.exe... Must be losing it in my older age.

I'll post back here to let you know how things are going.

Oh, by the way, I am only using the built-in Win XP Pro firewall. I haven't found a free version of any that works on a 64-bit system yet.
« Last Edit: December 21, 2007, 08:21:50 AM by Kyote »

Kyote

  • Guest
Re: win32:small-IKZ [Trj]
« Reply #3 on: December 21, 2007, 09:17:53 AM »
Here's the log of one of the programs you told me about, mate.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/21/2007 at 02:15 AM

Application Version : 3.9.1008

Core Rules Database Version : 3365
Trace Rules Database Version: 1364

Scan type       : Complete Scan
Total Scan Time : 00:25:11

Memory items scanned      : 305
Memory threats detected   : 1
Registry items scanned    : 4639
Registry threats detected : 2
File items scanned        : 28708
File threats detected     : 39

Trojan.Downloader-Gen/Svchost-Fake
   C:\WINDOWS\FONTS\SVCHOST.EXE
   C:\WINDOWS\FONTS\SVCHOST.EXE
   [Host Process] C:\WINDOWS\FONTS\SVCHOST.EXE

Adware.Tracking Cookie
   C:\Documents and Settings\Kyote\Cookies\kyote@mediaplex[1].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@atdmt[2].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@questionmarket[1].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@ads.addynamix[1].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@advertising[1].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@specificclick[2].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@zedo[2].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@bluestreak[1].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@ad.yieldmanager[2].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@trafficmp[2].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@apmebf[1].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@fastclick[2].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@realmedia[1].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@2o7[1].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@collective-media[2].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@ads.pointroll[2].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@adopt.euroclick[2].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@doubleclick[2].txt
   C:\Documents and Settings\Kyote\Cookies\kyote@adopt.specificclick[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@toplist[1].txt

Adware.Web Buying
   HKU\S-1-5-21-3717343459-168131164-1001816311-1002\Software\WebBuying

Trojan.Downloader-SVCHost/Fake
   C:\WINDOWS\FONTS\CRACK.EXE

Trojan.Downloader-Gen/TaLDrv
   C:\WINDOWS\SYSTEM32\BBC5\GSTDRVR8.EXE
   C:\WINDOWS\SYSWOW64\BBC5\GSTDRVR8.EXE

Adware.Vundo-Variant/Small
   C:\WINDOWS\SYSTEM32\BYXVSRO.DLL
   C:\WINDOWS\SYSTEM32\EFCAYVT.DLL
   C:\WINDOWS\SYSTEM32\JKKIIJK.DLL
   C:\WINDOWS\SYSTEM32\LJJKHED.DLL
   C:\WINDOWS\SYSWOW64\BYXVSRO.DLL
   C:\WINDOWS\SYSWOW64\CBXUSPO.DLL
   C:\WINDOWS\SYSWOW64\EFCAYVT.DLL
   C:\WINDOWS\SYSWOW64\JKKIIJK.DLL
   C:\WINDOWS\SYSWOW64\LJJKHED.DLL

Adware.Vundo Variant
   C:\WINDOWS\SYSTEM32\CBXUSPO.DLL
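
The paths in this log and in the earlier file list show the pattern DavidR described: a system-binary name (SVCHOST.EXE) sitting in C:\WINDOWS\FONTS instead of System32, a winlogon.exe in the drive root, and single-letter droppers next to it. The Python script below is an added example and is not code from this thread, from avast or from SUPERAntiSpyware. It runs two checks over a constructed snapshot that mirrors those paths: system-binary names found outside their canonical directory (plus executables sitting directly in the drive root, where no installer puts them), and Run/RunOnce autostart entries that launch one of those files, which is the usual reason a deleted dropper is back after a reboot. The snapshot, the Run-key entries, the "Example AV" path and the C:\WINDOWS system root are all assumptions made for the example; on a real host the file list would come from os.walk() and the autostarts from the registry.

```python
"""Added example, not code from the thread above, from avast or from SUPERAntiSpyware.

Triage helper for the "it comes back after every reboot" pattern: the file
the scanner removes is re-created by something still running or still
registered to start. Two checks over a CONSTRUCTED snapshot:
  1. well-known system-binary names outside their canonical directory
     (masquerading) and executables sitting directly in the drive root;
  2. autostart entries whose command launches one of those suspect files.
ntpath is used so the example also runs on non-Windows machines.
"""
import ntpath

# Assumption for this example: %SystemRoot% is C:\WINDOWS (the XP default).
SYSTEM_ROOT = r"c:\windows"

# Where each well-known system binary legitimately lives. On 64-bit Windows
# a 32-bit svchost.exe also lives in SysWOW64; the others exist only in
# System32 and explorer.exe lives in the system root itself.
CANONICAL_DIRS = {
    "svchost.exe":  {SYSTEM_ROOT + r"\system32", SYSTEM_ROOT + r"\syswow64"},
    "winlogon.exe": {SYSTEM_ROOT + r"\system32"},
    "csrss.exe":    {SYSTEM_ROOT + r"\system32"},
    "lsass.exe":    {SYSTEM_ROOT + r"\system32"},
    "services.exe": {SYSTEM_ROOT + r"\system32"},
    "explorer.exe": {SYSTEM_ROOT},
}
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs"}


def normalize(path):
    """Lower-cased, normalized Windows path so comparisons are case-insensitive."""
    return ntpath.normpath(path).lower()


def is_drive_root(path):
    """True for C:\\a.exe, False for C:\\WINDOWS\\a.exe."""
    drive = ntpath.splitdrive(path)[0]
    return ntpath.dirname(path) == drive + "\\"


def flag_files(paths):
    """Return (masquerading, root_executables); original spelling is kept."""
    masquerading, root_execs = [], []
    for original in paths:
        p = normalize(original)
        name, ext = ntpath.basename(p), ntpath.splitext(p)[1]
        if name in CANONICAL_DIRS and ntpath.dirname(p) not in CANONICAL_DIRS[name]:
            masquerading.append(original)
        if ext in EXEC_EXTENSIONS and is_drive_root(p):
            root_execs.append(original)
    return masquerading, root_execs


def command_target(command):
    """Executable path from a Run-key command line ("quoted path" args, or path args).

    An unquoted path containing spaces is cut at the first space; that
    ambiguity is itself a classic trick, so treat such hits as 'inspect by
    hand' rather than clean.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def flag_autostarts(entries, suspect_paths):
    """Autostart entries launching a suspect file, a script, or a root-drive file."""
    suspects = {normalize(p) for p in suspect_paths}
    flagged = []
    for key, value_name, command in entries:
        target = normalize(command_target(command))
        if (target in suspects
                or ntpath.splitext(target)[1] in SCRIPT_EXTENSIONS
                or is_drive_root(target)):
            flagged.append((key, value_name, target))
    return flagged


def triage(paths, entries):
    masq, root_execs = flag_files(paths)
    return {
        "masquerading": masq,
        "root_executables": root_execs,
        "suspicious_autostarts": flag_autostarts(entries, masq + root_execs),
    }


# CONSTRUCTED snapshot mirroring the paths reported in this thread, plus a
# few legitimate files so the checks have something to leave alone.
SNAPSHOT_FILES = [
    r"C:\a.exe", r"C:\b.exe", r"C:\n.bat", r"C:\x.dat", r"C:\z.dat",
    r"C:\winlogon.exe",
    r"C:\WINDOWS\FONTS\SVCHOST.EXE",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\SysWOW64\svchost.exe",
    r"C:\Program Files\Example AV\tray.exe",
]
# (registry key, value name, command): the key names are the real Run/RunOnce
# locations, the entries themselves are invented for this example.
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
SNAPSHOT_AUTOSTARTS = [
    ("HKLM\\" + RUN, "ExampleAV", r'"C:\Program Files\Example AV\tray.exe" /tray'),
    ("HKLM\\" + RUN, "Windows Logon", r"C:\winlogon.exe"),
    ("HKCU\\" + RUN, "svchost", r"C:\WINDOWS\FONTS\SVCHOST.EXE -k netsvcs"),
    ("HKCU\\" + RUN + "Once", "n", r"C:\n.bat"),
]

if __name__ == "__main__":
    for section, hits in triage(SNAPSHOT_FILES, SNAPSHOT_AUTOSTARTS).items():
        print(section)
        for hit in hits:
            print("   ", hit)
```

The masquerading check keys on the directory, not just the file name, because the 64-bit layout legitimately carries a second svchost.exe in SysWOW64; only the FONTS copy and the root-drive winlogon.exe are reported. The three flagged autostart entries are what would explain a.exe returning on every boot; the legitimate tray application is left alone.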

Offline DavidR

  • Avast Überevangelist
  • Posts: 89711
  • No support PMs thanks
Re: win32:small-IKZ [Trj]
« Reply #4 on: December 21, 2007, 03:03:47 PM »
Clear all cookies; though they aren't particularly high risk (not security, more privacy), it is good to periodically clear out your cookies folder(s).

If you haven't already done so, quarantine the files detected as malware. Before you do that, if you can, zip and password-protect the following files: SVCHOST.EXE, BYXVSRO.DLL, EFCAYVT.DLL, JKKIIJK.DLL, LJJKHED.DLL, CBXUSPO.DLL, GSTDRVR8.EXE, and send them to avast, see below.

This one, C:\WINDOWS\FONTS\CRACK.EXE, if it was downloaded as a crack, shows just how dangerous this can be, as it is most likely responsible for the other unwanted gifts; send this to avast in the zip file also.

Send the sample to virus@avast.com zipped and password-protected, with the password in the email body, a reference to this topic (give the URL) and "undetected malware" in the subject.

Since Vundo was detected it would probably be best to run a specialist vundo tool.
Vundo Fix Tool - Aliases - WinFixer / Virtumonde / Msevents / Trojan.vundo.
Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html

Again, I'm not sure if this will work with XP64. Strange that we may have problems finding tools for WinXP64 but the malware doesn't seem to have a problem with it; I thought 64-bit OSes were more secure.
« Last Edit: December 21, 2007, 03:06:57 PM by DavidR »

Kyote

  • Guest
Re: win32:small-IKZ [Trj]
« Reply #5 on: December 21, 2007, 05:52:25 PM »
Sorry, mate. I posted that log file but then I let the program do its job and remove the threats. I ran it twice and on the second pass it only found 4 infected files. When it asked me to restart I did so and, right after logging in, no avast warning. But I decided to play it safe and I rebooted into safe mode and ran the program again. In safe mode everything was clear, no infections whatsoever.

I then restarted and in normal Windows I downloaded and installed Spybot S&D, which I cannot believe I didn't do once I got this computer. It found over 300 additional items including a few trojans. It also found Virtumonde and seems to have removed it. But I will follow your manual steps and see if all traces are gone.

Again, I apologize. I did all of that before checking for a response to my latest post, so I don't have a backup that I know of to send to avast, or I would. I cannot recall, but I'll check in that SUPERAntiSpyware program to see if it backs up the files it removes and, if so, how I can get access to them.

So far though, no virus warnings.

PS
I almost forgot: I sent a copy of the original crack.exe file via avast's file/email send option from the chest several days ago when the virus first showed up.
« Last Edit: December 21, 2007, 05:54:25 PM by Kyote »

Kyote

  • Guest
Re: win32:small-IKZ [Trj]
« Reply #6 on: December 21, 2007, 06:00:42 PM »
Okay, it seems it does quarantine the found items. But I don't want to simply restore them, as it will put them back in all their various locations. Is there a way to tell SUPERAntiSpyware to restore to a specific location?

Offline Lisandro

  • Avast team
  • Posts: 67183
Re: win32:small-IKZ [Trj]
« Reply #7 on: December 21, 2007, 06:22:21 PM »
No, there isn't such an option  :'(
The best things in life are free.

Aitch

  • Guest
Re: win32:small-IKZ [Trj]
« Reply #8 on: December 21, 2007, 06:27:58 PM »
Looks very similar to my issue... Win32:Small-IKZ [Trj].

Is there any possibility that avast! will be able to get rid of it, or am I going to have to trust myself to be able to follow what seem like pretty complex routes to a possible solution?

In the immortal words of the unworthy... "HELP!!"


Offline Lisandro

  • Avast team
  • Posts: 67183
Re: win32:small-IKZ [Trj]
« Reply #9 on: December 21, 2007, 06:30:27 PM »
Quote from Aitch: ...am I going to have to trust myself to be able to follow what seem like pretty complex routes to a possible solution?
If a virus is recurring (coming back again and again), you could follow the general cleaning procedure:

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After the boot you can enable System Restore again, after step 3.

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot-time scan with avast: start avast! > right-click the skin > Schedule a boot-time scanning. Select scanning of archives. Reboot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).

4. It would be good to download, install, update and run AVG Anti-Spyware. Some users recommend SUPERAntiSpyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

5. If you still detect any strange behavior, or even if you're sure you're not clean, it may be good to test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster (for XP/Vista). For XP: Panda.

6. Also, if you still detect strange behaviors or you want to be sure you're clean, it may be good to make a HijackThis log to post here and, especially, to scan and submit the RunScanner log for on-line analysis; that would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features for spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector, to update insecure applications and avoid reinfection.

I suppose it's well explained, but feel free to ask for further help if you need it.

Aitch

  • Guest
Re: win32:small-IKZ [Trj]
« Reply #10 on: December 28, 2007, 02:22:55 PM »
Thanks for all that... errr... can avast! and AVG Anti-Spyware run simultaneously on XP?

Offline Lisandro

  • Avast team
  • Posts: 67183
Re: win32:small-IKZ [Trj]
« Reply #11 on: December 28, 2007, 02:28:44 PM »
Quote from Aitch: can avast! and AVG Anti-Spyware run simultaneously on XP?
Sure, no trouble at all.