Author Topic: Please Help with This Virus  (Read 8160 times)


ryoumi241

  • Guest
Please Help with This Virus
« on: August 25, 2008, 11:07:09 AM »
 :( I have this kind of virus but I don't actually know what the name of the virus is. The only thing I know is that when I insert my flash drive, my PC infects my flash drive until I insert it into the other PC. The virus always comes back even if I move it to the virus vault. And this is my real problem: every time I try to show hidden files on my drive, the files won't show, and when I click Folder Options again I see that the folder option is set to "Do not show hidden files and folders". That's all I want to fix.. Please help..

 :'( Please..

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33756
  • malware fighter
Re: Please Help with This Virus
« Reply #1 on: August 25, 2008, 11:33:42 AM »
Hi ryoumi241,

First run this tool from here: http://www.softpedia.com/progDownload/W32-Autorun-Worm-Removal-Download-93479.html

Then download hijackthis latest version from here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/
Take care it is not installed into a temp folder.
Post a hijackthis log.txt file attached to your next posting,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

ryoumi241

  • Guest
Re: Please Help with This Virus
« Reply #2 on: August 25, 2008, 12:33:57 PM »
Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:22 PM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips Intelligent Agent\Philips Intelligent Agent.exe
C:\Program Files\Ringz Studio\Storm Codec\mplayerc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Philips Intelligent Agent] "C:\Program Files\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [ypagerps] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps.dll"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
O20 - AppInit_DLLs: c:\windows\system32\ddabxxw.dll
O20 - Winlogon Notify: yayxwxu - yayxwxu.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6024 bytes

and I didn't press "Fix checked".. what will I do?? please help..  :'( :'( :-\ :'( :'(

micky77

  • Guest
Re: Please Help with This Virus
« Reply #3 on: August 25, 2008, 02:55:21 PM »
I don't think one entry looks very healthy, wait for an experienced member to look, someone will comment soon.
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67199
Re: Please Help with This Virus
« Reply #4 on: August 25, 2008, 03:10:54 PM »
  • Download Flash Drive Disinfector and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
  • Note: Flash Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88184
  • No support PMs thanks
Re: Please Help with This Virus
« Reply #5 on: August 25, 2008, 04:32:40 PM »
These look not too healthy either - Suspect:
O20 - AppInit_DLLs: c:\windows\system32\ddabxxw.dll
O20 - Winlogon Notify: yayxwxu - yayxwxu.dll (file missing)

Your JAVA version is way out of date.
Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
JRE version 6 update 7 is the latest Regular JAVA release. However, there is Version 6 Update 10 RC version, but that is one step above Beta and not a regular release (personally I wouldn't use this version).


HJT ACTIONS
Suspect: Upload the file/s to VirusTotal, Send a sample to avast if multiple detections at VT and Fix in HJT (see below)
####
Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.
####
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.9.6082 (build 23.9.8494.792) UI 1.0.781/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
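As an added illustration (not code from this thread, from HijackThis or from avast), here is a small Python triage of lines in the HijackThis log format above. It applies the same rules the replies use: a non-empty AppInit_DLLs entry, a Winlogon Notify package (orphaned when marked "file missing"), and a Run entry that starts an unfamiliar executable from system32. The sample lines are constructed after the entries quoted in this thread, and the allowlist of known system32 autostarts is an assumption.

```python
import re

# Constructed sample lines in HijackThis log format, modelled on the entries
# discussed in this thread (not the full log the poster attached).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [kamsoft] C:\\WINDOWS\\system32\\ckvo.exe
O20 - AppInit_DLLs: c:\\windows\\system32\\ddabxxw.dll
O20 - Winlogon Notify: yayxwxu - yayxwxu.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Assumed allowlist: autostarts that legitimately live in system32 on Windows XP.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe"}


def _image_name(cmd):
    """Lower-cased basename of the first (possibly quoted) token of a command line."""
    cmd = cmd.strip()
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (section, name, reason) tuples for entries worth a VirusTotal check."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            if dll:  # a clean system normally leaves AppInit_DLLs empty
                findings.append((sec, dll, "DLL loaded into every process that uses user32"))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            reason = "Winlogon Notify package"
            if "(file missing)" in body:
                reason += " (orphaned: file missing, entry can be fixed)"
            findings.append((sec, name, reason))
        elif sec == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            image = _image_name(o4.group("cmd"))
            in_system32 = "\\system32\\" in o4.group("cmd").lower()
            if in_system32 and image not in KNOWN_SYSTEM32_AUTOSTART:
                findings.append((sec, o4.group("name"),
                                 f"{image} autostarts from system32 and is not a known component"))
    return findings


if __name__ == "__main__":
    for sec, name, reason in triage(SAMPLE_LOG):
        print(f"{sec:4} {name:40} {reason}")
```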

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33756
  • malware fighter
Re: Please Help with This Virus
« Reply #6 on: August 25, 2008, 04:51:25 PM »
Hi ryoumi241,

You could fix the following using hijackthis:
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O20 - Winlogon Notify: yayxwxu - yayxwxu.dll (file missing) because it is not functional anymore
Here I would first upload to virustotal and check the results - could be a WinLogon SAS file:
O20 - AppInit_DLLs: c:\windows\system32\ddabxxw.dll

The filename is associated with the malware group KAVKOP:Trojan-A.
These files have no vendor, product or version information specified in the file header.
CKVO.EXE has been seen to perform the following behavior(s):

    * The Process is packed and/or encrypted using a software packing process
    * Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
    * Adds Products to the system registry
    * Modifies Windows Security Policies to restrict/expand User Privileges on the machine
    * Writes to another Process's Virtual Memory (Process Hijacking)
    * This Process Deletes Other Processes From Disk
    * This Process Creates Other Processes On Disk
    * Adds a Registry Key (RUN) to auto start Programs on system start up
    * Can communicate with other computer systems using HTTP protocols
    * Executes a Process
    * Injects code into other processes
    * Registers a Dynamic Link Library File
    * Creates a new Background Service on the machine
    * Disables safe mode on your PC
    * Uses DNS to retrieve the IP address for web sites
    * Visits web sites on your PC without you knowing
    * Copies files
    * The Process is polymorphic and can change its structure
    * Loads and Executes a System Driver File

CKVO.EXE has been the subject of the following behavior(s):

    * Created as a process on disk
    * Executed as a Process
    * Has code inserted into its Virtual Memory space by other programs
    * Added as a Registry auto start to load Program on Boot up
    * Deleted as a process from disk
    * Copied to multiple locations on the system
    * This program is often downloaded from the web
    * Downloaded from covert web sites without the user knowing
    * Registered as a Dynamic Link Library File

CKVO.EXE can also use the following file names:


Info from Virus, Spyware & Malware Center
For the other problem you encountered, try this solution:

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:
http://cid-6aaab341ce47c5c2.skydrive.live.com/self.aspx/Public/FixPolicies.exe
    * Double-click FixPolicies.exe.
    * Click the "Install" button on the bottom toolbar of the box that will open.
    * The program will create a new Folder called FixPolicies.
    * Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
    * A black box will briefly appear and then close.
    * This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

After running FixPolicies, log off and restart the system, and try logging in to normal mode. Let me know if you can,

polonus
« Last Edit: August 25, 2008, 04:53:14 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
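The "Do not show hidden files" setting that keeps reverting is usually the result of an autorun worm rewriting a handful of Explorer registry values. As an added example (not the thread's own code and not what FixPolicies does internally), this Python script audits those values: the `CheckedValue` entries under `Folder\Hidden\SHOWALL` / `NOHIDDEN` that the Folder Options checkbox relies on, the per-user `Hidden` and `ShowSuperHidden` settings, and the `NoFolderOptions` policy. The tampered state is constructed for illustration; on Windows the script reads the live registry instead.

```python
import sys

# Explorer registry locations that autorun worms commonly tamper with so that
# "Show hidden files and folders" does not stick (Windows XP era key paths).
ADV = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = ADV + r"\Folder\Hidden\SHOWALL"
NOHIDDEN = ADV + r"\Folder\Hidden\NOHIDDEN"
POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# (hive, key, value name) -> (expected data, expected type, must exist)
EXPECTED = {
    ("HKLM", SHOWALL, "CheckedValue"): (1, "REG_DWORD", True),
    ("HKLM", NOHIDDEN, "CheckedValue"): (2, "REG_DWORD", True),
    ("HKCU", ADV, "Hidden"): (1, "REG_DWORD", True),
    ("HKCU", ADV, "ShowSuperHidden"): (1, "REG_DWORD", True),
    ("HKCU", POLICY, "NoFolderOptions"): (0, "REG_DWORD", False),
}

# Constructed sample of a tampered machine (not read from the poster's PC).
TAMPERED_SAMPLE = {
    ("HKLM", SHOWALL, "CheckedValue"): ("1", "REG_SZ"),    # retyped: checkbox ignored
    ("HKLM", NOHIDDEN, "CheckedValue"): (2, "REG_DWORD"),
    ("HKCU", ADV, "Hidden"): (2, "REG_DWORD"),             # forced back to "do not show"
    ("HKCU", ADV, "ShowSuperHidden"): (0, "REG_DWORD"),
    ("HKCU", POLICY, "NoFolderOptions"): (1, "REG_DWORD"), # Folder Options menu hidden
}


def audit(observed):
    """Compare an observed {(hive, key, name): (data, type)} map with EXPECTED."""
    findings = []
    for loc, (want, want_type, required) in EXPECTED.items():
        path = "\\".join(loc)
        if loc not in observed:
            if required:
                findings.append(f"{path}: missing, expected {want_type} {want}")
            continue
        data, typ = observed[loc]
        if typ != want_type:
            findings.append(f"{path}: type {typ}, expected {want_type}")
        elif data != want:
            findings.append(f"{path}: data {data!r}, expected {want!r}")
    return findings


def read_observed():
    """Read the same values from the live registry (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    names = {winreg.REG_DWORD: "REG_DWORD", winreg.REG_SZ: "REG_SZ"}
    observed = {}
    for hive, key, name in EXPECTED:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                data, typ = winreg.QueryValueEx(k, name)
        except OSError:
            continue  # key or value absent: audit() decides whether that matters
        observed[(hive, key, name)] = (data, names.get(typ, f"type {typ}"))
    return observed


if __name__ == "__main__":
    state = read_observed() if sys.platform == "win32" else TAMPERED_SAMPLE
    for line in audit(state) or ["hidden-file settings look intact"]:
        print(line)
```

Run it before and after a cleanup tool; findings that return after a reboot mean an active component is still rewriting the values.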

ryoumi241

  • Guest
Re: Please Help with This Virus
« Reply #7 on: August 26, 2008, 06:01:19 AM »
hey I fixed these 2 by using HijackThis

O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O20 - Winlogon Notify: yayxwxu - yayxwxu.dll
O20 - AppInit_DLLs: c:\windows\system32\ddabxxw.dll

but I still haven't restarted my PC because my mom is still waiting for my dad.. I'll try it when I get home again.. I'm still studyin' for our test tomorrow..

wyrmrider

  • Guest
Re: Please Help with This Virus
« Reply #8 on: August 26, 2008, 07:04:34 PM »
good on ya mate
You do what Polonus says exactly and dad will give you two thumbs up :)
good results on the test
taint luck as you are doing your homework
cheers

ryoumi241

  • Guest
Re: Please Help with This Virus
« Reply #9 on: August 27, 2008, 02:57:33 PM »
Quote
Hi ryoumi241,

You could fix the following using hijackthis:
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O20 - Winlogon Notify: yayxwxu - yayxwxu.dll (file missing) because it is not functional anymore
Here I would first upload to virustotal and check the results - could be a WinLogon SAS file:
O20 - AppInit_DLLs: c:\windows\system32\ddabxxw.dll

The filename is associated with the malware group KAVKOP:Trojan-A.
These files have no vendor, product or version information specified in the file header.
CKVO.EXE has been seen to perform the following behavior(s):

    * The Process is packed and/or encrypted using a software packing process
    * Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
    * Adds Products to the system registry
    * Modifies Windows Security Policies to restrict/expand User Privileges on the machine
    * Writes to another Process's Virtual Memory (Process Hijacking)
    * This Process Deletes Other Processes From Disk
    * This Process Creates Other Processes On Disk
    * Adds a Registry Key (RUN) to auto start Programs on system start up
    * Can communicate with other computer systems using HTTP protocols
    * Executes a Process
    * Injects code into other processes
    * Registers a Dynamic Link Library File
    * Creates a new Background Service on the machine
    * Disables safe mode on your PC
    * Uses DNS to retrieve the IP address for web sites
    * Visits web sites on your PC without you knowing
    * Copies files
    * The Process is polymorphic and can change its structure
    * Loads and Executes a System Driver File

CKVO.EXE has been the subject of the following behavior(s):

    * Created as a process on disk
    * Executed as a Process
    * Has code inserted into its Virtual Memory space by other programs
    * Added as a Registry auto start to load Program on Boot up
    * Deleted as a process from disk
    * Copied to multiple locations on the system
    * This program is often downloaded from the web
    * Downloaded from covert web sites without the user knowing
    * Registered as a Dynamic Link Library File

CKVO.EXE can also use the following file names:


Info from Virus, Spyware & Malware Center
For the other problem you encountered, try this solution:

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:
http://cid-6aaab341ce47c5c2.skydrive.live.com/self.aspx/Public/FixPolicies.exe
    * Double-click FixPolicies.exe.
    * Click the "Install" button on the bottom toolbar of the box that will open.
    * The program will create a new Folder called FixPolicies.
    * Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
    * A black box will briefly appear and then close.
    * This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

After running FixPolicies, log off and restart the system, and try logging in to normal mode. Let me know if you can,

polonus

just finished our test.. still have this always hiding thing.. but my Yahoo Messenger got back.. I can open it now. this is irritating.. I'm really going to buy Deep Freeze. please help...

ryoumi241

  • Guest
Re: Please Help with This Virus
« Reply #10 on: August 28, 2008, 11:08:49 AM »
By the way, there's always something that appears every time I open up my PC. Here it is..

Quote
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

What should I do with this..?

wyrmrider

  • Guest
Re: Please Help with This Virus
« Reply #11 on: August 28, 2008, 08:41:01 PM »
Well in 2002 Tony Klein posted

It might be helpful if we could get a look at your startups:

Go to Start/run, and type Msinfo32, followed by OK.
Go to Software Environment/Startup Programs.
Click Edit/'Select all', and then 'copy'
Now paste the contents in your post.

but you might not remember this :)

a Windows shell tutorial FYI

is it this?
http://www.pcreview.co.uk/forums/thread-285855.php
http://www.horstmann.com/bigj/help/windows/tutorial.html

answer here
http://support.microsoft.com/default.aspx?scid=kb;en-us;330132

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33756
  • malware fighter
Re: Please Help with This Virus
« Reply #12 on: August 28, 2008, 09:27:56 PM »
Hi ryoumi241,

About shell32:
shell32.dll should not be disabled; it is required for essential applications to work properly.

Determining whether shell32.dll is a virus or a legitimate Windows DLL depends on the directory location it executes or runs from. You could upload shell32 to www.virustotal.com to see whether the scanners there flag it as malware. Report what VirusTotal found, or whether it was clean,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!