Author Topic: win32:Oliga [Trj] Hides folders?  (Read 6983 times)


nielsr

  • Guest
win32:Oliga [Trj] Hides folders?
« on: April 28, 2009, 03:34:06 PM »
Dear all,

My Cruzer USB flash disc seems to be infected with this virus: win32:Oliga [trj]


I tried to google the filename, but I only found 1 Ukrainian site... not much info though.

This trojan acts quite strange. It seems to hide some files/folders. My flash disc (still) has a capacity of 2 GB, of which 1,64 is used (by some docs, this is correct). However, if I select all visible files on my flash disc, this is only 300 MB (hidden files switched on). Apparently there are some MBs missing, which makes sense because I also lost one folder with important documents.

Now, is there a solution to delete this Trojan AND/OR to restore the files, because according to "My Computer", they are still there, but not visible on the disc itself.

Background info: I got the virus when I was in an internet cafe in Tanzania last year...
On my computer I use Windows XP SP3.


Thanks in advance,

Niels
« Last Edit: April 28, 2009, 03:40:30 PM by nielsr »

CharleyO

  • Guest
Re: win32:Oliga [Trj] Hides folders?
« Reply #1 on: April 28, 2009, 09:32:29 PM »
***

Welcome to the forums, nielsr.   :)

Please try the advice given by Polonus at the forum link below.

http://forum.avast.com/index.php?topic=40407.0


***

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: win32:Oliga [Trj] Hides folders?
« Reply #2 on: April 28, 2009, 10:32:39 PM »
Hi you folks,

@Charleyo thanks for linking the victim to a posting with a cleansing proposal for this malware.

@nielsr
Please follow the link CharleyO gave you and additionally use this tool to cleanse your pendrive or USB stick:
Please download Flash_Disinfector.exe by sUBs and save it to your desktop from here: http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

    * Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    * The utility may ask you to insert your flash drive and/or other removable drives.
      Please do so and allow the utility to clean up those drives as well.
      Hold down the Shift key when inserting the drive until Windows detects it
      to keep autorun.inf from executing if it is present.
    * Wait until it has finished scanning and then exit the program.
    * Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf
in each partition and every USB drive that is plugged in when you run it.
Don't delete this folder... it will help protect your drives from future infection.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

nielsr

  • Guest
Re: win32:Oliga [Trj] Hides folders?
« Reply #3 on: April 28, 2009, 11:33:52 PM »
Thanks for your replies!

I followed the first steps in CharleyO's post, doing the MBAM scan (2 malware items, cleaned, and after reboot nothing was found anymore). I also made a HijackThis logfile (see attached). I was not sure if the other part of that topic would also help me, so I didn't do that (system restore).

I also used Flash Disinfector several times as you described. After it said "done", I rebooted my computer but still nothing was changed on my flash disc. And Avast still detects that Trojan and my "hidden" folders are still invisible.

Is there any possibility I can retrieve my files?

Thanks again!
« Last Edit: April 28, 2009, 11:40:58 PM by nielsr »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: win32:Oliga [Trj] Hides folders?
« Reply #4 on: April 29, 2009, 12:20:48 AM »
Hello nielsr,

I have looked at your HJT logfile and no active software firewall was found. Are you running the Windows firewall?
You can check the following entries and fix them if necessary.
The entry O2 BHO (no name) etc.
Upload the Carbon Poker entry to virustotal.com to see whether it is legitimate.
Are the following entries known to you? hunt.rug.nl, 129.125.36.9 and 129.125.14.3; otherwise check and fix them.
Also check the B.service.exe at virustotal.com.
Otherwise I don't see anything special; the hidden files could also indicate a Sinowal infection, see whether you recognise anything here:
http://forums.techguy.org/malware-removal-hijackthis-logs/776184-sinwal-trojan.html
Those would then be random dll names located in system(32); also do a scan with IceSword, which you can download here: http://majorgeeks.com/downloadget.php?id=5199&file=15&evp=0d36c3ec48c6373fd5daac78f0c6a417

Here is an overview of your active system tasks:

Overview of active tasks (process | category | description):
smss.exe | System task | Session Manager Subsystem
winlogon.exe | System task | Microsoft Windows Logon Process
services.exe | System task | Windows Service Controller
lsass.exe | System task | Local Security Authority Service
svchost.exe | System task | Microsoft Service Host Process
svchost.exe | System task | Microsoft Service Host Process
svchost.exe | System task | Microsoft Service Host Process
aswUpdSv.exe | Virus scanner | Avast Anti-Virus Component
ashServ.exe | Virus scanner | Avast
spoolsv.exe | System task | Microsoft Printer Spooler Service
ATKKBService.exe | Driver | ASUS Keyboard Service
CTsvcCDA.exe | Background task | Creative CD-ROM Services
jqs.exe | Background task | jqs.exe
NBService.exe | Background task | Nero BackItUp
NBService.exe | Background task | Nero BackItUp
nvsvc32.exe | Application | NVIDIA Driver Helper Service
PnkBstrA.exe | Punkbuster; check this task at virustotal.com, in my opinion it is OK | pnkbstra.exe
SnoopFreeSvc.exe | Unknown task | "There is no file information. The program is not visible. The file is an unknown file in the Windows folder. SnoopFreeSvc.exe is not a Windows system file. Therefore the technical security rating is 70% dangerous, however also read the users reviews." So check at virustotal.com
svchost.exe | System task | Microsoft Service Host Process (also scan this one; something could be piggybacking here)
SearchIndexer.exe | System task | Search Indexer
RUNDLL32.EXE | System task | Microsoft Rundll32
GamerOSD.exe | "C:\PROGRAM FILES\ASUS\GAMEROSD\GAMEROSD.EXE is not malware. Safe! ASUS GamerOSD ASUSTeK Computer Inc. ASUS GamerOSD 1, 0, 0, 1" | GamerOSD.exe
RTHDCPL.EXE | Driver | Realtek HD Audio Sound Effect Manager
HPWuSchd2.exe | Background task | Hewlett Packard Software Update Scheduler
SnoopFreeUI.exe (http://www.file.net/process/snoopfreeui.exe.html) | Unknown task | Upload this executable to virustotal.com
ashDisp.exe | Virus scanner | Avast AntiVirus
gnotify.exe | Background task | GMail Notifier
rundll32.exe | System task | Microsoft Rundll32
Mouse32a.exe | Background task | Mouse driver program, came with the installation of the mouse
jusched.exe | Background task | Sun Java Update Scheduler
ctfmon.exe | System task | Alternative User Input Services
MsnMsgr.Exe | Application | MSN Messenger
MsnMsgr.Exe | Background task | MsnMsgr.Exe
TeaTimer.exe | Application | Spybot S&D Realtime Scanner
ashMaiSv.exe | Virus scanner | Avast Anti-Virus Component
msmsgs.exe | Application | MSN Messenger
GoogleUpdate.exe | Background task | GoogleUpdate.exe
GoogleUpdate.exe | Background task | Google Updater
ashWebSv.exe | Virus scanner | avast! Web Scanner
hpqtra08.exe | Background task | Hewlett Packard Imaging
LaunchU3.exe | Background task | U3 Smart drive Software
Launchy.exe | Background task | TODO
hpqSTE08.exe | Driver | HP Imaging
wlcomm.exe | Background task | wlcomm.exe
chrome.exe (8 instances) | Application | Chrome Browser
googletalkplugin.exe | Background task | Google Talk
chrome.exe | Application | Chrome Browser
LaunchPad.exe | Background task | "File LaunchPad.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 49,152 bytes (60% of all occurrence), 36,864 bytes, 2,392,064 bytes, 2,158,671 bytes, 4,603,904 bytes, 2,162,688 bytes, 2,314,240 bytes, 1,960,464 bytes. The program has a visible window. Program has no file description. File LaunchPad.exe is not a Windows core file. Therefore the technical security rating is 38% dangerous." Launches from the USB pendrive, so check and scan at virustotal
explorer.exe | System task | Microsoft Windows Explorer
HijackThis.exe | Application | HijackThis 2.02

So, you now have some homework; I look forward to your virustotal results. If any come back with 0 results, that is not interesting; otherwise pass on the malware names, should anything be found.

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

nielsr

  • Guest
Re: win32:Oliga [Trj] Hides folders?
« Reply #5 on: April 29, 2009, 02:07:28 PM »
Hey Polonus,

Thanks for your reply!

Most entries you mentioned are not dangerous.
I scanned some of the files you asked about with VirusTotal, but none of them gave a result (0/40 e.g.), so not interesting I guess.
Windows Firewall is up and running, I saw.

Also the IceSword didn't give any clues.

However, I performed some other scans which I found in other topics:

SDfix (attached)

Online Kaspersky report, which found 2 infected items (attached). The strangest thing is that while I was selecting the folders to scan (i.e. I:\, my flash disc), I actually saw my hidden folders with documents on the flash disc in the browse tree. Isn't that strange? However, I cannot explore these folders in My Computer...

Kaspersky results:
Quote:
I:\0gjn3yw.exe   Infected: Trojan.Win32.Vaklik.bop
I:\lky.exe   Infected: Trojan-Downloader.Win32.Zlob.aceg
After this I got the option to search Kaspersky Database but it didn't recognize these trojans (here and here)

Any more ideas? Thanks again!
« Last Edit: April 29, 2009, 02:13:17 PM by nielsr »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: win32:Oliga [Trj] Hides folders?
« Reply #6 on: April 29, 2009, 09:41:54 PM »
Hi nielsr,

Regarding the executables found, read this:
http://www.prevx.com/filenames/X1463245723997338634-X1/CKVO.EXE.html

Trojan created as: %System%\ckvo.exe
c:\0gjn3yw.exe
For lky.exe:
LKY.EXE description: The filename LKY.EXE was last seen on 12.4.2008, and it is considered unsafe.
Threat name: Win32.X
Filename: %%root%%\lky.exe
Filesize: Unknown
Last seen: 12.4.2008
Status: Known to av as unsafe.
This file can perform the following behavior:
- File is created as a process on the disk.
- This process can create, delete or modify files on the disk.

LKY.EXE removal instructions

1. Temporarily disable System Restore, reboot the computer in Safe Mode;

2. Locate the LKY.EXE virus files and uninstall the LKY.EXE files program.
Follow the step-by-step screen instructions to complete the uninstallation of LKY.EXE.

3. Delete/modify any values added to the registry related to LKY.EXE,
exit the registry editor and restart the computer;

4. Clean/delete all LKY.EXE-infected file(s): LKY.EXE and related,
or rename the LKY.EXE virus files;

5. Please delete all your IE temp files with LKY.EXE manually, run a whole scan with avast av.
Another procedure below:

Follow the following procedure:
PROCEDURE:
1. While the computer is still off;
2. Plug in the USB drive
3. Insert the Windows XP CD-ROM into the CD-ROM drive. It must be the bootable Windows XP installer
4. Start the computer from the CD-ROM drive. It will start the Windows Setup screen
5. When the "Welcome to Setup" prompt appears, press "R" to start the Recovery Console
6. If asked "Which Windows installation would you like to log on to", select the number. Type "1" then Enter, if only one installation of Windows is present
7. Enter the administrator password, press Enter
8. It will bring you to the command prompt, C:\Windows>
9. Proceed with the following commands:
- Type d: (This is the drive letter of the USB drive. It can be e: or f: depending on how many hard disks or CD drives are installed)
- Type attrib -h -r -s autorun.inf
- Type "edit autorun.inf"; it will open the DOS Editor and display contents as follows
==========================
[autorun]
open=lky.exe
shell\Open\Command=lky.exe
shell\open\Default=1
shell\Explore\Command=lky.exe
shell\Autoplay\command=lky.exe
==========================
Take note of the file that it calls to open (in your specific example it is lky.exe)

10. Exit the DOS Editor and return to the command prompt, D:\>
11. Delete the file that was called to open in the DOS Editor
- Type del /f /a lky.exe

12. Delete the autorun.inf file
- Type del /f /a autorun.inf

13. Exit the Recovery Console by typing exit.

You might need this tool for removal: http://ccollomb.free.fr/unlocker/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
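As an added example (not code from this thread or from any tool named in it), a small Python parser for the autorun.inf format shown in the procedure above: it lists every program such a file would launch via open=, shellexecute= or shell\<verb>\command=, matching keys case-insensitively and keeping duplicate keys, so a responder knows which file on the stick to look at before deleting autorun.inf. The sample input is reconstructed from the listing in the post; the second test input is constructed.

```python
import re

# Sample reconstructed from the autorun.inf listing in the post (constructed input).
SAMPLE_AUTORUN = """[autorun]
open=lky.exe
shell\\Open\\Command=lky.exe
shell\\open\\Default=1
shell\\Explore\\Command=lky.exe
shell\\Autoplay\\command=lky.exe
"""

# Keys whose value is a command line: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)


def parse_autorun(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys.

    Keys are lower-cased (Windows matches them case-insensitively); blank lines,
    comments (';' or '#') and lines without '=' are ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launched_programs(text):
    """Distinct program paths the [autorun] section would launch, in order of
    appearance, lower-cased; a quoted path is taken whole, otherwise the first token."""
    seen, result = set(), []
    for key, value in parse_autorun(text).get("autorun", []):
        if not LAUNCH_KEY.match(key) or not value:
            continue
        if value.startswith('"') and '"' in value[1:]:
            target = value[1:value.index('"', 1)].lower()
        else:
            target = value.split()[0].lower()
        if target not in seen:
            seen.add(target)
            result.append(target)
    return result


if __name__ == "__main__":
    # Tells the responder which file(s) on the stick the autorun points at.
    for prog in launched_programs(SAMPLE_AUTORUN):
        print("autorun.inf launches:", prog)
```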