Author Topic: Viruses: trojan (win32:kavos)  (Read 25666 times)


swaprules

  • Guest
Viruses: trojan (win32:kavos)
« on: June 15, 2009, 07:33:31 AM »
I am getting several alerts from my avast that it has detected some trojans, which included some .dll and some .bat files. I did a boot-time scan, though it still is detecting them.
Here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:09 AM, on 6/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
E:\security\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A14B453-F018-4131-9F3D-7C5735E1FB87}: NameServer = 203.187.215.35 203.187.192.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A14B453-F018-4131-9F3D-7C5735E1FB87}: NameServer = 203.187.215.35 203.187.192.15
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 6432 bytes

What other info do you need? Thanks in advance!

swaprules

  • Guest
Re: Viruses: trojan (win32:kavos)
« Reply #1 on: June 15, 2009, 07:34:47 AM »
Also, I did a rootkit scan using the avast! anti-rootkit, which didn't find any problems.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Viruses: trojan (win32:kavos)
« Reply #2 on: June 15, 2009, 09:00:34 AM »
This is a nasty:

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

http://www.bleepingcomputer.com/startups/olhrwef.exe-24654.html

If possible, add this file to avast!'s Virus Chest and submit for analysis from there.

Run HijackThis! again, close all other windows including the browser, tick the entry above and click 'Fix'.

Reboot into Safe Mode and delete the file.
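
As an added example (not part of FreewheelinFrank's reply, and not code from HijackThis or avast!), the following Python script does the triage step above mechanically: it pulls the O4 autostart lines out of a HijackThis log and flags the ones worth a second look, such as an unrecognised program living directly in system32, a bare file name resolved through PATH at logon, or an entry in a per-user HKCU Run key, which can be planted without admin rights. The sample log lines are a subset copied from the log posted above; the allow-list of known system32 programs is an assumption of the example.

```python
import re
from collections import namedtuple

# O4 lines copied from the HijackThis log in the opening post (a constructed subset for the example).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

O4Entry = namedtuple("O4Entry", "hive name exe cmd")

# Shape of an O4 line: "O4 - <hive>\..\<key>: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Windows XP system32 programs that legitimately turn up in Run keys. This allow-list
# is an assumption of the example and would be extended in real use.
KNOWN_SYSTEM32 = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "igfxpers.exe"}


def first_token(cmd):
    """Program part of a command line: a quoted path, or the first whitespace-delimited word."""
    m = re.match(r'\s*"([^"]*)"|\s*(\S+)', cmd)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_o4(line):
    """Parse one log line into an O4Entry, or None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(m.group("hive"), m.group("name"), first_token(m.group("cmd")), m.group("cmd"))


def classify(entry):
    """Reasons this autostart deserves a manual look; an empty list means nothing stood out."""
    reasons = []
    exe = entry.exe.lower().replace("/", "\\")
    directory, _, basename = exe.rpartition("\\")
    if directory.endswith("\\system32") and basename not in KNOWN_SYSTEM32:
        reasons.append("unrecognised binary in system32")
    elif not directory:
        reasons.append("bare file name, resolved through PATH at logon")
    if reasons and entry.hive.upper().startswith("HKCU"):
        reasons.append("per-user Run key: plantable without admin rights")
    return reasons


def suspicious_o4(log_text):
    """Return [(O4Entry, reasons)] for every O4 line that trips at least one rule."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            reasons = classify(entry)
            if reasons:
                hits.append((entry, reasons))
    return hits


if __name__ == "__main__":
    for entry, reasons in suspicious_o4(SAMPLE_LOG):
        print(f"{entry.hive:14} [{entry.name}] {entry.exe}: {'; '.join(reasons)}")
```

Run against the sample, the script reports the `cdoosoft` entry (unknown program in system32, per-user key) and the bare `SkyTel.EXE` name; the latter is a Realtek audio component on many machines, which is exactly why the output is a list of things to verify rather than a verdict.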

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Viruses: trojan (win32:kavos)
« Reply #3 on: June 15, 2009, 09:06:12 AM »
Your Java application is way out of date. You need to update it. Go to Add/Remove Programs and remove all old versions of Java. Install the new version from the link below.

http://www.java.com/en/download/index.jsp

Check for other out-of-date and insecure programs here.

Secunia Online Software Inspector (OSI)
Secunia Personal Software Inspector (PSI)

Offline Maxx_original

  • Moderator
  • Super Poster
  • Posts: 1479
Re: Viruses: trojan (win32:kavos)
« Reply #4 on: June 15, 2009, 09:35:36 AM »
How about the boot-time scan? Did it make any difference in the detection/cleaning?

swaprules

  • Guest
Re: Viruses: trojan (win32:kavos)
« Reply #5 on: June 15, 2009, 01:24:08 PM »
Yes, it found some trojans, which I quarantined, but every few minutes it shows a warning saying that some file is a trojan. The last file shown was fsaht.cmd (others including .dll and .bat). I did the above things except the updates to Java and other software.
Any other ideas?

cinchez

  • Guest
Re: Viruses: trojan (win32:kavos)
« Reply #6 on: June 15, 2009, 02:30:34 PM »
And after this is over and, of course, your PC is finally clean, please upgrade to Win XP SP3; it will clear many vulnerabilities in SP2, so it's safer and more secure.

Good luck!

-AnimeLover

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Viruses: trojan (win32:kavos)
« Reply #7 on: June 15, 2009, 02:46:12 PM »
Update SuperAntispyware and run a scan.

Run Flash Disinfector:

http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/

Has that O4 entry gone?

swaprules

  • Guest
Re: Viruses: trojan (win32:kavos)
« Reply #8 on: June 15, 2009, 05:42:03 PM »
Yeah, that O4 entry has gone. Ran the Flash Disinfector. Will update everything once the PC is clean. Does anyone know how to generate a log of the SUPERAntiSpyware scan? It shows some instances of adware (a Vundo variant and a tracking cookie) and a Trojan.Dropper/Sys-NV. HELP!!

swaprules

  • Guest
Re: Viruses: trojan (win32:kavos)
« Reply #9 on: June 15, 2009, 05:50:12 PM »
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2009 at 09:18 PM

Application Version : 4.26.1004

Core Rules Database Version : 3938
Trace Rules Database Version: 1881

Scan type       : Complete Scan
Total Scan Time : 00:16:41

Memory items scanned      : 475
Memory threats detected   : 1
Registry items scanned    : 6013
Registry threats detected : 6
File items scanned        : 16270
File threats detected     : 4

Adware.Vundo/Variant
   C:\WINDOWS\SYSTEM32\E8MAIN0.DLL
   C:\WINDOWS\SYSTEM32\E8MAIN0.DLL

Unclassified.Unknown Origin
   HKLM\Software\Classes\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}
   HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}
   HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}\InprocServer32
   HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}\InprocServer32#ThreadingModel
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{BB4C402F-882A-4526-8C08-51278EA437C1}
   HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}

Adware.Tracking Cookie
   C:\Documents and Settings\User\Cookies\user@adinterax[2].txt
   C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[1].txt

Trojan.Dropper/Sys-NV
   C:\WINDOWS\SYSTEM32\OLHRWEF.EXE

swaprules

  • Guest
Re: Viruses: trojan (win32:kavos)
« Reply #10 on: June 15, 2009, 05:52:03 PM »
BTW, I had some of the infected files sent to ThreatExpert or something and it showed the country of origin as China.
BAH!!!
Also, when SUPERAntiSpyware tries to quarantine and remove the infected stuff, it shows a runtime error saying something like "pure virtual function call".
« Last Edit: June 15, 2009, 05:54:14 PM by swaprules »

pranaysharma94

  • Guest
Re: Viruses: trojan (win32:kavos)
« Reply #11 on: June 15, 2009, 06:43:42 PM »
Win32:Kavos is a trojan horse intended to steal on-line game passwords etc. It comes along with the rootkit klif.sys (notice the similarity to the name used by the Kaspersky driver). Once infected, Kavos drops itself into the root folder of all drives (under randomly generated names) and adds an autorun.inf to ensure the loading of the malicious files. It simultaneously creates some libraries in the \system32 folder with names such as kavo0.dll, amvo0.dll etc. Older variants of this malware are detected as Win32:Oliga, Win32:Monga and Win32:Gamona.
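
As an added example (not part of pranaysharma94's post and not avast! or Flash Disinfector code), the Python script below checks for the two footprints that post describes: an autorun.inf in a drive root whose launch directives (open, shellexecute, shell\verb\command) point at a file sitting next to it, and system32 libraries whose names match the kavo0.dll / amvo0.dll pattern. Because the real dropper names are random, the fixture uses a made-up file name, x1y2z3.exe, inside a temporary directory that stands in for a drive root; the single-digit suffix in the DLL pattern is an assumption of the example.

```python
import os
import re
import tempfile

# autorun.inf directives that make Explorer launch a program when the drive is
# opened, double-clicked or auto-played.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Library names the post attributes to Kavos (kavo0.dll, amvo0.dll, ...); the
# single trailing digit is an assumption of this example.
KAVOS_DLL_RE = re.compile(r"^(kavo|amvo)\d\.dll$", re.IGNORECASE)


def program_of(value):
    """Program name from a directive value: a quoted path or the first word, arguments dropped."""
    m = re.match(r'\s*"([^"]*)"|\s*(\S+)', value)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_autorun(text):
    """Map every launch directive in the [autorun] section to the program it runs."""
    targets = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            targets[key] = program_of(value)
    return targets


def check_drive_root(root):
    """[(directive, program, program_exists_in_root)] for the autorun.inf in a drive root, if any."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", errors="replace") as fh:
        targets = parse_autorun(fh.read())
    return [(key, prog, bool(prog) and os.path.isfile(os.path.join(root, prog)))
            for key, prog in targets.items()]


def find_kavos_dlls(system32):
    """Entries in a system32 directory whose names match the Kavos/Amvo pattern."""
    return sorted(n for n in os.listdir(system32) if KAVOS_DLL_RE.match(n))


def build_demo_tree():
    """Constructed fixture: a fake drive root plus system32 laid out as the post describes.
    x1y2z3.exe is a made-up stand-in for the randomly named dropper."""
    base = tempfile.mkdtemp(prefix="kavos_demo_")
    drive = os.path.join(base, "drive_e")
    sys32 = os.path.join(base, "system32")
    os.mkdir(drive)
    os.mkdir(sys32)
    with open(os.path.join(drive, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=x1y2z3.exe\nshell\\open\\Command=x1y2z3.exe\n"
                 "shell\\explore\\Command=x1y2z3.exe\nshellexecute=x1y2z3.exe\n")
    open(os.path.join(drive, "x1y2z3.exe"), "wb").close()
    for name in ("kavo0.dll", "kernel32.dll"):
        open(os.path.join(sys32, name), "wb").close()
    return drive, sys32


if __name__ == "__main__":
    drive, sys32 = build_demo_tree()
    for key, prog, present in check_drive_root(drive):
        print(f"autorun.inf: {key} -> {prog} ({'present' if present else 'missing'})")
    print("suspect DLLs:", find_kavos_dlls(sys32))
```

On a real machine you would call `check_drive_root` on each drive root (including removable media, which is how this family spreads) and `find_kavos_dlls` on `C:\WINDOWS\system32`; an autorun.inf whose every launch directive points at the same oddly named executable in the drive root is the pattern to look for.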

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Viruses: trojan (win32:kavos)
« Reply #12 on: June 15, 2009, 08:11:16 PM »
BTW, I had some of the infected files sent to ThreatExpert or something and it showed the country of origin as China.
BAH!!!
Also, when SUPERAntiSpyware tries to quarantine and remove the infected stuff, it shows a runtime error saying something like "pure virtual function call".

Try updating SAS or using the 'alternate start tool' as described here.

http://www.superantispyware.com/supportfaqdisplay.html?faq=88

EDIT: Your SAS is up to date- try the other options.
« Last Edit: June 15, 2009, 08:57:57 PM by FreewheelinFrank »

swaprules

  • Guest
Re: Viruses: trojan (win32:kavos)
« Reply #13 on: June 16, 2009, 07:15:05 AM »
Now once in a while avast is detecting an infected file with what it says is a heuristic scan or something (??). The file is always the same fsaht.cmd. Any idea about this?

Offline mkis

  • Avast Evangelist
  • Super Poster
  • Posts: 1618
Re: Viruses: trojan (win32:kavos)
« Reply #14 on: June 16, 2009, 07:43:30 AM »
Could you try another boot time scan?

Set scan local drives at thorough with the archive box checked,
Set Advanced ----> Move files to chest -----> Allow move

Since you have long passed the option of System Restore (I assume you have), turn off System Restore.

Run the boot-time scan.

Run a HJT scan and post the log in a reply to the forum.