Sunday, December 7, 2008

Customized Virus solution

Hi All,

Many of us have viruses on our systems but are not sure which virus it is or how to get rid of it. I have come up with a new idea: I can provide you all with a manual virus solution tailored to the nature of the virus attack.

If you wish to seek the solution, follow these simple steps:

  1. Download the latest version of HijackThis.
  2. Run it and save the HijackThis log on your hard drive.
  3. List all the PC related problems you are facing.
  4. Attach the HijackThis log and mail it, together with all your PC related problems, to my email id spgarg04@gmail.com.
  5. I will try to resolve your problem.
Note: The HijackThis software doesn't steal any secret information from your PC; it just lists the processes.

Regards.

Friday, November 28, 2008

Virus Removal : Kamsoft.exe, ckvo.exe, autorun.inf : Folder within folder

Hi All,

It's been a long time since I have written anything.

Today I have come up with a solution to a new virus problem. It is called Kamsoft.exe :)

Many PCs may be infected by this new virus, and the channel for this virus is our all-time favourite, the USB drive.

High-level symptoms:

1. It creates a folder within a folder (a file of approx. 603 KB in size).
2. It disables regedit.
3. You can't see hidden files and folders, i.e. it disables the hidden files and folders option in Control Panel.
4. It may disable msconfig.
5. It makes your PC very slow.
6. It attacks all drives and modifies the mount points key in the registry, so that when you double-click a drive it opens in a new window instead of the same window.

Actions performed by the virus:

1. This malware creates the following entry in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Kamsoft"=C:\windows\system32\ckvo.exe

2. It creates, or may create, the following files in the root of C:\, D:\ and other drives:
  • uuuq.exe
  • whi.com
  • 39lpji.com
  • ktnquo.exe
  • vxl.exe
  • oq.cmd
  • fe.bat
  • kk3.bat
  • rs.cmd
  • autorun.inf

3. The following files may be found in the System32 folder:

  • ckvo.exe
  • ckvo0.exe
  • ckvo1.exe
  • kamsoft.exe

Virus Removal

1. Start the computer in Safe Mode by pressing F8 during boot.

2. Open Registry Editor (if Registry Editor is disabled, go to step 3; otherwise go to step 4).

3. If Registry Editor is disabled:

  • Hit Windows+R to bring up Run (Start > Run).
  • Type gpedit.msc and click OK.
  • For regedit: in the Group Policy window, browse to User Configuration > Administrative Templates > System; you will see a small entry named "Prevent access to registry editing tools". Double-click that entry, check the Disabled option, and click OK. Your regedit.exe has just been enabled.

4. Search (Ctrl+F) for ckvo.exe and delete all entries (repeat the same for Kamsoft.exe and autorun.inf).

5. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\

and delete all the keys whose names start with {........}

For example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}

In the above key, delete {05ef6149-5e60-11dd-8a88-0003254ecf1b}

6. Open the command prompt and go to C:\>

7. Type attrib so you can see the hidden files in the root of the drive.

8. To clear the attributes of the malware files, type
  • attrib -s -h -r filename
  • e.g. attrib -s -h -r autorun.inf

9. Delete the file by typing

  • del filename
  • e.g. del autorun.inf

10. Repeat steps 8 and 9 for all malware files.

(Note: don't delete the system files)
  • ntdetect.com
  • ntldr
  • hiberfil.sys
  • io.sys
  • pagefile.sys
  • autoexec.bat
  • boot.ini
  • config.sys
  • msdos.sys
  • etc.

11. Look for the malware files in all other partitions and delete them using steps 7-10.

12. Go to c:\windows\system32>
13. Type

  • attrib -s -h -r kamsoft.exe
  • attrib -s -h -r ckvo.exe
  • attrib -s -h -r ckvo.dll
  • attrib -s -h -r ckvo0.dll
  • attrib -s -h -r ckvo1.dll
  • del kamsoft.exe
  • del ckvo.exe
  • del ckvo0.dll
  • del ckvo1.dll
  • del ckvo.dll

14. Some files in system32 may not delete; in that case, log off once and log on again to delete any remaining files associated with this malware.

15. Now open Registry Editor and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

Change the DWORD value of CheckedValue from 0 to 1.

16. Now go to Folder Options and change the hidden file attributes and show system files options. You should be able to see all hidden files.

17. Turn off System Restore and turn it on again, so that the previous restore points are deleted.

18. Search for all files of 603 KB in size and delete them.

Comments are welcome. You may seek help or reply to me at spgarg04@gmail.com

Friday, January 18, 2008

Music folder virus in your pen drive

Hello,

These USB drives are driving me crazy. Most of the time they carry unwanted guests (virus files). Earlier it was Brontok (remember that 44 KB file, a folder with a .exe extension). Now we can see a Music folder in almost every pen drive.
What is it exactly?

hmmmmmm

I am not sure what it is exactly, but there are a few things I can tell you about it.
  1. If it is executed, or has a presence in your system, it will do the following:
    • It will create a 232 KB folder on your hard drive.
    • It will start a fake lsass.exe process; the origin of this process is C:\windows\system.
    • The original lsass.exe exists in the C:\windows\system32 folder.
    • You can delete the Music folder while this process is running, but it will come back.
  2. Now simply do the following to kill it:
    1. Kill the lsass.exe process in Task Manager whose user name is "Administrator" or your own name (the legitimate lsass.exe runs as SYSTEM; killing that one forces a reboot, so leave it alone).
    2. Delete the file lsass.exe from C:\Windows\system.
    3. Now remove the registry entry:
      • If you are running Windows 95/98/ME, this startup entry is started via the Shell= line in the Windows\system.ini file.
      • If you are running Windows NT/XP/Vista/2000/2003, this startup entry is started via the Shell= value in the registry key:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Once you have done these steps, you can delete the Music folder and it won't come back.
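The Brontok, Music folder and Kamsoft folder-within-folder tricks all rely on an executable that looks like a folder. As an added example (not part of the original post), the Python script below walks a pen drive or partition and flags such files, using the file sizes the posts quote as a heuristic; the sample directory tree it builds is constructed for the example.

```python
import os
import tempfile
# Added example, not from the posts: walk a pen drive or partition and flag
# executables that pose as folders, the trick behind Brontok (a 44 KB "folder"
# with an .exe extension), the Music folder (232 KB) and Kamsoft's folder
# within folder (603 KB). The sizes are heuristics taken from the posts.
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}
SUSPECT_SIZES_KB, TOLERANCE_KB = (44, 232, 603), 5

def suspicious_entries(root):
    """(path, reason) pairs: an executable named like a sibling folder, named
    like the folder containing it, or close to a size the posts quote."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = {d.lower() for d in dirnames}
        parent = "" if dirpath == root else os.path.basename(dirpath)
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in EXEC_EXTS:
                continue
            path = os.path.join(dirpath, name)
            if stem.lower() in siblings:
                hits.append((path, "mimics folder " + stem))
            if parent and stem.lower() == parent.lower():
                hits.append((path, "named after parent folder " + parent))
            size_kb = os.path.getsize(path) // 1024
            for known in SUSPECT_SIZES_KB:
                if abs(size_kb - known) <= TOLERANCE_KB:
                    hits.append((path, f"size {size_kb} KB ~ {known} KB"))
                    break
    return hits

def build_sample_tree(base):
    """Constructed sample pen-drive layout (zero-filled files, not malware)."""
    for folder in ("Music", "Photos"):
        os.makedirs(os.path.join(base, folder))
    files = {"Music.exe": 232 * 1024,                          # fake Music "folder"
             os.path.join("Photos", "Photos.exe"): 603 * 1024,  # folder within folder
             os.path.join("Photos", "holiday.jpg"): 2048}       # benign data file
    for rel, size in files.items():
        with open(os.path.join(base, rel), "wb") as f:
            f.write(b"\0" * size)

def scan_sample_tree():
    """Build the sample tree in a temp dir, scan it, return sorted hits."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return sorted((os.path.relpath(p, base).replace(os.sep, "/"), r)
                      for p, r in suspicious_entries(base))
```

Run it against a real drive with `suspicious_entries("E:\\")` and check every hit by hand before deleting anything, since a legitimate installer can share a name with its folder.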

Comments are welcome. You may seek help or reply to me at spgarg04@gmail.com

Tuesday, January 8, 2008

Can't view hidden files and folders?

I spent almost 4-5 hours struggling with this problem, but finally figured it out.

Symptoms

  1. You can't see hidden files and folders, even if you try modifying the registry.
  2. Whenever you double-click a drive icon in My Computer, it takes some time to open and always opens in a new window.
  3. Your PC becomes a little slower.
  4. The process is packed and/or encrypted using a software packer.
  5. This process creates other processes on disk.
  6. This process deletes other processes from disk.
  7. It loads and executes a system driver file.
  8. It writes to another process's virtual memory (process hijacking).
  9. It registers a dynamic link library file.
  10. The process is polymorphic and can change its structure.
  11. It violates Prevx file security settings.
  12. It executes a process.
  13. It adds a registry key (RUN) to auto-start programs at system start-up.
  14. The process hooks code into all running processes, which could allow it to take control of the system or record keyboard input, mouse activity and screen contents.
  15. It modifies Windows initialization and system settings used at start-up.
Causes
  1. This problem can be caused by a backdoor/Trojan, amvo.exe.
  2. amvo.exe is bundled with several other worms/files, some of which are:
    1. 80avp08.com
    2. dosocom.com
    3. usdeiect.com
    4. xfoolavp.com
    5. autorun.inf
    6. Nideiect.com
    7. u.bat etc. (a list of files is available here)
  3. These files are stored in the root directories, i.e. C:\, D:\ etc., and also as C:\windows\system32\amvo.exe.
  4. You won't be able to delete any of these files, not even in Safe Mode, because it adds an autorun registry entry which loads amvo on boot.
Solution

  1. Kill all the processes like AMVO.exe or AVPO.exe.
  2. Type "msconfig" without quotes in Run and press Enter.
    1. Go to the Startup tab and uncheck any entry for amvo.
  3. Type "cmd" without quotes in Run.
    1. Type "d:" and press Enter.
    2. Type autorun.inf and press Enter.
    3. A file will open in Notepad. It contains the name of the .exe/.bat/.com file that is launched at boot time.
  4. Type "regedit" without quotes in Run and press Enter.
    1. Press Ctrl+F and type amvo; repeat the search again and again and delete all the related entries.
    2. Press Ctrl+F and type u.bat; repeat the search again and again and delete all the related entries.
    3. Press Ctrl+F and type amva; repeat the search again and again and delete all the related entries. Generally it should be HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\amva
    4. Search for the file name that was entered in autorun.inf and delete all its entries.
Now restart the computer and do the following:
  1. Go to regedit and then HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  2. Double-click the entry called CheckedValue and replace the 0 with 1.
  3. Now close all the windows and press Ctrl+E to open Explorer.
  4. Enable the hidden files option from Folder Options.
  5. Delete all the malicious files mentioned above.
  6. Your computer is now Trojan free.
  7. Find all the amvo-related files and delete them (some of them are amvo0.dll, amvo1.dll etc.).
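Step 3 above (reading autorun.inf to find the launched file) and steps 7 to 11 of the Kamsoft post (clearing attributes and deleting autorun.inf and the files it names) both come down to reading that one file. The Python parser below is an added example, not part of the original post: it pulls the launched programs out of an autorun.inf, including the custom shell verb trick, and builds the attrib/del commands; the sample autorun.inf is constructed, with file names taken from the posts.

```python
import re
# Added example, not from the posts: parse an autorun.inf from the root of a
# pen drive or partition and list the programs it would launch, so they can be
# inspected and removed along with it. SAMPLE_AUTORUN below is constructed.
LAUNCH_KEYS = ("open", "shellexecute")          # values that name a program
# shell\<verb>\command=... also names a program; worms add a custom verb and
# set shell=<verb> so that a plain double-click on the drive runs it.
COMMAND_KEY = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')   # program, minus arguments

def parse_autorun(text):
    """Return program names from the [autorun] section, in order, deduplicated.
    Junk lines (worms pad autorun.inf with garbage to upset parsers) are skipped."""
    programs, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in LAUNCH_KEYS and not COMMAND_KEY.match(key):
            continue
        match = FIRST_TOKEN.match(value)
        program = (match.group(1) or match.group(2) or "").lower() if match else ""
        if program and program not in programs:
            programs.append(program)
    return programs

def removal_commands(drive, programs):
    """Commands for steps 8-9 of the Kamsoft post (clear attributes, then delete)
    covering autorun.inf and every program it references. Review before running."""
    cmds = []
    for name in ["autorun.inf"] + list(programs):
        cmds += [f"attrib -s -h -r {drive}\\{name}", f"del {drive}\\{name}"]
    return cmds

SAMPLE_AUTORUN = r"""[autorun]
;kQ9z!# junk comment of the kind a worm writes to confuse parsers
open=uuuq.exe
shell\open\Command=uuuq.exe
shell\Auto\command=whi.com
shell=Auto
shellexecute=ktnquo.exe
xZ#@!9 junk line with no separator
"""
```

On a real drive, read the file with `open(r"D:\autorun.inf").read()` and compare the names returned with the file lists in the posts before running the generated commands.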
Prevention

Generally this Trojan travels through a USB drive, so it is better to explore the USB drive (right-click it and choose Explore) rather than opening it by double-clicking, which triggers its autorun.inf.

Comments are welcome. You may seek help or reply to me at spgarg04@gmail.com




