
Eh, lately I keep getting spam emails from random emails like admin@viagra.com or something (always from the same @viagra.com!!). Lucky for me, I don’t even read them so they don’t really affect me much. o_o
.

But today, the topic is on WAR!!
.

No, this isn’t Sparta. Not 300, either. But like the movie (and no, I haven’t watched the movie), this is a ridiculous war. And guess what? I’m victorious!!
.

And so, let me retell my battle stories to all who’re willing to listen. xP
.

(Though actually I meant to write this like 2 months ago, and I got lazy until today. o_o)

.


Part 1: And the Symptoms Began…

.

Avast Alert

.

Well, here’s the story.
.

  • I’m using Windows XP SP2. Not Vista, thank goodness.
    .
  • I’ve C: and D: drives (Program Files are in D: drive).
    .
  • I use Avast! antivirus, as you can see here.
    .
  • In the C: and D: directories, there are autorun files that trigger Avast’s alert (as in the picture) if I double click the drives to access from My Computer. Wonderful.
    .
  • No matter what you do to the file (move to chest, delete, etc), it keeps coming back.
    .

Persistent, right?
.

IT’S TIME FOR WAR!!11!1!

.


Part 2: HIDDEN FILES! SHOW YOURSELVES!!

.

First thing, what I normally do is enable Show Hidden Files and Show System Files under Folder Options in order to catch the autorun files in my C: and D: drives, so that I could fry them before I fry the actual virus.
.

And so, Browser > Tools > Folder Options > View.
.

Check Show Hidden Files and uncheck Hide Protected Operating System Files. OK.
.

Done.
.

But hey, I still don’t see the semitransparent files in either C: or D: drives?!
.

Round 2. Browser > Tools > Folder Options > View.
.

What the?! Hide Hidden Files and Hide Protected Operating System Files became checked again!!
.

Repeat, repeat, and repeat.
.

Still the same story.
.

Is there some hidden force messing about with my comp?! Darn it.
.

Deciding to leave the virus for a while longer, I poked Uncle Google in search of a way to enable my Show Hidden Files and stuff again. Usually, a lot of sites aren’t very useful when it comes to these, but then I found a particular website (link here) that has lots of scripts to help with Windows stuff.
.

And one of them is the Show Hidden Files script, which forces the Folder Options to change Show Hidden Files to be checked.
.

Whee.
.

It worked for a while… and then went back to its previous settings so I can’t find the hidden autorun files.
.

Bleh.
.

Another place, a forum topic, suggested using Regedit to force the Show Hidden Files to be checked, which is just to change the CheckedValue from 0 to 1.
.

Close Regedit.
.

Open Regedit.
.

Lo and behold!!
.

Still can’t see hidden files.

.

.

Note: Oh, darn, the picture’s too long. Click on this link to view the whole picture.
.

Eh, forget that for a while. Lemme kill the virus first.

.


Part 3: UNCLE GOOGLE! HELP!!!

.

Yep, as with all the malware problems I’ve had in the past (problems as in, I couldn’t remove it on my own), first I consult dear old Uncle Google. After all, I don’t really like registering on tech forums to bug people for help before I do all the things I could, first.
.

Search results: 6510. Whoa.
.

The first few are, as usual, some “HELP I GOT WIN32 ROOTKIT-GEN [RTK]!!!!1!!1!!” topics from various forums. Consulting these many topics, I began outlining and implementing my war strategy.
.

Hey, they did help me… well, for other malware problems in the past. o_o
.

Oh, and you know what?
.

klif.sys is a file generated by Kaspersky antivirus… BUT I’VE NEVER HAD KASPERSKY IN MY ENTIRE LIFE!!
.

It’s getting confusing. T_TT

.


Part 4: VIRUSTOTAL! HELP!!!

.

Virus Total is a website where you can upload a file and get it scanned (for free!) with some 30+ antivirus products, and it then tells you the results. For example, if you find a funky looking file sitting happily in your system32 folder and your antivirus didn’t complain, you could get it scanned at this place without getting new software installed!
.

Of course, it doesn’t help with removing the files, so… o_o
.

This site was recommended in a few of the “HELP I GOT WIN32 ROOTKIT-GEN [RTK]!!!!1!!1!!” forum topics, and I found it’s a good place to start determining whether the file’s a false positive or really infected. And so, I uploaded the aforementioned file (and Avast! didn’t cease or desist and kept throwing me more of the “ZOMG ROOTKIT ALERT!!” message).
.

Guess what? Virus Total said that 6 out of 32 antivirus programs say it’s a malware.
.

Cool.
.

Of course, once I found out it’s a malware, I tried removing it manually (i.e. by going to the folder and hitting delete). But Avast didn’t stop complaining, so…
.

Skirmish lost.
.

.


Part 5: SOPHOS ANTI-ROOTKIT! HELP!!!

.

One of the help forum topics said to look for anti-rootkit tools to remove rootkits. Whee, something that sounds like it works.
.

Consulting Uncle Google again (he never tires of me, does he?), I picked the first result from the list, which was Sophos Anti-Rootkit. Hey, the first on the list gotta be good, right?
.

But this strategy failed, because Sophos Anti-Rootkit never did find any rootkit on the comp. And, upon searching the file using the Windows folder search, I couldn’t find the file again.
.

What the heck?!
.

Darn. Now I gotta find out exactly where it is again.
.

Skirmishes lost: 2.

.


Part 6: AVAST! HELP!!!

.

Notice how I’ve only said the “ZOMG ROOTKIT ALERT!!” message pops up randomly? I never said anything about a scan, did I?
.

Then, I began the time-consuming Avast scan while I poked Uncle Google a bit more.
.

Hey, guess what?
.

KLIF.SYS DIDN’T EVEN TURN UP ON THE AVAST SCAN!!11!1!!
.

But I did find loads of other things, which included:
.

  • Loads of Trojans on System Restore Files. Yikes! Those gotta be the remains of the Trojan I fried from my sister’s friend’s pendrive some months ago, aren’t they?
    .
  • Loads of Rootkits on System Restore Files. Wut? Where’d that come from?!
    .
  • Some Rootkits on C: and D: folders. Were those the autorun files I tried to fry?
    .

It was a grand total of 16 infections!! That’s the most in years. o_o
.

But since the scan didn’t catch the pesky little virus…
.

Skirmishes lost: 3.
.

.


Part 7: REBOOT, AVAST BOOT-TIME SCAN! HELP!!!

.

When some of the guys on the forums asked for “I GOT WIN32 ROOTKIT-GEN [RTK]!!!!1!!1!!” help, I noticed that some of the files were (like some of my infections) System Restore files. The people who tried to help said to disable System Restore, restart, and re-enable System Restore.
.

Yep, I disabled System Restore. And at the same time, I scheduled a boot-time Avast! scan.
.

Then, I cleaned my temporary files. (1422 temp files ZOMG!)
.

Muahaha, you gotta be fried now, virus!!
.

And I hit restart.
.

…3 hours later, the system rebooted, and, somehow, the rootkit is still there. Bleh.
.

Skirmishes lost: 4.

.


Part 8: TECH FORUMS! HELP!!!

.

Yep, I do get desperate after 3 days. So I went on some forums and asked for help, telling them what I did so far.
.

So I installed HijackThis (a program that scans your comp and saves a log file of autostart registry entries and running processes) and posted the log file to show the forum guys.
.

Then take a look at the red line a guy helped me identify:
.

O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
.

CKVO IS A MALWARE AS WELL!!!
.

Holy macaroni. Is there no end to my woes in this war?
.

Running numerous searches using Window’s folder search enabled me to locate ckvo.exe and ckv0.dll in the system32 folder. Upon deleting them manually (Avast doesn’t complain about them, somehow), the files disappear… and eventually come back.
.
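The O4 lines above are just the Run/RunOnce keys. Here is an added example (not from the original post, and not part of HijackThis) that enumerates those same keys on the local machine and flags the pattern visible in that log: a per-user (HKCU) autostart entry that launches a file out of the system directory, or a target that is hidden, carries no CompanyName in its version info, or no longer exists. It assumes Windows PowerShell 2.0 or later and is read-only; nothing is deleted.

```powershell
# Added example (not from the original post): triage the Run/RunOnce
# autostart entries that HijackThis reports as "O4" lines.
# Assumes Windows PowerShell 2.0 or later. Read-only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandPath {
    # Extract the executable path from a Run value such as
    #   "C:\Program Files\App\app.exe" /background   or   C:\WINDOWS\system32\x.exe
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted form: take everything up to the first ".exe"
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd
}

function Get-AutostartFindings {
    $systemDir = [Environment]::SystemDirectory      # e.g. C:\WINDOWS\system32
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... members the registry provider adds
            if ($prop.Name -like 'PS*') { continue }
            $raw  = [string]$prop.Value
            $path = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $raw))
            $flags = @()
            # A user-level autostart of a file in the system directory is the
            # shape of the [kamsoft] -> system32\ckvo.exe line in the log above
            if ($key -like 'HKCU:*' -and $path -like "$systemDir\*") {
                $flags += 'user-Run-entry-in-system-dir'
            }
            if (Test-Path -LiteralPath $path) {
                # -Force so that hidden files are still returned
                $file = Get-Item -LiteralPath $path -Force
                if ($file.Attributes -band [IO.FileAttributes]::Hidden) { $flags += 'hidden-file' }
                if (-not $file.VersionInfo.CompanyName) { $flags += 'no-CompanyName' }
            } else {
                $flags += 'target-missing'
            }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = $raw
                Target  = $path
                Flags   = ($flags -join ',')
            }
        }
    }
}

# Flagged entries first; an empty Flags column means nothing unusual was seen
Get-AutostartFindings | Sort-Object Flags -Descending |
    Format-Table Key, Name, Target, Flags -AutoSize
```

A flag is a reason to look closer (upload the target to VirusTotal, check who signed it), not proof of infection: some legitimate vendor tools also ship without a CompanyName. HijackThis covers more autostart locations than these four keys (Winlogon shell, services, BHOs), so an empty result here does not mean the machine is clean.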

ZOMGWTFBBQ!!!11!!!!1!
.

Skirmishes lost: 5.

.


Part 9: MALWAREBYTES! HELP!!!

.

Then there’s this other guy who came and offered help in the forums. He gave a list of 3 or 4 anti-rootkit software, but none of them found any rootkit.
.

Weird?
.

Then he suggested Super Anti-Spyware and MalwareBytes’ Anti-Malware, in hopes of finding whatever it was that causes the barrage of problems in my comp.
.

Super Anti-Spyware found nothing but tracking cookies (normal stuff).
.

MalwareBytes, on the other hand…
.

IT SHOWED THE ROAD TO VICTORY IN THIS LONG WAR!!
.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
(Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
.

Oh yeah! It finally found the registry entry that blocked me from seeing hidden files!!
.
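Here is an added example (not from the original post, and not Malwarebytes’ own code) that audits the SHOWALL key the log above refers to and optionally puts it back. Explorer reads CheckedValue from this key when you tick “Show hidden files and folders”; if it is 0, or has been changed to a string instead of a REG_DWORD, the tick silently reverts, which is exactly the symptom described in Part 2. The expected numbers are the Windows defaults (CheckedValue=1, DefaultValue=2, UncheckedValue=2). It assumes Windows PowerShell 2.0 or later; run it with -Repair from an administrator prompt to restore the values.

```powershell
# Added example (not from the original post): audit/repair the SHOWALL key.
# Assumes Windows PowerShell 2.0 or later. Only writes when -Repair is given.

$showAllKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$expected   = @{ CheckedValue = 1; DefaultValue = 2; UncheckedValue = 2 }   # Windows defaults

function Test-ShowAllKey {
    param([switch]$Repair)
    $findings = @()

    if (-not (Test-Path -Path $showAllKey)) {
        $findings += 'SHOWALL key is missing entirely'
        if ($Repair) { New-Item -Path $showAllKey -Force | Out-Null }
        else { return $findings }
    }

    $item = Get-ItemProperty -Path $showAllKey
    foreach ($name in $expected.Keys) {
        $actual  = $item.$name
        $problem = $null
        if ($actual -eq $null) {
            $problem = "$name is missing"
        } elseif ($actual -isnot [int]) {
            # A REG_SZ "1" looks right in regedit, but Explorer expects REG_DWORD
            $problem = "$name has type $($actual.GetType().Name), expected REG_DWORD"
        } elseif ($actual -ne $expected[$name]) {
            $problem = "$name is $actual, expected $($expected[$name])"
        }
        if ($problem) {
            $findings += $problem
            if ($Repair) {
                Set-ItemProperty -Path $showAllKey -Name $name -Value $expected[$name] -Type DWord
            }
        }
    }

    # The per-user preference Explorer toggles: 1 = show hidden files, 2 = hide them
    $advanced = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hidden   = (Get-ItemProperty -Path $advanced -ErrorAction SilentlyContinue).Hidden
    if ($hidden -ne 1) {
        $findings += "HKCU Hidden preference is '$hidden' (1 = show hidden files)"
        if ($Repair) { Set-ItemProperty -Path $advanced -Name Hidden -Value 1 -Type DWord }
    }

    if ($findings.Count -eq 0) { $findings += 'SHOWALL key and Hidden preference look normal' }
    return $findings
}

Test-ShowAllKey            # report only
# Test-ShowAllKey -Repair  # restore the defaults (needs write access to HKLM)
```

If the values keep flipping back after a repair, something still running is resetting them, so the fix is only worth applying after the process responsible (ckvo.exe in this story) is gone; re-running the audit a minute later is a cheap way to confirm that.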

Victory is near. xP
.

Skirmishes won: 1.

.


Part 10: And the Road to Victory!!

.

Browser > Tools > Folder Options > View.
.

Check Show Hidden Files and uncheck Hide Protected Operating System Files. OK.
.

Repeat.
.

Browser > Tools > Folder Options > View.
.

LO AND BEHOLD!! SHOW HIDDEN FILES STAYED CHECKED AND HIDE SYSTEM FILES STAYED UNCHECKED!!
.

Holy yeah. Clicking OK on Folder Options has never felt better.
.

Since I’m finally able to see hidden and system files, I see loads and loads of familiar names in the C: and D: drives. THOSE ARE THE FILES THE ALERT KEEPS POPPING UP FOR BUT IN THE WRONG PLACE!!
.

Darn. All this wild goose chase all because of a registry entry that doesn’t let me see hidden system files. T_T
.

But hey, it’s finally over, right? After deleting all the autorun and stuff (and leaving the important system files alone), no more rootkit problems in my comp!!
.
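Telling a worm’s autorun.inf apart from the harmless one a vendor ships for a drive icon is easier when you can see what each file would launch. Here is an added example (not from the original post) that inventories autorun.inf on every ready drive, including hidden and system-attributed ones, and prints the directives that can execute something, alongside the NoDriveTypeAutoRun policy that decides whether Explorer honours autorun.inf at all. It assumes Windows PowerShell 2.0 or later and is read-only.

```powershell
# Added example (not from the original post): list autorun.inf files and the
# AutoRun policy. Assumes Windows PowerShell 2.0 or later. Read-only.

function Get-AutorunInventory {
    foreach ($drive in [IO.DriveInfo]::GetDrives()) {
        if (-not $drive.IsReady) { continue }
        $inf = Join-Path $drive.RootDirectory.FullName 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # -Force so a Hidden/System autorun.inf is still returned
        $file = Get-Item -LiteralPath $inf -Force
        # Directives in the [autorun] section that can run or point at a file
        $launch = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command|action|icon)\s*=' }
        New-Object PSObject -Property @{
            Drive      = $drive.Name
            Type       = $drive.DriveType
            Attributes = $file.Attributes
            Directives = ($launch -join ' ; ')
        }
    }
}

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types to ignore; 0xFF disables
    # AutoRun everywhere. Typical defaults are 0x95 (XP) and 0x91 (Vista and later).
    $results = @()
    foreach ($root in 'HKLM:', 'HKCU:') {
        $policy = "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value  = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($value -eq $null) { $shown = 'not set' } else { $shown = '0x{0:X2}' -f $value }
        $results += New-Object PSObject -Property @{
            Hive                       = $root
            NoDriveTypeAutoRun         = $shown
            AutoRunDisabledEverywhere  = ($value -eq 0xFF)
        }
    }
    $results
}

Get-AutorunInventory | Format-Table Drive, Type, Attributes, Directives -AutoSize
Get-AutoRunPolicy    | Format-Table Hive, NoDriveTypeAutoRun, AutoRunDisabledEverywhere -AutoSize
```

An autorun.inf on a fixed disk such as C: or D: that carries an open= or shellexecute= line and the Hidden and System attributes is the classic worm drop; a CD-ROM or vendor USB stick with only an icon= line is normal. Setting NoDriveTypeAutoRun to 0xFF under HKLM is the standing mitigation that stops the next infected pendrive from launching anything when it is plugged in.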

So, in conclusion?
.

Use MalwareBytes’ Anti-Malware. It helps to kill infected registries. xP
.

Note: After some time of deleting that one infected registry, I had some slight network problems on my computer and not my siblings’ computers. Upon reading some stuff from Google search, apparently messing with your registry messes up your Internet connection. However, there’s a solution; there’s one site (can’t remember which) that has something called a WinSock Fix script (just a script file). Upon using that, my network is fixed. So just a heads up. =D
.

And all is well until now!

.

~Estrelita Farr, enthusiastically writing!
