A most persistent Win32 Rootkit-gen [Rtk]. Help? =(

Hi, everyone! I’m new here, though I’m sorry to say that I posted here out of desperation. =(

Recently, I keep getting this Avast error. It hasn’t done anything funny to my comp yet (other than the fact I can’t see hidden files), but I’d still like to prevent it from having a party in my comp. o_o

Version of Avast: 4.8, Home Edition
Version of OS: Windows XP SP2
Account type: Administrator, the only account on this comp

A screenshot of the persistent error message:

http://pichostonline.com/u/080826/b0969d4ddc.png

Characteristics of the problem:

  • Avast’s alert (picture above) shows up only when double-clicking C and D drives (there are 2 partitions) from My computer. Folder opens normally after that. It also pops up randomly.
  • Deleting or moving it to chest doesn’t work. The alerts still appear after doing both numerous times.
  • Avast resident guard detects it, but scanning using Avast antivirus (both normal scan and boot-time scan) didn’t work.
  • Sophos Anti-Rootkit didn’t detect the rootkit.
  • Show hidden files and Show system files are disabled, regardless of clicking Apply or Okay. Tried fixing using Registry Editor, but failed.

What I’ve done so far:

  • Uploading the klif.sys file into VirusTotal nets a 6/32 result, all recognising it as a rootkit.
  • Scanning using Avast antivirus (normal scan), which didn’t detect the klif.sys file as a rootkit.
  • Scanning using Avast antivirus (boot-time scan), with archive scanning enabled.
  • Scanning using Spyware Doctor, which only found some tracking cookies.
  • Scanning using Sophos Anti-Rootkit, which only detected 2 hidden registries.
  • Disable System Restore, restart, re-enable System Restore.
  • Cleaning temporary files.
  • Fixing the show hidden files problem with Registry Editor, but it fails (the CheckedValue thing keeps coming back when I delete it, so I can’t create a DWORD value with the same name).

A persistent CheckedValue:

http://pichostonline.com/u/080826/ea75992be3.png

My HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:53 PM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\PROGRA~1\Webshots\Webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ap.dell.com/content/default.aspx?c=my&l=en&s=gen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM..\Run: [dscactivate] “C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe”
O4 - HKLM..\Run: [ZoneAlarm Client] “D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip..{A5415F4E-1508-4922-B5EF-79D75A1FA9E9}: NameServer = 192.168.0.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 5104 bytes

I’ve spent my last 6 hours googling, reading and trying to fix this error, but all to no avail. =(

From searching, I do realise that the klif.sys file is from Kaspersky, but I’ve never installed Kaspersky on this computer. I thought maybe it came from ZoneAlarm, but I’ve never had this problem the last 6 months or so since I bought this comp. That’s why I’m a bit confused. o_o

I do appreciate any help for this, and thanks in advance!

What’s the size of this file, klif.sys? http://www.file.net/process/klif.sys.html offers some information about it, not that much, though.
The entry ckvo.exe looked a bit suspicious. There are a few hits on Google for that one. http://fplingblogger.blogspot.com/2008/06/ckvo-malware.html looks a bit promising. Seems if you can disable that, you may be able to permanently delete other offending files.
The research you’ve done is probably about what I’d do, too. I don’t think my malware killing instincts are necessarily better than yours, so the above is educated guesswork. (i.e., try any fixes at your own risk.) (and jolly good luck.)
Try line 155 left, here: http://www.kellys-korner-xp.com/xp_tweaks.htm to enable showing hidden files.
There are other malware fighters here that really seem to know their onions.
Just wanted to post this now in case they’re all asleep or at work, and to say welcome. :smiley:
Chances of getting good help here= excellent.

See: http://forum.avast.com/index.php?topic=12079.15
KAV removal tool: http://www.ice-kav.com/utilities.php
http://www.ice-kav.com/downloads/util/KAV_Registry_Clean.zip

Maybe, just delete KLIF.sys file (if you can).

According to which Kaspersky product you were using (or other product that installs that file) (http://www.ice-kav.com/tools.php):
KAV 5.x removal utility: KAV_Registry_Clean.zip
KAV 4.5x removal utility: KAV_Rem.zip
AntiHacker removal utility: KAH_Rem.zip

Please do NOT use Kaspersky anti-hacker together with Avast!
It seems that Kaspersky writes something in the registry that is picked up by Avast! that makes Avast! think there’s another AV program installed.
Although this is not the case (KAH is a firewall, not an anti-virus prog), Avast! will nag you about this.

Ah, the ckvo.exe. It got me into a wild goose chase trying to locate it, but I finally found it hidden in my system32 folder, together with ckvo0.dll and ckvo1.dll, all three were hidden so it took several tries for the search function to find. I deleted the files manually (by hitting delete), but of course, that just isn’t enough to get rid of it. I can’t delete ckvo1.dll because it says “access denied”, so I suspect that’s the one causing all the pain. Then, it came back some minutes later!! Bah. T_T

(I’m not too sure how the Bart CD thingy stated in the fella’s blog works, the one used to remove ckvo.exe. Or maybe I’m just kinda kaput now. O_O)

I tried running the script from the link you gave me, which I downloaded and opened to enable hidden files. It… didn’t work, though. It allows me to uncheck the “hide all system files” (that’s an improvement from before), but it doesn’t allow me to show all hidden files. Clicking Okay/Apply will force it back to the default choices. T_T

And I can’t exactly tell what’s the size of the klif.sys file because… well, it sort of disappeared from the system32/drivers folder. Unfortunately, this doesn’t stop the autorun from activating it, which prompts Avast’s alert to pop up. I suspect it went into hidden mode after realising I was after it. Darn. =(

Anyway, thanks for your help and for the welcome~

Thanks for the heads up~

I’ve never installed Kaspersky, so I’m not sure which of these I should use. I’ve searched countless times for the klif.sys file, but it even disappeared from the sight of the search function. Well, except there was this fleeting moment where it turned up in the search as “C:\WINDOWS\system32\drivers\kilf.sys{CATROOT- [a long random string]}”, or something like that. I deleted that manually (by hitting delete), but I still get the alert when I double click any of the drives. T_T

Thanks for helping though. o_o


I’m off to sleep now so I may not reply for the next 16 hours or so (I have classes during the day). Then I’ll come home and try and settle this again.

Thanks, I appreciate the help. =D

Update:

I’m back from class and decided to leave klif.sys alone and chase after the ckvo.exe instead. o_o

I ran numerous searches using the explorer, and the only ckvo file is ckvo0.dll. But since HijackThis says there’s ckvo.exe running, it’s gotta be hiding somewhere, right?

So I googled for a way to remove ckvo.exe (most of the links on the first page didn’t seem to help much though), until I found this guy suggesting using HijackThis to kill the ckvo.exe process. I did that, ran another HijackThis scan, and the ckvo.exe disappeared. I ran another search in my comp and deleted the ckvo0.dll file.

After that I used the “Enable show hidden file” script downloaded from the link Tarq57 gave, and I was suddenly able to see hidden files again. xP

I discovered there isn’t any autorun file of any sort in my C: and D: folders (only a bunch of MSN’s sqmdata[some number].sqm files), and miraculously, everything’s suddenly fixed. ZOMGLOLBBQ?

Thanks to Tarq57 and Tech for replying to my topic, more so to Tarq57 for helping to identify the darn ckvo.exe virus in my comp. xP

EDIT:

WARGH!!

I ran another HijackThis scan for fun after I posted here, and THE DARN CKVO.EXE IS BACK IN MY SYSTEM!!11!!!1!!

Looks like I’ll have to find it again. T_T

I ran numerous searches using the explorer, and the only ckvo file is ckvo0.dll. But since HijackThis says there's ckvo.exe running, it's gotta be hiding somewhere, right?

Wrong, all HJT is telling you is that there is a registry entry to run this file. That entry may or may not also have (No File) or (file missing) after it, but that too is no guarantee that the file doesn’t exist. As you have mentioned, klif.sys is recognised by some at VirusTotal as a rootkit; that could be hiding the file you are looking for. Or possibly some other rootkit may be present.

So for my money, this is your most serious issue and should be dealt with first.

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
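To make the point above concrete, here is an added example (not code from the thread or from HijackThis): a small Python triage script that parses the O4 (Run key) lines of an HJT log and cross-checks each target against the "Running processes" section, flagging entries HJT reports as missing or whose executable has no running process. The sample log is a constructed excerpt built from the lines posted earlier in the thread.

```python
import re

# Constructed excerpt of a HijackThis v2 log: the lines are copied from the
# log posted earlier in this thread, trimmed to a handful of entries.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
"""

# "O4 - HKLM\..\Run: [value name] command"; forum pastes sometimes flatten "\.." to "..".
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\?\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
MISSING_MARKERS = ("(no file)", "(file missing)")

def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.strip().rsplit("\\", 1)[-1].lower()

def running_processes(log):
    """File names under 'Running processes:' (the list ends at a blank line)."""
    names, in_list = set(), False
    for line in log.splitlines():
        if line.strip().lower() == "running processes:":
            in_list = True
        elif in_list:
            if not line.strip():
                break
            names.add(basename(line))
    return names

def command_target(cmd):
    """Executable path of a Run-key command: the quoted part when quoted,
    otherwise the whole command (unquoted entries here carry no arguments)."""
    cmd = cmd.strip()
    end = cmd.find('"', 1) if cmd.startswith('"') else -1
    return cmd[1:end] if end > 0 else cmd

def triage_o4(log):
    """O4 entries worth a second look, each with its reasons. This is a review
    list, not a verdict: a legitimate tool that has simply not started yet
    (the Dell entry in the sample) lands on it as well."""
    procs = running_processes(log)
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        target = command_target(cmd)
        reasons = []
        if any(marker in cmd.lower() for marker in MISSING_MARKERS):
            reasons.append("HJT reports the file missing (it may exist but be hidden)")
        elif basename(target) not in procs:
            reasons.append("no running process of that name: not started, or hidden")
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name, "target": target, "reasons": reasons})
    return findings
```

On the sample, both the [kamsoft] entry (ckvo.exe, the one discussed in this thread) and the Dell [dscactivate] entry come back, which is exactly why the output is a list to investigate rather than a verdict.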

Thanks for replying. o_o

I ran Sophos Anti-Rootkit, Panda Anti-Rootkit and Trend Micro RootkitBuster, but they didn’t find any rootkit.

I ran several searches in the explorer (with hidden and system files enable), but it can no longer find ckvo.exe, ckvo0.dll, ckvo1.dll or klif.sys. T_T

I’ve been running several HijackThis scans to see if that ckvo.exe process came back, but luckily it didn’t. Currently I can view hidden files, but if I play with Folder Options, it’ll resume the previous problem of not being able to see hidden files (until I run the VBS script to enable hidden files again).

But, if I double click on my C: drive or play with the Folder Options, the ckvo.exe thing comes back in the HijackThis log even if there’s no autorun!

Gah. =(

I’m not sure what file it is that’s causing all the problems. Is it possible for a file to remain undetected, but alert Avast under different file names (such as that klif.sys) and create a registry entry with a different file name (such as that ckvo.exe)?

Well, that is good news in not finding any rootkit.

I do think that your problem with not being able to find files was related to them being hidden and your not being able to unhide them. Once you got the ability to see them, it also allows applications to see and deal with them.

If a file keeps coming back there is likely to be an undetected element to the infection which restores or downloads it again.

Your firewall plays an important part in that defence and personally I feel ZA Free is limited in this regard.

There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

What other security tools have you run, e.g. anti-spy/malware ?

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware (On-Demand only in the free version).

  2. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right-click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.

Yeah, most likely it’s that problem, though I was able to search hidden files for a while. Probably because even with the script, I can only set it to show hidden files and not system files. T_T

Thanks for the heads up, I’ll take a look and get one of those, though not tonight. Tomorrow night, I’d think~

Oh, yikes, now I remember what I forgot in the last couple of months. An anti-spyware. T_T

I’m downloading the Superantispyware now (a bit slow), though I’ve a question. I know that it’s not recommended to have 2 antivirus programs installed and active at the same time, but what about anti-spyware/malware? I’m inclined to think I should only have one, but I wanted to ask just in case. o_o

Will post an update after I run a scan with Superantispyware and maybe with MalwareBytes Anti-Malware. =D

Update:

Okie, scanned with Superantispyware. But all it found are tracking cookies, not any other malware that’s bullying me. T_T

Getting MalwareBytes Anti-Malware now. o_o

SAS and MBAM are on-demand scanners only; they will NOT conflict.

I don’t bother with checking for tracking cookies, I disable it in the Preferences. Have your browser settings deny 3rd party cookies (those not for the site you are on) and periodically clear all cookies.

Oh, is that so? Thanks for the info~

Thanks for advice, I’ll do that occasionally. =D

And today was a great breakthrough! I ran MalwareBytes Anti-Malware and it finally caught the hidden registry process that was blocking me from showing hidden and system files! >=O

Turns out I’ve some very persistent hidden system files in my D drive (whose names I recognised because Avast keeps saying they’re Win32: Rootkit-gen [Rtk] files, no wonder I kept getting it!) and some autorun files. I’ve deleted the autorun files (AUTOEXEC.BAT, autorun.inf, autorun.pnf, etc) and left the system files in my C drive, so no worries there~

Thanks very much for the help, DavidR! =D


Edit:

Just a question: there’s this n.com file in my C drive, though I’m not sure whether to remove it or not. o_o

A screenshot:

http://img185.imageshack.us/img185/3387/ndotcomqc5.png

I’ve searched online about it, but I haven’t been able to find any info about it. Do you have any idea what it is?

Don’t worry about the other system files, I’ve googled about them enough to know they’re important. =D

It’s that n word again
n.com could be anything
does rt click and “properties” show anything
how old is it
can you run it in a sandbox?
can you go to virus total and upload?

(hack hack hack)

you might just rename it for now n.bak and see if anything misses it
put it in the user area of the avast chest
and what might run it?

You’re welcome, MBAM is proving to be very useful at rooting out bad registry entries and as such highlighting other items.

Once you have run MBAM and it has had a clean out you should rerun avast, SAS as they might then find something that was otherwise hidden.

Re n.com, it certainly looks suspect, first Upload to VirusTotal - Multi engine on-line virus scanner and report the findings of these files here. If any are detected by multiple scanners send example to avast, see below.

If there are multiple detections ‘after’ you have added it to the chest (see below) you should delete it from the original location.

Add to Chest and Send sample to avast:

Add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Holy macaroni! 29/36 detected!!

Pro malware. o_o

Okie, I’ve wiped it from my comp, so should be no more problems now. I’ve scanned using HijackThis, now scanning with SAS and after this scanning with MBAM, but so far so good. =D

Funny how it started with that one Rootkit malware, which leads to so many things. o_o

Thanks for the help, you two~

It’s officially resolved now. xP

I’d run a Kaspersky on line AV scan
these darn things like to hide

then run secunia software inspector and get updated
if java out of date run javara

run CCleaner
defrag
new restore point

what are you running for a RESIDENT anti-spyware/anti-malware? (in addition to AVAST)

The number isn’t a concern just that it is a confirmed bad file and should be got rid of. Just continue to monitor your system and watch for unusual behaviour.

That is how it often is: one piece of malware getting its claws in and inviting others along for the party, and disabling or changing system settings to hide or make it more difficult for the user to deal with the problem. However, it looks like you are in the clear now, though no harm in doing an on-line AV scan (pause the standard shield for the duration of the other scan and enable it immediately after it is done) as suggested.

Glad that we could help.