how do i remove this virus please help me..

here’s the screen shot

http://i260.photobucket.com/albums/ii1/obe_bucket/untitled.jpg

thanks in advance… :-[

-gen items need some further investigation
did you move to chest?

do not just delete

upload a copy to virus total
post the virus total report back here

Try a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested.

right- do what freewheeling says first

The C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt provides a more user friendly summary of the boot-time scan and it should list any detections.

here are the instructions to send result to virus total shamelessly copied from DavidR

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

i did what freewheeling said but still the virus keeps coming back when i open my Local Disk (C:) and when i delete it and open my C: again the virus still appears… :cry:

and here’s the report from Virus total:

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - -
AVG - - Win32/Heur
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - -
Kaspersky - - -
McAfee - - PWS-Gamania.gen.a
Microsoft - - PWS:Win32/Frethog.D
NOD32v2 - - -
Norman - - -
Panda - - -
PCTools - - Trojan.Lineage.Gen!Pac.3
Prevx1 - - Cloaked Malware
Rising - - -
Sophos - - Sus/Behav-200
Sunbelt - - Packed.Win32.NSAnti.e
Symantec - - -
TheHacker - - -
TrendMicro - - PAK_Generic.001
VBA32 - - MalwareScope.Worm.Viking.3
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen

what should i do next…?
thanks again in advance…

If still having problems, post a HijackThis! log.

This infection is associated with the malware KAVKOP:Payload-A according to Prevx.

I suggest:

SuperAntiSpyware Free

Spybot - Search & Destroy

Spyware Terminator (exclude the crawler toolbar, add on, and the ClamAV module)

Hi Obeshi,

Consider this info on the malware, removal instructions as with worms:

W32/Tilebot-HX is a worm for the Windows platform.

W32/Tilebot-HX spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007). The worm may also spread via network shares protected by weak passwords.

W32/Tilebot-HX runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Tilebot-HX includes functionality to:

  • set up an FTP server
  • set up a proxy server
  • spread via AOL Instant Messenger by sending messages automatically
  • change Internet Explorer start page
  • set or remove network shares
  • port scanning
  • packet sniffing
  • start a remote shell (RLOGIN)
  • access the internet and communicate with a remote server via HTTP
  • harvest information from clipboard
  • take part in Distributed Denial of Service (DDoS) attacks

When first run W32/Tilebot-HX copies itself to \vcmon.exe.

The file vcmon.exe is registered as a new system driver service named “Remote TCP Services”, with a display name of “Remote TCP Services” and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Remote TCP Services\

W32/Tilebot-HX sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\

polonus

Obeshi
lots of interest in your problem
as polonus shows it is not a trivial problem

the programs that JTaylor mentioned are all good ones as is Malware Bytes Anti Malware and Rogue Remover
If you run any of these quarantine- do not delete
post up the HJT log after you have run JTaylors suggestions (or right now if you have not)
If you ran your HJT and since then have run anything else run a fresh HJT and tell us what else you ran and the results
Hope to hear from you soon- and the sooner the better

Hi obeshi,

Try the removal tool here in safe mode and without system restore installed :
http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.removal.tool.html

polonus

i did what polonus and jtaylor said but the virus is still in my local disk C:

the fixEsbot reported that:

Symantec W32.Esbot Removal Tool 1.3.1

W32.Esbot has not been found on your computer.

In the Super Anti Spyware it detected this:

Adware.Tracking Cookie
Adware.URLBlaze
Trojan.UNclassified/KXVO

still no luck… :cry:
but thanks guys for helping me out i do appreciate it ;D

Hi Obeshi,

Put a hijackthis log here as an added txt file for analysis. HJT latest version download from here:
http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/
Do you have any of the files mentioned here on your computer:
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Unclassified.gen&threatid=45124

polonus

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:42 PM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\Core\nero.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [TBPanel] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


End of file - 6284 bytes

Hi Obeshi,

These should be fixed using HJT:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O4 - HKCU..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe

The unsafe files using this name are associated with the malware group KAVKOP:Trojan-A. Some files using the name KXVO.EXE are also associated with the malware group:

* Obfustat.TYA

polonus
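The manual check above (a BHO whose file is missing, and a per-user Run entry that launches a program from system32) can be expressed as a small triage script. This is an added example, not part of any post in this thread; the two heuristics and the assumed Windows directory are this example's own assumptions, not HijackThis rules.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
# Accepts both "HKCU\..\Run" and the "HKCU..\Run" spelling seen in the pasted log.
RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\system32")  # assumed Windows directory


def exe_path(cmd):
    """Return the executable part of a Run command line, quoted or not."""
    cmd = cmd.strip()
    quoted = re.match(r'^["“](.+?)["”]', cmd)
    if quoted:
        return PureWindowsPath(quoted.group(1))
    bare = re.match(r"^(.+?\.(?:exe|com|scr|bat|cmd|pif))\b", cmd, re.I)
    return PureWindowsPath(bare.group(1) if bare else cmd)


def triage(log_text):
    """Return (line, reason) pairs for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        bho, run = BHO.match(line), RUN.match(line)
        if bho and bho["file"] == "(no file)":
            findings.append((line, "BHO is registered but its file is missing"))
        elif (run and run["hive"] == "HKCU"
              and exe_path(run["cmd"]).parent == SYSTEM_DIR):
            findings.append((line, "per-user Run entry starts a program from system32"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")
```

A flagged line is a lead for further checking (for example a VirusTotal upload of the file), not proof of infection.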

what should i do…? sorry newbie :slight_smile:

Frank gave a link which incorporates a HiJackThis tutorial, you should find it very helpful.

i already fix scan this
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
and
O4 - HKCU..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe

but the virus is still in my C: because when i open it

and when avast detect the virus again the

O4 - HKCU..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe

appears again in the hijack this log


Hi Obeshi -

Are you saying that you did run HJT a second time, checkmark the little boxes to the left of these 2 entries …

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O4 - HKCU..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe

and then click on FIX at the bottom?

I am asking to be sure we are all clear on what has been done.


yup

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

is gone but

O4 - HKCU..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe keeps coming back when avast detects the virus again

i did check the 2 entries check box and click fixed checked

virus only appears when i open my local disk C:

Download MBAM, then install it, then update its definitions, then run a Quick scan:
http://www.malwarebytes.org/mbam.php

A reboot may be necessary to remove locked items.