win32:Oliga [Trj] Hides folders?

Dear all,

My Cruzer USB flash disc seems to be infected with this virus: win32:Oliga [trj]

http://img528.imageshack.us/img528/9053/oliga.jpg

I tried to google the filename, but I only found one Ukrainian site… not much info though.

This trojan acts quite strangely. It seems to hide some files/folders. My flash disc (still) has a capacity of 2 GB, of which 1.64 GB is used (by some docs; this is correct). However, if I select all visible files on my flash disc, this is only 300 MB (hidden files switched on). Apparently there are some MBs missing, which makes sense because I also lost one folder with important documents.

Now, is there a solution to delete this trojan and/or to restore the files? Because according to "My Computer" they are still there, but not visible on the disc itself.

Background info: I got the virus when I was in an internet cafe in Tanzania last year…
On my computer I use Windows XP SP3.

Thanks in advance,

Niels


Welcome to the forums, nielsr. :slight_smile:

Please try the advice given by Polonus at the forum link below.

http://forum.avast.com/index.php?topic=40407.0


Hi you folks,

@Charleyo thanks for linking the victim to a posting with a cleansing proposal for this malware.

@nielsr
Please follow the link CharleyO gave you and additionally use this tool to cleanse your pendrive or USB stick:
Please download Flash_Disinfector.exe by sUBs and save it to your desktop from here: http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it, to keep autorun.inf from executing if it is present.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive that is plugged in when you run it. Don't delete this folder… it will help protect your drives from future infection.

polonus
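Why the empty autorun.inf folder that Flash_Disinfector leaves behind protects a drive, as an added example in Python (this is not the tool's own code and not from the thread): a directory named autorun.inf occupies the path the worm wants to write its autorun.inf file to, so the write fails. It assumes the drive root is a writable directory (the self-test uses a temporary one); the `attrib +s +h +r` step is the real Windows command and is only run on Windows.

```python
"""The autorun.inf-folder vaccine, re-created in Python.

Added example: this is not Flash_Disinfector's code or anything from the
thread. It assumes `drive_root` is a writable directory (the self-test
uses a temporary one) and that the worm drops a *file* called autorun.inf.
"""
import os
import subprocess
import tempfile

VACCINE_NAME = "autorun.inf"


def vaccinate(drive_root: str) -> str:
    """Create a directory named autorun.inf in drive_root and return its path.

    On Windows the directory is also marked system+hidden+read-only with the
    real `attrib` command, so Explorer hides it and a plain `del` cannot
    remove it; elsewhere only the directory is created.
    """
    path = os.path.join(drive_root, VACCINE_NAME)
    if os.path.isfile(path):
        # A file of that name is exactly what the worm drops: refuse to
        # overwrite it silently so the operator can inspect it first.
        raise FileExistsError(f"{path} is a file; inspect and remove it before vaccinating")
    os.makedirs(path, exist_ok=True)
    # A file inside the directory makes `rmdir` fail as well.
    with open(os.path.join(path, "readme.txt"), "w", encoding="ascii") as fh:
        fh.write("Placeholder directory that blocks creation of autorun.inf.\n")
    if os.name == "nt":
        subprocess.run(["attrib", "+s", "+h", "+r", path], check=False)
    return path


def is_vaccinated(drive_root: str) -> bool:
    """True when autorun.inf exists on the drive root and is a directory."""
    return os.path.isdir(os.path.join(drive_root, VACCINE_NAME))


def worm_can_drop_autorun(drive_root: str) -> bool:
    """Simulate the worm writing its autorun.inf; True if the write succeeds.

    The content mirrors the autorun.inf quoted later in the thread.
    """
    target = os.path.join(drive_root, VACCINE_NAME)
    try:
        with open(target, "w", encoding="ascii") as fh:
            fh.write("[autorun]\nopen=lky.exe\n")
    except OSError:
        # IsADirectoryError on POSIX, PermissionError on Windows: the
        # directory occupies the path, so the worm's write fails.
        return False
    return True


def demo() -> tuple:
    """Return (drop succeeded before vaccination, drop succeeded after, vaccinated)."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    before = worm_can_drop_autorun(root)          # fresh drive: True
    os.remove(os.path.join(root, VACCINE_NAME))   # undo the simulated drop
    vaccinate(root)
    after = worm_can_drop_autorun(root)           # vaccinated drive: False
    return before, after, is_vaccinated(root)


if __name__ == "__main__":
    print(demo())
```

On a real stick the only difference is the drive root (`vaccinate("E:\\")` on Windows). Do not run it on a stick that still carries the worm's autorun.inf file; that is why the function refuses when a file of that name is already present, so the file gets looked at first rather than quietly replaced.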

Thanks for your replies!

I followed the first steps in CharleyO's post, doing the MBAM scan (2 pieces of malware, cleaned, and after reboot nothing was found anymore). I also made a HijackThis logfile (see attached). I was not sure whether the other part of that topic (System Restore) would also help me, so I didn't do that.

I also used Flash Disinfector several times as you described. After it said "done", I rebooted my computer, but still nothing had changed on my flash disc. And Avast still detects that trojan, and my "hidden" folders are still invisible.

Is there any possibility that I can retrieve my files?

Thanks again!

Hello nielsr,

I have looked at your HJT logfile and no active software firewall was found. Are you running the Windows firewall?
You can check the following entries and fix them if needed.
The entry O2 BHO (no name) etc.
Upload the Carbon Poker entry to virustotal.com to see whether it is legitimate.
Are the following entries known to you? hunt.rug.nl, 129.125.36.9 and 129.125.14.3; otherwise check and fix.
Also check B.service.exe at virustotal.com.
Otherwise I see nothing special; the hidden files may also point to a Sinowal infection, see if you recognise anything here:
http://forums.techguy.org/malware-removal-hijackthis-logs/776184-sinwal-trojan.html
Those would then be random DLL names located in system(32); also run a scan with IceSword, which you can download here: http://majorgeeks.com/downloadget.php?id=5199&file=15&evp=0d36c3ec48c6373fd5daac78f0c6a417

Here is an overview of your active system tasks (process | type | description):

smss.exe | System task | Session Manager Subsystem
winlogon.exe | System task | Microsoft Windows Logon Process
services.exe | System task | Windows Service Controller
lsass.exe | System task | Local Security Authority Service
svchost.exe (3 instances) | System task | Microsoft Service Host Process
aswUpdSv.exe | Virus scanner | Avast Anti-Virus Component
ashServ.exe | Virus scanner | Avast
spoolsv.exe | System task | Microsoft Printer Spooler Service
ATKKBService.exe | Driver | ASUS Keyboard Service
CTsvcCDA.exe | Background task | Creative CD-ROM Services
jqs.exe | Background task | jqs.exe
NBService.exe (2 instances) | Background task | Nero BackItUp
nvsvc32.exe | Application | NVIDIA Driver Helper Service
PnkBstrA.exe | Punkbuster | Check this task at virustotal.com; in my opinion OK
SnoopFreeSvc.exe | Unknown task | "There is no file information. The program is not visible. The file is an unknown file in the Windows folder. SnoopFreeSvc.exe is not a Windows system file. Therefore the technical security rating is 70% dangerous, however also read the users reviews." So check it at virustotal.com.
svchost.exe | System task | Microsoft Service Host Process; scan this one too, something can hitch a ride here
SearchIndexer.exe | System task | Search Indexer
RUNDLL32.EXE | System task | Microsoft Rundll32
GamerOSD.exe | - | C:\PROGRAM FILES\ASUS\GAMEROSD\GAMEROSD.EXE is not malware. Safe! ASUS GamerOSD, ASUSTeK Computer Inc., ASUS GamerOSD 1, 0, 0, 1
RTHDCPL.EXE | Driver | Realtek HD Audio Sound Effect Manager
HPWuSchd2.exe | Background task | Hewlett Packard Software Update Scheduler
SnoopFreeUI.exe | Unknown task | http://www.file.net/process/snoopfreeui.exe.html ; upload this executable to virustotal.com
ashDisp.exe | Virus scanner | Avast AntiVirus
gnotify.exe | Background task | GMail Notifier
rundll32.exe | System task | Microsoft Rundll32
Mouse32a.exe | Background task | Mouse driver program, came with the installation of the mouse
jusched.exe | Background task | Sun Java Update Scheduler
ctfmon.exe | System task | Alternative User Input Services
MsnMsgr.Exe | Application | MSN Messenger
MsnMsgr.Exe | Background task | MsnMsgr.Exe
TeaTimer.exe | Application | Spybot S&D Realtime Scanner
ashMaiSv.exe | Virus scanner | Avast Anti-Virus Component
msmsgs.exe | Application | MSN Messenger
GoogleUpdate.exe | Background task | GoogleUpdate.exe
GoogleUpdate.exe | Background task | Google Updater
ashWebSv.exe | Virus scanner | avast! Web Scanner
hpqtra08.exe | Background task | Hewlett Packard Imaging
LaunchU3.exe | Background task | U3 Smart drive Software
Launchy.exe | Background task | TODO
hpqSTE08.exe | Driver | HP Imaging
wlcomm.exe | Background task | wlcomm.exe
chrome.exe (8 instances) | Application | Chrome Browser
googletalkplugin.exe | Background task | Google Talk
chrome.exe | Application | Chrome Browser
LaunchPad.exe | Background task | File LaunchPad.exe is located in a subfolder of “C:\Program Files”. Known file sizes on Windows XP are 49,152 bytes (60% of all occurrence), 36,864 bytes, 2,392,064 bytes, 2,158,671 bytes, 4,603,904 bytes, 2,162,688 bytes, 2,314,240 bytes, 1,960,464 bytes. The program has a visible window. Program has no file description. File LaunchPad.exe is not a Windows core file. Therefore the technical security rating is 38% dangerous. Launches from the USB pendrive, so check it and scan it at virustotal.
explorer.exe | System task | Microsoft Windows Explorer
HijackThis.exe | Application | Hijackthis 2.02

So, you have some homework now; I look forward to your virustotal results. If there are 0 results among them, that is not interesting; otherwise pass on the malware names, should anything be found.

polonus

Hey Polonus,

Thanks for your reply!

Most entries you mentioned are not dangerous.
I scanned some of the files you asked about with VirusTotal, but none of them gave a result (0/40 e.g.), so not interesting I guess.
Windows Firewall is up and running, I saw.

IceSword didn't give any clues either.

However, I performed some other scans which I found in other topics:

SDFix (attached)

Online Kaspersky report, which found 2 infected items (attached). The strangest thing is that while I was selecting the folders to scan (i.e. I:, my flash disc), I actually saw my hidden folders with documents on the flash disc in the browse tree. Isn't that strange? However, I cannot explore these folders in My Computer…

Kaspersky results:

I:\0gjn3yw.exe Infected: Trojan.Win32.Vaklik.bop
I:\lky.exe Infected: Trojan-Downloader.Win32.Zlob.aceg

After this I got the option to search Kaspersky Database but it didn’t recognize these trojans (here and here)

Any more ideas? Thanks again!

Hi nielsr,

Given the executables found, read this:
http://www.prevx.com/filenames/X1463245723997338634-X1/CKVO.EXE.html

Trojan created as: %System%\ckvo.exe
c:\0gjn3yw.exe
For lky.exe:
LKY.EXE description: The filename LKY.EXE was last seen on 12.4.2008, and it is considered unsafe.
Threat name: Win32.X
Filename: %%root%%\lky.exe
Filesize: Unknown
Last seen: 12.4.2008
Status: Known to av as unsafe.
This file can perform the following behavior:

  • File is created as a process on the disk.
  • This process can create, delete or modify files on the disk.

LKY.EXE removal instructions

  1. Temporarily disable System Restore, reboot the computer in Safe Mode;

  2. Locate the LKY.EXE virus files and uninstall the LKY.EXE files program.
    Follow the step-by-step screen instructions to complete uninstallation of LKY.EXE.

  3. Delete/modify any values added to the registry related to LKY.EXE,
    exit the registry editor and restart the computer;

  4. Clean/delete all LKY.EXE-infected file(s): LKY.EXE and related,
    or rename the LKY.EXE virus files;

  5. Please delete all your IE temp files with LKY.EXE manually, run a whole scan with avast av.

Another procedure below:

PROCEDURE:

  1. While the computer is still off;
  2. Plug in the USB drive.
  3. Insert the Windows XP CD-ROM into the CD-ROM drive. It must be the bootable Windows XP installer.
  4. Start the computer from the CD-ROM drive. It will start the Windows Setup screen.
  5. When the "Welcome to Setup" prompt appears, press "R" to start the Recovery Console.
  6. If asked "Which Windows installation would you like to log on to", select the number. Type "1" then Enter if only one installation of Windows is present.
  7. Enter the administrator password, press Enter.
  8. It will bring you to the command prompt, C:\Windows>
  9. Proceed with the following commands:
  • Type d: (this is the drive letter of the USB stick; it can be e: or f: depending on how many hard disks or CD drives are installed)
  • Type attrib -h -r -s autorun.inf
  • Type "edit autorun.inf"; it will open the DOS Editor and display contents as follows
    ==========================
    [autorun]
    open=lky.exe
    shell\Open\Command=lky.exe
    shell\open\Default=1
    shell\Explore\Command=lky.exe
    shell\Autoplay\command=lky.exe
    ==========================
    Take note of the file that it is called to open (in your specific example it is lky.exe)
  10. Exit the DOS Editor and return to the command prompt, D:>
  11. Delete the file that was called to open in the DOS Editor
  • Type del /f /a lky.exe
  12. Delete the autorun.inf file
  • Type del /f /a autorun.inf
  13. Exit the Recovery Console by typing exit.

You might need this tool for removal: http://ccollomb.free.fr/unlocker/

polonus
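Before typing `del` in the Recovery Console it helps to know every executable the autorun.inf points at, not only the one in `open=`, since the `shell\...\command` verbs can name a different file. The Python below is an added example, not from the thread or from any tool named in it: it parses an autorun.inf (the sample is constructed from the one quoted above), lists the executables the shell verbs would launch, and recognises entries carrying both the hidden and system attributes, which Explorer omits even with "show hidden files" on. That the lost folders were marked hidden+system is an assumption; the thread does not confirm it.

```python
"""Read an autorun.inf and find what it would launch; spot hidden+system
entries on the stick.

Added example, not from the thread. SAMPLE_AUTORUN is constructed from the
autorun.inf polonus quotes. Treating the missing folders as hidden+system
is an assumption the thread does not confirm.
"""
import os
import shlex
import stat
from typing import Dict, List, Set

SAMPLE_AUTORUN = """\
[autorun]
open=lky.exe
shell\\Open\\Command=lky.exe
shell\\open\\Default=1
shell\\Explore\\Command=lky.exe
shell\\Autoplay\\command=lky.exe
"""

# Explorer hides entries with both bits set unless "Hide protected operating
# system files" is switched off, in addition to "Show hidden files".
SUPER_HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs of the [autorun] section with keys lower-cased.

    Hand-written instead of configparser: keys contain backslashes, their
    case varies, and a worm-written file may omit the section header, which
    is tolerated by defaulting to [autorun].
    """
    entries: Dict[str, str] = {}
    section = "autorun"
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launched_executables(text: str) -> Set[str]:
    """Executables the shell would run from this autorun.inf.

    Covers open=, shellexecute= and every shell\\<verb>\\command= entry;
    surrounding quotes and trailing arguments are dropped.
    """
    exes: Set[str] = set()
    for key, value in parse_autorun(text).items():
        if key in ("open", "shellexecute") or key.endswith("\\command"):
            tokens = shlex.split(value, posix=False)  # keep Windows backslashes
            if tokens:
                exes.add(tokens[0].strip('"').lower())
    return exes


def is_super_hidden(attributes: int) -> bool:
    """True when both FILE_ATTRIBUTE_HIDDEN (0x2) and _SYSTEM (0x4) are set."""
    return attributes & SUPER_HIDDEN == SUPER_HIDDEN


def find_super_hidden(root: str) -> List[str]:
    """Names directly under `root` that are hidden+system.

    Windows only in practice: st_file_attributes exists only there, so on
    other platforms the attribute defaults to 0 and nothing is reported.
    """
    found: List[str] = []
    for entry in os.scandir(root):
        attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
        if is_super_hidden(attrs):
            found.append(entry.name)
    return sorted(found)


if __name__ == "__main__":
    print("launched:", sorted(launched_executables(SAMPLE_AUTORUN)))
    print("hidden+system entries in cwd:", find_super_hidden("."))
```

Run it against the stick from a clean machine with autorun disabled (`find_super_hidden("E:\\")` on Windows); anything it reports that should be a document folder can then be restored with `attrib -s -h` on that name, which is the same attribute change the Recovery Console steps apply to autorun.inf itself.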