Win32:Vanti-BK [Rtk]

Hi! I’m new to this… and after using a friend’s pen drive here in commonly unprotected territory (I’m living in Argentina) I began to get this message and alarm every time I turn my computer on:

File name: C:\WINDOWS\system32\drivers\vga.sys

malware name: Win32:Vanti-BK [Rtk]

type: Rootkit

VPS version> 080526-0, 05/26/2008

  1. So I put it in the “chest”, but the message still comes back - what does that mean? And what is this virus doing to my poor little computer while I try to figure out what to do to IT?

  2. Is it safe to try to delete it or do I need this file?

  3. Does anyone know a way to FIX this?

thanks!!
???

False positive, I think.

http://forum.avast.com/index.php?topic=35692.0

Hi Sonichko,

To be sure, and it won’t hurt your system,
use this online scanner: http://www.virusalert.nl/?show=link&id=symsec
Also use this with option 2: http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Provide us with a hjt log as an attached txt file, download hjt 2.02 from here: http://download.bleepingcomputer.com/hijackthis/HiJackThis.exe

polonus

Thanks FreewheelinFrank and Polonus,

I uploaded the file to VirusTotal and it found nothing, so the idea that it is a false positive is sounding pretty good.

To be sure, I tried to go to your first link, Polonus, but I got an Internal Server Error message. I tried the second one but it opened on my computer as a series of icons with difficult names, and I wasn’t sure how to proceed. sorry, I am not very experienced with these, is there another way or can you help me to understand which of the icons to open?

thanks so much!

Hi Sonichko,

Just do the following: download this and do a scan; it is a very good non-resident scanner:
DrWebCureIt: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

Report the results here,

polonus

VERY INTERESTING.

Now I’m showing up with a modification of Win32.Besso (apparently a trojan) in kavo.exe and yp.bat - SO FAR. So I have to do a complete scan instead of the “express”. So this will take a while… Thanks, that is an excellent tool. - I’m sure that they would have shown up in the other too, but I had scanned only the file avast told me was infected.

Hi Sonichko,

  1. COVERT ANALYSIS OF: KAVO.EXE

    • File Names Used: 7
    • Paths Used: 5
    • Common File Name: KAVO.EXE
    • Common Path: %TEMP%\
    • Vendor Information: No Vendor details specified
    • KAVO.EXE may use 7 or more path and file names; these are the most common:
    • 1: %CACHE%\CONTENT.IE5????\AA[1].EXE
    • 2: %CACHE%\CONTENT.IE5????\HELP[1].EXE
    • 3: %CACHE%\CONTENT.IE5????\LL[1].EXE
    • 4: %WINDIR%\AF.EXE
    • 5: %WINDIR%\SYSTEM32\KAVO.EXE
    • File Name Structure: Normal
    • File and Path Structure: Suspicious, code execution from unusual location
  2. RELATIONSHIP ANALYSIS OF: KAVO.EXE

    • Malicious Objects Created: 2 objects
    • Malicious Creators: 1
    • Malware Run Keys: None
    • Self Persists:
    • Antivirus Detection: No third party antivirus detection observed
    • Anti-Spyware Detection: No third party anti-spyware detection observed
  3. ACTIVITY ANALYSIS OF: KAVO.EXE

    • The following behaviors have been observed for this object:
    • Installs programs.
    • Deletes programs.
    • Creates Run Keys.
    • Runs other programs.
    • Hijacks running processes.
    • Creates known malware.
    • Creates copies of itself.
  4. PROPAGATION ANALYSIS OF: KAVO.EXE

    • Malware Group Propagation Rate: Moderate (spreading)
    • Malware Group: Covert Sys Exec

polonus

wow - sounds serious.

Sorry I lost my internet signal last night and am now continuing. I was able to complete the scan using the Dr. Web site. Here are the results:

kavo.exe;c:\windows\system32;Modification of Win32.Besso;Moved.;
yp.bat;c:;Modification of Win32.Besso;Moved.;
m.exe;C:;Modification of Win32.Besso;Moved.;
zz[1].exe;C:\Documents and Settings\Lisa Barnard\Local Settings\Temporary Internet Files\Content.IE5\RJEUILPL;Modification of Win32.Besso;Moved.;
A0058086.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058110.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058112.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058133.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058135.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058151.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058164.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058166.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058169.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0058189.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0058191.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059189.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059192.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059210.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059216.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;

So the good news is that I no longer get the alarm from Avast about the original problem - the WIN32: Vanti-BK thing.

Now I am just wondering:

  1. If Dr. Web moved all of it - am I good to go?

  2. Do I need to do something else to actually get rid of it?

  3. Were these two viruses really the same thing, or is it probable that I had the Besso trojan (or is Kavo the real name?) for a long time, infecting all my friends as well?

thanks!!
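A small triage of the Dr. Web CureIt result lines posted above, as an added Python example that is not part of the thread: it parses the `file;directory;detection;action;` format, sorts each hit by where it was found (live system directory, drive root, browser cache, or a System Restore snapshot), and lists the follow-ups a helper would ask for. The sample lines, user folder and GUID are constructed to match the shape of the posted results.

```python
import re
from collections import Counter

# Constructed sample in the Dr.Web CureIt result format quoted in the thread,
# <file>;<directory>;<detection>;<action>; (user folder and GUID are placeholders)
SAMPLE_RESULTS = """\
kavo.exe;c:\\windows\\system32;Modification of Win32.Besso;Moved.;
yp.bat;c:;Modification of Win32.Besso;Moved.;
zz[1].exe;C:\\Documents and Settings\\User\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234;Modification of Win32.Besso;Moved.;
A0058086.exe;C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP333;Modification of Win32.Besso;Moved.;
"""

def parse_line(line):
    """Return (file, directory, detection, action), or None for a blank or malformed line."""
    parts = line.rstrip("\r\n").split(";")
    if len(parts) < 4 or not parts[0]:
        return None
    return tuple(p.strip() for p in parts[:4])

def classify_location(directory):
    """Map the directory a detection was found in to a triage category."""
    d = directory.lower()
    if "system volume information" in d:
        return "restore point"      # old copy kept by System Restore
    if "content.ie5" in d:
        return "browser cache"      # a downloaded copy, not running on its own
    if "\\system32" in d or "\\windows" in d:
        return "system directory"   # a live component of the infection
    if re.fullmatch(r"[a-z]:\\?", d):
        return "drive root"         # typical of spread via removable media
    return "other"

def triage(results_text):
    """Count detections per location category, skipping unparseable lines."""
    counts = Counter()
    for line in results_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[classify_location(rec[1])] += 1
    return counts

def follow_up(counts):
    """Defender follow-ups implied by where the detections were found."""
    notes = []
    if counts["restore point"]:
        notes.append("copies sit in System Restore points: purge them so a rollback cannot bring the malware back")
    if counts["drive root"] or counts["system directory"]:
        notes.append("live components were present: rescan after a reboot and scan any removable drives used here")
    return notes
```

Running `follow_up(triage(SAMPLE_RESULTS))` answers the "am I good to go?" question: the scanner moved the files, but the restore-point copies and the removable drive still need attention.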

Provide us with a hjt log as an attached txt file, download hjt 2.02 from here: http://download.bleepingcomputer.com/hijackthis/HiJackThis.exe

pol

Hi Polonus,

here is the Hijack this log…

Hi Sonichko,

Here is the analysis of your logfile:
http://www.hijackthis.de/logfiles/52c29231a588dfd491e5b87a1c9ce6e4.html
Will be there for three consecutive days.

Fix this one, if it is unfamiliar to you:
01 Hosts: 66.6.1228.108 www.bancanet etc. mx

polonus
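A check for the kind of HOSTS entry flagged above, where a hostname (here a bank's) is sent to an address other than the local machine, as an added Python example that is not from the thread. The sample HOSTS file and hostnames are constructed placeholders, not the actual entry from the log.

```python
import ipaddress

# Constructed sample HOSTS file (names are placeholders, not the thread's entry):
# a normal localhost line, an ad-sinkhole line, a bank hostname sent to an
# outside address, and a line with a malformed address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net         # ad-block style entry, harmless
203.0.113.10    www.bank.example www.bank.example.mx
192.0.2.999     www.otherbank.example
"""

def parse_hosts(text):
    """Yield (address, [hostnames]) for every non-comment, non-empty line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]

def suspicious_entries(text):
    """Return (address, hostnames, reason) for entries that send a hostname
    anywhere other than the local machine; a redirected bank or update host
    is the classic sign of a HOSTS hijack."""
    findings = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, names, "malformed address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue    # 127.0.0.1 / ::1 / 0.0.0.0 mappings are normal
        findings.append((addr, names, "redirects to a non-local address"))
    return findings
```

On the machine in question the file lives at %WINDIR%\system32\drivers\etc\hosts; reading it and passing the text to `suspicious_entries` reproduces the HijackThis O1 check.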

Hi Polonus! Thank you!

I fixed that one…

and I went over the list and took everything off that was labeled “safe” or that I am sure I understand, and attached it again here - showing only things that were not clearly labeled as safe or unsafe, and things that were labeled as doubtful or unnecessary…

Could you please tell me if there is anything else that you think I should fix?

Some of them said I ought to check them for trojans - what is the best way to do that? Just run Dr. Web CureIt again?

Thanks for all your help!

Hi Sonichko,

I went over the items you posted thoroughly and they do not pose any danger at least, so you can leave them. You can give this a run: http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.htm

Surf safe, welcome to the forums,

polonus

Yeay!! :)

Thanks so much! Have a good week!

Sonichko (aka Lisa)

Hi again!

well - I finally got around to running the Malware program you mentioned.

And I still had Kavo, which is now (I believe!) deleted.

It wanted me to delete this too but I wasn’t sure…

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) → Bad: (0) Good: (1) → Not selected for removal.

What do you think?

Hi Sonichko,

Leave that item there, at least this removed the last items. This program is used to sort of round up the malware cleansing routine in the aftermath of it,

polonus