Hi! I’m new to this… and after using a friend’s pen drive here in commonly unprotected territory (I’m living in Argentina) I began to get this message and alarm every time I turn my computer on:
File name: C:\WINDOWS\system32\drivers\vga.sys
malware name: Win32:Vanti-BK [Rtk]
type: Rootkit
VPS version> 080526-0, 05/26/2008
So I put it in the “chest”, but the message still comes back - what does that mean? And what is this virus doing to my poor little computer while I try to figure out what to do to IT?
Is it safe to try to delete it or do I need this file?
I uploaded the file to VirusTotal and it found nothing, so the idea that it is a false positive is sounding pretty good.
To be sure, I tried to go to your first link, Polonus, but I got an Internal Server Error message. I tried the second one, but it opened on my computer as a series of icons with difficult names, and I wasn’t sure how to proceed. Sorry, I am not very experienced with these; is there another way, or can you help me to understand which of the icons to open?
Now I’m showing up with a modification of Win32.Besso (apparently a trojan) in kavo.exe and yp.bat - SO FAR. So I have to do a complete scan instead of the “express”. So this will take a while… Thanks, that is an excellent tool. - I’m sure that they would have shown up in the other too, but I had scanned only the file avast told me was infected.
Sorry, I lost my internet signal last night and am now continuing. I was able to complete the scan using the Dr. Web site. Here are the results:
kavo.exe;c:\windows\system32;Modification of Win32.Besso;Moved.;
yp.bat;c:;Modification of Win32.Besso;Moved.;
m.exe;C:;Modification of Win32.Besso;Moved.;
zz[1].exe;C:\Documents and Settings\Lisa Barnard\Local Settings\Temporary Internet Files\Content.IE5\RJEUILPL;Modification of Win32.Besso;Moved.;
A0058086.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058110.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058112.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058133.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058135.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058151.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058164.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058166.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP333;Modification of Win32.Besso;Moved.;
A0058169.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0058189.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0058191.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059189.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059192.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059210.dll;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
A0059216.exe;C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP334;Modification of Win32.Besso;Moved.;
So the good news is that I no longer get the alarm from Avast about the original problem - the WIN32: Vanti-BK thing.
Now I am just wondering:
If Dr. Web moved all of it - am I good to go?
Do I need to do something else to actually get rid of it?
Were these two viruses really the same thing, or is it probable that I had the Besso trojan (or is kavo the real name?) for a long time, infecting all my friends as well?
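The report lines quoted above follow a simple "file;directory;threat;action;" layout, so the questions "was everything moved?" and "how much of it sat in restore points rather than on the live system?" can be answered from the report itself. The script below is an added example written for this thread, not part of any poster's message or of Dr.Web's own tooling; the sample report, the {GUID} placeholder and the "Skipped." action are constructed, and the set of neutralised actions is an assumption beyond the "Moved." string the thread shows.

```python
"""Summarise a Dr.Web CureIt text report (format: file;directory;threat;action;)."""
from collections import Counter

# Assumption: these are the action strings that mean the item was handled.
# Only "Moved." actually appears in the thread's report.
NEUTRALISED = {"Moved.", "Deleted.", "Cured."}
RESTORE_MARKER = "system volume information"   # XP System Restore snapshots

# Constructed sample modelled on the quoted report: one file under system32,
# two files at the drive root, two restore-point snapshots, and one line with
# a made-up "Skipped." action so the pending case is exercised.
SAMPLE_REPORT = """\
kavo.exe;c:\\windows\\system32;Modification of Win32.Besso;Moved.;
yp.bat;c:;Modification of Win32.Besso;Moved.;
A0058086.exe;C:\\System Volume Information\\_restore{GUID}\\RP333;Modification of Win32.Besso;Moved.;
A0058169.exe;C:\\System Volume Information\\_restore{GUID}\\RP334;Modification of Win32.Besso;Moved.;
m.exe;C:;Modification of Win32.Besso;Skipped.;
"""


def parse_report(text):
    """Return one dict per report line; blank, header or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            continue
        name, directory, threat, action = (f.strip() for f in fields)
        records.append({"file": name, "dir": directory,
                        "threat": threat, "action": action})
    return records


def summarize(records):
    """Split detections into still-pending items, restore-point copies and drive-root drops."""
    summary = {"total": len(records),
               "threats": Counter(r["threat"] for r in records),
               "pending": [], "restore_point": [], "drive_root": []}
    for r in records:
        if r["action"] not in NEUTRALISED:
            summary["pending"].append(r["file"])        # still needs attention
        if RESTORE_MARKER in r["dir"].lower():
            summary["restore_point"].append(r["file"])  # snapshot copies, not live files
        elif len(r["dir"].rstrip("\\")) == 2:           # "c:" or "C:" -> drive root
            summary["drive_root"].append(r["file"])     # where removable-media worms drop files
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Restore-point copies are inert until System Restore is used, so a report where only those remain is a reason to purge old restore points rather than a sign of an active infection.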
And I went over the list and took everything off that was labeled “safe” or that I am sure I understand, and attached it again here, showing only things that were not clearly labeled as safe or unsafe, and things that were labeled as doubtful or unnecessary…
Could you please tell me if there is anything else that you think I should fix?
Some of them said I ought to check them for trojans. What is the best way to do that? Just run Dr. Web CureIt again?
Leave that item there, at least this removed the last items. This program is used to sort of round up the malware cleansing routine in the aftermath of it,