I was spending too much valuable time tracking down this malware. I scanned using Kaspersky, Antivir, Spyware Doctor, XoftSpySE, Panda Security ActiveScan and SUPERAntiSpyware, none of which really removed the threat.
The threat was first detected by Antivir. A file called uj4fwefv.dll (or a similarly generated name) was found in %TEMP%. If removed, the file was regenerated.
It also generated an autorun.inf and l63snn8.exe on all local drives.
All the files mentioned have the SHR attributes set.
After 2 days, I decided to go for Sysinternals Process Monitor and monitor the source of the regenerations. It pointed to a C:\WINDOWS\SYSTEM32\ckvo.exe file. The file injects itself into Explorer.exe's Kernel32.dll (as seen in the stack view).
I used the BartPE CD and went on to remove all related files (including the generated files in %TEMP%). Then, just to be sure, I mounted the HKCU registry hive and removed the startup reference in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
After restarting the system, no traces of the stubborn malware remained.
A Google search for ckvo.exe will reveal one post similar to my experience.
Update: You can actually stop ckvo.exe from running by removing its entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. After that, restart the PC and remove all related malware files.
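The two persistence points used above (an HKCU Run entry pointing at an SHR-attributed executable, and autorun.inf dropped on every drive root) can be audited with a short script. This is an added example, not code from the post; it only reports what it finds and assumes it runs in PowerShell on the live system with the same Run key path the post names.

```powershell
# Added example (not from the post): audit HKCU Run entries and drive-root autorun.inf files.
# Report only; nothing is changed or deleted.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$tempDir = $env:TEMP
$shr = [IO.FileAttributes]::System -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly

function Get-CommandPath([string]$cmd) {
    # Reduce a Run value ("C:\x\y.exe" /arg or C:\x\y.exe /arg) to the executable path.
    $exp = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($exp.StartsWith('"')) { return $exp.Split('"')[1] }
    return ($exp -split '\s+')[0]
}

function Test-Shr([string]$path) {
    # True when the file carries System + Hidden + ReadOnly, as the dropped files did.
    if (-not (Test-Path -LiteralPath $path)) { return $false }
    $attr = (Get-Item -LiteralPath $path -Force).Attributes
    return (($attr -band $shr) -eq $shr)
}

Write-Host "== $runKey =="
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PS* properties
        $exe = Get-CommandPath ([string]$p.Value)
        $flags = @()
        if (-not (Test-Path -LiteralPath $exe)) { $flags += 'missing-target' }
        elseif (Test-Shr $exe) { $flags += 'SHR-attributes' }
        if ($tempDir -and $exe -like "$tempDir\*") { $flags += 'runs-from-TEMP' }
        "{0,-24} {1}  {2}" -f $p.Name, $exe, ($flags -join ',')
    }
}

Write-Host "== autorun.inf on fixed drives =="
[IO.DriveInfo]::GetDrives() | Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } | ForEach-Object {
    $inf = Join-Path $_.RootDirectory.FullName 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        # Show which executable the autorun file would launch, and whether it is SHR too.
        $open = Get-Content -LiteralPath $inf -Force | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
        "{0}  SHR={1}  {2}" -f $inf, (Test-Shr $inf), ($open -join ' ; ')
    }
}
```

Entries flagged SHR-attributes or runs-from-TEMP, and any autorun.inf on a fixed drive, are the items to verify (for example with Process Monitor, as above) before removing them.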
Cheers!
Tuesday, June 24, 2008
3 comments:
How about Windows Vista? If I want to kill malware like this, but Windows Vista doesn't have gpedit.msc, how can I delete the malware? Please help.
You wrote this only for Windows XP. How about Windows Vista? I know Windows Vista doesn't have gpedit.msc, so please tell me how to kill malware on Windows Vista. I want to kill malware processes on my PC. Thanks for your help.
gpedit.msc is just a way to create the DisallowRun value. You can create the strings and values directly in the Registry Editor.
A warning, though: registry editing is risky if you don't know what you are doing. So, be warned.
Good luck!