Shocked, nay, horrified: I’m back to Norton

Discussion in 'privacy general' started by Radarnav12, Apr 3, 2005.

Thread Status:
Not open for further replies.
  1. Radarnav12

    Radarnav12 Registered Member

    Joined:
    Apr 3, 2005
    Posts:
    1
    Greetings. If the following is too much off topic, please redirect me to the appropriate forum. First, the reason I arrived here. A user in the organization I work for had installed some unauthorized and unsupported software on his computer, as well as quite a bit of spyware. I uninstalled all the non-supported software, and cleaned up the spyware using Spybot S&D, Ad-Aware, and Microsoft (Giant) AntiSpyware Beta. A subsequent scan with Hijack This revealed a suspect process starting from the registry (WinXP SP2) and listed as O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\i*****.exe (the exact file name I have written down at work, but it's probably not important as it appears to be randomly named). Every time the computer is rebooted, Microsoft AntiSpyware reports this file as being blocked, as well as another file identified as C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rikn.exe. I have seen pretty much this exact same problem reported on another forum without a resolution. The executables were similar but not identical, but the same KavSvc service is mentioned. The first executable runs as a process, and killing the process and deleting the registry entry do no good as they are simply regenerated. Neither file is visible from Windows. In Recovery Console, the first file is visible and can be deleted from the System32 folder. However, the rikn.exe file is inaccessible. The parent folders have all been assigned the Read Only attribute, and attempts to change this from the Recovery Console are denied access.

    Now, I said all that to ask you this. The only references I find to KavSvc all point to Kaspersky AV. But this resembles a technique used by VX2 to hide and regenerate itself. So which do you think it is, a VX2 infestation or leftover files from Kaspersky? Since I really didn't pay much attention to the actual program names I was uninstalling, I can't say for sure that KAV was actually on the machine, and a scan with ADS Spy found no ADSs running. I have run mwav and Killbot with no success. My next step is to try Ultimate Boot CD to try and get to the rikn.exe file and delete it. The last time I dealt with VX2, all the bad files were in the System32 folder, so this is a little different, and believe me, if this is actually a KAV leftover, I would stay miles away from Kaspersky! I would be grateful for any input you might have.
     
  2. Mephisto

    Mephisto Guest

    Re: Shocked, nay, horrified: I’m back to Norton

    During my KAV experience (about a year and a half) I had no trouble with KAV Personal and all the problems in the world with KAV Pro. I have no idea why it happened that way - but I had decided to trial the Pro version so I uninstalled my ready-to-expire Personal version, and not only did Pro not work properly, I could not get rid of it.

    To make a long story shorter, I eventually reformatted and was so freaked out by KAV I didn't even re-install the Personal version - I run NOD 32 now.

    If the user had KAV installed you should see a lot of Alternate Data Streams, as KAV tags a bunch of files (KAVICHS). If you have no ADS and the user is not knowledgeable enough to have removed them, then I would lean towards this being a malicious program.

    Some programs find ADS better than others and some I found simply don't seem to work at all - I am not familiar with the one you used and would suggest downloading a trial of TDS 3 and setting in the options to search for ADS.
     
  3. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I use Kaspersky and the only reference to kavsvc.exe (notice that it's not kavSvc.exe) is this one (using HiJackThis):"O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe".

    I think you have uninvited guests.... :)
     
  4. markayia

    markayia Guest

    I have a process named KavSvc that shows up in Spybot Search and Destroy startups... my problem with this is the fact that I have never installed this antivirus program that you guys are saying it is for... it runs a program named rrvapv.exe that my virus scan says is an adware named ADW_QOOLAID.B
    My problem is in safe mode logged in as admin I still cannot get rid of the damn thing. If someone could help me it would be appreciated... oh yes, without safe mode the file that is located in the system32 folder doesn't even show up.


    sooooooooo
    confused
     
  5. markayia

    markayia Guest

    I suppose I should add that my antivirus software is and always has been PC-cillin from Trend Micro and I just upgraded it to the 2005 version
     
  6. dog

    dog Guest

    Hi markayia, ;)

    Welcome to Wilders'

    Your best bet would be to post a HiJack This log @ CastleCops or @ Gladiators be sure to read the forum rules regarding HJT Log postings. ;)

    They will assist/guide you with removal of the infection. ;) Wilders' no longer provides HJT analysis as per This Note, but you will find the help you need at either of these sites. ;)

    I hope that helps, and keep us posted. ;)

    Steve
     
  7. CabinMan

    CabinMan Guest

    I am having a similar problem with a process called KavSvc C:\winnt\system32\nzapzp.exe.

    Like you I have never installed the KAV AV and this process is tough to remove. Hijack This and manual registry edits have been unable to remove this process as it keeps repopulating the registry. I have spent about 8 hours cleaning up a friend's PC and this is the last thing to remove.

    Don't confuse this with the KAV AV. This is a serious baddie.
     
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Re: Shocked, nay, horrified: I’m back to Norton

    Yes it is, and that is why, if you follow dog's instructions, they can help you there, so one does not end up having to do more work like this poor guy.

    http://www.experts-exchange.com/Security/Win_Security/Q_21384247.html

    BTW..this is another one coming out of the same group trying to trash your PC :mad:

    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\ikrmvr.exe


    so the exe file name thing will not help you solve the problem.
     
    Last edited: Apr 30, 2005
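The thread's practical takeaway is that the name "KavSvc" alone proves nothing: Kaspersky's own component shows up in a HijackThis log as an O23 service entry pointing at kavsvc.exe under its Program Files directory, while the reported infection shows up as an O4 Run value named KavSvc that launches a differently, randomly named executable from system32 or the Windows root. The following Python script is an added example, not code from any participant in this thread: it parses HijackThis-style O4 and O23 lines and applies exactly that distinction. The sample log lines are constructed from the entries quoted in the thread (plus one made-up benign [ExampleApp] entry), and the "likely-legitimate" verdict is a path-based heuristic only; a real triage would also check the file's digital signature or hash.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the HijackThis lines quoted in this thread.
# The [ExampleApp] line is a made-up benign Run entry used as a control.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\nzapzp.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\ikrmvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rrvapv.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# O4 lines: "O4 - <registry key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
# O23 lines: "O23 - Service: <service name> - <vendor> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    kind: str                   # "O4" (Run value) or "O23" (service)
    name: str                   # Run value name or service name as HJT prints it
    path: str                   # executable path / command line
    vendor: Optional[str] = None  # only present for O23 lines


def parse_hjt(log: str) -> List[Entry]:
    """Extract O4 and O23 entries from HijackThis-style text; other lines are ignored."""
    entries: List[Entry] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m["name"], m["path"]))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(Entry("O23", m["name"], m["path"], m["vendor"]))
    return entries


def classify_kavsvc(entry: Entry) -> Optional[str]:
    """Verdict for entries that carry the name KavSvc; None for everything else."""
    if entry.name.lower() != "kavsvc":
        return None
    filename = entry.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    in_kaspersky_dir = "\\kaspersky lab\\" in entry.path.lower()
    if entry.kind == "O23" and filename == "kavsvc.exe" and in_kaspersky_dir:
        # Matches the shape of a genuine install: a service (not a Run value)
        # whose binary is kavsvc.exe inside the product's own directory.
        # Heuristic only: confirm with the file's signature or a known hash.
        return "likely-legitimate"
    # A Run value borrowing the KavSvc name to start some other executable
    # (random name, system32 or Windows root) is the pattern reported here.
    return "suspicious"


def triage(log: str) -> List[tuple]:
    """Return (kind, path, verdict) for every KavSvc-named entry in the log."""
    findings = []
    for entry in parse_hjt(log):
        verdict = classify_kavsvc(entry)
        if verdict is not None:
            findings.append((entry.kind, entry.path, verdict))
    return findings


if __name__ == "__main__":
    for kind, path, verdict in triage(SAMPLE_HJT_LOG):
        print(f"{verdict:18} {kind:4} {path}")
```

Run against the sample, the three O4 Run entries come back "suspicious" and only the O23 service line comes back "likely-legitimate"; the benign [ExampleApp] entry is not reported at all. Because the malicious executable name differs on every machine reported in this thread, the classifier keys on where and how the entry loads rather than on the file name, which is the point Primrose makes above.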
  9. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    If it is VX2, try this Add-On for Ad-Aware. VX2 Cleaner
     