Sunday, October 26, 2008

REMOVING A MALICIOUS EXE. {My Search and Destroy against kavo.exe.}

File extensions are the characters after the last period in a file name and identify the type of data the file holds: .gif, .jpg and .bmp, for example, belong to image files. A legitimate .exe is an executable file containing program code that helps run your computer; an infected one lets the parasites bundled with it operate invisibly in the background until the malicious file is removed.
That's what usually happens: I leave my computer unattended, then along comes someone who wants to copy or save a file and, without thinking, inserts a virus-infected USB device into my computer without an AV scan... and voilà, a malicious .exe has found a new habitat in my computer. I know at that point I'm dealing with a "nobody tells" situation, so I have to deal with that malicious .exe directly, firsthand.
Now various anti-virus and anti-rootkit scans reveal vague malicious autorun.ini or autorun.inf files which reappear every time after deletion. I then checked my Task Manager and various autoruns monitors, but the system appeared normal, and this .exe either hid itself pretty well or was already masquerading as a legitimate file. Unexpectedly, the autorun monitor of my Revo Uninstaller revealed a kavo.exe in my Windows folder. Online research reveals that kavo.exe is used by PWSteal.Lineage, a trojan that steals Lineage game passwords.

Opting for manual removal, I first ended/blocked its process with Revo's autorun monitor, then rebooted my computer into Safe Mode, but with the System Restore setting Off to prevent the malicious file from creating backups. A word of caution: be careful when deleting or blocking processes with an autoruns monitor, or you may be targeting a legitimate file as well. Then I proceeded to the Windows folder and deleted the kavo.exe and, to play it safe, the newly saved Word files and images from the infected USB device; sorry to the owner. I then rebooted to Normal Mode, updated my AVG 7.5 Free Edition and ran a scan again. The results detected the TrojanPSW, the autorun .ini and .inf files, and finally a kavo.exe that had found its way into the System Volume. After wiping off all the malicious files and cleaning my registry, I rebooted my computer to Normal Mode and then turned System Restore back On.

For an added security measure I installed MyUSBOnly, thereby locking all device ports on my computer and setting the device whitelist to empty, just a precaution because I sometimes leave my own devices lying around.
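A triage script along the lines of the manual hunt above, added here as an example and not part of the original post: it lists the Run/RunOnce registry entries and any autorun.inf on mounted drives, and flags entries whose executable is missing, not Authenticode-signed, or named like the file found here. The registry paths are the standard Windows ones; the $watchNames list, the function names and the output layout are this example's own assumptions.

```powershell
# Added example (not from the original post): inventory common autorun
# persistence points and removable-drive autorun.inf files, then report
# whether each referenced executable carries a valid Authenticode signature.
# Run from an elevated PowerShell prompt on the machine being checked.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# File name taken from the post; extend the list as needed. A name match is
# weak evidence on its own (malware renames itself), so the signature status
# of every entry is checked as well.
$watchNames = @('kavo.exe')

function Get-ExePathFromCommand {
    param([string]$Command)
    # Strip surrounding quotes and trailing arguments to recover the executable path.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-AutorunEntries {
    $findings = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            $exe = Get-ExePathFromCommand ([string]$p.Value)
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }
            $nameHit = $watchNames -contains (Split-Path $exe -Leaf).ToLower()
            $findings += [pscustomobject]@{
                Source     = $key
                Name       = $p.Name
                Path       = $exe
                Signature  = $sig
                Suspicious = ($sig -ne 'Valid') -or $nameHit
            }
        }
    }
    return $findings
}

function Test-DriveAutorunInf {
    $findings = @()
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (Test-Path $inf) {
            # An autorun.inf at a drive root is the USB-borne vector the post describes;
            # the open= / shellexecute= lines show what it would launch.
            $content  = Get-Content $inf -ErrorAction SilentlyContinue
            $launches = $content | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
            $findings += [pscustomobject]@{
                Drive    = $drive.Root
                File     = $inf
                Launches = ($launches -join '; ')
            }
        }
    }
    return $findings
}

"Run-key entries that are unsigned, missing, or on the watch list:"
Test-AutorunEntries | Where-Object { $_.Suspicious } | Format-Table -AutoSize

"autorun.inf files found at drive roots:"
Test-DriveAutorunInf | Format-Table -AutoSize
```

An unsigned entry is a lead, not a verdict: plenty of legitimate older programs ship unsigned, which is exactly the "you may be targeting a legitimate file" caution above, so cross-check each flagged path against an updated scanner before ending its process or deleting it. The script only reads the registry and the file system and changes nothing.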
Kavo.exe is rated a moderate- to low-danger trojan on various sites. With the newer and more dangerous trojans and spyware, dealing with them will not be such a simple story, and fighting them with updated security suites and tools always helps. And last but not least, as Sun Tzu said, "Know your enemy": read all you can, and stay informed and up to date on new virus definition updates from various sites.

