AVkiller.exe

I restarted my computer after removing a virus, and nothing showed up except my background; I couldn't even right click. So I pressed Ctrl-Alt-Del and I noticed a program called AVkiller.exe that resided in my windows\system directory. I ended it and it seemed that my computer was fixed. I scanned my computer, which I had just recently renewed virus definitions for, and it found nothing. I deleted the avkiller.exe program, restarted, and it was running again. Anyone know what this is?

Comments

  • Dexter, Vancouver, BC Canada
    edited April 2004
    Looks like a variant of a known virus. Read:

    http://securityresponse.symantec.com/avcenter/venc/data/avkiller.trojan.html

    Follow the instructions there, you should be able to remove it. Let us know if it won't go away.

    Dexter...
  • edited April 2004
    I did everything the Norton page said, I'll see how everything works out tomorrow when I start my computer up, thanks for the help :smiles:
  • edited April 2004
    I did everything that Symantec said, and still nothing. It still appears, and when I go to look in the directory that it says it's in, I can't find it. Full system scan detected nothing, even after doing LiveUpdate and Intelligent Updater. Any help?
  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited April 2004
    Run HijackThis, and post the log. We'll find it for you :)
  • edited April 2004
    I can see where it is on the HijackThis log, what do I do now?

    Logfile of HijackThis v1.97.7
    Scan saved at 2:00:00 PM, on 4/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\program files\steam\steam.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Disvengeance\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.short-media.com/
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IExplorer_] C:\windows\system\Avkiller.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKLM\..\RunOnce: [00000] C:\windows\system\Avkiller.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited April 2004
    Just click on these three items:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IExplorer_] C:\windows\system\Avkiller.exe
    O4 - HKLM\..\RunOnce: [00000] C:\windows\system\Avkiller.exe
    (The first is unnecessary - just to get rid of crap)

    and then "fix". It should take care of it.
  • edited April 2004
    K, thanks a bunch prime :) It was starting to annoy me
  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited April 2004
    :):thumbsup:
  • Straight_Man, Geeky, in my own way, Naples, FL, Icrontian
    edited April 2004
    One thing, if it comes back, disable System Restore in Me or XP, then kill as per this page, then run HijackThis again with System Restore off or disabled:

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.optixkiller.html#removalinstructions

    Basically, the page Dexter linked to is one form of it, an early form. There are about 16 variants of it that my AV knows about right now.

    XP can recover it from its restore, for some variants of Trojan.Optixkiller aka in other variants that use this trojan and slight variants of it in hybrids, Backdoor.Optix.

    Some variants also need 2000's System Restore turned off for 2000 Pro.

    It CAME BACK, probably, through an automatic system restore.

    NAV by default does not scan archives, and the restore folder has the backups as archives. AND, if NAV is disabled, it will seem to scan but not kill things. So, turn off System Restore first, disable it. THEN kill viruses and trojans, but scan and kill viruses in your restore point archives also. Otherwise, they can apparently self-resurrect themselves. This one used, possibly, Winstart.bat also, so if that file is on your machine, delete it, ok???? That is not a legit name for an XP or ME builtin process when there with the .bat extension.

    John D.
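The fix primesuspect gives above (pick the O4 autostart lines that point at the trojan and let HijackThis remove them) and Straight_Man's point that the thing keeps coming back rest on reading the O4 section of the log by eye. The script below is an added example, not code from the thread or from HijackThis, that parses O4 lines in the same format as the log posted above and flags the ones a responder would look at first: a binary in the legacy `\windows\system` directory instead of `\windows\system32`, a value name such as `IExplorer_` that mimics a browser or system process while launching something else, a placeholder-style numeric RunOnce name such as `00000`, and the same binary registered under more than one autostart key. The sample lines are constructed (the two Avkiller entries copy the thread's log; the rest are ordinary entries), and the heuristics, directory list and lookalike-name list are assumptions of this example, not rules from any product.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in HijackThis "O4" format. The two Avkiller entries are
# copied from the log in the thread; the others are ordinary autostart entries.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IExplorer_] C:\windows\system\Avkiller.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKLM\..\RunOnce: [00000] C:\windows\system\Avkiller.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
QUOTED_CMD = re.compile(r'^"(?P<path>[^"]+)"\s*(?P<args>.*)$')
UNQUOTED_CMD = re.compile(r"^(?P<path>.*?\.(?:exe|com|bat|scr|pif|dll))\b\s*(?P<args>.*)$", re.I)

# Assumed list of names malware borrows to blend in with legitimate processes.
LOOKALIKE_RE = re.compile(r"iexplor|explorer|svchost|winlogon|lsass|csrss|services", re.I)
# Assumed list of directories where a Run entry is unusual on XP: \windows\system is
# the legacy 16-bit directory, real system binaries live in \windows\system32.
UNUSUAL_DIRS = ("\\windows\\system\\", "\\temp\\", "\\documents and settings\\")


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    path: str
    args: str
    raw: str


@dataclass
class Finding:
    entry: O4Entry
    reasons: list


def parse_o4(text):
    """Parse every O4 line into an O4Entry; lines in any other format are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("command").strip()
        cm = QUOTED_CMD.match(cmd) or UNQUOTED_CMD.match(cmd)
        path, args = (cm.group("path"), cm.group("args")) if cm else (cmd, "")
        entries.append(O4Entry(m.group("hive"), m.group("key"), m.group("name"), path, args, line.strip()))
    return entries


def analyze_o4(text):
    """Return a Finding for each entry that trips at least one heuristic."""
    entries = parse_o4(text)
    # Which (hive, key) pairs each binary is registered under; Run + RunOnce for the same
    # file is the redundancy visible in the thread's log.
    keys_by_binary = defaultdict(set)
    for e in entries:
        keys_by_binary[e.path.lower()].add((e.hive, e.key))
    findings = []
    for e in entries:
        reasons = []
        low = e.path.lower()
        if "\\" not in low:
            reasons.append("bare filename, resolved via PATH search")
        if any(d in low for d in UNUSUAL_DIRS):
            reasons.append("binary lives in an unusual directory")
        filename = low.rsplit("\\", 1)[-1]
        if LOOKALIKE_RE.search(e.name) and not LOOKALIKE_RE.search(filename):
            reasons.append("value name mimics a system/browser process but launches a different binary")
        if e.name.isdigit():
            reasons.append("placeholder-style numeric value name")
        if len(keys_by_binary[low]) > 1:
            reasons.append("same binary registered under %d autostart keys" % len(keys_by_binary[low]))
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze_o4(SAMPLE_O4_LINES):
        print(f.entry.raw)
        for r in f.reasons:
            print("   -", r)
```

On the sample the two Avkiller lines come out with three reasons each, and the only other hit is the bare `sstray.exe` entry, which is flagged solely because it relies on a PATH search; that is a prompt to check where the file actually lives, not a verdict. The script reads a log, it does not touch the registry, so it is safe to run against any HijackThis log pasted from a forum; removing entries is still done in HijackThis, as in the thread.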