Win32:Kavos (Kamso) trojan on Sony pc

Post by tdml694 » September 29th, 2009, 11:28 pm

Archive link to previous thread: viewtopic.php?f=12&t=45897

Followed the directions from the last response on the now-archived topic. Removed CA Yahoo! Anti-Spy and also ran the Norton removal tool successfully. Downloaded MGADiag.exe and here is the report log.

Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0

Cached Validation Code: N/A
Windows Product Key: *****-*****-XC4Q9-W7RTD-7Q8G6
Windows Product Key Hash: Py7sqDcPBx6etfYqog5bPl/YZ9E=
Windows Product ID: 55274-OEM-2211906-00826
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.med
ID: {A8AD5648-5833-425E-BF1F-7C3464A2ACA8}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.36.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.18.5
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings:
User Agent:
Default Browser: D:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\oembios.bin[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.dat[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.sig[hr = 0x80070714]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{A8AD5648-5833-425E-BF1F-7C3464A2ACA8}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010100.3.0.med</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-7Q8G6</PKey><PID>55274-OEM-2211906-00826</PID><PIDType>2</PIDType><SID>S-1-5-21-38917306-2780468815-807143145</SID><SYSTEM><Manufacturer>Sony Corporation</Manufacturer><Model>PCV-RZ49(UC)</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>2002 </Version><SMBIOSVersion major="2" minor="3"/><Date>20030919000000.000000+000</Date><SLPBIOS>Sony Corporation,Sony Corporation</SLPBIOS></BIOS><HWID>E1AF3D6F01846072</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Sony Electronics Inc.</name><model>UCV096CEUM</model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.7.18.5"/><File Name="WgaLogon.dll" Version="1.7.18.5"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 172F2:GENUINE C&C INC|1DFC0:Sony Corporation|1DFC0:Sony Corporation ITCNC
Marker string from OEMBIOS.DAT: Sony Corporation,Sony Corporation

OEM Activation 2.0 Data-->
N/A

Downloaded StartupLite per recommendation and then reset SP3 Firewall per directions.

I then opened OTL, copied the lines from the codebox and pasted them in the Custom Scans/Fixes box. I then clicked on the Run Fix button and let the program run. I had to click OK several times to acknowledge that system files could not be deleted. The scan took quite a while to "empty temporary files". The program then rebooted the machine, and when it came back up all the icons on the desktop were gone except IE Explorer, OTL and Recycle Bin. I clicked on the Start Button and rolled the mouse over All Programs, and the only thing that appeared was the Startup Folder. I checked the C & D drives and all the programs appear to be there, but I have nothing in the My Documents folder now and I still can't open the Recycle Bin.

I then downloaded Malwarebytes Anti-Malware to my desktop. When I tried to install and run the software I got the following error message:

Error creating registry key
HKEY_CURRENT_USER/SORTWARE/MALWAREBYTES'ANTI-MALWARE
Reg Create Key Ex failed; code 5
Access is denied.

* I get a similar error message when attempting to re-install my HP All-in-One printer software.

I am posting the OTL log after this.

Re: Win32:Kavos (Kamso) trojan on Sony pc

Post by tdml694 » September 29th, 2009, 11:35 pm

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 26419412 bytes

User: All Users
->Temporary Internet Files folder emptied: 464971800 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 9102871 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 66016 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\NTUSER.DAT scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\NTUSER.dat.LOG scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 1256488 bytes

User: Michelle
->Temp folder emptied: 970781 bytes
->Temporary Internet Files folder emptied: 134692648 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\NTUSER.DAT scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\NTUSER.dat.LOG scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 2873443 bytes

User: TEMP
->Temp folder emptied: 184 bytes
->Temporary Internet Files folder emptied: 3141 bytes

User: Tony
->Temp folder emptied: 93426 bytes
->Temporary Internet Files folder emptied: 441289171 bytes

User: Tony.ADR
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\Tony.ADR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tony.ADR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tony.ADR\Desktop\OTL.exe scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tony.ADR\ntuser.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tony.ADR\ntuser.dat.LOG scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 1328406365 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5c0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 98562098 bytes
RecycleBin emptied: shell32.dll unable to determine bytes removed.

Total Files Cleaned = -1703.51 mb


OTL by OldTimer - Version 3.0.14.0 log created on 09292009_211034

Files\Folders moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\NTUSER.DAT scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\NTUSER.dat.LOG scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\NetworkService\NTUSER.DAT scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\NetworkService\NTUSER.dat.LOG scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Tony.ADR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Tony.ADR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG scheduled to be moved on reboot.
C:\Documents and Settings\Tony.ADR\Desktop\OTL.exe moved successfully.
File move failed. C:\Documents and Settings\Tony.ADR\ntuser.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Tony.ADR\ntuser.dat.LOG scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_5c0.dat moved successfully.

Registry entries deleted on Reboot...

* This did not go as I expected. When the computer booted back up and I saw all the icons gone from the desktop I attempted a system restore and was unable to access that program. HELP !!!!

Re: Win32:Kavos (Kamso) trojan on Sony pc

Post by NonSuch » October 1st, 2009, 1:41 am

We're sorry, but it is necessary to close your topic because you have replied to it prior to receiving a response from a helper.

Due to adding on to your topic with your second post, it is highly unlikely that you would have received a response. Our helpers are looking for topics with zero responses. When you post replies to your own topic, it no longer has zero responses, and so it appears that you have received help when, in fact, you have not.

If you still require help, please open a new thread in the Malware Removal forum and wait for assistance. Please do not run additional programs and/or post additional logs. Just your HijackThis log to start with is adequate. Your helper will ask for additional logs as needed. DO NOT reply to your own topic until you have received a response from a helper. Be patient. There are others who have been waiting longer than you, so do not expect an immediate reply.
