Re: kZObaV.exe
From: Bigbruva (Richardh_at_dontusethis.ws)
Date: 01/30/05
- In reply to: RipperT: "Re: kZObaV.exe"
Date: Sat, 29 Jan 2005 15:30:47 -0800
If the files lead to a running process they are not benign!
These are not Windows System files so the worst case scenario if you remove
them would be an application or device you have installed might not work. I
would suggest booting into Safe mode again and moving these files to a new
location changing the three letter suffix to something like .OLD so they
cannot be executed. I would also recommend getting the latest version of
AdAware and/or Spybot S&D and doing a scan using them in safe mode as your
problem might be more spyware than a virus.
Then reboot and test the system fully (it would really help to see the error
message you mentioned).
If you are sure everything is ok delete the files.
Make sure your firewall, OS, AV, and antispyware applications are all up to
date and working and you should be ok.
Let us know how you get on.
BB
"RipperT" <RipperT@discussions.microsoft.com> wrote in message
news:7A1376B7-5F4D-4CDF-B975-6BF07883523D@microsoft.com...
> In safe mode, Adaware found 44 more objects (mostly cookies), Spybot found
> nothing, an online TrendMicro scan yielded:
>
> TROJ_DLOADER.BE
> TROJ_APROPOS.A
> TROJ_BDI.A
>
> All 3 were deleted by HouseCall. I also downloaded and ran AVG Anti virus
> and it scanned right thru C:\WINDOWS\SYSTEM32\kZObaV.exe and labeled it OK. I
> also found it in the SYSTEM32 folder after changing some view settings in
> folder options. It also shows up in MSCONFIG as well. If I disable it in
> MSCONFIG, then restart, I see a quick error message (something about
> initialization, I can't catch it before it disappears on the restart). After
> restart, lo and behold, there it is again, enabled in MSCONFIG, and two
> instances of it running in the background. C:\WINDOWS\SYSTEM32 shows the
> following two files:
>
> kZObaV.exe
> kZObaV.dll
>
> It seems benign. Should I just try and delete them or would that be
> foolhardy? It sure is a stubborn little B$$trd!
>
> RipperT
>
> "Bigbruva" wrote:
>
>> You are unlikely to find a match to this file name as this looks very much
>> like a random file name generated to help hide the true identity of the
>> malware. Have you tried booting into Safe mode (press F8 during a reboot)
>> and doing the scans from there?
>>
>> If not, try this and see if the scanners are able to remove the malware.
>>
>> Let us know how you get on.
>>
>> BB
>>
>> "RipperT" <RipperT@discussions.microsoft.com> wrote in message
>> news:53ABEBD8-C77A-4F90-BF9F-4BA27D3E0D83@microsoft.com...
>> > Hello all,
>> > I have two instances of a running process called kZObaV.exe. The path,
>> > according to HijackThis, is C:\Windows\System32\kZObaV.exe. I cannot find it
>> > in that folder. Running a search does not find it. I cannot end its process
>> > from task manager. I have updated and run: McAfee Anti-virus, Adaware,
>> > Spybot, CWSShredder, HijackThis and run an online virus scan (TrendMicro's
>> > Housecall). HijackThis is the only program that found it and I attempted to
>> > 'fix' it through HijackThis, but it just won't budge. I have deleted every
>> > instance of it from the registry. It's still there. Googling it returns
>> > nothing so I can't find any info on it. Anybody seen it before or have any
>> > ideas?
>> >
>> > Thanx,
>> >
>> > RipperT