Friday, March 14, 2008

Removing Kavo.exe Virus

Just recently, Yahoo Messenger on my computer started acting strangely. First it disappeared every time I logged in; then, after some time, it displayed an "exception breakpoint error" even before logging in. What's this?

I scanned my system with McAfee; however, no virus or trojan was found, and yet the problem was still there. I uninstalled Yahoo Messenger and installed it again. No success, still the same problem. I hit the net and researched my problem further. I got lots of hits but no real viable solution. However, I found a temporary workaround:
  1. Run Task Manager (CTRL-ALT-DEL)
  2. End explorer.exe process
  3. Then run it again as a new task.
  4. After which, YM! will run successfully.
Well, my Y! Messenger worked, but I didn't feel comfortable repeating that process every time I started my computer and wanted to run YM!, plus the fact that there may be some malicious code or program responsible for the mess.

So I tried researching it further with good ol' Google. You can see the search results from Google when I keyed in "yahoo messenger disappear during login" in the search bar. Browsing through the results, I found out that it was somewhat related to a certain virus (e.g. AMVO.exe). You should find this amvo.exe when you look in your Windows Task Manager. The problem is that there was no AMVO listed in my Task Manager processes. There was, however, one suspicious-looking program: Kavo.

So back to Google, this time searching for Kavo. Whoa! This time I think I finally hit the culprit. Kavo.exe is a trojan or malware!

Here's a little bit of info about Kavo.exe from the Trend Micro virus, trojan and worm encyclopedia:

Arrival and Installation - This worm arrives via removable drives and physical drives. […] Autostart Technique - It creates a registry entry to enable automatic execution at every system startup. […] Propagation Routine - This malware propagates via removable drives and physical drives by dropping a copy of itself as NTDELECT.COM. It also drops its non-malicious component file AUTORUN.INF to automatically execute dropped copies when the said drives are accessed. […]
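The two behaviours in that description, a Run-key autostart entry and an AUTORUN.INF at a drive root that launches a dropped copy named NTDELECT.COM, are exactly what an anti-virus that misses the sample still leaves visible to a manual check. The script below is an added example written for this post; it is not the original author's code and not Trend Micro's. It parses AUTORUN.INF text and Run-key values, flags the file names the post mentions (NTDELECT.COM, kavo.exe) and any autorun entry that launches an executable from a drive root, and only touches the real registry and drive roots when run on Windows. The autorun.inf samples and the Run-key values are constructed for the demonstration; the value name "example_autostart" is hypothetical, and the Run key path is the standard HKLM/HKCU `Software\Microsoft\Windows\CurrentVersion\Run` location.

```python
"""Added example (not from the original post or Trend Micro): a defender-side
check for the autostart and autorun.inf propagation behaviours described above.
Sample data below is constructed; only the indicator file names come from the post."""
import os
import sys

# File names named in the post / Trend Micro description (lower-cased for matching).
SUSPICIOUS_FILES = {"ntdelect.com", "kavo.exe"}
# autorun.inf keys that cause something to be executed when the drive is opened.
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"


def parse_autorun(inf_text):
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    section, entries = None, {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def command_basename(cmd):
    """Executable file name from a command line, handling a quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(None, 1)[0] if cmd else ""
    return os.path.basename(exe.replace("\\", "/")).lower()


def check_autorun_inf(inf_text):
    """Findings for one autorun.inf: known dropper names, or any executable launched from the root."""
    entries = parse_autorun(inf_text)
    findings = []
    for key in AUTORUN_LAUNCH_KEYS:
        if key not in entries:
            continue
        exe = command_basename(entries[key])
        if exe in SUSPICIOUS_FILES:
            findings.append(f"autorun.inf {key}= launches known dropper name {exe}")
        elif exe.endswith((".com", ".exe", ".bat", ".scr", ".pif")):
            findings.append(f"autorun.inf {key}= launches executable {exe} from the drive root")
    return findings


def check_run_entries(run_values):
    """run_values: iterable of (value_name, command) pairs read from a Run key."""
    findings = []
    for name, cmd in run_values:
        exe = command_basename(cmd)
        if exe in SUSPICIOUS_FILES:
            findings.append(f"Run entry '{name}' starts {exe}: {cmd}")
    return findings


def scan_live_system():
    """Windows only: read the real HKLM/HKCU Run keys and every drive-root autorun.inf."""
    import string
    import winreg
    findings = []
    for hive, hive_name in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            key = winreg.OpenKey(hive, RUN_KEY_PATH)
        except OSError:
            continue
        values, i = [], 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values.append((name, str(data)))
            i += 1
        findings += [f"{hive_name}: {f}" for f in check_run_entries(values)]
    for letter in string.ascii_uppercase:
        path = f"{letter}:\\autorun.inf"
        if os.path.exists(path):
            with open(path, errors="replace") as fh:
                findings += [f"{letter}: {f}" for f in check_autorun_inf(fh.read())]
    return findings


# Constructed samples (not captured from a real infection).
SAMPLE_AUTORUN = r"""[AutoRun]
open=ntdelect.com
shell\open\Command=ntdelect.com
shellexecute=ntdelect.com
shell\Auto\command=ntdelect.com
"""
BENIGN_AUTORUN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Disc\n"
SAMPLE_RUN_VALUES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("example_autostart", r"C:\WINDOWS\system32\kavo.exe"),  # hypothetical value name
]

if __name__ == "__main__":
    if sys.platform == "win32":
        for line in scan_live_system():
            print(line)
    else:
        print(check_autorun_inf(SAMPLE_AUTORUN), check_run_entries(SAMPLE_RUN_VALUES))
```

Run it on a Windows box to list what would execute at logon or on opening each drive; on any other system it only demonstrates the checks against the constructed samples. A hit on a drive root is worth more than the file name match alone: the `shell\...\command` entries mean the copy runs even when the user right-clicks "Explore" instead of double-clicking the drive, which is why simply avoiding the double-click is not a mitigation.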


So now it's time to look for a removal procedure to eliminate this, as my anti-virus programs are incapable of detecting and removing it. Luckily, after half an hour of surfing I came across a blog which provided a quick and easy solution to remove this trojan.

To remove Kavo/NTDELECT, go to this link.


Thursday, March 13, 2008

Being Cautious with those Widgets

A few days ago my wife greeted me in the morning with the news that her blog was acting strangely. A friend had commented that her blog was popping up ads with some malicious and adult content. So without having a chance to do my morning routine, I sat down in front of our notebook and immediately noticed that there was indeed something strange about her blog. Logging into her blog, it immediately started popping up unwanted ads. I also noticed that there were some ad links visible on her blog. Checking them out, I noticed that those ads were from Clicksor. The scary thing is that I couldn't remember installing any code on her blog that would correspond to those ads. You see, when it comes to the nitty-gritty HTML code of her blog, my wife normally asks me to do things for her. So since I did not put any code there, I suspected that her account had been hacked and somebody had placed that code there.

So I logged into her account and read through the HTML code of her blog. Yup, you read it right: I analyzed everything line by line. Still, I was not able to see any malicious code that would point me to the culprit.

The next thing I did, on instinct, was to remove each widget that had its own script, one at a time. And lo and behold! When I removed the widget responsible for displaying her PageRank, those ads disappeared!

I did it three times (deleting and re-inserting the widget) to make sure the ads were really associated with that PR widget. Having isolated the problem, I permanently removed it.

Thinking about it, that was a sneaky way for that widget to earn ad bucks from bloggers. The thing is, as far as I remember, that widget had been there ever since my wife's blog was PR3, and it didn't pop up any ads during that time. The ads started popping up when her PR increased to PR4.

I can't remember if it was part of their TOS for using the widget. If it was, then my bad for not understanding it. Still, even if it was, I don't find their strategy amusing, much less ethical.

Just my two cents.

Wednesday, March 12, 2008

Back on Track

Weeks after our computer broke down, leaving some of my personal files and applications inaccessible, I was finally able to set up and install a replacement PC. Thus, here I am, back at blogging and trying to recover some lost ground...