Snikivv.exe – information and removal

By xerom

My system got infected with snikivv.exe and systime.exe when I double-clicked a USB drive of my friend's while using it. I didn't run a scan before. I'll post some safety tips to keep viruses at bay later. Anyway, the virus infected the system and it made life kind of hell. I can't live without my PC. So I started doing stuff, and I wrote down how I managed to get rid of the virus in the end. I found out the name of the virus after running a scan at my friend's place, and then worked manually to delete it. Took almost two days to completely fix it.

Found this info on the virus. Edited it a little.

*Begin Quote*

DEFINITION OF: SNIKIVV.EXE

  • Safety Rating: Known Malware, do not run
  • Malware Family: Part of Malware group – Polynomial Code Exploit
  • Determination: Automatically determined using Prevx centralized heuristics
  • Malware Form: EXPLOIT
  • Known Protection: as of August 22, 2007, Prevx (the only one I could find); others might also offer protection through heuristics until they can get definitions out.
  • First seen: Aug 9 2007 (GMT)
  • Last seen: Aug 22 2007 (GMT) (my system)
  • File Size: 55,230 bytes

MALWARE ASSESSMENT

1. COVERT ANALYSIS OF: SNIKIVV.EXE

  • File Names Used: 3
  • Paths Used: 2
  • Common File Name: SNIKIVV.EXE
  • Common Path: Usually the root folders. On my system it hit all drives except the C drive, copied asyuycx and huqkgej into the %SystemRoot%\System32 folder and ran them as processes on startup.
  • SNIKIVV.EXE may use 3 or more paths and file names; these are the most common:
      • 1: %SystemRoot%\SYSTEM32\ASYUYCX.EXE
      • 2: %SystemRoot%\SYSTEM32\HUQKGEJ.EXE
  • File Name Structure: Normal
  • File and Path Structure: Normal

2. RELATIONSHIP ANALYSIS OF: SNIKIVV.EXE

  • Malicious Objects Created: 1 object
  • Malicious Creators: 1
  • Malware Run Keys: None
  • Antivirus Detection: NOD32 picked up the virus heuristically when scanning the carrier folder; NOD32 was not run on the infected PC.
  • Anti-Spyware Detection: No third party anti-spyware detection observed

3. ACTIVITY ANALYSIS OF: SNIKIVV.EXE

  • The following behaviors have been observed for this object:
  • Installs programs.
  • Deletes programs.
  • Runs other programs.
  • Has outbound communications.
  • Creates known malware.
  • Creates copies of itself.
  • (my addition) Makes numerous registry entries in the Run key under HKCU and one registry entry in HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
      • Both asyuycx and huqkgej are registered there and are persistent.


4. PROPAGATION ANALYSIS OF: SNIKIVV.EXE

  • Malware Group Propagation Rate: Moderate (spreading)
  • Malware Group: Polynomial Code Exploit

*End Quote*

My method for removal of the virus:

People who aren't experienced: keep your virus definitions up to date and let your virus scanner do the rest. If nothing else, take your system to a recognized computer expert who will fix the PC for you. Do not try these steps if you don't know what you are doing.

These steps are for experienced users only whose antivirus is not picking the virus up. Try them at your own risk; I did them at my own risk.

Step one: try booting into Safe Mode. On my system it didn't hang in Safe Mode.

Step two: run Windows Task Manager and end the processes asyuycx and huqkgej.

Step three: if these start again automatically (they persisted on my system), reinstall Windows using the repair option. Don't install a fresh copy!!

Step four: try step two again; if successful, open %SystemRoot%\System32 and delete the files asyuycx and huqkgej.

Step five: fix the date if the system is infected with systime.exe and the date has been set to November 11, 1980 (presumably the author's birth date).

Step six: fix the registry entries. There will be randomly named entries in the HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN key, and random names in the HKCU\SOFTWARE key.

There will also be entries for asyuycx and huqkgej in both the HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN key and the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN key.

Step seven: delete all instances of snikivv.exe from the drives. Do not double-click the infected drive; use the address bar in Explorer to open the root folders. Double-clicking an infected drive will copy everything again.

To identify an infected drive, right-click it: the Open option will have been replaced by some unreadable characters.
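As an added example (not part of the original post, and not a Prevx tool), here is a PowerShell triage script that walks the same indicators the seven steps above cover: the two running processes, the dropped copies in %SystemRoot%\System32, the Run-key persistence in HKCU and HKLM, the copies in the drive roots, and the 1980 clock reset. It reads drive roots with Get-ChildItem rather than opening them through the shell, so the hijacked "open" verb is never triggered. Two things are assumptions of mine rather than statements from the post: that the drive double-click behaviour is implemented by an autorun.inf in the drive root (so that file is reported too), and the file names list, which simply collects the four names the post mentions. By default the script only reports; removal happens only with -Remove, and -WhatIf shows what would be removed without touching anything. Run it from an elevated prompt so the HKLM key is writable.

```powershell
# Added example: triage for the indicators described in the post above.
# Names come from the post; the autorun.inf check is an assumption.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Names = @('snikivv', 'asyuycx', 'huqkgej', 'systime'),
    [switch]$Remove
)

$findings = @()

# 1. Running processes with the dropper's names (Step two).
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($Names -contains $p.ProcessName.ToLower()) {
        $findings += [pscustomobject]@{ Kind = 'Process'; Where = "PID $($p.Id)"; Item = $p.ProcessName }
        if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id) ($($p.ProcessName))", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }
}

# 2. Dropped copies in %SystemRoot%\System32 (Step four).
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($n in $Names) {
    $f = Join-Path $sys32 "$n.exe"
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Kind = 'File'; Where = $sys32; Item = "$n.exe" }
        if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) { Remove-Item -LiteralPath $f -Force }
    }
}

# 3. Run-key persistence in HKCU and HKLM (Step six). Each value is matched on
#    its name and on the command it stores, so a randomly named value that
#    still points at one of the binaries is caught as well.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        $hit = $Names | Where-Object { $prop.Name -match $_ -or "$($prop.Value)" -match $_ }
        if ($hit) {
            $findings += [pscustomobject]@{ Kind = 'RunKey'; Where = $k; Item = "$($prop.Name) = $($prop.Value)" }
            if ($Remove -and $PSCmdlet.ShouldProcess("$k\$($prop.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $k -Name $prop.Name
            }
        }
    }
}

# 4. Copies in drive roots, plus the autorun.inf assumed to re-launch them on
#    double-click (Step seven). Enumerating with Get-ChildItem does not run
#    the shell's "open" verb, unlike double-clicking the drive in Explorer.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $root = $d.Root
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $rootFiles = Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue
    foreach ($rf in $rootFiles) {
        $base = [IO.Path]::GetFileNameWithoutExtension($rf.Name).ToLower()
        if (($Names -contains $base) -or ($rf.Name -ieq 'autorun.inf')) {
            $findings += [pscustomobject]@{ Kind = 'DriveRoot'; Where = $root; Item = $rf.Name }
            if ($Remove -and $PSCmdlet.ShouldProcess($rf.FullName, 'Remove-Item')) {
                Remove-Item -LiteralPath $rf.FullName -Force
            }
        }
    }
}

# 5. Clock tampering (Step five): the post reports the date reset to 1980-11-11.
$today = (Get-Date).Date
if ($today -eq [datetime]'1980-11-11') {
    $findings += [pscustomobject]@{ Kind = 'Clock'; Where = 'System date'; Item = $today.ToString('yyyy-MM-dd') }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | Format-Table -AutoSize }
```

A dry run is `.\triage.ps1 -Remove -WhatIf`, which lists every Stop-Process, Remove-Item and Remove-ItemProperty it would perform without doing any of them; the same script with plain `.\triage.ps1` is a read-only report you can keep for comparison after a repair install.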

Source: http://fileinfo.prevx.com/adware/qqd7f4102462328-SNIK43412495/SNIKIVV.EXE.html

And my personal experience


2 Responses to “Snikivv.exe – information and removal”

  1. Anthony Says:

    Or alternatively, you could have saved yourself 2 days and just installed Prevx and fixed the problem since they clearly knew about it.

  2. xerom Says:

    where's the fun in that :P
    the reasons being:
    one, i didn't want to expose my vulnerable system to more threats. i didn't know what the virus actually did, maybe going online could have done more harm than good.
    two, i found out about Prevx after the removal of the virus.
    three, my system got so slow it was annoying.
    four, i use a dial-up and it would have taken me ages to download the software they gave.
    five, i have done this registry editing thing before so i know what to do.
    six, it seems like a new virus, so there was a small chance i would have found it on the net.

    and it wasn't two whole days. if you count hours, it must have taken around ten max. which includes finding out about the virus, installing windows, realizing the damage done, and talking to my gf about other stuff.

    :)
