Gen:Variant.Kazy.79682-virus - How to remove it manually without losing files on computer?

Scholar


F-Secure found four viruses titled "Gen:Variant.Kazy.79682" on my PC last night.

 

F-Secure said the files infected by the virus are packed (like in a zip file) and F-Secure can't handle them automatically.

F-Secure said the files infected by the virus are titled "fi6F51EA7D8..." and "stream 3".

F-Secure suggested that I open the zip files and remove the infected files manually, but when I searched my computer (with Windows Explorer) for "fi6F51EA7D8..." and "stream 3", my computer wasn't able to find these "fi6F51EA7D8..." and "stream 3" files.

 

How am I able to remove the Gen:Variant.Kazy.79682 virus without losing my important master's thesis files on my computer, when the computer can't find the files infected by the virus?

 

Does anyone have an idea what the Gen:Variant.Kazy.79682 virus usually does?

I'm writing my master's thesis and I'm wondering whether it is wise to turn on my computer at all before Monday, when I hopefully get customer support from F-Secure.

 

Thank you so much for your replies!!

Accepted Solution

F-Secure Product Expert

Re: Gen:Variant.Kazy.79682-virus - How to remove it manually without losing files on computer?

Hello Minde

 

I am truly sorry it took us so long to respond to your unsettling situation. The good news is that almost certainly neither your PC nor your thesis was in real danger at any time :)

 

When a security product of ours reports anything malicious on your computer, it has already detected and stopped it, preventing it from causing any harm to your system or your data.

So the message you saw did not mean that your system is compromised, but exactly the opposite, that an attack on your system was stopped.

 

As for where the attack originated, I can only speculate. Possible scenarios would be:

 

1)      The file is stored on an unprotected file server in your network.
In this case the malware, although not causing any harm to that server, will try to infect your computer (and fail) every time you try to access that file.

2)      There is an unprotected and infected computer with active malware in your network.

If in addition your firewall for some reason allows traffic from that computer to your PC (which it usually will not), or the firewall is switched off, that compromised machine will try to infect your PC over and over again, sometimes causing a lot of virus messages within a short time.

3)      You are accessing an exploited web page (usually a trusted page like a news service that has been "hacked") that tries to infect you via drive by download.
If your browser remembers your open tabs you might see the same virus warning repeatedly, every time you open your browser- or otherwise whenever you visit or reload that page.

 

It is true that our security software will under some circumstances not remove infected files, but they will do no more harm than wasting your disk space, and of course cause additional virus warnings whenever you or a system process accesses that file.

Reasons for _not_ deleting an infected file can be:

 

1)      We deliberately do not remove the file because it is an important system file and removing it would render your computer unusable. Naturally, also in those cases we prevent the malware embedded in those files from causing any harm to your system or your data, so you will be protected despite the frequent virus warnings you will get in this case (whenever the infected file is executed or otherwise accessed).

2)      The file is inside an archive. In that case we would have to delete the complete archive to remove it, including all clean files therein.

3)      The file is a temporary file created by an application, like browser downloads in progress, network streams and similar. Those files are usually locked by the application creating them, which means they cannot be opened or executed to do their damage, but also not deleted by an Antivirus at that point. Those files are then either replaced with a permanent version or automatically discarded when the process is finished.

I suspect that is what happened in your case which is why you couldn’t find those files afterwards.

 

It is very likely that your system is in fact clean, and in any case safe, but to be absolutely sure and get peace of mind I would recommend to do a manual full scan:

 

1)      Update the virus definitions manually to make sure your Antivirus has the latest database updates installed.

2)      Run a full scan from the menu you see when right-clicking the F-Secure icon. "Advanced heuristics" is enabled by default; please keep it that way, or if you changed that setting, please enable it again. This allows for a more thorough scan and is highly recommended, especially if you suspect an infection.

3)      For additional safety please enable “advanced process monitoring” in the real-time scanning settings and let the computer run in that regime for one to two days depending on how much you use it. This setting will slow your computer down somewhat, albeit insignificantly unless your computer runs only with the minimum hardware recommended for the operating system alone. This setting is specifically recommended in case you suspect an infection, and not needed otherwise in everyday use (unless you work in a high security or high risk environment).

 

For "extra triple safety" you can in addition run a full scan with our OnlineScanner. Although somewhat redundant, it can provide an extra bit of peace of mind :)

 

I hope my explanations and instructions were helpful. If something wasn't clear, please let me know and I will try to do better. ;)

 

Again my sincere apologies for leaving you hanging for so long,
Ondrej

 

P.S.:
Needless to say, it is also recommended to make sure that your computer has the latest hotfixes, patches and updates, and, just as important, that your other applications like office programs, PDF reader, browsers, media players etc. are updated with the latest patches and fixes or upgraded to the latest versions.
Using outdated software opens the most common attack vectors to your computer, which can, even if it does not lead to your PC actually being taken over, result in a lot of virus warnings of this sort.

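Reason 2 above (the flagged file sits inside an archive) is also why an Explorer search for "fi6F51EA7D8..." finds nothing: Explorer searches file names on disk, not the member names inside a zip. The script below is an added example written for this page; it is not part of the thread and not F-Secure's tooling. It walks a directory, lists zip members whose name starts with the visible prefix "fi6F51EA7D8" (the full name is truncated in the report, so only the prefix is matched), records a SHA-256 of each hit without extracting or executing it, and then rebuilds the archive without that single member so the clean files in it survive. The directory layout, archive name and member contents are constructed for the demonstration.

```python
"""Locate a flagged member inside ZIP archives and remove only that member.

Added example, not part of the original forum thread or of any vendor's
product. The search prefix "fi6F51EA7D8" is the visible part of the name in
the report; the archive, paths and member contents below are constructed.
"""
import hashlib
import os
import shutil
import tempfile
import zipfile


def find_entries(root, name_prefix):
    """Walk `root`, open every ZIP, and return (archive_path, member_name, sha256)
    for members whose basename starts with `name_prefix`. Members are read into
    memory only to hash them; nothing is written to disk or executed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if not zipfile.is_zipfile(path):      # non-ZIP packers are skipped
                continue
            with zipfile.ZipFile(path) as zf:
                for info in zf.infolist():
                    if os.path.basename(info.filename).startswith(name_prefix):
                        digest = hashlib.sha256(zf.read(info)).hexdigest()
                        hits.append((path, info.filename, digest))
    return hits


def remove_entry(archive_path, member_name):
    """Rewrite `archive_path` without `member_name`, copying every other member
    with its original compression settings. ZIP has no in-place delete, so the
    archive is rebuilt into a temp file next to it and swapped in atomically.
    Returns the list of remaining member names."""
    dir_name = os.path.dirname(archive_path) or "."
    fd, tmp_path = tempfile.mkstemp(dir=dir_name, suffix=".tmp")
    os.close(fd)
    try:
        with zipfile.ZipFile(archive_path) as src, \
             zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == member_name:
                    continue                      # drop only the flagged member
                dst.writestr(info, src.read(info))
        os.replace(tmp_path, archive_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)                   # never leave a half-built archive
        raise
    with zipfile.ZipFile(archive_path) as zf:
        return zf.namelist()


def build_demo(root):
    """Constructed sample: one archive holding a 'thesis' chapter plus a member
    whose name matches the reported prefix. Both members are inert text."""
    archive = os.path.join(root, "backup", "thesis_backup.zip")
    os.makedirs(os.path.dirname(archive), exist_ok=True)
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("thesis/chapter1.docx", b"clean thesis content")
        zf.writestr("tmp/fi6F51EA7D8-constructed-sample.bin", b"inert placeholder")
    return archive


def demo():
    """Run the whole flow in a throw-away directory; returns (hits, remaining)."""
    root = tempfile.mkdtemp()
    try:
        archive = build_demo(root)
        hits = find_entries(root, "fi6F51EA7D8")
        remaining = remove_entry(archive, hits[0][1]) if hits else []
        return hits, remaining
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    found, left = demo()
    for archive_path, member, digest in found:
        print(f"{archive_path}: {member} sha256={digest}")
    print("remaining members:", left)
```

Copy the archive somewhere safe before calling remove_entry if it is the only copy of thesis material, and keep the SHA-256 rather than the member itself if you want to report the sample to the vendor. Only ZIP containers are handled here; other packed formats fail zipfile.is_zipfile and are skipped, so a report naming a non-ZIP container needs that format's own tooling.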
Superuser

Re: Gen:Variant.Kazy.79682-virus - How to remove it manually without losing files on computer?

Sounds nasty, and I hope you get the help you need - but I think it's best left to someone more professional than me.

 

I guess this begs the question though, how did the machine become infected in the first place?  Did it get past FS, or was FS not installed when the machine was infected? 

Senior Advisor

Re: Gen:Variant.Kazy.79682-virus - How to remove it manually without losing files on computer?

It looks like a nasty little trojan: http://www.enigmasoftware.com/genvariantkazy-removal/

 

 

Emsisoft state that they know of this infection and that their AntiMalware product can detect it. http://www.emsisoft.com/en/malware/?Gen.Variant.Kazy.79682.AMN

 

You can sign up for their Forum where they have a separate section devoted to helping with malware removal; http://support.emsisoft.com/

 

Maybe worth a shot while waiting for the experts at F-Secure to get back to you. As you say, you will have to manually delete the infected files.

 

In the future I would highly recommend layered protection where you are not just relying on an AntiVirus; I can highly recommend Sandboxie/AppGuard/NoVirusThanks as excellent companions to an AV.

 

More importantly, I would always have imaging backup on any computer so you can revert back to a clean state; AX 64 Time Machine or Macrium Reflect are highly recommended in this regards.

 

Important thing here is not to panic as your thesis is still there together with the malware.

 

Once up and running clean again, take a backup to an external drive/load copies of your thesis on an external drive/flashdrive/online storage site.

 

Good luck.

Scholar

Re: Gen:Variant.Kazy.79682-virus - How to remove it manually without losing files on computer?

Thank You for your reply!! Unfortunately it did get past F-Secure. Seems to be nasty.

Superuser

Re: Gen:Variant.Kazy.79682-virus - How to remove it manually without losing files on computer?

BlackCat's advice sounds worth a try.

If it was my machine, what I might try is going into Task Manager and manually closing all running processes, except explorer.exe, and those belonging to F-Secure. Hopefully one of the processes will be the virus, and then I would try another scan with FS to see if it can deal with it. If at any time things go haywire, a reboot should get you (and the virus) up and running again.

But, as I've said, that's what I would do, sitting at my own machine, and it's a pure guess as to whether it would work. I would still recommend you get professional help by raising a support ticket with F-Secure, or perhaps try the Live Chat facility.

Good luck!
Superuser

Re: Gen:Variant.Kazy.79682-virus - How to remove it manually without losing files on computer?

Would it be unfair to suggest that it's a little disappointing that F-Secure didn't block this in the first place, given that it appears to be quite a well established trojan?  It's all very well detecting the virus after it's infected the machine, but I thought the whole idea of security software was to prevent infections, not just detect them once it had let them in.  It's a bit like shutting the stable door after the horse has bolted, but in reverse!

 


@Blackcat wrote:
In the future I would highly recommend layered protection where you are not just relying on an AntiVirus; I can highly recommend Sandboxie/AppGuard/NoVirusThanks as excellent companions to an AV.

 



I agree, but would FS allow those to run alongside it?  One thing I've often found irritating is that many vendors, FS included, claim that their product offers a 'complete solution', and that no other security software should be running on the machine.  They even go to the point of insisting on removing other software upon installation of their own.  In this case, it seems that solution was rather IN-complete, and does suggest that one product alone cannot be entirely bullet proof.

Senior Advisor

Re: Gen:Variant.Kazy.79682-virus - How to remove it manually without losing files on computer?

IME, F-Secure IS 2013 and the beta 2014 run happily with either Sandboxie, AppGuard, or NoVirusThanks EXE Radar Pro.

 

I have even run Malwarebytes Pro in real-time alongside F-Secure for several weeks, even though until recently F-Secure removed this program as "it was considered incompatible".

 

I have run layered defences for years now, with an AV backed up by some sandbox or an anti-executable.

 

But much more important than security software IMHO is having a reliable backup procedure to an external drive. No security software can guarantee 100% protection so reliable backup procedures are essential. 

 

So ANY Antivirus should not be considered as the only defense barrier to malware.

Superuser

Re: Gen:Variant.Kazy.79682-virus - How to remove it manually without losing files on computer?

I have MWB installed, but only the on-demand version. FS kicked out SuperAntiSpyware back in 2012, but I do have Windows Defender running, which has never caused any problems. I tried PrevX, but things went a bit pear shaped from what I recall. I'll check out the ones you've mentioned, but I agree, backing up is essential too.
Senior Advisor

Re: Gen:Variant.Kazy.79682-virus - How to remove it manually without losing files on computer?

@Minde

 

Did you manage to remove the infection?

 

If so, can you share the solution, as it may help other F-Secure users in the future. ;)
