Infected with unknown virus(es)

Hello,
A few days back my PC (AMD Athlon 3200+, 512 MB RAM, Windows XP Pro+SP2) started behaving erratically - minor freezing, delays etc. I put it down to ol’ nerves :wink:
Since yesterday, I have been unable to use any of my USB ports as the system doesn’t recognize them! Also, there was some problem with the volume control centre - no vol. on starting up; or sometimes start-up has the known Windows log-on tune, but on trying to manually adjust the vol. levels, no sound output happens. None of the audio files play with any standard players (Winamp etc) - all give a lack of output error. Along with this there was also a peculiar error: I could not toggle the “View hidden files/folders” option, i.e. despite toggling it on, it did not show the hidden files/folders, and on reviewing the Folder Options list, the item was unchecked (in fact it was uncheckable!).
Funnily, Avast! did not detect any virus/malware on running a full system scan!
Now, I tried Quick Heal (trial version) & it detected & quarantined a lot of ‘viruses’ - a lot were .bat files, some .cmd, .acx. & a few even .com (e.g.: V.COM). I of course couldn’t make head or tail of it, but thankfully the audio came on, songs can now be played, & USB ports are accessible again. The system is still a bit on the slower side, but I think that is OK. But, the problem with the “View hidden files/folders” option still persists - this forces me to think that the system is still not secure. Both the Quick Heal & Avast! scans do not show anything now.
I dunno how to solve this problem.
I’d be grateful if anyone can help. I don’t have any technical background, so please give instructions in a non-technical language.
I had some problems before & Essexboy helped me immensely. Earlier a Hijackthis log was asked to be submitted, hence am doing that now too. I don’t know if it’ll be of use. Please excuse the lack of knowledge.
Thanks in advance to those who do help.
Shantanu.

Well, well, well… As it happens, all is not at all hunky-dory as I thought it was…
No sooner had I finished my post & re-ran a C:\ scan than it (i.e. Quick Heal - by this time now, I am quite cheesed off with Avast!) detected a spate of viruses. Again!
So this time, I ran a boot scan & it detected & deleted a total of 243 files, with all weird extensions like .c, .r, .cgo, .snt, .csj, .skw, .ryx, .cur, .cmd, .NSAnti.r etc etc. Most of them were (probably) trojans as they had names like: Trojan downloader.Agent.kgv, Trojan.Onlinegames.dll etc etc…
Now even after this my system is still responding quite slowly & the pre-mentioned hidden files/folders problem persists. Perhaps the infection has still not been eradicated…
I am reposting a new hijackthis log (after the boot scan). Hope it helps.
P.S.: I am thinking of changing to another antivirus, so dunno if this forum will continue to help me or not, but I really think Avast owes me this much as it has not really been of use in this situation! I do hope that it upgrades quickly (I run a Home edition) as I am fond of it.

If a virus keeps replicating (coming back again and again), you could follow the general cleaning procedure:

  1. Disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3.

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run SUPERantispyware or Spyware Terminator.
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
    About legit antispyware applications or the bad ones: http://www.spywarewarrior.com/rogue_anti-spyware.htm#sites

  5. If you are still detecting any strange behavior, or even if you’re sure you’re not clean, it may be good to test your machine with anti-rootkit applications. I suggest Trend Micro RootkitBuster (for XP/Vista). For XP only: Panda (for XP).

  6. Besides making a HijackThis log to post here, you can scan with RunScanner and submit its log for on-line analysis; that would help to identify the problem and the solution.

  7. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Hi shatanusapru,

amvo.exe
We suggest you remove amvo.exe from your computer as soon as possible.
Amvo.exe is a Trojan/Backdoor.
Kill the process amvo.exe and remove amvo.exe from Windows startup.
There are more items in your hjt log that can be fixed, but this amvo.exe needs to be fixed first using hjt.

The unsafe files using this name are associated with the malware group Covert.Sys.Exec. Some files using the name AMVO.EXE are also associated with the malware groups:

* KAVKOP:Trojan-A
* Worm/AutoRun.Y

These files may have the following Vendor, Product, Version Information in the file header: Microsoft Corporation; Utilidad de ayuda de la línea de comandos; 5.1.2600.0

* The following Vendor, Product, Version Information has also been reported:

Microsoft Corporation; Command Line Help Utility; 5.1.2600.0
AMVO.EXE has been seen to perform the following behavior(s):

* The Process is packed and/or encrypted using a software packing process
* This Process Creates Other Processes On Disk
* This Process Deletes Other Processes From Disk
* Loads and Executes a System Driver File
* Writes to another Process's Virtual Memory (Process Hijacking)
* Adds a Registry Key (RUN) to auto start Programs on system start up
* Executes a Process
* Registers a Dynamic Link Library File
* The Process is polymorphic and can change its structure
* Violates Prevx File Security Settings
* The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
* Modifies Windows Initialization And System Settings Used On Start up

AMVO.EXE has been the subject of the following behavior(s):

* Executed by Internet Explorer
* Added as a Registry auto start to load Program on Boot up
* Created as a process on disk
* Deleted as a process from disk
* Executed as a Process
* Executed from Temporary Folders
* Terminated as a Process
* Writes to another Process's Virtual Memory (Process Hijacking)

AMVO.EXE can also use the following file names:


polonus
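A read-only triage script for the two symptoms this thread keeps coming back to (the “Show hidden files/folders” box that will not stay ticked, and an amvo.exe-style autostart plus autorun.inf on removable drives), written here as an added example; it is not code from any post above. It assumes the standard Windows registry locations for the Explorer hidden-files setting and the Run keys, and takes the ‘amvo’ name pattern from the thread.

```powershell
# Added example, not from any post in this thread: a read-only triage script for
# the symptoms discussed above: the "Show hidden files" box that will not stay
# ticked, an amvo.exe-style Run-key autostart, and autorun.inf on removable
# drives (the Worm/AutoRun family in polonus' post). The registry paths are the
# standard Windows ones (assumed, not stated on the page); the 'amvo' pattern
# comes from the thread and can be extended.
function Test-HiddenFilesAndAutostart {
    $findings = @()
    # 1. Explorer hidden-files toggle. Windows expects CheckedValue = 1 (REG_DWORD);
    #    malware commonly sets it to 0 or rewrites it as REG_SZ, so the box reverts.
    $showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $key = Get-Item -Path $showAll -ErrorAction SilentlyContinue
    if ($null -eq $key) {
        $findings += "SHOWALL key missing: $showAll"
    } elseif ($key.GetValueNames() -notcontains 'CheckedValue') {
        $findings += 'SHOWALL\CheckedValue missing'
    } else {
        $kind  = $key.GetValueKind('CheckedValue')
        $value = $key.GetValue('CheckedValue')
        if ("$kind" -ne 'DWord' -or $value -ne 1) {
            $findings += "SHOWALL\CheckedValue is $kind=$value (expected DWord=1)"
        }
    }
    # 2. Run-key autostarts: flag values naming amvo* or launched from a Temp folder
    #    ("Executed from Temporary Folders" in the behaviour list above).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($rk in $runKeys) {
        $props = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $cmd = [string]$p.Value
            if ($cmd -match '(?i)amvo' -or $cmd -match '(?i)\\temp\\') {
                $findings += "Run entry '$($p.Name)' in $rk -> $cmd"
            }
        }
    }
    # 3. autorun.inf on removable drives (DriveType 2): not proof by itself, but it
    #    is how the AutoRun worms named in this thread spread between machines.
    foreach ($d in @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2')) {
        $inf = "$($d.DeviceID)\autorun.inf"
        if (Test-Path -LiteralPath $inf) { $findings += "autorun.inf present on $($d.DeviceID)" }
    }
    return $findings
}
$result = @(Test-HiddenFilesAndAutostart)
if ($result.Count -eq 0) { 'No findings.' } else { $result }
```

The script only reads; anything it reports is a lead to check against the HijackThis log, not something to delete blindly.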

Hello all,
First off, thanks to Polonus & Tech for their very helpful comments & advice.
I have done the following:

  • Uninstalled Quick Heal & reinstalled (& upgraded+registered) the latest version of Avast! Home Ed.
  • Installed Advanced WindowsCare Personal (AWC) (free version).
  • Installed the latest version of Spyware Blaster (SB).
  • Boot scanned with Avast! → Scanned with the latest versions of AWC, SuperAntiSpyware (SAS) (free version) (that I already had) & Spyware Blaster. Boot scan did not detect any threat (but of course it did not the last time either, so…).
  • Ran Trend RootkitBuster. It did not show up any exotic vulnerabilities - a few registry keys/entries (if that is the term) were deleted - mostly related to old uninstalled programmes/versions (e.g.: older version of java, some media player etc)
  • Patched the system with the appropriate AWC, SAS and SB downloads/settings.
    System is working OK. Sort of.
    The aforementioned ‘problem’ with ‘Show hidden files/folders’ still persists. I dunno why!!
  • Scanned with hijackthis. Log file did not show any amvo (or other threats) - in my cursory viewing & superficial knowledge. The log file is being appended for expert review & opinion.
  • Checked for insecure apps with Secunia - mostly browser or media player related warnings(e.g. Opera/Winamp/QT+iTunes is older version etc etc).
  • Am hoping this won’t happen again. Sigh… :slight_smile:

P.S.: Thanks to all for their wonderful help.
P.P.S.: Am still hooked to Avast! I am rather fond of it…
P.P.P.S.: I am sorry for my borderline rude/sassy remarks in my last post. I was quite cheesed off that Avast did not detect anything till the system almost crashed & that other AV’s did!! (Incidentally, I’ve always run a home edition, that is auto-updated daily & the settings are mostly set to the “High” level.)
Perhaps something can be done at the technical level…
Thanks again for the help.

:slight_smile: Hi :

After “reviewing” your latest HijackThis Log, I offer the following :

  1. Flashget - this is considered an Adware program; see
    www.spywareguide.com.
  2. Sun’s Java - 2 “versions/updates” behind, a semi-serious security risk;
    should Uninstall ALL versions of this program, then go to
    www.majorgeeks.com/download4648.html for the latest.
  3. Adobe - the program is under increasing “attack” from the Makers of
    spyware; should seriously consider “removing” it and using the
    FREE “Foxit Reader”, with Info at www.foxitsoftware.com/pdf/rd_intro.php

Can I get some help with this virus Win32:OnLineGames-CUX [trj] (amvo0.dll)… At first I tried to delete it with Avast, but Avast couldn’t delete it… I tried to remove it manually and it was removed… but every time I open Windows, Avast shows me that my computer contains the worm called Win32:OnLineGames-CUX [trj]… I opened the folder that contained the virus again, but I can’t see it… I opened FOLDER OPTIONS and set the SHOW ALL SYSTEM AND HIDDEN FOLDERS choice to see if the virus was hidden, but it wasn’t there.
Can really someone help me to remove this virus?

You should start your own ‘New Topic’ (button at the top of the list of topics on the viruses and worms forum) as this is unrelated to the current Topic. You could also try a forum search for Win32:OnLineGames-CUX or the file name as this has been discussed before and that should give an idea of what is required.

Hello Spiritsongs.
Thank you for your comments.

  • I use both Adobe as well as Foxit for my .pdf viewing (& sometimes editing) purposes. I find Adobe to be better at editing. So would like to keep it.
  • Flashget is a nifty download accelerator which I find quite useful.
  • I have now downloaded & installed the latest Java version (Java SE version 6 update 5).
Once again, thanks for all your comments & advice.

Shantanu.