Hi all,
I have almost no technical knowledge about computers. Lately (for the last 2-3 wks or so), my installed Avast! has been regularly detecting a trojan. The exact msg is:
“C:\WINDOWS\System32\amvo0.dll
Win32: Onlinegames-CAZ (Trj)”
Now, even though on every occasion I have either clicked “Delete” followed by “Delete all”, or chosen “Send to chest”, the trojan doesn’t seem to have been contained, as it comes up each time I reboot.
Furthermore, I have noticed that it has integrated itself in the start-up (as confirmed by the msconfig->start-up menu). I tried to uncheck it from Start-up, but it still reappears. Also, none of my hidden files/folders are now seen. In fact, even on checking the “Show hidden files/folders” in the Folder Options, that tab remains unchecked on repeated viewings & even repeated checking.
I have, obviously, been thru the forum & searched reg. this amvo thing, but unfortunately, most of the replies are either half-baked (as in ppl are doing a trial-or-error thing), or are machine specific, or look like an advanced anti-virus/registry hacking class!
Nevertheless, I have downloaded Hijackthis & obtained a logfile after a system scan.
I am hoping some one here can help me get rid of this annoyance without using gibberish (just kidding!), remembering that I am lower than a ‘newbie’!
My system specifications are:
AMD Athlon 64 3200+ with 2.01 GHz processor, 512 MB RAM; and the OS is Windows XP Pro + SP2.
I have the Avast 4.7 Home Edition that is automatically updated daily (despite this the trojan is not being contained).
I will be submitting 2 logfiles: hijackthis 1 & 2. The 1st file was generated after I chose “delete all” from the avast! warning menu; but later I gathered in the forum somewhere that perhaps choosing “Send to chest” was a better option. Hence I did just that & then re-scanned & obtained logfile 2. I have no idea if they will be different, or not…
I thank any one willing to help, in advance.
Thank you,
Shantanu.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
[b]O2 - BHO: (no name) - {02C11078-7ABB-4E2C-9A4A-2B4703B8B90c} - C:\WINDOWS\system32\hjaqncpy.dll (file missing)
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\system32\efcdeca.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKCU..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKLM..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe
O20 - Winlogon Notify: efcdeca - efcdeca.dll (file missing)
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)
O22 - SharedTaskScheduler: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)[/b]
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
Video ActiveX
Please note any other programs that you don’t recognize in that list in your next response.
THEN
Download ComboFix from Here or Here to your Desktop.
[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.
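The HijackThis lines Essexboy lists above follow a fixed layout (section code, entry type, name, optional CLSID, path, and a "(file missing)" / "(no file)" marker). The parser below is an added example, not part of the thread or of HijackThis itself; it reads those lines and separates live autostart entries (a real file that will run at logon) from dangling registrations that only need their registry reference removed. The sample log is constructed from the entries quoted in the post above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the entries Essexboy asked to be fixed, copied from the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02C11078-7ABB-4E2C-9A4A-2B4703B8B90c} - C:\WINDOWS\system32\hjaqncpy.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKCU..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKLM..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe
O20 - Winlogon Notify: efcdeca - efcdeca.dll (file missing)
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)
"""

# What each HijackThis section code means (these are the standard HJT sections).
SECTIONS = {"O2": "Browser Helper Object", "O3": "IE toolbar", "O4": "autostart (Run key)",
            "O20": "Winlogon Notify", "O21": "ShellServiceObjectDelayLoad", "O22": "SharedTaskScheduler"}

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?(?=\s*\(|$)")   # drive path up to " (" or end of line
RUN_NAME_RE = re.compile(r"\[([^\]]*)\]")             # O4 entries name the value in [brackets]


@dataclass
class Entry:
    code: str
    kind: str            # "BHO", "HKCU..\\Run", "Winlogon Notify", ...
    name: str
    clsid: Optional[str]
    path: Optional[str]
    orphaned: bool       # HJT found the registration but not the file


def parse_log(text: str) -> List[Entry]:
    """Parse HijackThis 'O' lines; lines that do not match the layout are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, rest = m.groups()
        kind, _, body = rest.partition(":")       # first ':' ends the entry type
        body = body.strip()
        run = RUN_NAME_RE.match(body)
        name = run.group(1) if run else body.split(" - ")[0].strip()
        clsid = CLSID_RE.search(raw)
        path = PATH_RE.search(raw)
        orphaned = "(file missing)" in raw or "(no file)" in raw
        entries.append(Entry(code, kind.strip(), name, clsid.group(0) if clsid else None,
                             path.group(0) if path else None, orphaned))
    return entries


def live_autostarts(entries: List[Entry]) -> List[Entry]:
    """Entries whose file still exists: these are what actually runs at logon."""
    return [e for e in entries if e.code in SECTIONS and not e.orphaned and e.path]
```

A defender's first question on such a log is which entries still have a file on disk (here only the two O4 lines); the rest are orphaned registrations left behind after the files were deleted or quarantined.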
Essexboy: Thank you very much for a very comprehensive solution, in a very simple language. There is one wee problem - more of a not-understanding-the-instructions thing.
After I’ve booted in Safe Mode & deleted the Video ActiveX programme (if present), then I’m supposed to download ComboFix (incidentally, the .exe file downloaded from the 1st link is a bad/incomplete file - the 2nd link is OK. Thought you should know…) & then execute it. Now, am I supposed to reboot in normal mode after deleting Video ActiveX (& before starting ComboFix) or am I supposed to use ComboFix in Safe Mode? ???
Another query is that after following the ComboFix commands & saving its log, do I re-scan with HijackThis & obtain a new log? And do I need to scan with Avast! again? What do I do if it still detects it - Delete, or Send to Chest, or nothing?? I ask these specifically because when I scanned with HijackThis the 1st time I couldn’t find a few of the files you’d asked to click in the HijackThis Fix Checked menu, so at first I thought that either the log was incorrect, or the instructions. But then by trial & error I figured out what had happened: this amvo.exe has integrated itself in my Start Up & as soon as I boot up & log on into Windows it appears (i.e. Avast! detects it). Now, as a reflex I either delete it, or send it to chest; and this is what I’d done. Thus (I guess) the HijackThis log/menu was incomplete. So, I deliberately opened some folders (which I know activates the trojan) & this time did nothing at the avast! warning…
I know these are really silly questions, but…
As usual,
Thanks in advance for your help,
Shantanu.
P.S.:- Incidentally, I still haven’t followed your instructions completely to the end as I didn’t know/understand them completely. So I will post the complete thing (i.e. the ComboFix & hijackthis logs) after I understand the instructions fully. Thanks.
Hi there it was probably my bad phrasing
Uninstall Video ActiveX from safe mode then reboot
Do not allow Avast to quarantine files until after ComboFix has been run
Run combofix from normal mode (both links work for me ??? )
Some of the Hijackthis deletions may not be present - do the ones that are
Run Hijackthis again after the combofix run and post the new log
I will require the Combofix log and the new Hijackthis
Hello Essexboy,
Thanks for the clarifications. I have done what all you instructed, and am attaching the ComboFix & hijackthis log-files. As an aside, after I ran ComboFix, there have been no more avast! warnings reg. amvo trojan. This can mean 2 things: either my system is clean, or avast! has stopped detecting it!
I think you may be able to tell by the log-files.
Thank you so much for your help.
If there are any other things to follow, please do instruct me.
Thanks again,
Shantanu.
P.S.: Correct me if I am wrong, ComboFix sort of restores my system to some arbitrarily created restore point - I think I got to this as I usually turn my Windows Automatic Updates “off”, but after going thru all that and rebooting, that Automatic-Updates-Are-Off warning popped up. Also, cuz the ComboFix module says something about resetting my system clock. I know I am lower than a newbie, but perhaps you can take some time off to explain a bit… Thank you.
ComboFix will try to reset your System Restore, Automatic Updates and Task Manager, as these are usually disabled by malware. It does not restore your computer. The time should be reset to 12-hour when it is completed.
You have SpywareBot on your system. This is a suspect programme which relies on its similarity to Spybot Search and Destroy to make money. I would highly recommend uninstalling it.
Please open Notepad:
[*] Click Start, then Run
[*] Type notepad.exe in the Run box.
Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\system32\vcO6ecR7.exe
C:\188qsm.bat
C:\2ifetri.cmd
C:\qd.cmd
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\vcO6ecR7.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpywareBot]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1999fd72-d282-11dc-bdd4-001109e9e8fc}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{219e9cd0-945b-11dc-bd99-001109e9e8fc}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99aaaaa0-d0c9-11dc-bdd3-001109e9e8fc}]
-
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
-
Save the above as CFScript.txt
-
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
[*] Combofix.txt
[*] A new HijackThis log.
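The CFScript above has two sections: File:: lists files ComboFix should remove, and Registry:: lists keys, where a line of the form [-KEY] removes that key (the only form the script above uses). The checker below is an added example, not from the thread or from ComboFix; it parses a script into the actions it would carry out and reports exact duplicates, such as vcO6ecR7.exe, which appears twice in the script above. The sample script is a constructed subset of the one posted.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# Constructed subset of the CFScript posted above (the duplicate line is kept on purpose).
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\vcO6ecR7.exe
C:\188qsm.bat
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\vcO6ecR7.exe
C:\WINDOWS\Tasks\At1.job
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1999fd72-d282-11dc-bdd4-001109e9e8fc}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")       # "File::", "Registry::"
DELETE_KEY_RE = re.compile(r"^\[-(HKEY_[A-Z_]+\\.+)\]$")  # "[-HKEY_...\path]" = delete key
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\.+")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split the script into its sections, keeping line order within each section."""
    sections: Dict[str, List[str]] = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"directive before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def plan_actions(sections: Dict[str, List[str]]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (actions, duplicates). Actions are ('delete_file', path) or ('delete_key', key)."""
    actions, duplicates, seen = [], [], set()
    for path in sections.get("File", []):
        if not DRIVE_PATH_RE.match(path):
            raise ValueError(f"File:: entry is not an absolute drive path: {path!r}")
        key = ("delete_file", path.lower())          # Windows paths are case-insensitive
        (duplicates if key in seen else actions).append(path if key in seen else ("delete_file", path))
        seen.add(key)
    for line in sections.get("Registry", []):
        m = DELETE_KEY_RE.match(line)
        if not m:
            raise ValueError(f"unsupported Registry:: directive (only [-KEY] handled): {line!r}")
        actions.append(("delete_key", m.group(1)))
    return actions, duplicates
```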
This really helped me. Wow!!
Thanks all!
Essexboy: As you had advised, I have done the following things:-
- Uninstalled Spybot.
- Followed all your commands and created the new CFScript.txt. Ran ComboFix using that file.
- Rebooted & obtained a new ComboFix as well as Hijackthis logs (posted as attachments).
Is there anything else to do now?
Thanks again,
Yours,
Shantanu.
P.S.: I noticed something interesting. I have a broadband connection (nominally ‘broadband’; actually is a 256 kbps cable connxn). Every time I use ComboFix & try to connect to the Net using the broadband, it gives a LAN cable/LAN settings error. The first time around I tried to connect to the Net to post the log-files & got this error, I called my ISP & despite half an hour of his work (at his end) he couldn’t really figure it out. Some guy,huh?!! Then I discovered that this was resolved simply by rebooting. I think ppl who try this solution may do better (i.e. be less alarmed) if they detach their cable & then use ComboFix (or simply reboot! ). Also, it is possible that this may be an idiosyncratic reaction of my ISP cable/computer to ComboFix
> Also, it is possible that this may be an idiosyncratic reaction of my ISP cable/computer to ComboFix
Most probably
Looks good, I usually like to run Superantispyware after to pick off any registry entries that I miss
Download and then run SuperAntispyware
[*]On the first page select Check for Updates
[*]On completion select SCAN YOUR COMPUTER
[*]On the next page select COMPLETE SCAN and tick ALL your drives
[*]The next stage will take a while as your entire drive(s), memory and registry are scanned
[*]When it has completed click NEXT
[*]The next screen shows the problems found click OK
[*]On the next screen place a tick against all items and select NEXT
[*]Now to get the log Go to the PREFERENCES button on the right bottom
[*]Select the STATISTICS/LOG tab
[*]Highlight the scan just completed and click VIEW LOG
[*]This will open a Notepad text file; copy and paste this into your next reply
If you could post the log and let me know how your system is now
Hi Essexboy:
I followed your instructions regarding the usage of SuperAntiSpyware. It caught a few adware trojans (which were deleted via avast! That is to say, that on running this programme whatever warnings were flashed were in/from the avast! module, and I used the standard avast! Delete All option for this) I am attaching its log with this mail. Also attached is the hijackthis logfile after running SuperAntiSpyware (dunno if it’ll be of any use, but still…)
If there is any other thing for me to do please do instruct me.
Thank you very much for your time and help.
Yours,
Shantanu.
Hi shantanusapru, both logs look good. SAS took out mainly registry items and cookies, plus the remnants of SpywareBot.
How is your computer running now ?
Essexboy,
Thank you so much for all your help, and for taking the time & trouble to explain each step with clarity & celerity.
My comp is running quite OK now. No more annoying avast! warnings reg. amvo. Hidden folders can be made visible; and the folders even open in the same window when double clicked! I guess peace has been restored
Thanks again,
Yours gratefully,
Shantanu.
Essexboy:
I dunno if this thread is the appropriate forum for this or whether I should start a new thread, but since I discovered this problem only after I’d this ‘dealing’ with the amvo thingy, hence am using this thread itself.
Today (after peace had been restored ), I tried to defrag my C:\ but was unable to do so due to an error msg from the system: “Connection to engine has been lost. Please restart engine.” This is unusual as I’ve defragged my drive many times & this is the first time that such a msg appeared. Anyway, I continued and eventually after 5-6 tries this error msg appeared:
“The scan has been cancelled because an error occurred in the file: C:\WINDOWS\NTBTLOG.txt”
Now, I wanted to attach a copy of my ntbtlog.txt from my Windows folder for your appraisal, but unfortunately, the innate .txt file is more than 200 kb in size & .zip & .doc formats are not allowed as attachments (am stumped!). I’ll be grateful if you could help…so that I can defrag my main drive. (Other drives I can defrag. I tried & it worked!). I think this might be related somehow to the amvo cleansing thing. I sure hope I don’t have to reload XP as there’s tons of data I’ll lose!
Sorry to bother you yet again.
Shantanu.
NTBTLOG.txt is a Windows file that collects errors when you reboot. It is a non-essential file and is used for problem solving, so you can delete it.
Let me know what happens
Hi Essexboy.
I deleted ntbtlog.txt & tried to defrag C:\ but the foll. error msg occurred: “The scan has been cancelled because an error occurred in file: C:\WINDOWS\OSIRIS.INI”.
Now what? I dared not delete it & try again without proper supervision. Sighh…
Let’s try a different defragger to start with. Download this one and try it - if that fails we may need to do a checkdisk.
Hi.
I installed Auslogics Disk Defrag & it worked. I defragged C:. But is this a long term solution? I mean, there is some problem with my system & I dunno what, & more importantly, should I not do something about it? Also, I think the Windows defragger is quite OK. But if you say, then I’ll switch to this one instead.
Thanks for helping me on a non-virus related problem too.
Shantanu.
It may be a problem with the Windows defrag, as Auslogics did it with no problem, although having said that it does defrag your other drives. Curious. There may be a corruption within Windows defrag, although this is the first time I have come across the problem where it will only show errors on one drive. Auslogics is free and it does a better job than Windows. I will carry out some research on this problem and if I find a solution I will pass it on.
Now the best part of the day: house cleaning time.
You may now delete the programmes I had you download
Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:
- Select Start > All Programs > Accessories > System tools > System Restore.
- On the dialogue box that appears select Create a Restore Point
- Click NEXT
- Enter a name e.g. Clean
- Click CREATE
You now have a clean restore point, to get rid of the bad ones:
- Select Start > All Programs > Accessories > System tools > Disk Cleanup.
- In the Drop down box that appears select your main drive e.g. C
- Click OK
- The System will do some calculation and then display a dialogue box with TABS
- Select the More Options Tab.
- At the bottom will be a system restore box with a CLEANUP button click this
- Accept the Warning and select OK again, the program will close and you are done
Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit
[*]Microsoft Windows Update
To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?
Keep safe
P.S.: How can I send you a personal msg, or chat in real time? We have been online simultaneously many times & I searched the Help forum, but unfortunately there doesn’t seem to be a way for this (e.g.: your profile doesn’t have the “Send this member a personal msg” option at all!)
Shantanu.
P.P.S.: While I was typing this your reply came up. Thanks for the instructions. I shall follow them. And I shall check this thread for anything that you may dig up on this problem of mine. Cheers.
Unfortunately, a while back we had spammers abusing the PM system - so now a minimum of 20 posts is needed before it is activated