Solved

Amvo.exe, Nideiect.com     Remove Category Malware: Covert.Sys.Exec/Kavkop:Trojan-A

Posted on 2007-12-09
4,305 Views
Last Modified: 2012-08-13
Hi

My computer has been infected with a worm due to the transfer of some files from a USB drive. Some characteristics of it are:

- Now when I am opening any drive, its contents are opened in a new window!

- I believe it's communicating on the Internet.

- It's trying to set a program for startup, 'IMVO.exe' stored in the System32 folder, despite my deleting all registry entries related to 'Imvo.exe'.

- It's also running an executable, "Nideiect.com".

- Hidden files and protected operating system files, as usual after these attacks, can't be viewed.

Avast hasn't been able to remove this. Prevx CSI has detected this but is asking for payment for removal. Please guide me through the removal of this. I could have formatted the HDD and reinstalled Windows, but I have very intensive s/w like VS2005 and Illustrator installed, so I can't waste that much time. Thank you.

Question by:theNab
4 Comments
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 20438009
1.  Run this tool and follow the prompts.
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

2.  If the problem persists, also run ComboFix and attach the log.
Download ComboFix to your Desktop, from either of these locations:
http://www.forospyware.com/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Attach the log as a "Code Snippet" so we can check it please.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix will terminate your connection while scanning, and will resume the connection when it's done.
If you have issues connecting to your network or the internet after running ComboFix, you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on the Network icon and select "Repair".
or
Alternatively, if the Network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.
LVL 10

Expert Comment

by:frostburn
ID: 20883094
Hi there... I had the same problem on a few machines, so I spent a while studying the virus.

I created this set of commands and slapped them in a batch file. It works well for me.
**************************************************************************************************************************
@echo off
REM Clear the System/Hidden/Read-only attributes so the dropped files can be deleted.
REM Note: the first line also un-hides every file in the root of C:, including
REM legitimate system files such as boot.ini.
attrib -S -H -R c:\*.*
attrib -S -H -R C:\windows\system32\amvo*.*

REM Kill the running process, and any process that has loaded the worm's DLL.
taskkill /F /IM amvo.exe /T
taskkill /f /fi "modules eq amvo0.dll"

REM Delete the autorun.inf and .cmd dropper in the root, and the payload in System32.
del c:\autorun.inf
del c:\d6fagcs8.cmd
del c:\windows\system32\amvo.exe
del c:\windows\system32\amvo1.dll
del c:\windows\system32\amvo0.dll

REM Remove the startup (Run) value and the CLSID key, then restore the
REM "Show hidden files and folders" setting that the infection breaks.
REG DELETE HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /v amva /f
REG DELETE HKLM\SOFTWARE\CLASSES\CLSID\{f26a699a-bcbb-4e37-abf9-7325da15f931} /f
REG ADD HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED\FOLDER\HIDDEN\SHOWALL /V Checkedvalue /t REG_DWORD /d 1 /f
REG ADD HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED /v Hidden /t REG_DWORD /d 1 /f
PAUSE

***********************************************************************************************
Regards
FB

Expert Comment

by:kellykln
ID: 21085413
This virus can also appear as fppg1.exe, and autorun.inf in your root drive or flash drive. As soon as you double-click on your flash drive it will reinstall itself, so you should not open "My Computer". Instead, go into DOS. One of the symptoms is that when you double-click on the drive in My Computer, instead of viewing your files you get the "Open with" program dialog. Another symptom is not being able to enable viewing hidden files. The tool RRT.exe takes care of that.
Do a dir /ah, which will show you these files which are hidden.
Do as frostburn says above to delete the amvo files from your drive as well as from your registry, also deleting fppg1.exe and autorun.inf. Do not open My Computer until you are all clean.
The reanimator.exe tool and rrt.exe are also helpful for removal.
The following article also explains the virus:
http://rahulhackingarticles.wetpaint.com/thread/1155520/hidden+files+problem+and+%22amvo.exe+trojan%22/post/8673184/hidden+files+problem+and+%22amvo.exe+trojan%22?t=anon
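The drive hijack that frostburn's batch file removes (c:\autorun.inf plus the d6fagcs8.cmd dropper in the root) and that kellykln describes (the "Open with" dialog, the drive re-infecting itself on double-click) is driven by directives in the drive's autorun.inf: open=, shellexecute= and shell\<verb>\command= tell Explorer to run a program when the drive is opened, and shell\<verb>\default= or shell= make that verb the default double-click action. The Python below is an added example, not code from this thread: it parses an autorun.inf copied off a drive (so it can be run from a clean machine, not on the infected one) and flags the launching directives, cross-checking each target against a listing of the drive root with its attrib letters. The sample autorun.inf and root listing are constructed for illustration; the dropper name is reused from frostburn's batch file, and the directive layout is not a capture from a real infected drive.

```python
from __future__ import annotations

# [autorun] directives that make Explorer launch a program when the drive is
# opened or auto-played: open=, shellexecute=, and shell\<verb>\command=.
EXEC_KEYS = ("open", "shellexecute")
VERB_COMMAND_SUFFIX = "\\command"
EXEC_EXTENSIONS = (".exe", ".com", ".cmd", ".bat", ".pif", ".scr", ".vbs", ".js")


def parse_autorun(text: str) -> dict[str, str]:
    """Return the [autorun] section as lowercased key -> value.

    Hand-rolled instead of configparser so that section and key names compare
    case-insensitively (as Windows treats them) and a later duplicate wins.
    """
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def launch_targets(entries: dict[str, str]) -> dict[str, str]:
    """Map each launching directive to the (lowercased) program it names.

    Assumes the program path contains no spaces: anything after the first
    space is treated as arguments and dropped.
    """
    targets: dict[str, str] = {}
    for key, value in entries.items():
        if key in EXEC_KEYS or key.endswith(VERB_COMMAND_SUFFIX):
            parts = value.split()
            targets[key] = parts[0].lower() if parts else ""
    return targets


def audit_autorun(text: str, root_files: dict[str, set[str]]) -> list[str]:
    """Return human-readable findings for one autorun.inf.

    root_files maps lowercased file names in the drive root to their attribute
    letters as `attrib` prints them, e.g. {"d6fagcs8.cmd": {"H", "S", "R"}}.
    An empty list means the file only sets icon/label and launches nothing.
    """
    entries = parse_autorun(text)
    findings: list[str] = []
    for key, program in launch_targets(entries).items():
        findings.append(f"{key} launches {program!r} when the drive is opened")
        if program.endswith(EXEC_EXTENSIONS):
            attrs = root_files.get(program)
            if attrs is None:
                findings.append(f"{program!r} is not in the root listing (stale or already removed)")
            elif {"H", "S"} & attrs:
                findings.append(f"{program!r} is hidden/system in the root: USB-worm pattern")
    # shell=<verb> or shell\<verb>\default=1 make the hijacked verb Explorer's
    # default action, so double-clicking the drive no longer simply opens it.
    default_verb = entries.get("shell", "").lower()
    if default_verb and f"shell\\{default_verb}{VERB_COMMAND_SUFFIX}" in entries:
        findings.append(f"shell={default_verb} makes the hijacked verb the default action")
    for key in entries:
        if key.startswith("shell\\") and key.endswith("\\default"):
            findings.append(f"{key} overrides the default double-click action")
    return findings


# Constructed sample: the dropper name comes from frostburn's batch file above;
# the directive layout is illustrative, not a capture from a real drive.
SAMPLE_AUTORUN = """\
[AutoRun]
open=d6fagcs8.cmd
shell\\open\\Command=d6fagcs8.cmd
shell\\open\\Default=1
shell\\explore\\Command=d6fagcs8.cmd
shellexecute=d6fagcs8.cmd
"""
SAMPLE_ROOT = {
    "autorun.inf": {"H", "S", "R"},
    "d6fagcs8.cmd": {"H", "S", "R"},
    "boot.ini": {"H", "S", "R"},  # legitimate hidden/system file, never referenced
}

# A vendor autorun.inf that only brands the drive: nothing should be flagged.
BENIGN_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE_AUTORUN, SAMPLE_ROOT):
        print(finding)
    print("benign:", audit_autorun(BENIGN_AUTORUN, {"setup.exe": set()}))
```

The point of the root-listing cross-check is the one kellykln makes: a launching directive whose target is a hidden/system file sitting in the drive root is the signature of this family, whereas a vendor autorun.inf that only sets icon= and label= produces no findings. Run it against the autorun.inf on the USB stick before plugging the stick into a cleaned machine, since the reinfection path is the double-click itself.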
LVL 7

Expert Comment

by:manu4u
ID: 21997977
The easiest way is to download and run ComboFix.

You can get it from http://download.bleepingcomputer.com/sUBs/ComboFix.exe

