Author Topic: MisVh55_Fichiers.exe has infected my flash drive and phone  (Read 21968 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33903
  • malware fighter
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #15 on: March 26, 2008, 03:11:58 PM »
Hi jamesieza,

You have a nasty infection of amvo.exe.
I suggest you remove amvo.exe from your computer as soon as possible.
Amvo.exe is a Trojan/Backdoor.
Kill the process amvo.exe and remove amvo.exe from Windows startup.

How to get rid of it?

Step 1
The usual way is to format the system, but it is not a permanent solution. To get rid of it, run regedit and find all keys related to amvo.exe or the name of the virus.
Run msconfig; in the Startup tab you can find amvo.exe or its variants.
Remove all occurrences of the name from regedit.
Reboot the system.

Step 2
Reboot and make the following changes to the Registry using regedit (value name = data):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    SearchHidden = 1
    SearchSystemDirs = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 1
    ShowSuperHidden = 1
    SuperHidden = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
    CheckedValue = 1
    DefaultValue = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = 1
    DefaultValue = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun = 0x00000091 (145)



-- OR --

Reboot into a different OS and do the following

Step 3
From all the drives, delete the autorun.inf using the command line (if on Windows) or from a Linux OS. Do not open the drive from Explorer, as it would spread the virus again to this OS. If you have Linux installed and can access all partitions on the disk, go delete the files and clear the trash on all drives.

Step 4
Reboot the system.
Do necessary changes as in Step 2, if you have not done those.

I hope that will do it.
Install a good antivirus and update it.
Prevent Autorun from USBs.

To disable Autoplay of all drives
Start > Run > gpedit.msc

Enable: Computer Configuration > Administrative Templates > System > Turn Off Autoplay

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #16 on: March 26, 2008, 03:34:24 PM »
Okay, different tool.

Plug your drives in before running this one.

It is vitally important that ComboFix is renamed before it is even started to download.


Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**


  • If you are using Firefox, make sure that your download settings are as follows:

     -Tools->Options->Main tab
     -Set to "Always ask me where to Save the files".

  • During the download, rename Combofix to Combo-Fix as follows:





  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


DSS should have downloaded hijackthis for you.




jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #17 on: March 26, 2008, 04:40:42 PM »
Hi polonus

I am unable to access the run command or msconfig. oldman and I think that the virus has interfered here.

I am going to try this combo-fix tool.

Otherwise I may install Linux on one of my hard drives and try to follow your advice. I'm not very clued up on Linux though, so it may be tricky for me.


jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #18 on: March 26, 2008, 05:21:43 PM »
YAY, finally I've managed to run one of the tools you've suggested.

OK, I ran Combo-Fix without any errors  ;D

Here are the log files from ComboFix and a new HijackThis scan:

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #19 on: March 26, 2008, 06:22:10 PM »
<snip>
other wise I may install Linux on one of my hard drives and try follow your advice. I'm not very clued up on Linux though so it may be tricky for me.

Although not directly related to your immediate problem, something for the future.

You don't actually have to install it on your system; there are what are known as Live CD versions which will run from a bootable CD, like Knopix, and there are others. You ensure your BIOS is set to boot first from the CD drive, you put the live CD in and reboot. This is handy because you don't have to install, and it allows you to rummage round in your Windows partitions, etc.

You could do a google search, http://www.google.com/search?q=Knopix+live+CD or try Linux Live CD and that would give other Linux versions http://www.google.com/search?q=Linux+live+CD. There are plenty to choose from in both those searches.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #20 on: March 26, 2008, 06:40:27 PM »
Ah yes, I had one of these live CDs once; I've lost it though. In fact I have used this trick once before to recover data from an installation of Windows that went bad (power cut or something).

I'm gonna leave Linux as my last option for now. Also I would need to know exactly what to delete.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #21 on: March 26, 2008, 07:29:35 PM »
You are looking for autorun.inf to delete as in polonus's instruction step 3.
Quote from: polonus
Step 3
From all the drives delete the autorun.inf using command line (if on windows) or from a linux OS. Do not open the drive from the explorer as it would spread the virus again to this OS. If you have linux installed and can access all partitions on the disk, go delete the files and clear the trash on all drives.

You could go a step further and open the autorun.inf with whatever text editor is on the live CD; inside the autorun.inf there will be commands to run files, and you then also search for and remove those files.

I would try to get things prepared as in find a linux live cd or download an iso of a bootable live cd and burn a copy. That way if the worst came to the worst you already had the live cd.
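
Two pieces of the advice in this thread benefit from a worked check: polonus's Step 2/Step 3 (the NoDriveTypeAutoRun value and deleting autorun.inf from every drive) and DavidR's suggestion above to read autorun.inf and hunt for the files it launches. The Python below is an added example, not code from the forum posts or from any of the tools mentioned in them. It parses an autorun.inf the way Windows' tolerant INI reader does (blank lines, junk lines without '=' and decoy sections are ignored, which is why worms could pad the file without breaking it), lists every launch entry, and decodes a NoDriveTypeAutoRun value into the drive types it still leaves auto-running. The sample autorun.inf is constructed in the style of 2008 autorun worms and reuses the ntde1ect.com name from this thread (a look-alike of the legitimate boot file ntdetect.com, with a digit one in place of the 't'); it is not the file recovered from jamesieza's drives. One caveat worth knowing: 0x91, the XP default that polonus lists, sets only the 0x80, 0x10 and 0x01 bits, so removable drives (bit 0x04) still auto-run under it; 0xFF covers every drive type.

```python
"""Triage helpers for autorun.inf and the NoDriveTypeAutoRun policy.

Added example for this thread, not code from the forum posts or from any of
the tools mentioned in them. SAMPLE_AUTORUN_INF is constructed in the style of
2008 autorun worms and is NOT the file that was on jamesieza's drives.
"""
import re

# NoDriveTypeAutoRun (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
# Explorer) is a bit mask; a set bit switches AutoRun OFF for that drive type.
DRIVE_TYPE_BITS = (
    (0x01, "DRIVE_UNKNOWN"),
    (0x04, "DRIVE_REMOVABLE"),    # USB sticks and phones in mass-storage mode
    (0x08, "DRIVE_FIXED"),
    (0x10, "DRIVE_REMOTE"),
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "DRIVE_UNSPECIFIED"),  # drives whose type cannot be determined
)
ALL_DRIVE_TYPES = 0xFF

# Constructed sample: [autorun] hooks both context-menu verbs plus open=,
# then a junk line and a decoy section that Windows never looks at.
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=ntde1ect.com
shell\open=Open(&O)
shell\open\Command=ntde1ect.com
shell\open\Default=1
shell\explore=Explore(&X)
shell\explore\Command=ntde1ect.com
shellexecute=ntde1ect.com
shell=open
kJ7qZ2pLxwQe
[ZqVvRt]
open=calc.exe
"""

_VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")


def autorun_disabled(policy, drive_bit):
    """True if this NoDriveTypeAutoRun value switches AutoRun off for the drive type."""
    return bool(policy & drive_bit)


def uncovered_drive_types(policy):
    """Drive types that still auto-run under the given policy value."""
    return [name for bit, name in DRIVE_TYPE_BITS if not autorun_disabled(policy, bit)]


def parse_autorun_inf(text):
    """Collect the launch entries Windows honours in the [autorun] section.

    Mirrors the tolerant INI reader Windows uses: blank lines, ';' comments,
    lines without '=' and keys outside [autorun] are all ignored.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()

    # open= / shellexecute= name the program AutoRun launches (or offers in the
    # AutoPlay dialog); shell\<verb>\command= hooks the drive's context-menu
    # verbs, and shell=<verb> makes one of them the default double-click action.
    launches = [(k, v) for k, v in entries.items()
                if k in ("open", "shellexecute") or _VERB_COMMAND.match(k)]
    default_verb = entries.get("shell", "").lower() or None
    default_cmd = entries.get(f"shell\\{default_verb}\\command") if default_verb else None
    return {"launches": launches,
            "default_verb": default_verb,
            "default_verb_command": default_cmd}


def _basename(command):
    """First token of a command line reduced to its file name, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        token = command[1:].split('"', 1)[0]
    else:
        token = command.split()[0] if command.split() else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def referenced_executables(text):
    """File names the autorun.inf would launch: these are what to hunt on every drive."""
    return {_basename(v) for _, v in parse_autorun_inf(text)["launches"] if v.strip()}


if __name__ == "__main__":
    report = parse_autorun_inf(SAMPLE_AUTORUN_INF)
    for key, value in report["launches"]:
        print(f"{key:<24} -> {value}")
    print("default double-click verb:", report["default_verb"], "->", report["default_verb_command"])
    print("files to hunt on every drive:", sorted(referenced_executables(SAMPLE_AUTORUN_INF)))
    for policy in (0x91, ALL_DRIVE_TYPES):
        print(f"NoDriveTypeAutoRun=0x{policy:02X} still auto-runs:",
              uncovered_drive_types(policy) or "nothing")
```

Run it against an autorun.inf copied off the stick from the live CD and the set returned by referenced_executables() is the list of names to search for on every partition, as DavidR describes; the parser deliberately only reads the [autorun] section, which is also why the decoy [ZqVvRt] section's calc.exe never appears in the result.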

jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #22 on: March 26, 2008, 08:47:32 PM »
I got a live CD.

Gonna wait for oldman to comment on the results of my Combo-Fix attempt before I do Linux.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #23 on: March 27, 2008, 03:30:14 AM »
Now that we can see it, let's get its attention. You didn't tell me the drive letters, so I went from C-H. This autorun is a little different; it runs from a reg key or possibly just the Windows .inf. However it doesn't show in the log. We'll search for it at the end. Don't be alarmed if the search doesn't show anything, as it can run from a RunOnce key.

There are also signs of other, perhaps previous autorun infections.

Open HJT, run a system scan only, check mark these lines if present

O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
 


Close all other browsers/windows, click fix, close HJT.

We'll use OTMOVEIT2, plug in both drives, don't try to open them or access them. When OTMOVEIT2 is finished, remove the usb devices and we'll concentrate on your computer.   


Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\MisVh55.exe /s
D:\MisVh55.exe /s
E:\MisVh55.exe /s
F:\MisVh55.exe /s
G:\MisVh55.exe /s
H:\MisVh55.exe /s
C:\*_Fichiers.exe /s
D:\*_Fichiers.exe /s
E:\*_Fichiers.exe /s
F:\*_Fichiers.exe /s
G:\*_Fichiers.exe /s
H:\*_Fichiers.exe /s
C:\*_Saves.exe
D:\*_Saves.exe
E:\*_Saves.exe
F:\*_Saves.exe
G:\*_Saves.exe
H:\*_Saves.exe
C:\autorun.inf
D:\autorun.inf
E:\autorun.inf
F:\autorun.inf
G:\autorun.inf
H:\autorun.inf
C:\ntde1ect.com /s
D:\ntde1ect.com /s
E:\ntde1ect.com /s
F:\ntde1ect.com /s
G:\ntde1ect.com /s
C:\avpo.* /s
D:\avpo.* /s
E:\avpo.* /s
F:\avpo.* /s
G:\avpo.* /s
C:\avpo*.* /s
D:\avpo*.* /s
E:\avpo*.* /s
F:\avpo*.* /s
G:\avpo*.* /s
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60110454-e51d-11dc-9281-001485e36973}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4b7d6d-df2c-11dc-9272-001485e36973}




Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.


Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Now we'll search for the reg key

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop. 
 
Quote
RegSearch Options File 
 
[Search] 

MisVh55.exe
 


[Exclude] 
 

[Options] 
Filter=KVDLUI
 

2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.






jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #24 on: March 27, 2008, 09:42:44 AM »
I'm still working through the rest of the procedure.

OTMoveit Results:

[Custom Input]
< C:\MisVh55.exe /s >
File/Folder C:\MisVh55.exe not found.
< D:\MisVh55.exe /s >
File/Folder D:\MisVh55.exe not found.
< E:\MisVh55.exe /s >
File/Folder E:\MisVh55.exe not found.
< F:\MisVh55.exe /s >
F:\MisVh55.exe moved successfully.
< G:\MisVh55.exe /s >
File/Folder G:\MisVh55.exe not found.
< H:\MisVh55.exe /s >
File/Folder H:\MisVh55.exe not found.
< C:\*_Fichiers.exe /s >
File/Folder C:\*_Fichiers.exe not found.
< D:\*_Fichiers.exe /s >
File/Folder D:\*_Fichiers.exe not found.
< E:\*_Fichiers.exe /s >
File/Folder E:\*_Fichiers.exe not found.
< F:\*_Fichiers.exe /s >
F:\MisVh55_Fichiers.exe moved successfully.
< G:\*_Fichiers.exe /s >
File/Folder G:\*_Fichiers.exe not found.
< H:\*_Fichiers.exe /s >
File/Folder H:\*_Fichiers.exe not found.
< C:\*_Saves.exe >
File/Folder C:\*_Saves.exe not found.
< D:\*_Saves.exe >
File/Folder D:\*_Saves.exe not found.
< E:\*_Saves.exe >
File/Folder E:\*_Saves.exe not found.
< F:\*_Saves.exe >
File/Folder F:\*_Saves.exe not found.
< G:\*_Saves.exe >
File/Folder G:\*_Saves.exe not found.
< H:\*_Saves.exe >
File/Folder H:\*_Saves.exe not found.
< C:\autorun.inf >
File/Folder C:\autorun.inf not found.
< D:\autorun.inf >
File/Folder D:\autorun.inf not found.
< E:\autorun.inf >
File/Folder E:\autorun.inf not found.
< F:\autorun.inf >
File/Folder F:\autorun.inf not found.
< G:\autorun.inf >
G:\autorun.inf moved successfully.
< H:\autorun.inf >
File/Folder H:\autorun.inf not found.
< C:\ntde1ect.com /s >
File/Folder C:\ntde1ect.com not found.
< D:\ntde1ect.com /s >
File/Folder D:\ntde1ect.com not found.
< E\:ntde1ect.com /s >
File/Folder E\:ntde1ect.com not found.
< F:\ntde1ect.com /s >
File/Folder F:\ntde1ect.com not found.
< G:\ntde1ect.com /s >
G:\ntde1ect.com moved successfully.
< C:\avpo.* /s >
File/Folder C:\avpo.* not found.
< D:\avpo.* /s >
D:\WINDOWS\Prefetch\AVPO.EXE-2CB0A90C.pf moved successfully.
< E:\avpo.* /s >
File/Folder E:\avpo.* not found.
< F:\avpo.* /s >
File/Folder F:\avpo.* not found.
< G:\avpo.* /s >
File/Folder G:\avpo.* not found.
< C:\avpo*.* /s >
C:\_OTMoveIt\MovedFiles\03272008_103720\WINDOWS\Prefetch\AVPO.EXE-2CB0A90C.pf moved successfully.
< D:\avpo*.* /s >
File/Folder D:\avpo*.* not found.
< E:\avpo*.* /s >
File/Folder E:\avpo*.* not found.
< F:\avpo*.* /s >
File/Folder F:\avpo*.* not found.
< G:\avpo*.* /s >
File/Folder G:\avpo*.* not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60110454-e51d-11dc-9281-001485e36973} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60110454-e51d-11dc-9281-001485e36973}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4b7d6d-df2c-11dc-9272-001485e36973} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4b7d6d-df2c-11dc-9272-001485e36973}\\ deleted successfully.
 
OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03272008_103720
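
The OTMoveIt results above are easier to read once grouped by drive and by what each hit proves. The Python below is an added example, not part of OTMoveIt2 or of any other tool in this thread; it parses the "< pattern >" / "moved successfully." layout of that log (a subset of the lines posted above is embedded as the sample) and labels each hit. Two things it makes visible that the raw log does not: the D:\WINDOWS\Prefetch\AVPO.EXE-2CB0A90C.pf hit is Windows' prefetch record, meaning avpo.exe actually executed on the Windows install rather than just sitting on a stick; and the C:\_OTMoveIt\MovedFiles\... hit is the C:\avpo*.* pattern re-matching the same prefetch file after the D:\avpo.* pattern had already quarantined it, a self-hit rather than a second copy.

```python
"""Summarise an OTMoveIt2 results log by drive and by kind of artefact.

Added example for this thread, not part of OTMoveIt2 or any other tool named
here. SAMPLE_LOG is excerpted from the results jamesieza posted above; the
parser understands only that "< pattern >" / "moved successfully." layout.
"""
import re

SAMPLE_LOG = r"""
[Custom Input]
< C:\MisVh55.exe /s >
File/Folder C:\MisVh55.exe not found.
< F:\MisVh55.exe /s >
F:\MisVh55.exe moved successfully.
< F:\*_Fichiers.exe /s >
F:\MisVh55_Fichiers.exe moved successfully.
< G:\autorun.inf >
G:\autorun.inf moved successfully.
< G:\ntde1ect.com /s >
G:\ntde1ect.com moved successfully.
< D:\avpo.* /s >
D:\WINDOWS\Prefetch\AVPO.EXE-2CB0A90C.pf moved successfully.
< C:\avpo*.* /s >
C:\_OTMoveIt\MovedFiles\03272008_103720\WINDOWS\Prefetch\AVPO.EXE-2CB0A90C.pf moved successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60110454-e51d-11dc-9281-001485e36973} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60110454-e51d-11dc-9281-001485e36973}\\ deleted successfully.
"""

_PATTERN = re.compile(r"^< (?P<pattern>.+?) >$")
_MOVED = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) moved successfully\.$")
_REG_DELETED = re.compile(r"^Registry key (?P<key>.+?)\\\\ deleted successfully\.$")
QUARANTINE_DIR = "\\_otmoveit\\movedfiles\\"   # where OTMoveIt parks what it moved


def parse_otmoveit_log(text):
    """Pair every moved file / deleted key with the search pattern that hit it."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _PATTERN.match(line):
            current = m.group("pattern")
        elif m := _MOVED.match(line):
            findings.append({"pattern": current, "type": "file", "target": m.group("path")})
        elif m := _REG_DELETED.match(line):
            findings.append({"pattern": current, "type": "registry", "target": m.group("key")})
    return findings


def classify(finding):
    """Label a finding so the reader knows what it proves."""
    target = finding["target"].lower()
    if finding["type"] == "registry":
        # MountPoints2 is Explorer's per-device record of removable media,
        # including the autorun verbs it learned; the stale entries get deleted.
        return "mountpoints2" if "\\mountpoints2\\" in target else "registry"
    if QUARANTINE_DIR in target:
        # A later pattern matched a file an earlier pattern had already moved
        # into OTMoveIt's own folder: a self-hit, not a second infection.
        return "quarantine_rehit"
    if "\\prefetch\\" in target and target.endswith(".pf"):
        # Windows writes NAME-HASH.pf when NAME is executed: evidence it ran here.
        return "prefetch"
    if target.endswith("\\autorun.inf"):
        return "autorun.inf"
    return "payload"


def infected_drives(findings):
    """Drive letters on which something real was removed (self-hits excluded)."""
    return sorted({f["target"][0].upper() for f in findings
                   if f["type"] == "file" and classify(f) != "quarantine_rehit"})


def executable_from_prefetch(pf_name):
    """AVPO.EXE-2CB0A90C.pf -> avpo.exe (the hash after '-' is derived from the path)."""
    return pf_name.rsplit("-", 1)[0].lower()


def execution_evidence(findings):
    """(executable, prefetch file) pairs proving a payload ran on the Windows install."""
    return [(executable_from_prefetch(f["target"].rsplit("\\", 1)[-1]), f["target"])
            for f in findings if classify(f) == "prefetch"]


def by_drive(findings):
    """{drive: [(kind, basename), ...]} for the file findings, in log order."""
    table = {}
    for f in findings:
        if f["type"] != "file":
            continue
        table.setdefault(f["target"][0].upper(), []).append(
            (classify(f), f["target"].rsplit("\\", 1)[-1]))
    return table


if __name__ == "__main__":
    findings = parse_otmoveit_log(SAMPLE_LOG)
    for drive, items in sorted(by_drive(findings).items()):
        print(f"{drive}:", ", ".join(f"{kind}={name}" for kind, name in items))
    print("drives that carried the worm:", infected_drives(findings))
    print("execution evidence:", execution_evidence(findings))
```

On the sample this reports F: (two payload files) and G: (autorun.inf plus ntde1ect.com) as the media that carried the worm, D: as the Windows install where avpo.exe ran, and C: as nothing more than OTMoveIt finding its own quarantine folder.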

jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #25 on: March 27, 2008, 09:53:09 AM »
OK, results of RegSearch are attached.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #26 on: March 27, 2008, 02:08:22 PM »
Avast seems to have gotten most of the files that were present.

Any luck with regedit or viewing hidden files?

There wasn't a key present that it was running from and avast removed the file from windows.inf.

jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #27 on: March 27, 2008, 05:11:13 PM »
There wasn't a key present that it was running from and avast removed the file from windows.inf.

Not quite sure what you mean here?

YES I CAN:

RUN from the start menu
MSCONFIG
and REGEDIT


I am VERY HAPPY NOW !!!!

I will go and disable autorun now. They appear to do more harm than good.

Also I think I'll do another scheduled boot scan.

Then I'm going to change my passwords.

All that remains Is to wait and see if the service center has any luck with my cell phone.

 :D :D :DTHANK YOU ALL  :D :D :D

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #28 on: March 28, 2008, 01:24:40 AM »
If you're happy so are we. I meant this thing wasn't running from a reg key.

Maybe we are seeing a new generation of autoruns; this one was reported in March 08. No autorun.inf reported with it.

We have one more file to look for.

Open HJT, run a system scan only, check mark these lines if present

O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe

Close all other browsers/windows, click fix, close HJT.


Use OTMOVEIT2 like you did before, with the drives plugged in

C:\amvo.* /s
D:\amvo.* /s
E:\amvo.* /s
F:\amvo.* /s
G:\amvo.* /s
H:\amvo.* /s
C:\amvo*.* /s
D:\amvo*.* /s
E:\amvo*.* /s
F:\amvo*.* /s
G:\amvo*.* /s
H:\amvo*.* /s


After OTMOVEIT2 is finished, run Flash Drive Disinfecter, with the drives still plugged in. This will help prevent autorun infections.

You should now be able to clean up the tools you use.

* Click start button, run, then copy and paste the following line into the box and click ok.

Combo-Fix /u



*Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

* Remove old restore points

- Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.


* Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/


* If you are using windows firewall, please note that it doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0


* Check if you have insecure applications with Secunia Software Inspector

Let me know how you make out and if you still have problems. Plug your phone in and run flashdrive disinfecter on it too.