Help. Possible fake avast warning

[cajun]

Hi

I have a virus on all three machines in our house. 2 are running avast and it started on one of those. A few days ago the machine was reformatted and windows reinstalled, one of the others is brand new (it has avg free on it).

The first thing i did was install avast and update it. Then somehow in the next few hours I got infected. this is what id did, one of these actions must have put me at risk:
I plugged in my external hardrive,
dongle (a modem that uses celphone sim card to connet to the internet)
and also my memory stick.
I stopped the autorun window and scanned them first!
i also got data off a number of disks from years ago, maybe it was on one of those although I also scanned everything before opening it.
I also can't play dvd's as there is only windows mp 9 on the machine, so I downloaded divx from what looked like the official website.


All 3 machines are running xp pro by the way

So how do I know I have a virus?

firstly a window keeps popping up that looks like the image attached. I have tried both options, ignore and delete, either way it asks to run a boot time scan which detects nothing. I have also scheduled a boottime scan from the avast consol which also picked up nothing.
The warning window doesn't send off the usual siren and it does not have the black&yellow hazard warning picture. Is it the virus creating this window?

I can't turn on see hidden system files. as soon as I say ok, it resets to don't see them.

I have looked in my system32 folder and there is no visible NMDFGDS0.DLL

i have an autorun on my memory stick that just has one line in to make me see an icon I chose (i have so many plug in devices and can't tell them apart at a glance) This autorun disappeared. When i copied it back onto the memory stick i got a window asking if I wanted to replace autorun.ini (which is obviously invisible) with the one I was copying. I said yes. The one being replaced was about 350kb. after ejecting my memstick, when i put it back the autorun was gone again.

i now have exactly the same issue with my other old machine. The new laptop however, the one running avast, has not said anything except it found 2 infections, win32\Heur.dll and .dat which it deleted. I cant see hidden files on it either

I have done numerous scans, including a full deep scan of each machine and all usb devices (this has taken many hours)
avast still picks up nothing, however the inability to see hidden files is a big warning of a virus right?
So how do i find it and fix it?
And if i can't fix it and have to re-install windows (aaargh) how do I make sure not to get it again from my external drive (which i am not reformatting, it has 300gb of data on it)

please help/advise/reassure

thanks

I recently had a virus that

[Maxx_original]

this thing is related to http://avast.com/eng/win32-kavos.html and it is not a false detection..

[Maxx_original]

btw: it is better to use some file manager, which has no dependencies to explorer settings... you'll see the files probably in Total commander, FAR etc.

[cajun]

"this thing is related to http://avast.com/eng/win32-kavos.html and it is not a false detection.."

So how do I fix it. the page says update and run boot scan. I've been doing that for 3 days and nothing changes. And avast still detects nothing wrong. What else can I do?
   


"btw: it is better to use some file manager, which has no dependencies to explorer settings... you'll see the files probably in Total commander, FAR etc."

What do you mean? Is this to see hidden files?

[Maxx_original]

many malware families are targeting the hidden files visibility in explorer.. you've sent the file to us, we'll analyse it and update the detection, if necessary... things are going a bit slower during last few days, because we plan to release a new program version (very soon, the beta is out already) and finish some tasks related to the upcoming av-comparatives..

[cajun]

So it may just be a new virus then?
I will wait and keep updating and scanning.

In the meantime, is it safe for me to write to cd? I am teaching a class tonight and wanted to hand out my notes on disk (I go paper free as often as possible)
Or is there a chance the virus will write a copy to the disk (hidden of course)

[cajun]

Sorry another question...
When the window pops up, as it does throughout the ay, should I say delete or ignore? And then when it asks to shutdown an run a scan do I say yes or no?

[Maxx_original]

it is probably a new variant of known malware.. you can select the delete option... i would be not so afraid of burning data to the CD/DVD, your burning program should not be hijacked by the malware and it should burn only what you want..

[cajun]

Thank you

OK so I think I found something that may help. I used filesyc to compare my mem stick backup to whats currently on the stick. 2 things stood out. Theres the autorun, here are the contents

[AutoRun]
;k3Loq4s2drs7rl9oj3wasAL0s245D11Aik34r22wqaCKSdq33dDkDfil0rASOKs0scJl4Fidsr33r0
open=hl80c6b1.com
;14oawkK0Jw5owa7k2nOaD27kfk5De3js
shell\open\Command=hl80c6b1.com


and then there is a file called  hl80c6b1.com

if i delete either of them they come back

i also did a search for hl80c6b1.com and found three entries in the c:\WINDOW\prefetch folder

HL80C6B1.COM-1D184247.pf
HL80C6B1.COM-216C1556.pf
HL80C6B1.COM-2478B41E.pf

should I delete them?

it will be harder to find on the external hardrive as it has so much data on it

thanks again for your help. I'm sorry if I wasn't following a friendly protocol when I started, just feeling under a lot of pressure.

[Maxx_original]

you can remove these autoruns, if you are able to do that within the file manager...

[cajun]

I tried to delete the autorun from within filesync, but it cames back again.
Are you saying I should delete the prefetch files?
Will that enable me to clean out the autoruns and virus from my drives?

the avast window still keeps popping up saying delete or ignore, either way nothing happens. Or maybe it does delete the file but it comes back again.

[Mr.Agent]

if you think you got a virus on your pc i think the best thing is the boot scan if boot scan didnt find nothing then do a full scan with avast

[Maxx_original]

nope.. the prefetch files are *useless* from this point of view... the detection of Kavo family of malware will be updated during next week (we're still collecting the samples of this new variant)..

[cajun]

I ran AVG free on the machine, as it seems to have found the virus on the other laptop which ism't running avast.

It found and quarantined a file called olhrwef.exe in the windows system32 folder

if that helps your data collection.

[cajun]

What I've read about this virus type is that it's a keylogger right?

Is it safe for me to do internet banking with this machine? ie log onto my bank account