Can't view hidden files and folders?

Symptoms

  1. You can't see hidden files and folders, even if you try modifying registry.
  2. Whenever you double click on drive icon on My Computer, it takes some time to open and always opens in new window.
  3. Your PC becomes a little slower.
  4. The Process is packed and/or encrypted using a software packing process
  5. This Process Creates Other Processes On Disk
  6. This Process Deletes Other Processes From Disk
  7. Loads and Executes a System Driver File
  8. Writes to another Process's Virtual Memory (Process Hijacking)
  9. Registers a Dynamic Link Library File
  10. The Process is polymorphic and can change its structure
  11. Violates Prevx File Security Settings
  12. Executes a Process
  13. Adds a Registry Key (RUN) to auto start Programs on system start up
  14. The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
  15. Modifies Windows Initialization And System Settings Used On Start up
Causes
  1. This problem can be a caused by a backdoor/Trojan amvo.exe
  2. amvo.exe is bundled with several other worms/files some of them are
    1. 80avp08.com
    2. dosocom.com
    3. usdeiect.com
    4. xfoolavp.com
    5. autorun.inf
    6. Nideiect.com
    7. u.bat etc..
  3. These files are stored on the directories i.e. C:\, D:\ etc. and also on C:\windows\system32\amvo.exe
  4. You wouldn't be able to delete any of these files. Not even in Safe mode because it adds a autorun registry which loads amvo on boot.
Solution

  1. KILL all the processes like AMVO.exe or AVPO.exe
  2. Type "msconfig" without quote in run and press Enter.
    1. Go to startup tab and uncheck any entry on amvo.
  3. Type "cmd" without quote in run
    1. type "d:" and then press Enter
    2. type autorun.inf and then press Enter
    3. a file will open in notepad. this would have the name of the .exe/.bat/.com file in it, which is mounted at the boot time.
  4. Type "regedit" without quote in run and press Enter.
    1. Press Ctrl+F and type amvo, do the search again and again and delete all the related entries.
    2. Press Ctrl+F and type u.bat, do the search again and again and delete all the related entries.
    3. Press Ctrl+F and type amva, do the search again and again and delete all the related entries. Generally it should be HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\amva
    4. search for the registry of file name which was entered in autorun.inf and delete all entries.
Now restart the computer. and do the followings
  1. Go to regedit and then HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Advanced\Folder\Hidden\SHOWALL
  2. Double click on the entry called CheckedValue and replace the 0 with 1.
  1. Now Close all the windows and Press Ctrl+E to open the explorer.
  2. Enable the hidden option from the folder options.
  3. Delete all the malicious files as mentioned above.
  4. Your computer is now trojan free.
  5. Find all the amvo related files and delete them. (some of them are amvo0.dll, amvo1.dll etc.)
Prevention

Generally this Trojan travels through a USB drive. so better explorer USB drive rather than opening it.
Posted by aditya at 7:24 AM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)