techian.com

A Blog With No Limits

Archive for the ‘ virus removal ’ Category

Drivemonitor.exe, flashguard.exe and driveguard.exe
are all the same thing: variants of Win32.Worm.Autoit.AL

Spreading: low
Damage: medium
Size: 212 Kb
Discovered: 2008 Jul 24

Indicators of infection are the presence of the following files:

%programfiles%\FlashGuard\FlashGuard.exe
%windrive%\FlashGuard\ReadMe.txt
%windrive%\FlashGuard\FlashGuard.exe

and the presence on removable drives of an autorun.inf that contains:

[autorun]
open=System\Security\DriveGuard.exe -run
shell\Open=&Open
shell\Open\Command=System\Security\DriveGuard.exe -run
shell\Explore=&Explore
shell\Explore\Command=System\Security\DriveGuard.exe -run

technical description:
This worm poses as a friendly application, one that claims to protect your removable drives from other pieces of malware.

The malicious file copies itself to %programfiles%\FlashGuard\FlashGuard.exe

It also includes a readme file that reads:
“This tiny software is used to protect removable storage devices from
worms that are spread from one PC to another. “

It creates the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
with the value "%windrive%\FlashGuard\FlashGuard.exe" -run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
with the value "%windrive%\FlashGuard\FlashGuard.exe" -run

Copies the readme file to %windrive%\FlashGuard\ReadMe.txt

It checks whether any of the following processes is running:
iexplore.exe, alg.exe, csrss.exe, cssrs.exe, cssrss.exe, explore.exe,
expIorer.exe, csrss.exe, iexplorer.exe, lexplore.exe, lsass.exe, lssas.exe,
lssass.exe, scshost.exe, scvhost.exe, scvhsot.exe, smss.exe, smsss.exe,
spoolss.exe, spoolsv.exe, spoolvs.exe, ssms.exe, sssms.exe, ssvhost.exe,
svchost.exe, svchsot.exe, serivces.exe, taskmgr.exe, wilnogon.exe, winl0g0n.exe,
winlgoon.exe, winlogno.exe, winlogon.exe, wlnlogon.exe
and, if the process image is not one of these legitimate paths:
\Program Files\Internet Explorer\iexplore.exe,
\system32\svchost.exe,
\system32\lsass.exe,
\system32\csrss.exe,
\system32\alg.exe,
\system32\winlogon.exe,
\system32\smss.exe,
\system32\spoolsv.exe,
\system32\taskmgr.exe
the process is terminated and its file is renamed with a ".bak" extension. Most of the names on that list are misspellings of real Windows system processes, so this step kills competing malware that hides behind lookalike names.
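The process list above is mostly misspellings and homoglyph variants of real Windows system process names (scvhost.exe for svchost.exe, expIorer.exe with a capital I for explorer.exe, winl0g0n.exe with zeros). The same two checks the worm applies, name and image path, make a useful defensive triage rule for a Task Manager or Process Explorer snapshot. The following Python is an added example, not code from the original post: KNOWN_SYSTEM is a constructed table of a few XP-era system binaries and their expected directories, and the snapshot in demo() is made up.

```python
"""Triage running processes for impersonation of Windows system binaries.

Added example, not code from the original post. KNOWN_SYSTEM is a constructed
table of a few XP-era system binaries and the directory each one is expected
to run from; the process snapshot in demo() is made up.
"""
import ntpath

# Constructed reference table: canonical name -> expected directory (lowercase).
KNOWN_SYSTEM = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

# Glyphs that are easily confused in the Task Manager font; fold each group to
# one representative before comparing names.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def normalize(name):
    return name.lower().translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters each cost 1 (scvhost vs svchost is 1)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(name, path, max_distance=1):
    """Return (verdict, reason) for one process given its name and image path.

    Two checks, mirroring the worm's own logic but used defensively: a real
    system name must run from its real directory, and an unknown name must
    not be a near-miss of a real one after homoglyph folding.
    """
    lname = name.lower()
    ldir = ntpath.dirname(path).lower()  # ntpath handles C:\ paths on any OS
    if lname in KNOWN_SYSTEM:
        if ldir == KNOWN_SYSTEM[lname]:
            return "ok", "known system binary in its expected directory"
        return "suspicious", f"system name running from unexpected directory {ldir}"
    norm = normalize(lname)
    for good in KNOWN_SYSTEM:
        d = edit_distance(norm, normalize(good))
        if d <= max_distance:
            return "suspicious", f"looks like {good} (distance {d} after homoglyph folding)"
    return "unknown", "not a known system name; check its path and publisher"


def triage(snapshot):
    """Run classify() over (name, path) pairs and keep only the suspicious ones."""
    flagged = []
    for name, path in snapshot:
        verdict, reason = classify(name, path)
        if verdict == "suspicious":
            flagged.append((name, path, reason))
    return flagged


def demo():
    # Constructed snapshot mixing genuine processes with names from the worm's list.
    snapshot = [
        ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
        ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
        ("expIorer.exe", r"C:\WINDOWS\expIorer.exe"),
        ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),
        ("winl0g0n.exe", r"C:\DOCUME~1\user\LOCALS~1\Temp\winl0g0n.exe"),
        ("svchost.exe", r"C:\FlashGuard\svchost.exe"),
        ("notepad.exe", r"C:\WINDOWS\notepad.exe"),
    ]
    return triage(snapshot)


if __name__ == "__main__":
    for name, path, reason in demo():
        print(f"{name:14} {path:45} {reason}")
```

With max_distance=1 the rule catches the transposed and homoglyph names on the worm's list but not names two edits away (scshost.exe, sssms.exe); raising the threshold catches those at the cost of more questions about legitimate unknown processes, so the "unknown" verdict is worth reviewing by hand either way.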

This worm also removes all files from C:\heap41a that belong to other malicious programs.

It re-enables Task Manager if it has been disabled.

It infects any removable drive by writing an autorun.inf and a copy of itself
to %drv%\System\Security\DriveGuard.exe with the hidden attribute set.

payload:

It downloads executable files from http://[removed]/lndexnew.jpg
and http://[removed]/lndexnew.txt, copies them to the temporary directory under a random name,
and creates the registry key HKLM\software\microsoft\windows\currentversion\RunOnce\temp_cleanup
with the value "%temp_path%\[random].exe".
All downloaded files are backdoors.


Portable Autorun Virus Remover 2.3 | 1.45 MB

Autorun Virus Remover provides protection against any malicious programs trying to attack via USB drive. When a USB device is inserted into your computer, Autorun Virus Remover will automatically scan it and block and delete autorun viruses, trojans and malicious code. It can also detect and remove USB viruses such as the autorun.inf virus on your computer, and it can remove the autorun virus that stops you opening your hard disk or USB drive (pen drive, memory card) by double-clicking. Autorun Virus Remover is USB antivirus software that permanently protects an offline computer against any USB virus without the need for signature updates. This light and easy-to-use solution is compatible with all software and doesn't slow down your computer at all.

File: portable_autorun_virus_remover_2.3_-_www.freshwap.net.rar
Download
File-Size: 1.41 MB

Many of us have faced this problem: on double-clicking a drive it doesn't open; instead Windows asks what to "open with".

What the hell... how can you open your drives with some other software?

This happens because your system is infected with a virus that has created an autorun.inf file in your drives.

Try to find the root cause: some copy.exe virus or other stupid virus has caused it and is still active.

So open Task Manager, look at the Processes tab, try to identify the unknown process, select it and click End Task.

Process Explorer from Microsoft may help if you are not good at this stuff; you can find the download link with a web search.

After killing the process, delete its entry from startup too, including the registry Run key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Then our task is to remove the autorun.inf file.

Click Start > Run, type cmd and press Enter.

Type the following commands:

cd\

attrib -s -h -r autorun.inf

del autorun.inf

Repeat these commands for each drive you have.

To change drive in cmd, for example to D:, just type

d:

and press Enter.

Simple :-)
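The same procedure in Python, as an added example that is not code from the original post: it parses the autorun.inf first and reports which executables the file would launch or hang on the drive's Open/Explore menu entries (so you can see where the dropped file lives before deleting anything), and only then does the attrib -r and del steps. It runs against a throwaway directory standing in for a removable drive; the autorun.inf written into it is the one quoted in the FlashGuard write-up above, embedded here as constructed sample data. The function names (parse_autorun, launch_targets, remove_autorun, demo) are chosen for this example.

```python
"""Inspect and, once reviewed, remove autorun.inf from a drive root.

Added example, not code from the original post. It builds a throwaway
directory that stands in for a removable drive, writes the autorun.inf quoted
in the FlashGuard write-up into it as constructed sample data, reports which
executables the file would launch, and only then performs the attrib -r / del
steps from the post via Python calls. Function names are chosen here.
"""
import os
import shutil
import stat
import tempfile

# Constructed sample: the autorun.inf the FlashGuard/DriveGuard worm drops.
SAMPLE_AUTORUN = """[autorun]
open=System\\Security\\DriveGuard.exe -run
shell\\Open=&Open
shell\\Open\\Command=System\\Security\\DriveGuard.exe -run
shell\\Explore=&Explore
shell\\Explore\\Command=System\\Security\\DriveGuard.exe -run
"""

# [autorun] keys that execute something on insert or double-click.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """List (key, command) pairs an autorun.inf would run directly or hang on
    the drive's Open/Explore context-menu entries."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def remove_autorun(drive_root, dry_run=True):
    """Report on drive_root\\autorun.inf and delete it unless dry_run.

    Run with dry_run=True first on a real drive and read the targets: an
    autorun.inf whose commands point at an executable hidden on the drive
    itself is exactly the pattern described above.
    """
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.exists(path):
        return {"present": False, "targets": [], "removed": False}
    with open(path, "r", errors="replace") as fh:
        targets = launch_targets(fh.read())
    removed = False
    if not dry_run:
        # The attrib -r step: on Windows, DeleteFile refuses read-only files.
        # (attrib -s -h matters for cmd's del, which skips hidden/system files;
        # os.remove does not look at those bits.)
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
        os.remove(path)
        removed = True
    return {"present": True, "targets": targets, "removed": removed}


def demo():
    """Fake drive: dry run, real removal, then confirm the file is gone."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    try:
        inf = os.path.join(root, "autorun.inf")
        with open(inf, "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        os.chmod(inf, stat.S_IREAD)  # read-only, as the worm leaves it
        return (remove_autorun(root, dry_run=True),
                remove_autorun(root, dry_run=False),
                remove_autorun(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for step in demo():
        print(step)
```

On a real machine you would call remove_autorun(r"D:\", dry_run=True) for each drive letter, read the reported targets, delete the executable they point at along with the autorun.inf, and only then re-run without dry_run.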

amvo.exe virus removal

Posted on July 8, 2008 by admin | No Comments

amvo

removal methods

The Amvo virus attacks Yahoo! Messenger.
It consists of 3 files:
windows\system32\amvo.exe
windows\system32\amvo1.dll
windows\system32\amvo0.dll

Just delete these 3 files and the virus is gone, and do not forget to remove the startup entry for amvo.exe, either from msconfig, regedit or any 3rd-party tool:

1. Open Task Manager
2. End Task Explorer.exe
3. Select Run from File Menu
4. Type cmd (press enter)
5. In Command Prompt Type: cd %windir%\system32
6. Type: attrib -s -h -r amvo*.*
7. Type del amvo*.*
8. Remove startup entries and virus is gone :)

http://mtaram.wordpress.com/2008/01/03/computer-troubleshooting-virus-issues/

Posted on January 3, 2008 by mtaram

Recently I had big-time trouble with my computer: all the drives failed to open on double-clicking and showed me an application selection window instead. After searching through the running processes and other settings I found that the show hidden files option in Folder Options was also not working.

With the help of one of my friends [MOHIT] I fixed the issues.

The problem was due to amvo.exe amvo0.dll ampo.exe amvol.dll xfoolavp.com usdeiect.com and autorun.inf present in every drive’s root.

The fix works as follows…

Open Task Manager (if your Task Manager doesn't open and shows errors and warnings, then use this tool:
http://www.brothersoft.com/rrt-(remove-restrictions-tool)-60879.html)
and end task the above-mentioned processes if you see them in the running process list on the Processes pane. Then go to the Applications pane, click on New Task and type in cmd or command. Once at the command prompt, type in "cd\" without the quotes to go to the root of the current drive. Then type "del /f /a /s /q" followed by the name of one of the files mentioned above (this method can also be used to force-delete any unwanted file); use this method to delete all the above-mentioned files from the root of every drive.

After this, open the registry editor by clicking on New Task and typing in "regedit" without quotes. Then go to HKCU > software > microsoft > windows > current version > explorer > advanced, look for the Hidden key in the right pane and change the value from 2 to 1.

And to fix the issues with drives not opening, or search opening on double-click, download this .reg file
http://megamachine.infinites.net/open.reg
(right-click and "save target as"), double-click it and add it to your registry.

or do this…

Copy everything under this line, paste it into Notepad, save it with a .reg extension on your desktop and double-click it.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\shell]
@="Open"
[HKEY_CLASSES_ROOT\Directory\shell\Explore]
[HKEY_CLASSES_ROOT\Directory\shell\Explore\command]
@="%SystemRoot%\\Explorer.exe /e,/root,\"%1\""
[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec]
@="[ExploreFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Directory\shell\find]
"SuppressionPolicy"=dword:00000080
[HKEY_CLASSES_ROOT\Directory\shell\find\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,00,00
[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec]
@="[FindFolder(\"%l\", %I)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Directory\shell\Open]
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012
[HKEY_CLASSES_ROOT\Directory\shell\Open\command]
@="%SystemRoot%\\Explorer.exe /idlist"
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec]
@="[ViewFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec\ifexec]
@="[]"
[HKEY_CLASSES_ROOT\Folder\shell]
@="open"
[HKEY_CLASSES_ROOT\Folder\shell\explore]
"BrowserFlags"=dword:00000022
"ExplorerFlags"=dword:00000021
[HKEY_CLASSES_ROOT\Folder\shell\explore\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,20,00,2f,00,65,00,2c,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,\
00,25,00,49,00,2c,00,25,00,4c,00,00,00
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec]
@="[ExploreFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\ifexec]
@="[]"
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Folder\shell\open]
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012
[HKEY_CLASSES_ROOT\Folder\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,20,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,00,25,00,49,00,2c,\
00,25,00,4c,00,00,00
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec]
@="[ViewFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\ifexec]
@="[]"
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Drive\shell]
@="open_[1]"
[HKEY_CLASSES_ROOT\Drive\shell\find]
"SuppressionPolicy"=dword:00000080
[HKEY_CLASSES_ROOT\Drive\shell\find\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,00,00
[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec]
@="[FindFolder(\"%l\", %I)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Drive\shell\open]
[HKEY_CLASSES_ROOT\Drive\shell\open\command]
@="%SystemRoot%\\Explorer.exe /idlist,%I,%L"
[HKEY_CLASSES_ROOT\Drive\shell\open\ddeexec]
[HKEY_CLASSES_ROOT\Drive\shell\open\ddeexec\topic]
@="AppProperties"

another solution [simple]

driveguard.exe virus

Posted on July 8, 2008 by admin | No Comments

Removal of the Driveguard.exe virus is very easy: just open Task Manager and end the process driveguard.exe, and if any process with a .tmp extension is running, end that too. Now remove its entry from startup via msconfig. Also don't forget to delete your temp files.

How I found it:
Today one of my friends came to me for some files from my system. He inserted his pen drive and clicked here and there... result: PC got infected.

I found the process driveguard.exe in Task Manager.

It was trying to access the site
http://www.freewebs.com/microsotf/
and download some Update-KB684903-x86.exe file:
http://rapidshare.com/files/127625927/Update-KB684903-x86.rar.html

which was detected by NOD as a trojan.

The site is still alive, as the admins of freewebs are too damn lazy to take action.

Download link for the driveguard file:
http://rapidshare.com/files/127625326/WinDriveGuard.rar.html

Read the text file: it claims to be a "spyware removal tool".

removing virus manually

Posted on July 8, 2008 by admin | No Comments

Virus Problems..

Common symptoms:
1. Folder Options will not be visible
2. Task Manager disabled
3. regedit disabled
4. on double-clicking any folder it opens in a new window even if your settings are correct
etc. etc.
HOW TO REMOVE VIRUS MANUALLY.
Tools required
1. Restriction Removal Tool
link: http://www.softpedia.com/get/Security/Security-Related/RRT-Remove-Ristrictions-Tool.shtml
http://www.esnips.com/doc/c90f7814-42e8-4586-bc4e-4140696e8fc7/RRT
2. UnHackMe
http://www.greatis.com/unhackme/download.htm
3. HijackThis
http://www.esnips.com/doc/83f6253f-00a5-4763-bd59-8252244158fd/hijackthis_sfx
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
4. Process Explorer
from the Microsoft site

If your PC is infected with a virus, the most common symptom of all is that Folder Options is disabled; you may also be unable to open Task Manager, etc.


The first step is to identify the virus process.
Process Explorer will help you, and you can see the path of the installed file on your system.

Now use the Restriction Removal Tool to remove the taskbar, Folder Options and other restrictions.

Now our aim is to remove the running virus process:
use HijackThis and select the virus process. It will remove the process from the startup registry too.

Finally try UnHackMe to remove rootkits.

Many viruses can be removed this way, but many still remain on your PC. In such situations, search the web for manual removal methods. Once the restrictions are removed you should be able to use Task Manager and the regedit command.

Restriction Removal Tool [RRT]



Simple to use.

Just click on a restriction,

and after selecting them click on "Check All".

Hijack This


It is used to remove the entries for the process from the registry.

You may use it to view all running processes and their paths.

Just scan once, mark the entries to be deleted and then click on "Fix checked".

If you wish you may save the log file too.

I think I have given useful information about removing viruses manually from your system.
If you still have problems you are free to contact me, either through my communities
1.Hacking and Virus Writing [http://www.orkut.com/Community.aspx?cmm=26828468]
2.Virus Writing [http://www.orkut.com/Community.aspx?cmm=1450780]
or through mail.
egunda@gmail.com

Remove: Shut Down Virus

Posted on February 13, 2008 by admin | No Comments

If you're getting

"svchost.exe" errors with RPC messages and reboots

OR

"NT Authority... shut down in 1 min"

it sounds like you've got the "Blaster Worm":
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

This is the hole it exploits; your computer is being accessed through it. Download the MS03-026 patch from Microsoft:
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Fixes Available here
http://support.microsoft.com/?kbid=823980

More Links
http://www.cert.org/advisories/CA-2003-19.html

Automatically Remove the Virus with
http://www.sophos.com/misc/blastsfx.exe

Download and run it, it will create a directory called SOPHTEMP

From Command line type

C:\SOPHTEMP\RESOLVE.COM -DF=BLASTERA.DAT -NOC

How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the ‘End Process’ (in Windows 95/98/Me ‘End Task’) button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type ‘Regedit’ and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

in the righthand pane select

windows auto update = msblast.exe

and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.

Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.

How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft’s DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.
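That propagation pattern, one host probing many others on the DCOM RPC port and the hosts it reaches then pulling a file from it over TFTP, is visible in ordinary firewall logs. The Python below is an added example, not part of the original post or of the Sophos text it quotes: the log lines and their column layout are constructed for the demonstration, and TCP/135 and UDP/69 are the standard DCOM RPC endpoint-mapper and TFTP ports.

```python
"""Spot Blaster-style DCOM RPC scanning in firewall logs.

Added example, not from the original post. The log lines and their format
are constructed for this demonstration: one connection attempt per line as
'<timestamp> <proto> <src_ip> <dst_ip> <src_port> <dst_port>'. TCP/135 is the
DCOM RPC endpoint the worm probes; UDP/69 is TFTP, which an infected machine
makes its victims use to fetch msblast.exe from it.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.7 sweeps ten hosts on TCP/135, then one of the
# hosts it hit fetches something from it over TFTP. 10.0.0.42 is ordinary
# traffic (one file-sharing connection and one legitimate RPC connection).
SAMPLE_LOG = "\n".join(
    [f"2003-08-12T10:00:{i:02d} TCP 10.0.0.7 10.0.1.{i} {1030 + i} 135"
     for i in range(1, 11)]
    + [
        "2003-08-12T10:00:12 UDP 10.0.1.9 10.0.0.7 1041 69",
        "2003-08-12T10:00:13 TCP 10.0.0.42 10.0.5.5 2200 445",
        "2003-08-12T10:00:14 TCP 10.0.0.42 10.0.5.6 2201 135",
    ]
)


def parse_line(line):
    """Split one constructed log line into a record."""
    ts, proto, src, dst, sport, dport = line.split()
    return {"ts": ts, "proto": proto, "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport)}


def detect_rpc_scanners(log_text, min_targets=8):
    """Return one finding per source that probed TCP/135 on at least
    min_targets distinct hosts, together with any hosts that then pulled a
    file from that source via TFTP (the worm's propagation step)."""
    rpc_targets = defaultdict(set)   # scanning host -> hosts it probed on 135
    tftp_clients = defaultdict(set)  # tftp server -> hosts that fetched from it
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] == "TCP" and rec["dport"] == 135:
            rpc_targets[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "UDP" and rec["dport"] == 69:
            tftp_clients[rec["dst"]].add(rec["src"])
    findings = []
    for src, probed in sorted(rpc_targets.items()):
        if len(probed) < min_targets:
            continue  # a few RPC connections are normal Windows behaviour
        fetched = tftp_clients.get(src, set())
        findings.append({
            "host": src,
            "rpc_targets": len(probed),
            "tftp_fetched_by": sorted(fetched),
            # Hosts that were both probed and then fetched from the scanner:
            # the strongest sign that a new infection took place.
            "likely_new_infections": sorted(probed & fetched),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_rpc_scanners(SAMPLE_LOG):
        print(finding)
```

The scanner itself is the host to isolate and patch first; each address under likely_new_infections should be treated as infected too, since it has already fetched the worm copy and will start scanning in turn.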

My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to “Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly”. This prevents the required patches and files from being downloaded.

On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.

To do this:

go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click ‘Change settings of this connection’
click Advanced
click ‘Protect my computer…..’
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

Select Start|Run and type
dcomcnfg.exe.
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect ‘Enable distributed COM’, click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Windows NT/2000

Select Start|Run and type
dcomcnfg.exe.
Select the Default Properties tab.
Deselect ‘Enable distributed COM on this computer’, click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Safe Computing (-: