MMVO Virus Removal
Recently (June 2008), some of the computers in my university's laboratory were infected by a trojan virus. The name of the virus differs from vendor to vendor:
- Trojan-PSW.Win32.OnLineGames.alex [Kaspersky Lab]
- Packed.Generic.61 [Symantec]
- W32/Autorun.worm.bx.gen.dll [McAfee]
- WORM_ONLINEG.UGZ [Trend Micro]
It is mainly propagated through USB drives and installs itself in the system directory.
How do you know if your computer is infected?
Open the Windows console: Start -> Run -> (type:) cmd, and click "OK". Then type:
C:\> del C:\windows\system32\mmvo (and press the TAB key)
If the last part automatically changes from "mmvo" to "mmvo.exe" or "mmv0.dll" or something similar, then your computer is infected.
Even if you press the Enter key after that command, you will not be able to delete the file.
So I will explain how to do it in a moment.
How do you know if your USB is infected?
If you find any file ending with ".cmd" together with an "autorun.inf" file, it is very probable that it is infected.
Antispyware, Antimalware and Antivirus Software
I tried some applications to detect and remove the virus, with these results:
Software                              | Virus in Memory | Virus Files | Remove
Symantec Antivirus                    | Partial         | Failed      | Failed
ClamWin Antivirus (Free)              | Good            | Failed      | Failed
Lavasoft Ad-aware (Free)              | Failed          | Failed      |
Panda Software                        | Partial         | Failed      | License Required
PrevxFree                             | Good            | Good        | License Required
Windows Defender (Free)               | Failed          | Failed      |
Microsoft Malware Removal Tool (Free) | Failed          | Failed      |
According to the previous table, Prevx seems to be the only one (of those I tested) that fully detects the virus. However, in order to try to remove the virus, a license must be bought.
I will explain how to remove the virus manually.
How do I remove that virus from my USB?
Removing the trojan from your USB is easier than removing it from your Windows computer.
The best way is to open your USB on a Mac or Linux system (so that the host cannot be infected by it). Locate and remove any file that ends with .cmd, the autorun.inf file, and any other file whose name looks like randomly generated code (e.g., 6KTHP0.cmd). I recommend removing the RECYCLER folder (if present). In case some file cannot be removed, rename it to something else.
If you don't have a Linux or Mac computer nearby, you may first remove the virus from the USB before removing it from your computer. I cannot be sure that the virus will not reinfect your USB at any moment after you "clean" it.
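The USB checks described above (an autorun.inf next to .cmd files with random-looking names, plus a RECYCLER folder) and the "delete, or rename if you cannot delete" clean-up can be scripted so that the drive is inspected from a Linux or Mac host, where nothing on it can run. The following is an added example, not code from the original post: it parses autorun.inf to show which command Windows would have launched, flags the indicator files, and renames them into an inert state. The sample drive it builds, its file names and the [AutoRun] keys it uses are constructed for the demonstration and modelled on the post's examples.

```python
"""USB triage for the autorun.inf + random-name .cmd pattern described above.

Added example, not code from the original post. Run it from a Linux or Mac
host against the USB drive's mount point, as the post recommends. The sample
drive built by build_sample_usb() is constructed for the demonstration.
"""
import configparser
import os
import re
import sys
import tempfile

# Indicators the post lists on an infected USB drive.
AUTORUN_NAME = "autorun.inf"
SUSPECT_DIRS = {"recycler"}
# A "randomly generated code" name such as 6KTHP0.cmd: a short run of
# upper-case letters and digits with a .cmd extension (assumed pattern).
RANDOM_CMD_RE = re.compile(r"^[A-Z0-9]{5,8}\.cmd$", re.IGNORECASE)


def parse_autorun(path):
    """Return the commands an autorun.inf asks Windows to launch.

    Reads the 'open' and 'shellexecute' keys of the [autorun] section (the
    section name is matched case-insensitively). Real autorun.inf files are
    often padded with junk lines, so a parse failure is reported as a value
    instead of raising.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            cp.read_file(fh)
    except configparser.Error as exc:
        return {"error": exc.__class__.__name__}
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {key: cp[section][key]
            for key in ("open", "shellexecute") if key in cp[section]}


def triage_usb(mount_point):
    """Inspect the top level of the drive; return (kind, path, detail) tuples."""
    findings = []
    for name in sorted(os.listdir(mount_point)):
        full = os.path.join(mount_point, name)
        lower = name.lower()
        if os.path.isdir(full):
            if lower in SUSPECT_DIRS:
                findings.append(("suspect-folder", full, ""))
            continue
        if lower == AUTORUN_NAME:
            launches = parse_autorun(full)
            detail = "; ".join(f"{k}={v}" for k, v in launches.items())
            findings.append(("autorun", full, detail))
        elif RANDOM_CMD_RE.match(name):
            findings.append(("random-cmd", full, ""))
        elif lower.endswith(".cmd"):
            findings.append(("cmd-file", full, ""))
    return findings


def quarantine(findings, dry_run=False):
    """Rename each flagged item so it no longer carries an autorun/.cmd name.

    Renaming is the post's fallback when deletion fails, and it is the safer
    default here: Windows only honours the exact name autorun.inf, so the
    renamed items are inert but stay available for inspection before you
    delete them. Returns the (old, new) path pairs.
    """
    moves = []
    for _kind, path, _detail in findings:
        target = path + ".quarantined"
        if not dry_run:
            os.rename(path, target)
        moves.append((path, target))
    return moves


def build_sample_usb():
    """Create a throwaway directory that mimics an infected drive (constructed)."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=6KTHP0.cmd\nshellexecute=6KTHP0.cmd\n")
    open(os.path.join(root, "6KTHP0.cmd"), "w").close()   # the launcher
    os.mkdir(os.path.join(root, "RECYCLER"))
    open(os.path.join(root, "holiday.jpg"), "w").close()  # a benign user file
    return root


if __name__ == "__main__":
    # Usage: python usb_triage.py /media/usb [--quarantine]
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_usb()
    found = triage_usb(root)
    for kind, path, detail in found:
        print(f"{kind:15s} {path}  {detail}")
    if "--quarantine" in sys.argv:
        for old, new in quarantine(found):
            print(f"renamed {old} -> {new}")
```

Run without arguments it triages its own constructed sample; with a mount point it reports what is on the real drive, and `--quarantine` renames the findings. Renaming rather than deleting keeps the evidence (the autorun.inf and launcher) for a second opinion with an antivirus scanner before you empty the drive.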
How do I remove the virus from my Windows computer (the free way)?
I recommend downloading PrevxFree to scan your computer (for this particular virus). This application will show you the files that need to be deleted from your system. Take note of their locations and names.
Once you have confirmed your computer is infected, proceed as follows:
1) Enter Windows in safe mode:
- Restart your computer
- Before it shows the "Windows" logo, press "F8"
- Select "Safe Mode"
2) Disable start-up programs:
- Start -> Run -> (type:) msconfig, and click "OK".
- Go to the "Startup" tab
- Uncheck any item that ends with "mmvo.exe" or similar.
3) Disable services:
- In the same window, go to the "Services" tab
- Uncheck any item whose name looks like a code (without a proper name), for example: $kajsd-orisnd-23danf-asjd34...
- Uncheck the "System Restore" service to prevent Windows from restoring the virus.
- Click "Accept" and exit.
4) Clean the registry:
- Start -> Run -> (type:) regedit, and click "OK".
- Press the "F3" key, type "mmvo" and click "Search"
- Delete any item you find with that name.
Note: Please be careful when cleaning your registry; if you are not sure, ask someone else for help.
5) Delete the files (basic MS-DOS commands required):
- Open the Windows console (the "cmd" command introduced earlier).
- Go to the root directory ("cd \") and list its files: "dir /a"
- Locate "autorun.inf" or any file whose name looks like generated code (e.g., 6KTHP0.cmd).
- Execute these commands:
  - attrib +a -s -h autorun.inf
  - del autorun.inf
  - (in case you cannot remove it, rename it to anything else:) move autorun.inf trash1.txt
- Repeat the same two steps (attrib, then del or move) for each of these files:
  - C:\windows\system32\mmvo.exe
  - C:\windows\system32\mmv0.dll
  - C:\windows\system32\mmv1.dll
- Empty this folder: C:\Documents and Settings\__USER__NAME__\Local Settings\Temp
  (substitute __USER__NAME__ with your login name, for example: Administrator)
- Repeat the "attrib, del (or move)" steps for each of the files found with Prevx.
That's it!
Final steps:
- Restart your computer and log in as usual.
- Delete all those files that you couldn't delete and had to move, for example: trash1.txt
- Run Prevx again (clicking on the "Options" menu in the right-hand corner).
It should now show that your system is clean (hopefully). You can also download ClamWin and scan the memory, if you want a second opinion.
Before buying any antivirus software, I recommend installing a free personal firewall (e.g., Comodo, Core Force, PCTools Firewall), which will be more useful in keeping unwanted malware applications away from your computer.
Personally, I don't understand why Microsoft hasn't removed that vulnerability that automatically launches any application listed in an "autorun.inf" file on a USB drive, without asking you! Ideal for any virus...
The previous procedure may also work for other similar viruses, such as:
- kavo.exe / kav0.dll
- avpo.exe / avp0.dll
- amvo.exe / amv0.dll
- tavo.exe / tav0.dll
- taso.exe / tas0.dll
- mnso.exe / mns0.dll
For more information:
- http://www.prevx.com/filenames/X1591482110620292974-0/MMVO.EXE.html
- http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LEGMIR.VF&VSect=T
- http://www.threatexpert.com/report.aspx?uid=b942c82a-9647-4f57-83be-d0e5c17ba917
- http://zatu.blog10.fc2.com/blog-entry-1147.html
- http://www.wilderssecurity.com/showthread.php?t=186594
I hope this information was useful :)