
amvo.exe Virus Manual Removal Steps



This is a nasty virus, don't know who dropped it on me. It spreads via USB memory sticks. It cannot be seen in the process list, hides itself and hides all files. And my antivirus doesn't seem to find a problem! :(



How to get rid of it?

Step 1
The usual way is to format the system, but that is not a permanent solution. Instead, run regedit and find all keys related to amvo.exe (or whatever name the virus uses).
Run msconfig; on the Startup tab you can find amvo.exe or its variants.
Remove all occurrences of the name using regedit.
Reboot the system.

Step 2
Reboot and make the following changes to the registry using regedit:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    SearchHidden = 1
    SearchSystemDirs = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 1
    ShowSuperHidden = 1
    SuperHidden = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
    CheckedValue = 1
    DefaultValue = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = 1
    DefaultValue = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun = 0x00000091 (145)



-- OR --

Reboot into a different OS and do the following

Step 3
From all the drives, delete autorun.inf using the command line (if on Windows) or from a Linux OS. Do not open the drive from Explorer, as that would spread the virus to this OS again. If you have Linux installed and can access all partitions on the disk, delete the files there and empty the trash on all drives.

Step 4
Reboot the system.
Make the changes from Step 2 if you have not done so already.
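
An added example for Step 3 (not code from the original post): run from the other OS, it reads the autorun.inf in each partition root without opening the drive in Explorer and lists the program that file would launch, which is the file to delete along with autorun.inf. The mount points given on the command line are assumptions, and the sample content is constructed around the "t.com" name reported in the comments.

```python
import os
import re
import sys

# autorun.inf keys whose value is a command line Windows may launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

# Constructed sample content, not captured from a real infection.
SAMPLE = r"""
;padding comment line
[AutoRun]
open=t.com
shell\open\Command=t.com
shell\explore\Command="t.com" -e
"""

def autorun_targets(text):
    """Return the distinct program names an autorun.inf would launch."""
    targets, section = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if section != "autorun" or not sep or not LAUNCH_KEY.match(key) or not value:
            continue
        # Program is the quoted string, or else the first token of the command.
        prog = value[1:].split('"')[0] if value.startswith('"') else value.split()[0]
        if prog and prog.lower() not in (t.lower() for t in targets):
            targets.append(prog)
    return targets

def scan_roots(roots):
    """Map each given drive root holding an autorun.inf file to its targets."""
    found = {}
    for root in roots:
        for name in os.listdir(root):
            path = os.path.join(root, name)
            # Match case-insensitively (Linux mounts) and skip same-named folders.
            if name.lower() == "autorun.inf" and os.path.isfile(path):
                with open(path, encoding="latin-1") as fh:
                    found[root] = autorun_targets(fh.read())
    return found

if __name__ == "__main__":
    for root, progs in scan_roots(sys.argv[1:]).items():
        print(root, "->", ", ".join(progs) or "no launch entries")
```

The script only reads and reports; deleting the listed files is still done by hand as described in Step 3.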

I hope that will do it.
Install a good antivirus and update it.
Prevent Autorun from USB drives.

To disable Autoplay of all drives
Start > Run > gpedit.msc

Enable : Computer Configuration > Administrative Templates > System > Turn Off Autoplay



11 comments

Shivank
#1. April 8th, 2008, at 12:05 PM.

Worked For Me!!!
Thanks a lot!

Cliff Miller
#2. April 11th, 2008, at 2:30 AM.

This totally worked where anti-virus software didn’t, so thank you VERY MUCH. It was really annoying me. The instructions weren’t presented in the most basic ways, but I searched around on the internet to find how to do some of the suggested things.

I couldn’t delete the files via the cmd, even though I could see them, but once I disabled autoplay on all drives I was able to use windows explorer to find and delete them without activating them.

magus
#3. April 11th, 2008, at 11:12 AM.

hi
it worked for me. I want to add:

-I booted in safe mode F8
-did a search with cmd.exe (dir/ah) for a hidden file named “t.com” and found it on every attached HD.
after i deleted all entries in the registry named “amvo” i also did a search for “t.com” and deleted all entries with exactly that name.
-then deleted in cmd.exe all hidden files “autorun.inf” (del /F /ah autorun.inf) and “t.com” (del /F /ah t.com)

now it seems i got rid of the sucker!
cheers
m

magus
#4. April 12th, 2008, at 1:37 PM.

something more to add
these instructions also helped a lot
http://wiki.answers.com/Q/My_system_got_attacked_by_a_virus_The_hidden_files_and_folders_are_not_shown_even_if_you_give_the_show_hidden_files_n_folders_radio_button_how_to_get_rid_of_the_virus_virus_resides_in_each_partition

http://bleuken.i.ph/blogs/bleuken/2007/06/29/viruses-that-uses-autoruninf/

because the sucker has different names, e.g. “t.com” like in my case.
if you locate the autorun.inf using the dir/ah command, then open it using “edit”, you see what name the actual process has and kill it.

??????
#5. April 18th, 2008, at 1:43 AM.

The Russian version of this article is terrible! I’m a native speaker, I know this language very well, and I just don’t understand anything in the Russian version. Translating articles using translation programs is not serious. Nobody will understand the meaning of the text. You should edit it or there is no sense in posting it. The language of the Russian version of the article is NOT Russian!

Dixit
#6. April 23rd, 2008, at 10:04 AM.

Hi, thank u so much…..
I was about to format my computer, but by reading this article
I successfully deleted this virus…..

batu
#7. April 23rd, 2008, at 10:58 AM.

magus, thanks. i did it and deleted the viruses :]

Daniel
#8. April 24th, 2008, at 2:35 AM.

Thanks for this solution…
You say “Install a good antivirus update it”
avast and norton can’t detect amvo, what antivirus can detect amvo?

bino
#9. April 30th, 2008, at 11:54 AM.

this really worked dude… usually i always format my drive when i am not able to the hidden files… but now it totally worked… thanks buddy. it rockz!!

mohammedfirouz
#10. May 1st, 2008, at 12:22 PM.

Hi!
I was infected with this virus as well, but i got rid of it in about 30 minutes.
It’s very simple:
1) Download Autorun.zip… it’s from a company that Microsoft later bought (like every other good one!)
2) Look under Logon, and uncheck amvo.exe and amvo0.dll
3) Restart the computer into Safe Mode with Command Prompt… it doesn’t load explorer.exe (amvo infected it, so it automatically loads amvo!)
4) Delete the “amvo.exe” and “amvo0.dll” from the system32 folder
5) Delete “autorun.inf” from the root of EVERY single drive, or edit them using notepad…. DELETE THEM USING the COMMAND PROMPT, otherwise, it’s pointless.
6) After all above done, restart to normal windows, using Task Manager. DO NOT LOAD EXPLORER.exe,
7) Modify the registry keys, so you can see hidden files (instruction above)
9) Delete the .exe or .com file in the root of each drive……..
10) *** YOU ARE DONE! ***

mohammedfirouz
#11. May 1st, 2008, at 12:25 PM.

Also, I forgot to say this…
As I was so upset with this virus, i decided to write a removal tool for it, but as i had a different .exe name in my drive root folder, it therefore only deletes that file.

I was wondering if anyone was kind enough to drop me an email with the name that they saw in their root folder, so i can include in removal tool.

And then, if you want, i can send you a copy of the removal tool, with the name of the .exe file that you are infected so it does all the above in one go…

Thanks very much
Mo
