
amvo.exe Virus Manual Removal Steps


Symptoms

This is a nasty virus; I don't know who dropped it on me. It spreads via USB memory sticks. It cannot be seen in the process list, hides itself and hides all files. And my antivirus doesn't seem to find a problem! :(

How to get rid of it?

Step 1
The usual way is to format the system, but that is not a permanent solution. To get rid of it, run regedit and find all keys related to amvo.exe or the name of the virus.
Run msconfig; in the Startup tab you can find amvo.exe or its variants.
Remove all occurrences of the name from regedit.
Reboot the system.

Step 2
Reboot and make the following changes to the registry using regedit (key, then value name = data):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer  SearchHidden = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer  SearchSystemDirs = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  Hidden = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowSuperHidden = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  SuperHidden = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN  CheckedValue = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN  DefaultValue = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL  CheckedValue = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL  DefaultValue = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  NoDriveTypeAutoRun = 0x00000091 (145)

– OR –

Reboot into a different OS and do the following

Step 3
From all the drives, delete autorun.inf using the command line (if on Windows) or from a Linux OS. Do not open the drive from Explorer, as that would spread the virus to this OS again. If you have Linux installed and can access all partitions on the disk, delete the files from there and empty the trash on all drives.

Step 4
Reboot the system.
Make the changes from Step 2, if you have not done so already.

I hope that will do it.
Install a good antivirus and keep it updated.
Prevent Autorun from USBs.

To disable Autoplay of all drives:
Start > Run > gpedit.msc

Enable: Computer Configuration > Administrative Templates > System > Turn Off Autoplay
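As an added example (not from the original article), the following Python script checks the two autorun settings this procedure depends on: it decodes the NoDriveTypeAutoRun value from Step 2 into the drive types on which Explorer still honours autorun.inf, and it parses an autorun.inf the way Explorer reads it, listing every program the file would launch, which is how the infection in Step 3 gets started. The autorun.inf text and the file name EXAMPLE.com are constructed for this example.

```python
"""Autorun exposure check (added example, not part of the original article).

1. Decodes a NoDriveTypeAutoRun value (Step 2) into the drive types on which
   Explorer still honours autorun.inf.
2. Parses an autorun.inf the way Explorer reads it and lists every program it
   would launch (Step 3): open=, shellexecute= and shell\\<verb>\\command=.
The sample autorun.inf and the file name EXAMPLE.com are constructed here.
"""
import re
from typing import List, Tuple

# NoDriveTypeAutoRun (HKCU\...\Policies\Explorer): a SET bit DISABLES autorun
# for that drive type, so a clear bit means autorun.inf is still executed.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE (USB sticks, floppies)",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE (network shares)",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved / unspecified",
}

def autorun_still_allowed(mask: int) -> List[str]:
    """Drive types whose bit is clear in `mask`, i.e. autorun stays enabled.
    0x91 (the value in Step 2, also the Windows XP default) leaves the
    removable-drive bit clear, so a USB stick's autorun.inf still runs;
    0xFF disables autorun on every drive type."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]

# [autorun] directives that name a program to run. shell\<verb>\command covers
# the open/explore/autorun verbs that Explorer also caches per drive under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2.
_EXEC_DIRECTIVE = re.compile(
    r"^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+)$", re.IGNORECASE)

def launched_by_autorun_inf(text: str) -> List[Tuple[str, str]]:
    """Return (directive, command) pairs from the [autorun] section, tolerant
    of comments, junk lines, mixed case and stray whitespace rather than
    relying on a strict INI parser."""
    found = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        match = _EXEC_DIRECTIVE.match(line) if in_autorun else None
        if match:
            found.append((match.group(1).lower(), match.group(2).strip()))
    return found

# Constructed sample in the style of the worm's autorun.inf; EXAMPLE.com is a
# placeholder, not one of the file names reported on this page.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
;; comment line
this junk line has no equals sign
open=EXAMPLE.com
shell\\open=Open
shell\\open\\Command=EXAMPLE.com
shell\\explore\\Command=EXAMPLE.com
shellexecute=EXAMPLE.com
shell\\AutoRun\\command=EXAMPLE.com
"""

if __name__ == "__main__":
    for mask in (0x91, 0xFF):
        print(f"NoDriveTypeAutoRun=0x{mask:02X} still allows autorun on:",
              autorun_still_allowed(mask) or ["nothing"])
    for directive, command in launched_by_autorun_inf(SAMPLE_AUTORUN_INF):
        print(f"{directive:<22} -> {command}")
```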


18 comments


Shivank
#1. April 8th, 2008, at 12:05 PM.

Worked For Me!!!
Thanks a lot!

Cliff Miller
#2. April 11th, 2008, at 2:30 AM.

This totally worked where anti-virus software didn’t, so thank you VERY MUCH. It was really annoying me. The instructions weren’t presented in the most basic ways, but I searched around on the internet to find how to do some of the suggested things.

I couldn’t delete the files via the cmd, even though I could see them, but once I disabled autoplay on all drives I was able to use windows explorer to find and delete them without activating them.

magus
#3. April 11th, 2008, at 11:12 AM.

hi
it worked for me. I want to add:

- I booted in safe mode (F8)
- did a search with cmd.exe (dir /ah) for a hidden file named "t.com" and found it on every attached HD.
- after I deleted all entries in the registry named "amvo", I also did a search for "t.com" and deleted all entries with exactly that name.
- then deleted in cmd.exe all hidden files "autorun.inf" (del /F /ah autorun.inf) and "t.com" (del /F /ah t.com)

now it seems i got rid of the sucker!
cheers
m

magus
#4. April 12th, 2008, at 1:37 PM.

something more to add
these instructions also helped a lot
http://wiki.answers.com/Q/My_system_got_attacked_by_a_virus_The_hidden_files_and_folders_are_not_shown_even_if_you_give_the_show_hidden_files_n_folders_radio_button_how_to_get_rid_of_the_virus_virus_resides_in_each_partition

http://bleuken.i.ph/blogs/bleuken/2007/06/29/viruses-that-uses-autoruninf/

because the sucker has different names, e.g. "t.com" like in my case.
If you locate the autorun.inf using the dir /ah command, then open it using "edit", you see what name the actual process has and can kill it.

??????
#5. April 18th, 2008, at 1:43 AM.

The Russian version of this article is terrible! I'm a native speaker, I know this language very well, and I just don't understand anything in the Russian version. Translating articles using translation programs is not serious. Nobody will understand the meaning of the text. You should edit it or there is no sense in posting it. The language of the Russian version of the article is NOT Russian!

Dixit
#6. April 23rd, 2008, at 10:04 AM.

Hi, thank you so much…..
I was about to format my computer, but by reading this article
I successfully deleted this virus…..

batu
#7. April 23rd, 2008, at 10:58 AM.

magus, thanks. I did it and deleted the viruses :]

Daniel
#8. April 24th, 2008, at 2:35 AM.

Thanks for this solution…
You say "Install a good antivirus and update it".
Avast and Norton can't detect amvo; what antivirus can detect amvo?

bino
#9. April 30th, 2008, at 11:54 AM.

This really worked, dude…. Usually I always format my drive when I am not able to the hidden files…. but now it totally worked… thanks buddy, it rockz!!

mohammedfirouz
#10. May 1st, 2008, at 12:22 PM.

Hi!
I was infected with this virus as well, but I got rid of it in about 30 minutes.
It's very simple:
1) Download Autorun.zip… it's from a company that Microsoft later bought (like every other good one!)
2) Look under Logon, and uncheck amvo.exe and amvo0.dll
3) Restart the computer into Safe Mode With Command Prompt… it doesn't load explorer.exe (amvo infected it, so it automatically loads amvo!)
4) Delete "amvo.exe" and "amvo0.dll" from the system32 folder
5) Delete "autorun.inf" from the root of EVERY single drive, or edit them using notepad…. DELETE THEM USING the COMMAND PROMPT, otherwise it's pointless.
6) After all of the above is done, restart to normal Windows using Task Manager. DO NOT LOAD EXPLORER.exe,
7) Modify the registry keys so you can see hidden files (instructions above)
9) Delete the .exe or .com file in the root of each drive……..
10) *** YOU ARE DONE! ***

mohammedfirouz
#11. May 1st, 2008, at 12:25 PM.

Also, I forgot to say this…
As I was so upset with this virus, I decided to write a removal tool for it, but as I had a different .exe name in my drive root folder, it therefore only deletes that file.

I was wondering if anyone would be kind enough to drop me an email with the name that they saw in their root folder, so I can include it in the removal tool.

And then, if you want, I can send you a copy of the removal tool with the name of the .exe file that you are infected with, so it does all the above in one go…

Thanks very much
Mo

xingmao
#12. May 26th, 2008, at 12:50 AM.

How do i do the regedit thing? what are the changes to be made?

I don’t understand it

Naim Bazzi
#13. June 13th, 2008, at 6:26 AM.

The values you've posted are cropped!!

Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN CheckedValue (here should be the value, but it's cropped by the page)

paulinhow
#14. July 8th, 2008, at 12:44 AM.

I caught two viruses and I can't manage to delete them. One is amvo.exe and the other is AVG.sys. It seems amvo.exe starts with XP, because I found it in msconfig; the other one is in system32, in the drivers folder. My antivirus detected AVG.sys but it doesn't detect amvo.exe. How do I remove these viruses? I already used ComboFix but amvo.exe still keeps appearing. Help please, thanks in advance…


lokesh
#15. September 10th, 2008, at 12:31 PM.

I have one script; run that and it removes it in 2 minutes.

jm
#16. September 21st, 2008, at 2:22 PM.

I have had issues with this virus as well, and my concern is why leading antivirus software is not able to find this virus.

I'm really starting to think that companies who make antivirus software such as AVG, NOD32, McAfee, Kaspersky, Avast! are letting this happen, since they should be the first to come up with a solution!

Timo
#17. November 26th, 2008, at 3:32 PM.

Hey, thanks. I used your registry settings to show my hidden folders by using the VB.NET FolderBrowserDialog.
Greetings

Jason Boos
#18. December 11th, 2008, at 10:01 AM.

Thanks for the info, but I have a question. The hidden files on the desktop are showing as well; is there a way to hide them?
