Comments on: amvo.exe Virus Manual Removal Steps

By: jm

jm — Sun, 21 Sep 2008 18:22:51 +0000

I have had issues with this virus as well, and my concern is why leading antivirus software is not able to find this virus.

I’m really starting to think that companies who make antivirus software such as AVG, NOD32, MCAFFE, KASPERSKY, AVAST! are letting this to happen since they should be the first to come up with a solution!

By: lokesh

lokesh — Wed, 10 Sep 2008 16:31:27 +0000

I have One script run that and remove it in 2 minut.

By: paulinhow

paulinhow — Tue, 08 Jul 2008 04:44:28 +0000

peguei dois virus e naum to conseguindo apagar um eo amvo.exe e o outro eo AVG.sys parece q o amvo.exe ta iniciando com o xp pq achei ele no msconfig o outro ta na system32/na pasta de drives meu anti virus detecto o AVG.sys mais o amvo.exe ele nau decto com eu fasso pra remover esses virus.ja usei o combo fix mais o amvo.exe ainda cont aparecendo ajudem plis agrade?o desde ja ..

ComboFix 08-07-05.1 - Administrador 2008-07-08 0:59:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1556 [GMT -3:00]
Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe
* Criado um novo ponto de restauro
* Resident AV is active

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((( Outras Exclus?es )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\AutoRun.inf

.
((((((((((((((((((((((( Ficheiros criados de 2008-06-08 to 2008-07-08 ))))))))))))))))))))))))))))))))
.

2008-07-07 21:04 . 2008-07-07 22:42 151 –a—— C:\WINDOWS\PhotoSnapViewer.INI
2008-07-07 19:49 . 2008-06-29 16:54 8,288,681 –a—— C:\imagelys_ps.exe
2008-07-07 19:34 . 2008-07-07 23:03 2,858 –a—— C:\WINDOWS\ips.INI
2008-07-07 19:32 . 2008-07-07 19:47 1,065 –a—— C:\WINDOWS\winamp.ini
2008-07-07 16:59 . 2008-07-07 17:22 d——– C:\Arquivos de programas\Conduit
2008-07-07 16:08 . 2008-07-07 16:08 0 –a—— C:\WINDOWS\nsreg.dat
2008-07-06 13:38 . 2008-07-06 13:38 30,946 –a—— C:\WINDOWS\system32\drivers\Partizan.sys
2008-07-06 13:38 . 2008-07-06 13:38 25,088 –a—— C:\WINDOWS\system32\Partizan.exe
2008-07-06 13:38 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-07-06 13:07 . 2008-07-06 13:07 116,932 -r-hs—- C:\qxbx9blb.com
2008-07-05 16:23 . 2008-07-05 16:23 d——– C:\Documents and Settings\All Users\Dados de aplicativos\Yahoo! Companion
2008-07-05 16:11 . 2008-07-05 16:11 d——– C:\Arquivos de programas\Yahoo!
2008-07-05 16:11 . 2008-07-05 16:17 d——– C:\Arquivos de programas\CCleaner
2008-07-05 12:32 . 2008-07-05 12:32 d——– C:\Dicionario
2008-07-05 12:32 . 2008-07-05 12:33 8,257 –a—— C:\WINDOWS\WDIC.INI
2008-07-05 12:32 . 2008-07-05 12:32 550 –a—— C:\Dic Michaelis - UOL.LNK
2008-07-05 12:02 . 2008-07-05 12:02 d——– C:\new P2KTools
2008-07-05 12:00 . 2004-08-03 23:08 25,600 –a—— C:\WINDOWS\system32\drivers\usbser.sys
2008-07-05 12:00 . 2004-08-03 23:08 25,600 –a–c— C:\WINDOWS\system32\dllcache\usbser.sys
2008-07-05 11:59 . 2004-05-27 14:49 16,032 –a—— C:\WINDOWS\system32\drivers\P2k.sys
2008-07-04 19:49 . 2008-07-07 19:28 115,811 -r-hs—- C:0hoeav.com
2008-07-04 19:30 . 2008-07-04 19:31 d——– C:\Documents and Settings\Administrador\Dados de aplicativos\AdobeUM
2008-07-04 18:53 . 2008-07-04 19:25 d——– C:\CloneDVDTemp
2008-07-04 17:50 . 2008-07-04 17:50 d——– C:\Documents and Settings\Administrador\Dados de aplicativos\Elaborate Bytes
2008-07-04 14:50 . 2008-07-05 18:00 d——– C:\Arquivos de programas\Google
2008-07-04 14:30 . 2008-07-04 14:30 268 –ah—– C:\sqmdata00.sqm
2008-07-04 14:30 . 2008-07-04 14:30 244 –ah—– C:\sqmnoopt00.sqm
2008-07-04 14:05 . 2008-07-04 18:29 d——– C:\Arquivos de programas\Valve
2008-07-04 13:42 . 2008-07-04 13:42 d——– C:\Documents and Settings\Administrador\Dados de aplicativos\Media Player Classic
2008-07-04 13:39 . 2008-07-04 13:39 d——– C:\Arquivos de programas\Dicionario_Michaelis-UOL
2008-07-04 13:39 . 2007-07-08 21:57 18,029,424 –a—— C:\Arquivos de programas\Windows Live Messenger 8.exe
2008-07-04 13:35 . 2008-07-04 13:35 d——– C:\Arquivos de programas\NOD32 v.2.70.16 Final WinXP
2008-07-04 13:31 . 2008-07-05 12:29 d——– C:\Filmes
2008-07-04 13:26 . 2008-07-04 13:26 d——– C:\Documents and Settings\Administrador\Dados de aplicativos\SlySoft
2008-07-04 13:25 . 2008-07-06 22:47 d——– C:\Documents and Settings\Administrador\Contacts
2008-07-04 13:24 . 2008-07-07 21:58 d——– C:\Arquivos de programas\Eset
2008-07-04 13:24 . 2008-07-04 13:36 512,096 –a—— C:\WINDOWS\system32\drivers\amon.sys
2008-07-04 13:24 . 2008-07-04 13:36 299,392 –a—— C:\WINDOWS\system32\imon.dll
2008-07-04 13:24 . 2008-07-04 13:36 15,424 –a—— C:\WINDOWS\system32\drivers\nod32drv.sys
2008-07-04 13:23 . 2008-07-04 13:23 d——– C:\Documents and Settings\All Users\Dados de aplicativos\Windows Live Toolbar
2008-07-04 13:23 . 2008-07-04 13:23 d——– C:\Arquivos de programas\Windows Live Toolbar
2008-07-04 13:22 . 2008-07-04 13:22 d——– C:\Arquivos de programas\MSN Messenger
2008-07-04 13:20 . 2008-07-04 13:20 d——– C:\SlySoft Pack Clone CD
2008-07-04 13:20 . 2008-07-04 13:20 d——– C:\Arquivos de programas\Elaborate Bytes
2008-07-04 13:19 . 2008-07-04 13:20 d——– C:\Arquivos de programas\SlySoft
2008-07-04 13:19 . 2008-07-04 13:19 d——– C:\Arquivos de programas\K-Lite Codec Pack
2008-07-04 13:19 . 2007-04-23 02:15 3,596,288 –a—— C:\WINDOWS\system32\qt-dx331.dll
2008-07-04 13:19 . 2007-05-31 08:44 740,442 –a—— C:\WINDOWS\system32\divx.dll
2008-07-04 13:19 . 2007-04-28 14:54 593,920 –a—— C:\WINDOWS\system32\xvidcore.dll
2008-07-04 13:19 . 2007-06-07 21:11 380,928 –a—— C:\WINDOWS\system32\ac3filter.acm
2008-07-04 13:19 . 2004-01-25 18:18 217,088 –a—— C:\WINDOWS\system32\yv12vfw.dll
2008-07-04 13:19 . 2006-11-01 14:54 180,224 –a—— C:\WINDOWS\system32\xvidvfw.dll
2008-07-04 13:19 . 2007-04-23 02:02 73,728 –a—— C:\WINDOWS\system32\dpl100.dll
2008-07-04 13:19 . 2007-06-03 14:31 10,752 –a—— C:\WINDOWS\system32\ff_vfw.dll
2008-07-04 13:19 . 2005-02-24 18:56 547 –a—— C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-07-03 18:36 . 2008-07-03 18:36 d—s—- C:\Documents and Settings\Administrador\UserData
2008-07-03 16:31 . 2008-07-03 16:31 d——– C:\Arquivos de programas\RALINK
2008-07-03 16:31 . 2006-08-02 17:44 384,384 –a—— C:\WINDOWS\system32\drivers\rt61.sys
2008-07-03 16:31 . 2006-06-20 22:53 319,488 –a—— C:\WINDOWS\system32\AegisI5.exe
2008-07-03 16:31 . 2006-06-17 12:05 295,018 –a—— C:\WINDOWS\system32\Install6x.dll
2008-07-03 16:31 . 2008-07-03 16:31 21,419 –a—— C:\WINDOWS\system32\drivers\AegisP.sys
2008-07-03 16:31 . 2006-04-06 13:15 8,192 –a—— C:\WINDOWS\system32\drivers\RT2661.bin
2008-07-03 16:31 . 2006-04-06 13:15 8,192 –a—— C:\WINDOWS\system32\drivers\RT2561s.bin
2008-07-03 16:31 . 2006-04-06 13:15 8,192 –a—— C:\WINDOWS\system32\drivers\RT2561.bin
2008-07-03 16:31 . 2006-03-10 15:33 78 –a—— C:\WINDOWS\filespec6x
2008-07-03 13:35 . 2008-07-03 13:35 d——– C:\Arquivos de programas\Arquivos comuns\Adobe
2008-07-03 13:12 . 2008-07-03 13:12 7,680 –ahs—- C:\WINDOWS\Thumbs.db
2008-07-03 11:54 . 2008-07-03 19:30 d——– C:\Documents and Settings\Administrador\Dados de aplicativos\HPAppData
2008-07-01 15:58 . 2008-07-01 15:58 d——– C:\Documents and Settings\All Users\Dados de aplicativos\WEBREG
2008-07-01 15:57 . 2008-07-01 15:57 d——– C:\Documents and Settings\All Users\Dados de aplicativos\HPSSUPPLY
2008-07-01 15:56 . 2008-07-01 15:56 d——– C:\Documents and Settings\All Users\Dados de aplicativos\HP Product Assistant
2008-07-01 15:54 . 2008-07-02 10:00 150,775 –a—— C:\WINDOWS\hpoins15.dat
2008-07-01 15:54 . 2007-03-08 01:20 49,920 -ra—— C:\WINDOWS\system32\drivers\HPZid412.sys
2008-07-01 15:54 . 2007-03-08 01:20 16,496 -ra—— C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-07-01 15:54 . 2007-09-20 17:05 1,039 ——— C:\WINDOWS\hpomdl15.dat
2008-07-01 15:53 . 2007-03-17 03:39 958,464 -ra—— C:\WINDOWS\system32\hpotiop4.dll
2008-07-01 15:53 . 2007-03-17 03:39 675,840 -ra—— C:\WINDOWS\system32\hpowiax4.dll
2008-07-01 15:53 . 2007-03-08 01:20 364,544 -ra—— C:\WINDOWS\system32\hppldcoi.dll
2008-07-01 15:53 . 2007-03-08 01:20 309,760 -ra—— C:\WINDOWS\system32\difxapi.dll
2008-07-01 15:53 . 2007-03-17 03:39 303,104 -ra—— C:\WINDOWS\system32\hpovst11.dll
2008-07-01 15:53 . 2007-03-08 01:20 21,568 -ra—— C:\WINDOWS\system32\drivers\HPZius12.sys
2008-07-01 15:53 . 2004-08-03 22:58 15,104 –a—— C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-01 15:53 . 2004-08-03 22:58 15,104 –a–c— C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-01 14:57 . 2008-07-01 14:57 d——– C:\Documents and Settings\All Users\Dados de aplicativos\Hewlett-Packard
2008-07-01 14:57 . 2007-03-30 12:29 267,864 -ra—— C:\WINDOWS\system32\hpzids01.dll
2008-07-01 14:57 . 2007-03-28 14:01 118,272 –a—— C:\WINDOWS\system32\hpz3l5ha.dll
2008-07-01 14:09 . 2008-07-01 14:30 d——– C:\Arquivos de programas\Max Payne
2008-07-01 13:37 . 2008-07-01 13:37 d——– C:\Documents and Settings\Administrador\Dados de aplicativos\HP
2008-07-01 13:19 . 2008-07-01 13:18 150,672 ——— C:\WINDOWS\hpoins15.dat.temp
2008-07-01 13:19 . 2007-09-20 17:05 1,039 ——— C:\WINDOWS\hpomdl15.dat.temp
2008-07-01 13:13 . 2008-07-01 15:22 d——– C:\Documents and Settings\All Users\Dados de aplicativos\HP
2008-07-01 13:13 . 2008-07-01 13:13 d——– C:\Arquivos de programas\Arquivos comuns\HP
2008-07-01 13:13 . 2008-07-01 13:13 d——– C:\Arquivos de programas\Arquivos comuns\Hewlett-Packard
2008-07-01 13:12 . 2008-07-03 16:31 d—-c— C:\WINDOWS\system32\DRVSTORE
2008-07-01 13:12 . 2008-07-01 15:57 d——– C:\Arquivos de programas\HP
2008-07-01 13:12 . 2004-08-03 23:08 31,616 –a—— C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-01 13:12 . 2004-08-03 23:08 31,616 –a–c— C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-01 13:12 . 2004-08-03 23:08 26,496 –a–c— C:\WINDOWS\system32\dllcache\usbstor.sys
2008-07-01 13:12 . 2004-08-03 23:01 25,856 –a—— C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-01 13:12 . 2004-08-03 23:01 25,856 –a–c— C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-01 12:21 . 2008-06-25 10:39 1,992 –a—— C:\Atualiza??o Online do Nero.lnk
2008-07-01 11:37 . 2008-07-07 19:26 d——– C:\M?sicas
2008-07-01 09:50 . 2008-07-01 09:50 d——– C:\Documents and Settings\All Users\Dados de aplicativos\NVIDIA
2008-07-01 09:40 . 2008-07-07 19:32 69 –a—— C:\WINDOWS\NeroDigital.ini
2008-06-25 11:02 . 2008-06-25 11:02 d——– C:\Arquivos de programas\Microsoft.NET
2008-06-25 11:02 . 2003-06-19 01:31 17,920 –a—— C:\WINDOWS\system32\mdimon.dll
2008-06-25 11:02 . 2008-06-25 11:02 421 –a—— C:\WINDOWS\ODBC.INI
2008-06-25 11:01 . 2008-06-25 11:02 d——– C:\WINDOWS\SHELLNEW
2008-06-25 11:01 . 2008-06-25 11:01 d——– C:\Arquivos de programas\Microsoft Works

.
((((((((((((((((((((((((((((((((((((( Relat?rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 17:05 ——— d–h–w C:\Arquivos de programas\InstallShield Installation Information
2008-07-03 16:37 1,780 —-a-w C:\Arquivos de programas\Adobe Reader 7.0.lnk
2008-07-03 16:03 ——— d—–w C:\Documents and Settings\Administrador\Dados de aplicativos\Ahead
2008-07-01 17:27 28,400 —-a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-07-01 17:09 ——— d—–w C:\Arquivos de programas\Arquivos comuns\InstallShield
2008-06-25 13:55 315,392 —-a-w C:\WINDOWS\HideWin.exe
2008-06-25 13:55 ——— d—–w C:\Arquivos de programas\Realtek
2008-06-25 13:37 ——— d—–w C:\Documents and Settings\All Users\Dados de aplicativos\Ahead
2008-06-25 13:37 ——— d—–w C:\Arquivos de programas\Arquivos comuns\Ahead
2008-06-25 13:35 ——— d—–w C:\Documents and Settings\All Users\Dados de aplicativos\Nero
2008-06-25 13:35 ——— d—–w C:\Arquivos de programas\Nero
2008-06-25 13:24 ——— d—–w C:\Arquivos de programas\microsoft frontpage
2008-06-25 13:22 ——— d—–w C:\Arquivos de programas\Servi?os on-line
2008-06-25 13:21 ——— d—–w C:\Arquivos de programas\Arquivos comuns\Servi?os
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & leg?timas por defeito n?o s?o mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=”C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:45 15360]
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=”C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe” [2007-06-01 10:21 153136]
“swg”=”C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [2008-07-04 14:53 171448]
“msnmsgr”=”C:\Arquivos de programas\MSN Messenger\msnmsgr.exe” [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NvCplDaemon”=”C:\WINDOWS\system32\NvCpl.dll” [2006-10-31 03:35 7634944]
“NvMediaCenter”=”C:\WINDOWS\system32\NvMcTray.dll” [2006-10-31 03:35 86016]
“NeroFilterCheck”=”C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe” [2007-03-01 15:57 153136]
“HP Software Update”=”C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe” [2007-03-11 21:34 49152]
“nod32kui”=”C:\Arquivos de programas\Eset\nod32kui.exe” [2008-07-04 13:36 950664]
“nwiz”=”nwiz.exe” [2006-10-31 03:35 1622016 C:\WINDOWS\system32\nwiz.exe]
“RTHDCPL”=”RTHDCPL.EXE” [2007-07-05 05:08 16380416 C:\WINDOWS\RTHDCPL.exe]
“SkyTel”=”SkyTel.EXE” [2007-06-15 05:45 1826816 C:\WINDOWS\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=”C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 00:45 15360]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Ralink Wireless Utility.lnk - C:\Arquivos de programas\RALINK\Common\RaUI.exe [2008-07-03 16:31:41 659456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“VIDC.YV12″= yv12vfw.dll
“msacm.ac3filter”= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
–a—— 2006-02-24 19:17 462848 C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
–a—— 2005-05-19 10:47 57344 C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
–a—— 2007-01-19 12:54 5674352 C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\system32\\sessmgr.exe”=
“C:\\Arquivos de programas\\Messenger\\msmsgs.exe”=
“C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe”=
“C:\\Arquivos de programas\\MSN Messenger\\livecall.exe”=
“C:\\Arquivos de programas\\Valve\\hl.exe”=
“C:\\Arquivos de programas\\Valve\\hlds.exe”=

S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-07-06 13:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52978624-4a1a-11dd-9250-001e90c045ac}]
\Shell\AutoRun\command - E:\qxbx9blb.com
\Shell\explore\Command - E:\qxbx9blb.com
\Shell\open\Command - E:\qxbx9blb.com

.
Conte?do da pasta ‘Tarefas Agendadas’
“2008-07-08 03:58:00 C:\WINDOWS\Tasks\Verificar Atualiza??es para a Barra de Ferramentas do Windows Live.job”

By: Naim Bazzi

Naim Bazzi — Fri, 13 Jun 2008 10:26:11 +0000

the values you’ve posted are croped !!

Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN CheckedValue (here should be the value but it’s croped by the page)

By: xingmao

xingmao — Mon, 26 May 2008 04:50:48 +0000

How do i do the regedit thing? what are the changes to be made?

I don’t understand it

By: mohammedfirouz

mohammedfirouz — Thu, 01 May 2008 16:25:37 +0000

Also, I forgot to say this…
As I was so upset with this virus, i decided to write a removal tool for it, but as i had a different .exe name in my drive root folder, it only therefore delete that file.

I was wondering if anyone was kind enough to drop me an email with the name that they saw in their root folder, so i can include in removal tool.

And then, if you want, i can send you a copy of the removal tool, with the name of the .exe file that you are infected so it does all the above in one go…

Thanks very much
Mo

By: mohammedfirouz

mohammedfirouz — Thu, 01 May 2008 16:22:28 +0000

Hi!
I was infected with this virus as well, but i got rid of it, in about 30minutes.
It’s very simple:
1) Download Autorun.zip…its from a company, that later on Microsoft bought it (like everyother good one!)
2) Look under Logon, and uncheck amvo.exe, and amvo0.dll
3) Restart the computer into Safemode With Command Prompt… doesn’t load the explorer.exe (amvo infected it, so it automatically loads amvo!)
4) Delete the “amvo.exe” and “amvo0.dll” from the system32 folder
5) Delete “autorun.inf” from the root of EVERY single drive, or edit them using notepad…. DELETE THEM USING the COMMAND PROMPT, otherwise, it’s pointless.
6) After all above done, restart to normal windows, using Task Manager. DO NOT LOAD EXPLORER.exe,
7) Modify the registry keys, so you can see hidden files (instruction above)
9) Delete the .exe or .com file in the root of each drive……..
10) *** YOU ARE DONE! ***

By: bino

bino — Wed, 30 Apr 2008 15:54:23 +0000

this really worked dude….usually i always format my drive wen i am not able to the hidden files….but nw it totally worked…thanks buddy.it rockz!!

By: Daniel

Daniel — Thu, 24 Apr 2008 06:35:44 +0000

Thank for this solution…
You says ” Install a good antivirus update it”
avast and norton can’t détect amvo, what antirus can detect amvo ?

By: batu

batu — Wed, 23 Apr 2008 14:58:47 +0000

magus thanx. i did it and delete viruses :]

By: Dixit

Dixit — Wed, 23 Apr 2008 14:04:44 +0000

Hy, thank u so much…..
I was about to format my computer but by reading this article,
i had successfully deleted this virus…..

By: ??????

?????? — Fri, 18 Apr 2008 05:43:51 +0000

Russion version of this article is terrible! I’m native speaker I know this language very well and I just don’t understand anything in russian version. Translating articles using translating programms is not serious. Nobody will understand the meaning of the text. You should edit is or there is no sense in posting it. The language of the russian version of the article is NOT russian!

By: magus

magus — Sat, 12 Apr 2008 17:37:11 +0000

something more to add
these instructions also helped a lot
http://wiki.answers.com/Q/My_system_got_attacked_by_a_virus_The_hidden_files_and_folders_are_not_shown_even_if_you_give_the_show_hidden_files_n_folders_radio_button_how_to_get_rid_of_the_virus_virus_resides_in_each_partition

http://bleuken.i.ph/blogs/bleuken/2007/06/29/viruses-that-uses-autoruninf/

because the sucker has different names, e.g. “t.com” like in my case.
if you locate the autorun.inf using the dir/ah command, then open it using “edit”, you see what name the actual process has and kill it.

By: magus

magus — Fri, 11 Apr 2008 15:12:14 +0000

hi
it worked for me. I want to add:

-I booted in safe mode F8
-did a search with cmd.exe (dir/ah) for a hidden file named “t.com” and found it on every attached HD.
after i deleted all entries in the registry named “amvo” i also did a search for “t.com” and deleted all entries with exact that name.
-then deleted in cmd.exe all hidden files “autorun.inf” (del /F /ah autorun.inf) and “t.com” (del /F /ah t.com)

now it seems i got rid of the sucker!
cheers
m

By: Cliff Miller

Cliff Miller — Fri, 11 Apr 2008 06:30:01 +0000

This totally worked where anti-virus software didn’t, so thank you VERY MUCH. It was really annoying me. The instructions weren’t presented in the most basic ways, but I searched around on the internet to find how to do some of the suggested things.

I couldn’t delete the files via the cmd, even though I could see them, but once I disabled autoplay on all drives I was able to use windows explorer to find and delete them without activating them.

By: Shivank

Shivank — Tue, 08 Apr 2008 16:05:26 +0000

Worked For Me!!!
Thanks a lot!