amvo.exe Virus Manual Removal Steps
Intro
This is a nasty virus, dont know who dropped it on me. It spreads via USB Memory Sticks. It cannot be seen in the process list, hides itself and hides all files. And my antivirus doesn't seem to find a problem! :(
Some Symptoms
- Cannot show hidden files
- Slows down USB devices
- Adds infections to plugged in USB devices
- Drives open in new windows from My Computer
How to get rid off?
Step 1
The usual way is to Format the system, but it is not a permanent solution. To get rid run regedit, find all keys related to amvo.exe or the name of the virus.
Run msconfig in the Start Up Tab you can find the amvo.exe or its variants.
Remove all occurrence of the name from regedit.
Reboot the System.
Step 2
Reboot and do the following changes to the Registry using regedit
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer searchidden en 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer searchsystemdirs en 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\Advanced hidden en 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\Advanced showsuperhiden en 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\Advanced superhiden en 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN CheckedValue 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN DefaultValue 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL CheckedValue 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL DefaultValue 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun 0x00000091 (145)
-- OR --
Reboot into a different OS and do the following
Step 3
From all the drives delete the autorun.inf using command line (if on windows) or from a linux OS. Do not open the drive from the explorer as it would spread the virus again to this OS. If you have linux installed and can access all partitions on the disk, go delete the files and clear the trash on all drives.
Step 4
Reboot the system.
Do necessary changes as in Step 2, if you have not done those.
I hope that will do it
Install a good antivirus update it.
Prevent Autorun from USBs.
To disable Autoplay of all drives
Start > Run > gpedit.msc
Enable : Computer Configuration > Administrative Templates > System > Turn Off Autoplay
Anything more ?
Related Pages
Amvo Removal Tool
Labels:
Virus Removal,
Windows
Bookmark me on :
45 comments:
Thanks, I really owe you muuuuucccchhhhh
I need your help with my Windows Media skin... Ive posted several times but havent gotten a reply..
hey Binary Man,
sorry... me was busy fighting these virus,...
What help do yo need?
Eh well heres what I need help with:
I was able to get like the WMS file right, and I was able to get it toread off from the js file. But im having problems with starting the js file. You said to put a base for control view with a proper background, and then after the view nodes to put the subview code you gave. I'm just really confused here. I'm a complete newbie at javascript, this project of making my own WMP skin being my first attempt at it.
Could you help?
How do i do step do
i dont know how to use regedit
i already did the first step where you asked me to run regedit and i used find to find amvo and deleted everything i found
but when you ask me to report and change all that code i get lost
and how do i use the command line to delete files on other drives??
i am using windows xp pro
i am pretty good with computers
just not to familiar with regedit
for a short intro about the regedit
chk out http://digitalpbk.blogspot.com/2007/03/windows-registry-something-you-must.html
To delete files using command line
Run cmd
Navigate to the drive by typing
X: where X is the drive letter.
Then del filename.
--OR--
You could disable autoplay on all drives, which is given above and use the explorer to delete the files listed.
AMVO.exe
Symptoms
Hidden file problem
Always open new windows
Error occur of memory reference
Solution
Friends here is the complete solution for hidden file and amvo.exe file:
First of all download the BulletProof FTP Client for Windows software from the http://www.bpftp.com/ ,its free software and then run it it will show you your all hidden files and system file in all drives, Then after u will explore them by right click view explorer then u found the all files like amvo.exe,amvo.dll,amvo0.dll,amvo1.dll,etc.Some file also remove from that software but some r not.So open in safe mode and again choose view explorer from that software.Now u can show that all file into c:\windows\system32\
Delete all that files।and restart ur computer.
Do this for all drives .
Write in address bar of that software like D:, F:, C:, etc.
And you found some file like *.cmd,autorun.inf in all drive, All that file are same in all drive so before delete them u’ll check its remain in the all drive, otherwise by mistake u’ll remove system file, So take care and remove the mentioned file.
still u can’t find them then in bpft software u can edit amvo.dll file by changing its content or by removing all data and rename that file. and again open in safe mode and delete all the file.
Now ur computer is free of virus and follow the below instruction:
Now hidden file problem
1.Click Start > Run and type REGEDIT
2. Click the plus sign next to HKEY_CURRENT_USERthen SOFTWAREthen Microsoftthen Windowsthen CurrentVersionthen Explorerthen Advanced
On the right side, double click the hidden value and give it a value of 1.
3.same for HKEY_LOCAL_MACHINEthen SOFTWAREthen Microsoftthen Windowsthen CurrentVersionthen Explorerthen Advancedthen Folderthen Hiddenthen SHOW ALL
Change the value of Checked Value to 1.
Its really works for meNow i’ve no problem of hidden file.
I think this is the complete solution for amvo.exe. And I had gone through and successed.
i think it's better done this way
run cmd
enter the follwoing commands
taskkill /im explorer.exe /f
cd %systemroot%\system32
del amvo* /f /q /as
cd \
dir /ah
the name the virus uses shld be ***.com,(note not ntdetect.com), delete the virus using
del ***.com autorun.inf /f /q /as
//change to the other drives say, d: and repeat the same thing and then e: and repeat the same thing, etc
then
start explorer
this will clear the virus, follow the registry commands to show hidden files and folders *****
logbon72@gmail.com
smi had this amvo.exe virus.
and then when i tried to restart my computer it load till the windows and then restart by it self .. plz help me out. on how to remove tis stupid virus ..
smi had this amvo.exe virus.
and then when i tried to restart my computer it load till the windows and then restart by it self .. plz help me out. on how to remove tis stupid virus ..
for autorun disabling,
it's not computer config rather it is frm user configuration.....
Olalekan thank you very much, you saved me from a lot of trouble! silektis(a_t)gmail.com
not working for me man
hey thnks a lot it really saved me
Thanks a lot... it was really helpful. betsuper@gmail.com
HEEELP my computer starts and as soon as the desktop is seen there are mssgs from erros amvo.exe + avpo.exe! and after that my computer freezes and i cant do nogthing but turn it off by unplugging it, pleaseee i really need my computer!!!!
email me as soon as possible
life_aint_chess@hotmail.com
"To disable Autoplay of all drives
Start > Run > gpedit.msc
Enable : Computer Configuration > Administrative Templates > System > Turn Off Autoplay"
Thanks for the above tip, dint think about till I read this :D
Hey guys if you create a bat or .cmd file to delete the files with the /ah and /f switches and immediately create a directory with the same name as the file you are deleting it prevents the virus from re-creating itself. Then you can do the registry resets. This virus is usually present in the root of all drives infected and also the windows\system32 or winnt\system32 directory on the system drive. Question - Why haven't the main players in the av marketplace go a handle on this one yet? C'mon you av guys!
Really thanks to convey removing amvo.exe virus
thnks a lot to every1
i got rid of amvo.exe at last
Hey Arun Prabhakar,
thanks for your help man. I just did the second step only. Didnt do the step 1. Seems that everything is ok now. Explorer is cool and no more bugging message... Is it necessary that i should do the first step also.... If so please tell me how to find files once u enter regedit. I couldnt decode what u meant in first step.
Hey also when ever my system restarts it shows
C:\Windows\System32\VirusRemoval.vbs missing... How to solve that. PLease do post a reply....
Thanks
AMAL
hey AMAL,
you need to do step 1 if u want to get rid of the annoying messages on startup.
Press WindowsKey + R
to start Run
and type msconfig
Goto the startup tab and untick the C:\...\VirusRemoval.vbs from it.
Arun,
Unfortunately i couldnt find that in the msconfig.... But there are 2 amovo . I am going to repeat the process... Step 1 to step 4... But how to do this :
To get rid run regedit, find all keys related to amvo.exe or the name of the virus.
I am sorry. I am doing this for the first time... Thats why i am asking u all these. At one side i am sad that my lappy is ill, and at other side, i am bit excited that i am learning this :) THanks for that. PLease send me a reply as soon as possible. Or if u have a gmail, please add me spyamal@gmail.com . I ll wait for ur reply... Good day
Which Operating system ?
When I will install OS again, So i will have to do again this process or not?
Nop
But if you could tell me which is your OS
I could know how to find the msconfig.
Arun,
June 17, 2008 6:26:00 AM PDT Was send by me and i didnt get ur response for that :(
My OS is windows xp.
Now all my hidden files are missing no matter what i do.....
Also how to do the step 3. I mean how to find and delete from command prompt. What are the commands for that.
Amal
Hey amal, I think your system is not only infected by amvo but many others as well.
These steps work only for amvo
If you have other viruses as well you might have to delete them also.
The easiest way for you now would be to get an antivirus.
AVG Free can remove some for you.
Hi Arun,
Now its better to ask u only. From today morning, my system has this problem:
windows dont login past login
When i type my password, it shows my wallpper and then logs off. Dont know what to do. I cannnot think about formatting it. I have lots and lots of work data in it.
See i ll tell u how my adventure started... I did like u said, the with the help of my friend, corrected the rest of the problems...
But when i was alone, i searched for virusremoval.vbs in the registry and found one. Immediately deleted. Then it was the beggining.. When i restarted... phoooooooooooo gone...
Seems like u can get me out of this situation... I tried all modes.. same.... F8 & all...
Also i dont see any chance of going to CMD ... Could u please help..
Lenovo Laptop.
XP Prof:
Think Pad....
Atleast tell me how to get my data out safely
Amal.
spyamal@gmail.com
Also,
My Anti virus is Kaspersky..... Fully updated.
Amal
I have solved my problem! It's Very easy..
Thank You.........
Thank You................. :-)
Thank You :-)
It worked
thanks
hi dude,i need ur help.......i also hav tis nasty amvo.exe virus...i go thro the steps to remove it...is there a way tat deleting tat virus witout formatting the system....
oleakani steps worked like a champ
thhanks man
Arun,i got this amvo virus about a month ago, i have kaspersky, it can detect a hidden install but it cannot remove it, i just keep denying it but yet it still persists. now, my pc just keeps on restarting up to chkdsk, then restarts all over again. also, before the pc restarts, a blue screen appears in a split second. then the whole load and restart process runs all over again and again and again. i cant also run it in safe mode. HELP!!
-julZ
Hey Guys, seems there are multiple versions of this virus, some are very easy to remove & others that are herder to remove; first time i got it it was a disaster on my pc, today i got it on my laptop, it was a 15 minutes time only to remove it
Dear Arun Prabhakar
I am trying to remove this virus since morning and now its 10 evening. I tried lot of tricks to remove this bastard but in vain. Your post helped me out and at last i can leave my office.
Really thanks dear
Sameer
but at STEP 2 if you want to choose>
Do not show hidden ... or
Show hidden ... (later in folder option)
...\NOHIDDEN CheckedValue 0
...\NOHIDDEN DefaultValue 0
...\SHOWALL CheckedValue 1
...\SHOWALL DefaultValue 1
F5 Refresh registry
Copy all of the following into notepad, save as a batch (.bat) file. Plug in any removable media which may be infected. Run the batch after all files are plugged in.
I discovered this virus in my class at school (go figure, a computer class finds a virus that no one else noticed) and wrote this almost entirely myself, with help from tutorial sites for simplifying my commands. It's still long and choppy, but simply deleting "amvo.exe" will not fix your computer, as it takes many names. (You can see these names listed at the top-- amvo, avpo, avno, avmo, etc.) Simply deleting the *.com will also not fix the problem, as they are replicated in seconds by the .exe.
Preform a reboot after running this selection. Then, open a window (any explorer window) and Tools > Folder Options > View > Show Hidden Files and Folders. If hidden files still do not show (visit your C:\ or OS drive for the easiest test of this) you may have a "new" mutation or variation, or simply another virus.
As a final note, this batch no longer erases all of the strings in registry that contain amvo.exe. You may want to search that manually, for housekeepings sake. Only the 2 at the bottom are absolutely needed for the problems I encountered.
Here goes! Copy this into a .bat...
@echo off
tskill explorer
tskill wscriptd
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\autorun.inf /f /a /q
attrib %systemroot%\system32avpo*.* -r -s -h
attrib %systemroot%\system32avmo*.* -r -s -h
attrib %systemroot%\system32avno*.* -r -s -h
attrib %systemroot%\system32amvo*.* -r -s -h
attrib %systemroot%\system32amno*.* -r -s -h
attrib %systemroot%\system32imvo*.* -r -s -h
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\windows\system32\avpo*.* /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\windows\system32\avmo*.* /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\windows\system32\avno*.* /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\windows\system32\amvo*.* /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\windows\system32\amno*.* /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\windows\system32\imvo*.* /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\ntde1ect.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\tio8x6.cmd /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\t1ak.2 /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\semo2x.exe /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\d.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\n1deiect.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\uxdeiect.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\nudeiect.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\u.bat /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\xn1i9x.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\ylr.exe /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\ylr.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\awda2.exe /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\h.cmd /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\juok3st.bat /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\qd.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\qd.cmd /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\xo8wr9.exe /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\nideiect.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\2ifetri.cmd /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\3wcxx91.cmd /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\x.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\0hct8ybw.bat /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\d6fagcs8.cmd /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\ekugb3.bat /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\gumkrhf.bat /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\oufddh.exe /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\u2.cmd /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\uisvkqr.exe /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\xpbkh.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\y82td3td.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\a3g3.bat /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\v.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\ta2.cmd /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\8.bat /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\i.exe /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\uisvkqr.exe /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\xpbkh.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\mvxm.cmd /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\f.exe /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\rthrw.com /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\v.cmd /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\yo2mq6.exe /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\h6o0re.cmd /f /a /q
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do del %%d:\b.com /f /a /q
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\ /v CheckedValue /t reg_dword /d 0x00000001 /f
real thanx for d solution for dis virus
i did all d steps everython is fyn
but dude still cant use explorer to open the drives
help me !!!!!
hi I just came across this post; I have amvo.exe on the windows partition of my macbook. i'm trying to delete the file while in OSX using the terminal, but I keep getting that autorun.inf is a read-only file, and can't change the properties. Any thoughts on this? Thanks
for windows, i use attrib -h autorun.inf.. idunnofor mac
Post a Comment