Sunday, February 10, 2008

Cleaned amvo.exe virus manually

Today my system picked up a virus. Whenever I tried to log in to Yahoo Messenger, it closed without logging in. I found the virus (I don't know its name) and cleaned it manually. These are the steps I took to remove it by hand.

  • First I checked Task Manager; I didn't find any suspicious processes.
  • Next I opened MSConfig (go to Run and type msconfig). Under the Startup tab I found one entry named amvo.exe, located in the Windows\System32 folder.
  • I unchecked that entry and closed the msconfig window.
  • Next I opened Registry Editor (go to Run and type regedit), searched for "amvo.exe" and found one entry. I deleted the whole key.
  • Next I tried to turn on "Show hidden files and folders" (Tools > Folder Options > View in Windows Explorer), since the virus files are hidden. It would not let me: as soon as I selected "Show hidden files" and clicked OK, the setting reverted to "Do not show hidden files and folders".
  • So I used the Bullet Proof FTP client to browse the local disk, because it lists every file, hidden ones included. (I already had the FTP software installed; a free trial version is available from its website.)
  • I browsed to the Windows\System32 folder and deleted amvo.exe, amvo0.dll and amvo1.dll.
  • This virus also places an Autorun.inf file and a .cmd file in the root of every drive. I removed all of those.
That's it. The virus was cleaned, and I can use my messenger again.

Don't forget to disable System Restore before starting the cleaning process, and boot Windows into Safe Mode.

Update: I built two files to clean this virus automatically. After downloading the AMVO Cleaner, unzip the file to get a folder. Open that folder and double-click the file named AMVO_Delete. It should clean the virus. Please let me know in the comments section below whether it solved your problem.

If you find this information useful, please leave a comment below. See the following links for more information:
Important steps when cleaning virus
Disable auto play
Task Manager disabled?
Unable to open Registry?
Know about process?
How I removed Funny UST Scandal virus from my system
Removed fun.exe, dc.exe, SVIQ.exe manually



47 comments:

  1. Hello,
    thanks to you and to your advice I have been able to solve some of my PC's problems concerning bad items.
    I have downloaded a trial for scanning my system, PREVXCSIFREE, a free program that detects bad stuff on a PC. Then I found BulletProof very useful: I searched for the files that the previous scan logged as bad and so proceeded to delete every one of them.
    However, after deleting amvo.exe and similar, I tried to delete amvo1.dll but it doesn't work and I do not know why. So, I ask you...

    Maybe because I made mistakes from the beginning: I have not understood HOW I have to scan my PC. Before turning on my antivirus, what do I have to do? Do I have to turn off System Restore in the Control Panel so it will be able to clean even the backup of my PC???
    thanks for your help
    and sorry if my English is not so good :P

    ReplyDelete
  2. Thank you. You don't need to turn off System Restore before installing antivirus. After turning off System Restore, reboot your system into Safe Mode and do a full system scan.
    I hope it helps you.

    ReplyDelete
  3. Could you please kindly explain how I perform the last step in manually removing the amvo.exe virus? It says there that you have removed the autorun.inf file from every drive's root. I'm an amateur and do not know what this means or how it is done.

    ReplyDelete
  4. This Autorun.inf file will be there in a hidden state, so I used the Bulletproof FTP client software to view and delete it. This file is usually used by movie CDs or game CDs to play them automatically.
    When an Autorun.inf file is found in a drive's root folder, Windows executes the commands given in that file whenever you double-click the drive. You can see this by right-clicking the drive: the default action (shown in bold) will have changed to Auto Play instead of Open.
    Viruses use this file to create another copy of the virus. Whenever you double-click the drive, the commands in this file are executed and a new copy of the virus is created.
    By deleting this file you ensure that you won't accidentally execute the virus.

    ReplyDelete
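An added example (not the post's AMVO_Delete tool) covering the Autorun.inf step of the post and the mechanism described in this comment: it parses an autorun.inf and reports which programs the file launches and whether it re-points the drive's own Open and Explore actions, which is why a double-click on the drive runs the dropped file. The two autorun.inf texts in it are constructed, and the file names in them are made up.

```python
"""Triage an autorun.inf from a drive root: list the programs it makes Explorer run
and flag re-pointed Open/Explore actions. Added example; both samples are constructed."""
import configparser

LAUNCH_KEYS = ("open", "shellexecute")  # run directly by AutoPlay / double-click
EXPLORER_VERBS = ("open", "explore")    # Explorer's own drive actions

def parse_autorun(text):
    """Return the [autorun] section (case-insensitive name) with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "autorun":
            return dict(cp.items(name))
    return {}

def verb_of(key):
    """For a shell\\<verb>\\command key return <verb>, otherwise None."""
    parts = key.split("\\")
    return parts[1] if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command" else None

def triage(text):
    """Programs launched, Explorer verbs hijacked, and a verdict for one autorun.inf."""
    entries = parse_autorun(text)
    programs, hijacked = set(), set()
    for key, value in entries.items():
        verb = verb_of(key)
        if (key in LAUNCH_KEYS or verb) and value.split():
            programs.add(value.split()[0])  # first token is the program
        if verb in EXPLORER_VERBS:
            hijacked.add(verb)              # Open / Explore now run the listed file
    # Overriding Open/Explore (or the default verb via shell=) is what makes a
    # plain double-click on the drive run the dropped script.
    return {"programs": sorted(programs), "hijacked_verbs": sorted(hijacked),
            "suspicious": bool(hijacked) or "shell" in entries}

# Constructed hijack-style sample: Open and Explore run a root script (made-up name).
SUSPICIOUS_INF = r"""[AutoRun]
open=xx.cmd
shell\open=Open(&O)
shell\open\Command=xx.cmd
shell\explore\Command=xx.cmd
shellexecute=xx.cmd
"""
# Constructed benign sample, the kind a game CD or a PortableApps stick carries.
BENIGN_INF = r"""[autorun]
open=Start.exe
icon=Start.exe,0
label=My Stick
"""
```

To check a real drive, pass the contents of its root autorun.inf to `triage`; a result with non-empty `hijacked_verbs` is the pattern this comment describes, while a plain `open=` line is what ordinary CD autorun looks like.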
  5. I had the same problem; one user brought the virus in on his USB flash memory. Panda detected the virus but it was still copying itself to every drive. The thing with this virus is that if you try the attrib command you won't be able to show the file, so instead of using BulletProof I used FileAssassin (just 200 KB). I also searched for u2.cmd in the registry and erased a couple of entries, and there is another dll to erase, bpvcrq29.dll, in ..\documents and settings\user\temp
    hope this helps.
    BTW this virus was driving me nuts...

    ReplyDelete
  6. another thing, THANKS A LOT to 4 Paisa, this post helped me a lot.

    ReplyDelete
  7. Thank you enriquexx for the information. The virus was hidden from the process list in Task Manager. I wonder how that can be done?

    ReplyDelete
  8. Thank u so much. Love u........ ^_^

    ReplyDelete
  9. Thanks millions for this tip. I got this virus from my flash drive, which I had taken to my friend's place to copy some marriage photos. I had disabled it from startup, but could not find it under c:\progr.... because it was in a hidden state. Since I needed to use the computer for some urgent work, I did a system restore and that seemed to help. Now I plan to go back to the restore point when the virus was there (I had created another restore point for experimenting) and will remove it as per your instructions. Seems the autorun.inf on the pen drive was the biggest culprit

    ReplyDelete
  10. I was able to delete all the amvo's and the .inf and .cmd files, but I still can't get "show all files" to work; it went back to hiding all files after I clicked OK. Can you tell me what else I need to do? thx

    ReplyDelete
  11. Hi Anonymous.... try this link http://technize.com/2007/05/13/show-hidden-files-and-folders-not-working/

    ReplyDelete
  12. Thanks a lot, now i kicked this AMVO....Salamat po (Many Thanks). erwin

    ReplyDelete
  13. Had the infection on two systems. Once I had identified it, I was able to get rid of the files by going to a Safe Mode command prompt and using the attrib command: c:\>attrib -h -s -r *.*
    This removes the Hidden, System and Read-only attributes so I could delete them.
    Some days I just can't live without a command prompt.

    ReplyDelete
  14. hi
    Really the information given by you is very useful
    I am facing a problem with a USB pen of 1GB. It is not opening by clicking in Explorer. Right click => Explore is working OK. But I am unable to write or delete any file or folder on it; it is showing the drive is write protected.
    kindly help

    DC shukla

    ReplyDelete
  15. Thank you DC shukla. I think your USB drive has some infection. First disable Auto Play.

    Go to Folder Options > View. Select "Show All files", uncheck "Hide protected operating system files". Click on ok, when it prompts you. Close Options window by clicking on ok.

    Now insert your pen drive. Open it by right clicking on it, select explore. If you find any hidden files suspicious, delete them. It should work now.

    I like to open pen drives in explorer (Win+E) by clicking on left pane or by right clicking. Pen drives are main source of infections these days.

    ReplyDelete
  16. Sigh! the younger generation will just not move without a pen-drive and the music players (like ones by transcend) come without a charger and they have to be charged through the usb (unless one wants to spend more on a separate, paid charger).

    ReplyDelete
  17. @Sanjay: Yea... I would like to have a pen drive with me always; it would be very useful. But I will be very careful with it, like not double-clicking on it and disabling auto play, so that even if the pen drive contains a virus it won't harm my computer.

    ReplyDelete
  18. And will you believe it? I got this 'amvo' virus from a friend's computer which has a legal and regularly updated McAfee AV? sigh

    ReplyDelete
  19. I will definitely believe it, because my friend also got this one while his McAfee was updating regularly. Maybe they haven't found a solution yet.

    ReplyDelete
  20. use this script to remove amvo.exe
    ( tested by me ) :
    http://www.box.net/shared/7619h1x4wo
    after that run this tool to remove the virus restrictions :
    http://www.box.net/shared/45wyyx9gk0

    Enjoy :)

    ReplyDelete
  21. http://www.bleepingcomputer.com/tutorials/tutorial61.html
    hey guys, that's a link showing how to boot your system in safe mode. ok guys, at the start I was like, man, safe mode, I cbf doing it, and just did it without safe mode, but you definitely need to start it in safe mode in order to kill the trojan. It's not hard, it is very easy. just a tip for people who are lazy like me :P

    ReplyDelete
  22. Hi,

    I could remove amvo.exe and amvo1.dll but can't remove amvo0.dll

    Even tried doing an attrib -r -s -h amvo0.dll but still cannot delete it. Since it is an NTFS partition I cannot even delete it from my Knoppix CD. Can you tell me what to do to delete this file?

    ReplyDelete
  23. @Anonymous: Thank you very much.

    @dc: Did you try in safe mode? Is it showing any message when you try to delete it?

    ReplyDelete
  24. Hi,
    thanks a ton... at first I deleted amvo.exe and amvo1.dll but couldn't remove amvo0.dll. Then I took your advice and tried in safe mode and was able to remove amvo0.dll. Though I am an amateur your post helped me to resolve the problem. Thanx again

    ReplyDelete
  25. Hi. I don't have amvo1.dll.. but I experience the same thing that you are experiencing

    please help!

    ReplyDelete
  26. Thanks a lot 4 Paisa!!!!
    You helped me a lot!!!!
    I had to use the 2nd Method explained on the Technize site to view my hidden folders.

    ReplyDelete
  27. Yo man, thanx a mil for that batch file. It's flippen cool. You made my life a lot easier. I wanted to format my PC but you came to the rescue. Thank you so much. Blessings. G

    ReplyDelete
  28. thanks Reddy. Your post helped me a lot.

    ReplyDelete
  29. tnxxxx man, 1000 karma to you!!!! you rock

    ReplyDelete
  30. thanks 4 d help. My PC was infected by amvo............ I could remove amvo, but still I am not able to enable the option "Show hidden files and folders". hey why is it so? plz I need help

    ReplyDelete
  31. thanks so much, i'm a bit retarded when dealing with PCs, but i was capable to follow the instructions :)

    ReplyDelete
  32. Thanks a lot, I removed the amvo.exe from the registry, but can't find it in the system32 folder; also I can't delete all those autorun.inf files from my drives..... any suggestions???


    p.s. you're doing a great service.... keep it up

    ReplyDelete
  33. well I have just finished all the steps and haven't rebooted yet to check whether this works or not. hope this will work...thanks for the nice information.

    ReplyDelete
  34. @Karthick Krishna CS: Try deleting them by booting windows into safe mode. It should work. All the Best.

    ReplyDelete
  35. Thank you so much for the amvo cure!
    That trick of using an FTP browser was just BRILLIANT :D
    You are my hero!
    Greetz

    ReplyDelete
  36. thanxxx brother for d useful post ...

    BulletProof FTP is not the only solution to view hidden files ...

    A much SIMPLER way of viewing all hidden content is thru WinRAR: browse all your hidden folders with it...

    ReplyDelete
  37. The virus is easy to remove, especially since it can be done manually, and probably that's the reason most antivirus products don't bother about it. :P
    I'm not too sure why I would want to use an FTP client to locate hidden files. Have you used any alternative file managers, so-called clones of Norton Commander? Do give FreeCommander a try. It's not a trial version. It's fully featured freeware and so chock full of file managing features, your readers would surely ask for a post on how to make it the default file manager.
    One thing I observed is that having alternate software like a 3rd party startup manager or a 3rd party file manager makes it easier to locate virus entries, as the virus is unable to guess that such a product exists. The more alternates, the more the chances. Maybe when FreeCommander gets popular and gets disabled by a virus someday, I might as well give BulletProof a try; the option is always there, although I don't like trial versions. They leave a lot of junk when time is up. Oh well, there is CCleaner. :)
    I need autoplay on my pen drive to run PortableApps, the reason I just can't let go of my pen drive at all. I keep a backup of the clean autorun.inf in a subfolder on the pen drive. Btw, startupcpl is a very lightweight, standalone startup manager.
    Your blog looks like a nice read.
    Hope you visit and like mine at http://pintooo15.livejournal.com/

    ReplyDelete
  38. I tried to use the zip file you sent but my folder options still do not work.

    I tried going to regedit and deleted the CheckedValue entry and replaced it with a DWORD value, but when I looked again, CheckedValue had been restored.

    When I run msconfig, there is a blank entry, meaning there is no name but it is running in the startup.

    ReplyDelete
  39. Bro, it was a nice job.
    Anyway.. I've seen that virus before and cleaned it manually..

    The same amvo.exe virus can be seen under another name, 'ckvo.exe', with similar files ckvo0.dll and ckvo1.dll, and also all the other files you specified.

    And also this virus creates some DOS applications like bsb9u.exe, tyktjfww.exe in the root of every drive (including removable media, that's how they spread).
    You had better delete them all.

    Remember to repair the registry
    with these values
    1. Locate HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced
    then,
    set Hidden:dword=2 to 1
    set ShowSuperHidden:dword=0 to 1

    2. Locate HKLM\software\microsoft\windows\currentversion\explorer\advanced\hidden\SHOWALL
    then,
    set checkedvalue:dword=0 to 1

    if anyone sees that virus under some other name.. please let me know also..
    ssanjul@gmail[dot]com

    Regards..
    Sanjul.A.S

    ReplyDelete
  40. Use Total Commander or other file managers to view hidden files on disk. But deleting some dlls is possible only in Safe Mode, so do that first.
    After all that you may unhide files by:
    1. Locate HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced
    then,
    set Hidden:dword=2 to 1
    set ShowSuperHidden:dword=0 to 1

    2. Locate HKLM\software\microsoft\windows\currentversion\explorer\advanced\hidden\SHOWALL
    then,
    set checkedvalue:dword=0 to 1

    ReplyDelete
  41. Very well written, my issue is resolved.

    Thanks!

    ReplyDelete
  42. Thanks buddy. You saved my day! Great work. Keep it up!

    ReplyDelete
  43. I tried to use AMVO REMOVAL but when I clicked on AMVO DELETE, my laptop shuts down automatically. What should I do?

    ReplyDelete
  44. hey guys,

    had some problem so thought you could help,

    I had amvo.exe on my PC and it was getting detected as a warning in my QUICK HEAL 9.0 and the file got quarantined, so I thought to delete the file manually

    I did it several times but no help

    so I thought to take the net's help

    but when I followed your steps (after deleting amvo.exe from system32)
    I am not finding the files amvo.exe, amvo0.dll, amvo1.dll anywhere, nor that autorun file

    but still I am not able to view my hidden files, and my local drives are not getting opened in Explorer by double-clicking

    I have also deleted a 'pf' file of amvo

    ReplyDelete
  45. Thanx a ton for solving the issue..
    God Bless

    ReplyDelete
  46. Thanks for the articles..

    I have some good solutions for removing this amvo.exe virus here:

    http://guideandtips.blogspot.com/2008/03/how-to-remove-amvoexe-virus-manually.html

    ReplyDelete
  47. Thanx a lot for solving the issue..
    God Bless

    rem /a with no attribute list matches hidden and system files too; /f forces read-only files
    del /f /a %Windir%\System32\amvo.exe
    del /f /a %Windir%\System32\amvo0.dll
    del /f /a %Windir%\System32\amvo1.dll

    ReplyDelete
