Today I got a virus on my system. When I try to log in to Yahoo Messenger, it closes without logging in. I found the virus (I don't know its name) and cleaned it manually. These are the steps I took to remove it by hand.
- First I checked Task Manager; I didn't find any suspicious processes.
- Next I opened MSConfig (go to Run and type msconfig). Under the Startup tab I found one entry with the name amvo.exe. It is located in the Windows\System32 folder.
- I unchecked that entry and closed the msconfig window.
- Next I opened Registry Editor (go to Run and type regedit), searched for "amvo.exe" and found one entry. I deleted the whole key.
- Next I tried to set the "Show hidden files" option (Tools > View in Windows Explorer), as the virus files are hidden. But it would not let me: as soon as I selected "Show hidden files" and clicked OK, it changed back to "Don't show hidden files".
- Then I used the BulletProof FTP software to browse the local disk, because it shows all files, including hidden ones. (I already had the FTP software installed on my system. You can get a free trial version from its website.)
- Then I browsed to the Windows\System32 folder and deleted amvo.exe, amvo0.dll and amvo1.dll.
- This virus puts an Autorun.inf file and a .cmd file in every drive's root. I removed all of those.
Don't forget to disable System Restore before starting the cleaning process, and boot Windows into Safe Mode.
Update: I built two files to clean this virus automatically. After downloading the AMVO Cleaner, unzip the file to get a folder. Open that folder and double-click the file named AMVO_Delete. It should clean the virus. Please let me know in the comments below whether this solved your problem.
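The steps above can be checked from one script. The following is an added example, not code from the original post or its AMVO Cleaner download: it reports the indicators the post lists (the startup entry, the three files in System32, and autorun.inf or .cmd files in every drive root) and only deletes them when run with -Remove. The function and parameter names are this example's own; the file, folder and Run-key names come from the post and from Windows itself.

```powershell
# Added example, not code from the original post: audit (and optionally remove) the
# indicators the post lists. Function and parameter names are this example's own;
# the file, folder and Run-key names come from the post and from Windows itself.
# Review the report first; run with -Remove from an elevated prompt in Safe Mode.
function Find-AmvoIndicators {
    param([switch]$Remove)

    # 1. MSConfig's Startup tab is fed by the Run keys: look for the amvo.exe entry.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }             # provider metadata, not a value
            if ("$($p.Value)" -match 'amvo') {
                Write-Output "Startup entry: $key\$($p.Name) = $($p.Value)"
                if ($Remove) { Remove-ItemProperty -Path $key -Name $p.Name }
            }
        }
    }

    # 2. The dropped files in System32. -Force lets Get-Item see Hidden/System files,
    #    which is why Explorer (with its hidden-files setting forced back) cannot.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($name in 'amvo.exe', 'amvo0.dll', 'amvo1.dll') {
        $path = Join-Path $sys32 $name
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            Write-Output ("File: {0}  attributes: {1}" -f $item.FullName, $item.Attributes)
            if ($Remove) { Remove-Item -LiteralPath $path -Force }
        }
    }

    # 3. autorun.inf and .cmd files in every drive root, removable drives included.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $found = Get-ChildItem -LiteralPath $drive.Root -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           ($_.Name -ieq 'autorun.inf' -or $_.Extension -ieq '.cmd') }
        foreach ($f in $found) {
            Write-Output ("Drive root: {0}  attributes: {1}" -f $f.FullName, $f.Attributes)
            if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
        }
    }
}

Find-AmvoIndicators            # report only
# Find-AmvoIndicators -Remove  # delete what the report listed
```

The report shows each file's attributes, so you can see the Hidden and System flags that stop Explorer from listing them. A .cmd file in a drive root is not always malicious, which is why the script lists first and removes only on request.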
If you find this information useful, please leave a comment below. See the following links for more information:
Important steps when cleaning virus
Disable auto play
Task Manager disabled?
Unable to open Registry?
Know about process?
How I removed Funny UST Scandal virus from my system
Removed fun.exe, dc.exe, SVIQ.exe manually
Hello,
thanks to you and to your advice I have been able to solve some of my PC's problems concerning bad items.
I have downloaded a trial for scanning my system, PREVXCSIFREE, a free program that detects bad stuff on a PC. Then I found BulletProof very useful; I searched for the files that the previous scan logged as bad and so proceeded to delete every one of them.
However, after deleting amvo.exe and similar, I've tried to delete amvo1.dll but it doesn't work and I do not know why. So, I ask you...
Maybe because I made mistakes from the beginning: I have not understood HOW I have to scan my PC. Before turning on my antivirus, what do I have to do? Do I have to turn off System Restore in the Control Panel so it will be able to clean even the backup of my PC???
thanks for your help
and sorry if my English is not so good :P
Thank you. You don't need to turn off System Restore before installing antivirus. After turning off System Restore, reboot your system into Safe Mode and do a full system scan.
I hope it helps you.
Could you please kindly explain how I perform the last step in manually removing the amvo.exe virus? It says there that you removed the autorun.inf file from every drive's root. I'm an amateur and do not know what this means or how it is done.
This Autorun.inf file will be there in a hidden state, so I used the BulletProof FTP client software to view and delete it. This file is usually used by movie CDs or game CDs to play them automatically.
When an Autorun.inf file is found in a drive's root folder, Windows executes the commands given in that file whenever you double-click on the drive. You can see this by right-clicking on the drive: the default action (shown in bold) will have changed to AutoPlay instead of Open.
Viruses use this file to create another copy of the virus. Whenever you double-click on the drive, the commands in this file are executed and a new copy of the virus is created.
By deleting this file you ensure that you won't accidentally execute the virus.
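The behaviour described in this reply can be inspected rather than guessed at. The following is an added example, not code from the original post or this comment: it parses the [autorun] section of an autorun.inf the way the reply describes Windows using it, and reports which command a double-click on the drive would run and whether that file is present in the drive root. The function names and the sample INF text are this example's own, and "dropper.cmd" is a made-up file name.

```powershell
# Added example, not code from the original post or the comment above: parse an
# autorun.inf and show which command a double-click on the drive would run.
# Function names and the sample text are this example's own; "dropper.cmd" is made up.
function Get-AutorunActions {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $inAutorun = $false
    $actions = @()
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') {                            # [section] header
            $inAutorun = ($Matches[1] -ieq 'autorun')
            continue
        }
        if (-not $inAutorun) { continue }
        if ($line -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim(); $value = $Matches[2].Trim()
            # open= and shellexecute= run on double-click / AutoPlay; shell\<verb>\command=
            # defines a context-menu verb and shell=<verb> makes it the bold default action.
            if ($key -imatch '^(open|shellexecute|shell|shell\\[^\\]+\\command)$') {
                $actions += [pscustomobject]@{ Key = $key; Value = $value }
            }
        }
    }
    return $actions
}

function Show-DriveAutorun {
    param([Parameter(Mandatory=$true)][string]$Root)
    $inf = Join-Path $Root 'autorun.inf'
    # -Force is needed: the dropped file carries the Hidden attribute.
    $item = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
    if (-not $item) { Write-Output "$Root : no autorun.inf"; return }
    Write-Output ("{0} (attributes: {1})" -f $inf, $item.Attributes)
    foreach ($a in Get-AutorunActions -Lines (Get-Content -LiteralPath $inf -Force)) {
        $target = ($a.Value -split '\s+')[0]                      # executable before any arguments
        $present = Test-Path -LiteralPath (Join-Path $Root $target)
        Write-Output ("  {0} = {1}   (target present: {2})" -f $a.Key, $a.Value, $present)
    }
}

# Constructed sample of the shape the thread describes: a .cmd file in the drive
# root wired to both the open= action and the default context-menu verb.
$sample = @'
[AutoRun]
open=dropper.cmd
shell\open\Command=dropper.cmd
shell=open
'@ -split "`r?`n"
Get-AutorunActions -Lines $sample | Format-Table -AutoSize

# On a real machine, check every drive root:
# Get-PSDrive -PSProvider FileSystem | ForEach-Object { Show-DriveAutorun -Root $_.Root }
```

The sample prints three actions, all pointing at the same .cmd file; that combination (open= plus a redefined default verb) is exactly what turns the bold menu entry from Open into the dropper, as the reply explains.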
I had the same problem; one user brought the virus in on his USB flash memory. Panda detected the virus but it was still copying itself to every drive. The thing with this virus is that if you try the attrib command you won't be able to show the file, so instead of using BulletProof I used FileAssassin (just 200 KB). I also searched for u2.cmd in the registry and erased a couple of entries, and there is another DLL to erase, bpvcrq29.dll, in ..\documents and settings\user\temp
hope this helps.
BTW this virus was driving me nuts...
another thing, THANKS A LOT to 4 Paisa, this post helped me a lot.
Thank you enriquexx for the information. The virus was hidden from the process list in Task Manager. I wonder how that can be done?
Thank you so much. Love you........ ^_^
Thanks a million for this tip. I got this virus from my flash drive, which I had taken to my friend's place to copy some marriage photos. I had disabled it from startup but could not find it under c:\progr.... because it was hidden. Since I needed to use the computer for some urgent work, I did a system restore and that seemed to help. Now I plan to go back to the restore point when the virus was there (I had created another restore point for experimenting) and will remove it as per your instructions. Seems the autorun.inf on the pen drive was the biggest culprit.
I was able to delete all the amvo files and the .inf and .cmd files, but I still can't get "show all files" to work; it went back to hiding all files after I clicked OK. Can you tell me what else I need to do? Thx
Hi Anonymous.... try this link http://technize.com/2007/05/13/show-hidden-files-and-folders-not-working/
Thanks a lot, now I kicked this AMVO....Salamat po (Many Thanks). erwin
Had the infection on two systems. Once I had identified it, I was able to get rid of the files by going to the Safe Mode command prompt and using the attrib command: c:\>attrib -h -s -r *.*
This removes the attributes Hidden, System and Read-only so I could delete them.
Some days I just can't live without a command prompt.
hi
Really the information given by you is very useful
I am facing a problem with a 1GB USB pen drive. It is not opening by clicking in Explorer. Right click => Explore is working OK. But I am unable to write or delete any file or folder on it. It is showing "drive is write protected".
kindly help
DC shukla
Thank you DC shukla. I think your USB drive has some infection. First disable AutoPlay.
Go to Folder Options > View. Select "Show all files" and uncheck "Hide protected operating system files". Click OK when it prompts you. Close the Options window by clicking OK.
Now insert your pen drive. Open it by right-clicking on it and selecting Explore. If you find any suspicious hidden files, delete them. It should work now.
I like to open pen drives in Explorer (Win+E) by clicking in the left pane or by right-clicking. Pen drives are the main source of infections these days.
Sigh! The younger generation will just not move without a pen drive, and the music players (like the ones by Transcend) come without a charger and have to be charged through USB (unless one wants to spend more on a separate, paid charger).
@Sanjay: Yea... I would like to have a pen drive with me always; it would be very useful. But I will be very careful with it, like not double-clicking on it and disabling AutoPlay, so that even if the pen drive contains a virus it won't harm my computer.
And will you believe it? I got this `amvo' virus from a friend's computer which has a legal and regularly updated McAfee AV? sigh
I will definitely believe it, because my friend also got this one while his McAfee was regularly updating. Maybe they haven't found a solution yet.
use this script to remove amvo.exe
(tested by me):
http://www.box.net/shared/7619h1x4wo
after that run this tool to remove the virus restrictions:
http://www.box.net/shared/45wyyx9gk0
Enjoy :)
http://www.bleepingcomputer.com/tutorials/tutorial61.html
hey guys, that's a link showing how to boot your system in Safe Mode. OK guys, at the start I was like, man, Safe Mode, I CBF doing it, and just did it without Safe Mode, but you definitely need to start it in Safe Mode in order to kill the trojan. It's not hard; it is very easy. Just a tip for people who are lazy like me :P
Hi,
I could remove amvo.exe and amvo1.dll but can't remove amvo0.dll
I even tried doing an attrib -r -s -h amvo0.dll but still cannot delete it. Since it is an NTFS partition I cannot even delete it from my Knoppix CD. Can you tell me what to do to delete this file?
@Anonymous: Thank you very much.
@dc: Did you try in Safe Mode? Is it showing any message when you try to delete it?
Hi,
thanks a ton... at first I deleted amvo.exe and amvo1.dll but couldn't remove amvo0.dll. Then I took your advice and tried in Safe Mode and was able to remove amvo0.dll. Though I am an amateur, your post helped me to resolve the problem. Thanks again
Hi. I don't have amvo1.dll.. but I experience the same thing that you are experiencing
please help!
Thanks a lot 4 Paisa!!!!
You helped me a lot!!!!
I had to use the 2nd method explained on the Technize site to view my hidden folders.
Yo man, thanks a mil for that batch file. It's flippen cool. You made my life a lot easier. I wanted to format my PC but you came to the rescue. Thank you so much. Blessings. G
thanks Reddy. Your post helped me a lot.
thanks man, 1000 karma to you!!!! you rock
thanks for the help. My PC was infected by amvo............ I could remove amvo, but still I am not able to enable the option "Show hidden files and folders". Hey, why is it so? Plz, I need help
thanks so much, I'm a bit retarded when dealing with PCs, but I was capable of following the instructions :)
Thanks a lot, I removed amvo.exe from the registry, but can't find it in the System32 folder; also I can't delete all those autorun.inf files from my drives..... any suggestions???
p.s. you're doing a great service.... keep it up
Well, I have just finished all the steps and haven't rebooted yet to check whether this works or not. Hope this will work... thanks for the nice information.
@Karthick Krishna CS: Try deleting them by booting Windows into Safe Mode. It should work. All the best.
Thank you so much for the amvo cure!
That trick of using an FTP browser was just BRILLIANT :D
You are my hero!
Greetz
thanks brother for the useful post ...
BulletProof FTP is not the only solution to view hidden files ...
A much SIMPLER way of viewing all hidden content is through WinRAR; browse all your hidden folders...
The virus is easy to remove, especially since it can be done manually, and that is probably the reason most antivirus don't bother about it. :P
I'm not too sure why I would want to use an FTP client to locate hidden files. Have you used any alternative file managers, so-called clones of Norton Commander? Do give FreeCommander a try. It's not a trial version. It's fully featured freeware and so chock full of file-managing features that your readers would surely ask for a post on how to make it the default file manager.
One thing I observed is that having alternate software like a 3rd-party startup manager or a 3rd-party file manager makes it easier to locate virus entries, as the virus is unable to guess that such a product exists. The more alternates, the more the chances. Maybe when FreeCommander gets popular and disabled by a virus someday, I might as well give BulletProof a try; the option is always there, although I don't like trial versions. They leave a lot of junk when the time is up. Oh well, there is CCleaner. :)
I need AutoPlay on the pen drive to run PortableApps, the reason I just can't let go of my pen drive at all. I keep a backup of the clean autorun.inf in a subfolder on the pen drive. BTW StartupCPL is a very lightweight, standalone startup manager.
Your blog looks like a nice read.
Hope you visit and like mine at http://pintooo15.livejournal.com/
I tried to use the zip file you sent but my folder options still do not work.
I tried going to regedit and deleted the CheckedValue entry and replaced it with a DWORD value, but when I looked again, CheckedValue was restored in the file.
When I run msconfig, there is a blank entry, meaning there is no name but it is running in the startup.
Bro, it was a nice job.
Anyway.. I've seen that virus before and cleaned it manually..
The same amvo.exe virus can be seen under another name, 'ckvo.exe', with similar files ckvo0.dll and ckvo1.dll, and also all the other files you specified.
And also this virus creates some DOS applications like bsb9u.exe, tyktjfww.exe in the root of every drive (including removable media; that's how they spread)
You would be better off deleting them all.
Remember to repair the registry with these values:
1. Locate HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, then
set Hidden:dword=2 to 1
set ShowSuperHidden:dword=0 to 1
2. Locate HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden\SHOWALL, then
set CheckedValue:dword=0 to 1
If anyone sees that virus under some other name.. please let me know also..
ssanjul@gmail[dot]com
Regards..
Sanjul.A.S
Use Total Commander or other file managers to view hidden files on disk. But deleting some DLLs is possible only in Safe Mode. So do that first.
After all that you may unhide files by:
1. Locate HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, then
set Hidden:dword=2 to 1
set ShowSuperHidden:dword=0 to 1
2. Locate HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden\SHOWALL, then
set CheckedValue:dword=0 to 1
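The two comments above (Sanjul's and this one) list the same three values, and an earlier comment reports that a hand-edited CheckedValue kept coming back. The following is an added example, not code from either comment: it reads each value, checks both the number and the REG_DWORD type, and with -Fix recreates it. The function name is this example's own. Note that the real SHOWALL key has a Folder component (...\Advanced\Folder\Hidden\SHOWALL) that both comments leave out; the code uses the full path. Run it after the virus files are gone and in Safe Mode, otherwise the running process resets the values again, as the thread describes.

```powershell
# Added example, not code from either comment above: check the three Explorer
# values both comments list and, with -Fix, recreate each one as a REG_DWORD of 1.
# Function name is this example's own. The SHOWALL path below includes the "Folder"
# component of the real key, which both comments leave out.
function Repair-HiddenFilesSettings {
    param([switch]$Fix)
    $wanted = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
           Name = 'Hidden';          Value = 1 }   # 1 = show hidden files, 2 = do not show
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
           Name = 'ShowSuperHidden'; Value = 1 }   # 1 = show protected operating system files
        @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
           Name = 'CheckedValue';    Value = 1 }   # what the "Show hidden files" radio button sets
    )
    foreach ($v in $wanted) {
        $current = $null
        if (Test-Path $v.Path) {
            $prop = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
            if ($prop) { $current = $prop.($v.Name) }
        }
        # Explorer expects REG_DWORD here, so the type is checked as well as the number:
        # a REG_SZ "1" reads as 1 in regedit but does not count.
        $ok = ($current -is [int]) -and ($current -eq $v.Value)
        Write-Output ("{0}\{1}: current={2} ok={3}" -f $v.Path, $v.Name, $current, $ok)
        if ($Fix -and -not $ok) {
            if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
            # -Force replaces an existing value of the wrong type instead of failing.
            New-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Value `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

Repair-HiddenFilesSettings        # report only
# Repair-HiddenFilesSettings -Fix # write the values (HKLM needs an elevated prompt)
```

Running the report twice, once before and once after -Fix, shows whether the setting holds; if ok flips back to False by itself, something is still running and resetting it, and the file cleanup is not finished.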
Very well written, my issue is resolved.
Thanks!
Thanks buddy. You saved my day! Great work. Keep it up!
I tried to use AMVO REMOVAL but when I clicked on AMVO DELETE, my laptop shut down automatically. What should I do?
hey guys,
had some problem so thought you could help,
I had amvo.exe on my PC and it was getting detected as a warning in my Quick Heal 9.0 and the file got quarantined, so I thought to delete the file manually
I did it several times but no help
so I thought to take the net's help
but when I followed your steps (after deleting amvo.exe from system32)
I am not finding the files amvo.exe, amvo0.dll, amvo1.dll anywhere, also that autorun file
but then also I am still not able to view my hidden files, and my local drives are not getting opened in Explorer by double-clicking
I have also deleted a 'pf' file of amvo
Thanks a ton for solving the issue..
God Bless
Thanks for the articles..
I have some good solutions for removing this amvo.exe virus here:
http://guideandtips.blogspot.com/2008/03/how-to-remove-amvoexe-virus-manually.html
Thanks a lot for solving the issue..
God Bless
rem /f forces deletion of read-only files; /a with no attribute list matches files regardless of Hidden/System/Read-only attributes
del /f /a %Windir%\System32\amvo.exe
del /f /a %Windir%\System32\amvo0.dll
del /f /a %Windir%\System32\amvo1.dll