Symptoms
- You can't see hidden files and folders, even if you try modifying registry.
- Whenever you double click on drive icon on My Computer, it takes some time to open and always opens in new window.
- Your PC becomes a little slower.
- The Process is packed and/or encrypted using a software packing process
- This Process Creates Other Processes On Disk
- This Process Deletes Other Processes From Disk
- Loads and Executes a System Driver File
- Writes to another Process's Virtual Memory (Process Hijacking)
- Registers a Dynamic Link Library File
- The Process is polymorphic and can change its structure
- Violates Prevx File Security Settings
- Executes a Process
- Adds a Registry Key (RUN) to auto start Programs on system start up
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Modifies Windows Initialization And System Settings Used On Start up
- This problem can be a caused by a backdoor/Trojan amvo.exe.
- amvo.exe is bundled with several other worms/files some of them are
- 80avp08.com
- dosocom.com
- usdeiect.com
- xfoolavp.com
- autorun.inf
- Nideiect.com
- u.bat etc.. (a list of files is available here )
- These files are stored on the directories i.e. C:\, D:\ etc. and also on C:\windows\system32\amvo.exe
- You wouldn't be able to delete any of these files. Not even in Safe mode because it adds a autorun registry which loads amvo on boot.
- KILL all the processes like AMVO.exe or AVPO.exe
- Type "msconfig" without quote in run and press Enter.
- Go to startup tab and uncheck any entry on amvo.
- Type "cmd" without quote in run
- type "d:" and then press Enter
- type autorun.inf and then press Enter
- a file will open in notepad. this would have the name of the .exe/.bat/.com file in it, which is mounted at the boot time.
- Type "regedit" without quote in run and press Enter.
- Press Ctrl+F and type amvo, do the search again and again and delete all the related entries.
- Press Ctrl+F and type u.bat, do the search again and again and delete all the related entries.
- Press Ctrl+F and type amva, do the search again and again and delete all the related entries. Generally it should be HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\amva
- search for the registry of file name which was entered in autorun.inf and delete all entries.
- Go to regedit and then HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Advanced\Folder\Hidden\SHOWALL
- Double click on the entry called CheckedValue and replace the 0 with 1.
- Now Close all the windows and Press Ctrl+E to open the explorer.
- Enable the hidden option from the folder options.
- Delete all the malicious files as mentioned above.
- Your computer is now trojan free.
- Find all the amvo related files and delete them. (some of them are amvo0.dll, amvo1.dll etc.)
Generally this Trojan travels through a USB drive. so better explorer USB drive rather than opening it.
Comments are welcome. You may seek help or reply me @ spgarg04@gmail.com
32 comments:
Hi SP,
Nice post on the AMVO... Its the latest menace in our campus... The steps have been nicely illustrated so that even a novice guy can understand and get rid of it. Good work, Keep it up :)
Yours Rockingly,
Rohit Rocker
Thank you rocker sir
Thanks a lot surya.
I am also one of the victims of that virus.I was in lookout for the remedy.
Great work.
Computer Genius!!!!
are bhai,
without ur help it was very hard to keep my data safe .....just because of you I am able to access my data...thnks a lot dear..u r really f****r of computer.....
F**K all the viruses for the safety of our internet access.
U r truly doing a gr8 work.....
WOW,...we still have guys like you...
keep going...save everybody..
Best Of Luck....
Raj ....Rocky....
many thanks man :)
Thank you for you helpful knowledge. The second Symptoms:"Whenever you double click on drive icon on My Computer, it takes some time to open and always opens in new window" This still happens.
@ Nangoon
""Thank you for you helpful knowledge. The second Symptoms:"Whenever you double click on drive icon on My Computer, it takes some time to open and always opens in new window" This still happens.""
Hi it means the virus still exists. and the drives have the files which i mentioned. If it is not there then do the followings:
Go to folder options > General tab > browse folders
click on "Open each folder in same window"
also in view tab uncheck "Launch folder window in ... "
I hope it will work.
thanks
Thanks ... buddy :-)
gr8 job.
@ anonymous
welcome dude
Great really great bravo but...
the symptions and couses described are almost the same as I am facing but the damn problem is lsass.exe CANNOT BE KILLED FROM TASK MANAGER !!! When I "End Process" this lsass.exe from Task Manager, this messege appears :
This is a critical system process. Task Manager cannot end this process.
I created a system account this way:
DOS prompt
at Time /interactive "cmd.exe"
Then I tried to kill thhis process through this system account but NO WAY !!!
The problem persists.
Now what.....???
@ Wespa. thanks for posting here. See there will be two lsass.exe running in your system. one would be the original and other one would be the fake. the fake will have its user as either your name or the administrator. Kill that one.
If now also you are not able to kill take help of this tool
http://download.sysinternals.com/Files/ProcessExplorer.zip
thanks
I am very much thankful to SP Garg for solving my problem.
Though it was a small inconvenience, but it was irking me since long. I was searching over the net for its solution since few days and one lucky day I found your blog through Google search.
I would like to add the following to your post which would help others
Symptoms
1. My APC UPS was not able to shutdown / hibernate my system when the power was down
2. My “Yahoo Messenger” would hang after I enter my username
3. I was able to intiate shutdown from Command Prompt, but was not able to abort it with the command “shutdown –a” from DOS.
Causes
h) Xn1i9x.com
Solution:
1. Know what virus/worm has infected you and where’s the file located in your hard drive:
a) Scan your computer with Kaspersky Online Scanner(http://www.kaspersky.com/kos/english/kavwebscan.html) to know what virus/worm you are infected with and where are their location on your hard drive. Write them on a paper along with their paths.
b) This scan may take quite some time (My 160GB hard drive took 2hrs). After the scan it’ll show you the culprit files and will ask to buy the AV software to cure those virus. Just note down the virus/worm names and their location and disconnect the internet.
I recommend
i) to do an online scan, because after changing the registry and everything, I didn't know which files and where are the files to delete.
ii) You should also delete the 'autorun.inf' files in all local root drives
Hi nangoon! If you did everything right, and still have your drives open in new window, then, its possible that you didnt delete the 'autorun.inf' in the local drives. Enable "show hidden files" in folder options, and see if there's any 'autorun.inf' file. If yes, delete that file, your problem is solve
Thanks Krishna.. nice post by you.. it will help several users. Thanks once again
Hello People,
Still being irked by the autorun.inf file (It sux i know). Still opening ur Drives in the new folders?? Heres the solution:
Go to the command prompt
Change the directory to C:\ using the cd command- cd c:\
Dos prompt will now show c:\>
Now write autorun.inf and press enter
A notepad will open with a lot of shit in it :D If it opens then u are still infected...
Delete it like this:
Write: attrib autorun.inf -s -h -r
press enter
write: del autorun.inf
press enter
the file gets deleted. Write autorun.inf again and press enter. If it says 'cannot find autorun.inf' then its gone! :)
Do the same for D:\ also by using the cd command in DOS (Change directory).
Congratulations! U have solved the problem...
Important
Follow these steps along with the steps illustrated by SP on removing the AMVO.
It is the most effective when you run the processes in SAFE MODE of Windows.
To go to safe mode, restart the computer and repeatedly press F8 of Ctrl right from the begining.
A menu opens, select Safe mode option.
Get back to me for more help. :)
Hi,
Thanks for you solution.
but even after implementing the solution that you have mentioned, I am unable to resolve this issue.
so whats next..
kewl...
Hi
could you tell me how to find out if the trojan been deleted completely? How do i check? My d,e,f folders doesn't open up instead comes up with program to choose. Does it mean still i have trojan problem? Please give me the info. Thanks in advance.
Thanks a lot buddy. This really helped, you rock!
But I would like to share my experience. My symptom was that I was not able to see hidden folders. I followed the procedure mentioned by you but my processes did not have any AMVO.exe or AVPO.exe neither my regestry had amvo or amva or u.bat and my startup also did not contain any such terms but my startup had a blank entry and I disabled it and restarted my PC and horray! It woked! But I am still worried whether that Virus is still there on my PC or not. I also downloaded remove restrictio tool from -> http://onlyfreeware.net/download/details-143.html <- It is a freeware. All my problems are cleared. Thanks.
Hey I forgot to mention that my windows update is also disabled and still I am facing this problem. i am also not able to open "Automatic Updates" from Windows security Center (Control Panel).. please help!
Hey my automatic updates got open but my updates are not getting downloaded.. it is stuck at 0%
@ Rohit Rocker ... thanks for that tutorial to delete autorun.inf file
but when i followed your instructions -
Delete it like this:
Write: attrib autorun.inf -s -h -r
press enter
write: del autorun.inf
press enter
I got the error that autorun.inf cannot be found.
but then .typed autorun.inf and a file in notepad opened..can you help me on this..
check out this pic -->
http://img357.imageshack.us/img357/8720/autorun1bw7.jpg
@ Vibrantkiller
Please send me your hijackthis report so that i can diagnose your problem and solve it throughly.
Regards,
Surya
Hey thanks for the reply Surya. I wasn't knowing what is hijackthis. I searched it and found a freeware whichis "Trend Micro HijackThis 2.0.2"
I have scanned my PC with it and here is the log report..
http://cstutorials.50webs.com/vibrentkiller%20-%20hijackthis.txt
Hey everything seems to be working fine now... My automatic updates are on & I am able to see hidden files and folders..
Thanks for your help!
http://krojamsoft.com/filecleaner.php
[url=http://cpcheat.org/]Club Penguin[/url] provides you with a [url=http://cpcheat.org/club-penguin-money-maker/]Club Penguin Money Maker[/url] that permits you to gain a lot of coins in Club Penguin.
[url=http://cpcheat.org/]Club Penguin Cheats[/url] also provides you with [url=http://cpcheat.org/club-penguin-trackers/]Club Penguin Trackers[/url] such as a [url=http://cpcheat.org/club-penguin-aunt-arctic-tracker/]Club Penguin Aunt Arctic Tracker[/url], a [url=http://cpcheat.org/club-penguin-cadence-tracker/]Club Penguin Cadence Tracker[/url], a [url=http://cpcheat.org/club-penguin-gary-tracker/]Club Penguin Gary Tracker[/url], a [url=http://cpcheat.org/club-penguin-band-tracker/]Club Penguin Band Tracker[/url], a [url=http://cpcheat.org/club-penguin-rockhopper-tracker/]Club Penguin Rockhopper Tracker[/url], and a [url=http://cpcheat.org/club-penguin-sensei-tracker/]Club Penguin Sensei Tracker[/url].
Finally,[url=http://cpcheat.org/]Club Penguin Cheats[/url] gives you [url=http://cpcheat.org/club-penguin-bots/]Club Penguin Bots[/url] and [url=http://cpcheat.org/]Club Penguin Mission Cheats[/url] and [url=http://cpcheat.org/]Club Penguin Coin Cheats[/url]
Wanna Get HIGH? Running out of Supply? Then Check Out My Shit!
>>>>> http://bestlegalhighsdrugs.info <<<<
If you have questions, you can email my boy at online.mentor [at] gmail.com
[size=1] IGNORE THIS----------------------------
kratom extract how to physical map of the united states [url=http://bestlegalhighsdrugs.info] legal highs online [/url] anti meth commercial kratom salvia [url=http://buybudshoplegalherbs.info] legal herbs[/url] sallvia idvinorum lipstick ingredients [url=HTTP://BUYINGMARIJUANASALE.INFO] Purchase Cannabis Sativa [/url] buof alvariius Black Magic Herbal Solid Concentrate [url=HTTP://BUYLEGALBUDSCOMREVIEWS.INFO] legal buds [/url] hashish bbufo alvairus [url=HTTP://CANNABISHIGH-PILLSHIGH.INFO] Cannabis High[/url] ananita musscaria coxaine [url=HTTP://HOWTOBUYWEED-BUYINGWEED.INFO] how to bargain marihuana[/url] byfo alcarius Salvia Divinorum A Illegal [url=http://legalbud.drugreviews.info] legal bud [/url]
Plants With Psychedelic Properties plus size scrubs [url=http://legalweed.lamodalatina.com] legalweeds [/url] ecstaay ppills Salvia Shop [url=http://buysalvia.lamodalatina.com] get salvia plant[/url] meth lab cleanup cstasy piills
Consequences Of Shrooms impatiens hawkeri [url=http://legalweed.lamodalatina.com] legal weed [/url] Meth Withdrawal sslvia divinorjm [url=http://buysalviacheap.com] order salvia plants[/url] legla nuds Crack Cocaine
[url=http://guaranteedheightincrease.info/]height increase[/url] - http://guaranteedheightincrease.info/
height increase - http://guaranteedheightincrease.info
[url=http://provenpenisenlargement.info/]proven penis growth[/url] - http://provenpenisenlargement.info/
proven penis enhancement - http://provenpenisenlargement.info/
[url=http://provenskincareadvice.info/]skin care techniques[/url] - http://provenskincareadvice.info/
skin care techniques - http://provenskincareadvice.info/
[url=http://getrichgambling.info/]get rich gambling[/url] - http://getrichgambling.info/
get money gambling - http://getrichgambling.info/
[url=http://herpesoutbreak-gentalwarts.info/]herpes outbreak[/url] - http://herpesoutbreak-gentalwarts.info/
herpes outbreaks - http://herpesoutbreak-gentalwarts.info/
[url=http://STOP-PREMATURE-EJACULATION-SOLUTIONS.INFO]cure premature ejaculation[/url] - http://STOP-PREMATURE-EJACULATION-SOLUTIONS.INFO
stop premature ejaculation - http://STOP-PREMATURE-EJACULATION-SOLUTIONS.INFO
[url=http://3GMOBILEPHONESFORSALE.INFO]3g mobile cell phone for sale[/url] - http://3GMOBILEPHONESFORSALE.INFO
used mobile phone on sale - http://3GMOBILEPHONESFORSALE.INFO
[url=http://internationaloddities.reviewsdiscountsonline.com] internationaloddities scams[/url]
international oddities scams
[url=http://drobuds.reviewsdiscountsonline.com]reviews of dro buds [/url]
review of dro bud
[url=http://bestacnetreatmentreviews.info] acne treatment reviews[/url] http://bestacnetreatmentreviews.info
acne treatment review http://bestacnetreatmentreviews.info
[url=HTTP://LEARN-HYPNOSIS-ONLINE.INFO]learn hypnotism online[/url]
learn hypnotism online
New here,
I'm here online for the kids of Haiti.
I'm doing my part for a non-profit group that is devoted to giving time to
building oppurtunities for the kids in haiti. If anybody wants to donate then this is the place:
[url=http://universallearningcentre.org]Donate to Haiti[/url] or Help Haiti
They give children in Haiti a positive outlook through education.
Please check them out, they're a real cause.
Anything would be appreciated
quite interesting article. I would love to follow you on twitter.
[url=http://www.adidasforum.com/adidas-retro-kicks-come-with-a-retro-game/]Adidas Forum[/url]
Now here's a shoe-in for the list of the year's best gaming-related clothing : Adidas has brought back its ZX 5 hundred running shoe, and, since it originally hails from the '80s, the gaming inspired design and coloring is an easy choice ... Right? The kicks may not be the coolest part of the deal, either ; they come packed with a combination bracelet/USB flashdrive containing ZX Runner, a software game based on ... The shoe itself.
GameCulture writes that the game stars a personality named'DJ Zed' who, according to Adidas, has five mins to'run, moon-walk, climb walls, avoid some dodgy-looking thugs, collect power-ups, and pull off loony rooftop-to-rooftop stunts' to get on-stage before his set starts. It appears to be fittingly retro -- see for yourself in the video we've included after the breakdance.
More info
Adidas Forum
Hello, as you may already found I'm fresh here.
I will be happy to receive some assistance at the beginning.
Thanks in advance and good luck! :)
I am able to make link exchange with HIGH pr pages on related keywords like [url=http://www.usainstantpayday.com]bad credit loans[/url] and other financial keywords.
My web page is www.usainstantpayday.com
If your page is important contact me.
please only good pages, wih PR>2 and related to financial keywords
Thanks
Briettecrutty
Post a Comment