Dismiss Notice
You are browsing this site as a guest. It takes 2 minutes to CREATE AN ACCOUNT and less than 1 minute to LOGIN

amvo Virus detailed removal instructions

Discussion in 'Tech, Gadgets & Science Forum' started by Invisible, Jun 21, 2008.

  1. Invisible

    Invisible Admin Staff Member

    #1
    Jun 21, 2008
    Joined: Feb 11, 2006
    Messages: 9,095
    Likes Received: 140
    Trophy Points: 160
    I previously wrote some details on JF which I later on discovered they couldn't work for some users. I now need to put it like this:-

    ABOUT THE VIRUS:

    It consists of 3 files,
    windows\system32\amvo.exe
    windows\system32\amvo1.dll
    windows\system32\amvo0.dll

    The 1st Drive ID will depend on whether you installed the OS on C or D or K etc... This means, if you installed your OS on C (drive C) then this will read as

    C:\windows\system32\amvo.exe
    C:\windows\system32\amvo1.dll
    C:\windows\system32\amvo0.dll

    WHAT TO DO:

    Just delete those 3 files and the virus is gone, and do not forget to remove the startup entry for amvo.exe, either from msconfig or regedit or any 3rd party tool.

    1. Open Task Manager
    2. End Task Explorer.exe
    3. Select Run from File Menu
    4. Type cmd (press enter)
    5. In Command Prompt Type: cd %windir%\system32
    6. Type: attrib -s -h -r amvo*.*
    7. Type del amvo*.*
    8. Remove startup entries and virus is gone :)

    The task Manager will come by pressing CTRL + ALT + DEL on your keyboard.

    When you try to open Windows Task Manger, the following error may appear: "Task Manager has been disabled by your administrator".

    CAUSE:

    There following

    1. You use account that was blocked via the "Local Group Policy" or "Domain Group Policy".

    2. Some registry settings block you from using "Task Manager".

    RESOLUTION

    1. Verity that the "Local Group Policy" or "Domain Group Policy" doesnÂ’t block you from using

    "Task Manager".

    1.1 "Local Group Policy"

    a. Go to "Start" -> "Run" -> Write "Gpedit.msc" and press on "Enter" button.

    b. Navigate to "User Configuration" -> "Administrative Templates" -> "System" -> "Ctrl+Alt+Del Options"

    c. In the right side of the screen verity that "Remove Task Manager" option set to "Disable" or "Not Configured".

    d. Close "Gpedit.msc" MMC.

    e. Go to "Start" -> "Run" -> Write "gpupdate /force" and press on "Enter" button.

    Note: If you are using Windows 2000, please follow KB q227302 instead stage "e".

    Using SECEDIT to Force a Group Policy Refresh Immediately
    http://support.microsoft.com/kb/q227302/


    1.2 "Domain Group Policy"

    a. Contact you local IT support team.


    2. Verity correct registry settings::

    a. Go to "Start" -> "Run" -> Write "regedit" and press on "Enter" button.


    Warning: Modifying your registry can cause serious problems that may require you to reinstall your operating system.

    Always backup your files before doing this registry hack.

    b. Navigate to the following registry keys and verity that following settings set to default:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
    "DisableTaskMgr"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "DisableCAD"=dword:00000000

    c. Reboot the computer.

    IF YOUR PC DOES NOT ALLOW MSCONFIG:

    You'll need to use AutoRuns for Windows.

    This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.
    Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.
    You'll probably be surprised at how many executables are launched automatically!
    Autoruns works on all versions of Windows including 64-bit versions.

    Screenshot:

    [​IMG]


    DOWNLOAD IT HERE


    Then use it to disable any amva or amvo underground running processes.

    Hope this works for you guys.

    I recommend Kaspersky Antivirus 2009 after you get rid of this virus!

    Stay safe & virus free.

    Invisible
     
Loading...