Tuesday, January 15, 2008

How to remove 'amvo.exe' Trojan horse?

I don't know the official name of the Trojan, but it comes in the form of an executable file 'amvo.exe' and a process 'u.bat'.

Problem:

1) Whenever I try to open any drive it waits for a while and then opens in a new window. I checked Task Manager during the delay and found that a process named "u.bat" is created as soon as I click any drive, and it ends quickly.
2) I cannot see my hidden files.

I have not faced any other problems, so I don't know of more.

Files found:

autorun.inf
u.bat
d.com

These three files are found on every drive and are super hidden (hidden + system attributes), so they cannot be deleted until those attributes are cleared.

amvo.exe
amvo(n).dll
-- where n varies from 0 to .....

These two files are found in %windir%\system32 (i.e. c:\windows\system32); again, these are super hidden.


Solution:

First of all, exit all programs, then open Task Manager using Ctrl+Alt+Del, go to Processes and end the process named 'explorer.exe'. (Before this, disable System Restore, otherwise the deleted files may be restored from a restore point.)

Now, from Task Manager open New Task (Run) and type 'cmd'.
In the command prompt type:

cd c:\windows\system32
attrib -h -s -r -a amvo.exe
del amvo.exe
attrib -h -s -r -a amvo0.dll
del amvo0.dll


Now the files in the system32 folder are deleted.

Next type 'cd\' in the command prompt to go to the root directory.

Type:
attrib -h -s -r -a autorun.inf
attrib -h -s -r -a u.bat
attrib -h -s -r -a d.com
del autorun.inf
del u.bat
del d.com

This only cleans the files from C:. To remove them from all drives, repeat all of the above commands for each drive (including the pen drive): D:, E:, F:, G:, ...

Now the files are removed from your PC, but the registry entries must also be deleted. So you may now close the command prompt and open Registry Editor by going to New Task (Run) and typing: regedit

In Registry Editor go to Find, search for 'amvo' and delete all the entries related to it.
Then search for 'u.bat' and delete all the entries related to it.

Now your PC is free from the Trojan. Restart your PC and check; if the problem persists, repeat the above steps.
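The steps above are typed one drive at a time. The batch script below is an added example, not part of the original post: it does the same sweep over every drive letter in one go, clears the hidden/system/read-only attributes on the three dropper files and the two system32 files named in the post, prints the contents of each autorun.inf first so you can see which file it launches, and finishes by listing autostart registry entries that mention 'amvo' or 'u.bat' so you know what to delete in regedit. The file names and the system32 location come from the post; the choice of the Run and Winlogon keys for the final check is an assumption about where such an entry usually lives, not something the post states.

```batch
@echo off
REM Added example (not from the original post). Run from cmd.exe after ending
REM explorer.exe and disabling System Restore, as the post describes.
setlocal

REM Dropper files the post reports on the root of every drive.
set "DROPPERS=autorun.inf u.bat d.com"

echo === Sweeping drive roots for dropper files ===
REM Note: a card reader with no media may pop up a "no disk" dialog here.
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%D:\" (
        for %%F in (%DROPPERS%) do (
            if exist "%%D:\%%F" (
                echo [found] %%D:\%%F
                if /i "%%F"=="autorun.inf" (
                    echo --- contents of %%D:\autorun.inf ---
                    type "%%D:\autorun.inf"
                    echo ---------------------------------------
                )
                REM Clear hidden, system, read-only and archive bits, then delete.
                attrib -h -s -r -a "%%D:\%%F"
                del /f /q "%%D:\%%F"
                if exist "%%D:\%%F" (echo [FAILED] %%D:\%%F is still present) else (echo [deleted] %%D:\%%F)
            )
        )
    )
)

echo === Cleaning %windir%\system32 ===
set "SYS=%windir%\system32"
REM attrib accepts wildcards and works on hidden files, so clear the bits first;
REM a plain FOR over a wildcard would skip hidden/system files.
attrib -h -s -r -a "%SYS%\amvo.exe" >nul 2>&1
attrib -h -s -r -a "%SYS%\amvo*.dll" >nul 2>&1
for /f "delims=" %%F in ('dir /b /a "%SYS%\amvo.exe" "%SYS%\amvo*.dll" 2^>nul') do (
    echo [found] %SYS%\%%F
    del /f /q "%SYS%\%%F"
    if exist "%SYS%\%%F" (echo [FAILED] %SYS%\%%F is still present) else (echo [deleted] %SYS%\%%F)
)

echo === Autostart entries mentioning amvo or u.bat (review, then delete in regedit) ===
REM Assumption: these are the usual autostart locations; the post only says
REM to search the whole registry for 'amvo' and 'u.bat'.
for %%K in (
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
) do (
    echo --- %%~K ---
    reg query %%K 2>nul | findstr /i /c:"amvo" /c:"u.bat"
)

echo Done. Now open regedit, search for 'amvo' and 'u.bat', and remove the entries listed above.
endlocal
```

Save it as, say, clean-amvo.cmd and run it from the same command prompt the post opens through Task Manager. The script only reports registry hits rather than deleting them, so that you can confirm each value before removing it by hand exactly as the post instructs; if a file is reported as "still present" after deletion, the Trojan is most likely still running and explorer.exe or another process has to be ended first.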

Note: Your PC is now free from the virus, but the changes it made to the registry will not revert on their own; you will have to undo them manually. If you have a backup copy of your registry, restore it. Otherwise the manual process is given below.


Go to Run and type 'regedit' (without quotes).

Now navigate to

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN

In the right-hand pane look for the DWORD 'CheckedValue' and set its value to 2; then look for another DWORD, 'DefaultValue', and set its value to 2.

Again navigate to

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

In the right-hand pane look for the DWORD 'CheckedValue' and set its value to 1; then look for another DWORD, 'DefaultValue', and set its value to 2.

Restart your PC and you should now be able to see the hidden files.
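The four values above can also be restored from the command line with reg.exe instead of clicking through regedit. The script below is an added example, not from the original post: it first exports the Hidden key so the change can be undone, then writes exactly the values the post lists and prints them back for verification. The key paths and values are the post's own; the backup file name under %TEMP% is a choice made here.

```batch
@echo off
REM Added example (not from the original post): repair the Explorer
REM "Show hidden files" registry values the Trojan changed.
setlocal
set "BASE=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden"
set "BACKUP=%TEMP%\hidden-backup.reg"

REM Back up the whole Hidden key first. Undo later with: reg import "%TEMP%\hidden-backup.reg"
if exist "%BACKUP%" del "%BACKUP%"
reg export "%BASE%" "%BACKUP%"
if errorlevel 1 (
    echo Could not export %BASE% - are you running as an administrator?
    exit /b 1
)

REM NOHIDDEN: CheckedValue=2, DefaultValue=2 (values as given in the post).
REM /f overwrites the existing value, including one whose type was changed.
reg add "%BASE%\NOHIDDEN" /v CheckedValue /t REG_DWORD /d 2 /f
reg add "%BASE%\NOHIDDEN" /v DefaultValue /t REG_DWORD /d 2 /f

REM SHOWALL: CheckedValue=1, DefaultValue=2 (values as given in the post).
reg add "%BASE%\SHOWALL" /v CheckedValue /t REG_DWORD /d 1 /f
reg add "%BASE%\SHOWALL" /v DefaultValue /t REG_DWORD /d 2 /f

echo === Verify: expect CheckedValue 0x2 / DefaultValue 0x2 under NOHIDDEN ===
reg query "%BASE%\NOHIDDEN"
echo === Verify: expect CheckedValue 0x1 / DefaultValue 0x2 under SHOWALL ===
reg query "%BASE%\SHOWALL"

echo Backup of the original key saved to %BACKUP%
endlocal
```

Run it from an administrator command prompt; reg query prints DWORD data in hexadecimal, so 2 shows as 0x2. After it finishes, restart the PC as the post says, or at least restart explorer.exe, and the Folder Options "Show hidden files and folders" choice will take effect again.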



Regards

Ayush