Problem:
1) Whenever I try to open any drive it waits for a while and then opens in a new window. I checked with the Task Manager during the delay and found that a process named "u.bat" is created as soon as I click any drive and then ends quickly.
2) I cannot see my hidden files.
I have not faced any more problems, so I don't know.
Files found:
autorun.inf
u.bat
d.com
These three files are found in the root of every drive and are super hidden (hidden + system attributes set), so they cannot be deleted normally.
amvo.exe
amvo(n).dll -- where n varies from 0 to .....
These two files are found in %windir%\system32 (c:\windows\system32); again, these are super hidden.
Solution:
First of all, exit all programs, then open Task Manager using Ctrl+Alt+Del, go to Processes and end the process named 'explorer.exe'. (Before this, disable System Restore, otherwise the files can come back from a restore point.)
Now, using Task Manager, open New Task (Run) and type 'cmd'.
In the command prompt type:
cd c:\windows\system32
attrib -h -s -r -a amvo.exe
del amvo.exe
attrib -h -s -r -a amvo0.dll
del amvo0.dll
(repeat the attrib/del pair for every amvo(n).dll that is present, since n varies)
Now the files in the system32 folder are deleted.
Now type 'cd\' in the command prompt to go to the root directory.
Type:
attrib -h -s -r -a autorun.inf
attrib -h -s -r -a u.bat
attrib -h -s -r -a d.com
del autorun.inf
del u.bat
del d.com
This only cleans the files from c:; to remove them from all the drives, repeat the same commands for every drive (including the pen drive) [d:, e:, f:, g:, ......]. A drive that still carries autorun.inf will reinfect the PC the next time it is opened.
Now the files are removed from your PC, but the registry entries that start them must also be deleted. So you may now close the command prompt and open the Registry Editor by going to New Task (Run) and typing regedit.
In the Registry Editor go to Find, search for 'amvo' and delete all the entries related to it.
Again search for 'u.bat' and delete all the entries related to it.
Now your PC is free from the Trojan. Restart your PC and check; if the problem persists, repeat the above steps.
Note: Your PC is now free from the virus, but the changes it made to the registry will not revert by themselves; you will have to undo them manually. If you have a backup copy of your registry, restore it. Otherwise the manual process is given below.
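The same cleanup as a batch file, so the attrib/del steps do not have to be retyped for every drive and every amvo(n).dll. This is an added example, not part of the original post: it assumes an administrator cmd.exe on Windows XP or later, that explorer.exe has already been ended and System Restore disabled as described above, and that the drive letters to clean are passed on the command line (e.g. clean.bat C: D: E: F:). The final registry search assumes a reg.exe that supports /f (Vista and later); on XP use regedit's Find as the post describes.

```batch
@echo off
rem Added example (not from the original post): the removal steps above as one script.
rem Assumes: administrator cmd.exe, explorer.exe already ended, System Restore disabled,
rem drive letters given as arguments:  clean.bat C: D: E: F:
setlocal enabledelayedexpansion

if "%~1"=="" (
    echo usage: %~nx0 C: D: E: ...
    exit /b 1
)

rem --- 1. the dropper files in %windir%\system32: amvo.exe and every amvo(n).dll ---
pushd "%windir%\system32"
for %%F in (amvo*.exe amvo*.dll) do (
    echo found %%F -- clearing attributes and deleting
    attrib -h -s -r -a "%%F"
    del /f "%%F"
)
popd

rem --- 2. the autorun trio in the root of every drive named on the command line ---
:nextdrive
if "%~1"=="" goto done
set "drive=%~1"
for %%F in (autorun.inf u.bat d.com) do (
    if exist "!drive!\%%F" (
        echo found !drive!\%%F -- clearing attributes and deleting
        attrib -h -s -r -a "!drive!\%%F"
        del /f "!drive!\%%F"
    ) else (
        echo !drive!\%%F not present
    )
)
shift
goto nextdrive

:done
rem --- 3. verify: anything listed here survived and needs a second look ---
echo === remaining amvo files in system32 (should print nothing) ===
dir /a /b "%windir%\system32\amvo*" 2>nul

rem --- 4. what regedit's Find would show (assumes reg.exe with /f, i.e. Vista or later) ---
echo === registry entries still mentioning amvo or u.bat (should print nothing) ===
reg query HKLM /s /f amvo  2>nul
reg query HKLM /s /f u.bat 2>nul
reg query HKCU /s /f amvo  2>nul
reg query HKCU /s /f u.bat 2>nul
endlocal
```

Run it once per session with every drive letter, pen drives included, and only proceed to the registry step when both verification lists come back empty.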
Go to Run and type 'regedit' (without quotes).
Now navigate to
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
In the right-hand pane look for the DWORD 'CheckedValue' and set its value to 2; look for another DWORD 'DefaultValue' and set its value to 2.
Again navigate to
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
In the right-hand pane look for the DWORD 'CheckedValue' and set its value to 1; look for another DWORD 'DefaultValue' and set its value to 2.
Restart your PC and you should now be able to see the hidden files.
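The two registry edits above done with reg.exe instead of clicking through regedit, showing the current values first so the change can be checked. This is an added example, not part of the original post; it assumes an administrator command prompt and writes exactly the four values the post gives, which are the Windows defaults for the Folder Options "hidden files" radio buttons.

```batch
@echo off
rem Added example (not from the original post): restore the Folder Options registry
rem values the Trojan changed, using reg.exe. Assumes an administrator cmd.exe.
rem Values written (the defaults quoted in the post):
rem   NOHIDDEN  CheckedValue=2  DefaultValue=2
rem   SHOWALL   CheckedValue=1  DefaultValue=2
set "BASE=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden"

echo === values before the fix ===
reg query "%BASE%\NOHIDDEN" /v CheckedValue
reg query "%BASE%\NOHIDDEN" /v DefaultValue
reg query "%BASE%\SHOWALL"  /v CheckedValue
reg query "%BASE%\SHOWALL"  /v DefaultValue

echo === restoring the defaults ===
reg add "%BASE%\NOHIDDEN" /v CheckedValue /t REG_DWORD /d 2 /f
reg add "%BASE%\NOHIDDEN" /v DefaultValue /t REG_DWORD /d 2 /f
reg add "%BASE%\SHOWALL"  /v CheckedValue /t REG_DWORD /d 1 /f
reg add "%BASE%\SHOWALL"  /v DefaultValue /t REG_DWORD /d 2 /f

echo === values after the fix ===
reg query "%BASE%" /s

echo Restart the PC so Explorer and the Folder Options dialog pick the values up.
```

If the "before" output already shows these values, the hidden-files problem is coming from somewhere else and this step will not fix it.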
Regards
Ayush