Friday, May 30, 2008

Can't Set "Show Hidden Files" aka Removing AMVO.EXE

Beware when plugging your USB drives into another system.
You may pick up a nasty amvo.exe!

First I got a memory reference error as an alert.
I didn't mind it then; why bother with a silly alert?

After a few days I noticed problems like
  • Cannot set "Show hidden files and folders" inside Tools --> Folder Options --> View

  • Contaminating every USB drive plugged into it.
As most of us do, I googled it.
The pages I found asked me to check whether amvo.exe was the culprit.

To check that I ran msconfig. In the "Startup" tab I found amvo.exe.
Bingo! Got the virus/malware!

Now how to remove it?

Again I googled it. (What would life be without Google?) [:)]
I saw some options at the Digital me's blog.
Since they were based on manipulating the Windows Registry, I opted not to go for them.
I was totally at sea on what to do next.
Then I started reading the comments on the topic at the Digital me's blog.
I came across a splendid method by Olalekan.
Based on that, the following steps were formulated.

Log in to Windows as Administrator or with an account that has administrator privileges.

Run cmd (opens a command prompt window).
Now type C: to switch to the C: drive.
Type: taskkill /im explorer.exe /f (Ends the explorer.exe process. Important, since the virus spreads through Explorer and must not be running while you delete its files.)
Type: cd %systemroot%\system32 (Goes to System32)
Type: del amvo* /f /q /as (Deletes every file starting with amvo. /as matches only files carrying the System attribute, which the worm sets on its copies to hide them; /f forces deletion of read-only files; /q suppresses the confirmation prompt.)
Type: cd \ (Goes to the root directory)
Type: dir /ah (Lists hidden files)

The virus will show up as a short, random-looking "blahblah.com" sitting next to an autorun.inf. Confirm which file it is before deleting anything: the autorun.inf in the same root names it on its open= or shellexecute= line (type autorun.inf displays the file even though it is hidden). We should delete both.
Note: NTDETECT.COM is a legitimate Windows boot file, not the virus. Never delete it; Windows will not boot without it.
Now delete the virus using
del blahblah.com autorun.inf /f /q /as (My amvo used something like "iw1eg.com")

The virus is now gone from C:\.

Now it is the turn of the other drives.

Suppose you have C:\, D:\ and E:\ in your system. Repeat these steps for each drive.
i.e. inside cmd type: D:
Now we have reached the D: prompt; repeat the steps above (from cd \ onwards) for it too.
Do the same for E:\ and F:\ (if there is one), and for every USB drive you plugged into the machine since the infection, because each of them carries its own autorun.inf and .com copy.

After deleting from all these drives, restart Explorer by typing explorer.exe
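The manual steps above leave you guessing which hidden .com file is the worm. The autorun.inf the worm drops in each drive root names the file it launches, so the decision can be made from that file instead. The script below is an added example, not part of the original post and not a tool by the blog author or by Olalekan: it parses autorun.inf, builds the delete list for one drive root, refuses to touch Windows boot files such as NTDETECT.COM, and only then deletes. It assumes Python is installed on the machine (not a given on Windows XP in 2008), that the worm's autorun.inf uses the standard open, shellexecute and shell\...\command keys, and that Explorer has already been killed with taskkill as above. The autorun.inf contents and the "iw1eg.com" and "ntdetect.com" dummy files in demo() are constructed from the post's description so the script runs offline in a temporary folder on any OS.

```python
"""Added example: find what a USB worm's autorun.inf launches and clean the
drive root (assumes Explorer was already killed with taskkill, as in the post)."""
import re
import tempfile
from pathlib import Path

# Legitimate files that live in the root of a Windows system drive and must
# never be deleted, whatever autorun.inf says (the post warns about NTDETECT.COM).
PROTECTED = {"ntdetect.com", "ntldr", "boot.ini", "bootmgr", "io.sys", "msdos.sys",
             "pagefile.sys", "hiberfil.sys"}

# autorun.inf keys whose value is something Windows would execute.
EXEC_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.I)


def autorun_targets(text):
    """Return the relative paths launched by the [autorun] section, lower-cased,
    with forward slashes and a leading .\\ normalised away (worms vary these)."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key not in EXEC_KEYS and not SHELL_COMMAND.match(key):
            continue
        # first token is the program; anything after it (e.g. "/autorun") is an argument
        if value.startswith('"'):
            exe = value[1:].split('"', 1)[0]
        else:
            exe = value.split()[0] if value else ""
        exe = exe.replace("/", "\\").lower()
        while exe.startswith(".\\"):
            exe = exe[2:]
        exe = exe.lstrip("\\")
        if exe and exe not in targets:
            targets.append(exe)
    return targets


def plan_cleanup(root, autorun_text):
    """Files the post's procedure deletes from one drive root: the launched
    file(s) plus autorun.inf itself, skipping boot files and missing files."""
    root = Path(root)
    plan = []
    for rel in autorun_targets(autorun_text) + ["autorun.inf"]:
        path = root / rel
        if path.name.lower() in PROTECTED:
            print(f"refusing to delete boot file {path}")
            continue
        if path.is_file():
            plan.append(path)
    return plan


def remove_files(paths):
    """Delete each path after clearing read-only (Hidden/System attributes do
    not block deletion on Windows, read-only does); returns the names removed."""
    removed = []
    for path in paths:
        path.chmod(0o666)
        path.unlink()
        removed.append(path.name)
    return removed


# Constructed sample modelled on the post: the worm names its .com copy in
# every launch key so that double-click, right-click and AutoPlay all run it.
SAMPLE_AUTORUN = """; junk comment lines are common in worm-written autorun.inf
[AutoRun]
open=iw1eg.com
shell\\open\\Command=iw1eg.com
shell\\explore\\Command=iw1eg.com
shellexecute=iw1eg.com
"""


def demo():
    """Run the whole thing against a throwaway folder standing in for a drive root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
        (root / "iw1eg.com").write_bytes(b"MZ fake worm body")            # constructed
        (root / "ntdetect.com").write_bytes(b"MZ legitimate boot file")   # constructed
        removed = remove_files(plan_cleanup(root, SAMPLE_AUTORUN))
        left = sorted(p.name for p in root.iterdir())
        return sorted(removed), left


if __name__ == "__main__":
    print(demo())   # (['autorun.inf', 'iw1eg.com'], ['ntdetect.com'])
```

On a real machine you would call plan_cleanup(r"D:\", Path(r"D:\autorun.inf").read_text(errors="ignore")) for each drive letter, look at the returned list, and only then pass it to remove_files; the PROTECTED set is the script's equivalent of the NTDETECT.COM warning above, and the print in plan_cleanup tells you when it has skipped something.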

Now for preventing future attacks.

Disabling AutoPlay for all drives

Start > Run > gpedit.msc
Inside it go to Computer Configuration > Administrative Templates > System > Turn off Autoplay. Set it to Enabled and choose "All drives" in the drop-down below it.
gpedit.msc is not included in Windows XP Home Edition; there the equivalent is the registry value NoDriveTypeAutoRun (REG_DWORD, data 0xFF) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, which is what the policy writes. Microsoft later shipped an update (KB967715) because earlier XP builds did not honour this setting fully; without it, double-clicking the drive in My Computer can still launch the autorun.inf entry, so do not rely on this setting as your only protection.


Now, if you want to view hidden files again, a small change in the registry is required.

Start > Run > regedit

Inside it go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
and set CheckedValue to 1. It must be a REG_DWORD; the worm sets it to 0 or replaces it with a REG_SZ, in which case delete the value and recreate it as a DWORD with data 1. Close and reopen Folder Options and the "Show hidden files and folders" option will stick again.


That's all there is to it, guys! [:)]