VIRUS REMOVAL [Computer Troubleshooting... [amvo.exe amvo0.dll ampo.exe amvol.dll xfoolavp.com and autorun.inf] virus issues…]

January 3, 2008

By Utkarsh

Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on this topic.

[UPDATE] Download USB FIREWALL to protect your computer from this virus or remove it.

Recently I had a big time trouble with my computer as all the drives failed to open on double clicking and showed me a application selection window instead. After searching through the running processes and other settings I found that the show hidden files options in the folder options was also not working.

With the help of one of my friends [MOHIT] I fixed the issues.

The problem was due to amvo.exe amvo0.dll ampo.exe amvol.dll xfoolavp.com usdeiect.com and autorun.inf present in every drive’s root.

The fix works as follows…

open task manager (if ur task manager doesnt open and shows errors and warnings then use this tool ) and end task the above mentioned processes if u see them in the running process list from the processes pane. Then goto applications pane and click on new task and type in cmd or command. Once at the command prompt type in “cd\” without the quotes to goto the root of the current drive. Then type “del <name.extension> /f /a /s /q”

where <name.extension is the name> of the files above mentioned (this menthod can also be used to force delete any unwanted file ) use this method to delete all above mentioned from the root of every drive.

After this open registry editor by clicking on new task and typing in “regedit” without quotes. Then goto HKCU > software >microsoft >windows >current version > explorer > advanced > then look for the hidden key in the right pane and change the value to 1 from 2.

And to fix the issues with drives not opening or search opening up on double click download this .reg (right click and save target as) file and double click it and add to your registry.

or do this…

copy every under this line paste in notepad save with .reg extension on ur desktop and double click it

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\shell]

@=”Open”

[HKEY_CLASSES_ROOT\Directory\shell\Explore]

[HKEY_CLASSES_ROOT\Directory\shell\Explore\command]

@=”%SystemRoot%\\Explorer.exe /e,/root,\”%1″

[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec]

@=”[ExploreFolder(\"%l\", %I, %S)]”

“NoActivateHandler”=”"

[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec\application]

@=”Folders”

[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec\topic]

@=”AppProperties”

[HKEY_CLASSES_ROOT\Directory\shell\find]

“SuppressionPolicy”=dword:00000080

[HKEY_CLASSES_ROOT\Directory\shell\find\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\

65,00,00,00

[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec]

@=”[FindFolder(\"%l\", %I)]”

“NoActivateHandler”=”"

[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec\application]

@=”Folders”

[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec\topic]

@=”AppProperties”

[HKEY_CLASSES_ROOT\Directory\shell\Open]

“BrowserFlags”=dword:00000010

“ExplorerFlags”=dword:00000012

[HKEY_CLASSES_ROOT\Directory\shell\Open\command]

@=”%SystemRoot%\\Explorer.exe /idlist”

[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec]

@=”[ViewFolder(\"%l\", %I, %S)]”

“NoActivateHandler”=”"

[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec\application]

@=”Folders”

[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec\topic]

@=”AppProperties”

[HKEY_CLASSES_ROOT\Directory\shell\Openddeexec]

[HKEY_CLASSES_ROOT\Directory\shell\Openddeexec\ifexec]

@=”[]”

[HKEY_CLASSES_ROOT\Folder\shell]

@=”open”

[HKEY_CLASSES_ROOT\Folder\shell\explore]

“BrowserFlags”=dword:00000022

“ExplorerFlags”=dword:00000021

[HKEY_CLASSES_ROOT\Folder\shell\explore\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\

65,00,20,00,2f,00,65,00,2c,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,\

00,25,00,49,00,2c,00,25,00,4c,00,00,00

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec]

@=”[ExploreFolder(\"%l\", %I, %S)]”

“NoActivateHandler”=”"

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\application]

@=”Folders”

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\ifexec]

@=”[]”

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\topic]

@=”AppProperties”

[HKEY_CLASSES_ROOT\Folder\shell\open]

“BrowserFlags”=dword:00000010

“ExplorerFlags”=dword:00000012

[HKEY_CLASSES_ROOT\Folder\shell\open\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\

65,00,20,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,00,25,00,49,00,2c,\

00,25,00,4c,00,00,00

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec]

@=”[ViewFolder(\"%l\", %I, %S)]”

“NoActivateHandler”=”"

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\application]

@=”Folders”

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\ifexec]

@=”[]”

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\topic]

@=”AppProperties”

[HKEY_CLASSES_ROOT\Drive\shell]

@=”open_[1]”

[HKEY_CLASSES_ROOT\Drive\shell\find]

“SuppressionPolicy”=dword:00000080

[HKEY_CLASSES_ROOT\Drive\shell\find\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\

65,00,00,00

[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec]

@=”[FindFolder(\"%l\", %I)]”

“NoActivateHandler”=”"

[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec\application]

@=”Folders”

[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec\topic]

@=”AppProperties”

[HKEY_CLASSES_ROOT\Drive\shell\open]

[HKEY_CLASSES_ROOT\Drive\shell\open\command]

@=”%SystemRoot%\\Explorer.exe /idlist,%I,%L”

[HKEY_CLASSES_ROOT\Drive\shell\open\ddeexec]

[HKEY_CLASSES_ROOT\Drive\shell\open\ddeexec\topic]

@=”AppProperties”

_______________________________________ dont copy this line only till the above line.

These methods fixed all my issues without reinstalling windows which no i don’t like a all. I am thankful to Google and MOHIT.

find some more about this issue

This is the best explanation and solution

Popularity: 2% [?]

MtaraM Recommends

Remove the newest variant of Yahoo Messenger virus (LiveDeviL)
Cincinnati Area Wineries (My Wine Education)
Has KBR Changed It’s “Electrician” Hiring Policy For Iraq and Afghanistan? (Ms Sparky)

Tags: amvo.exe amvo0.dll ampo.exe xfoolavp.com autorun.inf mt

‹‹‹ Previous Post: HAPPY NEW YEAR Next Post: Five Lil’ Mice ›››

sreejith on January 16, 2008 at 5:36 am

for me the file name was amvo1.dll

Ramana on January 26, 2008 at 5:43 pm

Visit this site….to remove amvo virus…
http://www.en.mygeekside.com/?p=18#comment-193

Bhupendra on February 4, 2008 at 5:36 am

Plese send me above tool

mtaram on February 4, 2008 at 8:23 pm

Download by clicking the link above….

murali on February 7, 2008 at 3:05 am

Plese send me Download antivirus files

murali on February 7, 2008 at 3:06 am

Download antivirus files

anil on February 9, 2008 at 11:11 am

Thanks Ramana
Your VB programme is very good i get rid off by it for the virus of amvo.exe
thanks

Apocalypse on February 9, 2008 at 3:47 pm

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer’s registry.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
amva = “%System%\amvo.exe”
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Restoring Modified Registry Entries

1. Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows> CurrentVersion>Explorer>Advanced
2. In the right panel, locate the entry:
Hidden = “1″
3. Right-click on the value name and choose Modify. Change the value data of this entry to:
2
4. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows> CurrentVersion>Explorer>Advanced
5. In the right panel, locate the entry:
ShowSuperHidden = “0″
6. Right-click on the value name and choose Modify. Change the value data of this entry to:
1
7. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows> CurrentVersion>Explorer>Advanced>Folder>Hidden>SHOWALL
8. In the right panel, locate the entry:
CheckedValue = “0″
9. Right-click on the value name and choose Modify. Change the value data of this entry to:
1

Removing Other Malware Key from the Registry

1. Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>CLSID
2. In the left panel, locate and delete the key:
MADOWN
3. Close Registry Editor.

Deleting Malware-created AUTORUN.INF/s

1. Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
2. In the Named input box, type:
AUTORUN.INF
3. In the Look In drop-down list, select a drive, then press Enter.
4. Select the file, then open using Notepad.
5. Check if the following lines are present in the file:
[AutoRun]
;{Garbage}
open=xn1i9x.com
;{Garbage}
shell\open\Command=xn1i9x.com
;{Garbage}
shell\open\Default=1
;{Garbage}
shell\explore\Command=xn1i9x.com
;{Garbage}
6. If the lines are present, delete the file.
7. Repeat steps 3 to 6 for AUTORUN.INF files in the remaining removable drives.
8. Close Search Results.

Deleting the Malware File(s)

1. Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
2. In the Named input box, type:
%System%\amvo.exe
3. In the Look In drop-down list, select My Computer, then press Enter.
4. Once located, select the file then press SHIFT+DELETE.
5. Repeat steps 2 to 4 to delete the following file:
%System%\amvo0.dll
%Temp%\zhklagpv.dll
(Note: %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp or C:\WINNT\Temp.)

Arun Pradeep. K on February 15, 2008 at 6:53 pm

Thanks for the AMVO virus removal, can any one help me to solve a problem, the problem is, whenever i boot the system disk checking is running even if i shut down the system corrrectly, please help

Prashant on February 21, 2008 at 2:06 am

Thanks mtaram. Your solution worked!!

Tunde on March 4, 2008 at 9:57 am

Thanks for the info on the removal of amvo (and it’s friends)!

God bless you big time!!!

arun on March 4, 2008 at 11:53 am

plz send this virus remove software site link

andback on March 20, 2008 at 8:48 pm

Ive written a detailed blog about removing the autorun.inf virus and other issues at http://andback.wordpress.com

also talks about removing those viruses which even the antivirus cant remove and to revert back to settings prior to infection.

Hope this helps too.

chirs on March 26, 2008 at 11:24 pm

The best way to delete autorun.inf and its files associated is to use USB FireWall in this link
http://www.net-studio.org/application/usb_firewall.php

It stops too the spreading of virus from USB key or external drive.

Faroque on April 7, 2008 at 5:39 am

Thanks a lot……..

mtaram on April 7, 2008 at 10:55 am

you are welcome I am glad this has helped so many ppl…

Siliwangi on April 11, 2008 at 8:31 am

thank`s guys…:D

cmcminh on April 28, 2008 at 11:39 am

thanks

dileep on May 2, 2008 at 7:00 am

recently attacked with emv.exe. Its coming in the opening window with some error message. Also yahhomessanger after sign in automatically diconects. how to get rid of this?

andreas04: close to attraction on May 18, 2008 at 12:51 am

[...] линк 1 , линк 2 , линк 3 [...]

thompson on June 23, 2008 at 11:01 am

please tell me some proper way to combat against the malicious files that keep retrieving on my desktop even after being removed for quite some time !

solano on June 26, 2008 at 11:24 am

either use xoftspy.exe or if you don’t have crucial data on your pc just reinstall windows dude !

mtaram on June 27, 2008 at 6:40 am

ya u can do it but once u reinstall windows and double click on any of the infected drives u are a gonner…..
I tried it several times. Your Idea is good….
Thank you

solano on June 27, 2008 at 11:40 am

glad to help you friend……hope that was helpful

Vijay on June 29, 2008 at 11:23 am

Thanks a lot for the instructions. I think i removed the amvo malware but I am facing a problem with hidden files. The radio for the show hidden files in the view tab of Folder options in explorer was unchecked for both options (show/hide). I set to Show hidden files but once i click on Apply, it hides all the hiddent files.
I have to repeat steps from Apocalypse to show the files again! Any idea why this could be happening?
TIA

Vijay on June 29, 2008 at 11:29 am

never mind I skipped a step. Got it. Thanks again!

mtaram on June 30, 2008 at 2:10 pm

Glad to know that it helped you…. I am doing my MBA right now it started in june so i dont get time to check comments often.
Thank u.

james on July 2, 2008 at 10:39 am

Please send amvo virus removal software

amit on August 6, 2008 at 3:09 pm

Sir my hidden files are showing but i cannot open my drives after running the registry file. Please help me to open my drives.

amvo.exe virus removal « Cracksandhacks’s Weblog on September 7, 2008 at 8:53 am

[...] http://mtaram.wordpress.com/2008/01/03/computer-troubleshooting-virus-issues/ [...]

Deniz on October 1, 2008 at 11:34 pm

Hi.
That is a certain solution.
http://www.msproficient.com/2008/about-amvoexe-virus-how-to-clean-amvoexe/

sincerely

Deniz on October 28, 2008 at 11:39 pm

That is a response. You dowload and run this program(ComboFix).

http://www.msproficient.com/2008/about-amvoexe-virus-how-to-clean-amvoexe/

Jaklin on December 22, 2008 at 5:11 pm

Hi.. this solved my problem related to hidden files. But I cannot open my drives after running reg file. help pls ;(

mtaram on December 23, 2008 at 5:53 am

please follow the post that is regarding the autrun.inf virus and follow the steps and see if it resolves ur issue.

Jaklin on December 26, 2008 at 6:34 pm

Hi. 10x for your replay… but it didn’t solve my problem I uninstalled the old version of MS office and want to reinstall , but during the installation I’m getting alert about error and the installation interrupts..