First of all, we must know what amvo.exe is, what the symptoms are when we have amvo.exe on our PC, and how to remove it manually without using any software. OK, here we go!
What is Amvo.exe?
Amvo.exe is a Trojan/Backdoor.
Symptoms
Folder Options is not working - you cannot enable Folder Options or show the hidden files on your computer.
Hidden file problem
All drives always open in a new window
A memory reference error occurs (Low Disk Space)
This is the solution for removing amvo.exe and fixing the Folder Options problem. Just follow these steps:
1. Uncheck amvo.exe in msconfig >> Startup (type msconfig in Run and click on the Startup tab), then restart your system.
2. Go to Folder Options, enable showing all hidden files, and remove the following files if they exist in these exact locations:
c:\autorun.inf
c:\u.bat
c:\amvo.exe
c:\awda2.exe
c:\d.com
c:\mvo.dll
c:\amvo1.dll
c:\windows\system32\amvo.exe
c:\windows\system32\awda2.exe
c:\windows\system32\d.com
c:\windows\system32\mvo.dll
c:\windows\system32\amvo1.dll
c:\windows\system32\u.bat
Lastly, go to Run and type cmd, then type regedit. Press Ctrl + F to find the amvo.exe entries and delete them. After that, reboot your PC. OK, that's it. Guys, please leave your comments if your PC is working now after using this procedure. Thank you.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
amva = <System>\amvo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32
Creates value
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32
(Default) = <Windows>\HELP\F3C74E3FA248.dll
ThreadingModel = Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}
(Default) = SSUUDL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{1DBD6574-D6D0-4782-94C3-69619E719765} = ""
Startup locations
HKCU refers to HKEY_CURRENT_USER
HKLM refers to HKEY_LOCAL_MACHINE
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
(In right-pane, Value named "Run" & "Load")
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
You will also see the path of amvo.exe (where it is located on your machine) when you find its entries by searching the registry.
Once you know its path, go to that path using Explorer and delete the file. If you cannot see the file at the specified path, it means its attributes are set to System or Read Only; in that case, go to the command prompt and type this command:
C:\>attrib -a -s -h amvo.exe
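The registry search described above can be done over saved `reg query` output instead of by hand in regedit. The following is an added example, not part of the original write-up: it flags values in the startup locations that reference the file names listed earlier, or that register the CLSID shown under ShellExecuteHooks. The sample output, the ctfmon.exe entry and the second CLSID are constructed for illustration.

```python
import re

# File names the page lists for removal, plus the CLSID it shows under ShellExecuteHooks.
INDICATOR_FILES = {"amvo.exe", "awda2.exe", "d.com", "mvo.dll", "amvo1.dll", "u.bat"}
HOOK_CLSID = "{1DBD6574-D6D0-4782-94C3-69619E719765}"

# A value line in `reg query` output: 4-space indent, then name, type and data
# separated by runs of 4 spaces (the data part may be empty).
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Yield (key, value_name, data) for every value in `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data").strip()


def find_suspicious(text):
    """Return values whose data names an indicator file, or whose name is the hook CLSID."""
    hits = []
    for key, name, data in parse_reg_query(text):
        # Split on path separators, spaces, commas and quotes so multi-program data is covered.
        tokens = {t.lower() for t in re.split(r'[\\/\s,"]+', data) if t}
        if tokens & INDICATOR_FILES or name.upper() == HOOK_CLSID:
            hits.append((key, name, data))
    return hits


# Constructed sample in the layout `reg query <key>` prints; not taken from a real machine.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    amva    REG_SZ    C:\WINDOWS\system32\amvo.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    {1DBD6574-D6D0-4782-94C3-69619E719765}    REG_SZ
    {00000000-0000-0000-0000-000000000001}    REG_SZ
"""

if __name__ == "__main__":
    for key, name, data in find_suspicious(SAMPLE):
        print(f"{key}\n    {name} = {data!r}")
```

To use it on a real system, save the output of `reg query` for each startup location listed above to a text file and pass the file's contents to find_suspicious.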
The computer virus/worm hides itself using the name SCVHOST.EXE or SCVHOSTS.EXE (don't mistake it for SVCHOST.EXE, which is one of the vital programs of Windows; look closely at the spelling). One of my friends emailed me that this virus first spread through Yahoo Messenger. So if you happen to get invites from unknown friends, please ignore them.
Furthermore, it copies itself to all the shared folders on your computers throughout the network and installs itself in the registry entries remotely using a GUEST account (through System:Remote).
This virus/worm blocks the Task Manager when you press Ctrl+Alt+Del to launch it.
It blocks the registry (the worm changes the registry to prevent running Task Manager and the Registry Editor, making detection harder). The error says "Registry Editing has been blocked by an administrator".
It also restarts the computer when you try to go to the command prompt. (This happened while I was disinfecting my PC manually. See related article How to get rid of autorun.inf)
It duplicates itself to different locations in the shared folders. The duplicated virus/worm uses a FOLDER icon with an .exe file extension. WARNING! DO NOT double-click these folders.
McAfee alleged that it changes the configuration of your Yahoo Messenger (see McAfee info)
It autostarts via the registry keys Windows->Run and adds itself to WinNT->WinLogon->Explorer.exe
How to remove the virus manually? (Try this; it works with my PC and other systems I have dealt with. But if you can't, try using an ANTI-VIRUS like McAfee or NOD32):
1. Boot your system in Safe Mode Command Prompt Only (Press F8 when your
computer restarts, a menu will be shown and select the option)
2. After you log-in the command prompt will be opened (LOG-IN AS
ADMINISTRATOR).
3. Type CD C:\WINDOWS\SYSTEM32 (I assume that your Windows System
files are located at Drive C)
4. Type DIR /ah; this will display all hidden files in this directory. You will see the following files, which are used by the virus to spread itself:
AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
5. Type ATTRIB -H -R -S SCVHOST.EXE
6. Type ATTRIB -H -R -S BLASTCLNNN.EXE
7. Type ATTRIB -H -R -S AUTORUN.INI
8. Type DEL SCVHOST.EXE
9. Type DEL BLASTCLNNN.EXE
10. Type DEL AUTORUN.INI
11. Type CD\
12. Type ATTRIB -H -R -S AUTORUN.INF
13. Type DEL AUTORUN.INF
After removing the virus/worm files, it MUST be removed from the registry of your system.
1. In the command prompt, type REGEDIT and press the ENTER key. This will run the Registry Editor.
2. In the registry, look for the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. You will see an entry Yahoo! Messengger (it's spelled like this) with a value c:\windows\system32\scvhost.exe. Delete this entry.
3. Look again for the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. There's an entry named SHELL with a value = Explorer.exe SCVHOST.EXE. DON'T delete this entry!!! Just edit it and REMOVE SCVHOST.EXE so that Explorer.exe is the only value that remains in this registry entry.
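The spelling check (SCVHOST.EXE versus SVCHOST.EXE) and the Winlogon Shell check in step 3 can both be automated. The following is an added example, not part of the original write-up: it lists every program in a Shell value other than Explorer.exe and reports which Windows program name, if any, it imitates. The KNOWN_GOOD list and the two-edit threshold are assumptions chosen for illustration.

```python
# Legitimate program names accepted as-is and used as comparison targets
# (a short illustrative list, not a complete inventory of Windows binaries).
KNOWN_GOOD = ("svchost.exe", "explorer.exe", "winlogon.exe", "iexplore.exe")


def osa_distance(a, b):
    """Edit distance where swapping two adjacent letters counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "cv" written for "vc".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def lookalike_of(name, max_edits=2):
    """Return the known-good name that `name` imitates, or None if exact or unrelated."""
    name = name.lower()
    if name in KNOWN_GOOD:
        return None
    dist, real = min((osa_distance(name, good), good) for good in KNOWN_GOOD)
    return real if dist <= max_edits else None


def audit_shell(value):
    """List programs in a Winlogon Shell value other than Explorer.exe.

    Each item is (program, imitated_name_or_None). Assumes bare file names
    separated by spaces or commas, as in the value shown in step 3.
    """
    parts = value.replace(",", " ").split()
    return [(p, lookalike_of(p)) for p in parts if p.lower() != "explorer.exe"]


if __name__ == "__main__":
    print(audit_shell("Explorer.exe SCVHOST.EXE"))
    print(lookalike_of("SCVHOSTS.EXE"))
```

An empty list from audit_shell means the Shell value contains only Explorer.exe, which is the state step 3 restores.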