How to Remove the Amvo.

exe Virus Manually

First of all you we must know what is the amvo.exe is? what the symptoms when we
have amvo.exe in our PC and how to remove it manually without using any software. Ok
here we go!

What is Amvo.exe?
 Amvo.exe is Trojan/Backdoor

Symptoms
 Folder Option is not working - you cannot enable the Folder Option or show the
hidden files running into you computer.
 Hidden file problem
 Always open new windows in all drives
 Error occur of the memory reference (Low Disk Space)

How to solve this?

This is the solution on how to remove the amvo.exe and to fix the folder option problem.
Just follow this steps:
1. Uncheck amvo.exe from msconfig>> startup (type msconfig in run and click on
the startup tab) also and restart your system

1. Click Start > Run and type REGEDIT

2. Go to HKEY_CURRENT_USER > SOFTWARE > Microsoft > Windows >
CurrentVersion > Explorer > Advanced
3. On the right side, double click the hidden value and give it a value of 1.
4. Same for HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft >
Windows > CurrentVersion > Explorer > Advanced > Folder > Hidden >
SHOW ALL Change the value of Checked Value to 1.
5. Check if your Folder Option if its working now. If it works! OK you are now
ready to delete the Amvo.exe virus now.

Go to your Folder Option and enable the show all the hidden files and you remove the
following files if they are exist in the exact location or directory:

c:\autorun.inf
c:\u.bat
c:\amvo.exe
c:\awda2.exe
c:\d.com
c:\mvo.dll
c:\amvo1.dll
c:\windows\system32\ amvo.exe
c:\windows\system32\ awda2.exe
c:\windows\system32\ d.com
c:\windows\system32\ mvo.dll
c:\windows\system32\ amvo1.dll
c:\windows\system32\u.bat

Lastly go to Run and type cmd then type regedit, press Ctrl + F to find the files amvo.exe
and delete it. After that, reboot your PC. OK that's it. Guys please your comments if your
PC is working now for using this procedure.. Thank you..

The following Registry Keys were created:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
amva
<System>\amvo.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-
94C3-69619E719765}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-
94C3-69619E719765}\InProcServer32

Creates value
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-
94C3-69619E719765}\InProcServer32
(Defaul) = <Windows>\HELP\F3C74E3FA248.dll
ThreadingModel = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-
94C3-69619E719765}
(Default) = SSUUDL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore
r\ShellExecuteHooks
{1DBD6574-D6D0-4782-94C3-69619E719765} = ""

This is the list which contain startup entries

Startup locations
HKCU refers to HKEY_CURRENT_USER
HKLM refers to HKEY_LOCAL_MACHINE

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
(In right-pane, Value named "Run" & "Load")

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

C:\Documents and Settings\{Username}\Start Menu\Programs\Startup

you will also see the path of the amvo.exe (where it is lying in your machine) when you
find its entries in search of registry.
once you know the path of it then just go to that path using Explorer then delete it. If you
can not see this file on the specified path, it means this Attributes are assigned to System
Or Read Only, then just go to command prompt and type this command.

C:\>attrib -a -s -h amvo.exe

where command C:\ refers to the path of amvo.exe

Note: Please perform the procedures in Safe Mode.

How to Remove SCVHOST.exe or W32/YahLover.Worm.gen

February 12, 2008

The computer virus/worm that hides itself using the name SCVHOST.EXE or
SCVHOSTS.EXE, (don’t get mistaken for SVCHOST.EXE. It is one of the vital
programs of Windows,take a look in the spelling). One of my friends emailed me that this
virus first spread out through Yahoo Messenger. So if you happen to have some invites
from unknown friends please ignore.

The virus is detected as W32/YahLover.Worm.gen of McAfee Antivirus and as

Win32/Autorun.R.worm by NOD32. This virus/worm infects your computer in one of
these means.
  firstly it installs itself in autorun.inf in Open option of the AUTORUN. Once you
happen to double click it, this will run and start spreading itself unto your system.

 Furthermore, it copies itself through all the shared folders on your computers
throughout the network and installs itself in the registry entries remotely using a
GUEST account (through System:Remote).

Attributes of the Virus 

  This virus/worm blocks the task manager when ypressing Ctrl+Alt+Del to launch
the task manager
 It blocks the registry  (The worm changes the registry to prevent running task
manager and registry for harder detection). "Error says that Registry Editing has
been blocked by an administrator".
 It also restarts the computer when you try to go to the command prompt. (This
happens during my ways of disinfecting my PC Manually. See related article How
to get rid of autorun.inf)
 It duplicates itself to different locations of the shared folders. The duplicated
virus/worm uses a FOLDER icon with an .exe file extension. WARNING!
DONOT double click these folders.
 McAfeealleged that it changes the configuration of your Yahoo Messenger (see
McAfee info)
 It autostart via registry keys Windows->Run and add itself to WinNT-
>WinLogon->Explorer.exe

How to remove the virus manually? (Try this it works with my PC and other systems I
have deal with. But if you can’t, try using an ANTI-VIRUS like McAfee or NOD32):

1.  Boot your system in Safe Mode Command Prompt Only (Press F8 when your
computer restarts, a menu will be shown and select the option)
2.  After you log-in the command prompt will be opened (LOG-IN AS
ADMINISTRATOR).
3. Type CD C:\WINDOWS\SYSTEM32 (I assume that your Windows System
files are located at Drive C)
4. Type DIR /ah, this will display all hidden files on this directory folder. You will
see the following files which is used by the virus to spread itself:
AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
5. Type ATTRIB -H -R -S SCVHOST.EXE
6. Type ATTRIB -H -R -S BLASTCLNNN.EXE
7. Type ATTRIB -H -R -S AUTORUN.INI
8. Type DEL SCVHOST.EXE
9. Type DEL BLASTCLNNNN.EXE
10. Type DEL AUTORUN.INI
11. Type CD\
12. Type ATTRIB -H -R -S AUTORUN.INF
13. Type DEL AUTORUN.INF
After removing the virus/worm files, IT MUST be removed from the registry of your
system.

1. In the command prompt type REGEDIT and press ENTER key. This will run the
Registry Editor
2. From the registry, look for the keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run , you will
see an entry Yahoo! Messengger (it’s spelled like this) with a value
c:\windows\system32\scvhost.exe, Delete this entry.
3. Look again for the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon, there’s an entry named: SHELL, it has a value =
Explorer.exe SCVHOST.EXE , DON’T delete this entry!!! Just edit this entry and
REMOVE the SCVHOST.EXE so that Explorer.exe will be the only value that remains
from this registry entry.