Monday, January 14, 2008

Cure d.com, amvo.exe, amvo0.dll Virus...

My drives are inundated with d.com and autorun.inf. Is this a virus? I don't know. I have tried Avast, McAfee and AVG, but none of them detect it as a virus. The main problem I see is that it puts d.com and autorun.inf in every drive. I tried Filemon to sort out who the writer is, and found that Explorer itself is the writer. So I guess it is a shell extension.

I opened a shell extension viewer and disabled all extensions, as I couldn't recognise which one is responsible for all this. Then I killed the explorer process with procmon and started Explorer again, so no shell extension is loaded this time. Now don't open your Explorer. Using another file browser that doesn't use the Explorer engine, I deleted all the d.com, autorun.inf, amvo.exe and amvo0.dll files. The last two will be found in the WIN_DIR/shell32 folder. Now my PC is clean. That fucking shit is no more active.

Now I am trying to sort out which shell extension is responsible for this. As soon as I sort this out, hopefully you will not need to disable all shell extensions. Until then you have to disable all of them. I will be grateful if anyone knows the shell extension name. I have uploaded downloadable versions of the programs I used.


16 comments:

  1. Thanks a lot!
    Seems that the only working thing in the Google SERP is your article.
    By the way - I was OUT OF RAGE when Symantec Antivirus Pro was unable to find and eliminate this sh*t.
    Thanks a lot!!!

    ReplyDelete
  2. Oh shit, I also had this virus. I'm from Singapore. I've used a virus scanner called Avira, and it successfully removed d.com and the autorun. However, I am still unable to view hidden files and folders. I am also not able to open the C:\ folder by double-clicking it from My Computer. Do you know what might be the problem?

    ReplyDelete
  3. Oooooooops! One more thing to do: run msconfig from your Run box. Uncheck amvo from your startup items, and delete that file from the specified location. Don't forget to enable trusted shell extensions, otherwise your Explorer may behave unexpectedly.

    ReplyDelete
  4. Steps to clear it:

    1. Kill explorer.exe.
    2. Don't run Explorer in between.
    3. Run cmd and use these commands to delete the following files from each drive:

    del /P /F /A:SH d.com
    del /P /F /A:SH autorun.inf

    From the windows\system32 folder use these:

    del /P /F /A:SH amvo.exe
    del /P /F /A:SH amvo0.dll

    and this would no more disturb you.

    For any queries/help contact me at atul.iiitm@gmail.com

    ReplyDelete
  5. Thanks!!!
    And you missed one thing, that is removing it from startup, otherwise Windows will show an error message at startup.
    Thanks once again for participating!!!

    ReplyDelete
  6. I have uploaded a small batch file for all these jobs named "ddotcomremover.bat". Try it out. I am not good enough at batch programming. :(
    Topu bhai is the culprit who insisted on me doing such worthless stuff.

    ReplyDelete
  7. I also studied it.
    The files it creates are amvo0.dll and amvo1.dll.
    All are hidden files.
    First unhide them at the command prompt with:
    attrib -S -R -H C:\autorun.inf
    attrib -S -R -H C:\windows\system32\amvo*.*
    then delete them.

    Use Avira AntiVir or ClamAV. It will detect and clean.

    But how to make the Folder Options -> View -> Show all files and folders option WORK!!????
    Whenever I do it, it hides the files again.

    ReplyDelete
  8. This comment has been removed by the author.

    ReplyDelete
  9. Go to the registry editor by running regedit in the Run box.
    Go to this key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

    In the right-hand area, double-click Hidden and change the value to 1.

    Now you're all set to go. Check in your Tools menu whether the changes have taken effect. Mine has already been fixed :-)

    ReplyDelete
  10. I am able to change my Show hidden files option by changing the registry key located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL. Change the value of CheckedValue to 1, and that's it. Thank you, back to life, for your suggestion; I didn't check that out. I guess both of them should work.

    ReplyDelete
  11. Thank you so much, I have no more words to thank you. Really, I'm happy. I was suffering for the last 20 days; now I found your blog and solved my problem. Thanks for such nice help to all of us. Keep it up.

    ReplyDelete
  12. You can permanently disable the autorun feature so that these sorts of viruses can't inundate through removable media. Here is how to disable autorun.

    ReplyDelete
  13. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced doesn't work for me.... The value itself changes to 0 or 2, and even if it is 1, hidden files don't show up. Any suggestions regarding this???

    ReplyDelete
  14. Ooops!!! There is an alternative suggestion already; anyway, for your convenience I write it once again: change the value to 1 at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL".

    ReplyDelete
  15. Hey bhoboghure jhor, this is cool.
    Thanks!

    ReplyDelete
  16. Thanks for help.

    Zeljko, Bosnia

    ReplyDelete
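To pull the whole procedure together (the post's per-drive file cleanup, the startup entry from comments 3 and 5, and the hidden-files registry fix from comments 9, 10 and 14), here is an added PowerShell triage script; it is not the post's ddotcomremover.bat nor any commenter's code. It assumes the file names, the system32 location and the registry values exactly as the page gives them, that the startup entry sits in a Run key (an assumption, since the page only says "uncheck amvo" in msconfig), and that it is run elevated with explorer.exe killed first, as the post requires; without -Remove it only reports.

```powershell
# Added triage/cleanup script for the d.com / amvo.exe autorun worm on this page (not the
# post's own batch file). Run elevated with explorer.exe killed; without -Remove it only reports.
param([switch]$Remove)

$DropperNames = 'd.com', 'autorun.inf'               # planted in the root of every drive
$PayloadNames = 'amvo.exe', 'amvo0.dll', 'amvo1.dll' # dropped into %SystemRoot%\system32
$Sys32        = Join-Path $env:SystemRoot 'system32'
$HiddenUser   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ShowAll      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$RunKeys      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-SuspectFiles {
    # The files carry hidden/system attributes, so -Force is needed to see them at all
    $paths = foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        foreach ($n in $DropperNames) { Join-Path $d.Root $n }
    }
    $paths += foreach ($n in $PayloadNames) { Join-Path $Sys32 $n }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) { Get-Item -LiteralPath $p -Force }
    }
}

function Get-AutorunTargets([string]$IniPath) {
    # The lines of a planted autorun.inf that tell Explorer what to launch on open/double-click
    Get-Content -LiteralPath $IniPath -Force |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' }
}

foreach ($f in Get-SuspectFiles) {
    "{0}  [{1}]" -f $f.FullName, $f.Attributes
    if ($f.Name -ieq 'autorun.inf') { Get-AutorunTargets $f.FullName | ForEach-Object { "    $_" } }
    if ($Remove) { $f.Attributes = 'Normal'; Remove-Item -LiteralPath $f.FullName -Force }
}

# Startup entry ("uncheck amvo" in msconfig, comment 3) is assumed to live in a Run key
foreach ($k in $RunKeys) {
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'amvo' } |
        ForEach-Object {
            "startup: {0}\{1} = {2}" -f $k, $_.Name, $_.Value
            if ($Remove) { Remove-ItemProperty -Path $k -Name $_.Name }
        }
}

# Hidden-files switches the worm tampers with (comments 9, 10, 13); both should read 1
"Hidden (HKCU) = {0}; SHOWALL CheckedValue (HKLM) = {1}" -f `
    (Get-ItemProperty $HiddenUser).Hidden, (Get-ItemProperty $ShowAll).CheckedValue
if ($Remove) {
    Set-ItemProperty -Path $HiddenUser -Name Hidden       -Value 1 -Type DWord
    Set-ItemProperty -Path $ShowAll    -Name CheckedValue -Value 1 -Type DWord
}
```

Re-run it without -Remove after a reboot: if any root-level autorun.inf or the CheckedValue reappears, the writer is still active and the shell-extension hunt from the post is not finished.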

Please, no abusive words, no spam.