amvo.exe and its variants

   
Virus Information  

The Amvo.exe virus spreads through disk partitions and removable disks. It periodically copies "autorun.inf" and other files, depending on the variant, to every partition of your system. If you remove them, these two files reappear in place a few seconds after deletion.

We will not describe the particularities of each variant; we describe them as a whole.
One clarification: viruses whose patches are already available on this site are not covered by this patch.

 
File  

The virus places files in the system directory:

  • <System>\amvo.exe
  • <System>\amvo0.dll
  • <System>\amvo1.dll

It also stores two files in the temporary directory:

  • fq9.dll
  • help.exe
  • 2nux4.dll
  • 5.dll
  • 92izu.dll
  • dykvagp.dll
  • e.dll
  • e7sf4.dll
  • ezk.dll
  • fqlq.dll
  • pelqe.dll
  • vupin8b.dll
  • w4enx.dll
  • zmcc.dll
  • k2fvpt.dll
  • fgshabuifhdvmis32.exe
  • RarSFX0\32.exe
  • 2m9mdmy.dll
  • w2e.sys
  • ...

It also places two files per variant in the root folder of every partition and removable disk:

  • Autorun.inf
  • 3o.exe
  • y82td3td.com
  • i.cmd
  • fppg1.exe
  • ekugb3.bat
  • ...

 

 
Registry  

The following Registry Keys were created:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
amva
<System>\amvo.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32

Creates value
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32
(Default) = <Windows>\HELP\F3C74E3FA248.dll
ThreadingModel = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}
(Default) = SSUUDL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{1DBD6574-D6D0-4782-94C3-69619E719765} = ""
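
The file and registry entries listed above can be checked on a host with a read-only script. This is an added example, not part of the original page or its patch; the function name `Find-AmvoIndicators` is hypothetical, and because the page's file lists end in "...", an empty result does not rule out other variants.

```powershell
# Added example: read-only check for the indicators listed on this page.
# Find-AmvoIndicators is a hypothetical name; nothing is modified or deleted.
function Find-AmvoIndicators {
    $clsid = '{1DBD6574-D6D0-4782-94C3-69619E719765}'
    $found = New-Object System.Collections.Generic.List[string]

    # Files in the system directory (the page's <System>)
    foreach ($n in 'amvo.exe', 'amvo0.dll', 'amvo1.dll') {
        $p = Join-Path ([Environment]::SystemDirectory) $n
        if ([IO.File]::Exists($p)) { $found.Add("file: $p") }
    }

    # Files in the root of every partition and removable disk.
    # [IO.File]::Exists also sees hidden and system files.
    # An Autorun.inf hit alone is not proof: legitimate media ship one too.
    $rootNames = 'Autorun.inf', '3o.exe', 'y82td3td.com', 'i.cmd', 'fppg1.exe', 'ekugb3.bat'
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($n in $rootNames) {
            $p = Join-Path $drive.Root $n
            if ([IO.File]::Exists($p)) { $found.Add("drive root: $p") }
        }
    }

    # Autostart value "amva" under the current user's Run key
    $run = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['amva']) { $found.Add("Run value amva = $($run.amva)") }

    # COM class registration and its InProcServer32 default value
    $inproc = Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
    if ($inproc) { $found.Add("CLSID $clsid InProcServer32 = $($inproc.'(default)')") }

    # ShellExecuteHooks value named after the CLSID
    $hooks = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' -ErrorAction SilentlyContinue
    if ($hooks -and $hooks.PSObject.Properties[$clsid]) { $found.Add("ShellExecuteHooks entry $clsid") }

    $found
}

$hits = @(Find-AmvoIndicators)
if ($hits.Count) { $hits } else { 'No listed indicator found.' }
```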

 

 
WARNING  

This virus runs automatically each time you open or explore a partition. It is preferable to download the patch and unpack it on the desktop, reboot your machine in Safe Mode, and run the patch while still in Safe Mode.

This virus attempts to connect to these addresses:

  • http://www.microsoftmg.com/gut/mgg.exe
  • http://www.om7890.com/mf2/help.rar

This results in these two files being downloaded.

Instructions on how to restart your computer in Safe Mode.

 
 

COPYRIGHT (C) 2008 NET STUDIO, ALL RIGHTS RESERVED