Step 1
Back up your registry:
For Vista, click the Start button, then in the search field type: systempropertiesprotection. Press Enter, then type your password if prompted and click Allow. Once the most recent restore points display, go to the System Properties dialog box on the System Protection tab and click Create. Type a name for the backup and click Create. Once the backup has been created, click OK twice to exit.
For XP, click Start, then Run, then type: Windows\system32\restore\rstrui.exe. Click OK. Select a restore point on the Welcome page and click Next. Enter a name for the backup on the Create a Restore Point page and click Create. Once the backup has been created, click Close.
For Windows 2000, use the backup utility to create an Emergency Repair Disk.
For Windows 95, restart the computer in safe mode and log in as an administrator. Press F8 after the first beep you hear during start up, before the display of the Microsoft Windows 95 logo. Select the first option, to run Windows in Safe Mode from the menu. Click Start, Run, and type cmd in the text box, then press Enter. At the command prompt, type the following lines, pressing Enter after each:
cd windows
attrib -r -h -s system.dat
attrib -r -h -s user.dat
copy system.dat *.bu
copy user.dat *.bu
For Windows 98 and Windows Me, click Start, Run, and type: scanregw. Then click OK. Click Yes when prompted to back up the registry. Click OK when notified that the backup is complete.
For Windows NT, click Start, Run, and type: Ntbackup.exe. Click OK to use the NT backup tool to back up the registry.
Step 2
For Windows Me or Windows XP, turn off System Restore while this fix is being done.
In Windows Me, click Start, Settings, and Control Panel. Double-click on the System icon and select File System from the Performance tab. Click on the Troubleshooting tab and check the Disable System Restore box. Click OK.
In Windows XP, log in as an administrator and click Start. Right-click on My Computer, and select Properties from the shortcut menu. Check the Turn off System Restore option for each drive on the System Restore tab. Click Apply, then Yes to confirm. Click OK.
Step 3
Restart the computer in safe mode and log in as an administrator. Press F8 after the first beep you hear, before the display of the Microsoft Windows logo. Select the first option, to run Windows in Safe Mode from the selection menu.
Step 4
Remove any program files from the computer. Go to Start, Control Panel, and Add/Remove Programs. Remove any programs that include mgg.exe or amvo.exe. If none are listed, continue to Step 5. The malware program contains hidden files that might not be deleted as part of the software removal process.
Step 5
Use the Windows Search tool to determine if mgg.exe exists on the hard drive. Go to Start, Search, and All Files and Folders. Type mgg.exe in the All or Part of the File Name section. Select All Local Hard Drives from the Look In: drop-down list. Click Search. Repeat this process for the following files:
amvo.exe
avpo.exe
amva.exe
autorun.inf
Step 6
Use the Windows Task Manager to end any mgg.exe processes that are running. Press Ctrl+Alt+Del to open Task Manager. Select the Processes tab, select mgg.exe and End Process. Repeat these steps for the following processes:
amvo.exe
avpo.exe
amva.exe
Step 7
Click on Start, Run, and type: msconfig. Press Enter. Remove checkmarks next to any mgg.exe entries on the Startup tab. These entries may include references to autorun.inf, amva.exe, amvo.exe, and avpo.exe. Save changes and exit to the desktop.
Step 8
Click Start, Run and type: notepad. Press Enter. This will open a blank text document. Click File, then Open. Change the listed location to the folder housing the autorun.inf file (usually the root of the specified drive). Select autorun.inf and click Open. Make a note of the file name of the .exe, .bat or .com file that launches at startup.
Step 9
Click Start, Run, and type: regedit. Press Enter. Press Ctrl+F, type ylr in the search field and delete all related entries. Repeat this process for the file name that autorun.inf was found to launch in Step 8, as well as the following terms:
amvo
avpo
amva
Then check the following keys and delete the entries related to the malware:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run amva
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
(In right-pane, Value named "Run" & "Load")
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_poikjnvb
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_poikjnvb nextinstance
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_poikjnvb\0000 class
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_poikjnvb\0000 classguid
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_poikjnvb\0000 configflags
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_poikjnvb\0000 devicedesc
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_poikjnvb\0000 legacy
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_poikjnvb\0000 service
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty nextinstance
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty\0000
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty\0000 class
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty\0000 classguid
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty\0000 configflags
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty\0000 devicedesc
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty\0000 legacy
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty\0000 service
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty\0000\control
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty\0000\control *newlycreated*
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_zdfrty\0000\control activeservice
Double-click on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and change the CheckedValue from 0 to 1.
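Rather than eyeballing each key above, you can export them (regedit File, Export, or `reg export`) and let a script list the values that mention the infection's names. The parser below is an added example, not part of the original guide; the .reg text it runs on is constructed, and the INDICATORS list is the set of search terms this step names.

```python
# Constructed .reg export text of the kind regedit / "reg export" writes
# (hypothetical contents, not a real sample). Real exports are UTF-16; decode
# the file with encoding="utf-16" before passing the text in.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"amva"="C:\\WINDOWS\\system\\amva.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system\\mgg.exe"
"""

# Search terms this step tells you to look for with Ctrl+F in regedit.
INDICATORS = ("ylr", "mgg", "amvo", "avpo", "amva")


def parse_reg_export(text):
    """Map each [key path] to its {value_name: data} for named string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg files double every backslash inside string data; undo that.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_indicator_values(text):
    """Return (key, value_name, data) for values whose name or data mentions an indicator."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for name, data in values.items():
            blob = (name + " " + data).lower()
            if any(ind in blob for ind in INDICATORS):
                hits.append((key, name, data))
    return hits
```

Note in the sample how the Winlogon Userinit hit still starts with the legitimate userinit.exe: a hit tells you which value to edit, so read the data before removing anything that a normal logon depends on.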
Step 10
Click on Start, Run, and type: cmd. Press Enter to open the command prompt and remove the attributes protecting the files that need to be deleted. Type cd \windows\system and press Enter to change to the directory where the virus DLL files reside. At the command prompt, type: attrib -a -s -h -r mgg.exe and press Enter.
Repeat this process for each of the following:
attrib -a -s -h -r 2kc.dll
attrib -a -s -h -r 3wcxx91.cmd
attrib -a -s -h -r amvo.exe
attrib -a -s -h -r avpo.exe
attrib -a -s -h -r amva.exe
attrib -a -s -h -r amvo0.dll
attrib -a -s -h -r amvo1.dll
attrib -a -s -h -r avpo.exe2kc.dll
attrib -a -s -h -r avpo0.dll
attrib -a -s -h -r dosocom.com
attrib -a -s -h -r help.exe.tmp
attrib -a -s -h -r nknem5p8.dll
attrib -a -s -h -r old10.tmp
attrib -a -s -h -r q8k4m7wy.dll
attrib -a -s -h -r tru32b.tmp
attrib -a -s -h -r v.com
attrib -a -s -h -r vga.sys
attrib -a -s -h -r z2muafn9.dll
attrib -a -s -h -r C:\autorun.inf
Step 11
Type: regsvr32 /u 2kc.dll and press Enter to unregister the virus DLL file. Repeat this process for the following related DLL files:
2kc.dll
amvo0.dll
amvo1.dll
avpo.exe2kc.dll
avpo0.dll
nknem5p8.dll
q8k4m7wy.dll
z2muafn9.dll
Step 12
Use the Windows Search tool to locate and remove all temp files associated with the virus. Go to Start, Search, and All Files and Folders. Type *.tmp in the All or Part of the File Name section. Select All Local Hard Drives from the Look In: drop-down list. Click Search. Right-click on each occurrence of the file and select Delete from the shortcut menu. Repeat the removal process for each of the following related files:
mgg.exe
2kc.dll
3wcxx91.cmd
amvo.exe
avpo.exe
amva.exe
amvo0.dll
amvo1.dll
avpo.exe2kc.dll
avpo0.dll
dosocom.com
help.exe.tmp
nknem5p8.dll
old10.tmp
q8k4m7wy.dll
tru32b.tmp
v.com
vga.sys
z2muafn9.dll
autorun.inf
Step 13
Reboot your computer.
Step 14
If mgg.exe still resides on the computer, repeat the above steps or try using a free automatic removal program from Trend Micro or AVG (See References). If the files have been successfully removed, System Restore can be reactivated.
In Windows Me, click Start, Settings and Control Panel. Double-click on the System icon and select File System from the Performance tab. Click on the Troubleshooting tab and remove the check from the Disable System Restore box. Click OK.
In Windows XP, log in as an administrator and click Start. Right-click on My Computer and select Properties from the shortcut menu. Check the Turn on System Restore option for each drive on the System Restore tab. Click Apply and Yes to confirm when prompted. Click OK.