W32.Amtian

This page contains a detailed analysis of W32.Amtian. To remove this threat, follow the removal guide below.

W32.Amtian is a computer virus that propagates by infecting executable files on the compromised computer. It also downloads additional threats from a remote server, so the longer it remains on the PC, the more damage it can do. It is vital to remove this virus as soon as it is detected to prevent further damage to the computer.

When W32.Amtian executes, it copies itself into a folder under the Windows directory. It may also configure itself to run each time Windows starts by adding entries to the registry. In addition, it may install a Windows service with the following properties:

Display Name: Windows AV v1.0
Image Path: %Windir%\Amti\svchost.exe
Startup Type: Boot

Note that the legitimate svchost.exe lives in %Windir%\System32; the copy in %Windir%\Amti is the virus, named to blend in with the genuine service host processes.

The virus then adds a further batch of registry entries that register it as a legacy device (the LEGACY_AMTI key under Enum\Root that Windows creates for the service) and as an in-process server.

To update itself to a newer component, it connects to a remote server and downloads a configuration file.

W32.Amtian spreads through a number of channels commonly used by other known threats. Malicious links that lead the target user to the location of the Trojan have also been observed; these links reach users via spam email messages, instant messaging software and malicious blog posts that cover recent news topics.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Manual Removal of W32.Amtian:

1. Temporarily Disable System Restore.
2. Update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected files.
5. Delete/Modify any values added to the registry.
6. Exit registry editor and restart Windows.

Online Virus Scanner:
Another way to remove the virus without installing an additional anti-virus application is to run a thorough scan with a free online virus scanner, such as those offered on the websites of legitimate anti-virus and security vendors.

Technical Details and Additional Information:

Malicious Files Added by W32.Amtian:
%Windir%\Amti\Amti.dll
%Windir%\Amti\svchost.exe

Associated Windows Registry Entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows rundll32 updater" = "Rundll32.exe %Windir%\Amti\Amti.dll B"
HKLM\SYSTEM\CurrentControlSet\Services\Amti\"Type" = "10"
HKLM\SYSTEM\CurrentControlSet\Services\Amti\"ObjectName" = "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\Amti\"ImagePath" = "%Windir%\Amti\svchost.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Amti\"ErrorControl" = "1"
HKLM\SYSTEM\CurrentControlSet\Services\Amti\"DisplayName" = "Windows AV v1.0"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMTI\0000\"Service" = "Amti"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMTI\0000\"Legacy" = "1"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMTI\0000\"DeviceDesc" = "Windows AV v1.0"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMTI\0000\"ConfigFlags" = "0"
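As an added example that is not part of the original write-up, the following PowerShell script ties the manual removal steps above to the indicators listed in this section: it checks a host for the Run value, the Amti service, the LEGACY_AMTI enumeration key and the two dropped files, and with -Remove deletes them. It assumes the paths and value names exactly as listed on this page; the script name Remove-Amtian.ps1 is a placeholder.

```powershell
# Remove-Amtian.ps1 (placeholder name). Added example, not code from the original page.
# Checks for the W32.Amtian indicators listed above and, with -Remove, deletes them.
# Run from an elevated prompt, ideally in Safe Mode, after updating definitions.
param([switch]$Remove)

$windir     = $env:WINDIR
$files      = @("$windir\Amti\Amti.dll", "$windir\Amti\svchost.exe")
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue   = 'Windows rundll32 updater'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Amti'
$legacyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMTI'

$found = @()

# 1. Autorun value that loads Amti.dll through rundll32.exe at logon
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) { $found += "Run value '$runValue' = $($run.$runValue)" }

# 2. Service "Windows AV v1.0" whose ImagePath points outside System32
$svc = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
if ($svc) { $found += "Service Amti: DisplayName='$($svc.DisplayName)' ImagePath='$($svc.ImagePath)'" }

# 3. Legacy device entry Windows created for the service
if (Test-Path $legacyKey) { $found += "Legacy enum key $legacyKey" }

# 4. Dropped files under %Windir%\Amti
foreach ($f in $files) { if (Test-Path $f) { $found += "File $f" } }

if ($found.Count -eq 0) { Write-Output 'No W32.Amtian indicators found.'; return }
$found | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remove) {
    # Stop and delete the service first so the fake svchost.exe is no longer running
    Stop-Service -Name Amti -Force -ErrorAction SilentlyContinue
    sc.exe delete Amti | Out-Null

    # Terminate any rundll32.exe that has Amti.dll loaded (module listing can fail
    # for processes of a different bitness, so treat that as "not loaded")
    Get-Process -Name rundll32 -ErrorAction SilentlyContinue | ForEach-Object {
        try { $mods = $_.Modules.FileName } catch { $mods = @() }
        if ($mods -contains "$windir\Amti\Amti.dll") { Stop-Process -Id $_.Id -Force }
    }

    # Remove the persistence entries and the dropped files
    Remove-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    Remove-Item -Path $serviceKey -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $legacyKey  -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$windir\Amti" -Recurse -Force -ErrorAction SilentlyContinue
    Write-Output 'Removal attempted; restart Windows and run a full scan to confirm.'
}
```

Run it once without -Remove to see what is present, then with -Remove as Administrator. The LEGACY_* keys under Enum\Root carry a restrictive ACL, so Remove-Item may report Access denied on that key; if it does, adjust the key's permissions in regedit or delete it after a reboot once the service is gone. Because W32.Amtian is a file infector, clearing these entries is not the whole job: the full scan in step 4 of the manual removal is still required to clean the infected executables.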

Alternative Removal Method for W32.Amtian

Option 1: Use Windows System Restore to return Windows to a previous state

If W32.Amtian has entered the computer, there is a good chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by rolling the configuration back to an earlier date, replacing compromised files with clean versions. If you have a restore point saved from before W32.Amtian infiltrated the PC, we strongly encourage you to use it if none of the steps above works. Keep in mind that step 1 of the manual removal (disabling System Restore) deletes all existing restore points, so decide which approach you will use before starting. System Restore is also not a substitute for a scan: any infected executables it does not restore will remain, so run a full system scan afterwards. The full Windows System Restore procedure is described on a separate page.