
Trojan.Win32.Runner.amo, Remove Trojan.Win32.Runner from Windows

Brief Introduction on Trojan.Win32.Runner.amo

Trojan.Win32.Runner.amo is a variant of Trojan.Win32.Runner, which can be traced back to 2008. It is packed with UPX, which compresses its original program code to approximately 35,328 bytes and makes it easy to piggyback on other programs. As a consequence, less careful PC users may well end up infected with trojan.win32.runner.amo by:

  • Downloading and installing freeware/shareware from websites, including famous and reputable sites offering downloads.
  • Inserting external devices via USB port without checking or disinfecting them beforehand.
  • Streaming/watching prohibited content.
  • Visiting unknown/foreign web sites without checking credibility.
  • Opening alluring emails/links without a second thought.

Because little has been documented about this family even though Trojan.Win32.Runner.amo has caused widespread trouble in the computing world, VilmaTech Research Lab ran a dedicated test on it to bring to light its infiltration routine and the damage it does. The steps here apply only to the situation where trojan.win32.runner.amo has been on the machine for a short while. If it has plagued your computer long enough to leave it unusable, it is wise to get help from VilmaTech online experts, because subsequent infections and mechanical problems caused by the Trojan require extra steps to deal with.

Test on Trojan.Win32.Runner.amo

As soon as trojan.win32.runner.amo successfully attacks a vulnerable computer through some loophole, it drops malicious files into the Temp and System folders on drive C. Among them, %system%\drivers\winsawids.sys and %system%\System.exe are the best camouflaged and escape easy removal by automatic means such as anti-virus programs. That is why alert warnings keep appearing without an efficient and instant removal.

Next it enumerates the processes running in the background and terminates those related to security products such as Kaspersky and Norton. Having eliminated the direct threats to itself and made a roughly suitable habitat, trojan.win32.runner.amo accesses the registry (called the Database in this article) and adds the following keys to carry out its malicious deeds:

  • Add System.exe under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: so that Windows launches trojan.win32.runner.amo automatically.
  • Add %system%\drivers\winsawids.sys under HKLM\SYSTEM\CurrentControlSet\Services\: to load the driver that activates its various code.
  • Add .DLL files, whose names can be random numbers/letters, into system processes like explorer.exe and system.exe: to stay ready for information theft.

One final step is to download complementary files from designated sites so as to strengthen the protection of its malicious code and transfer the collected information to its remote server.


Dangerous Trojan.Win32.Runner.amo

Because Trojan.Win32.Runner.amo degrades overall computer performance by planting malicious files and code on the target machine, it can also lead to additional infections: its modifications open backdoors and vulnerabilities that are commonly taken advantage of. The following undesirable issues may therefore occur:

  • The computer may freeze completely from time to time.
  • Resources are heavily consumed even when few programs are running in the background.
  • Search redirect issues happen occasionally.
  • Countless unknown items suddenly turn up installed somewhere on the compromised computer.

It is clear that trojan.win32.runner.amo needs an efficient and instant removal method to stop its malicious deeds and remove it completely. As mentioned in the preceding paragraphs, trojan.win32.runner.amo cannot be efficiently removed automatically, so the manual method is advisable. Follow the steps below. Should there be any confusion or uncertainty about the steps, on-demand assistance is available from VilmaTech Online Support.

Step by Step to Remove Trojan.Win32.Runner.amo from Windows


Run a full scan with a reputable anti-virus program again and try to remove any possible items.



Show hidden files and folders, then remove the items related to and generated by Trojan.Win32.Runner.amo.

Windows 8
Open Windows Explorer from the Start screen and open the View tab to tick the ‘File name extensions’ and ‘Hidden items’ options. Press the “OK” button to show all the hidden files, including system ones, so extra care is needed when removing malicious items.

Windows 7/XP/Vista
Open ‘Control Panel’, bring up ‘Folder Options’ and open its View tab. Tick ‘Show hidden files and folders’ and untick ‘Hide protected operating system files (Recommended)’. Press the “OK” button to confirm the change.

After all the hidden files are shown, navigate to C:\windows\winstart.bat, C:\windows\wininit.ini and C:\windows\Autoexec.bat to find and delete every file and folder related to Trojan.Win32.Runner.amo, then go to C:\Windows\system as well as C:\Windows\Temp and C:\Windows\system\Temp to remove System.exe.



Open Regedit and edit the registry (the Database) to remove the keys added by Trojan.Win32.Runner.amo.

Windows 8
Move the mouse to the border of the screen in any direction to bring up the search charm bar and type ‘regedit’/‘regedit.exe’. Press the Enter key to open the Registry Editor.

Windows 7/XP/Vista
Hold the Win key and R key together to bring up the search box, type ‘regedit’ and press the Enter key to open the Registry Editor.


Once in, navigate to the following registry locations, find any suspicious key value starting with “Run” and delete it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Startup="C:\windows\start menu\programs\startup"

Next navigate to the below given registry to remove the key “System.exe” there:


Finally navigate to the registry location given below to remove the keys HBmhly.dll, HBWOW.dll, HBJTLQ.dll, HBTL.dll, HBDNF.dll, HBQQXX.dll:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs
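
The indicators named in the test and in the removal steps above can be checked in one read-only pass before anything is deleted by hand. The PowerShell below is an added example, not VilmaTech's tool; the function name Get-RunnerIndicator is made up for illustration, and it assumes that “%system%” means the System32 or legacy system folder under %SystemRoot%.

```powershell
# Read-only audit of the indicators named in this article. Nothing is deleted or changed.
# Assumption: "%system%" means System32 or the legacy "system" directory under %SystemRoot%.
# Get-FileHash needs PowerShell 4.0 or later.
function Get-RunnerIndicator {
    $sha1     = '2D11BC6A0EA27FF88EC09658605E659D2DA11D5C'   # SHA1 quoted in the article
    $dllNames = 'HBmhly.dll', 'HBWOW.dll', 'HBJTLQ.dll', 'HBTL.dll', 'HBDNF.dll', 'HBQQXX.dll'
    $root     = $env:SystemRoot

    # 1. Dropped files: System.exe (system and Temp folders) and drivers\winsawids.sys.
    $paths = foreach ($d in "$root\System32", "$root\system") {
        "$d\System.exe"; "$d\Temp\System.exe"; "$d\drivers\winsawids.sys"
    }
    $paths += "$root\Temp\System.exe"
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{ Check = 'File'; Item = $p; Detail = "SHA1=$h; matches article hash: $($h -eq $sha1)" }
        }
    }

    # 2. Autorun: values under the Run key that reference System.exe.
    $run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object {
            $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' -and
            "$($_.Name) $($_.Value)" -match '\bSystem\.exe\b' } | ForEach-Object {
            [pscustomobject]@{ Check = 'Run value'; Item = $_.Name; Detail = $_.Value }
        }
    }

    # 3. Driver service: any service whose ImagePath points at winsawids.sys.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $img = $_.GetValue('ImagePath')
        if ($img -like '*winsawids.sys*') { [pscustomobject]@{ Check = 'Service'; Item = $_.Name; Detail = $img } }
    }

    # 4. AppInit_DLLs: report a non-empty value and which of the listed DLL names it contains.
    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty $key -ErrorAction SilentlyContinue).AppInit_DLLs
    if ("$appInit".Trim()) {
        $hits = $dllNames | Where-Object { $appInit -like "*$_*" }
        [pscustomobject]@{ Check = 'AppInit_DLLs'; Item = $appInit; Detail = "listed names present: $($hits -join ', ')" }
    }
}

Get-RunnerIndicator | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt. On 64-bit Windows the 32-bit view (SysWOW64 and Wow6432Node) is not covered by these checks.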



Trojan.Win32.Runner.amo is a Trojan horse designed to steal victims’ account information, log-in information and the like to make money for its author behind the scenes. By injecting its malicious code into system processes under the cover of UPX, Trojan.Win32.Runner.amo manages to escape automatic removal and carry out its malicious deeds; the sample corresponds to SHA1 2D11BC6A0EA27FF88EC09658605E659D2DA11D5C. This enables trojan.win32.runner.amo to cause computer problems such as sluggishness and damage such as additional malicious attacks. Note that any delay in removing trojan.win32.runner.amo may end in information theft. It is therefore recommended to change every account password that was typed on the infected computer once trojan.win32.runner.amo has been removed thoroughly. Should other related troubles arise and overwhelm you, you are welcome to get professional help from VilmaTech Online Support.
