Monday, October 27, 2008

For E-knowledge again

How to remove autorun.inf worm

Previously there was a worm (I’m not sure whether it counts as a virus or spyware or something else, but it was a worm), commonly known as autorun.inf. Usually it is accompanied by other files such as “amvo.exe, amv01.dll” or “ckvo.exe / ckv01.dll” stored in the directory:

C:\Windows\system32\

And it copies itself to other drives, especially USB flash drives.

This kind of worm can be removed by first deleting “amvo.exe” or the other suspicious files from c:\windows\system32\

If you want to see the other suspicious files that belong to the virus, this is what I do:

From “C:\windows\system32” type “dir /ah” (this lists the hidden files)

Basically, if you find something like a hidden file with a .exe extension, you can check it further by typing “attrib [filename]” to see its attributes: whether it is a SYSTEM file, a HIDDEN file, or a READ-ONLY file. If the file has all three of these attributes, it is most likely a virus. I’m not saying it is definitely a virus, only that it is a suspect. Searching the net for information about the file is the best way to tell what it really is. And from observing their behavior, these ones are definitely worms.

Anyway, enough with the background / introduction. To remove it, you first have to clear its attributes, since you cannot delete a file while it is hidden or read-only. Type “attrib [filename] -s -h -r” (this removes those attributes), after which you can delete it… BUT before doing this, it is best to be in “safe mode”. There are other sites that show how to remove autorun.inf, just google them… :)
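As an added example (not from the original post), here is a PowerShell audit that does the same job as “dir /ah” plus “attrib” in one go: it lists executables in system32 that carry all three S, H and R attributes, and checks the root of every drive (USB sticks included) for the autorun.inf / FOUND.000\USB_Files.chk pair described further down. It assumes PowerShell 3.0 or later; the function names are my own. It only reports, it deletes nothing.

```powershell
# Added example, not part of the original post. Reports files that carry the
# System + Hidden + Read-only attribute combination the post describes.
$shr = [IO.FileAttributes]::System -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly

function Test-ShrAttributes {
    param([IO.FileSystemInfo]$Item)
    # True only when all three bits are set, i.e. what "attrib" shows as S H R
    return (($Item.Attributes -band $shr) -eq $shr)
}

function Get-ShrSuspects {
    param([string]$Folder = "$env:SystemRoot\System32",
          [string[]]$Extensions = @('.exe', '.dll', '.sys', '.inf'))
    # -Force is the PowerShell equivalent of "dir /ah": hidden files are included
    Get-ChildItem -Path $Folder -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() -and (Test-ShrAttributes $_) } |
        Select-Object FullName, Attributes, Length, LastWriteTime
}

function Get-AutorunSuspects {
    # Looks at the root of every file-system drive for the two files the post
    # names. A FOUND.000 folder by itself is normal (chkdsk creates it); the
    # USB_Files.chk name with S H R attributes is what makes it suspicious.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($rel in @('autorun.inf', 'FOUND.000\USB_Files.chk')) {
            $path = Join-Path $drive.Root $rel
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if ($item -and (Test-ShrAttributes $item)) {
                [pscustomobject]@{ Path = $item.FullName; Attributes = $item.Attributes }
            }
        }
    }
}

# Report only: look each hit up before clearing attributes and deleting anything.
Get-ShrSuspects      | Format-Table -AutoSize
Get-AutorunSuspects  | Format-Table -AutoSize
```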

But recently a different kind of autorun.inf drove me nuts… it’s still a worm, but I tried to remove it with the steps above and failed.

This kind of autorun.inf has a companion, a “FOUND.000” directory, and inside it is a “USB_Files.chk” file that also has the “SHR” attributes (in other words it is hidden and not easy to delete).

Having googled it, I found this site describing it:

http://www.avira.com/ro/threats/section/fulldetails/id_vir/4331/worm_autorun.xtl.html

There you will see the files that accompany it and what it changes in the registry.

How to remove it? This is what I did…

First, restart your computer in ‘safe mode’, preferably using “Safe Mode with Command Prompt”.

Press “Alt + Ctrl + Del” to open ‘Task Manager’.

Go to the ‘Processes’ tab and ‘End Process’ on anything you suspect is the virus or malware running in memory in safe mode.

Some examples of processes I ended are named:

“system” (make sure you don’t end the other System process). There could be two ‘system’ processes running in safe mode; end the one with the larger memory usage. The safe one has at least 240K, the evil ‘system’ is at about 1000K.

Other processes you may have to end are ‘hate.sys’ and some unnecessary processes like ‘userinit’.

You must also end the process “explorer.exe” (I know this is a needed program, but the virus seems to use it to spread itself… anyway, that’s the reason we need to be at the command prompt). This will disable some Explorer functions…

Next, having stopped the programs that may keep the virus / worm active in memory, it’s time for deletion…

Delete the files listed at the site I gave…

Basically, start at the C drive, or wherever Windows is installed…

*Note: if you can’t delete a file, check its attributes by typing “attrib [filename]”. If it has the S, H and R attributes, remove them by typing “attrib [filename] -s -h -r”

Delete “hate.sys” found at c:\Windows\system32\drivers\

Delete “system” found at c:\Windows\system32\

Delete also the file winsis_x.inf found at c:\windows\inf\ (it may be accompanied by other files, so type “del winsis*.*”)

*Removing autorun.inf

Type “CD found.000” to enter the directory

Type “attrib USB_Files.chk -s -h -r” and then “del USB_Files.chk”

Type “CD..”

Type “RD FOUND.000” (sometimes, even after deleting the file inside it, you can’t remove this folder; if that happens, that’s ok… just ignore it for the meantime, or type “attrib FOUND.000 -S -H -R” and try removing it again with “RD”)

Type “attrib autorun.inf -s -h -r” and then “del autorun.inf” to remove autorun.inf

Next, go to the other drives or USB flash drives and repeat the steps under *Removing autorun.inf

After deleting every file, you need to fix some changed entries in the registry, so

Type “regedit” and press Enter

A window will appear; based on the site I gave, you will see which values were changed.

Although you can ignore the change in HKCU, you must still edit the one in HKCR (HKCU means HKEY_CURRENT_USER and HKCR means HKEY_CLASSES_ROOT)

*Take note: “changing the registry is risky. One wrong change may make your computer not work properly.” So if you are unsure, ask for help from someone who knows this stuff… I tell you, I made a bad move when editing this; good thing it wasn’t that bad and I was able to fix it.

The only thing you need to change is the value at “HKCR\exefile\shell\open\command”, which was changed to:

"%SYSDIR%\drivers\hate.sys %1 %*"

The value you must put back should be exactly what is in “HKCR\exefile\shell\runas\command”. If I am right, the data value of “HKCR\exefile\shell\runas\command” is

"%1" %*
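As an added example (not from the original post), this PowerShell function reads the open\command and runas\command values side by side, warns when open\command is no longer the standard "%1" %*, and restores it only when asked to and confirmed. It assumes an elevated PowerShell session; the function name is my own.

```powershell
# Added example, not part of the original post. Checks the registry value the
# worm changed and optionally restores the standard value the post names.
function Test-ExefileOpenCommand {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Repair)

    $openKey  = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $runasKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command'
    $expected = '"%1" %*'   # standard value for launching .exe files

    # '(default)' reads the unnamed value of the key, which is what the shell uses
    $open  = (Get-ItemProperty -Path $openKey  -Name '(default)').'(default)'
    $runas = (Get-ItemProperty -Path $runasKey -Name '(default)').'(default)'

    Write-Host "open\command  : $open"
    Write-Host "runas\command : $runas"

    if ($open -eq $expected) {
        Write-Host 'open\command is the standard value; nothing to change.'
        return $true
    }

    # Anything else (such as a path under drivers\ followed by %1 %*) means every
    # .exe started through the shell is routed through that file first.
    Write-Warning "open\command has been changed to: $open"

    if ($Repair -and $PSCmdlet.ShouldProcess($openKey, "set (default) to $expected")) {
        Set-ItemProperty -Path $openKey -Name '(default)' -Value $expected
        return $true
    }
    return $false
}

# Check only:
Test-ExefileOpenCommand
# Check and restore, asking before writing to the registry:
# Test-ExefileOpenCommand -Repair -Confirm
```

Run the check-only form first and compare the printed open\command value with the one quoted above before repairing.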

After this you may close regedit and restart, and then check whether your computer still has the worm.

Hope this helps. Although I also warn you: I do not recommend this if you don’t know what you are doing… :)
