How to Remove Autorun Virus

description

Removal of the autorun virus from hard disks and pen drives using the DOS command method

By Zolkiflee M S

[email protected]

Preface

Not all computer users are aware of virus attacks on their systems. The reason is that users do not take active steps to protect their systems from being infected by computer viruses.

With the wide use of thumb drives and external hard disks, one would not realise that a virus, worm or trojan is embedded in the system until something weird happens.

I take this opportunity to share what I have in solving current virus problems.

The system

Before I proceed with the steps to remove the autorun virus, let's think back to who uses your computer or laptop. Take note of these users and the mobile devices that they use, including yourself.

Thumb drives, external hard disks and mobile phone memory cards are carriers of trojan viruses.

Even with a strong antivirus in your system, it would not detect the presence of the core file that executes these viruses, because your antivirus program will only start when Windows starts and executes all the .ini files. Your antivirus program will only detect and kill the worm virus called autorun.inf or others like secret.exe, but it will not detect other files like 9.cmd or kavo.exe, or maybe ones using a file name such as nmoho.bat.

Symptoms

The first thing to take note of is whether your system can display hidden files or folders. The core virus file will disable your View Hidden File setting.

To display Hidden File

1. Click on My Computer
2. Click on C: Drive
3. From the menu Tools click on Folder Options
4. Select the View tab
5. Look for the section Hidden Files And Folders
6. The default selection would be Do Not Show Hidden File And Folder
7. Click on the selector Display Hidden File And Folder
8. Click the box to remove the selection on Hide Extension and Hide Protected
9. Click Ok
10. If your system is not infected, new files will be displayed in your C: drive, such as AUTOEXEC.BAT, boot.ini, CONFIG.SYS, IO.SYS, MSDOS.SYS, NTDETECT.COM, ntldr, pagefile.sys
11. If you do see any of these files, repeat step 4 to step 6
12. If the default is still similar to step 6, this means your system is infected

How to remove

1. Shut down your system.
2. Disconnect from any mobile device, networking and internet connection.
3. Restart your system while pressing the F8 button on your keyboard until it displays a menu that gives you the selection to start Windows.
4. You should be seeing the following start menu:
   a. Start in safe mode
   b. Start in safe mode with networking
   c. Start in safe mode with command prompt
5. Use your up arrow key to select Start In Safe Mode With Command Prompt.
6. Once Windows starts it will display the screen below.
7. At this point you have to use DOS commands to operate.

8. Type the following on the screen:
   a) CD\WINDOWS\SYSTEM32 and press Enter. This changes the directory to windows\system32.
   b) DIR /A:H and press Enter. This displays all hidden files.
   d) Take note of any file with the extension .exe, .cmd or .dll, such as 9.cmd, kavo.exe, ckvo.exe, ckvo0.dll, nmsogt.exe.
   e) If you see any of the files above that are not related to Windows, or the date shown beside these files is among the latest dates, then these files are the culprit. These files are hidden and write-protected.
   f) You need to remove the hidden attribute first before deleting, by typing the following command:
   g) ATTRIB KAVO.EXE -H -R -S (this changes the attributes)
   h) DEL KAVO.EXE (this deletes the file)
   i) Repeat steps g) and h) above for the other files to be deleted. Make sure you delete only the suspected files.
   j) Repeat step b) above to make sure the suspected files are deleted permanently.

9. The next step is to go to the root directory of your C: drive.
   a) Type the command CD\ and press Enter. You will see this on your screen: c:\>_
10. Type in DIR /A:H and press Enter.
11. If your system is infected you will see these files: 9.cmd, autorun.inf, ckvo.exe
12. You have to change the attributes and delete these files as you did in 8(g) to 8(j) above.
13. If you have a D: drive you have to do the same thing as you did for your C: drive.
14. To change to your D: drive, type the command D: and repeat steps 8(g) to 8(j) above.
15. You can check your thumb drive at this stage if you remember the drive letter used when you insert your thumb drive or memory cards.

16. If the drive name for your thumb drive is F or G or H, type the command F: or G: or H: to change to that particular drive and repeat steps 8(g) to 8(j) above.
17. WARNING: DO NOT DELETE THE FOLLOWING IN YOUR C: DRIVE
    Directory of C:\
    boot.ini
    IO.SYS
    MSDOS.SYS
    NTDETECT.COM
    ntldr
    pagefile.sys
    <DIR> RECYCLER
    <DIR> System Volume Information
18. The next step is to restart your system by typing: SHUTDOWN -R
19. Let Windows start normally and do not connect to your network or the internet. The reason is that your explorer.exe might also be the main cause of the virus infection.
20. Once Windows starts, go to your START menu and select RUN.
21. Type in REGEDIT and click OK.

22. You will see this screen.
23. Please be careful: do not simply delete or change any parameters.
24. Make sure the item HKEY_LOCAL_MACHINE is selected; if not, click once to select it.
25. From the menu Edit select Find. In the box that appears, type in Showall and click the Find Next button.
26. You will see this screen.
27. Double-click on the item CheckedValue.
28. In the box Value Data, type in the figure 1 and press OK.

29. Click on the menu File and Exit.
30. Double-click on My Computer and double-click your C: drive.
31. From the menu Tools click on Folder Options.
32. Select the View tab.
33. Look for the section Hidden Files And Folders.
34. The default selection would be Do Not Show Hidden File And Folder.
35. Click on the selector Display Hidden File And Folder.
36. Click the box to remove the selection on Hide Extension and Hide Protected.
37. Click Ok.
38. If your system is not infected, new files will be displayed in your C: drive, such as AUTOEXEC.BAT, boot.ini, CONFIG.SYS, IO.SYS, MSDOS.SYS, NTDETECT.COM, ntldr, pagefile.sys
39. If you succeeded to this stage and are able to display all the hidden and system files, you are cool.
40. Now what you have to do is scan your hard disk using your antivirus program. Again, do not connect to the internet until you have completed the virus scanning.
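
Steps 20 to 28 can also be carried out from a command prompt with reg.exe. The batch file below is an added example, not part of the original document; the full key path is the usual Windows location of the Showall entry and is stated here as an assumption, since the document gives only the search term Showall and the value name CheckedValue.

```batch
@echo off
rem Added example: check the Showall CheckedValue and set it to 1 if needed.
rem KEY is an assumption (the usual location of the entry found in step 25).
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
set "VTYPE="
set "VDATA="

rem reg query prints one line per value: name, type, data.
for /f "tokens=1-3" %%A in ('reg query "%KEY%" /v CheckedValue 2^>nul ^| find /i "CheckedValue"') do (
    set "VTYPE=%%B"
    set "VDATA=%%C"
)

if not defined VTYPE (
    echo CheckedValue was not found under the key.
    goto fix
)
echo Current CheckedValue: type=%VTYPE% data=%VDATA%

rem Anything other than a REG_DWORD holding 1 is reset.
if /i "%VTYPE%"=="REG_DWORD" if /i "%VDATA%"=="0x1" (
    echo Already set to 1, nothing to change.
    goto end
)

:fix
rem Step 28: Value Data = 1. /f overwrites the existing value without a prompt.
reg add "%KEY%" /v CheckedValue /t REG_DWORD /d 1 /f

:end
endlocal
```

Run it from an administrator account, because writing under HKEY_LOCAL_MACHINE fails otherwise.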

PRECAUTIONS

Before inserting any thumb drive that you are not sure is free from viruses, scan it first by starting your system using Safe Mode With Command Prompt. Display the content of the thumb drive using the command DIR /A:H and remove the autorun.inf and any suspected virus file.
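
The DIR /A:H review from steps 8 to 16 and from the precaution above can be collected in one batch file. This is an added example, not part of the original document; the script name hidscan.bat and the extension list (which adds .bat and .inf to the .exe, .cmd and .dll named in step 8) are assumptions.

```batch
@echo off
rem Added example (hypothetical name hidscan.bat), not from the original document.
rem Usage: hidscan.bat C: D: F:
rem Lists hidden files for review. Nothing is deleted or changed.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 drive: [drive: ...]
    exit /b 1
)

rem Step 8: hidden files in the Windows system directory.
call :scan "%SystemRoot%\System32"

:next
if "%~1"=="" goto done
rem Steps 9 to 16: hidden files in the root of each drive named on the command line.
call :scan "%~1"
shift
goto next

:done
endlocal
exit /b 0

:scan
echo.
echo ===== %~1 =====
if not exist "%~1\" (
    echo   not available, skipped
    goto :eof
)
rem /a:h-d  hidden files only, no directories
rem /t:w    show the last-written date so recent files stand out
rem /o:-d   newest first
dir /a:h-d /t:w /o:-d "%~1\*.exe" "%~1\*.cmd" "%~1\*.bat" "%~1\*.dll" "%~1\*.inf" 2>nul
rem Show the contents of autorun.inf so the file it names can be looked for.
if exist "%~1\autorun.inf" (
    echo --- contents of %~1\autorun.inf ---
    type "%~1\autorun.inf"
)
goto :eof
```

The extension filter leaves out the files listed in the step 17 warning, so those do not appear among the candidates.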

After scanning your hard disk for virus-infected files, if you find that your explorer.exe file is not infected you can proceed to connect to the internet; otherwise, if explorer.exe is infected, heal it first or move it to the vault.

OK fellas, good luck in your scanning.