|
Been infected with spyware? Tell us about your problem. For fast automatic spyware removal, try CounterSpy, SUPERAntiSpyware |
How to remove trojans that uses autorun.inf file
These trojans uses autorun.inf file for infects systems. If your computer was infected, you can to get many popups, Internet Explorer start page can to be change, new files with strange names on the your disks. (for example: selamat_berposa_dari_umt.js)
Step1: removing autorun.inf files from all your drives, include any usb/flash drives.
1. Manually:
Reboot your PC in Safe mode.
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Click Start -> Run
In the type box enter: del /a:h /f c:\autorun.*
Repeat this step to all drives, make replacing “c” with the appropriate drive letter.
2. Automatically.
Download Combofix.
Run, follow the prompts.
If combofix have removed autorun.inf, you have found message in the output log.
For example:
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
Step 2: removing trojans autorun points in the windows registry.
Download and install HijackThis.
Run HijackThis and scan, put a checkmark next to the following items (if exists):
O4 - HKCU\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKCU\..\Run: [TaskMonitor] C:\WINDOWS\system32\TaskMonitor.exe
O4 - HKCU\..\Run: [Realshade] C:\WINDOWS\system32\realshade.exe
O4 - HKCU\..\Run: [cftmonn] C:\WINDOWS\system32\cftmonn.exe
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Step 3: deleting trojans files.
Download Avenger and unzip to your desktop.
Run Avenger, copy,then paste the following text in Input script Box:
Files to delete:
C:\WINDOWS\system32\avp.exe
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\kxvo.exe
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\SCVVHSOT.exe
C:\WINDOWS\system32\TaskMonitor.exe
C:\WINDOWS\system32\realshade.exe
C:\WINDOWS\system32\cftmonn.exe
C:\WINDOWS\system32\wincab.sys
Then click on ‘Execute’.
Your computer will be reloaded.
Step 4: disinfecting and protecting any flash drives connected to the system.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.
Please do so and allow the utility to clean up those drives as well. Wait until it has finished scanning and then exit the program. Reboot your computer when done.
Note1: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder. It will help protect your drives from future infection.
Note2: if you are still having problems with your PC, I would recommend that you follow the instructions - how to use Spyware Removal Forum.
Note3: Read more: How to disable the autorun feature to prevent malware from spreading.
May 26, 2008 on 5:24 am | In Trojan, Tutorials - HowTo | |Submit to: Digg | SlashDot | Del.icio.us
11 Comments »
RSS feed for comments on this post. TrackBack URI
Leave a comment
Previous Posts:
- How to remove AntispywareXP 2009
- Removal instructions for SpywareGuard2008
- How to remove PersonalAntispy malware
- How to remove VideoActiveXCodec malware
- How to remove rogue anti-spyware application eAntivirusPro
- How to remove VirusResponseLab
- How to remove rogue antispyware application Cleaner2009
- How to remove SpyDevastator
- How to remove Antispyware PRO XP
- How to remove XP Protector 2009
- How to remove System Antivirus 2008
- How to remove Smartantivirus2009
- How to remove Total Secure 2009
- MalwareBytes Anti-malware - free spyware, malware, trojan remover.
- How to remove Antivirus XP 2008 and tdssserv.sys trojan
- How to remove rogue antispyware: XP Guard, AntiVir64, MSAntivirus, Power Antivirus, SpywarePrevent, XpertAntivirus
- How to remove cnn.com and msnbc.com fake breaking news spam-virus and joke-bluescreen malware
- XLGuarder - fresh rogue antispyware | How to remove
- VirusRemover2008 - fake antispyware | How to remove
- Fresh rogue antispyware: WistaAntivirus, WinDefender, SpywareScanner2008
Forum posts:
- Removing CiD pop-ups
- Win:32KdCrypt(Cryp)
- Have a Joke-Bluescreen and XP Antivirus 2008 problem
- Adware and PUA - i need help
- Combofix Virus [W32.Scrapkut worm]
- Need help with antivirus spyware
- XP Antivirus 2008/2009, Malaware
- autorun malware removal
- Popup Problems
- xpsecuritycenter infection, as well as braviax
- Empty Device manager list = (apropos virus??)
- HijackThis log here, help please :) [ AntivirusXP ]
- False Pop-UPs Help
- Joke Bluescreen - HELP!!! [Antivirus XP]
- Windows Explorer closes by itself.
- prorat infection that doesnt go away
- Please help w/ Vundo
- Infected with Trojan.Vundo PLEASE HELP
- Infected with Zinaps7 virus. Hijackthis log included.
- Bifrose detected, what to do? using combofix?
Categories:
- Pop-Up Blockers and Firewalls (rss) (5)
- Adware (rss) (10)
- Anti Virus Software (rss) (11)
- Best Programs (rss) (6)
- Browser Hijacking (rss) (14)
- Critical patch (rss) (22)
- Exploits & Vulnerabilities (rss) (58)
- FAQ (rss) (8)
- Free Software (rss) (65)
- Identity Theft (rss) (8)
- Internet Browsers and Mail and News readers (rss) (12)
- Linux (rss) (4)
- Malware (rss) (11)
- Online Scanners (rss) (11)
- Phishing (rss) (2)
- Rogue Anti Spyware (rss) (60)
- Rookit (rss) (3)
- spyware (rss) (3)
- Spyware protection and removal (rss) (79)
- Tips (rss) (80)
- Trojan (rss) (37)
- Tutorials - HowTo (rss) (85)
- Updates (rss) (16)
- Virus (rss) (20)
- Worms (rss) (14)
Archives:
- October 2008 (3)
- September 2008 (10)
- August 2008 (5)
- July 2008 (3)
- June 2008 (4)
- May 2008 (5)
- April 2008 (1)
- March 2008 (4)
- February 2008 (3)
- January 2008 (2)
- December 2007 (7)
- November 2007 (27)
- October 2007 (4)
- July 2007 (2)
- June 2007 (3)
- April 2007 (1)
- March 2007 (6)
- February 2007 (6)
- December 2006 (1)
- November 2006 (2)
- October 2006 (7)
- September 2006 (2)
- August 2006 (10)
- July 2006 (7)
- June 2006 (22)
- May 2006 (18)
- April 2006 (12)
- March 2006 (24)
- February 2006 (33)
- January 2006 (52)
- December 2005 (50)
- November 2005 (66)
Blogroll
- PC Tips
- Sans Org - Internet Storm Center
- Spyware RU
- Sun Belt Blog
Help Us:
- MyAntiSpyware needs your support. Please make link from your site to us.
Use the button:
Bookmark Us:
MY ANTI SPYWARE Powered by WordPress with Pool theme design by Borja Fernandez.
Entries and comments feeds.
Valid XHTML and CSS. ^Top^
It is very much pleasing that you have floated free virus removal tools which are very much effective. God may bless you and give more opportinuties to serve the humenity in a more better way. Thanks.
Comment by Malik Akram — August 14, 2008 #
Iam very great thankful to you fro providing these
virus removal tools,it is working perfectly for my
problem,Thanks a lot .
Comment by adithya — August 17, 2008 #
this is helpful alright but got virus ….detected: virus Heur.Invader (modification) URL: download.bleepingcomputer.com/sUBs/ComboFix.exe//PE_Patch.UPX//327882R2FWJFW/catchme.cfexe//PE_Patch.UPX
..
Comment by wesaxis — August 17, 2008 #
it`s false alert
Comment by Patrik — August 20, 2008 #
if the problem is just to get rid of autorun.inf worm, do I have to do steps 1 to 4 or can i just do step 1. thanks.
Comment by Sandy — September 5, 2008 #
If the problem of my pc and flashdrive is the presence of autorun.inf do I still need to do steps 1 to 4 or can I just do steps 1 and 4. Thanks.
Comment by Sandy — September 5, 2008 #
When I had the autorun.inf worm in the PC system, I could no longer use Yahoo Messenger. Will it help if I uninstall Yahoo MS and download another Yahoo MS? Thanks.
Comment by Sandy — September 5, 2008 #
Minimum do steps: 1,2 and 4.
Yes, uninstall, donwload a fresh Yahoo MS and install it.
Comment by Patrik — September 5, 2008 #
it worked well for me buddy. Thnx for the valuble service. I appreciate it.
Comment by srivenu paturi — September 13, 2008 #
Hi again! My kids classmate used a flashdrive in our PC that has redtube virus. Now each time we used the Explorer we see the pornographic site redtube.com. How can we fix this problem without affecting our files? Thanks.
Comment by Sandy — September 15, 2008 #
Please try Flash_Disinfector.exe by sUBs(read above, how to use it), if you are still having problems with your PC, I would recommend that you follow these instructions.
Comment by Patrik — September 15, 2008 #