How to remove Trojan that uses an autorun.inf file
We recently discovered a new Trojan/virus that uses autorun.inf to infect other drives. Most of the time it infects any removable media (external HDD or flash drive) connected to the infected unit. You will not notice it, since the script runs at startup.
Note: This procedure applies to any Trojan/virus that uses a .inf file; “hbq.exe” is used for this example.
Here is how you can get rid of them:
- Open Task Manager and, in the Processes tab, end the explorer.exe and wscript.exe processes
- Open up File –> New Task (Run) in the Task manager
- Type cmd and hit Enter
Type
del /a:h /f c:\autorun.*
If you have multiple drives/partitions, repeat this step for each of them, replacing “C:” with the appropriate drive letter.
- Go to your Windows\System32 directory by typing cd c:\windows\system32
Type dir /a:h hbq*.*
- If you see any files named hbq0.dll or hbq0.exe or hbo.exe, use
Del /a:h /f avp*.exe
Del /a:h /f avp*.dll
to delete them.
- Open up File –> New Task (Run) in the Task manager, Type regedit
- Navigate to:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If there are any entries for kxvo.exe, delete them. Also delete all suspicious items.
- Do a complete search of your registry for ntdelect.com or hbq.exe or kxvo.exe and delete any entries you find.
- To restore the Folder Options (“Show hidden files & folders”) setting, navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- Look at the “CheckedValue” entry… This should be a DWORD value. If it isn’t, delete it. Create a new value called “CheckedValue” as a DWORD (hexadecimal) with a value of 1. The “Show hidden files & folders” check box should now work normally.
NOTE: I also included a “Script Killer” in my download section for those very hard-to-kill autoruns & VBS scripts. You need WinRAR to extract these files.
~ by Thorsenine on February 20, 2008.
Posted in Beware, Computer Related, Tweaks
Tags: Computer, Registry, Removal, Trojan, Tweak, Viruses
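
An autorun.inf names the program it starts, so reading the file before deleting it gives the file name to look for in the later steps. The following is an added example, not part of the original post: a small Python parser that lists the programs an autorun.inf would launch. The sample file content is constructed, and the function names are hypothetical.

```python
import re

# Keys in the [autorun] section that make Windows start a program.
DIRECT_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"shell\\[^\\]+\\command")

def program_of(value):
    """Return the program part of a command line, without its arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def launch_targets(text):
    """Map each program an autorun.inf would start to the keys naming it."""
    found = {}
    in_autorun = True  # tolerate pasted fragments that lack the header
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue  # other sections, comments and junk padding lines
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in DIRECT_KEYS or SHELL_COMMAND.fullmatch(key):
            target = program_of(value)
            if target:
                found.setdefault(target.lower(), []).append(key)
    return found

# Constructed sample, not taken from a real drive.
SAMPLE = r'''
[AutoRun]
;comment line
kq3Ld0 junk padding line
open=hbq.exe
shell\open\Command=hbq.exe
shell\explore\command="Found.000\USB_Files.chk" -x
shellexecute=Found.000\USB_Files.chk
icon=shell32.dll,4
'''

if __name__ == "__main__":
    for program, keys in launch_targets(SAMPLE).items():
        print(program, "<-", ", ".join(keys))
```

Each name it reports is a file to look for on the drive, in the process list and in the registry before the autorun.inf itself is deleted.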

good there’s a removal procedure. im having big prob with this. hbq.exe makes or is related to ieso0.dl, kxvo.exe, fool0.dll and 0hq2fn.dll (looks like that). it was very stubborn. when you open a partition, flash drive etc., it copies itself to temp dir showing cy.dll and wiashext (cant remember).
Another thing, try to open the autorun.inf using the TYPE command in the command prompt. Study the code, look for the .exe file, then after killing “explorer.exe” also kill that .exe file in Task Manager, in the Processes tab. Sometimes even if you delete all the related files, if you don’t end the process of that .exe, the virus will still come back… I experienced this with the “taga-Lipa Are!” virus…
once you know the name of the exe just search the registry for it, i got rid of kavo.exe this way. thanks for the help on this page!
sources of this virus:
a.) Local Internet cafes
b.) Unauthorized Flash Drive access (this really pisses me)
c.) Authorized Flash Drive access without scanning first.
d.) Friend’s Computer during Networking hours.
best prevention:
Either:
Freeze your system when in public access.
-and-/-or-
Never allow unauthorized flash drive
connection to your system.
i use spybvt in dealing with these pesky uhhhh!!! however, i think it cannot delete kxvo.exe
“i use spybvt in dealing with these pesky uhhhh!!! however, i think it cannot delete kxvo.exe”
actually you can! just need to know the right procedure…
this thing is so annoying! it’s infected a lot of my campus’ computers and many students’ flash drives
i came across this and the Chinese/Taiwan kavo killer exe file managed to fix this really quickly and easily
http://www.filination.com/tech/2007/11/29/kill-kavo-the-ntdelect-worm-trojan-removal-tool-patch/
right now i’m having trouble getting rid of PSW.OnlineGames trojan >___<
thank you so much, thorsenine. removing the hidden autorun.inf was the last step in cleaning my computer which was infected by the ta2.cmd and avmo.exe virus. thanks
its a big help to us to solve the related issue
tnks for this procedure…i deleted kxvo.exe…and my YM is working just fine..tnks!!
hey I’ve got another solution.. for example hbq.exe is in drive C: go to Start menu -> RUN -> type “CMD” (without asterisk) -> type “attrib -s -h -r C:\hbq.exe” (without asterisk) then press Enter, then type “Del C:\hbq.exe” <– you can apply these steps to any pests and apply other methods in undoing the damage done by the pests. -Jezreel
Hey, is the webmaster here Filipino?
Thks a lot for this invaluable tip!!!
But how do I ‘clean’ my infected flash drive after this??
Thank for all the replies…
@ gotchi
Tnx for the link…
@ Doc_Jim , cris & kira
Welcome! After removing these “crap” be sure to install a decent antivirus (I prefer Kaspersky), keep it updated…
@ Jezreel Jariolne
Yes, I’m Filipino… It’s just the same, but in a different approach…
@ Senio
after cleaning your PC, do the same procedure on your flash drive… using the command prompt, apply the same commands that you used in cleaning your PC…
Another blogger from WordPress also tackles this virus… Here is the link: http://andback.wordpress.com/2008/03/20/removing-the-flashdrive-autoruninf-virus-v13/
Tnx sir andback!
Thanx for sharing your knowledge thorsenine. i’ve wasted a lot of time searching for a solution to this malicious viruses…
it’s really a big help to our company.
thanx a lot.
NOTE: I Also included a “Script Killer” in my download section for those very hard kill autoruns & vbs script. You need WinRar to extract these files
Removing only the autorun.inf file is useless unless you delete the virus causing it because the virus will return it to its previous place after the deleting of the file.
The best way is to stop the virus first and after you’re free to delete the autorun.inf file and the file associated with it.
The best way to remove this file is to use USB FireWall at http://www.net-studio.org or USBDesinfector.
There are also number of fix to this type of virus (avpo, kavo, kxvo, lmvo etc…) in this site.
hi,can you help me how to remove the cy.dll windows virus and the kxvo virus tnx..
my computer was infected with kxvo.exe. i did a virus scan and my comp seemed to work fine. i’m now able to view hidden files. but i’m still having a problem opening my flash drive. every time i click it, it’s asking me what program to use. any idea how to fix this? T_T
it’s useless to just “provide” information on how to remove a virus or unwanted files if you don’t explain what you are doing, because if you explain, ppl will understand better and they will be able to solve major problems when presented in the future. for example, the command “attrib -h -s -a ” is used to remove the hidden (-h), system archive (-s) and archive (-a) properties of the file, just like when you right click a file and see the properties, there you have the checkboxes for these options.
good luck on your next projects ^^
@ reena
try to erase a file named “autorun.inf”… if you can’t find it, try to enable “show hidden files” in the “Folder Options”.
@ W3nd
Noted! Thanx…
uhh… just a question, where is the download section of your blog located? I can’t seem to find it. I’m also having problems with the kxvo.exe/uulaqvl.cmd in one of our office computers and I’m going to try your solution ‘coz the one from TrendMicro doesn’t work (everything keeps coming back even if I erase the Registry entry this worm created)
Thanks a lot…
@ wishbear
the download section is the “box.net widget” on the right side of this blog… if you can’t see it, try installing the latest version of Flash Player…
To all:
I also added “Kaizer Killer” in my Download Section… this is a very handy utility against those “script-driven” viruses…
hi. thanks dude! ur really a great help! i can now use my YM! after removing kxvo.exe from my pc. God bless! hope u guys not get tired of sharing all your knowledge! share your blessings! thanks!
@cup
Later I’ll be also posting a trick or tweak on how to disable autorun…
Hello,
Please let me know the solution to the following problem with my PC:
When I click on show all files, I cannot find the hidden files.
Thanks for you help
use super antispyware, it’s freeware. use it along with antivir antivirus, it’s also freeware. and last, use autorunkiller created by me. you can download it at http://www.ak0n.tk. it will erase all autorun.inf in all drives; after running, just reboot your system and it will work fine. don’t forget also to use ccleaner to clean your pc.
FREEWARE Rocks, Filipino Tops
-Mitchelle V. dela Cruz (www.ak0n.tk)
Hello,
I scanned kxvo.exe with Avast antivirus in boot mode. But when I turn on my computer, IE6 auto-runs with the URL: ”c://.vbs”
How can i fix it?
Try this one … remove all your special viruses… http://martinperez.asia/2007/03/03/winning-the-fight-against-the-taga-lipa-are-virus/
(made by a Filipino, cool)
http://jezreeljg.bravehost.com/image001.exe
please try it.. it’s a virus.. give your comments on how I can improve it.. or just anything.. thanks..
Hey what’s up.
Can you please help me get the download plugin that you have on the right side of this page. please
http://www.jezreeljg.bravehost.com\image001.exe
please try it.. it’s a virus..
just tell me its weaknesses so that I can make a good antidote for it. thanks..
-jezreel
Yah right!!! only you can do is a anti virus with a license and updated through internet to prevent that viruses. Almost all anti virus i can get in internet is freeware and some are not good to detect. what is th best anti virus to use????
dude thanks for the help on your forum and would you give some advise on how to create an anti-virus and what programs should I learn… could you also help me on creating my own website too…
thanks! the kavo killer is awesome! so good! it removed kxvo.exe and 9h.bat!
I recommend the kavo killer to you all!
MANY THANKS. nuff said.
Man, I just want to ask: on my PC, when I open drive C: it closes as I go in and then opens again. Also, I have an autorun.inf on drive C:; when I delete it, it just comes back.
Then a “Windows – No Disk” message appears.
thanks, man
Explore=Found.000\USB_Files.chk
shellexecute=Found.000\USB_Files.chk
shell\Explore\command=Found.000\USB_Files.chk
Open=Found.000\USB_Files.chk
shell\Open\command=Found.000\USB_Files.chk
help me on this tnx bro
@ kimpoy
I think you need a script killer… in my download area, download “noob.killer” and I hope it would help…
there is no (wscript.exe) process in task manager to delete in my pc (win XP)…and when i typed (del /a:h /f c:\autorun.*) it says it cant find that file !!! so what should i do ? pls help me !
thanks this reaLly helps..:)
I went to a copier shop to print my docs and unfortunately, all the folders in my thumb drive are corrupted with worms and trojans and cannot be opened! I seem to notice this “autorun.inf” under the quarantine list. My McAfee is only able to quarantine all my folders.. any idea on how to remove the virus but keep my files??