How to remove Trojan that uses an autorun.inf file

Posted: February 20, 2008 in Beware, Computer Related, Tweaks
Lately we discovered a new Trojan/virus that uses autorun.inf to infect other drives. Most of the time it infects any removable media (external HDD or flash drive) connected to the infected unit. You will not notice it, since the script runs at startup.

Note: This procedure applies to any Trojan/virus that uses a .inf file; this example uses “hbq.exe”.

Here is how you can get rid of them:

– Open Task Manager and, in the Processes tab, end the explorer.exe and wscript.exe processes.

– Open File –> New Task (Run) in Task Manager.

– Type cmd and hit Enter.

– Type

del /a:h /f c:\autorun.*

If you have multiple drives/partitions, repeat this step for each one, replacing “C:” with the appropriate drive letter.

– Go to your Windows\System32 directory by typing cd c:\windows\system32

– Type dir /a:h hbq*.*

– If you see any files named hbq0.dll or hbq0.exe or hbo.exe, use

del /a:h /f hbq*.exe
del /a:h /f hbq*.dll

to delete them.

– Open File –> New Task (Run) in Task Manager and type regedit.

– Navigate to:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If there are any entries for kxvo.exe, delete them. Also delete any suspicious items.

– Do a complete search of your registry for ntdelect.com, hbq.exe or kxvo.exe and delete any entries you find.

To restore the Folder Options (“Show hidden files & folders”) setting, navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

– Look at the “CheckedValue” entry. It should be a DWORD value. If it isn’t, delete it and create a new DWORD value called “CheckedValue” with a value of 1 (hexadecimal). The “Show hidden files & folders” check box should now work normally.
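
The registry checks from the steps above, run offline against a reg export file, as an added example (not part of the original post). It flags any value whose data mentions the file names the post lists and reports a “CheckedValue” that is not a DWORD of 1; the sample export, including the value name demo_entry, is constructed.

```python
import re

# Names the post says to search the registry for.
SUSPECT_NAMES = ("ntdelect.com", "hbq.exe", "kxvo.exe")
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL").lower()
# "name"=data or @=data (default value); names may contain escaped characters.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each value in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1) or "(Default)", m.group(2)

def audit(text):
    """Return findings as (kind, key, value_name, detail) tuples."""
    findings = []
    for key, name, data in parse_reg(text):
        for suspect in SUSPECT_NAMES:
            if suspect in data.lower():
                findings.append(("suspect_name", key, name, suspect))
        if key.lower() == SHOWALL_KEY and name.lower() == "checkedvalue":
            # The post: CheckedValue must be a DWORD with a value of 1.
            if data.lower() != "dword:00000001":
                findings.append(("bad_checkedvalue", key, name, data))
    return findings

# Constructed sample export (value names and paths are made up for the demo).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"demo_entry"="C:\\WINDOWS\\system32\\kxvo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"="0"
"Type"="radio"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Files written by reg export are UTF-16, so read them with open(path, encoding="utf-16") before passing the text to audit().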

NOTE: I also included a “Script Killer” in my download section for those very hard-to-kill autoruns and VBS scripts. You need WinRAR to extract these files.

Comments
  1. GATX105 says:

    Good, there’s a removal procedure. I’m having a big problem with this. hbq.exe makes or is related to ieso0.dl, kxvo.exe, fool0.dll and 0hq2fn.dll (looks like that). It was very stubborn. When you open a partition, flash drive etc., it copies itself to the temp dir, showing cy.dll and wiashext (can’t remember).

  2. thorsenine says:

    Another thing: try to open the autorun.inf using the TYPE command in the command prompt. Study the code, look for the .exe file, then after killing “explorer.exe” also kill that .exe file in Task Manager, in the Processes tab. Sometimes even if you delete all the related files, if you don’t end the process of that .exe, the virus will still come back… I experienced this with the “taga-Lipa Are!” virus…
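
thorsenine's suggestion above (read autorun.inf and find the program it launches), as an added example that is not part of the original comment thread. It parses the [autorun] section and returns the file names to look for in Task Manager; the sample file is constructed in the style of the post's hbq.exe example, and the folder name in it is made up.

```python
import re

# [autorun] keys whose value is a command Windows may run from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def launch_commands(inf_text):
    """Return the commands referenced by launch keys in the [autorun] section."""
    section, commands = None, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "autorun" and LAUNCH_KEY.match(key.strip()):
            commands.append(value.strip())
    return commands

def program_names(inf_text):
    """Return the unique file names to look for in Task Manager and on disk."""
    names = set()
    for cmd in launch_commands(inf_text):
        # A quoted path may contain spaces; otherwise the program is the first token.
        m = re.match(r'"([^"]+)"|(\S+)', cmd)
        if m:
            path = m.group(1) or m.group(2)
            names.add(re.split(r"[\\/]", path)[-1].lower())
    return sorted(names)

# Constructed sample: junk comment lines plus launch keys in the style of the
# post's hbq.exe example (file contents are made up for the demo).
SAMPLE = r"""
;xk29sLa0dkK2lAs
[AutoRun]
open=hbq.exe
;93kdLs0aKd
shell\open\Command=hbq.exe
shell\explore\Command="Some Folder\hbq.exe" /x
shellexecute=hbq.exe
label=USB DISK
"""

if __name__ == "__main__":
    print(program_names(SAMPLE))
```

The launched file does not have to end in .exe, so check whatever name the launch keys point at.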

  3. dave says:

    Once you know the name of the exe, just search the registry for it. I got rid of kavo.exe this way. Thanks for the help on this page!

  4. CIZ says:

    sources of this virus:
    a.) Local Internet cafes
    b.) Unauthorized Flash Drive access (this really pisses me)
    c.) Authorized Flash Drive access without scanning first.
    d.) Friend’s Computer during Networking hours.

    best prevention:

    Either:

    Freeze your system when in public access.

    -and-/-or-

    Never allow unauthorized flash drive
    connection to your system.

  5. luke says:

    i use spybvt in dealing with these pesky uhhhh!!! however, i think it cannot delete kxvo.exe

  6. thorsenine says:

    “i use spybvt in dealing with these pesky uhhhh!!! however, i think it cannot delete kxvo.exe”

    actually you can! just need to know the right procedure…

  7. gotchi says:

    this thing is so annoying! it’s infected a lot of my campus’ computers and many students’ flash drives

    i came across this and the Chinese/Taiwan kavo killer exe file managed to fix this really quickly and easily

    http://www.filination.com/tech/2007/11/29/kill-kavo-the-ntdelect-worm-trojan-removal-tool-patch/

    right now i’m having trouble getting rid of PSW.OnlineGames trojan >___<

  8. Doc_Jim says:

    thank you so much, thorsenine. removing the hidden autorun.inf was the last step in cleaning my computer which was infected by the ta2.cmd and avmo.exe virus. thanks

  9. cris says:

    its a big help to us to solve the related issue

  10. kira says:

    tnks for this procedure…i deleted kxvo.exe…and my YM is working just fine..tnks!!

  11. Jezreel Jariolne says:

    Hey, I’ve got another solution.. for example hbq.exe is in drive C: go to Start menu -> RUN -> type “CMD” (without asterisk) -> type “attrib -s -h -r C:\hbq.exe” (without asterisk) then press Enter, then type “Del C:\hbq.exe” <–you can apply these steps to any pests and apply other methods in undoing the damage done by the pests. -Jezreel

  12. Jezreel Jariolne says:

    Hey, is the webmaster here Filipino?

  13. Senio says:

    Thks a lot for this invaluable tip!!!

    But how do I ‘clean’ my infected flash drive after this??

  14. thorsenine says:

    Thanks for all the replies…

    @ gotchi
    Thanks for the link…

    @ Doc_Jim , cris & kira
    Welcome! After removing this “crap”, be sure to install a decent antivirus (I prefer Kaspersky) and keep it updated…

    @ Jezreel Jariolne
    Yes, I’m Filipino… It’s just the same, but with a different approach…

    @ Senio
    After cleaning your PC, do the same procedure on your flash drive… using the command prompt, apply the same commands that you used in cleaning your PC…

  15. thorsenine says:

    Another blogger from WordPress also tackles this virus… Here is the link: http://andback.wordpress.com/2008/03/20/removing-the-flashdrive-autoruninf-virus-v13/

    Tnx sir andback!

  16. jopet of cebu says:

    Thanks for sharing your knowledge, thorsenine. I’ve wasted a lot of time searching for a solution to these malicious viruses…
    It’s really a big help to our company.
    Thanks a lot.

  17. thorsenine says:

    NOTE: I Also included a “Script Killer” in my download section for those very hard kill autoruns & vbs script. You need WinRar to extract these files

  18. mine says:

    Removing only the autorun.inf file is useless unless you delete the virus causing it, because the virus will put it back in its previous place after the file is deleted.
    The best way is to stop the virus first; after that you’re free to delete the autorun.inf file and the file associated with it.
    The best way to remove this file is to use USB FireWall at http://www.net-studio.org or USBDesinfector.
    There are also a number of fixes for this type of virus (avpo, kavo, kxvo, lmvo etc…) on this site.

  19. ching chua says:

    hi,can you help me how to remove the cy.dll windows virus and the kxvo virus tnx..

  20. reena says:

    my computer was infected with kxvo.exe. i did a virus scan and my comp seemed to work fine. i’m now able to view hidden files. but i’m still having a problem opening my flash drive. every time i click it, it’s asking me what program to use. any idea how to fix this? T_T

  21. W3nd_ says:

    It’s useless to just “provide” information on how to remove a virus or unwanted files if you don’t explain what you are doing, because if you explain, people will understand better and they will be able to solve major problems when presented in the future. For example, the command “attrib -h -s -a ” is used to remove the hidden (-h), system archive (-s) and archive (-a) properties of the file, just like when you right-click a file and see the properties; there you have the checkboxes for these options.

    Good luck on your next projects ^^

  22. thorsenine says:

    @ reena
    Try to erase a file named “autorun.inf”… if you can’t find it, try to enable “show hidden files” in the “Folder Option”.

    @ W3nd
    Noted! Thanx…

  23. wishbear says:

    Uhh… just a question: where is the download section of your blog located? I can’t seem to find it. I’m also having problems with the kxvo.exe/uulaqvl.cmd in one of our office computers and I’m going to try your solution ‘coz the one from TrendMicro doesn’t work (everything keeps coming back even if I erase the Registry entry this worm created)

  24. barbablues says:

    Thanks a lot…

  25. thorsenine says:

    @ wishbear
    The download section is the “box.net widget” on the right side of this blog… if you can’t see it, try installing the latest version of Flash Player…

    To all:
    I also added “Kaizer Killer” in my Download Section… this is a very handy utility against those “script-driven” viruses…

  26. cup says:

    hi. thanks dude! ur really a great help! i can now use my YM! after removing kxvo.exe from my pc. God bless! hope u guys not get tired of sharing all your knowledge! share your blessings! thanks!

  27. thorsenine says:

    @cup
    Later I’ll be also posting a trick or tweak on how to disable autorun…

  28. Sbr Khan Bangash says:

    Hello,

    Please acknowledge me the solution of my PC’s following problem:

    When I click on show all files then I cannot find the hidden files,

    Thanks for your help

  29. ak0n says:

    Use Super AntiSpyware, it’s freeware. Use it along with AntiVir antivirus, it’s also freeware. And last, use autorunkiller created by me. You can download it at http://www.ak0n.tk. It will erase all autorun.inf in all drives; after running, just reboot your system and it will work fine. Don’t forget also to use CCleaner to clean your PC.

    FREEWARE Rocks, Filipino Tops
    -Mitchelle V. dela Cruz (www.ak0n.tk)

  30. Nguyen Hoang says:

    Hello,
    I scan kxvo.exe with Avast antivirus in boot mode.But when i turn on my computer,IE6 is auto run with url:”c://.vbs”
    How can i fix it?

  31. crash says:

    Try this one … remove all your special viruses… http://martinperez.asia/2007/03/03/winning-the-fight-against-the-taga-lipa-are-virus/
    (made by a Filipino, awesome)

  32. Jezreel Jariolne says:

    http://jezreeljg.bravehost.com/image001.exe

    Please try it.. that’s a virus.. give your comments on how I can improve it.. or just anything.. thanks..

  33. Phantom says:

    Hey what’s up.
    Can you please help me get the download plugin that you have on the right side of this page. please

  34. Jezreel Jariolne says:

    http://www.jezreeljg.bravehost.com\image001.exe

    Please try it.. that’s a virus..
    Just tell me its weaknesses so that I can make a good antidote for it. Thanks..
    -jezreel

  35. Jezreel Jariolne says:

    http://www.jezreeljg.bravehost.comimage001.exe

    Please try it.. that’s a virus..
    Just tell me its weaknesses so that I can make a good antidote for it. Thanks..
    -jezreel

  36. DREW says:

    Yah right!!! The only thing you can do is use an antivirus with a license, updated through the internet, to prevent those viruses. Almost all antivirus I can get on the internet is freeware and some are not good at detecting. What is the best antivirus to use????

  37. Archie Andrada says:

    Dude, thanks for the help on your forum, and would you give some advice on how to create an anti-virus and what programs I should learn… could you also help me with creating my own website too…

  38. jun says:

    Thanks! The kavo killer is awesome! So good! It removed kxvo.exe and 9h.bat!

    I recommend the kavo killer to you all!

  39. sol says:

    MANY THANKS. nuff said.

  40. kimpoy says:

    Man, I just want to ask, because on my PC, when I open drive C: it closes when I go in and then opens again. Also, I have an autorun.inf on drive C:; when I delete it, it just comes back.
    Then a “Windows – No Disk” message appears.
    Thanks, man

  41. kimpoy says:

    Explore=Found.000\USB_Files.chk
    shellexecute=Found.000\USB_Files.chk
    shell\Explore\command=Found.000\USB_Files.chk
    Open=Found.000\USB_Files.chk
    shell\Open\command=Found.000\USB_Files.chk

    Help me on this, thanks bro

  42. thorsenine says:

    @ kimpoy

    I think you need a script killer… in my download area, download “noob.killer” and I hope it would help…

  43. mona says:

    there is no (wscript.exe) process in task manager to delete in my pc (win XP)…and when i typed (del /a:h /f c:\autorun.*) it says it cant find that file !!! so what should i do ? pls help me !

  44. Marian says:

    thanks this reaLly helps..:)

  45. Plain Jane says:

    I went to a copier shop to print my docs and unfortunately, all the folders in my thumb drive are corrupted with worms and trojans and cannot be opened! I seem to notice this “autorun.inf” under the quarantine list. My MCAFEE is only able to quarantine all my folders.. any idea on how to remove the virus but keep my files??

  46. Tyler says:

    Could Hbq.exe cause explorer.exe and taskmgr.exe to take up 100% CPU power?

  47. Thurein says:

    I have an autorun.inf file that I can’t delete, so how should I do that!
