Fix for “uncurable” virus – but…
Hey guys & gals,
Loads of you have got the “uncurable” virus, which, if you use Norton Anti-Virus, Symantec Anti-Virus, or Kaspersky – it’ll delete some crucial stuff, which will cause your computer NOT to be able to login (i.e., after you log in, it logs you off immediately).
Here’re the details – your thumbdrive is stuck with an auto.exe file, and you’ve autorun.inf all over the place.. It hides itself as a System folder, and.. well, nothing removes it, not even HijackThis, nor Autoruns, nor any anti-virus – since it’s polymorphic.
I honestly believe this virus *is* part of an organization – probably Government, even… which government? That’s not for me to state. It has super clean code, and a sophisticated spreading/hooking mechanism……. shows proper planning for the whole process
Sounds familiar, eh? Well.. there’s a cure, but I want your input:
How much, if any, are you willing to *PAY* for it – if a GUARANTEED FIX IS ENSURED? Since, technically speaking, very, very, very, very few technicians will EVER be able to fix it. You might wish to try any repair store you know, or any Helpdesk/service centre – they’ll tell you to reformat, reinstall Windows, and charge you almost a hundred bucks.
Your call.
(PS: If by popular demand, it’d rather be free, I’ll release it for free, too)
NOD32 seems to be able to fix the problem and able to log-in unlike Symantec.
I have no idea if mine’s a virus or anything like that, I have an auto.exe in every single one of my hard disks but only one autorun.inf folder in my C drive. When I open up my C drive everything is fine, but when I open my other disks, they will open in a new window and close the My Computer window.
If you have the time perhaps u could take a look at these files and tell me what they are? They are all of the auto.exe and autorun.inf I could find in my computer http://mihd.net/hxo1n3
come on!
it shouldn’t be free if very FEW people can fix this damn thing.
at least let him earn a few bucks T_T
To manually remove it, follow the following steps (These are the steps I took to repair my computer from the same virus that you are facing.)
1. Boot your system in Safemode
2. Go to command prompt, in Drive C do the following commands.
3. Type -> ATTRIB -H -R -S AUTORUN.INF then press enter
4. Type -> DEL AUTORUN.INF then press enter
5. Type -> ATTRIB -H -R -S Recycled then press enter
6. In Windows Explorer in Safemode, remove the folder Recycled in drive C use Shift-Delete to delete the folder.
7. Repeat Step 3 to 6 for all drives of your system including the USB drive.
Actually there’s no need to buy any fix ma because the ‘incurable’ isn’t that incurable after all.
But before we start, make sure that you disable your anti-virus before you do anything, and make sure it’s disabled for good until you have finished step 7.
Also make sure you are NOT connected to internet during this whole process. When you are ready, proceed on by following step 1.
1. Disable all your anti-virus software (AVG or whatever) and make sure it doesn’t run.
2. Download SD Fix @ http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
& Download combo fix @
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save both applications to C drive first because we will need them later.
3. Now restart and boot into safe mode (keep pressing F8 at startup)
4. After you boot into safe mode, extract SDfix out and run the software by double clicking ‘RunThis.cmd’. After you are done, let it auto-run itself , after the runthis.cmd is done, you have to restart your computer into the normal windows XP mode.
5. After the system restarts, fixtool will run itself again and remove all trojan services and registry entries that are invalid.
6. Once you boot into windows properly, run your combofix now and please do not click anything or open any program. Just let it run by itself. (Before opening combofix please ensure you are not connected to internet and anti-virus is disabled)
7. When combofix is done(takes abt 10 mins), re-enable your anti-virus. It should work fine now (:
Hehehe. Go on.. try those methods above
By the way, Eclipse-Sama: chiobu.net.. is my domain. If you’re interested in getting a *real* account there, can drop me an email. I’m looking for someone to share it
Also, if got coders around… I’ll pass you the info and code you need to fix it.. Just don’t have the time to compile & test. If you need hardware and a working space (aka office) I can supply also.
Email’s hot_wired13[at]hotmail.com.
dheaven: No la, it’s not just about the few bucks.. I make more than I can spend in a month
Just wanna test market.. see people willing to pay or not.
@Eclipse-Sama: I did try ur method before at the start, but nope, this virus seems to overcome it easily.. Haha..
just wanted to say thanks! i will donate soon as my paypal account comes on.(3 days) and i thank you for making it free for everyone. this kinda thing just sucks and you really do rock for doing this! thank you thank you thank you!
nyaweh———noah
i don’t know if what i have is this virus.. i got it over msn via a picture file i ran my anti virus but it came up that my computer is clean. im getting really frustrated on how to get rid of it… cuz this week sucks hairy balls (but that’s another story) and i can’t seem to do anything to get rid of it. can someone please help me.
does the method above really work?
Since kelvin hasn’t come out with the fix yet, trying the methods specified has no harm and you have nothing to lose either.
But backup everything properly in case something cocks up.
rahh.. when will the poll end? and this auto.exe and autorun.inf really caused my comp to not allow me to reveal hidden files.. this holidays really sucks. even my friends all got the stupid virus lah. my worst detection for this virus was 30 cases.. and i thought 3 weeks was short.
It should remain FREE!, however you should emphasize more that donations are appreciated.
anyone can share with me how to fix it on my psp??
oh my oh my…
when will de fix be released for de auto logoff???
i dun wanna go helpdesk everyday to repair moi windows…
and i will be having moi ut once de sch reopens…
HELP!!!
=(
I have a problem, my com go in to any Logging in web ,
example,
friendster.com
facebook.com etc
Other than that the NET IS PERFECTLY FINE
what’s wrong? anyone care to shed some light?
** cant go into any “logging” in web” **
I support the idea of paying, it’s a token of appreciation rather than a reward. $10 bucks wud be great man
Hey, my com has this virus win32.cd where i cannot access my thumbdrive. Some of my friends cant access C: drive
yea some program found on some online security forum fixed it for me after running!
really are weird eh ….. I was wondering what the hell is this blog message for to get yourself well known … Gain Fame… get a name for yourself blah….. forget it eh….
Those who are looking for solution…..
email me : rxs2k5@gmail.com….
We can have a little chat about fixing it…
for free
Think this autorun.inf has “evolved” into something else, now auto.exe, info.exe, recycled.exe and others have been popping out. and that even when removed using CMD, attrib, will only remove it until your next computer restart. need advice on how to remove it.
Till then.
i agree with Shaun Wang, and btw kelvin is not the only smart ass ard, he is just another geek trying to gain fame! >>>why did u ever start his POLL? <<<<
If u had the intention of helping people u would have released a tweak a loooooooooooooooooooooooonnnnnnnnnnnnnnnngggggggggggggg time ago, but it seems otherwise,
Thanks shaun wang for helping me solve the problem , autorun.inf and info.exe is no more … for free
why are people so ungrateful, when he found a cure, all u all do is thank him, when he is too busy to fix whatever virus u all have, u all say such bad things abt people.so sad.
There is another virus which is in the form of recycled (info.exe). It cannot be detected by commercial anti-virus.
It creates
- %Windir%\Config\Svchost.exe (Virus.Win32.AutoRun.aim)
- %Windir%\Config\System.exe (Virus.Win32.AutoRun.aim)
- %Windir%\System.exe
- Recycled (in all drives)
The only problem i cant solve is that the “hide known operating system files (recommended) ” cannot be shown after the virus is deleted. Used combo fix also no use.
The only temporary method is attrib -s -h C:\*.*
Hope this helps. Thnx Kelvin for the fix for auto.exe
Haiz…. kelvin is not as bad as wad you all think… ai yo… see la now he withdrawing to release public fixes… you all too haix.. kelvin is not just anyguy who wans to gain fame or wad… see how much he has done for republicans
I seriously think you all should think of being grateful rather than being so unreasonable.
yup, totally agree with reuel. he has done LOTS of fixing of computers and virus for SO MANY REPUBLICANS and people outside. I really do think that we should appreciate it and say hi or thank u to him when we see him around in sch. I guess those ungrateful people do not know how much time is wasted on fixing viruses and it is NOT EASY to fix a virus. APPRECIATE PEOPLEE =)
LOL… so fast got reply… hahaha LL… anyway i think society nowadays see things only in the negative view, perhaps we should reconsider looking things in a positive view so that everyone benefits from it… Peeps out there please consider my comment and i really hope things like that will be a lesson learnt.
When there are no learning for a day
You have wasted that very single day
- Reuel -
Kelvin.. Now the auto.exe has “mutated” itself . System.exe is no longer present.
Will try to find out the problem and post it here
for that, i would really say, you guys are really bad, kelvin dun gain fame. no bootlicking here. i haven’t seen this guy *kelvin*, nor heard much of him around, but from this web, i would give all the salutes i have to him. he’s good, one word to say.
My friends have made good use of his “msn proxy” and stuff. Thumbdrive immunize *in the past* and even had fun playing with webcams. Without him, there aint much fun.
Comments on ur uncurable virus fix, thanks a lot on it. It helps a lot
erm kelvin ~
is there anyway to trace the “seed” of the file?…
like i get tis virus fjuyqnsa.dll … but whenever i deleted it, it returns once I click on C: / D: / all drives. ..
any help plz?
thanks x.x
Hide ~ fjuyqnsa.dll is a “Trojan-PSW.Win32.OnLineGames.obb” variant. If i am not wrong, there should be a copy of an autorun in your C and D drive. Open the autorun.inf using notepad and see the extension.
Download Eset Nod32 from http://www.eset.com and delete the virus =DD
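The check suggested in the comment above (open autorun.inf and look at what it points to), written as a script; this is an added example, not part of the original post or comments. The names `parse_autorun`, `suspicious_targets` and `EXEC_EXTS` are hypothetical, and the sample file content is constructed.

```python
import ntpath
import re

# Extensions treated as "runs code" for triage; this list is an assumption.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# autorun.inf keys whose value is a command that Windows may launch.
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

# Constructed sample for illustration, not taken from an infected drive.
SAMPLE = r"""
; junk comment line
[AutoRun]
open=auto.exe
shell\open\Command=auto.exe
shell\explore\command="Recycled\info.exe" -e
icon=folder.ico
"""

def first_token(value):
    """Return the program part of a command line, honouring double quotes."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split()[0] if value else ""

def parse_autorun(text):
    """List every launch command found in the [autorun] section."""
    findings, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue                      # other section, or padding junk
        key, _, value = line.partition("=")
        key = key.strip().lower()         # keys are case-insensitive
        if not COMMAND_KEY.match(key):
            continue                      # icon=, label= and similar
        target = first_token(value)
        ext = ntpath.splitext(target)[1].lower()
        findings.append({"key": key, "target": target,
                         "executable": ext in EXEC_EXTS})
    return findings

def suspicious_targets(text):
    """Unique launch targets whose extension is in EXEC_EXTS."""
    return sorted({f["target"].lower()
                   for f in parse_autorun(text) if f["executable"]})

if __name__ == "__main__":
    for f in parse_autorun(SAMPLE):
        print(f["key"], "->", f["target"], "(executable)" if f["executable"] else "")
```

Read the file from a mounted copy or from Safe Mode and feed its text to `parse_autorun`; the targets it reports are the files to inspect before deleting anything.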
cool ~ tnx xD … woolala … trial ver. though lol …
opsi wrong name lOL … tt above one was mine ~ =X
Kelvin don’t know shit, just wants attention LOL True techies share their knowledge, not make a buck. That’s what a real job is for, not posting polls asking if anyone will pay for his non-existent fix.
Liar: yep, i don’t know shit. so fuck off, don’t use my site, alright?
– my site costs MONEY to sustain, it costs BANDWIDTH, and your post takes up BYTES (or maybe even kilobytes) of my server space.
have a great day, kid. oh, and yes, true kids don’t pay the MRT fare, too because they’re under 0.9metres…. are you? “That’s what a real kid does, not bitching about a person in that person’s OWN blog”.
i have this thing everytime i scan my laptop…win32.worm.autorun…it seems that i cant remove it…how to remove it???HELP ME!!!I DON WANNA GO IT HELPDESK AND REFORMAT MY LAPTOP!!!-.-”…kelvin help!!!
barbar: drop me a msn message at hot_wired13[at]hotmail.com
[b]SDFix: Version 1.199 [/b]
Run by adriano naves on seg 30/06/2008 at 21:29
Microsoft Windows XP [versão 5.1.2600]
Running From: C:\DOCUME~1\ADRIAN~1\Desktop\SDFix
[b]Checking Services [/b]:
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
[b]Checking Files [/b]:
Trojan Files Found:
C:\WINDOWS\system32\blackster.scr – Deleted
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista – rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 21:34:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden services & system hive …
scanning hidden registry entries …
scanning hidden files …
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
“%windir%\\system32\\sessmgr.exe”=”%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019″
“C:\\Arquivos de programas\\uTorrent\\uTorrent.exe”=”C:\\Arquivos de programas\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent”
“C:\\Arquivos de programas\\Valve\\hl.exe”=”C:\\Arquivos de programas\\Valve\\hl.exe:*:Enabled:Half-Life Launcher”
“C:\\Program Files\\Bluehell Productions\\Red Alert – A Path Beyond\\renalert.exe”=”C:\\Program Files\\Bluehell Productions\\Red Alert – A Path Beyond\\renalert.exe:*:Enabled:Renegade”
“C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe”=”C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer”
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=”%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000″
“C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe”=”C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)”
“C:\\WINDOWS\\system32\\dpvsetup.exe”=”C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test”
“C:\\WINDOWS\\system32\\rundll32.exe”=”C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Executa uma DLL como um aplicativo”
“C:\\Arquivos de programas\\Megacubo\\bin\\minifly.exe”=”C:\\Arquivos de programas\\Megacubo\\bin\\minifly.exe:*:Enabled:MiniFly”
“C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe”=”C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour”
“C:\\Arquivos de programas\\Valve\\hlds.exe”=”C:\\Arquivos de programas\\Valve\\hlds.exe:*:Enabled:HLDS Launcher”
“C:\\Arquivos de programas\\Arquivos comuns\\Nero\\Nero Web\\SetupX.exe”=”C:\\Arquivos de programas\\Arquivos comuns\\Nero\\Nero Web\\SetupX.exe:*:Enabled:Nero ControlCenter”
“C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe”=”C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger”
“C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe”=”C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Messenger (Phone)”
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
“%windir%\\system32\\sessmgr.exe”=”%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019″
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=”%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000″
“C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe”=”C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)”
“C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe”=”C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger”
“C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe”=”C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Messenger (Phone)”
[b]Remaining Files [/b]:
File Backups: – C:\DOCUME~1\ADRIAN~1\Desktop\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
Mon 23 Jun 2008 24 ..SH. — “C:\WINDOWS\SFE70518A.tmp”
Fri 27 Jun 2008 88 ..SHR — “C:\Documents and Settings\All Users\Dados de aplicativos\2CF270BC7D.sys”
Fri 27 Jun 2008 2,516 A.SH. — “C:\Documents and Settings\All Users\Dados de aplicativos\KGyGaAvL.sys”
Mon 22 Jul 2002 418,816 …HR — “C:\WINDOWS\system32\Tools\All.exe”
Fri 19 Jul 2002 390,144 …HR — “C:\WINDOWS\system32\Tools\Change.exe”
Fri 19 Jul 2002 574,464 …HR — “C:\WINDOWS\system32\Tools\CheckPath.exe”
Tue 20 Aug 2002 430,592 …HR — “C:\WINDOWS\system32\Tools\Counter.exe”
Tue 23 Jul 2002 390,656 …HR — “C:\WINDOWS\system32\Tools\DelFolders.exe”
Fri 22 Nov 2002 399,872 …HR — “C:\WINDOWS\system32\Tools\DirectSetup.exe”
Fri 19 Jul 2002 388,096 …HR — “C:\WINDOWS\system32\Tools\RegClean.exe”
Fri 19 Jul 2002 388,608 …HR — “C:\WINDOWS\system32\Tools\Regexe.exe”
Mon 2 Dec 2002 431,616 …HR — “C:\WINDOWS\system32\Tools\Restart.exe”
Fri 19 Jul 2002 388,096 …HR — “C:\WINDOWS\system32\Tools\RunRegexe.exe”
Fri 11 Apr 2008 0 A.SH. — “C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp”
Sun 29 Jun 2008 0 A..H. — “C:\WINDOWS\SoftwareDistribution\Downloada67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT3.tmp”
Sun 29 Jun 2008 0 A..H. — “C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT2.tmp”
Sun 29 Jun 2008 0 A..H. — “C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT6.tmp”
Sun 29 Jun 2008 0 A..H. — “C:\WINDOWS\SoftwareDistribution\Download\b2278ac3b8a7d329217f0fb7c7d9ee91\BIT7.tmp”
Sun 29 Jun 2008 0 A..H. — “C:\WINDOWS\SoftwareDistribution\Download\cacdd1fedba0fe9a5b113a33f1a018a0\BIT4.tmp”
Sun 29 Jun 2008 0 A..H. — “C:\WINDOWS\SoftwareDistribution\Download\f27fd20411af7f646de7b03ed7660aa5\BIT5.tmp”
[b]Finished![/b]
You should definitely find a better job… actually that was pretty well written
I hate svchost sometimes btw.