
How to Remove Autorun Virus

By Zolkiflee M S
zolkiflee@yahoo.com

Preface
Not all computer users are aware of virus attacks on their systems, because they do not make an effort to protect their systems from being infected by computer viruses.
With the wide use of thumbdrives and external hard disks, one would not realise that a virus, worm or trojan is embedded in the system until something weird happens.
I take this opportunity to share what I have learned in solving current virus problems.

The system
Before I proceed with the steps to remove the autorun virus, let's think back to who uses your computer or laptop. Take note of these users, yourself included, and the mobile devices that they use.
Thumbdrives, external hard disks and mobile phone memory cards are carriers of trojan viruses.

Even with a strong antivirus on your system, it would not detect the presence of the core file that executes these viruses, because your antivirus program will only start when Windows starts and executes all the .ini files. Your antivirus program will only detect and kill the worm virus called autorun.inf or others like secret.exe, but it will not detect other files like 9.cmd or kavo.exe, or maybe files using a name such as nmoho.bat.

Symptoms
The first thing to take note of is whether your system can display hidden files and folders. The core virus file will disable your View Hidden File option.

To display Hidden File
1. Click on My Computer
2. Click on C: Drive
3. From the menu Tools click on Folder Options
4. Select the View tab
5. Look for the section Hidden Files And Folders
6. The default selection would be Do Not Show Hidden File And Folder
7. Click on the selector Display Hidden File And Folder
8. Click the boxes to remove the selection on Hide Extension and Hide Protected
9. Click Ok
10. If your system is not infected, new files will be displayed in your C: drive, such as AUTOEXEC.BAT boot.ini CONFIG.SYS IO.SYS MSDOS.SYS NTDETECT.COM ntldr pagefile.sys
11. If you do see any of these files, repeat step 4 to step 6
12. If the default is still similar to step 6, this means your system is infected

How to remove
1. Shut down your system
2. Disconnect from any mobile device, networking and internet connection.
3. Restart your system while pressing the F8 button on your keyboard until it displays a menu that gives you the selection to start Windows.
4. You should be seeing the following start menu
a. Start in safe mode
b. Start in safe mode with networking
c. Start in safe mode with command prompt
5. Use your up arrow key to select Start In Safe Mode With Command Prompt
6. Once Windows starts it will display the screen below

7. At this point you have to use DOS commands to operate

8. Type the following at the prompt
a) CD\WINDOWS\SYSTEM32 and press Enter. This is to change directory to windows\system32
b) DIR /A:H and press Enter. This is to display all hidden files
d) Take note of any file with the extension .exe, .cmd or .dll, such as 9.cmd, kavo.exe, ckvo.exe, ckvo0.dll, nmsogt.exe
e) If you see any of the files above, which are not related to Windows, or the date shown beside these files is a recent date, then these files are the culprit. These files are hidden and write-protected
f) You need to remove the hidden attribute first before deleting, by typing the following command:
g) ATTRIB KAVO.EXE -H -R -S this is to change the attributes
h) DEL KAVO.EXE this is to delete the file.
i) Repeat steps g) and h) above for the other files to be deleted. Make sure you delete only the suspected files.
j) Repeat step b) above to make sure the suspected files are deleted permanently.

9. The next step is to go to the root directory of your C: drive
a) Type the command CD\ and press Enter. You will see this on your screen: c:\>_
10. Type in DIR /A:H and press Enter
11. If your system is infected you will see these files: 9.cmd, autorun.inf, ckvo.exe
12. You have to change the attributes and delete these files like you did in 8(g) to 8(j) above.
13. If you have a D: drive, you have to do the same thing as you did for your C: drive
14. To change to your D: drive, type the command D: and repeat steps 8(g) to 8(j) above.
15. You can check your thumbdrive at this stage if you remember the drive letter used when you insert your thumbdrive or memory cards.
16. If the drive letter for your thumbdrive is F or G or H, type the command F: or G: or H: to change to that particular drive and repeat steps 8(g) to 8(j) above.
17. WARNING: DO NOT DELETE THE FOLLOWING IN YOUR C: DRIVE
Directory of C:\
boot.ini
IO.SYS
MSDOS.SYS
NTDETECT.COM
ntldr
pagefile.sys
<DIR> RECYCLER
<DIR> System Volume Information

18. The next step is to restart your system by typing:
SHUTDOWN -R
19. Let Windows start normally and do not connect to your network or the internet. The reason is that your explorer.exe might also be the main cause of the virus infection.
20. Once Windows starts, go to your START menu and select RUN
21. Type in REGEDIT and click OK
22. You will see this screen

23. Please be careful: do not simply delete or change any parameters
24. Make sure the item HKEY_LOCAL_MACHINE is selected; if not, please click once to select it
25. From the menu Edit select Find. In the box that appears type in Showall and click the Find Next button
26. You will see this screen

27. Double-click on the item CheckedValue
28. In the box Value Data type in the figure 1 and press OK
29. Click on the menu File and Exit
30. Double-click on My Computer and double-click your C: drive
31. From the menu Tools click on Folder Options
32. Select the View tab
33. Look for the section Hidden Files And Folders
34. The default selection would be Do Not Show Hidden File And Folder
35. Click on the selector Display Hidden File And Folder
36. Click the boxes to remove the selection on Hide Extension and Hide Protected
37. Click Ok
38. If your system is not infected, new files will be displayed in your C: drive, such as AUTOEXEC.BAT boot.ini CONFIG.SYS IO.SYS MSDOS.SYS NTDETECT.COM ntldr pagefile.sys

39. If you succeeded to this stage, and are able to display all the hidden and system files, you are cool.
40. Now what you have to do is scan your hard disk using your antivirus program. Again, do not connect to the internet until you have completed the virus scanning.
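
The checks from steps 8 to 16 (hidden files in SYSTEM32 and in each drive root) and steps 24 to 28 (the Showall CheckedValue) can be collected into one read-only script. This is an added example, not part of the original guide; it assumes a normally booted Windows with PowerShell 3.0 or later, the full registry path is the standard location of the Showall key (the guide finds it by search), and the names Get-HiddenCandidate, $extensions and $keep are this example's own.

```powershell
# Read-only triage for the manual checks in this guide: it lists, it never deletes.
# Assumed names: Get-HiddenCandidate, $extensions, $keep (this example's own).

# Extensions of the file names the guide mentions
# (9.cmd, kavo.exe, ckvo0.dll, nmoho.bat, autorun.inf)
$extensions = '.exe', '.cmd', '.dll', '.bat', '.inf'
# Root files the guide lists as normal or not to be deleted (steps 10 and 17)
$keep = 'AUTOEXEC.BAT', 'boot.ini', 'CONFIG.SYS', 'IO.SYS', 'MSDOS.SYS',
        'NTDETECT.COM', 'ntldr', 'pagefile.sys'

function Get-HiddenCandidate {
    param([Parameter(Mandatory)][string]$Path)
    # -Force makes hidden and system files visible, like DIR /A:H
    Get-ChildItem -LiteralPath $Path -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($extensions -contains $_.Extension) -and
            ($keep -notcontains $_.Name)
        } |
        Sort-Object LastWriteTime -Descending |      # newest first, per step 8(e)
        Select-Object FullName, LastWriteTime, Attributes
}

# Steps 8 to 16: SYSTEM32 plus the root of every lettered drive (C:, D:, thumbdrives)
$paths = @(Join-Path $env:SystemRoot 'System32')
$paths += Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    ForEach-Object { $_.Root }
$found = foreach ($p in $paths) { Get-HiddenCandidate -Path $p }
if ($found) { $found | Format-Table -AutoSize }
else { 'No hidden .exe/.cmd/.dll/.bat/.inf files found in the checked locations.' }

# Steps 24 to 28: the guide sets the Showall CheckedValue to 1
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$value = (Get-ItemProperty -Path $key -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($value -eq 1) { 'CheckedValue is 1 (normal).' }
else { "CheckedValue is '$value'; the guide sets it to 1 in step 28." }
```

The script only reports candidates; deciding which of them are the suspected files, and removing them with ATTRIB and DEL, stays a manual step as in 8(g) to 8(j).
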
PRECAUTIONS
Before inserting any thumbdrive that you are not sure is free from viruses, scan it first by starting your system using Safe Mode With Command Prompt. Display the content of the thumbdrive using the command DIR /A:H and remove the autorun.inf and any suspected virus file.

After scanning your hard disk for virus-infected files, if you find that your file explorer.exe is not infected, you can proceed to connect to the internet; if explorer.exe is infected, heal it first or move it to the vault.

OK fellas, good luck in your scanning.
