Вы находитесь на странице: 1из 4

Recently i noticed that quite of number visitor came to my blog view my

post 'how to disable autorun.inf to prevent virus attack computer ' .I don't
know either they want to get the preventive action or need to find the
solution that computer infected by autorun virus.Here i will conclude my
solution or method to help all of you.(i use this solution help my friend to
'kill' these virus and worked).

1 - Disable system restore.


step 1 - Click 'Control Panel' -> 'System',
step 2 - Select 'system restore',then put check for 'turn off system store on
all devices'.

2 - Clear IE temporary internet files.


step 1 - In IE,select 'Tool' -> 'internet option',
step 2 - In internet temporary file,select 'delete file' -> check for 'delete all
offline content'.,then click 'ok'.

3 - Disk clean up.


step 1 - 'Start' ->'All Program' ->'Accessories' ->'System Tool' ->'Disk
cleanup',
step 2 - Select C drive and click 'ok'.then starting C drive cleanup.
step 3 - After complete disk cleanup,put check to all file and click 'ok'.
step 4 - Repeat step 2 to step 3 for other drive ( D,E,F...) to have disk
cleanup.

Now all the temporary internet files clean up already.Normally autorun virus
are caused by flash memory or other removable devices to transfer,save
file from one computer to another computer,these autorun virus have three
execute file,kavo.exe,autorun.inf and ntdelect.com .

These 3 files all are hidden files,they will disable or hidden your folder
option 'show hidden files and folder' and make you can't run in 'show
hidden files and folder',then you can't search for these 3 files in window
and deleted it (very clever,isn't ?).

How to showed these 3 files in window ?you have to use DOS


command.Below are the step to show you how to delete autorun virus.

step 1 - Click 'Start' -> 'Run' ->key in 'cmd',then 'Enter',it will show
command prompt,
step 2 - Check every drive (C,D,E,...).If you wanted to check the Cdrive,
key in dir c:\ /a/w in command prompt.

If for drive D,key in


dir d:\ /a/w

step 3 - All the system and exe.files will show up in the command
prompt,please check is there any autorun.inf and ntdeleted.com
inside.Before delete these 2 files.we need to disable 'hidden','system' and
'read only' attributes.

For C drive,key in (in command prompt)


attrib -s -h -r c:\autorun.inf
attrib -s -h -r c:\ntdelect.com

For D drive
attrib -s -h -r d:\autorun.inf
attrib -s -h -r d:\ntdelect.com

step 4 - after disable the attributes,then start to manual delete these 2 files.
(Be careful don't key in ntdetect.com,the actual virus file is ntdelect.com.
ntdetect.com is important start up system file,you will know what will
happen if deleted ntdetect.com)

C drive key in
del c:\autorun.inf
del c:\ntdelect.com

D drive key in
del d:\autorun.inf
del d:\ntdelect.com
step 5 - After manual delete 'autorun.inf' and 'ntdelect.com',the next step is
'kavo.exe'.You need to delete kavo.exe file in C:\windows\system32\
.Repeat the step 3 to step 4 to disable the attributes and delete the file
procedures,key in

attrib -s -h -r c:\windows\system32\kavo.exe

Then delete it with key in


del c:\windows\system32\kavo.exe

step 6 - Delete 'kavo.exe' in registry.


Open registry editor,go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Run,and
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
\CurrentVersion\Run

What you need to do is delete kavo and c:\windows\system32\kavo.exe


value.

step 7 - to enable 'show hidden files and folder'


Open Notepad with new file,copy and paste below registry value and
rename as .reg file and save it,then double click on it to save into registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]

"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

For more articles, please visit http://wongsk.blogspot.com