Virus from Surigao
Oh my fucking god, what the fuck!? I have become so reckless about viruses that I have now finally learned my ultimate lesson. After double-clicking the USB drive icon I noticed that it did not move, and so I gave it two more clicks. Moments later, Kaspersky came running in, warning of a virus. I opened the command prompt and found out that it was already disabled. I restarted my computer, hopeful enough, but what did I get? A fucking message that I did not understand and did not bother to read. Then it turned out that regedit.exe and the Task Manager had also been disabled. Now, what.
Hi. Howaryu? Aym Jaw-ly-bee-cute 3 yehs old frum da bheig bheig manchion ein Shurigaw. Ayl stey hirh forawhile bcos duhbad ghuys tukmehan lefme sumwerh inda leibleib phleiys and ayduno how tu get bak howm. Dows badguys promishd me five moh box of cholate afterh ay join dem indahgeymof haydenshik. Little duhayno bout theyrh ploy of shelling me to dah burgoise. Gudtinh Jawllybeeismart to trwikdemowt anfund weyh hirh tuhuyd.
Upon examining the message that pops up before the password input on startup, I realized that it was English written indistinctly. What blazed me up more is the fact that it mentioned Surigao, a place just a few hours from my hometown San Francisco in Agusan del Sur. I am certain about this. There’s absolutely no doubt that it was a Filipino who made this — a Filipino who particularly speaks the same language as I do. The most disheartening part is that answers on how to resolve this nuisance don’t seem to be available on the Internet yet. Am I the lucky #1 to have tasted it then? All right, this gives me an even bigger drive to make my own wreckage in the future. Oh, you just all wait. I am gonna completely destroy not only your Task Managers, but also your electric sockets.
13 Comments
October 23, 2008 at 07:17
you know what, go look for UnHookExec.inf I think it will enable your regedit back? 😉 I’m not sure about the task manager.
I hate viruses! and I’m glad my anti virus is doing a great job.
October 27, 2008 at 18:25
Owts!
October 29, 2008 at 09:08
Haha, I laughed at the destroying of task managers and such. =P Viruses suck majorly, I think I got that f*ckin autorun.inf one on my flash drives, which pisses me off like none other. It’s not really a violent virus, it’s just annoying as hell.
*sighs*
I will kill it in time.
October 30, 2008 at 14:36
hmm that must be soo annoying. Maybe the only fix left is to reformat your PC.
October 31, 2008 at 00:07
test
October 31, 2008 at 00:13
Hey, my comment went through, Nels. Hehe, I tested first because I might just tire myself out typing if it still wouldn’t go through. ….
Hmmm…. what was I going to write again? I forgot…
Ah, these viruses, you know, I kind of suspect that it’s the people selling antivirus software who are making them, and then they come up with a supposed “cure” for those same viruses. Right? Pure business. Sigh. I have no choice though, I use an antivirus too. Hehe. Just the free edition.
your anti-spam asked 7+8 =? My answer is 15… if this comment goes through, then I’m good at math. wahaha :laugh:
October 31, 2008 at 00:18
I really am good at math now. 😯 :laugh: :faint:
November 11, 2008 at 03:57
okay, this is the secret way I get rid of newly created viruses..
run windows from safe mode, or better yet use a boot disc that can boot to command prompt
1. boot windows in “safe mode with command prompt”. to see this option, press “F8” right before the windows loading screen.
2. it might tell you to log in as administrator or your account. select administrator for now if it asks you.
3. in command prompt go to the root directory of your drive.
type “cd\” and you would be in the root directory, or “c:\”
4. at c:\ type “dir /a:h”
this will display all the hidden files that you cannot see in windows even though you have enabled the “show hidden files” option
the files that you are looking for are:
autorun.inf
*.com
*.vbs
*.exe
*.dll
these files are important; do not ever erase them, since they are windows boot files. These files are the only ones that should be in the root directory of c:\, apart from the folders:
boot.ini
IO.sys
ntldr
MSDOS.sys
NTDETECT.COM
if there is an autorun.inf and other suspicious files, then good, we can proceed further.
5. autorun.inf is not evil; its job is to auto-execute a program when a drive is browsed or inserted (usb or disc). it’s just being exploited by virus makers. Since its job is to execute a certain file, we would know which file is the virus.
at c:\ type “type autorun.inf”
ex. C:\>type autorun.inf, you’ll see a bunch of text like this
;qa5dDjAa222Ljosw0aoKqa14LsrAikkrAfs3jL3p5Aawo140fL73sLfD3akq3
[AutoRun]
;2L3HkloslJaikioJUek2ijA83S35kpJpaAr08sZl8aJ2walk4d4ddKwKeKsA4wad042639arCi27s0k3LKO3aKsawDik5sowD4rkKkdaw2Df
open=obehha.com
;kOlokdajw3K17il8l1saKKsKe4a92dsLqskK0LkLiH4Kwsd
shell\open\Command=obehha.com
;aDKS2a4o0j4d5s3lDL33LikoofdswKqlf4c
shell\open\Default=1
;D
shell\explore\Command=obehha.com
;4fjK2eAw3jf3Dfsk6sZKeLA9qS44L152llasDdi24sp7Dwwwds0kHsdak38K5fsaomkwoJkilr0okka23Z
but the ones that matter are these
open=obehha.com
shell\open\Command=obehha.com
shell\explore\Command=obehha.com
as you can see in this example, “obehha.com” is the virus, or the culprit that spreads the virus
take note of that file since we will be deleting that.
6. at c:\ type “del (virus name) /f/q/s/a”
ex.
c:\>del obehha.com /f/q/s/a
if the virus has a unique name, you can use wildcards in case the virus has dll files included
ex. C:\>del obehha.* /f/q/s/a or c:\>del obehha*.* /f/q/s/a
7. do that command on all drives, including your usb devices.
to change drives, type the drive letter plus the colon sign “:”
at c:\, to go to d:, type d:
ex. c:\>d:
and you would be at D:\. type dir /a:h to check if that same file exists there, and use del “virus” /f/q/s/a to delete it
be careful using that command, since it searches all files within the drive, hidden or not, in a folder or not, system files or not, and deletes them permanently. normal del (delete) won’t remove the file since it’s a hidden system file.
8. after deleting the file go back to c: and delete all suspicious files. just remember to write down the suspicious files you’re deleting; we need that later.
9. you should also check the windows directory and system32 directory. to navigate to them:
at c:\ type “cd windows”
ex. c:\>cd windows and you’ll be inside the windows directory
c:\windows
check for suspicious files by typing dir /a:h
then navigate to system32
at c:\windows type cd system32
c:\windows>cd system32 and you’ll be inside the system32 directory
check for suspicious files by typing dir /a:h and delete them.
don’t forget to also delete the autorun.inf. just ignore the other autorun.inf it deletes, it doesn’t matter anyway
10. now you’re half done. reboot again in safe mode with command prompt and this time select your account. if no selection appears proceed to step 11.
11. again check the root directory of your c: if the files return, obviously you left the main virus undeleted. if the suspicious deleted files are gone, then good, we’re making progress.
type explorer and the recognisable windows will appear and ask you about safe mode and stuff; just click yes.
12. hope you have UnHookExec.inf or taskmanagerfix.exe in advance since we need to run it now. UnHookExec.inf is much more powerful since it reverts all changes that the virus has made in your registry.
13. click “run” and type “msconfig” and a window will appear. select the “startup” tab and check for the files that you have deleted in the command column. if it’s there, untick the box and apply the setting.
14. click “run” and type “regedit”. search for all the suspicious files you wrote down and delete all the strings that contain those commands.
you can also find other files that the virus executes, other files related to it.
do not delete rundll, just the files you wrote down
and if you see the virus is hooked with explorer, just delete the virus name, leaving the explorer behind
it’s very dangerous deleting stuff in your registry.. this is not necessary though, since the virus is gone. but the message it displays or other changes the virus has made are still there. this is just for cleaning up the virus’s tracks. do not attempt to mess with the registry if you’re unsure what you are doing.
you can use ccleaner to do the cleaning for you. since you deleted the files, the registry cannot point to, locate and execute those files. ccleaner will delete it for you in a safe way.
all the cleaning you need to do is the mountpoints2
in the registry click the computer then search for mountpoints2
you should see a bunch of folders with names that kind of resemble these
{009ff59d-5cce-11dd-841e-001966656651}
{074add66-5a6e-11dd-9858-c3b868304521}
{0cf191a9-5a6d-11dd-ab2a-806e6f6e6963}
{0cf191aa-5a6d-11dd-ab2a-806e6f6e6963}
{0cf191ad-5a6d-11dd-ab2a-806e6f6e6963}
and at the bottom you’ll see
C
CPC
D
E
F
depending how many drive letters you have.
if you browse those folders with weird names you’ll find out how the virus spreads or where it was executed, and the virus names you wrote down can be found there.
so delete all those folders leaving only
C
CPC
D
E
F
and also delete all “folders” that are inside
C
D
E
F
only CPC should have folders inside
and don’t delete the keys inside
C
CPC
D
E
F
these keys are namely “default” and “baseclass”
15. if everything goes right, you’ll free yourself from that virus and from having to reformat again and again when faced with a new virus.
if you can’t remove the virus you can send it to me to be analyzed.
at safe mode command prompt, assuming you checked inside the autorun.inf and found out the file name of the virus
at c:\ type attrib -s -h -r “Virus name”
ex. c:\>attrib -s -h -r obehha.com
now that file should be visible in plain dir or windows
copy that file to a different folder or usb device, zip or rar it with a password and send it to me
that’s my real email
please just delete my comment once you’ve saved it to notepad
I don’t know why the (slash signs) at the end of the c: or d: keep disappearing; I hope you’re used to DOS/CMD
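Step 5 of the comment above reads autorun.inf by eye to find the file it launches. As an added example (not part of the original comment or post), this Python code does the same extraction on a copy of the file, skipping the `;` padding lines; the function names and the shortened sample are constructed for illustration.

```python
import re

# Keys in the [AutoRun] section whose value names a program to launch:
# open=, shellexecute=, and shell\<verb>\command= (case-insensitive).
LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\=]+\\command", re.I)

# Constructed sample modelled on the listing in the comment (padding shortened).
SAMPLE = r"""
;qa5dDjAa222Ljosw0aoK
[AutoRun]
;2L3HkloslJaikioJ
open=obehha.com
;kOlokdajw3K17
shell\open\Command=obehha.com
shell\open\Default=1
;D
shell\explore\Command=obehha.com
"""

def autorun_targets(text):
    """Return {key: value} for every launch entry in the [AutoRun] section."""
    targets, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blank and padding lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.fullmatch(key):
            targets[key.lower()] = value
    return targets

def suspect_files(text):
    """File names the launch entries point at, de-duplicated, first seen first."""
    names = []
    for value in autorun_targets(text).values():
        # The program is the first token; it may be quoted and followed by arguments.
        m = re.match(r'"([^"]+)"|(\S+)', value)
        name = (m.group(1) or m.group(2)) if m else ""
        if name and name.lower() not in [n.lower() for n in names]:
            names.append(name)
    return names

if __name__ == "__main__":
    for name in suspect_files(SAMPLE):
        print("write down and inspect:", name)
```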
November 13, 2008 at 15:09
Damn!! My system got infected by this too. And until now, I can’t find a solution!! Sheeet. It’s been on my computer for a long time. It might start going haywire. Damn!! =(
November 16, 2008 at 05:48
Ah dear. @_@
That English, I do not care to deduce… but that’s insane. ><
November 20, 2008 at 19:10
Aw help.
I’ve got this one too…
YOU CAN’T EVEN OPEN THE HARD DRIVES BECAUSE OF THIS!!!
HELLLPPP!!!!!
HOW DO I REMOVE THIS!????
August 12, 2009 at 05:04
Man, my girlfriend has the same virus, you are not the only one. We searched for a solution but we didn’t find one.
September 14, 2009 at 15:09
check this link, instead. 🙂
http://pointblank.i.ph/blogs/pointblank/2008/01/26/getting-rid-of-autruninf/