That English, I do not care to deduce… but that’s insane. ><

run windows from safe mode, or better yet use a boot disc that can boot to command prompt

1. boot windows in “safe mode with command prompt” to see this option press “F8” right before the windows loading screen.

2. it might tell you to log in as administrator or your account. select administrator for now if it asked you.

3. in command prompt go to the root directory of your drive.
“type cd” and you wpuld be in the root directory or “c:”

4. at c: type “dir /a:h”
this will display all the hidden files that you cannot see in windows even though you have enabled the “show hidden files option”

the files that you are looking for are

autorun.inf
*.com
*.vbs
*.exe
*.dll

these files are important do not ever erase them since it’s windows boot files. These files are the only ones that should be in the root directory of c: except the folders.
boot.ini
IO.sys
nrdlr
MSDOS.sys
NTDETECT.COM

if there is an autorun.inf and other suspicious files then good we could proceed further.

5. autorun.inf is not evil it’s job is to auto execute a program when browse or inserted (usb or dics). it’s just being exploited by virus makers. Since it’s job is to execute a certain file we would now what files is the virus.

at c: type “type autorun.inf”

ex. C:type autorun.inf, you’ll see bunch of text like these

;qa5dDjAa222Ljosw0aoKqa14LsrAikkrAfs3jL3p5Aawo140fL73sLfD3akq3
[AutoRun]
;2L3HkloslJaikioJUek2ijA83S35kpJpaAr08sZl8aJ2walk4d4ddKwKeKsA4wad042639arCi27s0k3LKO3aKsawDik5sowD4rkKkdaw2Df
open=obehha.com
;kOlokdajw3K17il8l1saKKsKe4a92dsLqskK0LkLiH4Kwsd
shellopenCommand=obehha.com
;aDKS2a4o0j4d5s3lDL33LikoofdswKqlf4c
shellopenDefault=1
;D
shellexploreCommand=obehha.com
;4fjK2eAw3jf3Dfsk6sZKeLA9qS44L152llasDdi24sp7Dwwwds0kHsdak38K5fsaomkwoJkilr0okka23Z

but the ones that matter are these
open=obehha.com
shellopenCommand=obehha.com
shellexploreCommand=obehha.com

as you can see at these example that “obehha.com” is the virus or tha culprit that spreads the virus

take note of that file since we will be deleting that.

6. at c: “type del (virus name) /f/q/s/a”
ex.
c:del obehha.com /f/q/s/a

if the virus has a unique name, you can use wildcards commands incase the virus has dl files included

ex. C:del obehha.* /f/q/s/a or c:del obehha*.* /f/q/s/a

7. do that command to all drives including your usb devices.
to change drives type the drive letter plus collon sign “:”

at c: and going to d: type d:
ex c:d:
and you would be at D: and type dir /a:h to check if that same file exixt there and you the del “virus” /f/q/s/a to delete it

becarefull using that command since it searches all files within the drive, hidden or not, in a folder or not, system files or not and deletes it permanently. normal del (delete) won’t remove the file since it’s a hidden system files.

8. after deleting the file go back to c: and delete all suspicious files just remember to write down the suspicious files your deleting we need that later.

9. you should also check the windows directory and system32 directory to navigate to them

at c: type “cd windows”
ex. c:cd windows and youll be inside the windows directory
c:windows
check for suspicious files by typing dir /a:h
then navigate to system32
at c:windows type cd system32
c:windowscd system32 you’ll be inside the system32 directory
check for suspicious files by typing dir /a:h and delete it.

don’t forget to also delete the autorun.inf. just ignore te other autorun.inf it deletes it doen’t matter anyway

10. now your half done reboot again in safemode with command prompt and this time select you account. if no selection appears proceed to step 11.

11. again check the root directory of your c: if the files return obviously you left the main virus undeleted. if the suspicious deleted files are gone then good were making progress.

type explorer and the recognisable windows will apear and ask you about safemode and stuffs just click yes.

12. hope you have UnHookExec.inf or taskmanagerfix.exe in advance since we need to run it now. UnHookExec.inf is much powerfull since it reverts all change that the virus has made in your registry.

13. click “run” and type “msconfig” and a windoow will apear and select the “startup” tab and check for the files that you have deleted on the command column if it’s there un tick the box and apply the setting.

14. click “run” and type “regedit” search all the suspicous files you wote down and delete all the strings that contain those command.

you can also find other files theat the virus execute other files related to it.

do not delete rundll just the files you wrote down
and if you see the virus is hooked with explorer just delete the virus name leving the explorer behind

it’s very dangerous deleting stuffs on your registry.. tis is not neccessary though since the virus is gone. but the massage it displays or other changes the virus has made is still there. this is just for cleaning up the virus tracks. do not attemp to mess with the registry if your unsure what you are doing.

you can use ccleaner to do the cleaning for you. since you deleted the files and the registry cannot point, locate and execute that files. ccleaner will dellete it for you in a safe way.

all cleaning you need to do is the mountpoints2
in the registry click the computer then search for mountpoints2
you should see a bunch of folders with kind of resembles this names

{009ff59d-5cce-11dd-841e-001966656651}
{074add66-5a6e-11dd-9858-c3b868304521}
{0cf191a9-5a6d-11dd-ab2a-806e6f6e6963}
{0cf191aa-5a6d-11dd-ab2a-806e6f6e6963}
{0cf191ad-5a6d-11dd-ab2a-806e6f6e6963}

and at the bottom you’ll see

C
CPC
D
E
F

depending how many drive letters you have.
if you browese those folders with weird names you’ll find out how the virus speads or where it was executed and the virus names you wrote can be found there.

so delete all those folders leaving only

C
CPC
D
E
F

and also delete all “folders” that is inside

C
D
E
F

only CPC should have folders inside

and don’t delete the keys inside
C
CPC
D
E
F
these key are namely “default” and “baseclass”

15. if everything goes right. you’ll free youself from that virus and having to reformat again and again when faced with a new viirus.

if you can’t remove the virus you can send it to me to be analyzed.

at safemode command prompt assuming you checked inside the autorun.inf and found out the file name of the virus

at c: type attrib -s -h -r “Virus name”
ex. c:attrib -s -h -r obehha.com

now that file should be visible in plain dir or windows

copy that file to a different folder or usb device zip or rar it with password and send it to me

tunay na email ko yan

pa delete na lang ng comment ko pag na save mo na sa notepad

di ko alam kung baket nawawala ang mga (slash sign) sa dulo ng mga c: o d: sana sanay ka sa DOS/CMD

your anti-spam asked 7+8 =? ang sabat ko ay 15… kun makasulod ni comment ko, sagad na ko sa math. wahaha :laugh: