1. Search for and download the following software. The programs should be placed on the flash drive, unpacked and ready to run:
- far portable
- file monitor (Filemon.exe)
- process viewer (PrcView.exe)
- ATF-Cleaner.exe
- Flash_Disinfector.exe
- CureIT
- BV Soft Run Edit
- Unlocker
2. Reboot into safe mode and run a scan with CureIT. While scanning, do not open new windows (i.e. explorer.exe);
3. Remove all entries referencing c.cmd from the system registry;
4. Clean everything with ATF-Cleaner and keep the program running so the cleaning can be repeated after every operation;
5. Monitor running programs and processes with FileMon (filter «autorun») and PrcView;
6. Search for and delete the virus traces and files fool0.dll, ies0.dll and kxvo.exe in the system32 folder;
7. Install Run Edit locally and check for a kxvo.exe autorun entry; it should be removed;
8. Enable the Recycle Bin option to delete files immediately;
9. Put a fake autorun.inf on the flash drive using Flash_Disinfector;
10. Kill the hkmd system process;
11. Open the Recycler folder on the flash drive and check whether indataset.exe is inside;
12. Delete indataset.tlb and indata.dat from system32, then do a full cleaning of temporary files again;
13. Set an «indataset» filter in FileMon and exercise the flash drive: delete the indataset and indata files, plug and unplug the drive;
14. If any processes attempt to copy files to the flash drive, kill those processes and hkmd, then clean again;
15. Go to c:\windows\temp, unlock the hlktmp file (Unlocker must be installed), delete it and put an empty file with the same name in its place;
16. Reboot. Check for virus traces. Try a different sequence if unsuccessful.
Note that the virus hides its components, so the files will be visible only in Far while the «Unhide system files» function of explorer.exe is blocked by the virus. A cured system should not create a Recycler folder on the flash drive, nor any files there.
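As an added example (not from the original post or any of the tools it lists), a read-only PowerShell audit of the traces the steps above name: the dropped files in system32 and windows\temp, Run entries referencing c.cmd or kxvo.exe, Explorer's hidden-file switch, and an autorun.inf or RECYCLER/RECYCLED tree on the flash drive. The drive letter E:, and mapping the blocked «Unhide system files» function to the ShowSuperHidden registry value, are my assumptions.

```powershell
# Added read-only audit (not from the original post): reports the traces the
# steps name and deletes nothing. Assumption: the flash drive is $Drive.
param([string]$Drive = "E:")
$findings = @()
$sys32 = Join-Path $env:SystemRoot "system32"

# Steps 6, 12 and 15: dropped files in system32 and windows\temp
$names = "fool0.dll", "ies0.dll", "kxvo.exe", "indataset.tlb", "indata.dat"
$tracePaths = @($names | ForEach-Object { Join-Path $sys32 $_ }) +
              (Join-Path $env:SystemRoot "temp\hlktmp")
foreach ($p in $tracePaths) {
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# Steps 3 and 7: Run values referencing c.cmd or kxvo.exe
$runKeys = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
           "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ("$($prop.Value)" -match 'kxvo\.exe|c\.cmd') {
            $findings += "autorun value: $k\$($prop.Name) = $($prop.Value)"
        }
    }
}

# The note: the worm blocks Explorer's "show protected system files" switch.
# Assumption: that is the ShowSuperHidden value (1 = show them).
$adv = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
$ssh = (Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue).ShowSuperHidden
if ($ssh -ne 1) { $findings += "Explorer ShowSuperHidden is not 1 (current: '$ssh')" }

# Steps 9 and 11 and the PS: autorun.inf and a RECYCLER/RECYCLED tree on the drive
$inf = Join-Path $Drive "autorun.inf"
if (Test-Path -LiteralPath $inf) {
    $findings += "on drive: $inf"
    foreach ($line in (Get-Content -LiteralPath $inf)) { $findings += "    $line" }
}
foreach ($dir in "RECYCLER", "RECYCLED") {
    $d = Join-Path $Drive $dir
    if (-not (Test-Path -LiteralPath $d)) { continue }
    $findings += "on drive: $d"
    foreach ($f in (Get-ChildItem -LiteralPath $d -Force -Recurse -ErrorAction SilentlyContinue)) {
        if (-not $f.PSIsContainer) { $findings += "    contains: $($f.FullName) ($($f.Length) bytes)" }
    }
}

if ($findings.Count -eq 0) { "No traces found." } else { $findings }
```

Run it before and after each cleaning pass; an empty report after a reboot with the drive plugged in matches the "cured system" condition in the note above.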
Eugene Prgoff, July 25, 2008.
PS. Looks like it was two viruses instead of one. The laptop is clean now, but an empty RECYCLED directory appears on the flash drive every time after its deletion. I have killed all MountPoints2 subfolders in the registry but with no result. Could someone suggest to me how to deal with this fucking fake trash can? skype: vedeney
During that “disinfection campaign” I found I am not alone in my unprofessional attempts, so here is a more accurate and consistent instruction from Farmosi, a man who was also annoyed with an operating system running out of control. There is nothing more to say except a big thanks and best wishes to Farmosi. We both hope that the information will be helpful against viruses. As he did, I warn unskilled users against even following the instruction above, since it potentially may cause system damage etc.
Whoever cannot read this does not, in principle, need it anyway.