Friday, February 8, 2008

Say No to Drugs - iloveher.exe virus remover/removal instruction

Here's another autorun virus that is more annoying than other viruses that rely on autorun.inf. I don't know its official name, but what it does is put an annoying flashing text on your desktop that says: "Say No to Drugs!!!". It appears right in the middle of your screen and it is really annoying. Once your PC is infected, your task manager will be gone too (disabled), along with other Windows programs/commands that you will need to identify/get rid of this virus.

The culprit here is the file iloveher.exe that came with this virus/malware/trojan (whatever you call it).
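To see what a drive's autorun.inf would actually start before you clean it, the file can be read as plain text. The sketch below is an added example, not part of the original post or of any of the tools it links to; the function names are hypothetical, the sample autorun.inf is constructed, and the drive range C to H is an assumption taken from the default mentioned in the readme further down.

```python
import re
from pathlib import Path

# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
EXECUTABLE = re.compile(r"\.(exe|com|cmd|bat|scr|pif|vbs|dll)\b", re.I)

def launch_entries(text):
    """Return [(key, command)] for every launch key in the [autorun] section."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                entries.append((key.strip().lower(), value.strip()))
    return entries

def suspicious_targets(text):
    """Lower-cased names of executable files the autorun.inf would start."""
    found = []
    for _key, command in launch_entries(text):
        for token in re.split(r'[\s",]+', command):
            name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if EXECUTABLE.search(name) and name not in found:
                found.append(name)
    return found

def scan_roots(roots):
    """Map each root that holds an autorun.inf to the files it would start."""
    report = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            report[str(root)] = suspicious_targets(inf.read_text(errors="replace"))
    return report

# Constructed sample; the file names are ones mentioned on this page.
SAMPLE = """; padding line
[AutoRun]
open=iloveher.exe
shell\\open\\Command=iloveher.exe
shell\\explore\\command=RECYCLER\\x.com /q
"""

if __name__ == "__main__":
    print(scan_roots(f"{d}:\\" for d in "CDEFGH"))  # drives C to H
```

Any file name this reports is a candidate to look for (usually hidden) in the drive root after the cleanup tools have run.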

Steps to clean it out of your system:
1. Use RRT to remove any restrictions that the virus put on your system. Click to download.
2. Use Flash Disinfector by sUBS to get rid of this annoying virus. Click to download.
3. If you want to be sure, there is a batch file made by Nokie that effectively gets rid of all the commonly known flash viruses. It's on version 12 as of this writing. He always updates it whenever there's a new autorun virus hanging around. You can download it here. Just run the batch file and follow the instructions on your screen.

Here's the readme.txt file if you want to know what it does:

---------------------------------------------------------------------------------------------------
Enfal, Fujacks, Taga-Lipa Are, Ravmone, Strawberry, YM Virus, Zinblog and Flash Drive Cleaner.
---------------------------------------------------------------------------------------------------

---------------------
Flash_V12
---------------------
Added "__" Removal (Don't know the exact name).
Added "Anti-TAGA LIPA ARE!" Removal.
Added "exp1orer.exe" Removal. (Note: Running Flash_V12.bat will close all open Internet Explorer windows, I have to kill iexplore.exe in order to remove this infection).
Added "h.cmd", "x.com" and "xn1i9x.com" Removal (Found out this has the same effect as "amvo" virus).
Updated "Desktrukto" Removal (Please restart after running the batch file).

---------------------
Flash_V11.9
---------------------
Decided to skip this version due to numerous updates. =)

---------------------
Flash_V11.8
---------------------
Added "ntldr" Virus Removal.
Effect: "ntldr missing" (This batch is just for removing the virus until such effect will come, I think the virus has a maturity time).
You have to copy ntldr, ntdetect.com and boot.ini from another pc in order to fix "ntldr missing" error. (Note: These are system
files, you have to show all hidden and system files in order to copy these files from another pc).

---------------------
Flash_V11.7
---------------------
Fixed some bugs.

---------------------
Flash_V11.6 Update
---------------------
Added "amvo" Removal (Don't know the exact name).

---------------------
Flash_V11.5 Update
---------------------
Added "alecks" Removal (Don't know the exact name).

---------------------
Flash_V11.4 Update
---------------------
Added "scvshosts.exe" Removal.

---------------------
Flash_V11.3 Updates
---------------------
Added "bar311.exe" Removal (Yellow Happy Face Icon).
Symptoms: Your computer will restart if you run "cmd" or "command" (Command Prompt) in 1 second.
Note: Your computer will be restarted once you run the batch file (if infected by bar311.exe).
After restart, run the batch file again for complete removal.

Added "d.com" Removal.
Added "jamesgo.dll" Removal (On testing, since I don't have a sample of this virus).
Added "scvhosts.exe" Removal.

---------------------
Flash_V10 Update:
---------------------
Added "Funny UST Scandal.avi.exe" Removal.

---------------------
Flash_V9 Update:
---------------------
Added "Jay.exe" Virus Removal.

---------------------
Flash_V8 Updates:
---------------------
Added "Lsass.exe" Virus Removal. (Note: For effectivity, run the batch file once and reboot your computer after. Run the batch file again after a reboot.)

---------------------
Flash_V7 Updates:
---------------------
Added "SSCVIHOST.exe" Virus Removal (I don't know the exact name of this virus, I think it's W32/Sohana-W.)
Symptoms: Task Manager and Regedit are disabled, very slow response of your pc.

Added "TTMS NAA NA DIRI, DON’T WORRY I’M NOT A CORRUPT LIKE YOU!" (VBS.Nokrupt) Removal.

Added "ntde1ect.com" Virus Removal.

---------------------
Flash_V6 Updates:
---------------------
Added Imgkulot and Destrukto Virus Removal (On testing, since I don't have samples of these viruses). Merged functions of Clean_NSL_V3.bat with this version. No need to run Clean_NSL_V3.bat this time. =)

---------------------
Notes:
---------------------

Windows Vista (Not tested, since there are only few infections for this OS).

Tested to run on Windows XP Professional (SP2 or below) and Windows 2003 Server Enterprise Edition.

Windows XP Home (You need a copy of taskkill.exe and place it on C:\WINDOWS\system32 before running the batch file).

Windows 2000 (Might run, haven't tried it yet).

Windows 98 (Not supported, since there are only few infections for this OS).

---------------------
Instructions:
---------------------

Extract the batch file anywhere (e.g. Desktop). Double-click to run and wait for "Press any key to continue...".

You can restart after running the batch and run it again after a restart if you like to (Optional).

You can plug your flashdrive/flashdisk/usbdrive before running the batch to clean it from these infections.
Unplug it afterwards and plug it in again, and you'll notice that it is cleaned. =) For harddisks/harddrives, you have to
restart or logoff after you run the batch, so that you can double-click it again. =)

You can add more drives in the batch file by editing it, use notepad or wordpad (default is drive C to H). Just add a drive letter inside
the parenthesis, e.g. (C D E F G H I) - drive I is added.

----------------------------------------------------------
Download updated version of this batch at:
----------------------------------------------------------
http://hosted.filefront.com/nokie/ (Thanks to filefront for free hosting of this file).

2 comments:

Greg said...

Thanks, these flash viruses are damn annoying and the usual commercial anti-virus programs don't really do a good enough job of screening them.

The tools you've recommended are very helpful, especially Nokie's batch file. I'd done regedits twice with no success before learning about the file from this blog. Quick and hassle free removal right there.

computer repair brisbane said...

Hi,
I had a serious infection in my computer. I did not know what to do. At that time I came to know about the ItsFixed and subscribed in that. Next day itself they removed my entire virus. I was very happy and want to share so that someone will get help from them.