USB Autorun Virus Removal

Posted on October 30, 2008. Filed under: Viruses

After you have stopped the running virus process (see Manually remove viruses – Part 1 below), you can remove the autorun launcher itself. In most cases you can still reach the USB drive from a command prompt even when Explorer refuses to open it. Switch to the drive by typing its letter followed by a colon (for example H:) and pressing Enter, so that the prompt reads H:\>.

Now type attrib -r -a -s -h *.* and press Enter, so that the command line reads

H:\>attrib -r -a -s -h *.*

The command clears the read-only (r), archive (a), system (s) and hidden (h) attributes of every file in the current directory. Clearing s and h in the same command matters: attrib refuses to change a file that is both system and hidden unless both attributes are removed together. As written the command only touches files in the root of the drive; add /s /d (attrib -r -a -s -h /s /d *.*) to recurse into subfolders and to clear the attributes of the folders themselves.

Now the launcher, the previously hidden autorun.inf, is visible along with the program it starts, say autorun.exe. You can confirm which program that is by typing type autorun.inf and reading its open= and shellexecute= lines (and any shell\...\command= lines, which replace the right-click Open and Explore actions of the drive). With the attributes cleared, all the files are also visible in Explorer, where you can delete them.

Make sure Hide extensions for known file types is unchecked (disabled) in My Computer > Tools > Folder Options > View, and that Show hidden files and folders is selected there as well. Otherwise a program named New Folder.exe that carries a folder icon looks exactly like a folder, and double-clicking it to "open the folder" runs the virus instead.

If a folder, say New Folder, contains a program with the same name, say New Folder.exe, it is in almost all cases a virus that you need to remove. Delete both the launcher and the program it points to: removing only autorun.inf is not enough if the program is still present and running, since it will simply write a new launcher.
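To see exactly what a launcher would run before you delete it, the following script (an added example, not code from the original post) reads an autorun.inf the way the steps above describe: it collects the open=, shellexecute= and shell\<verb>\command= targets, reduces them to executable names, and flags the usual disguises (a hijacked Explore verb, an overridden default verb, an action= text that copies the genuine AutoPlay prompt). The sample launcher it reads is constructed to resemble the ones described in the post, and the function names parse_autorun, launch_targets, executable_name and triage are my own.

```python
"""Triage an autorun.inf launcher: which programs would it start, and does it
use the usual disguises?  Added example, not code from the original post; the
sample launcher below is constructed."""
import re
from typing import Dict, List

# Keys whose value AutoRun/Explorer executes directly.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command= entries replace the right-click Open/Explore actions.
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")
# Text of the genuine AutoPlay option; launchers copy it to mislead the user.
AUTOPLAY_DECOY = "open folder to view files"

# Constructed sample (assumption): typical launcher with a junk padding line.
SAMPLE_AUTORUN_INF = r"""
[autorun]
xk8Hq2zzAWEQ
open=autorun.exe
shellexecute=autorun.exe
shell\open\command=autorun.exe
shell\explore\command=autorun.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
label=Removable Disk
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased.

    Only that section is honoured; anything inside it that is not key=value
    (comment lines starting with ';', garbage padding) is skipped.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Every command line the launcher can run: open=, shellexecute= and
    each shell\\<verb>\\command= entry."""
    targets = [entries[k] for k in LAUNCH_KEYS if k in entries]
    targets += [v for k, v in entries.items() if VERB_COMMAND.match(k)]
    return targets


def executable_name(command: str) -> str:
    """Bare file name of the program a command line starts (quotes, arguments
    and path stripped).  A relative name resolves against the root of the
    drive that holds autorun.inf."""
    command = command.strip()
    if command.startswith('"'):
        token = command[1:].split('"', 1)[0]
    else:
        token = command.split(None, 1)[0] if command else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text: str) -> Dict[str, object]:
    """Targets, distinct executables and disguise flags for one autorun.inf."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    verbs = {m.group(1) for m in (VERB_COMMAND.match(k) for k in entries) if m}
    flags: List[str] = []
    if "explore" in verbs:
        flags.append("shell\\explore\\command hijacks right-click > Explore")
    if "shell" in entries:
        flags.append(f"default verb overridden: shell={entries['shell']}")
    if AUTOPLAY_DECOY in entries.get("action", "").lower():
        flags.append("action= mimics the genuine 'Open folder to view files' prompt")
    return {
        "targets": targets,
        "executables": sorted({executable_name(t) for t in targets}),
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUTORUN_INF).items():
        print(f"{key}: {value}")
```

Run it on a clean machine against the contents of the launcher (the output of type autorun.inf), delete the executables it lists from the root of the drive, and only then delete autorun.inf itself.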


Manually remove viruses – Part 1

Posted on October 19, 2008. Filed under: Viruses

Now we will see how to remove viruses manually, because sometimes the antivirus we installed does not do its job and we have to do it the hard way. The first step is to locate the virus processes running in memory. Press Ctrl-Alt-Del to open Task Manager and look for suspicious entries in the Processes list; this requires some familiarity with what normally runs on your system (if you are not familiar, treat every entry as suspect). Look each suspicious process name up on Google, and if the information (as far as you trust it) says it is malicious, right-click the entry and choose End Process Tree. Do the same for every other suspicious process.

[Screenshot: My Windows Task Manager]

Some viruses deny access to Task Manager. If so, go to Start > Run, type cmd.exe, and at the prompt type tasklist and press Enter to get the list of running processes. To kill one, use the taskkill command; type taskkill /? for its options. For example, if Notepad is running, taskkill /im notepad.exe ends it, where /im means the argument is a process image (executable) name. If the process refuses to die, add /f to force it. When a virus has copied a legitimate name exactly, kill it by its PID instead (taskkill /f /pid <pid>, with the PID taken from the tasklist output) so that you do not take the genuine process down with it.

[Screenshot: Tasklist in console]

Please remember that System (PID 4), System Idle Process (PID 0), smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe and so on are legitimate Windows processes; ending some of them (csrss.exe, winlogon.exe, lsass.exe) crashes or reboots the machine. It is advised not to touch any process running under SYSTEM, NETWORK SERVICE or LOCAL SERVICE unless you are confident and familiar with these things. The name alone is not proof of legitimacy, though: a virus can call itself svchost.exe too, so check the User Name column as well. The genuine service processes run under the three accounts above, not under your own account.

You can also get a full-permission Task Manager for temporary use from patheticcockroach.com. I have personally checked the program. It gives you access to Task Manager by double-clicking it, when Ctrl-Alt-Del is blocked by the virus.

If this stage is a complete success, all running virus programs are stopped, and the virus can no longer undo the clean-up steps that follow, for example by recreating the files you delete.


USB Virus/Autorun Virus Identification

Posted on October 13, 2008. Filed under: Viruses

The most common form of virus today on college campuses, in companies, file-sharing circles and other institutions is the USB pen-drive virus that spreads through autorun.

Virus targets —> USB:\autorun.inf, the launcher in the root of the drive. Windows reads it when the drive is inserted or double-clicked and runs the program it names.

Virus slows —> The startup of Windows, because it registers itself to start at every boot (which is also why msconfig, the startup configuration tool, is one of the utilities it blocks).

Virus stays —> In ‘%windir%\system32\’ (%windir% stands for the Windows directory, e.g. ‘c:\WINDOWS’). This is the most common hiding place, and the safest one for the virus, because the folder is full of legitimate system executables and one more is unlikely to be noticed.

Virus hides —> The Folder Options entry (My Computer > Menu Bar > Tools > Folder Options), so that the user cannot un-hide hidden and system files and the virus files stay out of sight.

Virus denies —> Access to Task Manager, regedit.exe, msconfig (startup configuration) and other admin utilities, with a message like “you don’t have admin privileges” even when you are the administrator. It also breaks right-click > Open and Explore on the USB drive in Explorer (so that you double-click the drive instead, which triggers autorun.inf and activates the virus), and it will not allow the drive to be formatted.

Virus names —> Itself after a legitimate Windows process. For example, the virus is named ‘system.exe’ and stores itself in ‘%windir%\system32\’, trading on the name of the real core process ‘System’. On a normal Windows XP installation there is no program named ‘system.exe’ in ‘%windir%\system32\’ or in ‘%windir%’ itself. In Task Manager (Ctrl-Alt-Del) the virus shows up as ‘system.exe’ alongside the real Windows process ‘System’, which always has PID 4 and runs with the User Name SYSTEM rather than under the real user account, say jais. Another disguised program that I recently ended with End Process called itself ‘explorcr.exe’, to resemble the actual XP desktop process ‘explorer.exe’. There are also crude random-letter virus names such as bad1.exe, bad2.exe, bad3.exe, dfjhw.exe and uwnwef.exe. So keep a watch on the Task Manager process list, and check the User Name column as well as the name.
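The checks described in this post and in Manually remove viruses – Part 1 (impostors of kernel process names, names one letter away from a real one, core processes running under the wrong account, names nobody recognises) can be run over a saved tasklist /v /fo csv listing rather than by eye. The script below is an added example, not the post's own code: the listing it parses is constructed to contain the cases described above, the XP baseline is deliberately small, and the function names edit_distance, classify and triage are my own.

```python
"""Flag suspicious entries in a `tasklist /v /fo csv` listing: impostors of
kernel process names, look-alike names, core processes under the wrong
account, and unknown images.  Added example, not code from the original
post; the listing below is constructed and the baseline is a minimal XP one."""
import csv
import io
from typing import Dict, List, Optional, Set, Tuple

SERVICE_ACCOUNTS: Set[str] = {
    r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\NETWORK SERVICE", r"NT AUTHORITY\LOCAL SERVICE",
}
SYSTEM_ONLY: Set[str] = {r"NT AUTHORITY\SYSTEM"}

# Known Windows XP images -> accounts they may run under (None = any user).
# Assumption: a real system needs a fuller list; everything else is UNKNOWN.
BASELINE: Dict[str, Optional[Set[str]]] = {
    "system idle process": SYSTEM_ONLY,
    "system": SYSTEM_ONLY,
    "smss.exe": SYSTEM_ONLY,
    "csrss.exe": SYSTEM_ONLY,
    "winlogon.exe": SYSTEM_ONLY,
    "services.exe": SYSTEM_ONLY,
    "lsass.exe": SYSTEM_ONLY,
    "svchost.exe": SERVICE_ACCOUNTS,
    "spoolsv.exe": SYSTEM_ONLY,
    "explorer.exe": None,
    "taskmgr.exe": None,
    "cmd.exe": None,
    "tasklist.exe": None,
}

# Constructed sample of `tasklist /v /fo csv` output (assumption: real output
# has the same columns; PIDs, memory figures and the machine name PC are made up).
SAMPLE_TASKLIST = r'''
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Console","0","28 K","Running","NT AUTHORITY\SYSTEM","1:02:11","N/A"
"System","4","Console","0","236 K","Running","NT AUTHORITY\SYSTEM","0:00:31","N/A"
"smss.exe","564","Console","0","388 K","Running","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"csrss.exe","628","Console","0","3,812 K","Running","NT AUTHORITY\SYSTEM","0:00:04","N/A"
"winlogon.exe","652","Console","0","4,128 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"services.exe","696","Console","0","3,440 K","Running","NT AUTHORITY\SYSTEM","0:00:02","N/A"
"lsass.exe","708","Console","0","1,276 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"svchost.exe","900","Console","0","4,964 K","Running","NT AUTHORITY\NETWORK SERVICE","0:00:00","N/A"
"explorer.exe","1512","Console","0","18,520 K","Running","PC\jais","0:00:12","N/A"
"system.exe","1688","Console","0","2,140 K","Running","PC\jais","0:00:03","N/A"
"explorcr.exe","1724","Console","0","1,980 K","Running","PC\jais","0:00:00","N/A"
"svchost.exe","1760","Console","0","2,300 K","Running","PC\jais","0:00:00","N/A"
"dfjhw.exe","1808","Console","0","1,540 K","Running","PC\jais","0:00:00","N/A"
"cmd.exe","1900","Console","0","2,400 K","Running","PC\jais","0:00:00","Command Prompt"
'''


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: one substitution, insertion,
    deletion or swap of adjacent letters counts as 1 (scvhost vs svchost)."""
    prev2: Optional[List[int]] = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent swap
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def classify(image: str, user: str) -> Tuple[str, str]:
    """Verdict and reason for one process, from its name and account only."""
    name = image.lower()
    if name in BASELINE:
        allowed = BASELINE[name]
        if allowed is not None and user.upper() not in allowed:
            return "WRONG_ACCOUNT", f"{image} runs as {user}; genuine copies run only as a service account"
        return "OK", ""
    stem = name[:-4] if name.endswith(".exe") else name
    for known in BASELINE:
        if not known.endswith(".exe") and stem == known:
            return "IMPOSTOR", f"{image} borrows the name of the kernel process '{known}'; there is no such .exe"
    for known in BASELINE:
        if edit_distance(name, known) == 1:
            return "LOOKALIKE", f"{image} is one edit away from {known}"
    return "UNKNOWN", f"{image} is not in the baseline; look it up before killing it"


def triage(tasklist_csv: str) -> List[Dict[str, str]]:
    """One report row per process, with a taskkill command for every suspect."""
    report: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(tasklist_csv.lstrip())):
        verdict, reason = classify(row["Image Name"], row["User Name"])
        report.append({
            "pid": row["PID"], "image": row["Image Name"], "user": row["User Name"],
            "verdict": verdict, "reason": reason,
            # Kill by PID, not /im: an impostor that copies a real name exactly
            # would otherwise take the genuine process down with it.
            "kill": "" if verdict == "OK" else f"taskkill /f /pid {row['PID']}",
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_TASKLIST):
        if entry["verdict"] != "OK":
            print(f"{entry['verdict']:14} {entry['reason']}  ->  {entry['kill']}")
```

On the sample, system.exe is reported as an impostor, explorcr.exe as a look-alike of explorer.exe, the second svchost.exe as running under the user account instead of a service account, and dfjhw.exe as unknown. The script only sees names and accounts; it cannot tell where an image lives on disk, so a process that copies a real name exactly and runs under the right account still needs to be checked by path.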


The ‘Open with’ problem

Posted on May 24, 2008. Filed under: Viruses

Most of you will have had bad luck when connecting USB pen-drives or CDs. These media may carry viruses that are activated through the autorun functionality in Windows, and some of them also store autorun files on the system’s local drives. The result is that the Open With dialog box pops up when you double-click a drive icon, and Explore may not work either. A virus that I got recently from my USB stick is like that: it stores autorun files in all drives. I also couldn’t change the ‘show hidden files’ setting in Folder Options: after applying the setting nothing happens, and when I go to Folder Options again the setting is back to ‘do not show hidden files’. Removing the autorun files is simple on read-write drives (it is not possible on CD-ROMs/DVD-ROMs). Open a command prompt, go to the root of the inaccessible drive, type the following and press Enter. Before that, you will have to end the process explorer.exe from Task Manager or the command line.

del /a /f c:\autorun.*

Here c:\autorun.* means every file in the root of drive C: named autorun with any extension. /a with no attribute letters selects the files whatever their attributes (hidden, system or read-only), where /a:h would only match files that are still hidden, and /f forces the deletion of read-only files. On a local hard drive there is normally no autorun.inf at all, so anything the command finds there is suspect. Now start explorer.exe again from Task Manager (File > New Task) and all is well. For convenience I have created a batch file that cleans all local drives in an instant when you double-click the .bat file. It is given below.

@echo off
echo Deleting autoruns in C,D,E,F...
rem Explorer must not be running while the launchers are removed
taskkill /f /im explorer.exe
rem /a alone matches the file whatever its attributes; /f forces read-only files
del /a /f c:\autorun.*
del /a /f d:\autorun.*
del /a /f e:\autorun.*
del /a /f f:\autorun.*
start explorer

I would recommend disabling autorun completely: setting the NoDriveTypeAutoRun value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF disables AutoRun for every drive type. If that feels too restrictive, you can bypass autorun for a single insertion by holding down the Shift key while connecting the USB device or while closing the CD tray with the CD in it.
