Sunday, May 18, 2008

SpyShredder : Manual Removal Instruction

Today someone asked me if I could remove Spy-Shredder, as it had become a challenge for him to remove it completely. He said that he had put the free version of AVG Anti-Spyware on the system, found SpyShredder and removed it, but after every restart it reappears again and again.

Tech details:
Spy-Shredder is the successor to the rogue anti-spyware program called SpySheriff. SpyShredder gets installed on your computer without your permission through Trojan programs and other malware. Once installed, the Trojans display message boxes on your screen stating the following:

NOTICE: If your computer has been running slower than normal, it may be infected with Viruses, Adware or Spyware. Spy-Shredder will perform a quick and completely FREE scan of your system for malicious programs.

Here I'm posting a quick and successful guide to remove it manually.

1. First open Task Manager (Ctrl+Alt+Del, or Ctrl+Shift+Esc).

2. Go to the Processes tab and end the following three processes (if they are there): SpyShredder.exe, avp.exe, mgrs.exe

3. Unregister the following files one by one (click Start -> Run and type regsvr32 /u ***, where *** is replaced with each of the following file names, one at a time): SpyShredder.exe, avp.exe, mgrs.exe

4. Go to My Computer and browse to C:\Program Files. Look for a folder named SpyShredder. Delete this folder (hold the Shift key while deleting it so that it is permanently deleted instead of going to the Recycle Bin).

5. Restart the PC.

Spyware Removal

Staying SPYWARE FREE is one of the most important things you can do to keep your PC running smoothly and safely. Spyware will crash your PC, ruin your internet connection and make your internet surfing unsafe, so PLEASE follow this thread exactly. There are two excellent spyware removal apps available, and they are both FREE, so there is no reason not to use them regularly.

The two best apps there are for removing spyware are SpyBot Search & Destroy and Ad-Aware. IT IS IMPERATIVE THAT YOU USE BOTH OF THESE APPS, SINCE ONE FINDS WHAT THE OTHER MISSES AND VICE VERSA; YOU ARE NOT SAFE USING JUST ONE OF THEM.

There is one other app that I HIGHLY recommend, for spyware prevention: SpywareBlaster. This app sets certain registry entries that prevent spyware from ever installing. It DOES NOT run in the background using any resources; you just set it and forget it.

Once you have installed these three MUST HAVE apps you then need to update them and keep them up to date. I would recommend checking for updates weekly. It's just like your antivirus app: you need to stay protected from the latest spyware out there.

To update SpyBot, just open the app from your Start menu (use the advanced mode option) and select "Search for updates". It will then show you what updates are available for download; always install all the updates. Another feature that SpyBot has is called "Immunize", and you will see an icon for it. Select the icon and, under "Permanent Internet Explorer Immunity", select "Immunize". This works in the same way as SpywareBlaster in blocking new spyware. It also gives you the option of locking your hosts file against hijackers; I highly recommend using this option as well. To update Ad-Aware, just open it and select "Check for updates now".

For SpywareBlaster it is mostly the same: open it up and select "Check for updates". Once you have updated, you must then select "Select all" and then "Protect against checked items" so that the updates you just downloaded take effect.

Anything these apps find is spyware and should be removed. If you choose not to remove what is found, then you have no one to blame if your PC crashes due to spyware or your privacy is invaded (including these companies stealing your credit card number and identity). I recommend doing weekly scans and, as I have already said, ALWAYS remove anything they find to keep yourself safe.

“Putta.com” and “Speedy.bat” Viral's Solutions


W32.Imaut.U

Discovered: January 6, 2007

Updated: February 13, 2007 1:03:11 PM

Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations. Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
· How to disable or enable Windows Me System Restore
· How to turn off or turn on Windows XP System Restore

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents. For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder

Remove W32.Imaut

Category:
Worm, Threats
W32.Imaut.CO propagates via USB media drives and instant messaging clients, using malicious attachments and links.
Other Alias: -
Threat Level: Low
Systems Affected: Windows - All

More:
W32.Imaut.CO on SSR
1. Temporarily disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Reboot the computer in Safe Mode.
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/modify any values added to the registry. Navigate to and delete the following entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"MSN Messengger" = "%System%\MsRun32.exe"

Restore the following registry entries to their original values, if required:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe MsRun32.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NofolderOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\"shared" = "%DriveLetter%\True_Love.exe"

6. Exit the registry editor and restart the computer.
7. To make sure that the threat is completely eliminated from your computer, carry out a full scan of your computer using antivirus and antispyware software. Another way to delete the virus, using various antivirus programs without the need to install them, is an online virus scanner.
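As an added example (not from the original post), the following script audits the registry values listed in step 5 and reports which ones still deviate from their clean defaults after cleanup. The expected clean values are an assumption based on Windows XP defaults; the reader function is injected so the logic can be exercised offline against a constructed snapshot, and winreg_reader is the hypothetical live reader for a Windows host.

```python
# Added example (not from the post): audit the registry values W32.Imaut changes.
from typing import Any, Callable, Dict, List, Optional, Tuple

HKCU, HKLM = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POL_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POL_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SHOWALL = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
SHARES = r"Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares"

# (hive, key path, value name, clean value); None means the value should not exist.
# Clean values are the Windows XP defaults (assumption); registry names ignore case.
CHECKS = [
    (HKCU, RUN, "MSN Messengger", None),
    (HKLM, WINLOGON, "Shell", "Explorer.exe"),
    (HKCU, POL_SYSTEM, "DisableTaskMgr", 0),
    (HKCU, POL_SYSTEM, "DisableRegistryTools", 0),
    (HKLM, SHOWALL, "CheckedValue", 1),
    (HKCU, POL_EXPLORER, "NoFolderOptions", 0),
    (HKCU, SHARES, "shared", None),
]
Snapshot = Dict[Tuple[str, str, str], Any]
Reader = Callable[[str, str, str], Optional[Any]]

def same_value(current: Any, clean: Any) -> bool:
    # Compare as Windows would: an absent policy DWORD acts as 0, strings ignore case.
    if clean == 0 and current in (None, 0):
        return True
    if isinstance(current, str) and isinstance(clean, str):
        return current.strip().lower() == clean.lower()
    return current == clean

def audit(read: Reader) -> List[Tuple[str, str, str, Any, Any]]:
    """Return (hive, path, name, current, clean) for every value that deviates."""
    findings = []
    for hive, path, name, clean in CHECKS:
        current = read(hive, path, name)
        if not same_value(current, clean):
            findings.append((hive, path, name, current, clean))
    return findings

def snapshot_reader(values: Snapshot) -> Reader:
    """Reader over a constructed {(hive, path, name): value} dict, for offline testing."""
    return lambda hive, path, name: values.get((hive, path, name))

def winreg_reader(hive: str, path: str, name: str) -> Optional[Any]:
    """Live-registry reader; Windows only, since winreg does not exist elsewhere."""
    import winreg
    root = {HKCU: winreg.HKEY_CURRENT_USER, HKLM: winreg.HKEY_LOCAL_MACHINE}[hive]
    try:
        with winreg.OpenKey(root, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:  # key or value absent
        return None
```

On the affected machine, `audit(winreg_reader)` lists exactly the values that step 5 still needs to delete or restore; an empty result means the listed keys are back at their defaults.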

Remove Newfolder.exe virus

Trouble:
One of our readers reported a virus on his pen drive: the drive is infected with the Newfolder.exe virus. He has some very crucial data on the drive, so he cannot format it.
The New Folder.exe virus disables Task Manager, the registry editor, Folder Options, and the Run option in the Start menu. The virus creates .exe files with a folder icon and the same name as the folder they sit in; it also consumes more than 50% of your processor, which slows down your computer.
Let's see how we can remove this virus without formatting the drive.
Fix:
To remove the Newfolder.exe virus you can use two tools. There is also a manual procedure, but the tools mentioned below are much better:
Tools to remove the Newfolder.exe virus
1. Newfolder virus removal tool by Muhammad Abdullah. Download it from www.od3n.net/download
2. Newfolder virus removal tool by Albin. Download it from www.downloads.andymanchesta.com
Both of these are executable files. Download either one of them and run it by double-clicking on it; it will clean the virus.
If you have any problem using either of the above tools, please let us know through the comments.

Virus Detection avoidance Techniques

Viral programs have almost no defense at all against disinfection. 99% of viruses are almost trivially simple to get rid of, simply by replacing the "infected" file (or boot sector) with an original copy. (Some more recent boot sector and system viruses require slightly more knowledge in order to perform effective disinfection: none require drastic measures.) Far from their image as the predators of the computer world, viral programs behave much more like prey. Their survival is dependent upon two primary factors: reproductive ability and avoidance of detection.

Using the standard system calls to modify a file leaves very definite traces. The change in a file "creation" or "last modified" date is probably more noticeable than a growth in file size. File size is rather meaningless, whereas dates and times do have significance for users. Changing the date back to its original value, however, is not a significant programming challenge. Adding code while avoiding a change in file size is more difficult, but not impossible. Overwriting existing code and adding code to "unused" portions of the file or disk are some possible means. (The fictional rogue program P1, in Thomas Ryan's "The Adolescence of P1", avoided problems of detection by analyzing and rewriting existing code in such a manner that the programs were more compact and ran more efficiently. Such activity has not yet, alas, been discovered in any existing virus.) Some viral programs, or rather, virus authors, rely on psychological factors. There are a number of examples of viruses which will not infect program files under a certain minimum size, knowing that an additional 2K is much more noticeable on a 5K utility than on a 300K spreadsheet.

In a sense these are all "stealth" technologies, but this term is most often used for programs which attempt to avoid detection by trapping calls to read the disk and "lying" to the interrogating program. By so doing, they avoid any kind of detection which relies upon perusal of the disk. The disk gives back only that information regarding file dates, sizes and makeup which was appropriate to the original situation. (This also relies upon the virus being "active" at the time of checking.)

Although this method avoids any kind of "disk" detection, including checksumming and signature scanning, it leaves traces in the computer's memory which can be detected. (Some viral programs also try to "cover their tracks" by watching for any analysis of the area they occupy in memory and crashing the system, but this tends to be noticeable behavior...)

FUNGENA.CVP 911202
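The point above, that a restored date and an unchanged size hide a modification from metadata checks while a checksum still catches it, can be demonstrated directly. The following is an added example and not part of the original text; it builds a constructed sample file, overwrites part of it in place (same length), puts the original modification time back, and compares what each kind of check records.

```python
# Added example, not from the text above: a size-preserving, timestamp-restoring
# patch of a constructed file is invisible to size/date checks but not to a checksum.
import hashlib
import os
import tempfile
from typing import Dict, Tuple

def fingerprint(path: str) -> Dict[str, object]:
    """What a metadata check (size, mtime) and a checksum check each record."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}

def changed_fields(before: Dict[str, object], after: Dict[str, object]) -> Tuple[str, ...]:
    """Names of the recorded fields whose value differs between two fingerprints."""
    return tuple(k for k in before if before[k] != after[k])

def demo() -> Tuple[bool, bool]:
    """Return (metadata_noticed, checksum_noticed) for the in-place modification."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "util.com")  # constructed sample "program"
        with open(target, "wb") as fh:
            fh.write(b"\x90" * 16 + b"ORIGINAL-CODE-SEGMENT" + b"\x00" * 16)
        before = fingerprint(target)
        st = os.stat(target)
        # Overwrite existing bytes with the same number of bytes: size unchanged.
        with open(target, "r+b") as fh:
            fh.seek(16)
            fh.write(b"PATCHED--CODE-SEGMENT")
        # Put the modification time back, which the text notes is trivial to do.
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        after = fingerprint(target)
        diff = changed_fields(before, after)
        return ("size" in diff or "mtime_ns" in diff), ("sha256" in diff)

if __name__ == "__main__":
    print("metadata noticed: %s, checksum noticed: %s" % demo())
```

As the text goes on to say, a stealth virus that is active in memory can lie to fingerprint() just as it lies to any other disk read, so a checksum comparison is only trustworthy when run from a known-clean boot medium.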

Remove W32/Drowor.worm

W32/Drowor.worm may be sent around using the deceiving filename "Google Earth .scr", having a file size of 58.736 bytes decimal.

Aliases:
· TR/VB.aei (H+BEDV)
· Virus.Win32.Drowor.b (Kaspersky)
· W32/Drowor (McAfee)
· Win32.Drowor.A (Virusbuster)
· Worm.VB-117 (Clamav)
· Worm/VB.6.A (Grisoft)

Characteristics:
The file is written in MSVB5 and is not internally compressed with a packer. Upon running it in our test environment, an error message was encountered saying that it needs the dynamic link library called "thumbs .db". It did not copy itself to another location on the system, nor did it drop other files or make registry entries. It failed to spread to other test systems in our test environment. Looking at the code, it seems to have Asian origin, possibly Indonesian; an example is the word "Surabaya". It tries to modify the file autoexec.bat to display a message upon system start: "Don't kill me, i'm just send message from your computer". If msvb60.dll gets copied to thumbs .db, it might infect other binary files that are in the same directory the malware was run from. These infected files are also detected as W32/Drowor. The infection routine does not always work.

Symptoms:
· Presence of the file "Google Earth .scr", having a file size of 58.736 bytes decimal.
· Unexpected messages appearing with Asian origin, possibly Indonesian; an example is the word "Surabaya".
· Modified autoexec.bat displaying a message upon system start: "Don't kill me, i'm just send message from your computer"
· Modified PE binary files

Method of Infection:
Manual infection; there is no exploit associated with it.

Removal:
All Users: Use current engine and DAT files for detection and removal. Modifications made to the system registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher). Additional Windows ME/XP removal considerations

Remove Subhya Virus

By using the latest antivirus you can get protection from the "Surabhaiya Virus". But...

After cleaning the virus, you may still get the message every time you log in (after a restart). Here is the way to remove the message:
1. Delete autoexec.bat from '\Documents and Settings\user', if there is one.
2. Run Regedit, search for 'surabaya' and delete the two entries related to the message.
That's all.

Note:
If you find that all your folders have a file size of 40K (which is not supposed to be the case), it is a virus. It hides your original folder and creates one dummy folder (the virus). If you have any removable device like a thumb drive or USB HDD, it will create autorun.inf and two more files like thums*.* on it. So when you insert the infected thumb drive or USB HDD into another PC, it will automatically infect that PC unless that PC has a very good antivirus to block it. Even if the antivirus manages to kill the virus, you may have problems opening your thumb drive or USB HDD (Windows will prompt you for which program to use to view the file). This is because of the autorun.inf.

To gain access back to your USB device, in Windows Explorer type your drive letter into the address bar, like F:. Once you gain access to the drive, change the folder options to show all files, including hidden files. The file will most likely be marked as Hidden, System and Read Only. If after changing the folder option setting you still can't find the file, go to the Command Prompt (CMD):
1. Type in your USB device drive letter (for example F:) and press Enter.
2. Type the following command and press Enter: attrib autorun.inf -s -h -r
3. Then type: DEL autorun.inf
Now you should be able to view the file. Erase that file, then remove and reattach the USB device, and now you can view your USB device.
4. Also unhide and delete the file thumb*.* from your C: drive or from the root directory of your thumb drive or USB HDD: attrib thumb*.* -s -h -r and press Enter, then DEL thumb*.*
5. To unhide all hidden folders: ATTRIB -s -h -r /D /S and press Enter.
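Before deleting the autorun.inf as described above, it is worth seeing what it would have launched, since that names the dropped executable to look for as well. The following is an added example, not part of the original note: it parses the [autorun] section and lists every directive that runs something when Windows processes the drive. The sample file content is constructed for illustration; inspect_drive is a hypothetical helper that reads autorun.inf from a given drive root.

```python
# Added example, not from the post: read an autorun.inf found on a USB drive and
# list the directives that would execute something when Windows processes it.
import os
from typing import Dict, Optional

# Constructed sample in the shape the note describes: a hidden autorun.inf that
# points at a dropped "thumb" executable. Not a real capture.
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample for illustration
open=thumb1.exe
shell\open\Command=thumb1.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
label=USB DISK
"""

def launch_targets(text: str) -> Dict[str, str]:
    """Map each code-executing directive in the [autorun] section to its target."""
    targets: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop INF comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open= and shellexecute= run directly; shell\<verb>\command= runs via the menu.
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = value
    return targets

def inspect_drive(root: str) -> Optional[Dict[str, str]]:
    """Return launch targets from <root>/autorun.inf, or None if the file is absent."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return launch_targets(fh.read())
```

Hidden+System attributes do not stop os.path.isfile from finding the file, so `inspect_drive("F:\\")` works before the attrib/del steps above; every target it reports is a file to unhide and delete along with autorun.inf.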
