Virus Prevention and Removal

  • Bien
  • Topic Author
  • Platinum Boarder
11 years 9 months ago - 9 years 10 months ago #69687 by Bien
Virus Prevention and Removal was created by Bien
This series is a step by step on Autoplay viruses, prevention, and solutions. PM me if there should be corrections or additions. I'm going to keep this thread locked so it doesn't get long on mere comments. ^^

To prevent being easily infected with autorun viruses and worms from USB flash drives, iPods, etc.

Disable Autoplay on XP:

click Start
click Run
type: gpedit.msc
click administrative templates
click System
click Turn off Autoplay
click Enable and "set to All drives"
click Apply
close window

Note: do this for both "Computer" and any "User" Configurations.

OR: scroll down this thread and see kidlatatbp's post. ^^
When doing battle with viruses, it's always best to be able to see your enemy! Do this on your server. Make it a policy for your customers to have their flash drives checked by you before they can plug them into your client PCs.

Set Explorer to view all hidden files.

Open My Computer
Click Tools> Folder Options> View
-select "Show hidden files and folders"
-remove check on "Hide extensions of known file types"
-remove check on "Hide protected operating system files"
-click Apply
Never ever open a removable drive in My Computer. Just don't open My Computer when there's a flash drive of any sort in your USB port or a floppy disk in your floppy drive.

- When opening flash drives, right click Start > Explore
- Navigate to your flash drive on the left panel. You should be able to view the contents on the right panel without double clicking. If you see the familiar autorun virus files (exe, bat, htt, ico, vbs, usually blue box icons or green paper scrolls), delete them right away! Unplug the flash drive. Check Task Manager for running programs (for Disk Knight, you have to do this before deleting the files so they don't come back) and close the apps and processes. Replug the drive.

Disable Autoplay on XP Home

There is no gpedit.msc on XP Home. Copy the following lines into Notepad. Save it as "Disable Autoplay.reg" on your desktop. Double click it to run and it should automatically edit your registry for you.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000b5

If you want the CD autoplay to keep working, change b5 to 95.

Note: you can also run regedit, search for NoDriveTypeAutoRun, and change the value manually.
Post edited by: Bien, at: 2008/03/31 10:19
Also read Troublefree Windows
The topic has been locked.
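As an added illustration (not code from Bien's post), the script below decodes the NoDriveTypeAutoRun bitmask that the .reg file above writes, so you can see exactly which drive types the value 0xb5 switches AutoRun off for, and what changing b5 to 95 turns back on. The bit names follow Microsoft's documentation of the value; the function names (autorun_disabled_for, autorun_still_allowed_for, parse_nodrivetype, reg_file) are this example's own.

```python
import re
from typing import Dict, List

# One bit per drive type, as reported by GetDriveType. Names follow Microsoft's
# documentation of NoDriveTypeAutoRun; the post itself only gives the two final
# hex values (b5 and 95).
DRIVE_TYPE_BITS: Dict[int, str] = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",    # USB sticks, MP3 players, floppies
    0x08: "DRIVE_FIXED",        # internal hard disk partitions
    0x10: "DRIVE_REMOTE",       # network shares
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNKNOWN_2",    # documented as a second "unknown type" bit
}

REG_HEADER = "Windows Registry Editor Version 5.00"
REG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# The .reg file from the post, reproduced as sample input for the parser.
POST_REG_TEXT = (
    REG_HEADER + "\r\n\r\n"
    + "[" + REG_KEY + "]\r\n"
    + '"NoDriveTypeAutoRun"=dword:000000b5\r\n'
)


def _check_mask(value: int) -> None:
    if not 0 <= value <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is an 8-bit mask")


def autorun_disabled_for(value: int) -> List[str]:
    """Drive types whose AutoRun the mask switches off (set bits)."""
    _check_mask(value)
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if value & bit]


def autorun_still_allowed_for(value: int) -> List[str]:
    """Drive types the mask leaves AutoRun enabled on (clear bits)."""
    _check_mask(value)
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if not value & bit]


def parse_nodrivetype(reg_text: str) -> int:
    """Extract the NoDriveTypeAutoRun dword from .reg text, or raise if absent."""
    m = re.search(r'^"NoDriveTypeAutoRun"=dword:([0-9a-fA-F]{1,8})\s*$',
                  reg_text, re.MULTILINE)
    if m is None:
        raise ValueError("no NoDriveTypeAutoRun value in this .reg text")
    return int(m.group(1), 16)


def reg_file(value: int) -> str:
    """Build a .reg file like the post's for any mask (CRLF line ends, as regedit writes)."""
    _check_mask(value)
    return (REG_HEADER + "\r\n\r\n[" + REG_KEY + "]\r\n"
            + '"NoDriveTypeAutoRun"=dword:%08x\r\n' % value)


if __name__ == "__main__":
    for mask in (parse_nodrivetype(POST_REG_TEXT), 0x95, 0xFF):
        print("0x%02x disables: %s" % (mask, ", ".join(autorun_disabled_for(mask))))
        print("      still on: %s" % (", ".join(autorun_still_allowed_for(mask)) or "nothing"))
```

Running it shows that 0xb5 and 0x95 differ in exactly the DRIVE_CDROM bit (0x20), that both cover DRIVE_REMOVABLE (the USB sticks and MP3 players the thread is about), and that neither sets the DRIVE_FIXED bit (0x08) for hard disk partitions. 0xb5 is what the gpedit choice "CD-ROM and removable media drives" writes; the "All drives" choice from the steps above corresponds to 0xff, which reg_file(0xFF) produces for an XP Home machine.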

11 years 8 months ago - 10 years 8 months ago #72506 by Bien
Replied by Bien on topic Virus Prevention and Removal
First things first, let's get our tools ready. This is Autorun Virus Removal 101. I'll try to make this as simple as I can so you'll be able to remove at least most of the autorun viruses out there.

- Make sure you have the latest updates for your antivirus.

- Download: Killbox Utility

- Make sure your Explorer is set to view all hidden files (Open My Computer > Folder Options > View > remove the check in the two "Hide" entries and also click on "Show hidden files and folders"; read my previous post).
- Turn off the XP autoplay feature (if you haven't done it yet, read my post above) and reboot, to hopefully disable the autorun file from launching more copies.

Ok, now you're pretty much ready to kick this thing in the balls...

- In IE Tools > Internet Options > delete all cookies, URLs, and temporary internet files. (Some viruses launch from the internet using your browser start page. Set your start page to "about:blank".)

- Right click Start > Explore
Navigate to your C drive. You should find a file named autorun.inf; rename it to autorun.txt. Some viruses hide their autorun launchers in Windows > System32; look for autorun.ini.

- Open the *.txt file

- Note the files used to launch or run the virus (like xmss.exe, document.exe, *.vbs, *.bat, *.ico, etc). These are usually hidden files.

- Using the search feature, find these files and delete them. Remember to include "hidden files", otherwise search may not find them. DO NOT DELETE normal Windows files! List them from another good PC so you'll be familiar with them.

- If Windows says "file is in use", note or copy the location of the file and paste it in Killbox. Click on the red button with an X on it to kill and delete the file.

- Move on to the next file in your autorun list and do the same steps till you've got them all. Do another search sweep to make sure none of them came back.

- Do a full system scan with your antivirus. Delete any files in its quarantine folder.

- Open regedit (Start > Run > type Regedit > press Enter) and delete any entries regarding the files in your autorun list. Start the search from "My Computer" in the left hand panel. Make sure it is a rogue entry!!! You might delete a different entry. Double check before pressing Delete and Yes. ^^

- Reboot PC.

- Check your other drives and partitions for any of the same hidden files and delete them (they should go away without any fuss now).

Done! Hopefully...
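As an added example, not code from the thread, here is a small Python parser for the autorun.inf you rename to autorun.txt in the steps above. It pulls out every file the [AutoRun] section would launch (open=, shellexecute=, and each shell\verb\command= entry) plus the icon file, so the list of launcher files to hunt for is produced mechanically rather than by reading the file by eye. The sample autorun.inf is constructed for this example, using the launcher names the post mentions (xmss.exe, document.exe); the function names (parse_autorun_inf, launch_targets, icon_file, triage) are this example's own.

```python
from typing import Dict, List

# Constructed sample in the shape of the autorun.inf files the post describes,
# using the launcher names it mentions (xmss.exe, document.exe). It is not a
# capture from the thread; it is here so the parser runs offline.
SAMPLE_AUTORUN_INF = """\
; constructed sample, not a real capture
[AutoRun]
Open = xmss.exe -s
icon=xmss.ico,0
shellexecute="document.exe"
shell=open
shell\\open=Open
shell\\open\\Command=xmss.exe
shell\\explore=E&xplore
shell\\explore\\command=xmss.exe

[DeviceInstall]
DriverPath=drivers
"""

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Key/value pairs of the [AutoRun] section, keys lower-cased.

    Section and key names are matched case-insensitively, as Windows does;
    comment lines (';'), blank lines and other sections are skipped.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command_line: str) -> str:
    """Program name from a command line: the quoted path, or the first
    whitespace-delimited token; arguments are dropped."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    parts = s.split()
    return parts[0] if parts else ""


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Files the section would execute: open=, shellexecute=, and every
    shell\\<verb>\\command= entry (the verbs Explorer adds to the drive's
    right-click menu and double-click action)."""
    targets = set()
    for key, value in entries.items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command:
            prog = first_token(value)
            if prog:
                targets.add(prog)
    return sorted(targets)


def icon_file(entries: Dict[str, str]) -> str:
    """File the icon= entry points at ("file,index" form has the index stripped)."""
    return entries.get("icon", "").split(",")[0].strip()


def triage(text: str) -> Dict[str, object]:
    """Everything the post says to note down from the renamed autorun.txt."""
    entries = parse_autorun_inf(text)
    return {"launches": launch_targets(entries), "icon": icon_file(entries)}


if __name__ == "__main__":
    result = triage(SAMPLE_AUTORUN_INF)
    print("search for and delete (hidden files included):")
    for name in result["launches"]:
        print("  ", name)
    if result["icon"]:
        print("icon file:", result["icon"])
```

Feed it the renamed autorun.txt copy; the names it returns are what to search for with hidden files included, as the post says, and the shell\verb\command entries explain why double-clicking the drive in My Computer is what runs the launcher.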
11 years 8 months ago - 10 years 7 months ago #73446 by Bien
Replied by Bien on topic Virus Prevention and Removal
Print this to guide you while you work. This post is long only because I want to explain properly the reason for each step I'm going to give. The actual steps are short, but some people need to understand the "why's".

It's really hard to remove those pesky autorun viruses sometimes. Even with your antivirus updated, they seem to never run out on your hard disk. Don't panic! There's a simple way to do this. If you're too lazy to read this, then just call a technician. ^^

There are online antivirus websites that offer online scanning of your system. But because they're online, they take too long. Another thing: since you're scanning a Windows system you booted from, most likely, after it removes one virus file, other files of the same virus will just put it back. So it's kinda useless for some viruses. Those who tried to manually delete these files know what I'm talking about. Antivirus software can only scan your files one at a time. They are more effective at "preventing" infections. Once infected, it's a totally different story since the virus is up and running, replicating files deleted by your antivirus.

Ok ok... so, you're not computer savvy, but do you think you can handle a screwdriver? At least, do you think you're familiar with the "insides" of your CPU? If not, take a couple of hours to read your motherboard manual, and all the manuals that you accumulated for your PC. Be familiar with it, because you have no business "operating" on your system unit with a status of "ignoramus". Hehehe, at least know how to connect your hard disk.

Unplug your computer. Open your system unit casing, and remove your hard disk! (If this is your first time doing it, get a flashlight and take a mental picture of the cable connections, or better yet, draw it on paper (note: one side of an IDE cable has a red wire), or check with your manual.) If the RAM (memory module) is in the way, remove it first (obviously).

Go to another PC (there's probably no LAN shop with only one PC, right?). Just avoid your infected PCs, or the viruses on the HD might just multiply further.

If all your PCs are infected by the "stubborn virus" (scan it twice with your antivirus; nothing should turn up on the 2nd scan), then format one, install the OS and your antivirus (update it). Don't add it to your local workgroup yet so the virus doesn't spread to it through the network. Actually, after updating the antivirus, best remove it from the network completely by unplugging the UTP cable. Now you have a PC ready to fix all your hard disks!

Disable the autoplay of that PC first, if you haven't done it yet (this is one of the first things to do after installing the mobo drivers).

Change your problem hard disk's jumper from master to slave. (If you don't know how to do this, you're not reading what's written on your hard disk.)

Connect it to the newly formatted PC (oi oi, don't forget to turn off the power! Do you want your PC to go up in smoke?).

Turn on the PC. Right click Start > Explore. Make sure your hard disk is there. Don't do this by opening My Computer on your desktop!!! Your scanning hard disk might get infected too, which would be a waste.

If you're using AVG, go to Test Center. Select "Scan Selected Areas". Select your problem drive (or partitions).

Scan.

After the antivirus has scanned the hard disk, open it by right clicking Start > click Explore and navigate down to your hard disk on the left panel (a single click only, not a double click! Better use the arrows on your keyboard). If it was an autorun virus, the autorun.inf file will be left on your C drive, and in any other partition that hard disk has. Delete those too.

Done! Put it back in the PC it came from. Should be virus free now. Hey, don't forget to put the hard disk's jumper back to "master".

Can't get any easier than that. Once you get used to it, depending on how much data is on the HD, you should have your problem PC up and running in less than an hour. ^^

Post edited by: Bien, at: 2008/06/13 10:34
11 years 7 months ago - 10 years 7 months ago #73847 by Bien
Replied by Bien on topic Virus Prevention and Removal
Here's a nifty tool for removing viruses like:

HBG "Hacked by Godzilla"
TLA "Taga Lipa Are" - and other variants.
Baguio Strawberry Worm
Yahoo! Worm Sohanad
Funny UST
Krag
ImgKulot
Bar311

Download Noob Killer

Exit your antivirus before running this! Especially if you're using AVG. The new AVG hasn't fixed its "false positive" on this tool yet.

It was made by Leerz. Last time I checked, his tool only covered the Taga Lipa virus. Now there are even fixes for some of the registry entries viruses tend to disable or change to prevent removal.

Don't forget to update! Yes, Leerz is fancy now, and his Noob Killer has update capability.

I advise using the tool as soon as you suspect or confirm infection by these viruses to minimize the damage (which means you haven't read a thing I wrote before this, otherwise you wouldn't be infected). Another great thing about it is, it kills the processes on the fly. No need to boot from another PC. Just let it run, sit back, and wait for it to finish.

Another nifty job it does is that it removes any autorun.inf hidden in your root drives. ^^

When scanning is done and the pc is rebooted, you may now try restoring your system settings under Tools > Registry patches.

Note: If there's no floppy in your floppy drive, it may make some noise. No biggie. just the program checking if there's an infected floppy there. If you let it scan on 8-X, it would rattle your floppy drive many times. ^^
11 years 5 months ago #80558 by Bien
Replied by Bien on topic Virus Prevention and Removal
Sometimes a picture is worth a thousand words...

Did this in Paint, so I apologize for the rough work. Trying to finish this before I put it off again for another day. lolz.

Got these virus pics off an MP3 player and a flash drive. Will add more as soon as I get hold of more screenshots.

Again, never open a drive in My Computer. If you don't know where, read my previous posts here...

Sometimes, the antivirus will get there before you can delete the file.

Rename the autorun.inf to autorun.txt so you can safely read which files you should delete.

Editing the registry

11 years 3 months ago - 11 years 1 day ago #89570 by Bien
Replied by Bien on topic Virus Prevention and Removal
Spybot Search and Destroy: download

This is a must have for me especially for units without Deep Freeze or SteadyState.

Update and immunize immediately after installing.

Go to Advanced options, click on Settings, then open "Ignore Products".

Uncheck all entries, making sure all possible infections will be removed. Uncheck Cdilla, etc. (about 3-4 entries in all are ignored by default).

Reboot, press F8 before the Windows logo comes up, and go to Safe Mode. Open Spybot and scan. Let it finish then fix all findings. Reboot normally.

If the TeaTimer is slowing down your bootup (and you have SteadyState, Deep Freeze, or any other system locking software anyway), you can disable it after scanning, or uninstall Spybot altogether.

To just disable TeaTimer:

in the Spybot menu, click Mode
click Advanced mode
click Tools
click Resident
uncheck Resident "TeaTimer" (click allow changes if prompted by Spybot)
close the Spybot window.

now your system should boot faster, but bear in mind you have to protect the system another way.
10 years 5 months ago - 10 years 5 months ago #125759 by kidlatatbp
Replied by kidlatatbp on topic Virus Prevention and Removal
perhaps you can try this to prevent AUTORUN.INF files from being used on your PC, from any medium

to quote from the source:

"... it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables..."

here's the link:
nick.brown.free.fr/blog/2007/10/memory-stick-worms
Mod Bien: Nice find. Moved it to our locked autorun virus prevention. ^^
9 years 9 months ago #174407 by Bien
Replied by Bien on topic Virus Prevention and Removal
Often times, flash drives get infected by autorun viruses and folders seem to disappear, making the owner think that they have been erased. More often than not, these folders have only been hidden from view by the virus.

Even though folder view lets you see them, sometimes their hidden attributes cannot be changed by simply unchecking the drive's "Hidden" property.

Make sure the drive is free from viruses.

To restore them to their normal state:

click Start > then select Run
type cmd
press Enter and a DOS command window should appear
type:

attrib x:\*.* /d /s -h -r -s

note: x is your flash drive letter.

press Enter.

Now all folders and files should be in normal view.