
Just remembered something: you can use Prefetch on XP to see which programs have been executed. If you see a suspicious file, just Google it. To access Prefetch, type prefetch in Start -> Run. Not sure about Vista.

On 7/3/09, Mr. Lawi <mail2lawi@gmail.com> wrote:
@David I have worked with one such, and if it is the one on your machine then this will help: look for a file called winweb.exe in windows\system32. It loads 2 dll files on boot - iconhandle.dll and webad.dll in the sys32 folder. You can't remove this while explorer is running. Start Task Manager, go to Processes, right click on explorer and end all processes. Only the Task Manager will be left running. In taskmgr, start a new program, cmd, then in cmd go to sys32 and remove those 3 files: winweb.exe, webad.dll and iconhandle.dll. I usually rename for safety's sake. Reboot your machine and you are good to go.
On 7/3/09, David Mugo <raidarmax@gmail.com> wrote:
Thanks... solution to this? Anyway, I will give it more time and if I get a solution I will share...
David.
On Thu, Jul 2, 2009 at 10:32 PM, Dennis Kioko <dmbuvi@gmail.com> wrote:
David,

Disclaimer: The set of instructions mostly works for flash disks. They might work on HDDs as well, but if a virus is already on an HDD then most probably there is a service/daemon/dll running in memory regenerating the virus files. That's what anti-viruses are for. But they can be removed - manually.

That applies to your case. A service keeps recreating the virus.

Try the instructions in safe mode.

If all fails, do a re-install with an immediate antivirus installation, complete with updates.

Please note that some viruses disable your antivirus from updating in case you are using old updates that don't detect them. McAfee claims that the "program rejected the updates". In such a case, uninstall -> install -> update immediately.

2009/7/3 David Mugo <raidarmax@gmail.com>
Hey,
Mine recreates as soon as I delete; any advice?
David.
On Thu, Jul 2, 2009 at 9:52 PM, nyarotho kennedy <kenyarotho@gmail.com> wrote:
You are better than Mortein Doom! Even Louie the pest would cringe at your sighting! Thanks for the tutorial, it goes a long way!
Hi Guys,
I thought I should post something about removing viruses:

Step 1: Run the virus scan on the flash drive. If you don't have an AV or feel that it missed something, proceed to step 2.

Step 2: The rest

There is this virus family that hides all folders in a flash and creates new files with the original folder name, appending a .exe. So if you had a folder called Docs, you will see Docs.exe. If you have not enabled display of file extensions, the .exe part will not be seen, so all you will see is Docs. You double click it thinking it's your folder, and that executes the virus.

This is what I do:

I DO NOT double click on a flash drive directly in My Computer (actually that's what I do not do). After ascertaining the drive letter (let's say it's G:), go to Start -> Run -> cmd, then move to the root of the flash:

C:\Documents and Settings\etc>G:

Type dir /a. This shows all the folders (like ls -a in Linux), including hidden ones:

G:\>dir /a

If you do see autorun.inf you can check what file it activates by typing:

G:\>more autorun.inf

(There is more in Windows, yey! No less, though :)) From the output you can see the file/virus being called by the autorun.inf. Autorun.inf gets executed when you double click on the drive letter in My Computer.

Remove the autorun.inf:

G:\>attrib -h -r -s autorun.inf

This removes the s(ystem), r(ead only) and h(idden) attributes. On Linux/cygwin, you can do chmod 777 autorun.inf.

G:\>del autorun.inf

Removing the 'fake' .exe folders:

G:\>dir *.exe

This will list all .exes. You can delete all of them by using del *.exe. However, deleting one by one is recommended since you might have a valid .exe file on your flash - like firefox_3.05.exe.

G:\>del Docs.exe
Access Denied

If you get the Access Denied error, it's most probably because of file attributes -
sometimes the virus sets them as system files or read only.

This command resets all the attributes:

G:\>attrib -h -r -s Docs.exe

del Docs.exe should now work. Do the same for all .exes. Again, if using cygwin (or if removing from Linux), chmod 777, then rm -i *.exe should do.

Next Step: Displaying hidden folders

The folders in the flash were set to attribute s by the virus, hence making them hidden from normal view. To see them, do a dir /a. A better way is to do a dir /a:s - this will show all files with attribute s(ystem). Again, do a reset of attributes for all folders:

G:\>attrib -s -h -r <foldername>

Guys running cygwin can do this using chmod 777 -R <foldername>.

Summary:
G:\>dir /a
G:\>more autorun.inf
G:\>attrib -h -r -s autorun.inf
G:\>del autorun.inf
G:\>attrib -h -r -s <filename>.exe
G:\>del <filename>.exe
G:\>dir /a:s
G:\>attrib -s -h -r <foldername>

There is other stuff to consider like the SYSTEM, RECYCLER, RECYCLED, etc. folders: going into these will make an already long mail too long. Feel free to explore there and search for and delete virus files. Do not delete the RECYCLER folder.

Disclaimer: The set of instructions mostly works for flash disks. They might work on HDDs as well, but if a virus is already on an HDD then most probably there is a service/daemon/dll running in memory regenerating the virus files. That's what anti-viruses are for. But they can be removed - manually.

It covers only a very small sub-set of viruses/trojans/worms - they mean the same to me :( so an antivirus is still the better option.
-- People should know when they are conquered. _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks Other services @ http://my.co.ke Other lists ------------- Skunkworks announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science - http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi - http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
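The read-only half of the tutorial above (reading autorun.inf for what it launches, and spotting Docs.exe sitting beside a Docs folder), as an added example that is not from the post or its author. It reports and never deletes; the drive root is whatever path you pass (G:\ on Windows, /cygdrive/g under cygwin), and demo() builds a constructed sample layout in a temp directory with empty placeholder files, not real malware.

```python
import os
import tempfile

def autorun_targets(inf_text):
    """Return the programs an autorun.inf would launch (open=, shellexecute=,
    shell\\...\\command=), in file order, deduplicated. Comments and [sections]
    are skipped; icon= and label= lines do not launch anything."""
    targets = []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if sep and launches and value and value not in targets:
            targets.append(value)
    return targets

def decoy_exes(root):
    """List Foo.exe files that sit beside a directory called Foo, the worm's
    fake-folder trick. Comparison is case-insensitive, as FAT names are."""
    names = os.listdir(root)
    dirs = {n.lower() for n in names if os.path.isdir(os.path.join(root, n))}
    return sorted(n for n in names
                  if n.lower().endswith(".exe") and n[:-4].lower() in dirs)

def triage(root):
    """Report, without touching anything, what to look at on this drive."""
    report = {"autorun_targets": [], "decoy_exes": decoy_exes(root)}
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8", errors="replace") as fh:
            report["autorun_targets"] = autorun_targets(fh.read())
    return report

def demo():
    """Constructed sample drive: two decoys, one legitimate .exe, an autorun.inf."""
    root = tempfile.mkdtemp(prefix="flash_")
    for folder in ("Docs", "Photos"):
        os.mkdir(os.path.join(root, folder))
        open(os.path.join(root, folder + ".exe"), "wb").close()  # decoy beside folder
    open(os.path.join(root, "firefox_3.05.exe"), "wb").close()  # no matching folder: legit
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nicon=Docs.exe,0\nopen=Docs.exe\nshell\\open\\command=Docs.exe\n")
    return triage(root)

if __name__ == "__main__":
    print(demo())
```

Run against a real mount point, the reported names are the ones to check with attrib and dir /a before deleting anything; firefox_3.05.exe-style files with no matching folder are left out of the decoy list.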
-- Got any life problems? visit www.dearkenya.com
-- with Regards: Pornography and Technology: Buddies for Life? Find out at my blog: http://gramware.blogspot.com