On 7/3/09, David Mugo <raidarmax@gmail.com> wrote:
> Thanks...solution to this? Anyway, I will give it more time and if I get a
> solution I will share...
>
> David.
>
> On Thu, Jul 2, 2009 at 10:32 PM, Dennis Kioko <dmbuvi@gmail.com> wrote:
>
>>
>> David,
>> Disclaimer:
>> The set of instructions mostly work for flash disks. They might work on
>> hdds as well but if a virus is already on a hdd then most probably there is
>> a service/daemon/dll that is running in memory regenerating the virus files.
>> That's what anti-viruses are for. But they can be removed - manually.
>>
>> that applies for your case. A service keeps recreating the virus.
>>
>> try the instructions in safe mode.
>>
>> If all fails, do a re-install with an immediate antivirus installation,
>> complete with updates.
>>
>> Please note that some viruses disable your antivirus from updating in case
>> you are using old updates that don't detect them.
>>
>> Mcafee claims that the "program rejected the updates"
>>
>> in such a case, uninstall->install->update immediately.
>> 2009/7/3 David Mugo <raidarmax@gmail.com>
>>
>>> Hey,
>>>
>>> Mine recreates as soon as I delete, any advice?
>>>
>>> David.
>>>
>>>
>>> On Thu, Jul 2, 2009 at 9:52 PM, nyarotho kennedy <kenyarotho@gmail.com> wrote:
>>>
>>>> You are better than Mortein Doom! Even Louie the pest would cringe at
>>>> your sighting! Thanx 4 the tutorial, it goes a long way!
>>>>
>>>> On 7/3/09, Mr. Lawi <mail2lawi@gmail.com> wrote:
>>>> > Hi Guys,
>>>> >
>>>> > I thought I should post something about removing viruses:
>>>> > Step 1: Run the virus scan on the flash drive.
>>>> > If you don't have an av or feel that it missed something, proceed to step 2
>>>> >
>>>> > Step 2: The rest
>>>> >
>>>> > There is this virus family that hides all folders in a flash and creates new
>>>> > files with the original folder name and appending a .exe. So if you had a
>>>> > folder called Docs, u will see Docs.exe. If you have not enabled display of
>>>> > file extensions, the .exe part will not be seen. So all you will see is
>>>> > Docs. You double click it thinking it's your folder, and that executes the
>>>> > virus.
>>>> >
>>>> > This is what I do:
>>>> >
>>>> > I DO NOT double click on a flash drive directly in My Computer - (actually
>>>> > that's what I do not do)
>>>> > After ascertaining the drive letter (let's say it's G:), go to Start -> Run -> cmd
>>>> >
>>>> > C:\Documents and Settings\etc>G:
>>>> > Move to the root of the flash
>>>> > G:\>
>>>> > Type dir /a
>>>> > This shows all the folders (like ls -a in Linux) including hidden ones
>>>> >
>>>> > If you do see autorun.inf you can check what file it activates by typing
>>>> > G:\>more autorun.inf
>>>> > (There is more in windows, yey! No less, though :))
>>>> > From the output you can see the file/virus being called by the autorun.inf.
>>>> > Autorun.inf gets executed when u double click on the drive letter on my
>>>> > computer.
>>>> >
>>>> > Remove the autorun.inf
>>>> > G:\>attrib -h -r -s autorun.inf
>>>> > This removes s(ystem), r(ead only) and h(idden) attributes.
>>>> > On Linux/cygwin, u can do chmod 777 autorun.inf
>>>> > G:\>del autorun.inf
>>>> >
>>>> > Removing the 'fake' .exe folders
>>>> > dir *.exe - This will list all .exes
>>>> > You can delete all of them by using del *.exe. However, deleting one by one
>>>> > is recommended since you might have a valid .exe file on your flash - like
>>>> > firefox_3.05.exe
>>>> >
>>>> > G:\>del Docs.exe
>>>> > Access Denied
>>>> > If u get the Access Denied error, it's most probably because of file attributes -
>>>> > sometimes the virus sets them as system files or read only
>>>> >
>>>> > This command resets all the attributes
>>>> > G:\>attrib -h -r -s Docs.exe
>>>> > del Docs.exe should now work
>>>> >
>>>> > Do the same for all .exes
>>>> > Again, if using cygwin (or if removing from linux), chmod 777, then rm -i
>>>> > *.exe should do.
>>>> >
>>>> > Next Step: Displaying hidden folders
>>>> > The folders in the flash were set to attrib s by the virus hence making them
>>>> > hidden from normal view.
>>>> > To see them, do a dir /a. A better way is to do a dir /a:s. This will show all
>>>> > files with attribute s(ystem)
>>>> > Again, do a reset of attributes for all folders:
>>>> >
>>>> > G:\>attrib -s -h -r <foldername>
>>>> > Guys running cygwin can do this using the chmod 777 -R <foldername>
>>>> >
>>>> > Summary:
>>>> > G:\>dir /a
>>>> > G:\>more autorun.inf
>>>> > G:\>attrib -h -r -s autorun.inf
>>>> > G:\>del autorun.inf
>>>> > G:\>attrib -h -r -s <filename>.exe
>>>> > G:\>del <filename>.exe
>>>> > G:\>dir /a:s
>>>> > G:\>attrib -s -h -r <foldername>
>>>> >
>>>> > There is other stuff to consider like SYSTEM, RECYCLER, RECYCLED, etc
>>>> > folders: Going into these will make an already long mail too long. Feel free
>>>> > to explore there and search and delete virus files. Do not delete the
>>>> > RECYCLER folder
>>>> >
>>>> > Disclaimer:
>>>> > The set of instructions mostly work for flash disks. They might work on hdds
>>>> > as well but if a virus is already on a hdd then most probably there is a
>>>> > service/daemon/dll that is running in memory regenerating the virus files.
>>>> > That's what anti-viruses are for. But they can be removed - manually.
>>>> >
>>>> > It covers only a very small sub-set of viruses/trojans/worms - they mean the
>>>> > same to me:( so an antivirus is still the better option.
>>>> >
>>>>
>>>>
>>>> --
>>>> People should know when they are conquered.
>>>> _______________________________________________
>>>> Skunkworks mailing list
>>>> Skunkworks@lists.my.co.ke
>>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>>>> Other services @ http://my.co.ke
>>>> Other lists
>>>> -------------
>>>> Skunkworks announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce
>>>> Science - http://lists.my.co.ke/cgi-bin/mailman/listinfo/science
>>>> kazi - http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
>>>>
>>>
>>>
>>>
>>> --
>>> Got any life problems? visit www.dearkenya.com
>>>
>>>
>>
>>
>> --
>> with Regards:
>> Pornography and Technology: Buddies for Life? Find out at my blog:
>> http://gramware.blogspot.com
>>
>>
>>
>>
>
>
> --
> Got any life problems? visit www.dearkenya.com
>
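
A read-only version of the checks in the quoted tutorial, added here as an example (not code from anyone in the thread): it lists what an autorun.inf in the drive root would launch and which .exe files share a name with a folder beside them, without deleting anything. The function names and the sample layout are assumptions; `open`, `shellexecute` and `shell\<verb>\command` are the autorun.inf keys it looks for.

```python
import stat
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that name a program

def autorun_targets(root):
    """Programs that an autorun.inf in the drive root asks Windows to launch."""
    targets = set()
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            for line in entry.read_text(errors="replace").splitlines():
                key, sep, value = line.partition("=")
                key = key.strip().lower()
                # shell\<verb>\command= entries also name a program
                if sep and (key in LAUNCH_KEYS or key.endswith("\\command")):
                    targets.add(value.strip())
    return sorted(targets)

def folder_lookalikes(root):
    """.exe files whose name (minus .exe) equals a folder in the same place."""
    entries = list(Path(root).iterdir())
    folders = {e.name.lower() for e in entries if e.is_dir()}
    return sorted(e.name for e in entries if e.is_file()
                  and e.suffix.lower() == ".exe" and e.stem.lower() in folders)

def hidden_or_system(root):
    """Entries with the hidden or system attribute; Windows only, else empty."""
    mask = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return sorted(e.name for e in Path(root).iterdir()
                  if getattr(e.lstat(), "st_file_attributes", 0) & mask)

def build_sample(root):
    """Constructed sample layout using the file names from the tutorial."""
    root = Path(root)
    (root / "Docs").mkdir()
    (root / "Docs.exe").write_bytes(b"MZ")          # same name as the folder
    (root / "firefox_3.05.exe").write_bytes(b"MZ")  # a valid .exe, no folder twin
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=Docs.exe\nshell\\open\\command=Docs.exe\n")

if __name__ == "__main__":
    import sys, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else tmp
        if root == tmp:
            build_sample(tmp)  # no drive given: run on the constructed sample
        print("autorun.inf launches:", autorun_targets(root))
        print("folder look-alikes:  ", folder_lookalikes(root))
        print("hidden/system:       ", hidden_or_system(root))
```

Run with a drive root as the argument (for example `G:\`); a file that shows up in both of the first two lists is the one to inspect before any `del`.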