The best way to beat these nasty autorun viruses is to prevent them from infecting your PC. Most of them also change the registry so that they get executed every time you start your computer, so that's why sometimes you can see the culprit .exe file but you just can't delete it. You should start your computer in Safe Mode, edit the registry and under Windows/CurrentVersion/Run, check for suspicious entries with .exe files. Then remove them. And delete the files they point to.
But the best and sure way is to use an AntiVirus like McAfee set to maximum protection; it prevents registry changes and creation of remote autorun files (the kind these viruses create), and this will make sure your computer is virus free.
On Fri, Jul 3, 2009 at 7:27 AM, Mr. Lawi <mail2lawi@gmail.com> wrote:
Hi Guys,
I thought I should post something about removing viruses:
Step 1: Run the virus scan on the flash drive.
If you don't have an AV or feel that it missed something, proceed to step 2.
Step 2: The rest
There is this virus family that hides all folders in a flash and creates new files with the original folder name, appending a .exe. So if you had a folder called Docs, you will see Docs.exe. If you have not enabled display of file extensions, the .exe part will not be seen. So all you will see is Docs. You double-click it thinking it's your folder, and that executes the virus.
This is what I do:
I DO NOT double click on a flash drive directly in My Computer - (actually that's what I do not do)
After ascertaining the drive letter (let's say it's G:), go to Start -> Run -> cmd
C:\Documents and Settings\etc>G:
Move to the root of the flash
G:\>
Type dir /a
This shows all the folders (like ls -a in Linux) including hidden ones
If you do see autorun.inf you can check what file it activates by typing
G:\>more autorun.inf
(There is more in windows, yey! No less, though :))
From the output you can see the file/virus being called by the autorun.inf. Autorun.inf gets executed when you double-click on the drive letter in My Computer.
Remove the autorun.inf
G:\>attrib -h -r -s autorun.inf
This removes s(ystem), r(ead only) and h(idden) attributes.
On Linux/cygwin, you can do chmod 777 autorun.inf
G:\>del autorun.inf
Removing the 'fake' .exe folders
dir *.exe - This will list all .exes
You can delete all of them by using del *.exe. However, deleting one by one is recommended since you might have a valid .exe file on your flash - like firefox_3.05.exe
G:\>del Docs.exe
Access Denied
If you get the Access Denied error, it's most probably because of file attributes - sometimes the virus sets them as system files or read only.
This command resets all the attributes
G:\>attrib -h -r -s Docs.exe
del Docs.exe should now work
Do the same for all .exes
Again, if using cygwin (or if removing from Linux), chmod 777, then rm -i *.exe should do.
Next Step: Displaying hidden folders
The folders in the flash were set to attrib s by the virus hence making them hidden from normal view.
To see them, do a dir /a. A better way is to do a dir /a:s. This will show all files with attribute s(ystem).
Again, do a reset of attributes for all folders:
G:\>attrib -s -h -r <foldername>
Guys running cygwin can do this using chmod 777 -R <foldername>
Summary:
G:\>dir /a
G:\>more autorun.inf
G:\>attrib -h -r -s autorun.inf
G:\>del autorun.inf
G:\>attrib -h -r -s <filename>.exe
G:\>del <filename>.exe
G:\>dir /a:s
G:\>attrib -s -h -r <foldername>
There is other stuff to consider like the SYSTEM, RECYCLER, RECYCLED, etc. folders: going into these will make an already long mail too long. Feel free to explore there and search for and delete virus files. Do not delete the RECYCLER folder.
Disclaimer:
The set of instructions mostly works for flash disks. They might work on HDDs as well, but if a virus is already on an HDD then most probably there is a service/daemon/DLL running in memory regenerating the virus files. That's what anti-viruses are for. But they can be removed - manually.
It covers only a very small subset of viruses/trojans/worms - they mean the same to me :( so an antivirus is still the better option.
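The procedure above (dir /a, read autorun.inf, spot the folder-named .exe files) can be done as a read-only check before anything is deleted. The script below is an added example, not code from the thread or from anyone on this list: it parses the [autorun] section of autorun.inf for the open= / shellexecute= / shell\...\command= keys that decide what a double-click launches, and flags every Docs.exe that sits beside a folder called Docs. The sample drive layout it builds in a temp directory is constructed for the demonstration; the Hidden/System attribute check uses st_file_attributes, which only exists on Windows, so on other systems that part simply reports False.

```python
"""Read-only checker for the autorun / fake-folder pattern on a flash drive root.

Added example (not from the mailing-list thread). It reports what the mail's
manual steps would reveal and deletes nothing, so you can decide by hand which
.exe files are genuine (like a Firefox installer) before running attrib/del.
"""
import os
import stat
import tempfile
from pathlib import Path


def parse_autorun(text):
    """Return {key: value} for the launch-related keys of an autorun.inf.

    autorun.inf is a plain INI file; only the [autorun] section matters, and
    Windows treats section and key names case-insensitively, so lower-case them.
    """
    section = None
    targets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # open= and shellexecute= run a program on double-click;
        # shell\<verb>\command= adds context-menu verbs that also run one.
        if key in ("open", "shellexecute") or key.startswith("shell\\"):
            targets[key] = value.strip()
    return targets


def hidden_or_system(path):
    """True if the entry carries the Hidden or System attribute (Windows only).

    This is what `dir /a` reveals and `attrib -h -s` clears. st_file_attributes
    is absent on non-Windows platforms, so the check returns False there.
    """
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))


def scan_drive(root):
    """Inspect the root of a mounted flash drive. Reports only; deletes nothing."""
    root = Path(root)
    report = {"autorun_targets": {}, "fake_folder_exes": [], "other_exes": []}
    entries = list(root.iterdir())
    folder_names = {p.name.lower() for p in entries if p.is_dir()}
    for p in entries:
        if p.is_file() and p.name.lower() == "autorun.inf":
            report["autorun_targets"] = parse_autorun(p.read_text(errors="replace"))
        elif p.is_file() and p.suffix.lower() == ".exe":
            # Docs.exe next to a folder Docs/ is the fake-folder pattern from the mail.
            if p.stem.lower() in folder_names:
                report["fake_folder_exes"].append(p.name)
            else:
                report["other_exes"].append(p.name)  # e.g. a real installer: review by hand
    report["fake_folder_exes"].sort()
    report["other_exes"].sort()
    return report


def build_sample_drive(base):
    """Constructed sample layout (placeholder bytes, not a real infection)."""
    base = Path(base)
    (base / "Docs").mkdir()
    (base / "Docs" / "notes.txt").write_text("my notes\n")
    (base / "Docs.exe").write_bytes(b"MZ placeholder, not a real binary")
    (base / "firefox_3.05.exe").write_bytes(b"MZ placeholder, legitimate installer")
    (base / "autorun.inf").write_text(
        "[AutoRun]\nopen=Docs.exe\nshell\\open\\command=Docs.exe\nicon=Docs.exe\n"
    )
    return base


def demo_report():
    """Build the constructed sample in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drive(build_sample_drive(tmp))


if __name__ == "__main__":
    rep = demo_report()
    print("autorun.inf would launch:", rep["autorun_targets"])
    print("fake-folder .exe files:", rep["fake_folder_exes"])
    print("other .exe files (check by hand):", rep["other_exes"])
```

Point scan_drive() at a real drive root (G:\ on Windows, or the mount point under /media on Linux) to get the same three lists for a drive you are about to clean; the icon= line is deliberately left out of the report because it never launches anything.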
@Mr Lawi,
Very good information this is, but quite time consuming. Imagine you were doing this as a commercial venture. It will take you so much time.
The way I do it? Simply get Hiren's Ultimate Boot CD (UBCD), boot off it, and you have a Windows running off a memory disk which won't get infected anyway. Open the flash disk, go to Tools->Folder Options->View, show hidden files and folders->OK.
You have all the files showing right in your face. Select all, deselect the ones you don't want to delete (e.g. the Firefox Setup 3.0.11.exe, etc.) and shift+delete the files/folders. Delete autorun.inf and any other funny-named command files the virus had created and voila! Reboot/Eject UBCD and ask for the next virus victim :-)
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"If you have nothing good to say about someone, just shut up!."
-- Lucky Dube
_______________________________________________
Skunkworks mailing list
Skunkworks@lists.my.co.ke
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks