On 7/3/09, Mr. Lawi <mail2lawi@gmail.com> wrote:
> Hi Guys,
>
> I thought I should post something about removing viruses:
> Step 1: Run the virus scan on the flash drive.
> If you don't have an AV or feel that it missed something, proceed to step 2
>
> Step 2: The rest
>
> There is this virus family that hides all folders in a flash and creates new
> files with the original folder name and appending a .exe. So if you had a
> folder called Docs, you will see Docs.exe. If you have not enabled display of
> file extensions, the .exe part will not be seen. So all you will see is
> Docs. You double click it thinking it's your folder, and that executes the
> virus.
>
> This is what I do:
>
> I DO NOT double click on a flash drive directly in My Computer - (actually
> that's what I do not do)
> After ascertaining the drive letter (lets say its G:), go to Start -> Run ->
> cmd
>
> C:\Documents and Settings\etc>G:
> Move to the root of the flash
> G:\>
> Type dir /a
> This shows all the folders (like ls -a in Linux) including hidden ones
>
> If you do see autorun.inf you can check what file it activates by typing
> G:\>more autorun.inf
> (There is more in windows, yey! No less, though :))
> From the output you can see the file/virus being called by the autorun.inf.
> Autorun.inf gets executed when you double click on the drive letter in My
> Computer.
>
> Remove the autorun.inf
> G:\>attrib -h -r -s autorun.inf
> This removes s(ystem), r(ead only) and h(idden) attributes.
> On Linux/cygwin, you can do chmod 777 autorun.inf
> G:\>del autorun.inf
>
> Removing the 'fake' .exe folders
> dir *.exe - This will list all .exes
> You can delete all of them by using del *.exe. However, deleting one by one
> is recommended since you might have a valid .exe file on your flash - like
> firefox_3.05.exe
>
> G:\>del Docs.exe
> Access Denied
> If you get the Access Denied error, it's most probably because of file attributes -
> sometimes the virus sets them as system files or read only
>
> This command resets all the attributes
> G:\>attrib -h -r -s Docs.exe
> del Docs.exe should now work
>
> Do the same for all .exes
> Again, if using cygwin (or if removing from linux), chmod 777, then rm -i
> *.exe should do.
>
> Next Step: Displaying hidden folders
> The folders in the flash were set to attrib s by the virus hence making them
> hidden from normal view.
> To see them, do a dir /a. A better way is to do a dir /a:s. This will show all
> files with attribute s(ystem)
> Again, do a reset of attributes for all folders:
>
> G:\>attrib -s -h -r <foldername>
> Guys running cygwin can do this using the chmod 777 -R <foldername>
>
> Summary:
> G:\>dir /a
> G:\>more autorun.inf
> G:\>attrib -h -r -s autorun.inf
> G:\>del autorun.inf
> G:\>attrib -h -r -s <filename>.exe
> G:\>del <filename>.exe
> G:\>dir /a:s
> G:\>attrib -s -h -r <foldername>
>
> There is other stuff to consider like the SYSTEM, RECYCLER, RECYCLED, etc.
> folders: Going into these will make an already long mail too long. Feel free
> to explore there and search and delete virus files. Do not delete the
> RECYCLER folder
>
> Disclaimer:
> The set of instructions mostly work for flash disks. They might work on hdds
> as well but if a virus is already on a hdd then most probably there is a
> service/daemon/dll that is running in memory regenerating the virus files.
> That's what anti-viruses are for. But they can be removed - manually.
>
> It covers only a very small sub-set of viruses/trojans/worms - they mean the
> same to me:( so an antivirus is still the better option.
>
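The manual procedure above (read autorun.inf, find the .exe files that shadow a real folder, reset attributes, delete, un-hide the folders) scripted as a dry-run-first triage tool. This is an added example written for this reply, not code from the original mail; it assumes the stick is already mounted and that you pass its root path (G:\ on Windows, /media/usb on Linux). It is in Python rather than cmd so the same checks run from a Linux/cygwin box, and it never touches an .exe that does not share its name with a sibling folder, which is the "firefox_3.05.exe" caveat in the mail. The sample drive layout it builds is constructed for the demonstration and contains no real malware.

```python
"""Triage a flash drive for the 'folder.exe' worm pattern.

Added example, not part of the original mail. Assumes the stick is already
mounted and you pass its root (G:\\ on Windows, /media/usb on Linux).
Nothing is deleted unless delete=True: the default run only reports what
autorun.inf would launch and which .exe files shadow a real folder.
"""
from __future__ import annotations

import ctypes
import sys
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_NORMAL = 0x80  # Windows: no hidden/system/read-only bits set


def autorun_targets(inf_text: str) -> list[str]:
    """Return the program(s) an autorun.inf would launch.

    autorun.inf is INI-style: under [autorun], open= and shellexecute=
    name the file Windows runs on AutoPlay / drive double-click. Worms
    pad the file with junk lines and vary the case, so parse by hand
    instead of trusting a strict INI parser.
    """
    targets: list[str] = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ("open", "shellexecute") and value.strip():
            # "open=Docs.exe /q" -> Docs.exe (arguments and quotes stripped)
            target = value.strip().split()[0].strip('"')
            if target not in targets:
                targets.append(target)
    return targets


def fake_folder_exes(root: Path) -> list[Path]:
    """Executables named <dir>.exe where <dir> is a directory in root.

    That name collision is the worm's trick: with extensions hidden the
    user sees two 'Docs' entries and double-clicks the wrong one. An .exe
    with no matching folder (a legitimate installer) is left alone.
    """
    dirs = {p.name.lower() for p in root.iterdir() if p.is_dir()}
    return sorted(
        p for p in root.iterdir()
        if p.is_file() and p.suffix.lower() == ".exe" and p.stem.lower() in dirs
    )


def clear_attributes(path: Path) -> None:
    """Equivalent of `attrib -h -r -s` so the entry can be deleted or seen.

    Only Windows has these bits; on Linux/cygwin the mail's chmod does the
    same job and a plain unlink already works, so this is a no-op there.
    """
    if sys.platform == "win32":
        ctypes.windll.kernel32.SetFileAttributesW(str(path), FILE_ATTRIBUTE_NORMAL)


def triage(root: Path, delete: bool = False) -> dict:
    """Report (and optionally remove) autorun.inf and fake-folder .exe files."""
    inf = root / "autorun.inf"
    targets = autorun_targets(inf.read_text(errors="ignore")) if inf.is_file() else []
    fakes = fake_folder_exes(root)
    to_remove = ([inf] if inf.is_file() else []) + fakes
    # The autorun target is usually one of the fakes, but not always: take it too.
    to_remove += [root / t for t in targets
                  if (root / t).is_file() and root / t not in fakes]
    if delete:
        for p in to_remove:
            clear_attributes(p)
            p.unlink()
        for d in (p for p in root.iterdir() if p.is_dir()):
            clear_attributes(d)  # un-hide the real folders the worm hid
    return {"autorun_targets": targets,
            "fake_exes": [p.name for p in fakes],
            "removed" if delete else "would_remove": [p.name for p in to_remove]}


SAMPLE_AUTORUN = """\
[AutoRun]
;junk line of the kind worms pad the file with
open=Docs.exe /q
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def build_sample_drive() -> Path:
    """Constructed stick layout (fake MZ stubs, not real worm data) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    for d in ("Docs", "Photos"):
        (root / d).mkdir()
        (root / f"{d}.exe").write_bytes(b"MZ fake")
    (root / "firefox_3.05.exe").write_bytes(b"MZ legit")  # must survive triage
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    return root


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--delete"]
    drive = Path(args[0]) if args else build_sample_drive()
    print(triage(drive, delete="--delete" in sys.argv))
```

Run it with the drive root as the only argument to get a report; add `--delete` to actually remove the listed files and clear the attributes on the remaining folders. On the mail's point about hard disks: this script does nothing about a resident process that recreates the files, so on a hdd run it only after the running malware has been stopped.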