iGeek Blog

Jignesh Patel's Blog

This guide will help you get rid of viruses spread by USB pen drives, flash drives or memory cards.
Most of these viruses spread through pen drives and similar devices because of a built-in Windows feature that automatically runs a file from the drive.

Problem:

When you connect a removable drive to your PC's USB port, Windows automatically tries to read the 'autorun.inf' file if it resides on the removable drive. That file names the program to be executed when the autorun event occurs, and if the program it names is a virus, you should be worried.
As soon as you connect the drive, the virus makes a copy of itself on your computer. That is all it takes for the virus to get into your computer.

The autorun file resides in the root of the drive, not in any folder.
File name: autorun.inf
Properties: hidden with two levels of hiding attributes. It may also be read-only.
Contents, e.g.:
[AutoRun]
OPEN=abc.exe
This will execute the file 'abc.exe', which could be a virus.

Here, the file "abc.exe" will also be hidden with two levels of hiding attributes, so you cannot see it directly on your drive and won't even know that it resides on your removable drive.

Diagnosis:

To find out whether "autorun.inf" resides on a drive, including your hard drives, CD/DVD drives and other removable drives, follow these steps.

One simple way is:
-Right-click the drive and look for an 'Auto' or 'Autorun' option in the menu. If it is there, then there is an "autorun.inf" file on your drive.

Another way is:
-In Windows Explorer, open Tools > Folder Options.

-In Folder Options, on the 'View' tab, find the item "Hidden files and folders". It has two options; select the option "Show hidden files and folders".

-Remove the check mark from the item "Hide protected operating system files (Recommended)".

Now go to your drive. You will be able to see all the hidden files and folders on it, including "autorun.inf" if it is there. But if your computer has the after-effects of the virus named 'sal.xls.exe', then you won't be able to see the files, because it resets the changes you made in the steps above.
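
The same check can be made without depending on Explorer's view settings. The script below is an added example, not part of the original post: it assumes Python is installed on the PC, and the function names autorun_targets and scan_drive_roots are chosen for this example. It opens autorun.inf in each drive root by name and lists the programs the file would launch, covering "shellexecute" and "shell\...\command" entries in addition to the "OPEN=" line shown earlier.

```python
import os
import string

# [AutoRun] keys whose value is a program that Windows is asked to launch.
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_targets(text):
    """Return (key, command) pairs from the [AutoRun] section of autorun.inf text."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        if not in_autorun or not sep:               # other section, or not key=value
            continue
        key, value = key.strip().lower(), value.strip()
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in LAUNCH_KEYS or is_verb):
            targets.append((key, value))
    return targets

def scan_drive_roots(roots=None):
    """Map each autorun.inf found in a drive root to the commands it would launch.

    The file is opened by name, so it is read even when it is hidden in Explorer.
    """
    if roots is None:
        roots = [f"{letter}:\\" for letter in string.ascii_uppercase]
    found = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        try:
            with open(path, "r", errors="replace") as fh:
                found[path] = autorun_targets(fh.read())
        except OSError:                             # no such drive or no such file
            continue
    return found

# Constructed sample, modelled on the two-line file shown in this post.
SAMPLE = r"""[AutoRun]
OPEN=abc.exe
icon=folder.ico
shell\open\command = abc.exe
"""

if __name__ == "__main__":
    for path, cmds in scan_drive_roots().items():
        print(path, cmds or "no launch commands")
```

Every drive that prints a line has an autorun.inf in its root, and the commands listed next to it are the files to look for on that drive.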

Solution:

You take good care of your computer and keep the virus definitions of your antivirus software up to date. But some of the latest viruses can't be caught by it.

If you can see the file 'autorun.inf' on your drives, it may be meant for spreading viruses. So my recommendation is that you delete it immediately.

To stop viruses from spreading via USB pen drives, flash drives or memory cards, the best way is to disable the autorun feature of Windows.

You can do it with some registry tweaks, but the easiest way is this:

You will need to install the 'Tweak UI' PowerToys utility on your computer.

Download it from any of the servers.
Server 1: TweakUiPowertoySetup.zip, Size: 133 KB
Server 2: TweakUi.exe, Size: 147 KB

Install it. If you are using Windows XP, follow this path in the Start menu:
"All Programs" > "Powertoys for Windows XP" > "Tweak UI".

In the window that appears, select these items from the tree on the left:
"My Computer" > "Autoplay" > "Drives".

On the right side, all the drives appear with check boxes.

Remove the check marks for the drives on which you want to disable autorun. My recommendation is to remove the check marks for all the drives, including your CD/DVD drives.
Press OK. That's it.


This is another solution, for when your computer is affected by the virus contained in 'sal.xls.exe'.

Following are some of its after-effects.

-In Folder Options, when you select the option "Show hidden files and folders" and press OK, you still can't see hidden files or folders, even those that reside on your computer.

Here is the solution for it; you have to do some registry tweaks.

-Go to Start > Run, type in 'regedit' and press OK.

-Go to the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

-Delete the value CheckedValue. (Its type should be REG_SZ and its data should be 2.)

-Create a new DWORD value called CheckedValue (same as above, except that the type is REG_DWORD). Set the value data to 1 (0x00000001).

This should let you change the "Hidden Files and Folders" option.
