Tuesday, July 15, 2008

Computer Viruses - Steps involved in prevention and manual removal

I have been suffering from a lot of virus problems ever since the day I started using my computer. To say the least, I have got used to removing them as well in most cases. When it comes to viruses, the most general thing they do is replicate. For this, they generally place a non-erasable piece of code in your system. This may be either a hidden superuser file or a short piece in the registry.

With Vista, though, the above can be avoided by enabling User Account Control (UAC) in msconfig. The major reason for viruses attacking any system is the user's negligence in not turning off the autostart of CDs, or in running unwanted executables. Anybody running Vista might notice the "AutoPlay" option in the Control Panel. This can be used to prevent CDs and thumb drives from being autoplayed when they are inserted. In the case of XP, xp-AntiSpy can be used to disable the autostart and prevent unauthorised registry editing.

Now that you have completed the above steps successfully, you can be sure that future attacks are mostly prevented. I would prefer the following steps to remove the virus, for each of the following symptoms:

1) Each folder turns into an .exe with a folder-like icon, or New Folder.exe:
This virus can be removed by the following steps.

1. Kill the following processes and delete the files (if any are present):

• libedit.dll
• newfolder.exe
• shelliddono.dll
• srv0104.ids
• srvidd20.exe or any rundll32.exe (don't delete this one, just stop it, i.e. rundll32)

2. Delete the following registry entries (if any are present):

• Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run for nwiz.exe
Value: @

• Key: software\microsoft\windows\currentversion\run\alchem
Value: @

• Key: software\microsoft\windows\currentversion\run\zzb
Value: @

SOFTWARE\Microsoft\Windows\CurrentVersion\Run -
This location is mainly responsible for the programs that autostart when you start your computer. It can also be accessed using msconfig. Make sure no unwanted programs are present in this list. If any are present, delete them or stop them from starting at start-up. Make sure this is checked periodically.

3. Delete unwanted DLLs and EXEs in the System32 folder:

The names of those executables will be something like amvo*.*, kavo*.* or tavo*.* (i.e. tavo.exe, tavo1.dll etc.). These are the malicious files responsible for the replication process.

4. Delete unwanted autorun.inf and other files in the root of the drives:
The autorun.inf files, and files named like VirusRemoval.vbs, ******.cmd, ******.exe, ******.bat, are placed in the root of the drives so that they autorun when you open the drives. You can check whether there are any hidden files like that in the specified location, and delete them, by using the following commands.

dir /ah - meaning display all the hidden files in the current location.

del /f /ah (filename) - delete the hidden file forcefully.

If forceful deletion does not succeed, then try changing the file's attributes by using the following command:

attrib -a -h -s (filename) - to reduce the file privileges from a superuser file to a normal user file.

This command can also be used with + instead of - if you need to promote your file to a superuser file privilege and make it a hidden one.

Then try deleting it again, after stopping any associated process as mentioned in step (1).

Note: As much as possible, make sure that you don't use Explorer during this step. Try using the command line to navigate and check for hidden files and viruses, and directly access Task Manager for stopping any processes. Do this for all drives in your system (even include your thumb drives).

After doing all these, restart your computer and check that none of the malicious code is running again.
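A read-only PowerShell pass over the locations named in steps 2 to 4, added here as an example and not part of the original post. It assumes PowerShell 3.0 or later and treats alchem and zzb as Run value names; the function names are hypothetical, and a flagged row is a prompt to look closer, not a verdict.

```powershell
# Added example: read-only triage. Nothing is stopped, deleted or changed.
# Names below come from the steps above. Treating 'alchem' and 'zzb' as Run
# value names is an assumption about how the post lists them.
$runNames = 'alchem', 'zzb'
$patterns = 'nwiz.exe', 'newfolder.exe', 'srvidd20.exe', 'amvo*', 'kavo*', 'tavo*'

function Test-PageIndicator([string]$Text) {
    # True when $Text contains any file name or pattern listed in the post.
    foreach ($p in $patterns) { if ($Text -like "*$p*") { return $true } }
    return $false
}

function New-Finding($Location, $Name, $Detail, [bool]$Flagged) {
    [pscustomobject]@{ Location = $Location; Name = $Name; Detail = $Detail; Flagged = $Flagged }
}

# Step 2: every autostart entry in the machine-wide and per-user Run keys.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        New-Finding $key $name $cmd (($runNames -contains $name) -or (Test-PageIndicator $cmd))
    }
}

# Step 3: files in System32 whose names start with the prefixes from the post.
Get-ChildItem -Path "$env:windir\System32\*" -Include 'amvo*', 'kavo*', 'tavo*' `
    -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { New-Finding $_.DirectoryName $_.Name $_.Attributes $true }

# Step 4: hidden files in the root of each drive (the equivalent of dir /ah).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -LiteralPath $drive.Root -File -Hidden -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hit = ($_.Name -ieq 'autorun.inf') -or
                   ($_.Extension -in '.vbs', '.cmd', '.exe', '.bat')
            New-Finding $drive.Root $_.Name $_.Attributes $hit
        }
}
```

Pipe the output to Format-Table -AutoSize, or to Where-Object Flagged, to see only the rows worth reviewing.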

2) Not able to access the hidden folders:

Each time you try to view the hidden files in your folder, they aren't shown. The Tools -> Folder Options -> View -> "Show hidden files and folders" option cannot be enabled. This can be due to the presence of malicious code, like the one I mentioned above. Follow the above steps to remove it. Then, to re-enable the viewing of hidden files, follow these steps:

  • Run Registry Editor by typing regedit in Run or at the command prompt.
  • In the Registry, traverse to this path:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Then double-click the value Hidden in the right-hand side pane.
  • A dialog box pops up asking for the value. Any virus would have changed the value to 0; it should be either of the following:
    • 1 - Show hidden
    • 2 - Don't show

These steps must restore the system to a reasonably good condition. Remove the replicated New Folder.exe and the rest normally, by searching for them and deleting them. (Make sure you don't run them when deleting them!)

You can change the folders hidden by the malicious code back to normal ones by using the attrib command mentioned above.
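The same repair scripted in PowerShell, as an added example that is not part of the original post: it puts the Hidden value back to 1 when it holds anything other than 1 or 2, and lists (or, with -Apply, unhides) the folders in a drive root. It assumes PowerShell 3.0 or later; the function names, the -Apply switch and the E:\ drive letter are hypothetical.

```powershell
# Added example, not from the original post. Run it only after the malicious
# files and autostart entries have been removed, or the value may be reset.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
# Folders Windows itself keeps hidden in a drive root; leave these alone.
$keepHidden = 'System Volume Information', '$RECYCLE.BIN', 'RECYCLER'

function Get-HiddenSetting {
    # Current value of Hidden (1 = show hidden, 2 = don't show), or $null if absent.
    (Get-ItemProperty -Path $advanced -Name Hidden -ErrorAction SilentlyContinue).Hidden
}

function Restore-HiddenSetting {
    # Any value other than 1 or 2 (the post mentions 0) is replaced with 1.
    if ((Get-HiddenSetting) -notin 1, 2) {
        Set-ItemProperty -Path $advanced -Name Hidden -Value 1 -Type DWord
    }
    Get-HiddenSetting
}

function Clear-HiddenFolders([string]$Root, [switch]$Apply) {
    # Same effect as "attrib -h -s" on each top-level folder under $Root.
    # Without -Apply it only lists the folders it would change.
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    Get-ChildItem -LiteralPath $Root -Directory -Force |
        Where-Object { ([int]$_.Attributes -band $mask) -and ($_.Name -notin $keepHidden) } |
        ForEach-Object {
            if ($Apply) {
                $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $mask))
            }
            $_.FullName
        }
}

"Hidden is now $(Restore-HiddenSetting)"
# E:\ is a hypothetical drive letter; review the listing before adding -Apply.
# Clear-HiddenFolders -Root 'E:\'
```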


3) The CD/DVD drive opens and closes repeatedly when the system starts:
This is caused by a simple VB script or some other script. Make sure you remove it from the start-up list in msconfig. You can also stop it from Task Manager by stopping the appropriate script engine.


You must be able to enjoy your system happily from now on. If you do need an anti-virus, please go for Avast. It might slow down your system, but it does the task.

I have seen many other viruses that can show an "Open with" dialog when you double-click on drives in Explorer. But I have still not had first-hand experience with them yet. So I'll try providing the steps for those as well in the near future, after I try them out. Once you have learned to remove them, I believe you need not get annoyed with them the next time they attack you.

In case of problems, please comment for me to help you.

Viruses were created for fun! So enjoy them!
They help you learn more about your system!
