Note: If you want to copy this article and post to your website please link back to my site.
Simple steps to prevent and manually remove autorun spyware/viruses from removable disks
1. Disable Autorun/Autoplay
2. Kill the malicious process running on your system
3. Delete the files and remove them from the startup programs
What is Autorun/Autoplay?
Autorun/Autoplay is the ability of many modern computer operating systems to automatically take some action upon the insertion of removable media such as a CD-ROM, DVD-ROM, or flash media. - wikipedia
The disadvantage of Autorun is that it can pose a security threat when the user does not expect or intend to run the software, as in the case of some viruses and spyware, which take advantage of this feature to propagate. The program then runs on your computer without your knowledge. Here's how to disable Autorun/Autoplay using Group Policy:
1. Click Start button > Run > type gpedit.msc then click OK

2. In Group Policy, expand User Configuration > Administrative Templates > System, then double-click Turn off Autoplay

3. Select Enabled and All Drives in Turn off Autoplay Properties, then click Apply > OK
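To confirm the policy took effect without opening gpedit.msc, the following added example (not part of the original article) reads the NoDriveTypeAutoRun registry value that the Turn off Autoplay policy corresponds to and decodes it per drive type. The function names are hypothetical; Disable-AutorunAllDrives writes 0xFF, the value for All Drives, under the current user's policy key.

```powershell
# Added example, not from the original article.
$PolicyPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# One bit per drive type; a set bit turns Autorun off for that type.
$DriveTypeBits = [ordered]@{
    'Unknown'         = 0x01
    'No root dir'     = 0x02
    'Removable (USB)' = 0x04
    'Fixed disk'      = 0x08
    'Network'         = 0x10
    'CD/DVD'          = 0x20
    'RAM disk'        = 0x40
    'Reserved'        = 0x80
}

function Get-AutorunPolicy {
    # Report the per-user and per-machine policy values side by side.
    foreach ($hive in 'HKCU', 'HKLM') {
        $props = Get-ItemProperty -Path "${hive}:\$PolicyPath" -ErrorAction SilentlyContinue
        $value = $props.NoDriveTypeAutoRun   # $null when the policy was never set
        foreach ($type in $DriveTypeBits.Keys) {
            [pscustomobject]@{
                Hive       = $hive
                RawValue   = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
                DriveType  = $type
                AutorunOff = ($null -ne $value) -and (($value -band $DriveTypeBits[$type]) -ne 0)
            }
        }
    }
}

function Disable-AutorunAllDrives {
    $key = "HKCU:\$PolicyPath"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 0xFF sets every bit, which covers all drive types in the table above
    New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
}

Get-AutorunPolicy | Format-Table -AutoSize
# Disable-AutorunAllDrives   # uncomment to apply, then run Get-AutorunPolicy again
```

Any row for Removable (USB) that shows AutorunOff as False means USB drives can still autorun for that hive.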
Since you disabled Autorun/Autoplay, you need to open removable media manually to play it, for example when you insert an audio CD or video CD.
How to remove autorun spyware/virus from your hard drive or USB drive manually
To make a demo, I enabled my Autorun/Autoplay, inserted a USB drive infected with spyware, and let the spyware run on my computer system. Now I want to remove it manually. Here's how...
1. Show the hidden files and protected operating system files
Open My Computer and, in the Tools menu, select Folder Options...

In Folder Options, select Show hidden files and folders, then uncheck Hide protected operating system files > Apply > OK
Some spyware hides the Folder Options item. In this case you need to run Group Policy (gpedit.msc).
Go to User Configuration > Administrative Templates > Windows Components > Windows Explorer, then select Disabled in the Remove the Folder Options menu item from the Tools menu > Apply > OK
2. Look for autorun.inf
Now open the USB drive. You can see the autorun.inf file; open it (you may also see this file on your hard disk drive).
Be wary of a "New Folder" or any item with a folder icon on your USB drive. It may not actually be a folder but an executable program that uses the icon of a folder. Sometimes it uses the Notepad, Yahoo Messenger, Microsoft Word or another system icon to hide. Here's how to determine whether it is a real folder or an executable program:
Before you open the folder, right-click it and click Properties.
A real folder has the Sharing and Customize tabs,
while an executable program has the Version and Compatibility tabs.
Note all the files listed in autorun.inf. In this case there is only one, "SCVVHSOT.exe", but once it is running on your system it can generate another file (Recycler) or call an executable program (like New Folder.exe) hidden on the USB drive. Other autorun.inf files list more files, as in the bar311 virus (bar311.exe, password_viewer.exe, photos.zip.exe and pc-off.bat).
3. End the Process
Go to Task Manager (or press the "Ctrl + Alt + Del" keys). In the Processes tab, select the file that you saw in autorun.inf, then click End Process. If you get this message
Run Group Policy (gpedit.msc).
Go to User Configuration > Administrative Templates > System > Ctrl+Alt+Delete Options > Remove Task Manager, then select Disabled in the Remove Task Manager option > Apply > OK


Personally, I use Process Explorer to kill the process.
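Steps 2 and 3 can be cross-checked with a script. This added example (not part of the original article) parses an autorun.inf, extracts the programs it launches, and lists running processes with the same image name. Get-AutorunTarget is a hypothetical name, and the demo folder is a constructed stand-in for a drive root that reuses the file name from the demo above.

```powershell
# Added example, not from the original article.
function Get-AutorunTarget {
    param([Parameter(Mandatory)][string]$DriveRoot)   # e.g. 'E:\' (assumed letter)

    $inf = [IO.Path]::Combine($DriveRoot, 'autorun.inf')
    if (-not (Test-Path -LiteralPath $inf)) { return }   # nothing to inspect

    # Keys that make Windows launch something:
    # open=, shellexecute=, shell\<verb>\command=
    $launchKey = '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$'
    # File names with a launchable extension inside the command string
    $exeName = '[\w\-. \\~$:]+?\.(?:exe|com|bat|cmd|pif|scr|vbs)(?![\w.])'
    $running = Get-CimInstance -ClassName Win32_Process

    foreach ($line in Get-Content -LiteralPath $inf -Force) {
        if ($line -notmatch $launchKey) { continue }   # skips comments and padding
        $key, $command = $Matches[1], $Matches[2].Trim()
        foreach ($m in [regex]::Matches($command, $exeName, 'IgnoreCase')) {
            $file  = $m.Value.Trim().TrimStart('\')
            $leaf  = Split-Path $file -Leaf
            # Same name is only a hint: compare ProcessPaths with the real location
            $procs = @($running | Where-Object { $_.Name -eq $leaf })
            [pscustomobject]@{
                InfKey        = $key
                File          = $file
                ExistsOnDrive = Test-Path -LiteralPath ([IO.Path]::Combine($DriveRoot, $file))
                ProcessIds    = $procs.ProcessId
                ProcessPaths  = $procs.ExecutablePath
            }
        }
    }
}

# Constructed sample standing in for an infected drive root
$demo = Join-Path $env:TEMP 'autorun-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'autorun.inf') -Value @(
    '[AutoRun]', ';padding line', 'open=SCVVHSOT.exe',
    'shell\open\command=SCVVHSOT.exe')
Get-AutorunTarget -DriveRoot $demo | Format-List
```

A process whose ProcessPaths value points at the removable drive, the root of a hard disk, or an unexpected copy under the Windows folder is the one to end.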


4. Remove the file from the startup programs
You can remove it using Autoruns. Check the programs listed in the Logon tab.
Now you can see the path where the file is hiding. Follow the path in My Computer and delete all the files. Also delete the related files, such as New Folder.exe and Recycler on the USB drive. Most of these files hide in these directories:
Root directory (drive C, drive D, etc.)
x:\windows
x:\windows\system32
x = the drive where you installed Windows
In other cases you cannot delete the files because a message says that the program is running. In this case you can use Unlocker, which can delete a file even while it is running.
In Autoruns, delete the entries, or uncheck them so that the programs will not run again when the computer restarts.

Also check the Scheduled Tasks tab and delete the file At1.job (something like that).
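The logon entries that Autoruns shows can also be searched from a script. This added example (not part of the original article, and not Autoruns' own code) looks through the Run and RunOnce keys, the Winlogon key, and the Startup folders for entries that mention the file names noted from autorun.inf. Find-StartupReference is a hypothetical name; it only reports and deletes nothing.

```powershell
# Added example, not from the original article or from Autoruns itself.
function Find-StartupReference {
    param([Parameter(Mandatory)][string[]]$FileName)   # names seen in autorun.inf

    $keys = foreach ($hive in 'HKCU:', 'HKLM:') {
        "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        "$hive\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    # The Shell and Userinit values in this key are also started at every logon
    $keys += 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

    foreach ($key in $keys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($entry in $item.GetValueNames()) {
            $data = [string]$item.GetValue($entry)
            foreach ($name in $FileName) {
                # Substring match, so review each hit before removing it
                if ($data.IndexOf($name, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{ Location = $key; Entry = $entry; Target = $data }
                }
            }
        }
    }

    # Files dropped directly into the per-user and all-users Startup folders
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path) { continue }
        Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue |
            Where-Object { $FileName -contains $_.Name } |
            ForEach-Object {
                [pscustomobject]@{ Location = $path; Entry = $_.Name; Target = $_.FullName }
            }
    }
}

# File names taken from the demo in this article
Find-StartupReference -FileName 'SCVVHSOT.exe', 'New Folder.exe' | Format-List
```

The Target column gives the full command line, which is the path to follow when deleting the files in the next step.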

This article is an alternative way to remove spyware and viruses. If you want to use antivirus software, I recommend NAV (Norton AntiVirus with Antispyware from Symantec).
But if you want high performance on your computer system, I recommend Bitdefender.
I hope this article helps you. You can also see my other article on...
How to Protect Your Windows System without using Antivirus Software (Yes! I haven't used antivirus software for nearly 3 years now)
Frequently Asked Question
Q: How can I type gpedit.msc or go to Group Policy if I can't see my Start button or Run command?
A: On your desktop, right-click > select New > Shortcut, then type gpedit.msc > click Next > Finish
Q: I can't see my taskbar, and My Computer won't open when I try to enter it?
A: In this case I use a Windows Live, which is a Windows that runs on the computer from a CD or USB drive. You can then explore your hard disk and look for autorun.inf, then find and delete all the files that you see in autorun.inf. Most Windows Live CDs include antivirus software, which you can use.
Q: Do you know of other files that are spyware or viruses?
A: Here is the list of common viruses and spyware you see in your removable media.
1 comments:
this is gr8 dear