Removing Autorun.inf Virus & Viruses that uses Autorun.INF
There are several viruses that uses the autorun.inf to spread itself such as the Bacalid (hides itself in ctfmon.exe) and the RavMon.EXE. These viruses set its file attributes to System+Hidden+Read-Only attributes so some anti-viruses will have a hard time detecting or finding them. These viruses save itself in the root directory of every available drives of the current infected computer and runs itself every time you Double-Click the drive. In
Autorun.INF is usually used by CD Installers to autoplay their installations but Hard disks by default should not have AUTORUN.INF in the drive.
Now, it is possible that your computer is infected by those viruses if you try to display the content of the your computer through
You will see from this window that drive C contains a hidden file autorun.inf, this is a possibility that the computer is infected. Now to erase this, restart your window to Safe Mode Command Prompt. (Do this by rebooting your computer and pressing F8 before windows go out and select from the boot menu). On drive C and other drives type the following commands: 1. attrib -h -r -s autorun.inf 2. del autorun.inf
Do this steps to other drives to disable the autorun.inf .
Disable AUTORUN from
Now you can disable the AUTORUN for all drives by configuring the registry. Open the registry by typing regedit.exe to the command prompt (if your still at the command prompt) or execute it in Run. Look for the HKEY_CURRENT_USER\Software\ Microsoft\Windows\CurrentVersion\Policies\Explorer as shown below:
Double-click the NoDriveAutorun DWORD entry and type the value HEX: FF (255 in Decimal). (If the NoDriveAutorun does not exists, you can creat it by right-clicking the right side area of the regedit window, then click New->DWord Value -> type NoDriveAutorun) Close the registry and restart the computer. This procedure will disable all the autorun for all drives of your computer and at least will prevent the autorun function of infected
Update:
If you want to prevent viruses that uses autorun.inf to infect your USB
1. Open your flash drive via Command Prompt (do this via Start->Run->cmd.exe)
2. Change your logged drive to your
3. Create a
The reason why this will avoid future infection is that autorun.inf viruses usually generates a file autorun.inf. Having an AUTORUN.INF folder on the root directory of your drives will make virus programs unable to create their own autorun.inf file, virus can’t even overwrite it because it’s a folder and not a file. See my point?
Read also my current post on free tools on removing autorun.inf virus and other malware.
If this post helps you on your PC problem, please link back to this blog: http://bleuken.i.ph as a sign of your gratitude. Thank you!
Removing SCVHOST.exe or W32/YahLover.Worm.gen
November 5, 2007
There’s a strain of computer virus/worm that hide itself using the name SCVHOST.EXE or SCVHOSTS.EXE, (don’t mistaken it as SVCHOST.EXE, it’s one of the vital programs of Windows, see the difference in spelling). It was detected as W32/YahLover.Worm.gen of McAfee Antivirus and as Win32/Autorun.R.worm by NOD32. This virus infects your computer by different means.
• One is it install itself in autorun.inf in Open option of the AUTORUN. Once you double click it will run and start spreading itself to your system.
• The other event that I observed is it copy itself through all the
Characteristic of the Virus
• This virus/worm when blocks the task manager when you press Ctrl+Alt+Del to invoke the task manager
• It blocks the registry (The worm change the registry to prevent running task manager and registry for harder detection).
• It also restarts the computer when you try to go to the command prompt. (This is based on my experience on this worm/virus when I try to disinfect it manually)
• It copy itself to different folders of drives and uses the name of the folder where it belongs. The copied virus/worm uses a FOLDER icon
• According to McAfee it changes the configuration of your Yahoo Messenger (see McAfee info)
• It autostart via registry keys Windows->Run and add itself to WinNT->WinLogon->Explorer.exe
To remove the virus manually, (try this it works with my computer but if you can’t try using an ANTI-VIRUS like McAfee or NOD32):
1. Boot your system in Safe Mode Command Prompt Only (Press F8 when your computer restarts, a menu will be shown and select the option)
2. After you log-in the command prompt will be opened (LOG-IN AS ADMINISTRATOR).
3. Type CD C:\WINDOWS\SYSTEM32 (assuming that your Windows System files are located at Drive C)
4. Type DIR /AH, this will display all hidden files of this folder. You will see the following file which is used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
5. Type ATTRIB -H -R -S SCVHOST.EXE
6. Type ATTRIB -H -R -S BLASTCLNNN.EXE
7. Type ATTRIB -H -R -S AUTORUN.INI
8. Type DEL SCVHOST.EXE
9. Type DEL BLASTCLNNNN.EXE
10. Type DEL AUTORUN.INI
11. Type CD\
12. Type ATTRIB -H -R -S AUTORUN.INF
13. Type DEL AUTORUN.INF
After removing the virus/worm files, it should be removed from the registry of your system.
1. From the command prompt type REGEDIT.EXE this will run the
2. From the registry, look for the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, you will see an entry Yahoo! Messengger (it’s spelled like this) with a value c:\windows\system32\scvhost.exe, Delete this entry.
3. Look again for the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, there’s an entry named: SHELL, it has a value = Explorer.exe SCVHOST.EXE , don’t delete this entry!!! Just edit this entry and REMOVE the SCVHOST.EXE so that Explorer.exe will be the only value that will remain from this registry entry.
I’ve tried this steps and this works. You should try this if you’re only know how to edit registry entries. (try it at your own risk) Hope this will help you
No comments:
Post a Comment