I have this problem that makes my folders hidden and creates a .exe file with the same name as the folder when opening some thumbdrives.
The .exe file size is always 1.34mb.
Not all folders are infected.
Is it due to my comp, or is the virus from these external sources? Cos it only happens after I lend it out to a friend.
Is there anyway to recover my files?
AVG scan can't seem to solve it, it only asks me to remove them.. =(
Reboot to safe mode, and open up CMD.
And e.g if your flash drive is F:\
Enter the command:
del F:\Flashdevicename\virus.exe
It's in your registry somewhere I guess, but best way to know is to use Xen's method, then reboot back to regular operation, and insert thumbdrive again. If it still happens, it's in your registry.
Originally posted by Raraken: It's in your registry somewhere I guess, but best way to know is to use Xen's method, then reboot back to regular operation, and insert thumbdrive again. If it still happens, it's in your registry.
How to know which part of the registry?
Originally posted by MyPillowTalks: How to know which part of the registry?
Search the registry for Mountpoints2
First run this file - http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
Then run this file - http://www.mediafire.com/?zztykiiyjmk
Upload the log somewhere (no Rapidshare, Megaupload or Megashares) and post back the link to the log.
What I did with mine is:
Just show hidden files and folders. You will find your folders hidden inside your thumb drive. Delete the non-hidden virus "folders" of the same names. Select the hidden folders, then right-click > Properties > uncheck the Hidden box. You will have your folders back in sight.
Whenever you restart your PC and insert your thumbdrive it will happen again. So before restarting the PC please delete the virus shortcut in C: documents and settings_your user name_startmenu_programs_startup. Take note of the virus shortcut name.
In the Task Manager, end the process with the same name as the shortcut. The virus is inside a hidden folder inside the system32 folder in c:\WINDOWS. Please delete it.
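The drive-side half of the procedure above (spot the hidden folder with a same-named .exe twin, then unhide the folder), as an added PowerShell audit script that is not part of the thread. It assumes the drive letter is passed as -Root and that the account can change attributes on the drive; the SHA-256 in the report is there so the sample can be looked up rather than guessed at by size.

```powershell
# Added example, not code from this thread. Audits a flash drive root for the
# pattern described above: a hidden folder X next to a file X.exe. Nothing is
# deleted; -Unhide restores the folders and -Quarantine renames the .exe twins.
# Assumptions: -Root is the drive (e.g. F:\); the account may change attributes.
param(
    [Parameter(Mandatory = $true)][string]$Root,
    [switch]$Unhide,
    [switch]$Quarantine
)

function Get-Sha256([string]$Path) {
    # Hash goes in the report so the sample can be looked up or sent to an AV vendor
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

$hideBits = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
$findings = @()

# autorun.inf at the root is what makes the copy run when the drive is opened
if (Test-Path -LiteralPath (Join-Path $Root 'autorun.inf')) {
    Write-Warning "autorun.inf present at $Root - review it before double-clicking the drive"
}

foreach ($dir in (Get-ChildItem -LiteralPath $Root -Force | Where-Object { $_.PSIsContainer })) {
    if (([int]($dir.Attributes -band [IO.FileAttributes]::Hidden)) -eq 0) { continue }
    $twin = Join-Path $Root ($dir.Name + '.exe')
    if (-not (Test-Path -LiteralPath $twin)) { continue }
    $exe = Get-Item -LiteralPath $twin -Force
    $findings += New-Object PSObject -Property @{
        Folder = $dir.FullName; Exe = $exe.FullName
        SizeMB = [math]::Round($exe.Length / 1MB, 2)   # the post reports a constant 1.34 MB
        Sha256 = Get-Sha256 $exe.FullName
    }
    if ($Unhide) {
        # Same as Properties -> untick Hidden, but also clears the System bit that greys it out
        $dir.Attributes = [IO.FileAttributes]([int]$dir.Attributes -band (-bnot $hideBits))
    }
    if ($Quarantine) {
        $exe.Attributes = [IO.FileAttributes]::Normal
        Rename-Item -LiteralPath $exe.FullName -NewName ($exe.Name + '.quarantined')
    }
}

if ($findings.Count -eq 0) { "No hidden-folder/.exe twins found under $Root" }
else { $findings | Format-Table Folder, Exe, SizeMB, Sha256 -AutoSize }
```

Run it once without switches to get the report, then with -Unhide -Quarantine once the hashes have been checked; the PC-side startup entry still has to be dealt with separately, as the post says.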
Depending on the version, you may not be able to show hidden files at all, nor gain access to registry editor.
Your case is a small case, that's why it's easily fixed.
To use "show hidden files and folders" or "unhide protected operating system files" you need to access "Folder Options" in Windows Explorer (XP). But viruses will sometimes annoyingly disable this option under the "Tools" menu in Explorer, although some viruses will not disable this option and instead set a registry key that disables the "SHOWALL" hidden files and folders setting. Even if you have the option, it will not take effect at all. And one more thing: some viruses set a policy to disallow some accounts from using the "Registry Editor".
These are very common and the workarounds are common on the internet too. Here are some that I've used to get around these problems:
1. No "Folder Options" in Explorer - In Reg Editor navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. There should be no "NoFolderOption" entry, or if there is a "NoFolderOption" you should delete it or change its value to "0".
2. If there is a "Folder Option" but setting it to show hidden files and folders does not take effect, then I tried this in Reg Editor: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
See if the CheckedValue value datatype is REG_DWORD. If not (e.g. REG_SZ), then delete it.
If there's no CheckedValue, create a new DWORD Value and name it CheckedValue. Double click the new CheckedValue and change its value to 1; some viruses change it to 0 or other values.
In the same window look also for the TYPE entry with value type REG_SZ and set its value to RADIO.
3. Account not allowed to use the Registry Editor. This is what I did:
Click Start - Run. In the Run dialog box type "gpedit.msc", click OK. In the Group Policy dialog that opens, under "User Configuration" - "Administrative Templates", highlight the word "System" with a click. In the right pane find the entry "Prevent access to registry editing tools", double click it and set the "Disabled" radio button. Click "OK".
At least these procedures save me wasted time from annoying viruses.
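The three registry conditions from the list above, as an added PowerShell check script that is not part of the thread. It assumes the value names as Microsoft documents them: NoFolderOptions under Policies\Explorer, CheckedValue and Type under SHOWALL, and DisableRegistryTools under Policies\System, which is the value the gpedit policy in step 3 writes.

```powershell
# Added example, not code from this thread: checks the registry conditions
# described above and repairs only the failing ones when -Fix is given. Run elevated.
# Assumption: value names as documented by Microsoft (NoFolderOptions,
# CheckedValue/Type under SHOWALL, DisableRegistryTools behind the gpedit policy).
param([switch]$Fix)

$showAll = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFolderOptions'; Want = $null; Kind = 'DWord'
       Why  = 'Folder Options removed from the Explorer Tools menu' },
    @{ Path = $showAll; Name = 'CheckedValue'; Want = 1; Kind = 'DWord'
       Why  = 'Show hidden files setting is silently ignored' },
    @{ Path = $showAll; Name = 'Type'; Want = 'radio'; Kind = 'String'
       Why  = 'SHOWALL option not rendered as a radio button' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Want = $null; Kind = 'DWord'
       Why  = 'regedit blocked for this account' }
)

foreach ($c in $checks) {
    $have = $null; $kind = 'missing'
    $key = Get-Item -Path $c.Path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $c.Name)) {
        $have = $key.GetValue($c.Name)
        $kind = $key.GetValueKind($c.Name).ToString()   # catches a REG_SZ "1" where REG_DWORD 1 is expected
    }
    # Policy values (Want = $null) are fine when absent or 0; settings must match value AND type
    if ($c.Want -eq $null) { $ok = ($have -eq $null) -or ($have -eq 0) }
    else { $ok = ($have -eq $c.Want) -and ($kind -eq $c.Kind) }
    '{0} {1}\{2} = {3} [{4}] : {5}' -f $(if ($ok) { 'OK ' } else { 'BAD' }), $c.Path, $c.Name, $have, $kind, $c.Why

    if ($ok -or -not $Fix) { continue }
    if (-not (Test-Path -Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
    # Delete first so the value is re-created with the right type instead of keeping a wrong one
    Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($c.Want -ne $null) {
        New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType $c.Kind -Value $c.Want | Out-Null
    }
}
```

Log off and on again after -Fix so Explorer re-reads the policy values.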
1. Viruses are smart too. They can disable regedit as well. Whether it disables yours is another issue altogether. Different versions of the same virus will differ slightly. For the easy version, use your fix; if it blocks everything, use an automated fix or other third-party tools that will allow you to open regedit (such as Registrar), a command prompt (third-party cmd) and show hidden files (third-party Windows Explorer). If skilled enough, write VBS to fix it. Requires no reboot most of the time, but if not done properly and it causes the virus to regenerate, then your VBS is also no use.
2. Group Policy editor is not available on all versions of Windows.
Only these versions have it:
Windows 2000 Professional
Windows XP Professional
Windows Vista Business and above
Windows 7 Professional and above
3. Too easy to work around all your fixes. You need to understand Windows and the virus to remove it properly. You also need some basic understanding of securing Windows to stop such infections.
You're right, some Windows versions don't support Group Policy (network management things). What I know are the home editions. But I heard there are workarounds; I happened to run through it on a Microsoft website.
What I understand (I'm not sure if I'm entirely right): however smart the virus maker is, he will still be obliged to use the native language of the OS. That's what makes a virus curable (understandable): any programmer can analyze what a virus does and can prevent or reverse its effect entirely. Some gurus, I heard, will use decompilers for that because most viruses are compiled or encrypted. As I said, virus makers are smart. They don't want their code easily analyzed by what you called third-party antivirus programmers.
One more thing: all viruses do are the things that are allowed by the OS (e.g. making changes in settings, making copies, creating folders etc.). Those actions can be done by the user, whether basic or advanced. It's just that most users don't know how to use them or don't care at all.
What makes a virus annoying to a user is that the user doesn't know everything, especially the advanced settings. But anyway that is not the reason why a user buys and uses a computer. A lot just want to use the simple things. They don't care to learn the advanced (mind-boggling) things.
Most of the things a virus does are things a user would do in navigating Windows. But instead of using the GUI, a virus opts to code the settings, e.g. in VBS or VB. Once the virus code is analyzed, the virus will have no chance to regenerate at all unless the user allows it to do it again, or antivirus programmers do not fix it. All the virus does is written in its code. Some cures written in VBS are just the reverse of what it's doing. That's why it's important for antivirus programmers to read the virus code. All viruses are no match for the antivirus programmers. They can only exploit the ordinary users who don't know everything about the OS.
There are some virus codes I found on the internet, some written in VBS; it's fun to understand what they do. Some are very tricky, but most of them just multiply themselves and hide their copies inside your PC. Some wait and scan periodically for a thumbdrive to be inserted and then copy themselves to it. Some put an autorun.inf file so that when the user opens the thumbdrive on another PC it can copy itself to the root of the OS. Most of them just alternate copies of themselves from thumbdrive to PC and vice versa. Some add, change or modify settings in the registry while doing this.
As I understand it, they're just scripts, but their purpose is to do unwanted and annoying things instead of doing helpful things for the user. Anybody who knows how to program can make a virus if he opts to. Virus makers are programmers, but they're on the opposite side.
What I understand is that third-party tools, e.g. Registrar, are doing the same thing as you do manually. For example, if you do this manually on your PC:
Click Start - Run. In the Run dialog box type "gpedit.msc", click OK. In the Group Policy dialog that opens, under "User Configuration" - "Administrative Templates", highlight the word "System" with a click. In the right pane find the entry "Prevent access to registry editing tools", double click it and set the "Disabled" radio button. Click "OK".
This is approximately what the third-party tool is doing, but in VBS code. So you will only click once and the code will execute it with no hassle. Here is a link for an example; download the file and edit it so the code will show in Notepad:
What I know are the home editions. But I heard there are workarounds; I happened to run through it on a Microsoft website.
I don't think MS ever published any workarounds for things they never wanted to be around. The closest one can come to tweaking Windows without the Group Policy editor is using regedit, but it requires the user to be advanced.
Or use XP PowerToys. It can set some, but not all.
The last method would be to use third-party administrative tools, which have the same effects.
What I understand (I'm not sure if I'm entirely right): however smart the virus maker is, he will still be obliged to use the native language of the OS.
Don't understand, but he definitely has to code in a way that the OS understands - that means using the Windows API, and not Mac or Linux APIs.
That's what makes a virus curable (understandable): any programmer can analyze what a virus does and can prevent or reverse its effect entirely. Some gurus, I heard, will use decompilers for that because most viruses are compiled or encrypted. As I said, virus makers are smart. They don't want their code easily analyzed by what you called third-party antivirus programmers.
It's easier said than done. Some even come with anti-everything: no debugging, no decompiling, etc.
One more thing: all viruses do are the things that are allowed by the OS (e.g. making changes in settings, making copies, creating folders etc.). Those actions can be done by the user, whether basic or advanced. It's just that most users don't know how to use them or don't care at all.
As long as permissions allow, that is. The problem is most users run with administrative rights; that's why those actions are allowed. Some people have reported that by using an account with restricted rights, it reduced the number of such issues occurring.
That's one issue. The second issue is exploits. This is outside of users' control, especially when MS has not patched it. It's getting quite common these days. These exploits cause the software to give them more rights than required, which causes certain problems.
The last issue is convenience. Some of these issues happen because it's simply too convenient. ActiveX and JavaScript can do wonderful stuff, but so can people with other ways of thinking. Balancing both is not an easy task.
Most of the things a virus does are things a user would do in navigating Windows. But instead of using the GUI, a virus opts to code the settings, e.g. in VBS or VB. Once the virus code is analyzed, the virus will have no chance to regenerate at all unless the user allows it to do it again.
Not true. If I analyze the virus and it then has no chance to regenerate, that would be good. But that doesn't happen. It needs to be cleared.
But clearing it requires understanding of Windows. It's not as simple as deleting files or resetting the registry settings.
Imagine this:
You have analyzed a building for security issues. You found two issues and fixed them. But you didn't realize that there's another backdoor, and somebody found out about it. One fine day he decides to rob the building, even though you had someone guarding all the exits.
Even after educating the user and fixing everything, Windows still has other goodies that will cause it to auto-regenerate.
What I understand is that third-party tools, e.g. Registrar, are doing the same thing as you do manually. For example, if you do this manually on your PC:
Click Start - Run. In the Run dialog box type "gpedit.msc", click OK. In the Group Policy dialog that opens, under "User Configuration" - "Administrative Templates", highlight the word "System" with a click. In the right pane find the entry "Prevent access to registry editing tools", double click it and set the "Disabled" radio button. Click "OK".
No. I don't mean that. Using a third-party tool is for when the Windows tools are blocked. Of course, you can simulate the same effect through the Group Policy editor, but not all of the effects desired. The Group Policy editor, to some extent, is still quite limited, unless you change the templates, which is not quite easy.
Modifying the registry gives you a direct advantage. What you are able to do with the Group Policy editor may or may not give you the full damaging/fixing powers compared with modifying the registry.
You are right in saying that there's always a way for viruses to attack. That's true. But talking only of one virus: all that virus does is written in its code, all the files it created and the settings it tweaked. So if an antivirus programmer reads and analyzes it, he can completely reverse it, and that virus is virtually dead. What you mean is the virus maker will make another virus. That is true. That will never end.
What I thought is that when I make some changes in Group Policy or other settings manually, the OS conveniently adds the registry keys automatically. I mean it is always the other way around: when I make changes the OS writes the corresponding registry entries, and when I tweak the registry the OS will automatically change the manual settings. I thought they are in one place but can be accessed many ways.
Third-party antivirus tools, I think, are a compilation of all the tweaks to clean, secure and check all OS settings. That's what makes these tools very handy in solving OS glitches. But I think all these compiled tweaks of a third-party application do is just the things that can be done manually, tweaking registries etc... although there might be some settings that cannot be done manually without permissions. But with permissions it's still possible.
Because if all these settings needed permission then I think no programmer could make a virus.
Pardon me. I mean if a virus maker with administrative rights is able to tweak those settings without permission, then anybody with administrative rights can untweak (reset) them also without permission.
What you mean is the virus maker will make another virus.
Nope, I don't mean this. I mean this - Windows autostart locations. This is what causes them to regenerate even after deleting the files and undoing the registry settings. Without clearing the loading point, it will regenerate. That's why clearing the files and undoing all the negative settings it did is not enough. This is just the basics. Nowadays they are more advanced...
The concept is similar to the antibiotics concept. For you to be completely cured, you need to finish the whole course of antibiotics as prescribed by the doctor. If you didn't finish it, there's a chance that it may regenerate and make you sick again.
While it's all basically code, you need to read and understand the code to produce a fix for it. It won't die just because someone analyzed it.
Pardon me. I mean if a virus maker with administrative rights is able to tweak those settings without permission, then anybody with administrative rights can untweak (reset) them also without permission.
Of course. Provided you are able to use the tools to reset them.
From my 19 Oct post:
"...please delete the virus shortcut in C: documents and settings_your user name_startmenu_programs_startup..."
This is one of the Windows autostart locations. This can also be done in the registry.
Some other autostarts are also found in the registry too.
And to completely remove the virus (19 Oct):
"...the virus is inside a hidden folder inside the system32 folder in c:\WINDOWS. please delete..."
Creating these files and tweaking these reg entries are all coded in the virus, so if it is analyzed, and provided one has a complete understanding of the OS and knows how to use the right tools, then all the autostart entries and files created by the virus can be located and removed. The virus cannot start again.
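The autostart locations the two posts above keep coming back to (the Startup folder and the Run/RunOnce keys), as an added PowerShell listing script that is not from the thread. It assumes XP-era locations only; it reports, follows .lnk shortcuts to their real target, and flags entries whose target is missing or sits under a hidden folder such as the system32 example quoted above, but removes nothing.

```powershell
# Added example, not code from this thread: lists the XP-era Windows autostart
# locations discussed above (Startup folders, Run/RunOnce keys) and flags
# entries whose target is missing or sits under a hidden folder. Report only.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$shellFolders = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$startupDirs = [Environment]::GetFolderPath('Startup'),
               (Get-ItemProperty -Path $shellFolders).'Common Startup'

function Get-TargetPath([string]$Command) {
    # Executable part of a Run value: "C:\a b\x.exe" args  or  C:\x.exe args
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-HiddenPath([string]$Path) {
    # True when the file or any directory above it carries the Hidden attribute
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    $dir = if ($item.PSIsContainer) { $item } else { $item.Directory }
    while ($dir) {
        if (([int]($dir.Attributes -band [IO.FileAttributes]::Hidden)) -ne 0) { return $true }
        $dir = $dir.Parent
    }
    return (([int]($item.Attributes -band [IO.FileAttributes]::Hidden)) -ne 0)
}

$rows = @()
foreach ($k in $runKeys) {
    $key = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
        if ($cmd) { $rows += New-Object PSObject -Property @{ Where = "$k\$name"; Target = (Get-TargetPath $cmd) } }
    }
}
$shell = New-Object -ComObject WScript.Shell   # resolves .lnk shortcuts to their targets
foreach ($d in $startupDirs) {
    foreach ($f in (Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })) {
        $t = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { '' }
        if (-not $t) { $t = $f.FullName }
        $rows += New-Object PSObject -Property @{ Where = $f.FullName; Target = $t }
    }
}
foreach ($r in $rows) {
    $r | Add-Member NoteProperty Exists (Test-Path -LiteralPath $r.Target)
    $r | Add-Member NoteProperty Hidden (Test-HiddenPath $r.Target)
}
$rows | Sort-Object Hidden -Descending | Format-Table Hidden, Exists, Where, Target -AutoSize
```

A row with Hidden = True, or one whose Where is the Startup folder and whose Target is under system32, is the loading point to clear before deleting the files, so the cleanup does not come back on the next reboot.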
Yes, after understanding (analyzing) the code it has to be reversed, not just analyzed.