Pendrive autorun viruses

Follow these tips to avoid infections from pendrives, and see the tips further down on how to remove autorun-based viruses.

  • Always scan the media before accessing its contents, and keep your antivirus up to date. If the icon of the media has changed from the default drive icon to a folder or something else, you are carrying an infection in your drive.

  • Instead of auto-running the device, click on Explore; this stops malicious code from being executed by mistake if it has escaped the antivirus database. When you right-click your media, if "Autorun" appears at the top of the menu instead of "Open", or an entry in some unknown language is displayed, be certain you have a virus waiting to execute on double-click.
  • Beware of suspicious-looking files. Always uncheck the "Hide extensions for known file types" option in Folder Options. This lets you keep an eye on suspicious items such as a "folder" with a .exe extension, a media file with a .avi.exe extension, etc. The same applies to new folders that pop up out of nowhere. Virus files usually set the super hidden attributes on themselves to avoid being seen.

Note: Super hidden files are system files, i.e. those files that only become visible when you go to Tools > Folder Options > View, tick "Show hidden files and folders" and untick "Hide protected operating system files". In DOS this is called the SH attribute (SYSTEM + HIDDEN), nicknamed super hidden.

After enabling "Show hidden files", unchecking "Hide protected OS files" and unchecking "Hide extensions", delete all "folders" carrying a .exe extension. Also delete the COM and BAT files and the RECYCLER folder on the pendrive.

Note: The RECYCLER folder is present on NTFS volumes; it is the space allotted to the Recycle Bin for that drive. A RECYCLER folder on your partitions is a system folder which stores the files in your Recycle Bin. But files deleted from a pendrive are permanently deleted and do not go to the Recycle Bin, so there is no legitimate system RECYCLER folder on a pendrive. Also, pendrives are usually formatted with FAT, and on FAT there is no RECYCLER folder; it is called RECYCLED there. Thus any RECYCLER folder on a pendrive has a trojan inside it, which is usually run by an autorun.inf file.

  • Keep track of the files you have on your pen drive/hard disk. Avoid innocently opening any new file with a suspicious extension.
  • There may be occasions when opening folders on your pendrive takes a very long time. Point at a folder and check its size. If a folder containing a movie shows a size of 300 KB to 1 MB, your pendrive and your PC are now infected. When these viruses enter a pendrive they hide all the folders in it and drop their offspring: .exe files that carry a folder icon and the names of your folders. Whenever you double-click one of these files, tricked into thinking it is your folder, the code executes and then the virus opens the real folder, which is hidden, to avoid suspicion.

Or, on a luckier occasion, your antivirus detects a lot of infections while scanning the pendrive before access and deletes them, but on opening the pendrive you find all your folders missing. They are actually super hidden now.
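The three tell-tales described above (an autorun.inf in the drive root that launches something, .exe files named after sibling folders, and double extensions like .avi.exe) can be checked for mechanically. The script below is an added example, not code from the original post: it builds a throwaway directory tree that imitates an infected pendrive (all file names and the autorun.inf contents are constructed) and reports what it finds. The super-hidden check only has an effect on Windows, where Python exposes the Hidden and System attributes; elsewhere it reports nothing.

```python
"""Scan a removable-drive root for autorun-worm indicators (added example)."""
from __future__ import annotations

import configparser
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Extensions the Windows shell executes on double-click, and the "decoy"
# extensions worms place in front of them (holiday.avi.exe).
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}
DECOY_EXT = {".avi", ".mp3", ".mp4", ".jpg", ".doc", ".pdf", ".txt"}
# autorun.inf keys that make the shell launch a program (configparser lowercases keys).
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}
SUPER_HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def parse_autorun(text: str) -> list[str]:
    """Return the launch directives found in an autorun.inf body (INI syntax)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in LAUNCH_KEYS:
                hits.append(f"[{section}] {key}={value}")
    return hits


def is_super_hidden(path: Path) -> bool:
    """True when both Hidden and System are set; st_file_attributes exists only on Windows."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return attrs & SUPER_HIDDEN == SUPER_HIDDEN


def scan_drive(root: Path) -> dict[str, list[str]]:
    """Walk the drive and collect the indicators described in the post."""
    findings: dict[str, list[str]] = {
        "autorun_launch": [], "folder_impersonation": [],
        "double_extension": [], "super_hidden": []}
    inf = root / "autorun.inf"
    if inf.is_file():
        findings["autorun_launch"] = parse_autorun(inf.read_text(errors="replace"))
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for d in dirnames:
            if is_super_hidden(Path(dirpath, d)):
                findings["super_hidden"].append(Path(dirpath, d).relative_to(root).as_posix())
        for name in filenames:
            path = Path(dirpath, name)
            suffixes = [s.lower() for s in path.suffixes]
            if not suffixes or suffixes[-1] not in EXEC_EXT:
                continue  # not something the shell would execute
            rel = path.relative_to(root).as_posix()
            if path.stem.lower() in sibling_dirs:          # Movies.exe beside Movies\
                findings["folder_impersonation"].append(rel)
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXT:  # holiday.avi.exe
                findings["double_extension"].append(rel)
    return findings


def build_sample_drive() -> Path:
    """Construct a throwaway tree imitating the infected pendrive described above."""
    root = Path(tempfile.mkdtemp(prefix="pendrive_"))
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=RECYCLER\\setup.exe\nicon=%SystemRoot%\\system32\\shell32.dll,4\n")
    (root / "Movies").mkdir()
    (root / "Movies" / "trip.avi").write_bytes(b"\x00" * 64)
    (root / "Movies.exe").write_bytes(b"MZ" + b"\x00" * 62)       # folder-icon decoy
    (root / "Photos").mkdir()
    (root / "holiday.avi.exe").write_bytes(b"MZ" + b"\x00" * 62)  # double extension
    (root / "notes.txt").write_text("harmless")
    return root


def run_demo() -> dict[str, list[str]]:
    """Build the sample drive, scan it, and remove it again."""
    root = build_sample_drive()
    try:
        return scan_drive(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(f"{kind}: {items or 'none'}")
```

On a real drive, call scan_drive(Path("X:/")) with your drive letter; anything listed under autorun_launch or folder_impersonation is what the attrib and deletion steps below are meant to clean up.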

If you find that your system isn't showing you hidden/super hidden files, your system is in the grip of an infection, or an infection has made a malicious entry in the system registry.

First download Malwarebytes, install it and run a full scan. Then download the registry defaults tool and run it to restore the registry defaults; this re-enables the disabled features. Restart to fix the issue.

If you want to change the attributes of the SH folders and files back to normal, it usually can't be done through the file/folder Properties dialog. Use the command prompt and the attrib command instead. Open a new cmd window and run this command:

attrib -s -h -r X:\*.* /s /d

where X: is the drive letter of your removable media.

  • If you end up executing suspicious code, check in Task Manager whether a new process is running. It can be stopped temporarily from there, but the damage to the registry can't be easily undone. Use an application like Process Manager if you find your Task Manager has been disabled. Use KillBox to delete the malicious file. If you aren't comfortable removing it manually, scan the PC with Malwarebytes.
  • Try to recognize the processes in Task Manager from time to time, especially when you install new applications. This helps you identify foreign processes in case of a virus infection. Enthusiasts can use the application InstallRite to keep an eye on all files and registry entries copied by an application install. Half the job is done once you have identified the virus among the processes.
  • Create a folder named AUTORUN.INF in all your drives and hide it for convenience (e.g. create the folder at the root of the C: drive, another at the root of D:, etc.). This makes sure that malicious code isn't able to autorun when the drives are double-clicked. The same applies to your pendrives: create a folder of that name to prevent malicious code from executing.

Note: Many viruses that spread from flash drives use the autorun mechanism to spread. They copy themselves to the target drive and create an autorun.inf file containing code that makes the virus execute whenever the drive is double-clicked (note carefully: it is a file, not a folder). If a folder named AUTORUN.INF is already present in our drives, the autorun.inf file made by the virus can't be created, since a folder and a file can never have the same name at the same location. A file can replace a file and a folder can replace a folder, but a file can't replace a folder. Hence, even though the virus copies itself to your pendrive/system drives, it isn't executed even on double-clicking the drive.
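The name collision the note relies on can be demonstrated directly. The script below is an added example, not code from the original post: it uses a constructed temporary directory as the drive root, shows that an autorun.inf file can be written there before the folder exists and cannot be written once the AUTORUN.INF folder is in place, and sets the Hidden and System attributes on the folder when run on Windows (the "hide it for convenience" step). Two caveats a practitioner should keep in mind: the collision only works on a case-insensitive filesystem such as FAT or NTFS under Windows (on Linux, "autorun.inf" and "AUTORUN.INF" are different names), and anything that already has write access to the drive can delete the folder, so this blocks the autorun.inf vector but does not remove the infection itself. Windows 7 and later no longer honour autorun.inf launch directives on USB drives at all.

```python
"""AUTORUN.INF folder 'vaccination' demonstrated on a constructed drive root (added example)."""
from __future__ import annotations

import os
import shutil
import stat
import tempfile
from pathlib import Path


def vaccinate(drive_root: Path) -> Path:
    """Occupy the name AUTORUN.INF with a folder so that no file of that name can be
    created. Refuses to run if a real autorun.inf file is already present, because
    that file has to be inspected and deleted first (see the note above)."""
    marker = drive_root / "AUTORUN.INF"
    if marker.is_file():
        raise RuntimeError(f"{marker} is a file, not a folder: delete it first")
    marker.mkdir(exist_ok=True)
    if os.name == "nt":
        # Hide the folder like the post suggests: set Hidden + System (Windows only).
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(
            str(marker), stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM)
    return marker


def try_drop_autorun_file(drive_root: Path) -> bool:
    """Attempt to create an autorun.inf file in the root, as a worm would.
    Returns True if the write succeeded (root unprotected) and False if the
    folder of the same name blocked it."""
    target = drive_root / "AUTORUN.INF"
    try:
        with open(target, "w") as fh:
            fh.write("[autorun]\n")  # constructed placeholder body
        return True
    except OSError:
        # IsADirectoryError on POSIX, PermissionError on Windows: the name is taken.
        return False


def demo() -> tuple[bool, bool]:
    """Return (write succeeded before vaccination, write succeeded after)."""
    root = Path(tempfile.mkdtemp(prefix="drive_"))
    try:
        before = try_drop_autorun_file(root)
        (root / "AUTORUN.INF").unlink()  # remove the file the first attempt created
        vaccinate(root)
        after = try_drop_autorun_file(root)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = demo()
    print(f"autorun.inf written on unprotected root: {before}")
    print(f"autorun.inf written after AUTORUN.INF folder exists: {after}")
```

To protect a real drive, call vaccinate(Path("X:/")) for each drive letter; the function raises rather than silently coexisting with an existing autorun.inf file, which is the case where the drive is already infected and the deletion steps below apply.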

If your drives aren't opening on double-click, or open in a new window, there must be a super hidden autorun.inf file in your drive root. Search for it, delete it and restart; this fixes the problem. You can also use KillBox to delete autorun.inf files, as shown below:

  • Ever annoyed by a file not getting deleted or renamed, or a pendrive not being safely removed because of a "file in use" error? The solution is Unlocker. This little tool installs an Explorer extension that becomes visible when you right-click a file or drive. Unlocker displays all the processes using (or locking) the file/folder/drive. Such a locking handle can prevent the file from being deleted or renamed, or prevent the pendrive from being safely removed with a "drive/file in use" error. In that case, just right-click the object and click Unlock. A list of applications using the object is displayed. Click "Unlock all" and proceed.
  • Keep an eye on applications registered at startup using the tool Autoruns. Find them in the Logon tab. If you ever feel you executed a malicious file, check the startup entries and delete the malicious file's autorun entry (remember to look at the key too, since it points to the location of the malicious file, which also has to be deleted).

11 Responses

  1. very good information… thanks a lot…

  2. cool site dude! really awesome, I really liked the topics that you have chosen to put in your blog! But don't write posts of this much length, make it a little bit shorter covering the content within that, cuz when someone who doesn't have knowledge about PCs views the post he should not feel dozed off by seeing such big content! geez keep rockin'!

    • Hey thanks dude… I agree with your opinion; I have noticed that a few posts which cover a group of topics can be put into parts, each specific to one. Thanks for the advice!

  3. Great post buddy !!

  4. Gr8 work dude, keep posting like this, this has solved a lot of my problems. Do you have anything so that I can keep in touch with your posts?

    • Thanks! You can follow me on Twitter, or subscribe through e-mail, or else follow on Facebook. Any new post will be automatically intimated. All subscriptions are shown in the right side column.

  5. very good info

  6. I am posting this from a different computer. The other computer starts with regsvr.exe, which first started saying I have no authorisation, then switched to reporting that Windows cannot find regsvr.exe etc. Clicking on icons on the desktop ends with a query to choose a programme to open this. Trying to start anything via RUN also results in "choose a programme to open with" (this is what I get for regedit, msconfig, etc.). Clicking any folder in Control Panel gives me only two options, to open or delete. Open again gives "no programme is associated with the folder for opening", and I am prompted to associate a programme to open the folder using folder options. This is for all folders except Accessories and Administration, which also only display the sub folders available. Nothing further can be done.

    Connecting to the internet is totally out of the question, as Device Manager puts a yellow marker on the ethernet card drivers, media drivers, etc. "No drivers available" is the report.

    How do I solve this problem? Please help.

    Incidentally this problem started after installing AVG 9.0 Free edition. The programme was used to scan by right clicking the drive and choosing Scan with AVG in the dropdown menu. After completion of the scan it reported 280 contaminations and deleted them. From the next reboot all these problems started.

    Kindly advise. Thanks.

    • Hi! Your PC is badly roughed up by malware. Firstly, use the exe fix reg entries to restore the exe association defaults. This must allow you to run programs. Then run the RatsCheddar tool and restore the other settings.

      Also download the tool called "Dial-a-fix" and run it. Fix all the settings given there; it also lists out buggy registry entries, delete them.

      Run the tool "Autoruns" and, in the Winlogon tab, delete the entries with a "file missing" error beside them; this will fix the regsvr error.

      Install Malwarebytes and run a full scan now. This must help you out. Else, read the Get Remote Help section and post me your system log using RunScanner.

      Good luck !

  7. whhoo!! it helps.. thanks a lot.. 🙂

  8. thanks a lot! 🙂
