More USB Virus tips
FIRST - ALWAYS flip the tab on your card to read only then plug it in. If the PC has an error like "unable to write to disc" then this is a sign of a virus. But your files are safe you can copy them to the PC. Now if there is no error and you need to change or delete the files unplug the memory card, flip the tab off "read only" and plug it back in.
2. I came across a prog against USB viruses http://forum.lowyat.net/topic/483643 download Flash_Disinfector.exe it cleans and protects, disables autoruns
3. I always use Task Manager to see if any nasty progs are running. I can close them and then use Run:Msconfig to stop them coming back.
- From the web I found this info page on stopping tasks
- Right-click "My Computer", Select "Manage"
- Select an item and click the Stop button (just like the Stop button on a DVD player) to... well, stop the program.
- Windows has some default protection built in, so you won't be able to stop everything... but do be careful - anything that's required has to remain running.
- After that, close the window, and hit CTRL-ALT-ESC to open the Task Manager. Select the Processes tab, and find things like acroread.exe or other adobe files - they're memory hogs. Right-click, and select "End Process"
- Check this page: (http://www.tweaksforgeeks.com/EssentialP... ) to see which processes you do absolutely NOT want to end that way.
- USB VIRUS BLOG : Been coming across a lot of USB virus problems this is a compilation page
- Indonesia 2007 - see pc341a about the "hide all your files virus"
- KL spring 2008 - The Cybercafe has another tough virus which puts the cmd.exe file on your stick
Also I recommend virusscan.jotti.org great tool for checking viruses it takes your suspected file and runs it through various checkers
- KL Spring 2008 new virus - locks taskmanager on the PC
- actually Spybot detects it as malware and removes it. I got it off one PC, but on another it comes back after reboot. I think it hides as "protection bar" or in google toolbar. Yes I got it, but it's tricky. You switch off scripts, delete googletoolbar & all the other crap in the startup with msconfig.exe, but still it comes back. Since the virus file is hidden in RVhost.exe, I had to move the existing file (it won't let me delete it), use notepad to create a new blank RVhost.exe in the place of the old one, and set the properties to read only. That way the virus can't put it back or use it to change the startup.
- 11th January 2009 Alman Virus
- Just got a new USB virus. Cos there was no slot in my PC, the owner grabbed my memory stick and stuck it in his PC. I tried to stop him, but it came back with boot.exe on. The next PC detected this as the alman virus. What it does is search for exe files and inserts the virus code at the beginning of each. It's not easily cleaned by anti-virus programs. I downloaded a fix from AVG, which does clean it. Run it from windows and it takes time to search the whole PC so it's faster if you run it in DOS as you can select the drive/folder to search RMALMAN.exe F:/folder2 etc.
- Some of the files on my stick are Pocket PC exe's and it didn't clean them.
- Recent spyware/virus I have seen
- also I just saw 3B_password_viewer.exe running
- iph.exe a pendrive virus
- unvise32.exe keylogger
- 27/1/09 Sure Sign of a virus : Task Manager has been disabled
- I found that you can re-enable the task manager through gpedit.exe and in the system policies/ task manager option disabling the ability to disable task manager.
- Though this virus must be strong cos I had to disconnect from the network to do this. Even after all this something was trying to write to my memory card the second time, fortunately it was set to read only. I noticed from looking at Task Manager that the virus generates progs with random names.
some good tips and routines to re-enable task manager etc
- 29th January Viruses hiding inside USBCillin.exe
- Another Cybercafe another USB virus writing files to my memory stick .. I am suspicious of this USBCillin.exe I think someone has adapted it to hide a virus as it wrote itself to my stick with the wrong date and this is the second time I have seen this ...
- "new worm virus Our advice is to block all incoming and outgoing traffic on port 445 from those computers to ensure that".. How ?
- Jan 30th Can we use disk imaging to protect ?
- cyber should be using Deepfreeze from Faronics $45 per year https://store5.esellerate.net/store/checkout/CustomLayout.aspx?s=STR1066199390&pc=&page=OnePageCatalog.htm
- http://selfimage.excelcia.org/ disk imaging software
- but could you partition the disk to put the system files on one drive and then write-protect it ?
- Feb 09 - there is a removal tool gets rid of Not valid windows sign
- then set to manual update .. and deselect VGA
- March 09 - regsvr.exe
- this one's a bastard as it deactivates some of the tools needed to fix it, but it's based on the old technique of making exe files with the same name as your folders.
- here's a good fix: regsvrexr-or-autoruninf-virus fix
- April 27 09 - iframe virus / false detect HTMLIframe-inf
Twice in 2 days I have seen this
- There was a virus which infects webpages : It inserts an iframe code into a webpage, which connects to some malicious software on a Chinese server which tries to run on your machine.
- So Avast anti-virus to counter this problem blocks all sites which have iframe codes which refer to another domain which is not the webpage's. Trouble is some webtraffic analytic tools seem to use this iframe thing. So if a site uses them then it seems to be often blocked by Avast.
- Nov 2012 - fix for Windows blackscreen
- You boot up into Windows, but all you can see is a blackscreen with no desktop or start button. This is caused by a virus or something causing the program explorer.exe NOT to run at startup.
Solution : click ctrl/alt/delete to get task manager to appear. Click top left and run process explorer.exe. So you'll be back into windows normally. Click START Accessories/SystemTools/SystemRestore to reset windows to a time before you had the problem (probably best to switch off your antivirus by right clicking on its icon on the bottom right of the screen.)
- Now click START Accessories/Command and type Msconfig to remove any suspicious progs from the startup list end running processes.
Now when you restart the PC everything should be OK.
- Nov 2012 - "free" antivirus prog that came with your PC expires
Windows Fix 2 : for when the "free" antivirus prog that came with your PC expires & keeps telling you you need to purchase an upgrade. Just go into ControlPanel/Software and completely remove the prog and then switch on Bit Defender the anti-virus prog that's built into Windows these days. Of course if you have an illegal copy of windows this method doesn't work and you have to download a free anti-virus prog like Antivir
Memory cards/ipods at cybercafes - CAREFUL
Apologies, I don't make a habit of sending out bulk emails. If you don't use memory cards/sticks/ipods, or you only use them on your home PC, don't worry, ignore this mail.
If you do use them... Be careful there's a memory card virus epidemic around. Usually you won't even realise your card is infected it might not make any difference to your camera mp3 player or phone, but it will just pass it onto the next PC you connect it to. I already meant to warn everybody about this problem after my memory card was wiped by a virus in a cybercafe in Indonesia, but today I noticed that a normally reliable cybercafe in KL had a problem. I tested my own memory card and sure enough it got contaminated with the same type of virus as before. Even though I knew what I was doing it took me a while to remove it. And when I removed it from the PC it came back next reboot.
0. I noticed that most viruses seem to put a hidden file called autoexec.exe (or is it autorun.inf ??) So what I do is create a file called autoexec.exe in notepad. I put this on the memory card and change it to "read only". That way the virus can't put an autoexec.exe on my stick as it already has one.
1. FLIP THE TAB TO "Read Only" So I would advise that before you connect your card to computers other than your own, that you make a habit of flipping up the little tab on your card to "write protect" or "Read Only". You'll still be able to copy files to the PC, but it stops files or viruses being written to your card. With "Read Only" on you won't be able to delete or take new photos so when you have finished on the PC flip the tab back down before you put it back in your camera then delete the unwanted photos from there.
I pointed out the problem to the manager, he thinks a customer came in with a card and it infected the entire network so they can't fix it today. When I pointed out that he should really tell people today not to use memory cards, he said no he couldn't afford to lose business. This is downright irresponsible to me as innocent customers are going to come up, catch the virus and spread it to the next cybercafe or PC.
2. BACK UP So make sure you have your important files/photos backed up, before you lose them to a virus.
3. TURN OFF VB The viruses make use of Visual Basic, but most people don't use the VB function on their home PC so one handy thing you could do is turn it off : If you know what you are doing then you can rename the vbscripting files in windows/system32 and change the "file associations" to make .vb files open with Notepad.
4. CHECK YOUR CARD The virus files hide themselves so to see if you have them on your memory card you have to "show hidden files". If you know what you are doing you can do this in File Explorer click the tab "tools/folder options", click view then set the thing to show all hidden files and show file extensions. The sign of a virus is a file called autorun.exe or boot.exe and files with the extension .dll or vbs. In normal circumstances those kind of files should not be on a memory stick, I delete them and it fixes the problem. Sometimes this is tricky cos they set themselves to "read only", and I right click/ properties to turn "read only" off.
5. BTW sometimes these memory cards fail. Don't reformat, use a program from the internet to get back your files.
6. If you can use notepad to create blank docs autorun.inf and cmd.exe and make them read only then a virus can't create autorun procedures on your stick
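
The manual check in tip 4 and the "exe files with the same name as your folders" sign from the March 09 note can be run as one read-only pass over the stick. This is an added example, not part of the original post or email; `scan_stick` and `build_sample_stick` are hypothetical names and the sample layout is constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

# Names and extensions the post treats as warning signs on a memory stick.
SUSPECT_NAMES = {"autorun.inf", "autorun.exe", "boot.exe", "cmd.exe"}
SUSPECT_EXTS = {".dll", ".vbs"}

def is_hidden(path):
    """Windows hidden attribute where the OS reports it, dot-prefix elsewhere."""
    attrs = getattr(path.lstat(), "st_file_attributes", 0)
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    return bool(attrs & hidden_bit) or path.name.startswith(".")

def scan_stick(root):
    """Return sorted (relative_path, reason) findings; nothing is deleted or run."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            stem, ext = os.path.splitext(name.lower())
            if name.lower() in SUSPECT_NAMES and Path(dirpath) == root:
                findings.append((rel, "autorun/boot file in root"))
            elif ext in SUSPECT_EXTS:
                findings.append((rel, "script or library file on stick"))
            elif ext == ".exe" and stem in folders:
                findings.append((rel, "exe named after a folder"))
            elif ext == ".exe" and is_hidden(path):
                findings.append((rel, "hidden exe"))
    return sorted(findings)

def build_sample_stick(base):
    """Constructed sample layout (empty files only) to exercise the scanner."""
    base = Path(base)
    (base / "Photos").mkdir()
    (base / "Docs").mkdir()
    for rel in ("autorun.inf", "Photos.exe", "Photos/img001.jpg",
                "Docs/notes.txt", "Docs/helper.vbs", "setup.exe"):
        (base / rel).touch()
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in scan_stick(build_sample_stick(tmp)):
            print(f"{rel}: {reason}")
```

Blank read-only placeholder files made as in tips 0 and 6 are listed too, since the check goes by name only.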