Cognoscis

Think. Understand. Apply

Newfolder.exe virus

Posted by cognoscis on 15th May 2009

Our college computers are infected with this virus, which spreads through pen drives. It modifies the autorun.inf file in the root of every drive, creates an .exe with the same name as each folder and hides the original folder, so opening what looks like the folder runs the virus instead. This is very annoying and slows down the system considerably. Here is the fix I found using a Google search.

 

First of all, you have to remove its primary weapon, autorun.inf. To do that, follow these instructions:

  • First, click Start >> Run
  • Type “cmd” (without quotes) and press Enter
  • Go to the root of the drive: type “cd \” (without quotes), or “cd..” repeatedly, until the prompt reads “C:\>”
  • There, type “attrib -h -r -s autorun.inf” (without quotes) and press Enter. This clears the hidden, read-only and system attributes the virus sets; without this step del refuses to remove the file
  • Type “del autorun.inf” (without quotes) and press Enter
  • Type “md \autorun.inf” (without quotes) and press Enter. This creates a folder of the same name, so the virus cannot drop a new autorun.inf file there
  • This must be repeated on all drives. To change drive, just type “d:” (without quotes) or “e:” (without quotes) and so on

Now let's remove it from the startup

  • Click Start -> Run, type msconfig and click OK
  • Go to the Startup tab, look for the regsvr entry, uncheck it and click OK
  • Click on Exit without Restart, because there are still a few things we need to do before we can restart the PC
  • Now go to Control Panel -> Scheduled Tasks and delete the At1 task listed there

 

Now the gpedit part. gpedit.msc is not included in XP Home; if that is your edition, you will have to download and install it. You can do it from here. Once done, follow these instructions:

  • Click Start -> Run, type gpedit.msc and click OK
  • Go to User Configuration -> Administrative Templates -> System
  • Find “Prevent access to registry editing tools” and set it to Disabled

Once you do this, you have registry access back and can change the values the virus altered. (This policy is nothing more than the DisableRegistryTools value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System; the command-line tool reg.exe, which the policy does not block, can remove that value too if gpedit is not available.) Please take a backup before editing the registry (File -> Export in regedit).

  1. Click Start -> Run, type regedit and click OK
  2. Go to Edit -> Find and search for regsvr.exe
  3. Delete all occurrences of regsvr.exe. KEEP IN MIND that regsvr32.exe is a legitimate Windows file and is not to be deleted. Delete regsvr.exe occurrences only.
  4. In one or two places you will find it after explorer.exe (the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon). In those cases delete only the regsvr.exe part, not the whole value. E.g. for Shell = “Explorer.exe regsvr.exe”, delete regsvr.exe and leave Explorer.exe; if you delete the whole value, Windows has no shell to start when you log in.

Once this is done, close the Regedit window. Now the final step in the removal process:

  1. Click Start -> Search -> For Files and Folders
  2. There, click “All files and folders” and choose all your drives under “Look in”
  3. Type “*.exe” (without quotes) as the file name to search for
  4. Click the “When was it modified?” option and choose “Specify dates”. For example, type 1/1/2009 as the from date and 1/2/2009 as the to date. This depends on when your folders were modified.
  5. Now hit Search and wait for all the .exe files to show up.
  6. Once the search is over, select the .exe files and Shift+Delete them. Take care not to delete a legitimate .exe file that you installed on 1st Jan.
  7. Selecting a lot of files together might make your computer unresponsive, so delete them in small bunches.
  8. Also find and delete regsvr.exe and “svchost .exe” (notice the extra space between svchost and .exe; the real svchost.exe has no space and lives in C:\Windows\System32, so leave that one alone).
  9. Delete the .exe files that carry folder names first, as those are what this virus creates. Examine every other .exe carefully before deleting it.
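As an added example (not part of the original post), here is a batch script for Windows XP's cmd.exe that checks the places the steps above walk through and, when run with the /fix argument, repairs them: the Winlogon Shell value, the Run keys in both hives, the regedit lock-out policy, the At1 scheduled task, and the folder-name .exe decoys next to hidden folders. The names regsvr.exe, At1 and the hijacked “Explorer.exe regsvr.exe” Shell value come from the post; the drive list C: to H:, the use of reg.exe and schtasks.exe, and the report/fix split are this example's assumptions. Run it from an administrator account.

```batch
@echo off
rem Added example, not from the original post: triage script for the steps
rem above (Winlogon Shell, autostart entries, the At1 task, the regedit
rem lock-out and the folder-name .exe decoys), for Windows XP cmd.exe run
rem from an administrator account.  Without an argument it only reports;
rem with /fix it also repairs.  The names regsvr.exe, At1 and the
rem "Explorer.exe regsvr.exe" Shell value are the post's; the drive list
rem and everything else here are this example's assumptions.
setlocal
set "MODE=%~1"
set "WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "POLSYS=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"

echo === 1. Registry persistence ===
rem Shell should read "Explorer.exe" only; the worm appends regsvr.exe to it
reg query "%WINLOGON%" /v Shell | findstr /i /l /c:"regsvr.exe" >nul && (
    echo [!] Winlogon Shell is hijacked
    if /i "%MODE%"=="/fix" reg add "%WINLOGON%" /v Shell /t REG_SZ /d Explorer.exe /f
)
rem Run keys in both hives. The legitimate regsvr32.exe does not match "regsvr.exe"
for %%K in (HKCU HKLM) do (
    reg query "%%K\Software\Microsoft\Windows\CurrentVersion\Run" 2>nul | findstr /i /l /c:"regsvr.exe" && echo [!] regsvr.exe autostart under %%K
)
rem The policy that greys out regedit; reg.exe itself is not subject to it
if /i "%MODE%"=="/fix" reg delete "%POLSYS%" /v DisableRegistryTools /f 2>nul

echo === 2. Scheduled task ===
schtasks /query | findstr /i /b /c:"At1" >nul && (
    echo [!] At1 task present
    if /i "%MODE%"=="/fix" schtasks /delete /tn At1 /f
)

echo === 3. Folder-name .exe decoys ===
rem The worm hides the real folder and drops "<folder name>.exe" next to it,
rem so list hidden directories on each drive and look for that pair.
for %%D in (C D E F G H) do if exist "%%D:\" (
    for /f "delims=" %%F in ('dir /b /s /a:dh "%%D:\*" 2^>nul') do (
        if exist "%%F.exe" (
            echo [!] decoy "%%F.exe" hides folder "%%F"
            if /i "%MODE%"=="/fix" (
                attrib -h -s -r "%%F"
                del /f /a "%%F.exe"
            )
        )
    )
)
echo Done. Reboot, then rescan with an up-to-date antivirus.
endlocal
```

Run it once without arguments to see what it finds, then again with /fix. Section 3 deliberately avoids the date-based search from the steps above: it only flags an .exe that sits beside a hidden directory of exactly the same name, which is the pattern this virus leaves, so legitimate installers from the same day are not touched. The findstr pattern “regsvr.exe” cannot match regsvr32.exe because of the “32” between the two parts.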

 

After this is done, reboot your system. Do a cold reboot, meaning shut it down, switch off the power, then switch it on and boot your system. Also download and install Avira Antivirus to counter this type of threat in the future.

 

Hope this helped you as it did me

Posted in Issues I faced | 2 Comments »

autorun.inf virus

Posted by cognoscis on 13th December 2008

One day I suddenly faced a new problem: whenever I double-clicked any drive, it opened in a new window. I tried to fix it with the usual methods.

 

Open Explorer and in it choose

Tools >> Folder Options. 

In the General tab, under Browse folders, select “Open each folder in the same window”

Click Apply and then OK

 

I tried the registry fixes too, but that didn't work!

 

Then I dug deeper and found that an “autorun.inf” file had been created in every drive. You have to turn on showing hidden files and protected operating system files in Folder Options to be able to see it. I then searched the net and found a solution that I would like to share here

 

  • First, click Start >> Run
  • Type “cmd” (without quotes) and press Enter
  • Go to the root of the drive: type “cd \” (without quotes), or “cd..” repeatedly, until the prompt reads “C:\>”
  • There, type “attrib -h -r -s autorun.inf” (without quotes) and press Enter. This clears the hidden, read-only and system attributes on the file; without it, del refuses to remove it
  • Type “del autorun.inf” (without quotes) and press Enter
  • Type “md \autorun.inf” (without quotes) and press Enter
  • This must be repeated on all drives. To change drive, just type “d:” (without quotes) or “e:” (without quotes) and so on

 

What the above does is delete the autorun.inf file from all the drives and create a directory of the same name. When the virus tries to copy itself to the drive again, it cannot, because a directory already exists under that name. Do the same to your pen drives to avoid being infected by the virus. Note that this only blocks a virus that simply copies its file in: code that runs with your privileges can delete the placeholder folder first, so treat it as a speed bump, not a defence. Once the spread of the virus is limited, you also need to stop Windows from acting on autorun.inf at all, which is a registry setting. To do that, follow these steps

 

  • Click Start >> Run
  • Type “regedit” (without quotes) and press Enter
  • In the registry editor, navigate as shown below. To navigate, click the “+” mark next to each name in the tree on the left side of the editor

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

  • In Policies, click on Explorer

  • Now, on the right side, find the value NoDriveAutoRun. If it is not there, right-click on the empty space below the present values and click New >> DWORD Value

  • Name it NoDriveAutoRun and press Enter

  • Double-click the value, set it to “FF” (hexadecimal) or “255” (decimal) and press Enter

NoDriveAutoRun is a bitmask over drive letters (bit 0 = A:, bit 1 = B:, and so on), so FF only covers A: through H:; to cover all 26 letters use 3FFFFFF (hex). The related value NoDriveTypeAutoRun, set to FF, disables AutoRun by drive type and so covers every drive regardless of letter. Also note that Explorer on XP did not fully honour these values for the double-click action until Microsoft's AutoRun update of February 2009 (KB967715); without it, double-clicking a drive still runs the command in autorun.inf.
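The following batch script is an added example, not part of the original post. It carries out the autorun.inf steps above (the same steps appear in the Newfolder.exe post) on every drive letter that is present, shows which executable a found autorun.inf points at before deleting it, and then disables AutoRun in the registry. It assumes Windows XP's cmd.exe, reg.exe and an administrator account; the key path and the value names NoDriveAutoRun and NoDriveTypeAutoRun are real, while the drive list, the 3FFFFFF mask, the extra NoDriveTypeAutoRun value and the HKLM copy are this example's choices, not the post's.

```batch
@echo off
rem Added example, not from the original post: does the autorun.inf steps
rem above on every drive letter present and then turns AutoRun off in the
rem registry.  Windows XP cmd.exe, administrator account.  A: and B: are
rem skipped so an empty floppy drive does not pop up a "no disk" dialog.
rem Key path and value names are real; the drive list, the 0x3FFFFFF value
rem and the HKLM copy are this example's choices.
setlocal
set "POL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do if exist "%%D:\" (
    echo --- %%D: ---
    if exist "%%D:\autorun.inf\*" (
        echo     autorun.inf is already a folder, nothing to do
    ) else (
        if exist "%%D:\autorun.inf" (
            rem A malicious autorun.inf names the dropped .exe in its open=,
            rem shellexecute= or shell\...\command= line; show it before deleting
            echo     autorun.inf file found, it points at:
            findstr /i /r /c:"^open=" /c:"^shellexecute=" /c:"command=" "%%D:\autorun.inf"
            attrib -h -r -s "%%D:\autorun.inf"
            del /f "%%D:\autorun.inf"
        )
        rem A directory of the same name blocks a plain copy of autorun.inf by the worm
        md "%%D:\autorun.inf"
        attrib +h +s +r "%%D:\autorun.inf"
        echo     placeholder folder created
    )
)

echo --- registry ---
rem NoDriveAutoRun is a bitmask over drive letters, bit 0 = A:, bit 1 = B: ...
rem The post's FF covers only A: to H:; 0x3FFFFFF covers all 26 letters.
reg add "%POL%" /v NoDriveAutoRun /t REG_DWORD /d 0x3FFFFFF /f
rem NoDriveTypeAutoRun works by drive type; 0xFF disables AutoRun for all types
reg add "%POL%" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xFF /f
rem Same value machine-wide so every account on this PC is covered
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xFF /f
reg query "%POL%"
endlocal
```

The findstr line is there so you learn the name of the dropped executable (the open= or shellexecute= target) before the file disappears; that name is what to look for in the Run keys and in the Winlogon Shell value afterwards. Running the script against a freshly inserted pen drive vaccinates it the same way.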

 

Now close the registry editor and restart the system. This solved my problems. I then made those autorun.inf folders hidden. Now, this works well but doesn't remove the virus entirely. Scanning the system with a good antivirus will help. But there are simply too many viruses that create autorun.inf after infecting. Also, not all viruses are detected and deleted: I use AVG and it failed to delete this particular virus. Even Avast failed. So far this is the best fix I have. If anyone else has other tweaks, please comment :)

Posted in Issues I faced | 1 Comment »