Removing Pen Drive Viruses

Tired of the viruses coming over and over again in your pen drives or removable media? Know where they come from and how to tackle them

By Amol Vyavhare

| Friday, September 05, 2008

Troubled by the viruses coming again and again on your pen drive or other removal storage devices? Well, read through and you would be able to remove them from your pen drive or other removable storage device.

Where does the virus comes from?

The virus may had come from a friend's computer or a net cafe you visited recently. Most of these viruses which spread themselves through removal storage media are at first loaded in the system itself. These viruses infect your removable storage drives as soon as you plug them in. Some of these create applications which have icons exactly similar to your folders. So, people often mistakenly double click them. This loads the virus in their system memory as well. Viruses may set themselves to autorun as soon as you plug in your removable device by which they are capable of infecting it and spreading further. I have mentioned a series of steps below which will help you prevent and remove viruses from your system and pen drives or whichever removable devices you have.

1. Remove them from the memory first

You need to find yourself a good antivirus scanner for this. I strongly recommend the ones below:

a) ZoneAlarm from ZoneLabs
b) AVG(Free)
c) Avira Antivirus(Free)

Most often these viruses get updated more quickly than anti viruses do, so we can use some other tools which can aid us in removing them from memory. With these tools, you can manually kill the viruses from the current running processes.

a) HijackThis
b) Gmer

If you are wondering which processes to kill, I would suggest you look out for this ones:

# 1.exe	# logon.exe	# slsk.exe
# actalert.exe	# lsas.exe	# sms.exe
# adm4005.exe	# lsass32.exe	# smsss.exe
# a.exe	# lssas.exe	# soproc.exe
# aq3hel~1.exe	# ma.exe	# spollsv.exe
# arupld32.exe	# matcli.exe	# spooler.exe
# asm.exe	# mediagateway.exe	# spool.exe
# asmonitor.exe	# mfc71.dll	# spools.exe
# backweb.exe	# microsoft.exe	# spoolsrv.exe
# bargains.exe	# mm.exe	# spoolsvc.exe
# basfipm.exe	# mmm.exe	# sqlserver.exe
# belt.exe	# mousedrv.exe	# sr.exe
# bil.exe	# mrtstub.exe	# sservice.exe
# bmupdate.exe	# msbb.exe	# ssk.exe
# bpk.exe	# msblast.exe	# start.exe
# cdaengine0500	# msmgs.exe	# susp.exe
# cds.exe	# msmsg.exe	# svch0st.exe
# cfmon.exe	# mspmspv.exe	# svchosts.exe
# check.exe	# mssearchnet.exe	# svchot.exe
# cmesys.exe	# mtask.exe	# svhost.exe
# cmrss.exe	# mwsoemon.exe	# svshost.exe
# crss.exe	# nail.exe	# sychost.exe
# crsss.exe	# navapp.exe	# sysmonitor.exe
# cryptfg.exe	# netmon.exe	# syspools.exe
# csrrs.exe	# netsurf.exe	# system32.exe
# ctfmon32.exe	# netsvc.exe	# sysupd.exe
# dcomcfg.exe	# nls.exe	# taskbar.exe
# ddcman.exe	# nsvsvc.exe	# taskmon.exe
# desktop.exe	# ntosa32.exe	# tbon.exe
# dfrgsrv.exe	# nvcpl.exe	# tbps.exe
# dinst.exe	# nvsc32.exe	# tool.exe
# dlhost.exe	# optimize.exe	# udcpas.exe
# dssagent.exe	# p2p networking.exe	# udcsdr.exe
# dw.exe	# p2pnetworking.exe	# umxfwhlp.exe
# exec.exe	# picsvr.exe	# updater.exe
# exp.exe	# plscd.exe	# updmgr.exe
# explore.exe	# pmmnt.exe	# vsnpstd2.exe
# explorere.exe	# pmmon.exe	# wauclt.exe
# fc.exe	# pmsngr.exe	# wdfmrg.exe
# fph.exe	# pmsnrr.exe	# wfdmgr.exe
# fservice.exe	# poker.exe	# whagent.exe
# gmt.exe	# powerreg	# whsurvey.exe
# gui.exe	# powerreg scheduler.exe	# win32.exe
# hbtv.exe	# pro.exe	# win.com
# hnm_svc.exe	# resetservice.exe	# winctlad.exe
# ibm00001.exe	# rk.exe	# winlogin.exe
# iexplorer.exe	# rlvknlg.exe	# winmain.exe
# install.exe	# rundl32.exe	# winnt.exe
# inst.exe	# sacc.exe	# winotify.dll
# isamini.exe	# sais.exe	# winshost.exe
# isamntr.exe	# sass.exe	# winstall.exe
# isamonitor.exe	# scchost.exe	# winsys2.exe
# isass.exe	# schedulingagent	# winsys.exe
# istsvc.exe	# scrss.exe	# winupdate.exe
# kernel32.exe	# scvhost.exe	# winupdates.exe
# keygen.exe	# senslogn.exe	# wsys.exe
# lass.exe	# servic.exe	# wtoolsa.exe
# license_manager.exe	# shmgrate.exe	# wupdt.exe
# lockx.exe		# xhrmy.exe
		# zango.exe

If you do not find these, at least I would assume you are a bit safe and your system isn't infected.

2.) Disable autorun

To disable autorun in Windows XP:
a) Open run dialog (Windows Key + R), type gpedit.msc and press enter
b) Under computer configuration, double click administrative templates and then click system.
c) On the right pane, find Turn off Autoplay and double click it
d) Click on enabled radio button and below it select All drives. Finally, press ok

To disable autorun in Windows Vista:
a) Open control panel and double click on AutoPlay
b) Uncheck the Use Autoplay for all media and devices option
c) Click save and close the window

3) Opening the drive

First open up my computer, goto Tools menu, click folder options, click the view tab and under it click the show hidden files and folder radio button.
To open the drive, don't double click it, just goto to address bar of my computer (alt+d), type the drive letter followed by a colon like I: and press enter. Find the file autorun.inf. Right click it and open it with notepad. Find the line open= and remember which filename is written after the open=. Close notepad and delete autorun.inf and the file you found written after open=. Assuming you are still in I: or whichever drive it is for you, press F3 at the window. This will bring up the search window. Find *.exe files and delete all those files that are listed in the search results which have a icon similar to the folder icon.

4) Extra measures

To be sure that the virus doesn't get executed, scan your pen drive or other removable storage device with an anti virus software. Just remember to have a good anti virus program running always and keep it updated. You can also use a nice software called WinPatrol which will alert you whenever a new program is added to start with windows. This way you can prevent viruses to start automatically when windows start.