Last Sunday, when my friend switch on his pc, he shocked to saw this, message, before Login.
Don't kill me, I’m just send message from your computer",
After he recovered from the shock, he called me and asked for “what could be done”.
Did you attached USB pen drive to your pc , recently? I asked. Yes, an affirmative answer. I copied the data from friend’s pc.
Then don’t worry, I assured him. It is Surabaya virus, which is easy to remove.
Surabaya virus is spread through the largely USB pen drives , via autorun. It affects the autorun.inf of pen drive. When you attach a pen drive, autorun.inf file get run and infects the local hard disks.
Other Symptoms of Surabay virus
1.All folders and files including windows OS folder disappears. Only few folder files with fixed size of 40K appears to user.
2.When you try to change the options for show hidden files, it doesn’t show the previous data.
3. You will not able to run many anti virus & software programmes. Installation also get blocked.
4. There are files like thumb.exe
5. System becomes unresponsive. After login it takes lot of time to user to operate it.
Other notable symptoms
Got to DOS prompt using CMD. On root of drive ,type DIR Prog*. *, It will show you all the content of Programme Files folder, which was not visible earlier in windows GUI.
How to remove it? You can remove it manually.
Follow these steps
First take printout of this process, here onwards.
(A) At Registry Level
Step 1: Open registry by typing “regedit” at command prompt. In registry ,search for word "Surabaya”.
You will see two keys entries as LegalNoticeCaption and LegalNoticeText.It contains the same message, which appears at startup.
Delete these keys. No harm
Step 2: Keep searching for this word “Surabaya”. There will be lot of entries, are attached to Rundll32. Just remove the Rundll Surabaya text portion from registry key. Remember, keep no trace of Surabaya.
Step 3: Now navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hideen\SHOWALL You will see that value of CheckedValue is 0 means show all files are disabled. To enable it make it 1.
Quit from registry and got to command prompt. (Start->Run->cmd)
(B) At Command line level
Step 4. Type CD\ to switch to root of drive say C: drive.
Issue the following command
Attrib *. * -S –H –R /D /S ( Put space between /D and /S switches.)
(Note: /S switchProcesses files in all directories in the specified path. /D, Process folders as well.) It will change the attributes of all files in C drive. Surabaya hides all the files by making them Hidden and System files. This command resets the attributes of the files to normal.
While running this command you may receive error for System Volume information folder. Just ignore.
Repeat this command to all drives in your system.
Now you may be able to see all files and folders in your drive.
Step 5 :When you click on infected drive, the autorun.inf file points to some thumb*.exe file. So delete both the files Autorun.inf as well thumb.exe
From command prompt issue following commands.
Del c:\autorun.inf
Del d:\autorun.inf (If D drive present. Do same for E, F: drives)
Del c:\thumb*.exe /S
Del d:\thumb*.exe /S
You may see the command is deleting thumbs.db files too. Don’t worry, these files will get regenerated
Check the Autoexec.bat files in C: drive. Remove the suspicious entries , if any.
Step 6 :Download and install “autoruns” utility. Check the startup programmes in “Logon” and remove the suspicious entries from startup.Restart the system. Now you should not get any message at startup. The virus is removed now. Relax...
Join us on Twitter : @Techfreakindia
Post Your Comments
