Wednesday, July 16, 2008

How to remove Surabaya Virus? Manual removal: get rid of Surabaya Virus.

If you are receiving the message “Surabaya in my birthday, Don't kill me, I’m just send message from your computer”, you can be sure that you have the Surabaya virus. Don’t worry, the manual removal is easy.
Last Sunday, when my friend switched on his PC, he was shocked to see this message before login: “Surabaya in my birthday, Don't kill me, I’m just send message from your computer”.
After he recovered from the shock, he called me and asked what could be done.
“Did you attach a USB pen drive to your PC recently?” I asked. Yes, an affirmative answer: he had copied data from a friend’s PC.
“Then don’t worry,” I assured him. “It is the Surabaya virus, which is easy to remove.”
The Surabaya virus spreads largely through USB pen drives, via autorun. It infects the autorun.inf of the pen drive. When you attach the pen drive, the autorun.inf file is executed and the virus infects the local hard disks.
Other symptoms of the Surabaya virus
1. All folders and files, including the Windows OS folder, disappear. Only a few folder-like files with a fixed size of 40K are visible to the user.
2. When you try to change the option to show hidden files, the previous data is still not shown.
3. You will not be able to run many antivirus and other software programs. Installations also get blocked.
4. There are files like thumb.exe.
5. The system becomes unresponsive. After login it takes a long time before the user can operate it.
Another notable symptom
Go to the DOS prompt using CMD. On the root of the drive, type DIR Prog*.* . It will show you all the content of the Program Files folder, which was not visible earlier in the Windows GUI.
How to remove it? You can remove it manually.
Follow these steps.
First take a printout of this process, from here onwards.
(A) At Registry Level
Step 1:
Open the registry by typing “regedit” at the command prompt. In the registry, search for the word "Surabaya”.
You will see two value entries, LegalNoticeCaption and LegalNoticeText. They contain the same message that appears at startup.
Delete these entries. No harm is done.
Step 2: Keep searching for the word “Surabaya”. There will be a lot of entries attached to Rundll32. Just remove the Rundll Surabaya text portion from each registry value. Remember, leave no trace of Surabaya.
Step 3: Now navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL. You will see that the value of CheckedValue is 0, which means “show all files” is disabled. To enable it, set it to 1.
Quit the registry editor and go to the command prompt (Start->Run->cmd).
(B) At Command line level
Step 4. Type CD\ to switch to the root of the drive, say the C: drive.
Issue the following command:
Attrib *.* -S -H -R /D /S (Put a space between the /D and /S switches.)
(Note: the /S switch processes files in all directories in the specified path; /D processes folders as well.) It will change the attributes of all files on the C: drive. Surabaya hides all the files by marking them Hidden and System. This command resets the attributes of the files to normal.
While running this command you may receive an error for the System Volume Information folder. Just ignore it.
Repeat this command on all drives in your system.
Now you should be able to see all files and folders on your drive.
Step 5: When you click on an infected drive, the autorun.inf file points to some thumb*.exe file. So delete both files, Autorun.inf as well as thumb.exe.
From the command prompt issue the following commands.
Del c:\autorun.inf
Del d:\autorun.inf
(If a D: drive is present. Do the same for the E: and F: drives.)

Del c:\thumb*.exe /S
Del d:\thumb*.exe /S
You may see the command deleting thumbs.db files too. Don’t worry, these files will get regenerated.
Check the Autoexec.bat file on the C: drive. Remove any suspicious entries, if any.
Step 6: Download and install the “Autoruns” utility. Check the startup programs under “Logon” and remove the suspicious entries from startup. Restart the system. Now you should not get any message at startup. The virus is removed now. Relax...
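The checks in steps 1 to 5 can be scripted so that a technician sees every indicator at once before touching anything. This is an added example, not code from the original post: a PowerShell script that reports the indicators and only changes the system when run with -Remediate from an elevated prompt. It assumes the logon banner values live under the Winlogon key (a Windows fact the post does not name) and treats the Run keys as report-only, since Rundll32 entries must be reviewed by hand.

```powershell
param([switch]$Remediate)

# Registry locations used by steps 1-3 of the post. The Winlogon path is where
# Windows stores LegalNoticeCaption/LegalNoticeText (assumed; not named in the post).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$showAll  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$runKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Step 1: the startup banner comes from LegalNoticeCaption / LegalNoticeText.
foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
    $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -match 'Surabaya') {
        Write-Warning "$name carries the Surabaya banner: $value"
        if ($Remediate) { Remove-ItemProperty -Path $winlogon -Name $name }
    }
}

# Step 2: Run entries mentioning Surabaya are reported only; review them before
# editing, because a legitimate Rundll32 entry may share the same value.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { "$($_.Value)" -match 'Surabaya' } |
            ForEach-Object { Write-Warning "Run entry $key\$($_.Name) = $($_.Value)" }
    }
}

# Step 3: CheckedValue = 0 disables "Show hidden files and folders".
$checked = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($checked -ne 1) {
    Write-Warning "SHOWALL CheckedValue is '$checked' (expected 1)"
    if ($Remediate) { Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord }
}

# Steps 4-5: on every local fixed disk (DriveType 3), check for autorun.inf,
# show which file it launches (open= / shellexecute= lines) and list thumb*.exe.
foreach ($disk in Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3') {
    $root = $disk.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $launch = Get-Content -LiteralPath $inf -Force | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
        Write-Warning "$inf present; launch lines: $($launch -join '; ')"
        if ($Remediate) { attrib -s -h -r $inf; Remove-Item -LiteralPath $inf -Force }
    }
    Get-ChildItem -Path $root -Filter 'thumb*.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Warning "Suspicious executable: $($_.FullName)"
            if ($Remediate) { attrib -s -h -r $_.FullName; Remove-Item -LiteralPath $_.FullName -Force }
        }
}
```

Run it once without -Remediate and compare the warnings with what Autoruns shows before running it again with the switch; the attrib call clears the System and Hidden bits first, which is why a plain Del in step 5 sometimes reports "Access denied".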

Join us on Twitter : @Techfreakindia

43 comments:

surendra sharma said...

WHEN I AM TYPING ATTRIB *.* -S -H -R /D/S MSG COMES INVALID SWITCH

TECHFREAK said...

@Surendra
You have to put a space in between /D and /S.
The command is like
ATTRIB *.* -S -H -R /D /S
Thanks for pointing it out.

nikhil said...

techfreak explain me from step five

i tried to delete autorun file

but it says that autorun file is not found

explain pls

TECHFREAK said...

@Nikhil

Please understand the functioning of most of the viruses which spread through USB pen drives.

When you attach a pen drive to a USB port and the PC recognizes it as a removable drive, autorun.inf gets executed and runs the program which is mentioned in the autorun.inf file. See the structure of the autorun.inf file.

(One of the preventive measures is to keep auto-running of programs disabled. You may find more on this topic in my upcoming posting.)

The Surabaya virus also spreads through the autorun.inf file from the USB drive. It copies the infected autorun.inf file to the system hard disk too. So next time when you click on the C: drive or E: drive of your PC, every time autorun.inf gets executed and the virus checks for the presence of itself.

So the chances are that if your system is infected with the Surabaya virus, it may leave an autorun.inf file on the C: drive or D: drive. So better check for it and remove it.
What I have suggested is direct removal of this file instead of checking for its presence, to avoid any kind of re-infection. If this file is not present on your system, then just re-ensure that it has not become hidden again. If it is really not present, you may safely skip this step.

saritha said...

I tried.. still the virus is there. How do I recognise virus entries in the registry? My desktop is not allowing me to login because of the Surabaya virus. As soon as I login it logs out. Pls help

TECHFREAK said...

@Saritha

To remove the Surabaya Virus, Steps 1 & 2 are good enough.

As you are not able to login, I doubt you can follow these steps or any of the steps.

Try to login in safe mode and see if it works.

Remember, for manual operations, you must have access to the registry, anyhow.
And until you are logged in you cannot even run any antivirus.

So the options for you are
1. Boot your PC with a “Windows bootable/rescue CD” and run an antivirus. I fear there might be some other virus which is not permitting you to log in.
2. Make your system dual boot. Install another copy of the OS (check the licensing issue). And from the freshly installed OS, run an antivirus. My preference is for Avast.
By exercising any of the options, the chances are that the virus executables and DLLs will get removed and you will be able to login. Then follow the mentioned procedure, and run Avast too.

Good luck

ganesh said...

Hi

I am not able to run regedit. The error msg says, registry editing has been disabled by your administrator.

What shall I do now?

TECHFREAK said...

@Ganesh

I also faced this problem several times in recent years. It is mainly an act of spyware.

There are various methods available to tackle this situation. Based on my experience I would recommend that...
(1) First run many antivirus and spyware remover tools etc. and get your system clean.
(2) For this typical problem use the freeware RRT tool (Remove Restrictions Tool). It makes the necessary changes in the registry only; it doesn’t remove any virus.
(3) While running RRT you may receive a registry change warning from your antivirus tool. Accept the changes.
(4) Run the antivirus and spyware tools one more time.
It will help you to solve the problem.

By the way, install Autoruns and keep a watch on any suspicious startup program. The disabling of Task Manager and registry editing can be tracked down from startup entries, as per my experience.

Khaela said...

How can I install "autoruns" utility?

TECHFREAK said...

Autoruns is a well known Sysinternals utility which shows you what programs are configured to run during system bootup or login.

This utility is now with Microsoft. You can download it from the Microsoft website, as Autoruns creator Mark Russinovich is with Microsoft.

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

or search in Google for "Download Autoruns".

kirru said...

My system got infected with the Surabaya virus. I am not able to install any antivirus due to this virus. The error says I don't have sufficient privileges for starting services.

The steps suggested like registry cleaning: even if I remove the mentioned entries, they are reappearing once I close regedit and open it again.

I am seeing some files with extension .scr; these are also reappearing even after I modify the attributes and delete them.

Please help me, how can I install an antivirus, which will solve all my problems I hope, with the presence of this virus?

TECHFREAK said...

@Kirru
It seems there are more viruses/malware in your system. Please see the following points..
1. Try to do the installation of the antivirus in safe mode.
2. Ensure that your privileges are really those of an administrator, especially if you are running Vista.
3. Check whether you can open/run Task Manager or not. If you find that Task Manager is also disabled, first fix this error by running a Task Manager enabler tool like Task Manager Fix 2.0.
4. Stop unwanted services.
5. You can use the Autoruns utility too. Run Autoruns and find out the suspicious programs and services which run at startup. Autoruns helps greatly to remove viruses, though it is not antivirus software.
I hope one of the above mentioned solutions will direct you towards solving the problem.

pradosh said...

hi. my sys was infected with surabaya virus. i followed up to step 5 above n now my surabaya virus is clear. after that i scanned my sys with AVG antivirus. no infections detected. however i developed a new prob. there are certain new files n folders seen in my drives n desktop which were never there earlier. Ex:- i can now see a notepad file named "desktop" right on the desktop as well as in some of my folders. i can also see a notepad folder named "picassa" in my photographs folder. i can also see additional folders named "recycling bin", "AVG 8.0 Vaults" and some folders of programme files etc., in my C and D drives. can u kindly tell me the reason for this n what to do about it?

TECHFREAK said...

Nice to know that the Surabaya virus has been removed. But to ensure more safety, I would advise you to run Avast too.

Regarding your desktop icons problem. I also faced this problem in the past and am even facing it today. Frankly, I do not have a solution for it so far. Files from My Documents and Pictures start appearing on the desktop all of a sudden. I searched a lot on the net and on the MS site, but in vain.
Someone suggested that I use XP-SP3, but I have not tried it. As I have already moved to Vista and Windows 7, I have no plan to use it. If you find a solution for it, please let me know. Thxs

General A said...

hi, i did not understand Step 2, would you please explain it for me? when i keep searching for the word Surabaya i can't see what you said

vieteenboiduy said...

I have some problems with this so please help me =[

When I tried to do the del C:\autorun.inf it always says that it could not be found. However when I did the attrib step and a series of lines like Access Denied - ... appeared, I saw where it says C:\autorun.inf, but whenever I try to delete it with the command prompt it always says that it can't be found.

Can you help me with this please? thank you

pankaj said...

my problem is the same as mentioned by kirru... i have performed all of the above steps successfully, but the entries which u told me to delete are found to be the same as before every time i reopen regedit...
the task manager is totally accessible, & i'm able to perform all the above steps u suggested...
but the virus is not letting me install any of the antivirus programs (i tried avast, quick heal), & also the system is not getting started in safe mode..... what to do now.. plz suggest me

TECHFREAK said...

@Pankaj
Have you tried Autoruns? Through Autoruns, WinPatrol or AnVir Task Manager, you can find out the suspicious service. That needs to be stopped first. Then try safe mode.

pankaj said...

igfxtray
hkcmd
igfxpers
SOUNDMAN
PDVDServ
NeroCheck
GrooveMonitor
googletalk
ClamTrav
jusched
winpatrol
GoogleUpdate
ctfmon
NBJ
msmsgs
runlld
desktop
DriveGuard
Adobe update
Adobe Online
winupi.dll,InitSys


these are the startup processes running on my system.. which one is to be disabled? on searching google i found that winupi.dll,InitSys is to be removed.... & the removal also worked for a while & that startup birthday msg was not there for a few restarts... but after some time winupi.dll,InitSys automatically got included into startup.... & again the same problem..... now plz suggest something effective...... also the system is not getting started in safe mode...

Sadistic Psycho Bitch said...

hi! my computer just got infected by the surabaya virus.. I already had it reformatted but my second problem is my USB drive. I don't want to insert it to my computer anymore.. I'm worried about my files in my USB.. Will my files also be infected? Can I still retrieve it? Please help. you can mail me, pls.. chelsea_91487@yahoo.com.. I really need your help.

TECHFREAK said...

AFAIK, it does not destroy the data files. To get your data back from the USB drive, better connect it to a Linux PC and retrieve your data.

bhawna said...

I tried all the steps but when I type Attrib *.* -S -H -R /D /S the system gives me a series of messages saying access denied...
also I'm not able to start my system in safe mode. please help

TECHFREAK said...

@Bhavna
Which OS are you using? For some files you may get the said error, but these files are supposed to be system files.
What error msgs are you getting while entering safe mode?

Michael said...

our PC also has the Surabaya virus. I was able to download AVG Free Anti Virus and was able to remove many viruses in our computer but it failed to remove the Surabaya virus. i tried doing your instructions but i didn't find any LegalNoticeCaption and LegalNoticeText. The only thing i saw in the window is (Default) REG_SZ (value not set) on the right side and 5 HKEY folders on the left side. since i have nothing to delete, i jumped to step 3. I navigated to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hideen\SHOWALLt. the value is 0x00000001 (1). i right clicked it and chose Modify and the value is 1 so I didn't do anything again. I went to command prompt and after typing cd\, I typed this:

C:\>attrib *.* -s -h -r /d /s

Access denied - C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\LightningSand.CFD
Access denied - C:\Documents and Settings\client\Local Settings\Temp\hsperfdata_client

so nothing was happening and i got frustrated and pressed the keyboard desperately and numerous lines like this showed up:

Access denied - C:\Documents and Settings\Prefetched\.....
the dots were programs on our PC then lastly, this showed up:

Unable to change attribute - C:\pagefile.sys
Access denied - C:\System Volume Information

now our pc is as annoying as ever.. how am i gonna get rid of that virus.. hope you can help me out..

BLUE_DEVIL said...

my start button isn't working. it's taking a lot of time. can i reinstall windows xp? will this delete the virus?

salim said...

hi techfreak
when iam going through
mycomputer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced


after this there's no folder/hidden on the left side


after clicking on advanced i can only see hidden and super hidden on the right side
what should i do, should i proceed ?

salim said...

hi techfreak, i am not able to run the command at step 4
Attrib*.*-S-H-R/D /S
even though i put space between /D and /S
i get message like this
"not recognised as an internal or external command operable program or batch file"
what should i do ?
pls help

Hriz rulz said...

hey........................
wen i type the command
ATTRIB *.* -S -H -R /D /S
I get the message:-
"not recognised as an internal or external command operable program or batch file"

Please help me.....

TECHFREAK said...

It should be recognized... or just search for attrib.exe using the search feature. Probably you will find it in the "C:\Windows\System32" folder. Ensure that this folder is in your path. Type "Set" at the command prompt and check the "Path" setting.

brisbaneflyer said...

hey i tried deleting the thumbs and it's not letting me. any clues here? and where else do i look for the virus in the regedit area?

TECHFREAK said...

You can try the Autoruns utility to see suspicious programs. Also see the file attributes of the Thumbs.exe file(s). Most probably, the file attribute is still Read-only or Hidden. Ensure that the Attrib command is run in the prescribed way.

kurt said...

when i try to delete autorun.inf. it says that it is being used by another process

DaGreatZ3Z4 said...

why doncha simplify da whole thing .. a lil bit .. :$

Jem Allen said...

when I tried step 5 Del d:\autorun.in it says the device is not ready, please explain this, thnx :D

TECHFREAK said...

@Jem Allen It is not clear whether the D:\ drive is a local hard disk or a removable drive.
If it is removable, then first remove it from the USB port and reinsert it so that it can get re-recognized.
If it is a local HDD then the reason behind this behavior cannot be predicted from here. So a restart is advisable.

TECHFREAK said...

@Jem Allen do join me on Twitter too. Twitter ID is "Techfreakindia"

rintu renjith said...

Hi techfreak, i tried the step 5 and it said that access denied for the whole lot. is that meant to happen?! also how do i do this for my D:\ drive?

Anoosha Sharma said...

Hey.. My pc is attacked with this virus... i tried removing it manually.. i did not understand Step 2, would you please explain it for me? when i keep searching for the word Surabaya i can't see any more entries.. it says search complete.. no match found.. i lost all directories in my pc because of this virus..

macky laurente said...

on the part of Del c:\autorun.inf , it says that "Could not find c:\autorun.inf"

how is that?

macky laurente said...

On the part of step 5 which is the Del c:\autorun.inf , it says "Could not find c:\autorun.inf" How is that?