Sunday, April 22, 2012

Presentation Slide For IT Student - Manually Removing Virus Left Outs

Manually Removing Virus Left Outs

Objectives

The main objective is to revert the changes made by the virus.
Remove the setting that prevents drives from being opened by double-click.
Remove the error message at startup saying some file was not found.
This presentation is not about removing the virus itself.

What is computer virus?
According to Wikipedia, a computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user.

Virus Leftout-1

Symptoms


A dialog box saying it is unable to load a certain file, especially boot.vbs.
It appears every time you log in.
It goes away after you click OK.
Some dialog boxes remain no matter how many times you click OK.

Description


Actually this file alone isn't the virus.
It is a simple file containing a nasty script.
The virus changed a setting in your computer to load this file every time you start your computer.
Your system, unable to load the missing file, produces the error.

How the virus programmed it


Windows Explorer is the default shell for Windows.
It provides the user interface, including but not limited to copy, paste, the taskbar, the desktop and so on.
You can simply think of the shell as the program containing the Start menu and desktop icons.

How the virus programmed it (contd.)


Windows decides which shell to load from the registry.
Open the registry editor by typing regedit in Run.
The registry contains the settings of your Windows OS, and a registry editor is any software that can manipulate those settings.
Navigate to
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

As you can see from the picture, there is an entry in the registry called Shell.
It was given the value explorer.exe.
This tells the OS to load explorer.exe from the Windows directory as the default shell.

How the virus programmed it (contd.)


The problem here is that explorer.exe takes arguments.
For example, if you type notepad.exe filename.txt, Notepad will open that file automatically.
Similarly, if explorer.exe is called as
explorer.exe some_other_program.exe
Explorer will load that program automatically.

How the virus programmed it (contd.)


If you look closely, along with explorer.exe there is boot.vbs.
boot.vbs is a Visual Basic Script file.
It is the file containing the nasty script.
Your system loads explorer.exe as the shell, which in turn loads the file boot.vbs.
Your anti-virus has removed the nasty file boot.vbs but not this setting.

Removal

Now it is up to you to remove it.
Simply double-click the Shell entry and delete everything but explorer.exe (or whatever your shell is).
Reboot.

Virus Leftout-2

Symptoms


An Open With dialog box appears when opening any drive.
Some strange options appear when right-clicking any drive.
The drive icon might be changed.

Description


This is also not the virus.
It is only a virus leftover.
It is a simple file used by the virus to load itself.
The OS reads this file and tries to load the virus, which has already been deleted by the anti-virus.

How the virus programmed it


Windows provides the AutoRun feature.
By double-clicking a drive, the required program can be opened.
Similarly, the drive icon can be changed,
and the context menu can also be manipulated.
All these settings are in one file.

How the virus programmed it (contd.)


The file is autorun.inf.
When you open a drive, Windows Explorer looks for this file in the root of that drive.
The file contains simple commands.
It is useful for auto-running CDs and USB thumb drives.

How the virus programmed it (contd.)


The file's structure is:
[autorun]
open=program to auto-open
icon=drive icon
shell\command_name=new context menu entry
shell\command_name\command=command to run

How the virus programmed it (contd.)


Instead of opening a genuine program, the virus changed the file to load itself.
The main program in memory changed the autorun.inf file of every drive plugged into the infected computer.
That's why thumb drives easily get infected.

How the virus programmed it (contd.)


Your anti-virus deleted the virus specified by open=virus.exe or shell\open\command=virus.exe.
Windows Explorer then tries to open the virus.exe specified by autorun.inf.
Upon failing, it produces the error.

Removal


Simply delete the autorun.inf file from the problematic drive.
You can use a DOS command too (replace c: with the letter of the affected drive; the file is usually marked hidden, system and read-only, so /a:hrs selects it and /f forces deletion of the read-only file):
del /f /a:hrs c:\autorun.inf
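The following Python helpers are an added example, not part of the original slides: split_shell_value separates a Winlogon Shell value into the real shell and any extra program appended to it (as with boot.vbs above), and parse_autorun reads the autorun.inf keys listed on the earlier slide to report which programs such a file would launch, which is what an anti-virus may have deleted. The autorun.inf sample is constructed for the example.

```python
def split_shell_value(shell_value):
    """Winlogon Shell value -> (real shell, extra programs); comma is the documented
    separator, but a space-separated extra file has also been seen, so both are handled."""
    sep = "," if "," in shell_value else None          # None = split on whitespace
    parts = [p.strip() for p in shell_value.split(sep) if p.strip()]
    return (parts[0], parts[1:]) if parts else ("", [])

def parse_autorun(text):
    """Collect open/shellexecute/icon and shell\\verb[\\command] keys of [autorun]."""
    findings = {"open": [], "shellexecute": [], "icon": None, "menu": {}}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):           # blank or INF comment line
            continue
        if line.startswith("["):                       # section header
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("/", "\\")   # accept either slash style
        value = value.strip()
        if key in ("open", "shellexecute"):
            findings[key].append(value)
        elif key == "icon":
            findings["icon"] = value
        elif key.startswith("shell\\"):
            segs = key.split("\\")                     # shell \ verb [\ command]
            entry = findings["menu"].setdefault(segs[1], {})
            if len(segs) == 3 and segs[2] == "command":
                entry["command"] = value               # program run by the menu item
            elif len(segs) == 2:
                entry["label"] = value                 # text shown in the context menu
    return findings

def referenced_programs(text):
    """Every program the autorun.inf would launch via open, shellexecute or a menu verb."""
    f = parse_autorun(text)
    menu_cmds = [m["command"] for m in f["menu"].values() if "command" in m]
    return f["open"] + f["shellexecute"] + menu_cmds

# Constructed sample resembling the leftover described in the slides (not a real file).
SAMPLE_AUTORUN = r"""[autorun]
open=virus.exe
icon=virus.exe,0
shell\open=Open
shell\open\command=virus.exe
"""
```

Running referenced_programs(SAMPLE_AUTORUN) lists virus.exe twice (once from open=, once from the added Open menu verb), which is exactly the program Explorer fails to start after the anti-virus has removed it.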

Questions

?

Download the ppt slides for Manually Removing Virus Left Outs presentation from here.

3 comments:

  3. nice posting.. thanks for sharing.