November 6, 2008 at 11:01 am - by Joe | Category: Security
In one of my articles, I discussed how to disable the autorun feature in Windows to minimize the spread of USB viruses. I also wrote an article about creating a folder named “autorun.inf” on your USB drive to prevent viruses from creating an autorun.inf file.
Unfortunately, some malware is smart enough to delete the autorun.inf folder so that it can successfully create an autorun.inf file on your portable drives. To prevent this, we will create a special folder inside your autorun.inf folder. Once this is created, even you wouldn’t be able to delete the autorun.inf folder easily.
Follow the steps below to create a special folder called CON inside your autorun.inf folder. Let us assume that your USB drive letter is E:
- Click Start->Run… and type CMD.
- At the command prompt, type E: then hit Enter
- Type MD AUTORUN.INF, hit Enter (skip this step if you already have an autorun.inf folder)
- Type CD AUTORUN.INF, hit Enter
- Type MD .\CON\, hit Enter.

Creating a CON folder
For an explanation about the CON folder, read my article about the “magic” in Microsoft.
Tags: autorun.inf, flash, usb, virus
October 5, 2008 at 9:33 pm - by Joe | Category: Internet, Operating Systems, Security
I have created an article on How to speed up boot time using Sysinternals Autoruns. I strongly suggest that you read that article first. A lot of people are asking which startup items in Sysinternals Autoruns can be deleted or unchecked because they slow down the boot sequence, and which are harmful items added by trojans and spyware.
Well, I found a great website that has a database of startup programs. It currently has 23,403 startup items in its database at the time of this writing. It allows you to search for programs that you find starting automatically on your computer and determine if they are considered to be harmful, optional, unnecessary, or necessary to run.
The database is alphabetically organized so you can browse through it using its index. You can also use its search feature to find the program you want to know about.
Each entry in the database will have a Status assigned to it. The key to this status is the following:
- Y - This status flag means that this entry should be left alone and allowed to run, because unchecking it may break the functionality or use of a particular program.
- N - This status flag means it is unnecessary to run this program automatically when Windows starts as you can run it manually when necessary.
- U - This status flag means it is up to you whether or not you feel this program needs to run automatically.
- X - This status flag means the item should definitely not start up automatically. Items that have this flag are generally malware such as viruses, trojans, hijackers, spyware, etc.
- ? - This status flag means the status of this entry is unknown at this time and more research is necessary.
Link to list of startup program items: http://www.bleepingcomputer.com/startups/
Tags: autoruns, boot, List, malware, optimization, startup, sysinternals, Windows
October 4, 2008 at 7:29 am - by Joe | Category: Security
SDFix is another great tool that you can use. If you love ComboFix, you’ll also love this one. This tool was created by AndyManchesta and it removes thousands of different types of trojans and worms.
SDFix targets those hard to remove pests which are usually bundled with other malware that antivirus and antispyware programs can’t completely fix.
You can download SDFix from any of these links: link1, link2, link3.
NOTE: SDFix will only run in Safe Mode in Windows XP and 2000. It also requires Administrator account privileges.
Instructions: I’m not going to provide instructions here on my site because there are already easy-to-understand instructions on How to Use SDFix from bleepingcomputer. I highly suggest that you visit this site first before using SDFix.
If you want to see a list of files that this tool can remove, check out their changelog page.
Tags: antispyware, antivirus, combofix, download, malware, removal, sdfix, trojan, virus, worms
August 22, 2008 at 11:46 pm - by Joe | Category: How tos, Operating Systems, Security
It’s very common today for viruses to use the autorun.inf feature to spread themselves by copying themselves onto your removable drives and creating an autorun.inf file there. This ensures that they automatically execute when you insert your flash drive into a USB port and infect your computer. I have already created an article on how to disable the autorun.inf from being automatically executed on your computer to minimize the infection.
How do I prevent autorun.inf from being created on my USB drive?
For additional security, you can prevent viruses from creating an autorun.inf file on your USB flash drive. Without the autorun.inf, these viruses cannot automatically execute themselves. To do this, all you have to do is to create a folder named “autorun.inf” (without the quotes) on your USB drive’s root directory. That’s all! It’s sort of immunizing your USB flash drive. The virus cannot create an autorun.inf file if there’s already a folder with the same name.
Why can’t I create a folder named “autorun.inf”?
If you cannot create this folder, it means there’s already a file called autorun.inf existing on your flash drive. You’ll have to delete this file first. This file was most probably created by a virus if you didn’t put it there.
I cannot see the autorun.inf file to be deleted, what will I do?
It’s just probably hidden by the virus. You must configure your Windows Explorer to show hidden and system files. How? Follow these steps:
1.) In your Windows Explorer window, go to Tools->Folder Options…
2.) Click the View tab and below are the Advanced settings.
3.) Find Hidden files and folders, select “Show hidden files and folders”.
4.) Uncheck “Hide protected operating system files”
5.) Click OK.
You should now be able to view the hidden and system files so you can then delete the autorun.inf file.
There’s no “Folder options…” under the Tools menu of my Windows Explorer?!
There are several reasons why the “Folder options” isn’t there:
- It could be under the View menu if you’re using earlier versions of Windows like Windows 98.
- The administrator has removed it as a security policy. Contact your systems administrator.
- Your system has been infected and the virus has removed it. Run ComboFix to fix this.
Creating an autorun.inf folder doesn’t mean that your USB flash drive will no longer get infected. The viruses can still make a copy of themselves into your flash drive. But without the autorun.inf, they cannot easily execute when you insert your flash drive unless you double click on the executable virus file. So be sure to recognize which files you really did put on your drive.
NOTE: If the autorun.inf file exists and you haven’t disabled the autorun feature on your operating system yet, there’s a chance that your system has been infected already. If your anti-virus didn’t trigger, then you could run ComboFix to clean your system.
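The folder trick above, combined with the CON subfolder from the November 6 post, as a single Command Prompt script. This is an added example, not code from the original posts; the script name immunize.cmd and its drive-letter argument are assumptions.

```batch
@echo off
rem Added example (not from the original posts): immunize a removable drive.
rem Usage: immunize.cmd E:     (script name and argument are assumptions)
setlocal
set "DRV=%~1"
if "%DRV%"=="" (
    echo Usage: %~nx0 DRIVE:   e.g. %~nx0 E:
    exit /b 1
)
if not exist "%DRV%\" (
    echo Drive %DRV% is not available.
    exit /b 1
)

rem A trailing backslash only matches directories, so this branch runs
rem when autorun.inf exists as a FILE, even a hidden or system one.
if exist "%DRV%\autorun.inf" if not exist "%DRV%\autorun.inf\" (
    echo Found an autorun.inf FILE on %DRV% with these attributes:
    attrib "%DRV%\autorun.inf"
    rem Clear hidden/system/read-only so the file can be read and deleted.
    attrib -h -s -r "%DRV%\autorun.inf"
    echo It contains:
    type "%DRV%\autorun.inf"
    echo.
    rem /p asks for confirmation, in case you put the file there yourself.
    del /p "%DRV%\autorun.inf"
)

rem Create the blocking folder, then confirm it really is a folder.
if not exist "%DRV%\autorun.inf\" md "%DRV%\autorun.inf"
if not exist "%DRV%\autorun.inf\" (
    echo Could not create the autorun.inf folder on %DRV%.
    exit /b 1
)

rem Reserved-name subfolder from the November 6 post, created with the
rem same relative command that post gives, from inside the folder.
pushd "%DRV%\autorun.inf"
md .\CON\
popd

echo Contents of %DRV%\autorun.inf:
dir /a /b "%DRV%\autorun.inf"
endlocal
```

The file contents printed before deletion show which program the autorun.inf pointed to, which helps when checking the rest of the drive for the copied executable.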
Tags: autorun.inf, flash, usb, virus
July 28, 2008 at 7:41 pm - by Joe | Category: How tos, Security, Software
Have you been infected by a malicious program? You think your computer is behaving differently and your antivirus is not telling you anything? You cannot update your antivirus because it is being blocked by something? And even if you update your antivirus, it still has an unusual behavior? Well I got the answer. Try using ComboFix.
ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. This tool is so powerful that you are advised not to run this program without supervision. Well, if you’re about to format your hard drive as your last resort in removing that annoying malware, then who needs supervision? Just run this program and you might not have to format your hard drive anyway…
This tool has saved my life a lot of times, and those whom I helped too. I’ve proven the effectiveness of this tool many times, but not all the time. It failed me once when the infection was so strong that I could not run ComboFix effectively.
You can download ComboFix from these links:
For the complete guide in using this tool, please check their website on how to use ComboFix.
Tags: combofix, malware, virus