Simple steps to prevent and manually remove autorun spyware/viruses from a removable disk
1. Disable Autorun/Autoplay
2. Kill the malicious process running on your system
3. Delete the files and remove them from the startup programs
Autorun/Autoplay is the ability of many modern computer operating systems to automatically take some action upon the insertion of removable media such as a CD-ROM, DVD-ROM, or flash media. - Wikipedia
The disadvantage of Autorun is that it can pose a security threat when the user does not expect or intend to run the software, as in the case of some viruses and spyware, which take advantage of this feature to propagate. Imagine a program running on your computer without your knowledge. Here's how to disable Autorun/Autoplay using Group Policy:
1. Click the Start button > Run, type gpedit.msc, then click OK
2. In Group Policy, expand User Configuration > Administrative Templates > System, then double-click Turn off Autoplay
3. Select Enabled and All Drives in Turn off Autoplay Properties, then click Apply > OK
With Autorun/Autoplay disabled, you need to open removable media manually, for example to play an audio CD or video CD after you insert it.
How to remove autorun spyware/virus in your hard drive or USB drive manually
To make a demo, I enabled Autorun/Autoplay, inserted a USB drive infected with spyware and let the spyware run on my computer system. Now I want to remove it manually. Here's how...
1. Show the hidden files and protected operating system files
Open My Computer and, in the Tools menu, select Folder Options...
In Folder Options, select Show hidden files and folders, then uncheck Hide protected operating system files > Apply > OK
Some spyware hides the Folder Options menu item. In this case, run Group Policy (gpedit.msc).
Go to User Configuration > Administrative Templates > Windows Components > Windows Explorer, then select Disabled for "Remove the Folder Options menu item from the Tools menu" > Apply > OK
2. Look for autorun.inf
Now open the USB drive. You can see the autorun.inf file; open it (you can also see this file on your hard disk drive).
Be wary of a New Folder, or anything with a folder icon, on your USB drive. It may not actually be a folder but an executable program that uses the icon of a folder. Sometimes it uses the Notepad, Yahoo Messenger or Microsoft Word icon, or another system icon, to hide. Here's how to determine whether it is a real folder or an executable program:
Before you open the folder, right-click it and click Properties.
A real folder has the Sharing and Customize tabs,
while an executable program has the Version and Compatibility tabs.
Remember all the files listed. In this case there is only one, "SCVVHSOT.exe", but once it is running on your system it can generate another file (Recycler) or call an executable program (like New Folder.exe) hidden on the USB drive. Other autorun.inf files list more files, as with the bar311 virus (bar311.exe, password_viewer.exe, photos.zip.exe and pc-off.bat).
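As an added example (not part of the original article), this Python code reads the text of an autorun.inf and lists the programs it would launch, so you know which process and files to look for in the next steps. The function names, the constructed sample content and the list of executable extensions are assumptions made for this example.

```python
import re

# Keys in the [autorun] section whose value is a command Windows may run.
# icon=, label= and action= only change how the drive is displayed.
_EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Program path up to the first script/executable extension (handles spaces).
_PROGRAM = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif|vbs))(?=\s|$)", re.I)

def command_target(value):
    """Return the program named by a command line, without its arguments."""
    value = value.strip()
    if value.startswith('"'):                      # "New Folder.exe" /e
        return value[1:].split('"', 1)[0]
    match = _PROGRAM.match(value)
    if match:
        return match.group(1)
    return value.split()[0] if value else ""

def referenced_programs(inf_text):
    """List the files an autorun.inf would launch, in order, without repeats."""
    found, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        target = command_target(value) if _EXEC_KEY.match(key) else ""
        if target and target.lower() not in [f.lower() for f in found]:
            found.append(target)
    return found

# Constructed sample for this example, using file names mentioned above.
SAMPLE = r"""
[AutoRun]
open=SCVVHSOT.exe
shellexecute=SCVVHSOT.exe
shell\open\command=SCVVHSOT.exe
shell\explore\command=New Folder.exe /e
icon=%SystemRoot%\system32\shell32.dll,4
[Other]
open=ignored.exe
"""
```

To check a real drive, pass the file's text instead of SAMPLE, for example `referenced_programs(open(path, errors="replace").read())`, where `path` points to the autorun.inf on that drive.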
3. End the Process
Open Task Manager (or press the “Ctrl + Alt + Del” keys), select the file that you saw in the autorun.inf in the Processes tab, then click End Process. If you get a message that Task Manager has been disabled,
run Group Policy (gpedit.msc).
Go to User Configuration > Administrative Templates > System > Ctrl+Alt+Delete Options > Remove Task Manager, select Disabled for the Remove Task Manager option > Apply > OK
Personally, I use Process Explorer to kill the process.
4. Remove the file in the Startup Programs
You can remove it using Autoruns; check the programs listed in the Logon tab.
Root directory (drive C, drive D, etc.)
x = where you installed Windows
In other cases you cannot delete the files because a message says that the program is running. In this case you can use Unlocker, which can delete a file even while it is running.
In Autoruns, delete the entries, or uncheck them so that the programs will not run again when the computer restarts.
Also check the Scheduled Tasks tab and delete the file At1.job (or something like that).
This article is an alternative way to remove spyware and viruses.