How can you remove the surabaya virus from a slaved hard disk?

Answer 1

How to remove Surabaya Virus

Overview -

W32/Drowor.worm may get send around using a deceiving filename Google Earth .scr.

Symptoms -

* Modified autoexec.bat to display a message upon system start: "Don't kill me, I'm just send message from your computer"

* your folder has file size 40K

* Modified PE binary files

Removal

1. del autorun.info in drive c:

Press Start -> Run -> cmd press Enter

attrib autorun.inf -s -h -r press Enter

DEL autorun.inf

3. Press Start -> Run -> regedit press Enter

"HKEY_LOCAL_MACHINE", then "SOFTWARE" then "Microsoft" then "Windows NT" then "Current Version" then "WinLogon".

and on the right windows (under data) modify or delete "LegalNoticeCaption" & "LegalNoticeText".

you should be fine.

go to start, run, type in regedit and find;

4. Show Hidden files

Start --- Run --- regedit --- OK

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\

CurrentVersion\Explorer\Advanced\Folder\

Hidden\SHOWALL

CheckedValue = "0" change to "1"

Recommend Good Antivirus Program

Avira AntiVir PE Classic:

Avast 4 Home Edition:

start in safe mode with internet & do two free online scans:

http://www.bitdefender.com/scan8/ie.HTML

http://housecall.antivirus.com

http://www.superantispyware.com

Free version is excellent.

security installed in your PC, a firewall, antispyware and anti virus program.

Looks like a worm and I would suggest that you download both of these free

program and update, run an indepth scan and then reboot to be on the safe side.

http://www.emsisoft.com A2Squard Free from Austria,

will find worms, rogue dialers, keyloggers, adware, spyware,

worms, trace spyware and tracking cookies.

www.avast.com

it is a free antivirus and the most efficient one too.....

you can register it for home use for free.......run a boot time

scan....all problems will be solved!!!

Run your antivirus and use deep scan or scan & clean online at http://www.mcafee.com/apps/downloads/sec...

How to remove Surabaya Virus

Symptoms -

• Modified autoexec.bat to display a message upon system start: "Surabaya is my birthday"….."Don't kill me, I'm just send message from your computer"…and then some blah - blah in some Thai language I guess.

• Your folder has file size 40K

• All your hard disk partitions become autorun…if you right click on any partition or any drive letter it'll give the "autorun" option instead "open".

• All your existing original folders become hidden and are replaced by another dummy folder with same file name but with size of 40KB. If you right click on any file, the menu which opens will show "test", "configure"….etc options but no "open" option.

Removal Steps:

Step 1:

Press Start -> Run -> cmd (or command) -> press Enter

Type in command box- CD\

Type again in command box- c:

Type again in command box- attrib -s -h -r /d /s -> press Enter

Type again in command box- del autorun.inf -> press Enter

Type again in command box- del thumb*.* -> press Enter

Repeat the same with your other hard drive partitions as well…say if you have 3 drive partitions viz. "C", "D" & "E"…for this:

Type again in command box- d:

Type again in command box- attrib -s -h -r /d /s -> press Enter

Type again in command box- del autorun.inf -> press Enter

Type again in command box- del thumb*.* -> press Enter

Type again in command box- e:

Type again in command box- attrib -s -h -r /d /s -> press Enter

Type again in command box- del autorun.inf -> press Enter

Type again in command box- del thumb*.* -> press Enter

If you have any USB hard drive on pen drive connected, do the above procedure with its drive name. For example if your USB drive name is "G"…

Type again in command box- g:

Type again in command box- attrib -s -h -r /d /s -> press Enter

Type again in command box- del autorun.inf -> press Enter

Type again in command box- del thumb*.* -> press Enter

Type again in command box- exit

Step 2:

Press Start -> Run -> regedit ->press Enter

Click on following (in left side window):

"HKEY_LOCAL_MACHINE"->"SOFTWARE" -> "Microsoft" -> "Windows NT" -> "Current Version" -> "WinLogon".

Now on the right side window (under data) delete "LegalNoticeCaption" & "LegalNoticeText".

Step 3:

Go to Start menu -> Programs -> Accessories -> System Tools -> System restore

This'll open a box where you'll get the option - "Restore my system to an earlier time"... Select any old date on which you think your system was working fine…push on next..next…till the system restore starts…

System restore takes a few minutes to complete depending on your computer speed….so be patient….after system restore completes….Your computer will restart…..the problem should have been solved.

Step 4:

Press Start -> Run -> regedit ->press Enter

Press Ctrl + F

In the find window type Surabaya if at all you find any entries in the registry with this name…"Surabaya"…delete them

Step 5:

This virus makes your system's show hidden file option in folder menu to get disabled. To make your computer to show Hidden files, and to get your computer again back into normalcy…

Start --- Run --- regedit --- OK

HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows ->

Current Version -> Explorer -> Advanced -> Folder -> Hidden -> Show All

On the right side window, locate this: CheckedValue = "0"

Modify this value to 1. (right click on the Checked value under Name column -> Modify)

Note:

This virus usually reaches to your computer through any USB drive (pen drive or hard disc). Whenever you plug your USB drive into any other computer, infected with this virus, the virus will infect this drive and will infect the next computer, in which the drive is plugged in next time. So its always advisable not to open the pen drive directly. Instead always right click on the drive and select open option. If at all you see the first option as "autorun", after you right click on the USB drive, this means that the drive is infected.