0

Background: I have the common Pendrive Shortcut virus (creates a shortcut within the pendrive).

Question: How can I remove it?

Some additional info: There is a hidden .ini file included with the .lnk file in the drive folder. That's not exactly hidden, since it only shows when using the "ls" command at cmd. The file name is something like "~(random character string).ini", where the random character string is like "a3b$%N3a4".

Cheeku
    ...if you remove that file, you break your system. How exactly did you "trace" anything to that file? You can verify and repair system files with `sfc /scannow`. – Bob Dec 21 '13 at 14:50
  • Hmm...The .lnk shows the path to that file. – Cheeku Dec 21 '13 at 15:01
  • If you have a shortcut that merely runs that file, it's not necessarily an indicator of an issue. Executing `rundll32.exe` with no arguments does absolutely nothing. It is certainly *not* a reason to dive in and delete it. Please provide more details - what makes you think this is a virus, and what is the entire shortcut target line? – Bob Dec 21 '13 at 15:03
    With all due respect, I would recommend actually using an antivirus software rather than do detective work on your own, considering it's led you to the conclusion to delete crucial system files. –  Dec 21 '13 at 15:06
  • @Moses See edits, please! No, it's led me to that conclusion since there exists a malware that creates a file in your system by the name "rundll32.exe". I have faced it before, and deleting it solved the problem. It's just that it was never in the system32 folder. – Cheeku Dec 21 '13 at 15:09
  • @Cheeku If that file was modified, `sfc` should catch it and fix it. Deleting it would be a **bad** thing. Anyway, as you can see, it's not exactly an easy thing to modify - which makes it all the less likely. Disguising other programs under that name in other locations is (was?) a common tactic, but in the correct location it's a heavily protected core system file. Again, what's the full target of that shortcut? If there were no arguments after the executable name, it'll do literally nothing (apart from launching a program stub and then closing itself). Also, why are you against AVs? – Bob Dec 21 '13 at 15:13
  • @Bob The argument is the .ini file which I mentioned in the question. More specifically, "%hoMEdrive%\WINDOWS\System32\rundll32.exe ~%QOFNPYRVHRSUNP.ini, lnk " is the path! – Cheeku Dec 21 '13 at 15:29
  • @Cheeku Mmm, after your edit it becomes much easier. Just remove the Shortcut-virus. You can follow instructions [here](http://geekofreak.com/2013/10/how-to-remove-shortcut-virus-from-your-pen-drive.html) or anywhere you find on the web googling for [Pendrive+Shortcut+virus](https://www.google.com/search?q=Pendrive+Shortcut+virus). – Rik Dec 21 '13 at 15:31
  • @Rik Obviously tried that! The command just displays the hidden folder created by the malware in the name "_" along with the .ini file. What help does it do to me? I could always open that folder by clicking on the .lnk. Now, I can directly open it. But the malware is still there. It's just a way around it, not a solution. – Cheeku Dec 21 '13 at 15:37
  • @Cheeku Again - `sfc` should catch any modifications to `%SystemRoot%\System32\rundll32.exe`. You can run it from an installer DVD if you want to be certain that `sfc` itself has not been tampered with. Otherwise, that is the correct path for that file - and what it does depends on the arguments. The first argument should be a DLL; a text file (e.g. `.ini`) is *not* a valid target from any of the documentation I've seen. Can you check the contents of that text file? – Bob Dec 21 '13 at 16:06
  • @Cheeku You need to copy your real files off the pendrive and **format it**. After that copy your files back and the virus should be gone from the pendrive. Use a virus scanner to scan the rest of your hard drive. – Rik Dec 21 '13 at 16:18
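The pattern Cheeku and Bob pick apart in the comments above (a shortcut at the drive root whose target is `rundll32.exe` handed a `~*.ini` file instead of a DLL, a hidden `~*.ini` file next to it, and a hidden `_` folder where the real files ended up) can be checked mechanically before anything is deleted. The following Python script is an added example, not code from this thread or from any tool linked in the answers. It triages a drive-root listing and reports which entries match the pattern; everything else on the drive is left alone. Assumptions of mine, not facts from the thread: the regex used for the `.ini` name, the shortcut file name `KINGSTON.lnk` in the constructed sample listing, and reading real shortcut targets through pywin32's `WScript.Shell` COM object when the script is run on Windows.

```python
"""Triage a removable drive root for the 'shortcut virus' pattern.

Added example, not code from the original thread. The constructed sample
listing at the bottom mirrors the OP's description; it is not real drive output.
"""
import os
import re
import shlex
import stat
from dataclasses import dataclass

from pathlib import PureWindowsPath

# Assumed regex for the dropper name the OP describes: "~" + random characters + ".ini".
INI_DROPPER = re.compile(r"^~[^\\/]+\.ini$", re.IGNORECASE)
# The OP reports the hidden folder holding the real files is named "_".
STASH_DIR = "_"


@dataclass
class Entry:
    name: str         # file or folder name at the drive root
    is_dir: bool
    hidden: bool      # FILE_ATTRIBUTE_HIDDEN set on the entry
    target: str = ""  # shortcut target line; only meaningful for .lnk entries


def split_target(target):
    """Return (executable basename in lower case, [arguments]) for a shortcut target line."""
    try:
        tokens = shlex.split(target, posix=False)  # keeps backslashes, honours "quoted paths"
    except ValueError:                             # unbalanced quote: fall back to plain split
        tokens = target.split()
    tokens = [t.strip('"') for t in tokens]
    if not tokens:
        return "", []
    # PureWindowsPath copes with %ENVVAR% prefixes and mixed-case directory names.
    return PureWindowsPath(tokens[0]).name.lower(), tokens[1:]


def rundll32_abuse(target):
    """True when the shortcut runs rundll32.exe with a first argument that is not a DLL.

    Follows Bob's point above: rundll32's first argument should be a DLL, optionally
    followed by ",EntryPoint". A bare rundll32.exe with no arguments does nothing, so
    it is not flagged either.
    """
    exe, args = split_target(target)
    if exe != "rundll32.exe" or not args:
        return False
    module = args[0].split(",")[0]       # "shell32.dll,Control_RunDLL" -> "shell32.dll"
    return not module.lower().endswith(".dll")


def triage(entries):
    """Return [(entry name, reason)] for every root entry matching the pattern."""
    findings = []
    for e in entries:
        if e.is_dir and e.hidden and e.name == STASH_DIR:
            findings.append((e.name, "hidden stash folder; likely holds the real files"))
        elif not e.is_dir and e.hidden and INI_DROPPER.match(e.name):
            findings.append((e.name, "hidden ~*.ini file of the kind passed to rundll32"))
        elif e.name.lower().endswith(".lnk") and rundll32_abuse(e.target):
            findings.append((e.name, "shortcut runs rundll32.exe on a non-DLL argument"))
    return findings


def list_drive_root(root):
    """Build Entry objects from a real drive root. Windows only (uses st_file_attributes).

    Assumption: pywin32 is installed so WScript.Shell can read shortcut targets;
    without it the .lnk entries are listed with an empty target.
    """
    try:
        import win32com.client  # type: ignore
        shell = win32com.client.Dispatch("WScript.Shell")
    except ImportError:
        shell = None
    entries = []
    for de in os.scandir(root):
        hidden = bool(de.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
        target = ""
        if shell is not None and de.name.lower().endswith(".lnk"):
            sc = shell.CreateShortcut(de.path)
            target = f'"{sc.TargetPath}" {sc.Arguments}'.strip()
        entries.append(Entry(de.name, de.is_dir(), hidden, target))
    return entries


# Constructed sample listing based on the OP's description (shortcut name is assumed).
SAMPLE_LISTING = [
    Entry("_", is_dir=True, hidden=True),
    Entry("~%QOFNPYRVHRSUNP.ini", is_dir=False, hidden=True),
    Entry("KINGSTON.lnk", is_dir=False, hidden=False,
          target=r"%hoMEdrive%\WINDOWS\System32\rundll32.exe ~%QOFNPYRVHRSUNP.ini, lnk"),
    Entry("Notes.lnk", is_dir=False, hidden=False,
          target=r'"C:\Program Files\Notepad++\notepad++.exe"'),
    Entry("Control Panel.lnk", is_dir=False, hidden=False,
          target=r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
    Entry("thesis.docx", is_dir=False, hidden=False),
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LISTING):
        print(f"{name}: {reason}")
```

Run against a real drive with `triage(list_drive_root("E:\\"))` on Windows. The two flagged files are the ones Hennes says to remove; the flagged `_` folder is where the real files live, which is what Rik's "copy your real files off and format" step is about. Nothing here touches `%SystemRoot%\System32\rundll32.exe`, which is the legitimate system binary Bob describes; its integrity is a job for `sfc /scannow`, not for a script on the pendrive.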

3 Answers

1

CASIR (Common And Stubborn Infections Remover) should help you here.

http://www.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=6

If that does not help, you can use Kaspersky Rescue Disk to scan and clean your computer while your Windows is sleeping. Kaspersky Rescue Disk boots into a Linux environment and then scans your Windows installation. This way the virus, which is active when Windows is running, does not get a chance to interfere while Kaspersky Rescue Disk is cleaning your computer from a Linux environment.

bbalegere
  • I was thinking I better switch to Linux, as the virus is present but shows no effect there. – Cheeku Apr 05 '14 at 01:07
0

Try this:

Ripara USB

http://conte57.altervista.org/?page_id=10

It can sometimes be useful.

ops
-1

You can change the owner of rundll32.exe to your user with Right click -> Properties -> Security tab -> Advanced -> Owner tab -> Edit -> select your user. Then reopen the Properties panel and select Security tab -> Edit -> select the administrator -> tick Full Control. Now you can do whatever you want with the file.

Keep in mind that there is a reason you can't remove the file even as an administrator. It will break your system if you tamper with the file.

Braiam
Simiil
    **NO. NONONONONO. THERE IS ALMOST NEVER A GOOD REASON TO DO THIS. YOU ARE BETTER OFF REINSTALLING THE SYSTEM.** I rarely shout like this, but... seriously?!?! – Bob Dec 21 '13 at 14:57
  • Okay! Made an edit! – Cheeku Dec 21 '13 at 15:02
  • Why the downvote? I just answered his question (before he edited it). I never said it was a good idea... – Simiil Dec 21 '13 at 15:24
  • As background for the OP: Compare the virus to a list which says "Get a knife from the kitchen drawer, then pry open a locked cabinet". As answer to that you are trying to remove all knives from the kitchen drawer, which is not the solution (and those knives are used for other things which will fail if you remove them). Instead remove the .lnk file. – Hennes Dec 21 '13 at 17:16