
I'm trying to remove a virus from my friend's PC. The virus is called qbqjralptr..vbs and I found it is a worm identified as USB – Dinihou – Houdini Worm.VBScript.

It seemed easy to remove, but I was only able to deactivate it, not remove it.

It infects all USB keys connected to the PC, creating false links to all files contained on the key. They link to a hidden file on the key, which is the virus.

Well, I found it's a process which checks if a new key is connected and builds the virus links.

I tried to kill the process and it worked. It won't recreate itself, and the key I connected didn't get any links anymore. I deleted all the system registry keys which permitted the virus to start when the OS loaded.

I located it in the temp folder of the user, but when I checked that folder I didn't find any file.

Windows suggests it is a file, but the `dir` command won't retrieve anything, so I can't delete it because of the "file not found" message.

Do you know how I can proceed?

  • [VirusTotal](https://www.virustotal.com/en/file/96fa88ed13ef12d2ca0651902812d665b2783e2cf2836aa9ee071df735a58d73/analysis/1396719834/) suggests a lot of anti-virus programs will remove it. – Andrew Morton Oct 04 '14 at 18:36
  • I found a few utilities, but I'd rather remove it without scripts if it's possible and it isn't complex. Thank you! – blurstream Oct 04 '14 at 18:53
  • One of the problems with malware is that it often loads more malware, which might be more difficult to detect, onto the computer. Using an anti-virus program will increase the chances of detecting and removing them too. As for `dir` not showing it, you might need to use `dir /a:hs`, which shows files with the hidden and system attributes. But I still recommend using an anti-virus program, and perhaps also something like Malwarebytes. – Andrew Morton Oct 04 '14 at 18:58
  • Using this command, can I see the whole content of the folder, so could I see the virus too? It's strange I can't delete it while Windows tells me it is in that folder. How can I delete it? – blurstream Oct 04 '14 at 19:17
  • It may be that you may have disabled some part of it but it has been clever about preventing its deletion and other parts of it remain. Really, just use an anti-virus program to remove it; many of them have free versions which you can uninstall afterwards if you want to. Just don't have more than one anti-virus program on the computer at the same time, as they will interfere with each other unless designed to co-operate. – Andrew Morton Oct 04 '14 at 19:35
  • @blurstream The reality is by approaching this manually you are simply playing "whack-a-mole" and might never truly deal with the issue in a stable & definitive way. Life is too short. Just download the proper tool & get rid of the malware. – Giacomo1968 Oct 04 '14 at 19:38
  • Alright, thank you!! I am going to use a utility! :) – blurstream Oct 06 '14 at 11:14

1 Answer

Look for an autorun.inf file in the root of the removable media or of the infected PC's hard disks. These files will reference some strange file names, mostly from the user data directory or documents directory, or sometimes even just the startup directory.

Try to locate that file and delete it from safe mode, because once you log in it's not easy to remove the script, as it would normally replicate itself through some other application.

Use the software Autoruns, available from the Microsoft website.

Look for the file under Startup and Scheduled Tasks; these are common places for such scripts.

Look for strange file names with long alphanumeric values, upload them to VirusTotal and check them out. It might help.

For your file not found error:

To locate the file directory from the command prompt, type `attrib -s -h -r`, then `dir`. If you want to check the file's existence first, use `dir . /ah` to see if the file is in hidden mode, which is the first thing they do. Also, you have to use the command prompt in elevated mode if on Win 7.

It is unfortunate that it's very common for these small viruses to be lurking around easily. Most antiviruses I have seen remove only the infected file, and it's very obvious that something else is creating these scripts and the antivirus doesn't hit the source at all...

If you can upload the script file, locate the autorun file and post it to some server, it would help.

  • Thank you! I am going to try it as soon as I meet my friend and I'll get the file content (I remember it is encrypted, but it should be easy to do). – blurstream Oct 07 '14 at 13:14
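The answer's manual checks (hidden files in the user's temp folder, shortcuts on the USB key that point at a hidden script, and autostart entries) can be gathered in one read-only pass. The script below is an added example, not part of the question or answer; it assumes PowerShell 3 or later, that the payload is a `.vbs` under `%TEMP%`, and that the Run keys are the autostart location of interest. It reports findings and deletes nothing.

```powershell
# Added triage script (not from the thread). Reports, in one table, the artefacts the
# thread describes: a hidden/system .vbs in %TEMP%, .lnk shortcuts on removable drives
# whose target runs a script, and Run-key entries that launch a .vbs. Read-only.
# Locations checked are assumptions; widen them if the PC differs.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($kind, $path, $target) {
    $findings.Add([PSCustomObject]@{ Kind = $kind; Path = $path; Target = "$target" })
}
$hiddenOrSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# 1. Hidden or system .vbs files in the user's temp folder.
#    -Force makes Get-ChildItem list hidden/system items, the equivalent of "dir /a:hs".
Get-ChildItem -Path $env:TEMP -Filter *.vbs -Force -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $hiddenOrSystem) -ne 0 } |
    ForEach-Object { Add-Finding 'Hidden temp vbs' $_.FullName $_.Attributes }

# 2. Removable drives (DriveType 2): shortcuts whose target runs wscript/cscript or a
#    .vbs, plus any .vbs in the drive root, where the worm keeps its hidden copy.
$shell = New-Object -ComObject WScript.Shell
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    Get-ChildItem -Path $root -Filter *.lnk -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)          # resolves target and arguments
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match '(?i)wscript|cscript|\.vbs') { Add-Finding 'USB shortcut' $_.FullName $cmd }
    }
    Get-ChildItem -Path $root -Filter *.vbs -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'USB hidden vbs' $_.FullName $_.Attributes }
}

# 3. Run keys (current user and machine) whose command references a .vbs.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '(?i)\.vbs' } |
        ForEach-Object { Add-Finding 'Run key' "$key\$($_.Name)" $_.Value }
}

if ($findings.Count -eq 0) { 'No Houdini-style artefacts found in the checked locations.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt with the USB key plugged in; anything it lists is a candidate to submit to VirusTotal or to remove with an anti-virus tool as the comments recommend.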