
I'm trying to remove a virus from my friend's PC. The virus is called qbqjralptr..vbs, and I found that it's a worm identified as USB – Dinihou – Houdini Worm.VBScript.

It seemed easy to remove, but I was only able to deactivate it, not remove it.

It infects all USB keys connected to the PC, creating false links to all files contained on the key. They link to a hidden file on the key, which is the virus.

Well, I found it's a process which checks whether a new key is connected and builds the virus links.

I tried to kill the process and it worked. It doesn't recreate itself, and the key I connected didn't get any links anymore. I deleted all system registry keys which permitted the virus to start when the OS loaded.

I located it in the user's temp folder, but when I checked that folder I didn't find any file.

Windows suggests it is a file, but the dir command doesn't return anything, so I can't delete it because of a “file not found” message.

Do you know how I can proceed?

Giacomo1968
  • 58,727

1 Answer


Look for an autorun.inf file in the root of the removable media or the infected PC's hard disks. These files will have some strange file names, mostly from the user data directory or documents directory, or sometimes even just the startup directory.

Try to locate that file and delete it from safe mode, because once you log in it's not easy to remove the script, as it would normally replicate itself through some other application.

Use the Autoruns software available from the Microsoft website.

Look for the file under startup and scheduled tasks; these are common places for such scripts.

Look for strange file names with long alphanumeric values, upload them to VirusTotal and check them out. It might help.

For your file not found error:

To locate the file directory from the command prompt, type attrib -s -h -r . then dir . If you want to see the file's existence first, use dir . /ah to see if the file is in hidden mode, which is the first thing they do. Also, you have to use the command prompt in elevated mode if on Win 7.

It is unfortunate that it's very common for these small viruses to be lurking around easily. Most antiviruses I have seen remove only the infected file, and it's very obvious that something else is creating these scripts, and it doesn't hit the source at all...

If you can upload the script file, locate the autorun file and post it to some server, it would help.
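
A read-only PowerShell pass over the places the answer above names (autorun.inf, Startup, scheduled tasks, hidden files in the temp folder and on USB keys), added here as an example that is not part of the original answer. The file-name pattern, the helper New-Finding and the exact list of locations are assumptions.

```powershell
# Added example: read-only triage; it lists candidates and deletes nothing.
# $pattern and the locations checked are assumptions, not taken from the posts above.
$pattern = '\.(vbs|vbe|js|jse|wsf)\b|wscript|cscript|autorun\.inf'
$shell   = New-Object -ComObject WScript.Shell   # used only to read .lnk targets

function New-Finding($Source, $Name, $Detail) {
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Detail = $Detail }
}

$findings = @(
    # 1. Run/RunOnce values that launch a script or a script host.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item -Path $key
            foreach ($name in $item.GetValueNames()) {
                $value = [string]$item.GetValue($name)
                if ($value -match $pattern) { New-Finding $key $name $value }
            }
        }
    }
    # 2. Scheduled tasks: match raw CSV rows so this works on any display language.
    schtasks.exe /query /fo csv /v 2>$null | Where-Object { $_ -match $pattern } |
        ForEach-Object { New-Finding 'Scheduled task' '' $_ }

    # 3. Temp, Startup folders and removable-drive roots; -Force lists hidden files.
    $folders = @($env:TEMP, [Environment]::GetFolderPath('Startup'),
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    $folders += @([IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady } |
        ForEach-Object { $_.Name })
    foreach ($folder in $folders) {
        Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } | ForEach-Object {
                $target = ''
                if ($_.Extension -eq '.lnk') {   # resolve where the shortcut points
                    $lnk = $shell.CreateShortcut($_.FullName)
                    $target = "$($lnk.TargetPath) $($lnk.Arguments)"
                }
                if ("$($_.Name) $target" -match $pattern) {
                    New-Finding $folder $_.Name "[$($_.Attributes)] -> $target"
                }
            }
    }
)
$findings | Select-Object Source, Name, Detail | Format-List
```

Run it from an elevated prompt so that all scheduled tasks are visible, and review each finding before deleting anything.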