Most of us use removable media daily to transfer data from one computer to another. We generally plug pen drives into computers at offices, colleges, cyber cafes and so on, and those computers may or may not have anti-virus software installed. If the system you are using is infected, the virus will copy itself onto your pen drive along with your data. Plugging that pen drive into your own system then infects it, which in turn may lead to loss or theft of your personal data and leave you with no option but to format your hard drive. The most common examples of such viruses drop files with names like regsvr.exe and 'New Folder.exe'.
   I have been using this method to protect my computer from viruses carried on removable media for quite some time now, with great success, so I thought I'd share it with others.
   All you need to follow this guide is a good anti-virus program (I recommend and use ESET NOD32). The group policy steps work without it; the anti-virus is only needed for the scanning in STEPS 12 to 14.
STEP 1: Click 'Start' and then select 'Run'.
STEP 2: In the dialogue box type 'gpedit.msc' and press Enter. This opens the Group Policy Editor.
NOTE:- the Group Policy Editor can only be used from an administrator's account, and it is not included in the Home editions of Windows (XP Home, for example); on those editions the same settings have to be made directly in the registry.
STEP 3: A new window should now open. Under 'User Configuration' on the left, click 'Administrative Templates'.
STEP 4: Now on the left hand side, double click 'system'.This is what your window should look like.
 
STEP 5: From the list, find the line that reads 'Prevent access to registry editing tools'.
STEP 7: Double click it and a new window should open.
STEP 8: Select 'enabled' and click 'apply'.
 
Note what this does and does not do: it disables regedit.exe and regedt32.exe for the user account the policy applies to. It does not stop a program from changing the registry through the Windows API, which is how a virus adds its own Run entry, so treat it as a hardening step for the account rather than a barrier to the virus. It also means you cannot use regedit yourself until you set the policy back to 'Not configured'.
STEP 9: Now select 'Turn off Autoplay' from the same list and double click it.
STEP 10: Select 'Enabled', from the drop down box select 'All drives' and click 'Apply'. The same policy also exists under 'Computer Configuration' > 'Administrative Templates' > 'System'; set it there as well if you want it to apply to every account on the machine, not just the one you are logged in as.
This is what your window should look like:
The virus relies on an 'autorun.inf' file in the root of the drive. When you plug in the pen drive, the Windows shell is notified that a new volume has arrived, looks for autorun.inf in its root and parses it. An 'open=' or 'shellexecute=' entry names the program AutoPlay runs, an 'action=' entry can make that choice look like the normal 'Open folder to view files' option in the AutoPlay dialog, and 'shell\open\command=' entries replace what happens when you double-click the drive in My Computer. These commands install the virus files onto your system without your permission. Turning Autoplay off for all drives stops the shell from acting on autorun.inf automatically. Two caveats: the double-click hijack still works if any autorun.inf remains on the drive (which is why STEP 17 says to 'Explore' rather than double-click), and the setting only protects the computer it is applied to, not the data on the pen drive. Microsoft's update KB971029 (August 2009) goes further by making Windows ignore autorun.inf on anything other than CDs and DVDs.
STEP 11: Now plug in the pen drive and go to 'my computer'.
STEP 12: Right click on the icon that corresponds to your pen drive and select 'Advanced options' and then 'Clean files'. These entries are added to the context menu by NOD32; other anti-virus programs have their own 'scan this drive' entry.
STEP 13: NOD32 will now start scanning the removable media for viruses.
STEP 14: Once the scan is complete, select and delete all the infected files from the scan log.
STEP 15: To make sure the autorun.inf file is no longer present on your pen drive, go to 'Start', click 'Run' and type 'cmd' to open the command prompt. Type your drive letter followed by ':' and press Enter; for example, if the drive letter is I, type 'I:'. On the next line type 'dir /a'. The '/a' switch matters: the virus marks autorun.inf hidden and system, and a plain 'dir' does not list such files, so without it you could be fooled into thinking the file is gone. If autorun.inf is in the list, strip its attributes and delete it with 'attrib -R -S -H autorun.inf' followed by 'del autorun.inf' ('del' on its own will not remove a hidden or system file).
STEP 16: The virus sets the 'hidden' (and usually also 'system') attribute on all the folders on your pen drive; the 'New Folder.exe' family then puts a program with the same name and a folder icon next to each hidden folder so that you open the virus instead. To remove those attributes from every file and folder at once, type this at the command prompt (from the root of the drive, as the prompt shows):
         I:\>attrib -H -S \*.* /S /D
STEP 17: Now open My Computer, right click your pen drive and choose 'Explore'. Do not double click the drive: if any autorun.inf survived, double-clicking runs the command it names under shell\open\command, which is exactly how the virus starts again (a thorough autorun.inf can hijack 'Explore' too, which is why STEP 15 checks that the file is gone first). At this point you should be able to see and access all files on your pen drive. Delete the files you don't recognise (an .exe with a folder icon, or one with the same name as one of your folders, is the virus), or alternatively copy all the files you need to some other location.
STEP 18: After all the required data has been recovered, format your pen drive! Formatting, rather than deleting files one by one, is the only way to be sure nothing of the virus remains.
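The whole procedure above, as an added PowerShell example that is not part of the original post. It assumes an administrative PowerShell session (version 2 or later) on Windows XP or 7 and that the pen drive is I: (change the drive letter at the bottom). It writes the registry values behind the two Group Policy settings (so it also works on Home editions without gpedit.msc), adds the IniFileMapping setting from Microsoft KB967715 that makes the shell ignore autorun.inf altogether, then prints what a surviving autorun.inf would run, deletes it, clears the hidden/system attributes the way STEP 16 does, and lists the executables in the drive's root for you to judge. The function names are my own:

```powershell
# Added example, not from the original post. Assumes an administrative
# PowerShell (v2+) session on Windows XP/7 and that the pen drive is I:.
# Review the printed output before deleting anything you are unsure about.

function Set-AutorunHardening {
    # Machine-wide equivalent of "Turn off Autoplay" = Enabled, All drives.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $explorer -Force | Out-Null
    Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

    # Stronger than AutoPlay off: map autorun.inf to a non-existent section so the
    # shell never parses it, which also defeats the shell\open\command double-click
    # hijack. This is the IniFileMapping method described in Microsoft KB967715.
    $map = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    New-Item -Path $map -Force | Out-Null
    Set-ItemProperty -Path $map -Name '(default)' -Value '@SYS:DoesNotExist'

    # Per-user equivalent of "Prevent access to registry editing tools" = Enabled.
    # This only blocks regedit.exe for this user; a running program can still
    # write to the registry through the Windows API.
    $system = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    New-Item -Path $system -Force | Out-Null
    Set-ItemProperty -Path $system -Name DisableRegistryTools -Value 1 -Type DWord
}

function Get-AutorunCommands {
    param([string]$Root)
    # Returns the autorun.inf lines that tell the shell what to run:
    # open= / shellexecute= is what AutoPlay executes, action= is the label it
    # shows for that choice, shell\<verb>\command= replaces double-click/Explore.
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return @() }
    Get-Content -LiteralPath $inf |
        Where-Object { $_ -match '^\s*(open|shellexecute|action|shell\\[^\\]+\\command|shell)\s*=' }
}

function Clean-RemovableDrive {
    param([string]$Drive = 'I:')
    $root = $Drive.TrimEnd('\') + '\'

    $commands = Get-AutorunCommands -Root $root
    if ($commands) {
        Write-Host "autorun.inf on $Drive would run:"
        $commands | ForEach-Object { Write-Host "    $_" }
        # Plain 'del' skips hidden/system files, so clear the attributes first.
        $inf = Get-Item -LiteralPath (Join-Path $root 'autorun.inf') -Force
        $inf.Attributes = 'Normal'
        Remove-Item -LiteralPath $inf.FullName -Force
        Write-Host "deleted $($inf.FullName)"
    }

    # Equivalent of: attrib -H -S \*.* /S /D
    $mask = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System
    Get-ChildItem -LiteralPath $root -Recurse -Force | ForEach-Object {
        if (([int]$_.Attributes -band $mask) -ne 0) {
            $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $mask))
        }
    }

    # The droppers this post is about (regsvr.exe, "New Folder.exe") live in the
    # root of the drive; list every executable there so you can decide what to delete.
    Get-ChildItem -LiteralPath $root -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '\.(exe|scr|com|pif|bat|cmd|vbs)$' } |
        Select-Object Name, Length, LastWriteTime
}

Set-AutorunHardening
Clean-RemovableDrive -Drive 'I:'
```

Run it once with the pen drive plugged in; the hardening part only needs to be run once per machine, the cleaning part once per drive. Formatting the drive afterwards, as STEP 18 says, is still the safest finish.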
Saturday, September 19, 2009
Guide to prevent your computer from getting infected with Viruses that spread through removable media(like pen drives).
Labels: new folder.exe, regsvr.exe, Virus removal
Posted by Angad at 1:23 PM

4 comments:
woah~ ^o^ hehe. I can't find 'Prevent access to registry editing tools'. -->here is what it looks like
http://i47.tinypic.com/34etff7.jpg<--
hehehe.
You will find it under Administrative Templates
On right-click on pen drive, no advanced option is there.
You will get the 'advanced options' only if you install nod32 anti-virus