SAY GOODBYE TO VIRUS and Antivirus

By KMST


TUTORIAL: SAY GOODBYE TO VIRUS

By: KaziMd. Shams Tibrize

This is a MINI tutorial about how to stay protected from viruses, and how to get rid of some specific viruses (ravmon, ssvichosst). It is important to spell virus names EXACTLY: svchost.exe is a useful system file, not a virus!

INTRODUCTION

First of all, let us give an overview of viruses. Some programs, written by EXPERTS or HACKERS (who actually expose the holes in system security), are intended to harm your computer or system in some way. These programs are called MALWARE; they can steal data, pass information to others, corrupt your important files, change the system, or, if you are very unlucky, even make your system unusable by eating important system files. A virus is one kind of malware; dialers, joke programs and Trojans are other forms. In this tutorial, malware and virus are used with the same meaning, i.e. any harmful program.

HOW VIRUS MAY SPREAD

The main home of malware is the INTERNET. Experts write code, create a virus and upload it to the biggest network of all, the Internet. While you visit dangerous sites, malware copies itself, automatically and without the user’s knowledge (it is very hard to notice), onto your system’s storage devices: hard disk, floppy, removable devices, etc. In most cases (99%, I think) these programs are very small, a few hundred kilobytes, and are hidden files. Once the virus file is on your system, it may be executed automatically or manually (if the user is not cautious); it then replicates itself into places that are vital to any system. Then you notice your system has gone BAD, doing unusual things… and you become worried.

STAY PROTECTED

The following are the possible sources from which your computer may be infected (with a virus):

· Internet

· Network

· Floppy

· CD

· Pen drive

· Removable devices such as MP4 player or Mobile.

For Home Users:

If you are a home user without any network or Internet connection, then it is very easy to stay protected. As viruses are hidden files, make sure you have set the system to show hidden files (Folder Options > View > ‘Show hidden files and folders’).

Now, whenever you insert any device (floppy, CD, pen drive, removable device), DO NOT DOUBLE-CLICK IT. Just right-click it and select OPEN. If Open is not listed in the context menu (right-click), then type the drive letter (e.g. H:) in the address field of your window.

Once you are inside the drive, look for an AUTORUN.INF file and remove it. You may open that .inf file and look at the line “OPEN=” to see which EXE filename is there. If it is an unnecessary file, delete both autorun.inf and that EXE file. Note that many legitimate software packages use autorun.inf for their own purposes, but viruses use autorun.inf too. Autorun.inf itself is not a virus; it is a useful, harmless file, but the commands listed inside it may be harmful. Also look for any file that you already know is harmful.

Use your existing knowledge to search (press F3 > *.exe in the ‘filename’ field) for any unusual, virus-like program. If you have antivirus software, scan the drive as well.

For users having net and/or Internet:

If you own a modem or NIC (Network Interface Card) to connect to other computers or the Internet, then you are at higher risk of being infected.

In that case you must follow the tips in the “For Home Users” section and also make sure that you DO NOT VISIT ANY UNWANTED SITES that you think might not be trustworthy… Another thing you must keep in mind: DO NOT CLICK links without knowing their content. And you must make sure that YOUR FIREWALL IS RUNNING…


ANTIVIRUS

Well, you might already know something about antivirus (AV) software. Many people (including me) ask others which software to use. I advise and request you to use any antivirus supplied with your motherboard CD. You may rely on McAfee, eTrust, PcCillin, Kaspersky, Norton or BitDefender antivirus software. Any of these will make sure your system is secured against virus infection.

I know, different people have their own suggested AV names. But, for me, any of the branded AVs will do. If you ask me which AV I use: I have used Norton, Symantec AV, PcCillin, Panda and Kaspersky. Norton is slower, while Kaspersky gives you some extra features: its own firewall as well as valuable application protection that helps protect your applications from being modified in unusual ways. Now, I do not use any AV; I just stay conscious of what I am doing… If you use an AV, YOU ARE STILL AT RISK, believe me, because your AV needs its virus database to be updated regularly to detect new viruses.

As we use pirated copies :( the AV companies give no support, and as we do not update the AV, we are at risk. I request you to update the AV database frequently (once or twice a week if possible), or enable the AutoUpdate feature of the AV if you have an Internet connection.

BE YOUR OWN AV !

Yes, I am telling you to be the antivirus :) though it is impossible. What you can do is be more and more careful, which is the key to avoiding virus infections. My suggestion for you is: DON’T rely on an AV against recent viruses if you do not UPDATE it frequently, as it only wastes your resources and slows down your work… An AV without updates is still useful against old viruses but useless against the most recent ones. I am not advising you not to use an AV; I am just saying keep it up to date.

RECOGNIZE INFECTION

There are some symptoms that tell you your system is infected, including: the system slows down; Folder Options, Task Manager, Registry Editor (regedit) and System Configuration (msconfig) are disabled or not working. Your system might even be corrupted as well.

One option is to REINSTALL your system (Windows), which is actually a BAD idea to me, as it wastes a huge amount of time; moreover, it might not be possible to back up all of your data (always the highest priority).

HOW VIRUS HARM and SURVIVE

Now, let’s see what viruses do to survive and harm your computer…

First of all, the virus copies itself onto your computer as described in the ‘Stay Protected’ section. The virus is then in a sleeping state until you DOUBLE-CLICK it (directly, or by double-clicking the drive!). Then the virus EXECUTES itself.

Once the virus is in your RAM (running), it replicates itself on your HD (mainly in C:\Windows or C:\Windows\System32).

It changes things in your REGISTRY (or SYSTEM):

· Replicates itself in at least one of C:\, C:\Windows, C:\Windows\System32.

· Replicates itself in the folder named “Startup” under the Start menu (basically only the current user is affected, but some viruses may use the “Startup” folder of “All Users” as well).

· Disables the registry editor so that you cannot change things back.

· Disables the task manager so that you can’t view or stop the execution of the virus, and

· Disables your Folder Options so that you can’t view hidden files and folders; hence the virus is invisible to you.

· Changes the SHELL value in the registry (it defines which file is executed when you log on to the system) so that the virus too runs with the system.

· Creates an entry in RUN (specifies which programs will run on system startup).

· Creates a service (run services.msc to view services) that runs with your system.


In the registry, the following changes are usually made by viruses (e.g. ravmon, ssvichosst):

1. Task Manager and Registry Editor are disabled:

[HKEY_USERS\S-1-5-21-2052111302-879983540-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableTaskMgr"=dword:00000001

"DisableRegistryTools"=dword:00000001


2. Folder Options are disabled:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NofolderOptions"=dword:00000001


3. Change the SHELL value and append its own name (%System%\RAVMON.EXE):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="Explorer.exe RAVMON.EXE"

4. Create an entry in the RUN subkey, which makes the virus run itself with the system:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo Messenger"="RAVMON.EXE"


SOLUTION/CURE OF YOUR SYSTEM

There are many cases I personally saw where users got infected while having antivirus software running in the background!!! And even though they knew the virus-avoidance tips under the “Stay Protected” section, they got infected by double-clicking an MP4 player or similar removable device!!! This section will show you how to get rid of the virus that has infected your system. As I gave the changes a virus makes for its own SURVIVAL in the previous section, this section highlights how those settings can be restored and the system cured.

You might be thinking that a virus changes mainly the registry for its survival. Just know that the registry is the HEART of the Windows operating system, storing millions of pieces of information about the system, hardware, software, users, user settings, configuration and much more. And Windows ships with a registry editor utility (or tool) named regedit.exe that can be found in the Windows folder.

If you are already familiar with the registry / registry editor and the msconfig tool, then just try running your registry editor to change the registry back, and msconfig to disable the startup entries, and come back to this tutorial soon…

So, what’s the matter, you just failed to do so… as I knew you would. You can’t even stop the virus running in the background, nor delete it from the Windows folder, as it is already running…

Don’t worry, because I did not find useful information either when I got infected by ssvichosst.exe. So I continued to find out why and how the virus works, and devised a way of my own to clean that virus from your system. Note here that if your computer has a virus file, that does not mean your computer is infected. A virus does not activate unless someone (in most cases you, or sometimes automatically) activates it by executing (double-clicking) it. Let’s move on to the final part of my tutorial. I know you will have fun and will be able to remove the virus.

Restore registry changes:

Though the virus disabled registry editing through the regedit tool of Windows, you can use a third-party registry editor, as I did some time ago with TuneUp Utilities. But why bother with extra SW??? We can do the same task using another Windows tool.

The tool is the REG command in the command prompt (cmd). To learn more about the REG tool, just search for “reg” in the ‘Help and Support Center’ of Windows.


A. COPY THE FOLLOWING LINES AS THEY ARE, paste them into WordPad (or Notepad) and save the file as C:\tib.txt (make sure each line starts on a new line):

;START COPYING

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableTaskMgr"=dword:00000000

"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NofolderOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="Explorer.exe"

;END COPYING


B. Click Start Menu > Run and type “REG IMPORT C:\tib.txt” (without quotes).

C. Use Task Manager (right-click the taskbar, or click Run and type “taskmgr”).

D. Find the instance of the virus under the “Processes” tab of Task Manager.

E. Press the “Delete” key or right-click and select ‘End Task’. If you have a problem (and I know you will), see the NOTE.

F. Now use your Folder Options and change the setting to show all hidden files and folders.

G. Search for the virus with the Windows search tool and DELETE the virus file(s).

H. Open the System Configuration Utility (type msconfig in Run as in step C) and disable any virus-like entries on the ‘Startup’ tab. DO NOT DISABLE ANY IMPORTANT ENTRY.

I. Delete any instances of the virus from the Windows and Startup folders, if they exist.

J. NOW, YOU HAVE JUST disinfected your system.


To make sure, open the registry editor (regedit.exe) and search for the virus name. Also manually make sure that the RUN subkey is free of any dangerous virus entry, and that the SHELL value has the data “explorer.exe” only, without any postfix.
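A way to check the four registry changes listed in “How Virus Harm and Survive” and this verification step in one go, as an added example (not the author’s tool): a Python script that parses a .reg export (such as one produced with REG EXPORT, or the tib.txt format above) and reports every setting still in the state a virus leaves it in. The sample export is constructed to mirror the infected values shown earlier; it assumes plain REGEDIT4-style text.

```python
import re
# Constructed .reg export (not from the page) reproducing the changes listed
# earlier: policies set to 1, a Shell postfix and a Run entry.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe RAVMON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messenger"="RAVMON.EXE"
"""
# "name"=dword:XXXXXXXX or "name"="string"; default (@=) values are skipped.
VALUE_RE = re.compile(r'^"([^"]*)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Map lower-cased key path -> {lower-cased value name: int or str}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            keys[current][name.lower()] = (int(dword, 16) if dword is not None
                                           else re.sub(r"\\(.)", r"\1", string))
    return keys

def audit(keys):
    """One finding per setting still in the state the virus leaves it in."""
    findings = []
    for key, values in keys.items():
        leaf = key.split("\\software\\", 1)[-1]      # drop hive and user SID
        if leaf == r"microsoft\windows\currentversion\policies\system":
            for name in ("disabletaskmgr", "disableregistrytools"):
                if values.get(name, 0) != 0:
                    findings.append(f"{name} is still 1")
        elif leaf == r"microsoft\windows\currentversion\policies\explorer":
            if values.get("nofolderoptions", 0) != 0:
                findings.append("nofolderoptions is still 1")
        elif leaf == r"microsoft\windows nt\currentversion\winlogon":
            shell = values.get("shell", "explorer.exe").strip().lower()
            if shell != "explorer.exe":
                findings.append(f"shell has a postfix: {shell!r}")
        elif leaf == r"microsoft\windows\currentversion\run":
            findings += [f"run entry to review: {n} = {d!r}" for n, d in values.items()]
    return findings
```

Run it as `print("\n".join(audit(parse_reg(open("export.reg").read()))))`; an empty result means the three policies are 0, Shell is exactly explorer.exe and the Run subkey is empty.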

The process listed above does not delete all the replicated copies of the virus. If you know the virus name, then search with that name. The virus may even create executables (.exe files) under folders with the same name as the parent folder. So search for *.exe files and carefully delete those items (the file icon will look like a folder).
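A search for the folder look-alike executables just described, as an added example (not the author’s tool). It goes slightly beyond the text: it flags a .exe whose name matches the folder it sits in, and also one that sits beside a folder of the same name, since both appear as a “folder” to someone with extensions hidden. The directory layout is constructed in a temporary folder for the demo; the files contain dummy bytes, not real programs.

```python
import os
import tempfile

# Constructed sample layout (not from the page): two folder look-alikes and
# one legitimate installer that must not be flagged. Contents are dummy bytes.
SAMPLE_TREE = {
    "Photos/Photos.exe": b"MZ-dummy",     # .exe inside the folder it copies
    "Photos/holiday.jpg": b"jpeg-dummy",
    "Music/Music.exe": b"MZ-dummy",
    "Docs/notes.txt": b"text",
    "Docs.exe": b"MZ-dummy",              # .exe beside the folder it copies
    "Tools/setup.exe": b"MZ-dummy",       # ordinary executable, not a mimic
}

def build_sample_tree(base):
    """Write SAMPLE_TREE under base (creating folders as needed)."""
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def find_folder_mimics(root):
    """Relative paths of every .exe whose name matches the folder it is in
    or a sibling folder; the comparison is case-insensitive, like Windows."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = {d.lower() for d in dirnames}
        parent = os.path.basename(dirpath).lower() if dirpath != root else ""
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".exe" and stem.lower() in siblings | {parent}:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def demo():
    """Build the sample tree in a temp folder and return what gets flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_folder_mimics(tmp)

if __name__ == "__main__":
    for hit in demo():
        print("folder look-alike:", hit)
```

Point `find_folder_mimics` at a drive root (e.g. `find_folder_mimics("H:\\")`) to list candidates; review each hit rather than deleting blindly, since a legitimate program can share a folder’s name.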

By now, your computer is both virus-free and does not contain any sleeping virus (only true for a known virus name, and it depends a lot on your experience and expertise).

IT IS ALSO GOOD TO DISABLE THE AUTOPLAY OPTION ON EVERY DRIVE. If you need it, I may provide instructions on how… but later.


NOTE (*important*)

In the earlier section, I told you to use the REG tool to import the TIB.TXT file and then kill the running virus (i.e. the process) using Task Manager. But, as a matter of fact, if you open ‘Task Manager’, ‘MsConfig’ or ‘CMD’, then within a few seconds the virus automatically closes it. So you are unable to kill the task from Task Manager. Now… what to do?

The easiest solution is to use any third-party task manager tool (one is bundled with TuneUp Utilities). We may also do it using a Windows tool (TASKKILL). Open Task Manager and take a very quick look at the running processes; if you are quick enough you will be able to spot the virus-like process. Repeat as many times as you need to grab the EXACT process name of the virus (e.g. ssvichosst.exe, new folder.exe, etc.).

Now in ‘RUN’ (Winkey + R), type:

TASKKILL /IM "ProcessName"

Press Enter. If you have done it exactly, then the virus is no longer in RAM. To make sure, open Task Manager; if it does not close automatically within a short time, YOU DID IT.

Now use regedit and msconfig (as I described above) to make your computer virus-free. Search for *.exe files and delete virus-like programs.


SUMMARY

Thank you for viewing this mini tutorial, which I created for the first time keeping in mind the nature and spreading of the virus files named ravmon and ssvichosst. Making your system secure depends entirely on your carefulness. One thing I would add from my life: THE MORE YOU EXPLORE, THE MORE YOU LEARN. So never stop exploring any area you are interested in.

COPYRIGHT

This mini tutorial was created by Kazi Md. Shams Tibrize, M.Sc.Engg.(CSE), BUET, who is not any kind of certified professional. You can freely distribute this tutorial, and please convey any wrong information, suggestions or comments on this tutorial to tibrize@yahoo.com. Thank you for your patience.



Comments


Mobile antivirus  says:
2 months ago

Amazing post.
