Get Rid of Flash Drive Viruses

I’ve spent countless hours removing nar.vbs, 3wcxx91.cmd, start.exe, etc. files off jump drives. These viruses spread by automatically launching themselves using the autorun.inf file, and then replicating throughout your system. Once your system is infected, they will continue to infect every external USB device you plug in, and continue spreading this way.

For some reason a lot of anti-virus programs don’t pick these up quickly enough. The latest definitions of Symantec Antivirus seem to do it, however. Kaspersky, my favorite, is usually the best choice.

In case your system is not infected yet, or if you are trying to clean up a flash drive, here is what you can do.

These steps have to be performed before you actually open up a jump drive, because once you do, you will have a virus.

Here is a batch script that will clean the C, E, F, and G drives:

rem For each drive: switch to it, go to its root, clear the read-only,
rem archive, system and hidden attributes, then delete the known files.
c:
cd \
attrib -r -a -s -h *.*
del 3wcxx91.cmd
del autorun.inf
del start.exe
del "New Folder.exe"
del Info.exe
del New_Folder.exe
del Ravmon.exe
del *.vbs

e:
cd \
attrib -r -a -s -h *.*
del 3wcxx91.cmd
del autorun.inf
del start.exe
del "New Folder.exe"
del Info.exe
del New_Folder.exe
del Ravmon.exe
del *.vbs

f:
cd \
attrib -r -a -s -h *.*
del 3wcxx91.cmd
del autorun.inf
del start.exe
del "New Folder.exe"
del Info.exe
del New_Folder.exe
del Ravmon.exe
del *.vbs

g:
cd \
attrib -r -a -s -h *.*
del 3wcxx91.cmd
del autorun.inf
del start.exe
del "New Folder.exe"
del Info.exe
del New_Folder.exe
del Ravmon.exe
del *.vbs

You can copy and paste that into the command prompt if you choose.
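The script above deletes a fixed list of file names, but the autorun.inf on an infected drive names whatever file it launches. The following is an added example, not part of the original post: a Python sketch that reads autorun.inf as text (it runs nothing) and lists the launch entries, so you can see which file to remove. The function name, the extended extension list and the sample content are assumptions constructed for illustration.

```python
import re
import sys

# [autorun] keys whose value is a command Windows can launch from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Extensions from the post's cleanup list (.exe, .cmd, .vbs) plus close
# relatives; the extra ones are an assumption, not from the post.
SUSPECT = re.compile(r"\.(exe|cmd|vbs|bat|com|scr|pif)\b", re.I)

# Constructed sample; the junk lines show that the parser ignores them.
SAMPLE = """\
; lkjasdf9823rlkjsdf
[AutoRun]
open=start.exe
asdkj3=f9sdf
shell\\open\\Command=wscript.exe nar.vbs
shell\\explore\\command="New Folder.exe"
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Drive
"""


def launch_entries(text):
    """Return (key, command, suspicious) for each launch entry in [autorun]."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if in_autorun and sep and LAUNCH_KEY.match(key):
            command = value.strip()
            entries.append((key, command, bool(SUSPECT.search(command))))
    return entries


if __name__ == "__main__":
    # Usage: python check_autorun.py E:\autorun.inf
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for key, command, suspicious in launch_entries(text):
        print(f"{'SUSPECT' if suspicious else 'ok':8}{key} -> {command}")
```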

Another trick is disabling autorun.inf. That can be done either by downloading TweakUI and disabling autorun for external devices, or manually by importing the following code into your registry:

Windows Registry Editor Version 5.00

; The version 5.00 header is used because the hex(2) value below is UTF-16,
; which the older REGEDIT4 header would not import correctly.

; Map Autorun.inf to a registry location that does not exist,
; so Windows ignores autorun.inf files.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

; Delete and recreate the Folder Options "Hidden files and folders" setting.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Text"="@shell32.dll,-30499"
"Type"="group"
"Bitmap"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,\
00
"HelpID"="shell.hlp#51131"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

To import this into your registry, create a new file in Notepad, copy and paste the code above, and then save it as “registry-fix.reg”. Once saved, double-click the file and the values will be imported into your registry. You may want to back up your registry before you do anything to it, just in case.