Life of a Blogger

Bleuken.i.ph is my first ever blog and give me opportunity to post different topics that can help other people to make money online and go through cyberspace. This started at Roxas City, Capiz, Philippines. This blog is intend to post different advice on programming, web design, search engine optimization (SEO Challenges, SEO Contests), information about viruses and how to remove it, making money online and contain some of my experiences online.

If you wish to suggest or send feedbacks, you can contact me at fbaguyo[at]hotmail[dot]com

Home » Post Item » Computer Virus attacks HC Lab!

Computer Virus attacks HC Lab!

February 22, 2007

There's a strain of computer virus that infects the file server and workstations of the computer laboratory of Hercor College, Roxas City, Capiz, Philippines. It hides itself by using the name ctfmon.exe (Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.) It was detected by TrendMicro 2007 as PE_VBAC.A virus and as MianCrypt.Gen virus by AVAST.

The said virus hides itself inside a folder named Recycled. The folder has a hidden/system/read-only attribute, that's why you can't see it if you will use the Search window. When your system is infected by the said virus, it infects every drive connected to your PC by dropping VCAB.DLL to the internet temporary folder and creating the CTFMON.EXE to folder Recyled & AUTORUN.INF to the root directory of every drive. That's why when you connect your USB sticks to the infected PC it will be infected immediately, the USB disks will be the new carrier for the virus. The program runs every time you start your computer because it copy itself in the Startup folder of the Start Menu. It also run every time your insert the infected USB disk and it triggers every time you Double-Click the infected drive (bcoz of the AUTORUN.INF). The virus infects .EXEs and .DLLs.

To check if your system is infected by the said virus without using an antivirus, do the following steps:

  1. Go to command prompt.
  2. Type CD\ in drive C to go the root directory
  3. Type DIR /AH and press ENTER key. This will display all hidden files in your drive C
  4. If you see a file AUTORUN.INF and a folder Recycled, then your system is infected.
  5. Try doing this to your USB drive and check if your USB stick contains the same folder and AUTORUN.INF, if it does then your system is really infected.

To remove it download and install a trial version of Trendmicro and scan your system.

To manually remove it (but i'm not recommending it especially if the infections of Bacalid is very high try using an anti-virus such as McAfee or TrendMicro's PCCillin) follow the following steps (This is the step I take when i repair my computer without an internet connection. Note you should understand what you're about to do, you try it at your own risk!)

  1. Boot your system in Safemode
  2. Go to command prompt, in Drive C do the following commands.
  3. Type -> ATTRIB -H -R -S AUTORUN.INF then press enter
  4. Type -> DEL AUTORUN.INF then press enter
  5. Type -> ATTRIB -H -R -S Recycled then press enter
  6. In Windows Explorer in Safemode, remove the folder Recycled in drive C use Shift-Delete to delete the folder.
  7. Repeat Step 3 to 6 for all drives of your system including the USB drive.
  8. Search for CTFMON.EXE in your system using the Search of Windows found in Start Menu. If you find a file that is not located in C:\WINDOWS\SYSTEM32, delete it immediately. Dont forget to empty the recycle bin afterwards (Usually the virus will copy itself in the Startup folder of the Startmenu. Check if the file is present there and delete it then.)

To disable autorun of drives (i.e. everytime you double-click a drive or cd or usb, it is auto open) follow the following step:

  1. Click Start->Run->type REGEDIT.EXE
  2. Go to this key from the register HKEY_CURRENT_USER\Software\ Microsoft\Windows\CurrentVersion\Policies\Explorer
  3. Look for the entry NoDriveTypeAutoRun, double click the entry
  4. Type a new value : 0FF (Hex) for the NoDriveTypeAutoRun, this will turn off the AutoRun for all drives, and press ENTER
  5. Reboot the system.

Good luck everyone!

 

Posted by bleuken at 6:54 pm | permalink

Previous Comments

hi, my problem is Deep Freeze 5 by Faronics. Somebody installed this in my computer. I tried uninstalling it but they ask for a password which I don’t know ’cause this was downloaded by another person. This has been making problems in my computer. When I turn-off the computer all my new downloads & saved pictures & documents are gone.
Can u help me? thank’s

Posted by joy at February 25, 2008, 9:03 pm

joy, before you can uninstall deep freeze, u need to thawed it or unfreeze it and it requires u to specify the password. I found this unfreezer (use for unfreezing deep freeze w/o password) but I never tried using this. it is found at http://usuarios.arnet.com.ar/fliamarconato/pages/edeepunfreezer.html then read the link from Faronics for uninstalling it:
http://www.faronics.com/faq/#1

Good luck joy, just leave ur comment here if this works!

Posted by bleuken at February 25, 2008, 9:19 pm

Search

Business Software

For online storing of receipts, organizing and managing your expenses, use an Expense Management Software with their system to help you quickly prepare your expense report, what you could ask for?

    

Blog Directories

Subscribe rss feed!

Blog Directory - photarium Software blogs Top Blogs Computers blogs Add to Technorati Favorites Free Blog Directory Blog Search, Blog DirectoryGoogle PageRank Checker - Page Rank Calculator Top BlogsBRDTracker Internet Blogs - Blog Top SitesBlog Directory & Search engine Technology & Computers - Top Blogs PhilippinesWebloogle Blog Directory Bloglisting.net - The internets fastest growing blog directory Blog Directory - Blogged blog search directory

website stats Web Design Blogs
Filipino web designer & programmer add page

Recent Viewers