Webtresting

The following things happened with my one bad morning.

A friend of mine asked me my USB /Pendrive, and used it in his laptop. When he returned it to me, I scanned the USB using my anti virus( NOD32). It detected a few torjans and deleted them. Ever since I installed NOD32 I never had any virus troubling me. So I was confident that I am safe. But just after I inserted the USB, ever time I opened any of the drives (C, D, E, F) from “my computer”, the drawer of the CD drive of my laptop opened automatically. I was so confident on NOD32 that I couldn’t believe that it allowed a virus file in.

I asked my friend and found that the same problem exists in his computer too. So this time my anti virus software let me down! I started googling to find out if there is any solution to this problem, but I couldn’t find any. I opened the task manager, and tried to find out if any unknown program is running on my laptop. I found that every time I click opened any of the drives, a program wscript.exe runs until the CD drive ejects.

But wscript.exe is windows program, and is not a virus in itself. So, actually, wscript.exe was being called and run by some thing else. What could be that?

There was one hint: the wscript.exe runs only when I open any of the drives. That means every time I open any of the drives some program runs automatically. I searched a bit in google and found that Windows searches for autorun.inf files, and if it exists in any folder, it executes it automatically. So I tried to find out if there are any hidden files by the name autorun.inf files in the root folder of the drives. I use AVAFind to search files in my computer. And lo behold.. my guess was correct. Each of the drives in my laptop had similar autorun.inf files. All of them were calling a file called ProtectFile.vbs

I tried to delete the files, but they didn’t get deleted. It said, the files are read only, and so can’t be deleted. Then I right clicked -> properties, un-checked “read only” and deleted the autorun.inf files one by one. But the files were getting recreated by the Protectfile.vbs. I tried to do delete the ProtectFile.vbs one by one, but they too were getting re-created. I couldn’t delete these files manually.But finally, after hours of struggling I was able to get rid of these files. How I did that, I have described it in my next post. Removing Protectfile.vbs

For reliable virus/spyware protection I recommend to use original antivirus. Don’t use keygen of cracks at least for antivirus, because those who develop these cracks develop them with the intention of spreading their own spywares and viruses. Here is a Special Internet Offer for ZoneAlarm, and for Norton AntiVirus 2009 with 2-yr Protection.