I visited my friend's place yesterday to copy some movies onto my Portable HDD. I found that he had McAfee Antivirus installed & so went ahead & plugged in my Portable HDD. Suddenly I realised that I had not checked whether his Antivirus definitions were up to date, & found out that they were outdated.
I thus installed Avast's Free Antivirus for Home Users. Within minutes it detected a suspicious file, ph.exe, in the Operating System's memory & suggested a Boot Scan of the OS. Surprisingly, the Boot Scan did not trace any sort of infection. It still felt like something was wrong, as the PC would not allow me to update my Avast virus definitions.
I then returned home & plugged the Portable HDD into my Laptop. It immediately showed me options to "Run program", "Open Files", etc. Though I skipped this screen, I accidentally double clicked the HDD Drive Letter, which triggered the Trojan (as I realised later). I did not know which Trojan or Virus I had been infected with, but I definitely knew that a suspicious file, PH.EXE, was behind this entire problem.
I searched the net & ran FixAprop.exe from Symantec's site, which was supposed to fix the PH.EXE infection. I also found out that I could not enable the "Show hidden Files and Folders" option in Windows Explorer. I thus started accessing the C Drive of my Laptop from my Home PC through the C$ administrative share. From my Home PC I could see that every time I deleted ph.exe from my Laptop, the file would get recreated within seconds. After lots of research & tweaking I found out the following -
- The entire Trojan kit consists of 3 files - autorun.inf, ph.exe & herss.exe.
- The infection spreads through USB drives. As soon as somebody inserts a USB drive into an infected PC, the Trojan copies ph.exe & an autorun.inf (pointing to ph.exe) onto the root directory of the USB drive.
- The infection spreads from the USB drive to another PC when the user plugs in the USB drive & selects "Run program from disk" or double clicks the USB drive letter, which runs ph.exe via autorun.inf.
- If you feel your USB drive is infected with this Trojan, don't panic. Plug it into another PC, go to Windows Explorer, right click (not double click) on the USB drive letter & click "Explore". Now enable "Show Hidden Files and Folders" & delete the files ph.exe & autorun.inf from the root directory of the USB drive.
- If you feel that your PC has been infected, execute msconfig from Start -> Run, go to the Startup tab & look for a startup entry pointing to "C:\Documents and Settings\\Local Settings\Temp\herss.exe". Once the entry is found, uncheck it, save the changes & reboot the PC. The Trojan is now unloaded from your OS memory.
- Now remove the final traces of the Trojan by manually deleting ph.exe, autorun.inf & herss.exe from the directories mentioned above.
- If you are unable to enable "Show Hidden Files and Folders", enable it by following one of the methods listed on the Technize website. I used Method 3 & it worked fine for me.
- Check that your Antivirus software is up to date.
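The autorun.inf check above can be done without double clicking the drive. The following Python script is an added example (not a tool from this post): it parses an autorun.inf for the executables Windows would launch from it and lists any of the dropper filenames from this post that sit in a drive root. The sample autorun.inf and the drive contents in `demo()` are constructed for the demo; only the filenames ph.exe and herss.exe come from the post.

```python
"""Inspect a removable-drive root for an autorun.inf launcher and known dropper files."""
import configparser
import tempfile
from pathlib import Path

# Dropper filenames named in the post. The autorun.inf text is a constructed sample.
DROPPER_NAMES = {"ph.exe", "herss.exe"}
SAMPLE_AUTORUN = """[AutoRun]
; constructed sample in the shape the post describes: autorun.inf pointing at ph.exe
open=ph.exe
shell\\open\\Command="ph.exe" /q
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

def _first_token(value: str) -> str:
    """'"ph.exe" /q' -> 'ph.exe'; 'ph.exe /q' -> 'ph.exe'."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)]
    return value.split()[0] if value else ""

def autorun_targets(inf_text: str) -> list[str]:
    """Executables an autorun.inf would launch: open=, shellexecute=, shell\\<verb>\\command=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str.lower  # INI keys are case-insensitive
    cp.read_string(inf_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp[section].items():
            if value is None:
                continue
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(_first_token(value).lower())
    return sorted(set(targets))

def scan_drive_root(root: Path) -> dict:
    """Report autorun launch targets, known dropper files, and launch targets actually present."""
    report = {"autorun_targets": [], "dropper_files": [], "launch_target_present": []}
    inf = root / "autorun.inf"
    if inf.is_file():
        report["autorun_targets"] = autorun_targets(inf.read_text(errors="replace"))
    names = {p.name.lower() for p in root.iterdir() if p.is_file()}
    report["dropper_files"] = sorted(names & DROPPER_NAMES)
    report["launch_target_present"] = [t for t in report["autorun_targets"] if t in names]
    return report

def demo() -> dict:
    """Build a constructed, infected-looking drive root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
        (root / "ph.exe").write_bytes(b"placeholder, not a real binary")
        (root / "holiday.mp4").write_bytes(b"")
        return scan_drive_root(root)
```

Run it against a real drive with `scan_drive_root(Path("E:/"))` after opening the drive via right click and "Explore", never by double clicking.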
It is my earnest request to all readers to be a little more careful about Viruses & Trojans in today's world of Piracy, Information theft, etc. Please don't be ignorant or casual about keeping your data safe & secure. Keep a constant vigil for any suspicious activity on your PC. If you are not knowledgeable enough, ask someone rather than ignoring things. Have FREE Antivirus & Firewall applications like Avast & ZoneAlarm installed on your home PCs. Remember, in today's connected world the Internet is the main medium through which infections spread. Keep your computer safe from prying eyes. Even if you are not associated with IT, enrol yourself in a basic Computer course & learn some important things.
I hope this post would be of some help to infected users. Do write to me on any Data Security or Data Protection questions that might arise in your mind.
Remember - Prevention is better than cure
Happy Computing!!!