Thursday, September 02, 2010

Durai'sVirusProtection.vbe

I don't know whether it is a virus in the first place, but it was irritating to me. A file named "Durai'sAutoProtection.vbe" got copied to my pen drive every time I inserted it into my Windows box at the office. My GNU/Linux laptop at home is my antivirus for the pen drive. I kept removing the file from the pen drive and after a while got totally irritated and decided to fix it once and for all.

The first job is to track down the location of the VBScript file. A bit of googling revealed that it lives in the C:\Windows\system32 folder. To see the file, you will have to set the following in Folder Options:

* Mark "Show hidden files and folders"
* Unmark "Hide extensions for known file types"
* Unmark "Hide protected operating system files"

Now I could see the file "Durai'sVirusProtection.vbe" in the C:\WINDOWS\System32 directory. This is actually a VBScript file, and I tried reading the code. Since I don't know even a few words of VBScript, I could not make out much. But it claims to remove a few viruses, and it does a few undesirable things too:

1) Changes registry settings so that the Internet Explorer title bar reads "Durai".
2) Sets the default (start) page of IE to some site.
3) Copies itself onto any pen drive that is inserted.

Though the file can be located, it cannot simply be deleted: Windows says the file is in use. The process holding it is wscript.exe (the Windows Script Host). I could not find much more about it. Stop that process and then delete the file. Make sure the read-only flag on the file is cleared before trying to delete it.

Next, to fix the registry settings:

Open regedit, go to HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\ and delete the value named "Window Title". Also change the start page back to about:blank or whatever you want.

Also, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon the value "Userinit" will have been changed to execute the VBScript file at logon. Now that the file has been removed, this will produce an error every time we log on. It will be set to something like:

"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\Durai'sVirusProtection.vbe"

Change this back to just "C:\WINDOWS\system32\userinit.exe" (the stock value, which is what userinit.exe alone should be).
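As an added example (not part of the original post), the same cleanup done from an elevated PowerShell prompt: it flags anything in Userinit other than userinit.exe and restores the stock value, stops wscript.exe so the script file can be deleted, and undoes the IE title and start page changes. The value names Userinit, Window Title and Start Page are the real registry names; the script path and the stock Userinit string with its trailing comma are assumptions taken from the post.

```powershell
# Added example, not the original post's code. Run as Administrator.
# Assumption: stock Userinit is "<SystemRoot>\system32\userinit.exe," and the
# dropped script is the one named in the post.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$IeMainKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ScriptPath  = Join-Path $env:SystemRoot "system32\Durai'sVirusProtection.vbe"

# Return every comma-separated entry of a Userinit string that is not userinit.exe.
function Get-UserinitExtras([string]$UserinitValue) {
    $UserinitValue.Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' -and $_ -notmatch '^(?:.*\\)?userinit\.exe$' }
}

# 1. Logon persistence: anything beyond userinit.exe is suspicious here.
$userinit = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
$extras = @(Get-UserinitExtras $userinit)
if ($extras.Count -gt 0) {
    Write-Host "Userinit carries extra entries: $($extras -join ' | ')"
    Set-ItemProperty -Path $WinlogonKey -Name Userinit `
        -Value "$env:SystemRoot\system32\userinit.exe,"
}

# 2. The running script host keeps the .vbe open; stop it before deleting.
Get-Process -Name wscript -ErrorAction SilentlyContinue | Stop-Process -Force
if (Test-Path -LiteralPath $ScriptPath) {
    # Clear read-only/hidden/system attributes (the post notes read-only blocks deletion).
    (Get-Item -LiteralPath $ScriptPath -Force).Attributes = 'Normal'
    Remove-Item -LiteralPath $ScriptPath -Force
    Write-Host "Removed $ScriptPath"
}

# 3. IE branding: drop the custom title, reset the start page.
$ie = Get-ItemProperty -Path $IeMainKey
if ($ie.PSObject.Properties['Window Title']) {
    Remove-ItemProperty -Path $IeMainKey -Name 'Window Title'
}
if ($ie.'Start Page' -ne 'about:blank') {
    Set-ItemProperty -Path $IeMainKey -Name 'Start Page' -Value 'about:blank'
}
```

Re-run the Userinit check after a reboot; if extra entries reappear, another copy of the script (for example on a still-infected pen drive) is re-establishing itself.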

With this, the virus (or at least the unwanted script) is removed from the machine. At times harmless stuff like this is interesting to analyze and fix.
