How to Delete/Remove Surabaya virus/worm/Spyware from your Computer?

Many people are facing problems with the new USB worms coming up; one such worm is the Surabaya virus [as it calls itself by that name!].

Some info: Surabaya is the second largest city in Indonesia; the name and the language of its message suggest that the worm actually originated in Indonesia, written by some spammer. OK, enough about its history; let's get into the details of the worm's operation.

When the virus enters your system, the following message comes up:

Surabaya in my birthday
Don't kill me, i'm just send message from your computer
Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti
Maafkan jika kebahagiaan yang kuminta adalah teman sepanjang hidupku
Seharusnya aku mengerti bahwa keberadaanku bukanlah disisimu, hanyalah lamunan dalam sesal
Untuk kekasih yang tak kan pernah kumiliki 3r1k1m0

And it creates a lot of '.SCR' files and also changes the shell extensions (the right-click menu entries) for all drives (C, D, E, F, G, H, whatever you have).

So when you try to open any drive, or if you right-click on any drive, you'll be surprised to find "Test, Configure" instead of the standard "Open/Explore".

It also changes the registry so that all hidden folders stay hidden, and it disables 'FOLDER OPTIONS'.
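Before touching anything, it helps to see exactly which of these changes are present on a given machine. The following PowerShell script is an added example, not part of the original post: it reads the places the worm is described as changing and reports what it finds, without modifying anything. The Winlogon values are the ones step 3 below tells you to delete; the other locations (the drive context-menu keys under HKEY_CLASSES_ROOT\Drive\shell and the per-volume MountPoints2 keys, the Explorer Advanced\Folder\Hidden\SHOWALL value, and the NoFolderOptions policy) are assumptions about where Explorer stores these settings, not details from the post. Standard verbs such as "find" will appear in the listing too; the ones to look at are verbs like "Test" or "Configure" whose command points at a file in a drive root.

```powershell
# Added triage script (not from the original post). Read-only: it reports the
# indicators described above and changes nothing. Registry locations other than
# the Winlogon legal-notice values are assumptions about where Explorer keeps
# these settings. Works in Windows PowerShell 2.0 and later.

$findings = @()
function Add-Finding([string]$Where, [string]$What) {
    $script:findings += New-Object PSObject -Property @{ Where = $Where; What = $What }
}

# 1. Start-up message: the two Winlogon values the post tells you to delete.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
    $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($value) { Add-Finding $winlogon "$name = '$value'" }
}

# 2. Drive context menu: the default verb plus every verb's command, both in the
#    class-wide key and in the per-volume MountPoints2 keys (assumed locations).
$shellKeys = @('Registry::HKEY_CLASSES_ROOT\Drive\shell')
$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mountPoints) {
    Get-ChildItem $mountPoints -ErrorAction SilentlyContinue | ForEach-Object {
        $shell = "$($_.PSPath)\Shell"
        if (Test-Path $shell) { $shellKeys += $shell }
    }
}
foreach ($key in $shellKeys) {
    if (-not (Test-Path $key)) { continue }
    $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($default) { Add-Finding $key "default verb = '$default'" }
    Get-ChildItem $key -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd = (Get-ItemProperty -Path "$($_.PSPath)\command" -ErrorAction SilentlyContinue).'(default)'
        if ($cmd) { Add-Finding $_.PSPath "verb '$($_.PSChildName)' runs: $cmd" }
    }
}

# 3. Hidden-files setting and the Folder Options policy the worm disables.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hidden = (Get-ItemProperty -Path $advanced -Name Hidden -ErrorAction SilentlyContinue).Hidden
if ($hidden -ne 1) { Add-Finding "$advanced\Hidden" "value is '$hidden' (1 = show hidden files and folders)" }
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($checked -ne 1) { Add-Finding "$showAll\CheckedValue" "value is '$checked' (expected 1; otherwise the 'Show hidden files' choice does not stick)" }
foreach ($policy in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer') {
    $nfo = (Get-ItemProperty -Path $policy -Name NoFolderOptions -ErrorAction SilentlyContinue).NoFolderOptions
    if ($nfo) { Add-Finding "$policy\NoFolderOptions" "value is $nfo (Folder Options menu hidden)" }
}

# 4. autorun.inf and .SCR files sitting in the root of every drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    if (-not (Test-Path -LiteralPath $root)) { continue }   # e.g. a card reader with no media
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $item = Get-Item -LiteralPath $inf -Force
        $text = (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) -join ' | '
        Add-Finding $inf "attributes [$($item.Attributes)]; content: $text"
    }
    Get-ChildItem -LiteralPath $root -Filter *.scr -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { Add-Finding $_.FullName "screen-saver executable in drive root, $($_.Length) bytes" }
}

if ($findings.Count -eq 0) { 'No Surabaya indicators found.' }
else { $findings | Select-Object Where, What | Format-Table -AutoSize -Wrap }
```

Run it from a normal PowerShell prompt; nothing in it needs administrator rights, and nothing is deleted or changed, so it is safe to run before and again after the removal steps to confirm they took effect.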

Let's see how to remove the Surabaya virus

THE SOLUTION:

>>STEP1: Download the free ClamWin Anti Virus, install it, update it, then boot into Safe Mode [press F8 during start-up and select Safe Mode booting], disable any other antivirus software that you have, and perform a full scan:

Size: 5.5 MB

http://rapidshare.com/files/208762048/clamwin-0.88.5-setup.exe

This is a free antivirus which detects Surabaya. After the antivirus has deleted all the viruses, perform the steps below.

Note: You can proceed to the next step if you have already deleted the virus with any other antivirus. It is not that only ClamWin must be used.

>>STEP2: Delete the file 'Autorun.inf', which allows the malicious script to run automatically when you click/double-click on the drive.

If you are not able to delete it from Windows Explorer, then you can try using the 'DOS Command Prompt'. To enter it,

Go to Start Menu > click on RUN > type 'cmd', click 'OK'.

Now the command prompt will open up;

the default prompt will be 'C:\Documents and Settings\Administrator>'

You have to change it to 'C:\'; to do that type 'cd/' and it'll take you to 'C:\'.

Now type attrib -s -h -r autorun.inf [and hit 'Enter'. This clears the system, hidden and read-only attributes of the file so that we can delete it]

Now type 'del autorun.inf'

>>STEP3: This step is very important because you need to work with the 'Windows Registry'.

Ok let’s start it:

Method 1, by using the Command Prompt:

Open a command prompt. Copy and paste the commands given below into your command prompt (to paste in the command prompt, right-click in the black window and select Paste):

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /f

[Note: If an error shows like "Registry Editor has been disabled by your Administrator" then you need to enable it. Visit the link below: http://techrena.blogspot.com/2008/11/how-to-enable-registry-editor-regedit.html ]

Method 2, by using the visual Windows Registry Editor:

As in the first step, go to Start > click on RUN > type 'REGEDIT' and press 'OK'.

[Note: 'REGEDIT' is the Windows Registry Editor. If an error shows like "Registry Editor has been disabled by your Administrator" then you need to enable it. Visit the link below: http://techrena.blogspot.com/2008/11/how-to-enable-registry-editor-regedit.html ]


Then click on "HKEY_LOCAL_MACHINE" [click on the '+' sign].

Then find 'SOFTWARE' and again click on the '+' sign next to it.

[Screenshot: Registry Editor]

Next find 'Microsoft' under it and then 'Windows NT'.

Next 'CurrentVersion' and finally find 'Winlogon'.

The path you've followed is

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows NT > CurrentVersion > Winlogon

In the right pane (under Data), modify or delete "LegalNoticeCaption" & "LegalNoticeText".

[Screenshot: Winlogon]

This removes the message that comes up at start-up.

>>STEP4: Visit the link below and enable your Show Hidden Folders option:

http://techrena.blogspot.com/2008/11/how-to-show-hidden-files-and-folders-in.html

This will enable 'FOLDER OPTIONS' and will show hidden files/folders if checked.
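Steps 2, 3 and 4 can also be run together as one PowerShell script. The script below is an added example, not code from the post: it removes autorun.inf from the root of every drive that has one (not only C:), deletes the two Winlogon values behind the start-up message, and restores the hidden-files and Folder Options settings directly instead of through the linked page. It must be run from an elevated (Administrator) prompt because it writes to HKEY_LOCAL_MACHINE, and it belongs after the antivirus scan in step 1. The Explorer Advanced, SHOWALL and NoFolderOptions locations are assumptions about where those settings live, not details from the post.

```powershell
# Added remediation script (not from the original post). It carries out steps 2, 3
# and 4 in PowerShell: removes autorun.inf from the root of every drive, deletes the
# two Winlogon values behind the start-up message, and restores the hidden-files
# and Folder Options settings. Run it from an elevated prompt after the antivirus
# scan in step 1. The Explorer Advanced, SHOWALL and NoFolderOptions locations are
# assumptions, not details from the post.

function Remove-AutorunInf {
    # Step 2, for every drive rather than only C:. Clearing the attributes first is
    # what 'attrib -s -h -r autorun.inf' does; Remove-Item -Force then deletes it.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        try {
            (Get-Item -LiteralPath $inf -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $inf -Force -ErrorAction Stop
            "removed $inf"
        } catch {
            "could not remove ${inf}: $($_.Exception.Message)"
        }
    }
}

function Remove-LegalNotice {
    # Step 3, equivalent to the two 'reg delete ... /v ... /f' commands.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
        if (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $winlogon -Name $name
            "removed $winlogon\$name"
        }
    }
}

function Restore-FolderOptions {
    # Step 4. NoFolderOptions hides the Folder Options menu; Hidden/ShowSuperHidden
    # hold the user's 'Show hidden files' choice; SHOWALL\CheckedValue is what that
    # radio button writes, and malware commonly sets it to 0 so the choice never sticks.
    foreach ($policy in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer') {
        if (Get-ItemProperty -Path $policy -Name NoFolderOptions -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $policy -Name NoFolderOptions
            "removed $policy\NoFolderOptions"
        }
    }
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $advanced -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1 -Type DWord
    $showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    if (-not (Test-Path $showAll)) { New-Item -Path $showAll -Force | Out-Null }
    Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord
    "hidden-files settings restored; log off and on (or restart explorer.exe) for Explorer to pick them up"
}

Remove-AutorunInf
Remove-LegalNotice
Restore-FolderOptions
```

If the Winlogon values or autorun.inf reappear after this has run, the worm is still active and the scan from step 1 (and the start-up clean-up discussed in the comments) has to be repeated before the registry changes will hold.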

I hope this will clear your problem; if the problem still exists or you have any trouble while doing this, please post in the comments section below.

21 comments:

  1. Thank you very much!!!

    This post really helped me eliminate this annoying pop-up and it also solved the "hidden folder" thing. At first I was hesitant to try the suggestions because it deals with the registry of my system. Though, I took the risk just to eliminate the symptoms of the Surabaya virus....

    I'm very glad that it worked!!!

    I recommend this to everyone!!!
    IT'S WORTH IT!!!

  2. This comment has been removed by the author.

  3. hey... I performed all the steps mentioned... but the virus is still the same as it was; the entries "LegalNoticeCaption" & "LegalNoticeText" in regedit became the same every time I removed them... what to do now

  4. Pankaj, it's because the virus is running each time you start the computer itself, so first you have to remove it from the start-up items. To do this type "msconfig" in the Run command [Windows key+R], then remove the unwanted start-up items [or if you know the exact process name which is running as the virus, just uncheck it]. Now follow the above steps to remove the virus's registry entries... you are done... comment here if you still find it difficult..

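The start-up check described in the reply above can be done from PowerShell as well. The script below is an added example, not part of the post or the comment thread: it lists the autostart locations that msconfig's Startup tab covers (the Run/RunOnce keys under HKLM and HKCU, the per-user and all-users Startup folders, and the Winlogon Shell and Userinit values) and marks entries that load a DLL through rundll32 or run from a path outside the Windows and Program Files directories. That marking is a rough heuristic added here to make a listing like the one posted further down easier to read; it is not something the post describes, and a marked entry still has to be checked by hand before it is disabled.

```powershell
# Added example (not from the post or its comments): enumerate the autostart
# locations msconfig's Startup tab reads, so the entry that relaunches the worm
# can be identified by name before the registry clean-up is repeated.
# The 'Suspicious' column is a rough heuristic added here, not part of the post.

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, PSDrive, PSProvider
        $entries += New-Object PSObject -Property @{ Location = $key; Name = $prop.Name; Command = [string]$prop.Value }
    }
}

# Winlogon Shell and Userinit also run at logon. The defaults are 'explorer.exe'
# and '<system32>\userinit.exe,'; Userinit is comma-separated, so each part is listed.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$entries += New-Object PSObject -Property @{ Location = 'Winlogon'; Name = 'Shell'; Command = [string]$winlogon.Shell }
foreach ($part in ([string]$winlogon.Userinit).Split(',')) {
    if ($part.Trim()) {
        $entries += New-Object PSObject -Property @{ Location = 'Winlogon'; Name = 'Userinit'; Command = $part.Trim() }
    }
}

# Startup folders, resolved through Explorer's Shell Folders values so the paths
# are right on XP as well as on later versions.
$userStartup   = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').Startup
$commonStartup = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').'Common Startup'
foreach ($folder in $userStartup, $commonStartup) {
    if (-not $folder) { continue }
    Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $entries += New-Object PSObject -Property @{ Location = $folder; Name = $_.Name; Command = $_.FullName }
    }
}

# Heuristic: a DLL loaded through rundll32 (the 'winupi.dll,InitSys' pattern from
# the thread) or a full path that is not under Windows or Program Files.
$report = foreach ($e in $entries) {
    $cmd = $e.Command
    $suspicious = ($cmd -match '(?i)rundll32|\.dll,') -or
                  ($cmd -match '\\' -and $cmd -notmatch '(?i)\\windows\\|program files')
    $e | Add-Member -MemberType NoteProperty -Name Suspicious -Value $suspicious -PassThru
}
$report | Sort-Object Suspicious -Descending | Format-Table Suspicious, Location, Name, Command -AutoSize -Wrap
```

The script only reads; disabling an entry is still done in msconfig (or by deleting the value) once you have confirmed what the command actually launches.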
  5. igfxtray
    hkcmd
    igfxpers
    SOUNDMAN
    PDVDServ
    NeroCheck
    GrooveMonitor
    googletalk
    ClamTrav
    jusched
    winpatrol
    GoogleUpdate
    ctfmon
    NBJ
    msmsgs
    runlld
    desktop
    DriveGuard
    Adobe update
    Adobe Online
    winupi.dll,InitSys


    these are the startup processes running on my system... which one is to be disabled? On searching Google I found winupi.dll,InitSys is to be removed... & removal also worked for a while & that startup birthday msg was not there for a few restarts... but after some time winupi.dll,InitSys automatically got included into startup... & again the same problem..... now please suggest something effective...... also the system is not starting in safe mode either...

  6. Pankaj, have you removed the registry entries after removing the malicious startup items??
    You were telling me that the startup birthday message was not coming for a while and after that you again got the problem... from this I can understand that the virus is sitting somewhere in your hard disk. But the virus will be non-functional until you make it run. For example sometimes it'll run when you click a file which looks just like a folder but is actually a virus. Another chance may be that it may be running when you double-click the drives [like drive C] to open files. If you can figure out in which way it's running then we can remove it easily. I mean if you didn't understand what I told you, please leave a msg here...

  7. hey... what's this... today I realized that the registry values which you told me to delete or edit... are being reloaded with the same values just after I navigate away from that particular page of the registry editor... now what... the virus is still running even when there is no such process in startup.....

  8. See Pankaj, you repeat all the necessary steps to remove the virus as given. Remove from the start-up and all. And you have to remove all the autorun.inf files from your drives. For doing this you need to show hidden files (system files also) and don't double-click any of the drives. If you double-click them you will run the virus; that's what the autorun is for. Just explore the drives and delete them. See if it comes. OK.

  9. Hi,

    I followed the steps exactly as instructed here but the virus still won't go away. Also, doing this "attrib autorun.inf -s -h -r" doesn't change the attributes of the files; it only says "no access for C:\ System Volume Information". I also deleted "LegalNoticeCaption" & "LegalNoticeText" but it keeps coming back after being deleted. Are there other ways to remove the virus?

    Thanks,
    Jane

  10. @Jane Nicole
    The registry comes back because the virus is still running in your computer. Surabaya virus appears to spread around using a deceiving filename
    Google Earth.scr
    Aliases:
    W32/Drowor.worm,
    TR/VB.aei
    Virus.Win32.Drowor.b
    W32/Drowor
    Win32.Drowor.A
    Worm.VB-117
    Worm/VB.6.A

    Download free ClamWin Antivirus, install, update then boot into safe
    mode, disable any other antivirus software that you have, and perform
    a full scan:
    http://www.download.com/ClamWin-Antivirus/3000-2239_4-10369483.html?tag=mncol&cdlPid=10514511

    This is a small freeware which detects Surabaya.
    After deleting all the viruses by the antivirus repeat the steps again.
    To delete autorun.inf in any drive use command prompt and type:
    cd/

    attrib -h -s -r autorun.inf

    del autorun.inf

    It looks like this:
    C:\Users\DENNIS>cd/

    C:\>attrib -h -s -r autorun.inf

    C:\>del autorun.inf

  11. Hi!

    I did exactly as you said and the virus was removed!

    Thanks! :)

  12. I used this method and it worked. I thank you for this.

    I have removed the virus and changed the registry so that I can once again see hidden files.

    However, folders that were not hidden prior to me getting the virus are now hidden. This is not a big deal but all the regular folders that I had (i.e. Program Files, WINDOWS) are now "faded" and appear as hidden folders. How do I remedy this?

    Secondly, how do I remove the virus from external devices (the method I was first infected)? Can I simply run the anti-virus? Is there another autorun.inf file to delete?

  13. I am not able to boot in both safe & normal mode. Then how can we delete/remove the Surabaya virus?
    ravinder agarwal

  14. I am not able to open the cmd prompt. It shows an "Open with" dialogue. Now how to remove this?

  15. I don't understand the 2nd step, the part concerning the -s -h -r autorun.inf
    I keep typing it and they keep telling me that it ain't a cmd
    please can anybody help me with that

  16. Some computers that are infected with this virus are not able to go to safe mode. I had the same issue before and what I did is remove the infected hard disk and scan it with a computer that has an updated antivirus, ClamWin and Smart Virus Remover for the autorun.inf. If all of this is done then you may be able to save the infected hard disk.

  17. The solution worked. It was nice to solve the problem on your own.

  18. Thank you ... your help is really appreciated!!

  19. Thank you accompany me even just a moment, but for me is very meaningful
    Sorry if I requested happiness is her all of my life
    I understand that this should not keberadaanku disisimu, just daydreaming in regret
    For the lover who will ever had

    It's too late for me. But you can still run