Hello and first, thank you very much for making our beloved and favorite apps portable. I enjoy a lot carrying them and work on the go.
Right now, the only issue that have is the next. I'm a college student and as such many times I have to work on the public computers. Obviously infections are easily spread, shame to accept, by USB drives.
I have no problem making at home as I always assume that my device is infected so most of the time I catch the sneak and null it. In fact, this isn't the problem I'm reporting. (ClamWin makes wonders usually)
The problem is that this particular virus overwrites the portable app launcher, rendering it as a virus launcher instead (ironic). I don't think it's the malicious author's intention; you can easily see how the launcher was overwritten as the icon changes to that of a folder (so the unsuspecting user "opens" it and in the process loads the virus).
I've found that it work in a really simple way. It creates an .exe of the same name as the folder it contains. So, let's say, I have "H:\Folder" the virus creates "H:\Folder\Folder.exe"; "H:\ClamWinPortable\ClamWinPortable.exe" is overwritten for a virus in this case. Okay, I can install my app in a folder whose name doesn't match, but the problem is that it does that too to the subfolders. "H:\FirefoxPortable\App\firefox\firefox.exe" turns into a virus in this case!
Is it possible to avoid this trouble, like by using custom folder names? I hate so much to clean and then reinstall my programs, it steals valuable time from me whenever it happens.
Thanks in advance.
Visit the Community page
Join our forums
Subscribe to our email newsletter
Subscribe with RSS
Follow us on BlueSky
Follow us on Facebook
Follow us on LinkedIn
Follow us on Mastodon
Follow us on Twitter
Hi Rodrigo!
There is a solution, and it is very simple. If you got to
[Portable App]/Other/Sourceyou'll see a[App Name]Portable.iniwith the app's name instead of it.Copy that file to the top of the install (where is the [App Name]Portable.exe) and open it with a text editor.
Search for the entry:
For example, on Firefox it would be:
This points to the file you want to launch portably. So rename the file to another name so the virus doesn't screw you, and modify the entry to point to it instead. So the launcher will launch it.
Hope to have helped!
This will save me from a lot of headaches
I have suffered from the same trojan. It copies to C:\ a file autorun.ini where it resides. It writes to the windows registry, it copies to the root directory a file with the name "c.com", "e.com", etc. And it hides inside c:\windows\system32\ as a dll. Some renames as advk0.dll or copies the names of others dll's and adds a number. To desinfect completely, you will need to open a comand windows and using 'attrib *.*' discover which are hidden with attributs R (read), S (sistem) and H (hidden) and remove it and after that, delete the file. Those files are autorun.ini, the *.com and the *.dll with the before mentioned names. Locate it and delete it. Later, check the registry with regedit and search the *.com and delete those keys. After, pass your anti virus. I recommend the portable anti virus. Restart your machine and make another pass of the anti virus.
Those are the steps I was forced to take to get rid of this beast.
A warning: This trojan damage the folder structure and also damage the software. If the changes are extensive, probably is better to reinstall everithing. Also, be careful to not delete ntdetect.com, which is required to the machinte to gain access to your hard disk.
Hope this help
Denis J Navas