Wednesday, October 7, 2009

More on the recycle bin virus

Referring back to my article: http://screamatthepc.info/2008/08/taming-recycle-bin-virus.html

I have noticed that I never really explained how to get rid of this virus. The quickest way is to remove it from the disk while booted into another operating system, Linux, or to follow the removal instructions at http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AUTORUN.CG&VSect=Sn

OK, I am guessing that one was not quite clear. If you want a sure-fire way: boot your machine from a Linux live CD. Ubuntu is a clear favourite; you can get the disc fairly cheaply from http://www.fosscds.co.za/product_info.php?products_id=589 or, if you have the bandwidth, download it from http://ultimateedition.info/Ultimate%20Edition/ubuntu/

This virus spreads itself using your USB stick and your local hard drive. It has the uncanny ability to fill a USB stick with whatever is in your recycle bin and then hide all the files using the Windows DLL files and the memory-resident explorer.exe. Most antivirus products will detect it, as I showed in my previous article, but they are unable to get rid of the virus.

Print this out and take it to a trained technician, unless you are comfortable with taking out your hard drive and putting it in a machine that has Linux installed.

To the technician: Gather all hard drives and memory sticks suspected of having the virus and connect them to a machine that has Linux installed or that you can boot from an Ubuntu Live CD. Important: do not boot into Windows, as you will then infect the host machine and will have to clean that too. Once booted into Linux, locate the connected Windows drives; on Ubuntu these are usually displayed on the desktop, on other distributions they will be found under /mnt/windows or /mnt/media. Go to the root of each of these drives and delete the following: autorun.inf, recycler, and any .bat or .cmd files present, except for autoexec.bat, which is a legacy Windows file. Also delete ".recycler" and any folder whose name contains recycler.
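As an added example (not code from the original post or from any tool it mentions), here is a Python dry run of the procedure above: it audits the root of a mounted volume for the items the technician is told to delete, shows which executable an autorun.inf would launch, and deletes nothing. The sample volume it builds in a temporary directory is constructed for illustration; point audit_volume_root at a real mount point such as /mnt/windows to use it on the cleanup machine.

```python
import tempfile
from pathlib import Path

# autoexec.bat is a legitimate legacy file; every other .bat/.cmd in the
# volume root is reported, together with autorun.inf and recycler folders.
LEGACY_KEEP = {"autoexec.bat"}


def autorun_launch_targets(inf_path):
    """Return the launch keys in an autorun.inf (open=, shellexecute=, shell\\...\\command=)."""
    targets = {}
    for raw in inf_path.read_text(errors="replace").splitlines():
        key, sep, value = raw.partition("=")
        key = key.strip().lower()
        if sep and (key in ("open", "shellexecute") or key.endswith("\\command")):
            targets[key] = value.strip()
    return targets


def audit_volume_root(root):
    """Dry run: list (kind, name, detail) for items the procedure would delete."""
    findings = []
    for entry in Path(root).iterdir():
        name = entry.name.lower()
        if entry.is_file() and name == "autorun.inf":
            findings.append(("autorun.inf", entry.name, autorun_launch_targets(entry)))
        elif entry.is_dir() and "recycler" in name:
            findings.append(("recycler-folder", entry.name, None))
        elif entry.is_file() and name.endswith((".bat", ".cmd")) and name not in LEGACY_KEEP:
            findings.append(("script", entry.name, None))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def build_sample_volume():
    """Constructed stand-in for a mounted Windows volume root (not real worm data)."""
    root = Path(tempfile.mkdtemp(prefix="vol_"))
    (root / "autorun.inf").write_text("[autorun]\nopen=RECYCLER\\update.exe\nshellexecute=RECYCLER\\update.exe\n")
    (root / "RECYCLER").mkdir()
    (root / "AUTOEXEC.BAT").write_text("@echo off\n")   # legacy file, must be kept
    (root / "setup.cmd").write_text("@echo off\n")      # unexpected script, reported
    (root / "holiday.txt").write_text("keep me\n")      # ordinary user data, ignored
    return root


if __name__ == "__main__":
    for kind, name, detail in audit_volume_root(build_sample_volume()):
        print(f"{kind:16} {name:14} {detail or ''}")
```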

The autorun.inf and cmd files are what make this virus work. When you boot back into Windows with those files removed, you may get a few error messages; to get rid of them:

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Active Setup>Installed Components
  3. In the left panel, locate and delete the key:
    {08B0E5C0-4FCB-11CF-AAX5-90401C608512}
  4. Close Registry Editor.
If you are still getting the error, go back to Registry Editor and navigate to HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run

Delete any entries you do not recognise (it would be wise to Google each one first to make sure). Most of the entries here correspond to the icons in your system tray next to the clock. These programs stay resident in memory so that they open quickly when you access them, for example the graphics tray, igfxtray, and the Windows hot-key handler, hkcmd.


Stopping Autorun Viruses

DISABLE AUTORUN. This will stop a lot of viruses from spreading from one drive to another. You can do this by opening regedit.exe and modifying the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

There should be an entry with the name NoDriveTypeAutorun. Set it to 0x95 to disable autorun on everything but CD drives, or 0xB5 (the letter 'B', not the number '8') to disable it on all drives.
