Removing the BV:AutoRun-G[Wrm] Virus

20 April 2009
I am in a hostel in Costa Rica and on all the PCs here the BV:AutoRun-G[Wrm] virus pops up whenever people use their thumbdrives.

You can delete the autorun.inf file in the root of the drive but it keeps coming back.

avast Antivirus keeps popping up alerts, but a full scan doesn't find any problems.

I searched a little bit but couldn't find a proper solution; formatting the drive didn't help people, and the Flash Disinfector tool doesn't seem to work either.

I am not an administrator on the machines here, so my tool usage is limited. I cannot use Process Monitor (procmon.exe) to find out who is writing the files back after they have been deleted.

Nevertheless, two other Sysinternals tools came to the rescue.

Steps to remove the bugger:
  1. Download 'procexp.exe' (Process Explorer) and 'Autoruns.exe' from http://live.sysinternals.com
  2. Open the autorun.inf file in a text editor and find out which executable it is starting.
  3. Start procexp.exe and under the 'Find' menu open 'Find handle or DLL'. In the 'Handle or DLL substring' box put the name of the executable found in step 2. Most likely you will find it in the explorer.exe process; in my case the virus had attached itself to the Windows Explorer process.
  4. Still in procexp.exe, find explorer.exe in the process list and kill it. Now the virus is no longer active on your system.
  5. Delete autorun.inf on your thumbdrive and also all content of the Recycler (recycle bin) folder, both on the removable drive and on the local drives.
  6. Open Autoruns.exe and click the Logon tab. Under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run section there may be an entry that points to an executable in the recycle bin. You should have deleted this file in step 5, but also delete the entry here.
  7. You're done. Copy 'procexp.exe' and 'Autoruns.exe' to your thumbdrive so you have them handy the next time you run into a similar problem.

Update: It looks like the virus always uses explorer.exe, so you can just kill it with Task Manager and then use msconfig.exe, or even regedit.exe, to remove the Run entry. So you don't need any external programs; I still recommend the Sysinternals tools though.
This shows that you often don't need any dubious third-party removal tools to get rid of a virus.
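As an added example (mine, not code from the original post), here are the two lookups the steps above do by hand, written as a small Python script: reading the launch target out of autorun.inf (step 2, so you know which name to type into Process Explorer's 'Find handle or DLL' box) and spotting a Run value that points into the Recycler folder (step 6, and the msconfig/regedit route in the update). The autorun.inf text, the SID-style folder name, the file names and the Run values are constructed placeholders, not indicators from a real infection. It goes slightly beyond the post in that it also recognises the $Recycle.Bin folder name that Windows Vista and later use instead of RECYCLER.

```python
import configparser
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample autorun.inf in the shape the post describes: the [autorun]
# section points "open" and the shell verbs at an executable hidden under the
# drive's RECYCLER folder. The SID-style folder and placeholder.exe are invented.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; constructed sample, not from a real drive
open=RECYCLER\S-1-5-21-0-0-0-1000\placeholder.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command=RECYCLER\S-1-5-21-0-0-0-1000\placeholder.exe
shell\explore\command=RECYCLER\S-1-5-21-0-0-0-1000\placeholder.exe
"""

# Constructed sample of HKCU\...\Run values as Autoruns' Logon tab would list
# them: one ordinary entry and one whose target sits in the local RECYCLER folder.
SAMPLE_RUN_ENTRIES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "svchost": r"C:\RECYCLER\S-1-5-21-0-0-0-1000\placeholder.exe",
}

# Keys in [autorun] that cause something to run: open, shellexecute and the
# per-verb shell\<verb>\command entries (keys are compared lower-cased).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)
# A path component named RECYCLER (XP) or $Recycle.Bin (Vista and later).
RECYCLER_DIR = re.compile(r"(^|[\\/])(recycler|\$recycle\.bin)([\\/]|$)", re.IGNORECASE)


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section with lower-cased keys.

    Interpolation is off because values such as %SystemRoot% are literal here,
    and strict=False tolerates the duplicate keys some autorun.inf files carry.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in parser.items(section)}
    return {}


def launch_targets(inf_text: str) -> List[Tuple[str, str]]:
    """(key, command) pairs that would start a program: what step 2 reads by hand."""
    return [(k, v) for k, v in parse_autorun_inf(inf_text).items() if LAUNCH_KEY.match(k)]


def executable_name(command: str) -> str:
    """Base name of the program in a command line (handles a quoted path with
    spaces), i.e. the substring to search for in Process Explorer."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]
    else:
        program = command.split(" ", 1)[0]
    return ntpath.basename(program)


def points_into_recycler(path: str) -> bool:
    """True if the path has a recycle-bin directory component, the pattern step 6
    describes for the Run entry."""
    return RECYCLER_DIR.search(path) is not None


def suspicious_run_entries(entries: Dict[str, str]) -> List[str]:
    """Names of Run values whose target lives under a recycle-bin folder."""
    return [name for name, cmd in entries.items() if points_into_recycler(cmd)]


if __name__ == "__main__":
    for key, cmd in launch_targets(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf {key} -> {cmd}  (search Process Explorer for {executable_name(cmd)!r})")
    for name in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"Run entry {name!r} points into a recycle-bin folder: {SAMPLE_RUN_ENTRIES[name]}")
```

On a real machine you would feed `parse_autorun_inf` the contents of the drive's autorun.inf and `suspicious_run_entries` the values listed by Autoruns or `reg query`; the script only reports, the deleting and process killing stay manual as in the steps above.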

For more information about removing viruses, please check my article Manually finding and removing malware.
