Removing the jwgkvsq.vmx / Autorun.vinf worm

Overview:

At some point an Autorun.vinf file that could never be deleted appeared in the root directory of my portable hard drive. Opening it in HexEditor showed binary content, but the ASCII at the end of the file clearly contained the string jwgkvsq.vmx. A web search showed that this is a fairly new virus.

 

In fact, if the worm has not yet infected the system, you can boot into Safe Mode and do the following:

1. Turn off the Welcome screen;

2. Turn off the Recycle Bin;

3. Add the Administrators group to the RECYCLER and System Volume Information folders; if it cannot be added, clear permission inheritance and set the system administrator as the owner;


4. On the Security tab of autorun.vinf, add the Administrators group;

5. Delete RECYCLER and System Volume Information, then delete the autorun.vinf file;
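Before changing permissions and deleting anything, it is worth confirming that the drive really shows the indicators described above. The following is an added example (my own code, not from the original post) that scans a drive root for an Autorun.inf/Autorun.vinf file whose bytes mention jwgkvsq.vmx and for a RECYCLER folder holding that file; the sample drive layout it builds in a temporary directory is constructed for demonstration only.

```python
import os
import tempfile

# Indicators described in the post: an autorun file in the drive root whose
# bytes reference jwgkvsq.vmx, and a RECYCLER folder holding that file.
AUTORUN_NAMES = {"autorun.inf", "autorun.vinf"}
WORM_FILE = "jwgkvsq.vmx"
RECYCLER_DIR = "recycler"


def scan_drive_root(root):
    """Return a list of human-readable findings for one drive root (empty if clean)."""
    findings = []
    try:
        entries = os.listdir(root)
    except OSError as exc:
        return [f"cannot list {root}: {exc}"]
    for name in entries:
        path = os.path.join(root, name)
        lower = name.lower()
        if lower in AUTORUN_NAMES and os.path.isfile(path):
            with open(path, "rb") as fh:
                head = fh.read(65536)  # the autorun file is small; read it as raw bytes
            if WORM_FILE.encode() in head.lower():
                findings.append(f"{name} references {WORM_FILE}")
            else:
                findings.append(f"{name} present in root (inspect manually)")
        elif lower == RECYCLER_DIR and os.path.isdir(path):
            # The worm file sits inside a SID-named subfolder; walk the whole tree.
            for dirpath, _dirs, files in os.walk(path):
                for fname in files:
                    if fname.lower() == WORM_FILE:
                        findings.append(os.path.relpath(os.path.join(dirpath, fname), root))
    return findings


def build_sample_drive(infected=True):
    """Create a constructed sample drive layout in a temp dir (not a real capture)."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    if infected:
        # Binary-looking autorun file whose ASCII tail names the worm, as the post describes.
        with open(os.path.join(root, "Autorun.vinf"), "wb") as fh:
            fh.write(b"\x00\xff\x10 junk bytes ... RECYCLER\\S-1-5-21-EXAMPLE\\jwgkvsq.vmx")
        sub = os.path.join(root, "RECYCLER", "S-1-5-21-EXAMPLE")  # placeholder SID
        os.makedirs(sub)
        with open(os.path.join(sub, "jwgkvsq.vmx"), "wb") as fh:
            fh.write(b"placeholder, not worm content")
    return root
```

Run `scan_drive_root("E:\\")` (or the mount point of the removable drive) to list what it finds; an empty list means none of the described indicators are present.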

 

Below is a fairly complete guide to removing this virus that I found online:

How to remove the jwgkvsq.vmx worm virus

Posted by: Ryman in Security

The jwgkvsq.vmx is a worm-type virus, which spreads via USB/portable drives and through the network. It also makes an autorun.inf file on your USB device as well as a hidden system folder called RECYCLER which contains the jwgkvsq.vmx file. I’m not sure if this is an old virus, but it seems it’s been spreading a lot lately. And most anti-virus programs don’t detect this, but for those that do, they can’t remove it.

It is also known as:

  • W32/Confi
  • W32/Conficker.worm!inf
  • Win32/Conficker.B - CA

It exploits the following Microsoft Windows vulnerability:
Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008

Symptoms:

  • ‘Show hidden files and folders’ doesn’t work. You can check this by going to a folder, then click Tools, then Folder Options, then View tab. Select the ‘Show hidden files and folders’ then click Apply, then Ok. Open Folder Options again, if it reverted back to ‘Do not show hidden files and folders’ then you have this virus.
  • Every time you plug in a USB device on your computer, it creates an autorun.inf file, and a RECYCLER folder with the jwgkvsq.vmx virus file.
  • You can’t access anti-virus websites and other popular websites like microsoft.com or yahoo.com.
  • Windows won’t boot into Safe Mode. This happens in extreme cases. When you try to boot into Safe Mode, your computer restarts/shuts down.

Side-effects

  • Since this is a worm, system slowdown may (or may not) happen.
  • Quickly spreads through networked computers and USB devices, which includes flash drives, portable external hard drives, mobile phones, mp3 players, and anything that can be plugged into a USB port.
  • Won’t let you access some websites.

Now let’s go back to the topic. Remember that this guide will only help you remove the jwgkvsq.vmx virus.


Here are the quick steps to remove this virus from your computer, and from your USB devices.

Preparation:

  • Download FixDownadup.exe from Symantec.com
  • Download anti-Downadup-EN.zip from BitDefender.com (just in case the first one doesn’t work).
  • Download Process Explorer and AutoRuns from Sysinternals (we may or may not use this).
  • Download MoSo Force Delete (just in case we need to delete something that can’t be deleted).

Now let’s start…

Removing the jwgkvsq.vmx virus from your computer

  1. Disconnect your computer from the network, if it is connected. Removing the network cable from your PC should do the trick.
  2. Just run the FixDownadup.exe we downloaded from Symantec. It should clean the virus off the PC. This works if the infection is in a low-level state, meaning you have anti-virus software already running and the infection is isolated.
  3. After scanning you should see a report popup, and an option to go to the Microsoft website to patch your computer with a critical security update.
  4. Restart your computer. When you’re back on the desktop, check whether your programs/software are still running.
  5. Turn off System Restore to delete all entries, which sometimes contain remnants of the virus. To do this:
    1. Right-click My Computer, select Properties.
    2. Click System Restore tab.
    3. Check ‘Turn off System Restore on all drives’. Click Apply, then Ok.
    4. Restart your computer.
    5. Then, uncheck ‘Turn off System Restore on all drives’ to enable it again.

Removing the jwgkvsq.vmx virus from your USB device

  1. First, start your computer in Safe Mode
    1. Shut down your computer
    2. Turn it back on, and before the Windows loading screen comes up, press F8. Or just press it repeatedly after starting your computer
    3. Select Safe Mode on the menu by pressing the arrow keys and hitting Enter.
  2. Plug in your USB device. Notice that the autorun.inf won’t run in safe mode.
  3. Enable ‘Show hidden files and folders’. Instructions are listed in the Symptoms section above.
  4. Delete the autorun.inf file. It is usually located in the root of the USB drive.
  5. Delete the hidden/system folder RECYCLER.
    1. If you can’t delete it, you have to disable its function (for external/portable hard drives). Right-click on the Recycle Bin icon on your desktop, then select Properties. Select ‘Configure drives independently’. Then tab to the external drive, and check ‘Do not move files to the Recycle Bin’. Hit Apply, then Ok.
    2. If it is a flash drive or other USB device, use MoSo Force Delete, which we downloaded earlier in this guide.

Just in case the virus registered itself in the registry: open the Run dialog box from the Start menu, then type regedit. Then search for the file name jwgkvsq.vmx. If you find an entry, just press DEL to delete it.

If your computer is on a network, it’s better to check all the other computers connected to it. Also download and install the automatic update (Microsoft vulnerability) which I’ve posted at the beginning of this post.

In extreme cases, your computer won’t initiate Safe Mode and after using the removal tool above, your system may report a missing .dll file or something.

Credits to (and for reference, refer to) these two sites:
http://tuxvoid.blogspot.com/
http://arpeex.blogspot.com/

For any additional support or inquiry regarding this problem, just leave a comment here, and I’ll reply as soon as I can.

This article was reposted from 斯克迪亚’s blog on cnblogs; original link: http://www.cnblogs.com/sgsoft/archive/2009/03/24/1420977.html. To repost it, please contact the original author.


