删除jwgkvsq.vmx ,Autorun.vinf蠕虫病毒

移动硬盘根目录不知何时出现了一个总也删除不掉的Autorun.vinf文件，用HexEditor打开一看，二进制的，但从末尾的ASCII码，能够看到  jwgkvsq.vmx 字样。上网搜索一看，才知道这是个比较新的病毒。

实际上，如果此病毒还没有感染系统的话，可以进入安全模式，进行如下操作：

1、关闭系统欢迎；

2、关闭回收站功能；

3、将Administrators组添加到RECYCLER，System Volume Information等文件夹，如果添加不了，清除权限继承，并将系统管理员添加的所有者；

4、对autorun.vinf的安全选项卡中，加入管理员组；

5、删除RECYCLER，System Volume Information,删除autorun.vinf文件；

下面是网络搜索到一个比较全的去除这个病毒的指南：

How to remove the jwgkvsq.vmx worm virus

The jwgkvsq.vmx is a worm-type virus, which spreads via USB/portable drives and through the network. It also makes autorun.inf file on your USB device as well as a hidden system folder called RECYCLER which contains the jwgkvsq.vmx file. I’m not sure if this is an old virus, but it seems it’s been spreading a lot lately. And most anti-virus doesn’t detect this, but for those who does, it can’t remove it.

It is also known as:

• W32/Confi
• W32/Conficker.worm!inf
• Win32/Conficker.B - CA

It exploits Microsoft Windows vulnerability:
Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008

Symptoms:

• ‘Show hidden files and folders’ doesn’t work. You can check this by going to a folder, then click Tools, then Folder Options, then View tab. Select the ‘Show hidden files and folders’ then click Apply, then Ok. Open Folder Options again, if it reverted back to ‘Do not show hidden files and folders’ then you have this virus.
• Evey time you plug in a USB device on your computer, it creates an autorun.inf file, and a RECYCLER folder with the jwgkvsq.vmx virus file.
• You can’t access anti-virus websites an other popular websites like microsoft.com or yahoo.com
• Windows won’t boot into Safe Mode. This happens on extreme cases. When you try to boot into Safe Mode, your computer restarts/shuts down

Side-effects

• Since this is a worm, system slowdown may (or may not) happen.
• Quickly spreads through networked computers and USB devices. Which includes flash drives, portable external hard drives, mobile phones, mp3 players, and anything that can be plugged into a USB port.
• Won’t let you access some websites.

Now let’s go back to the topic. Remember that this guide will only help you remove the jwgkvsq.vmx virus.

Click through the link to continue…

Here is a quick step to remove this virus from your computer, and from your USB devices.

Preparation:

• Download FixDownadup.exe from Symantec.com
• Download anti-Downadup-EN.zip from BitDefender.com (just in case the first one doesn’t work).
• Download Process Explorer and AutoRuns from Sysinternals (we may or may not use this).
• Download MoSo Force Delete (just in case we need to delete something that can’t be deleted).

Now let’s start…

Removing the jwgkvsq.vmx virus from your computer

1. Disconnect your computer from the network, if it is connected. Removing the network cable from your PC should do the trick.
2. Just run the FixDownadup.exe we downloaded from Symantec. It should clean the virus of the PC. This works if the infection is in a low-level state. Meaning you have anti-virus software already running and the infection is isolated.
3. After scanning you should see a report popup, and an option to go to Microsoft website to patch your computer with a critical security update.
4. Restart your computer. When you’re back on the desktop, check your programs/softwares if it is still running.
5. Turn of System Restore to delete all entries, which sometimes contains remnants of the virus. To do this:
   1. Right-click My Computer, select Properties.
   2. Click System Restore tab.
   3. Check ‘Turn off System Restore on all drives’. Click Apply, then Ok.
   4. Restart your computer.
   5. Then, uncheck ‘Turn off System Restore on all drives’ to enable it again.

Removing the jwgkvsq.vmx virus from your USB device

1. First. Start your computer on Safe Mode
   1. Shut down your computer
   2. Turn it back on, before the Windows loading screen comes up, press F8. Or just press it repeatedly after starting your computer
   3. Select Safe Mode on the menu by pressing the arrow keys and hitting Enter.
2. Plug your USB device. Notice that the autorun.inf won’t run in safe mode.
3. Enable the ‘Show hidden files and folders’. Instructions are listed on the Symptoms section above.
4. Delete autorun.inf file. It is usually located on the root of the USB drive.
5. Delete the hidden/system folder RECYCLER.
   1. If you can’t delete it, you have to disable it’s function (for external/portable hard drives). Right-click on the Recycle Bin icon on your desktop, then select Properties. Select ‘Configure drives independently’. Then tab to the external drive, and check ‘Do not move files to the Recycle Bin.’ Hit Apply, then Ok’
   2. If it is a flash drive or other USB device, use MoSo Force Delete, we’ve downloaded earlier on this guide.

Just in case the virus registered itself on the registry. Open the Run dialog box from the start menu, then type regedit. Then search for the file name jwgkvsq.vmx. If you found an entry, just press DEL to delete it.

If your computer is in a network, better check all the other computers connected to it. Also download and install the automatic update (Microsoft vulnerability) which I’ve posted at the beginning of this post.

In extreme cases, your computer won’t initiate Safe Mode and after using the removal tool above, your system may report a missing .dll file or something.

Credits (and for reference refer) to these two sites:
http://tuxvoid.blogspot.com/
http://arpeex.blogspot.com/

For any additional support or inquiry regarding this problem, just leave a comment here, and I’ll reply as soon as I can.