BV:autorun-G [wrm] hiding somewhere!

OK - I cannot get rid of BV:autorun-G [wrm] - and it’s annoying me.

Here’s my setup:

I have an XP laptop connected to my home network - elsewhere on that network there is an Ubuntu (Linux) server hosting a USB-connected mass storage drive. The drive is shared over the network and seen on my laptop as S:\

I have already done several sweeps of my laptop with AVAST and removed a few bits-and-pieces - however, when I reboot my laptop, I am unable to access the task manager and edit the registry.

If I browse to S:\ AVAST warns me that the autorun.inf is infected with samples of BV:autorun-G [wrm].

I cannot delete, remove or quarantine the files - but I can remove them directly from the Linux server by removing the autorun.inf and removing the directory RECYCLER.

I can also re-enable the registry by entering the following commands in a command window:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

I can also stop the virus reinfecting the drives by creating a directory on the root of the drive called “autorun.inf”. However the virus is obviously still running on my system somewhere, and I cannot detect nor remove it.

Every time I restart my laptop, I am unable to access the task manager or regedit, and I cannot take a risk and insert another USB drive as I know that it will immediately infect that as well.

Does anyone have any ideas on how to eliminate this for good?
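An added example, not part of the original post: a Python check that could be run on the Linux server against the root of the shared drive to report whether autorun.inf is absent, a real file, or the guard directory described above, and which launch commands a real file contains. Flagging commands that reference RECYCLER is an assumed heuristic based on the directory named in the post; the sample file content and the name `sample.exe` are constructed.

```python
import os
import tempfile

COMMAND_KEYS = ("open", "shellexecute")

def find_ci(root, name):
    """Case-insensitive lookup of a root entry (Linux mounts are case-sensitive)."""
    for entry in os.listdir(root):
        if entry.lower() == name.lower():
            return os.path.join(root, entry)
    return None

def autorun_commands(path):
    """Return (key, value) pairs from autorun.inf that launch a program."""
    found = []
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")  # latin-1 never fails on junk bytes
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in COMMAND_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found

def inspect_root(root):
    """Classify the autorun.inf state of one drive root."""
    report = {"autorun": "absent", "commands": [], "flagged": [],
              "recycler_dir": find_ci(root, "RECYCLER") is not None}
    path = find_ci(root, "autorun.inf")
    if path is None:
        return report
    if os.path.isdir(path):
        report["autorun"] = "guard-directory"  # the workaround from the post
        return report
    report["autorun"] = "file"
    report["commands"] = autorun_commands(path)
    # Assumed heuristic: a launch command pointing into RECYCLER is suspicious.
    report["flagged"] = [c for c in report["commands"] if "recycler" in c[1].lower()]
    return report

def demo():
    """Constructed sample: a root whose autorun.inf launches from RECYCLER."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "AutoRun.inf"), "w") as fh:
        fh.write("[autorun]\n;junk\nopen=RECYCLER\\sample.exe\n"
                 "shell\\open\\command=RECYCLER\\sample.exe\nicon=shell32.dll,4\n")
    return inspect_root(root)
```

Call `inspect_root()` with the mount point of the shared drive; a result of `guard-directory` means the blocking directory is still in place, while `file` with a non-empty `flagged` list means the drive has been written to again.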

Hi dbaldaro,

If avast! is missing it, try these scans:

Try a scan with DrWeb CureIT!

Try the usual free adware/spyware scanners.

SUPERAntiSpyware Free
a-Squared Free
Malwarebytes’ Anti-Malware

I think that I actually managed to rid the laptop of it.
I ran ProcMon (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) after booting up the laptop, and before I accessed the remote USB drive.
As soon as the laptop accesses the drive, it then infects it.

Looking at the process trace, it looked as if C:\Windows\System32\dgrosr7.dll was attempting to create the autorun.inf.
So after moving that file, and doing a quick sweep and fix of the registry using CCleaner - everything seems back to normal!