BV:autorun-G [wrm]

I think my laptop is infected by that kind of virus, but it can never be detected by avast.

The problem is that every time I connect a USB drive to my laptop, my avast Home Edition gives a warning about that virus, but I can never delete it. I have deleted it many times, but as long as the USB is connected to my laptop, avast keeps giving the warning. I don't know what to do about this kind of thing; can someone help? That virus is not detected by other antivirus programs; only my avast Home Edition keeps giving a warning every time the USB is connected, but when it's unplugged and I scan the whole system, avast doesn't detect anything. My virus database version is 081112-0, 11/12. Please, someone tell me what to do with this virus; it's annoying to attach a USB and get warnings frequently even though I have already told avast to delete it.

with all regard
Thx

:slight_smile: Hi :

You should try using the FREE “Flash Disinfector” program, available at
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe .

Hi,

I have the same problem.

Everybody on the internet says that using Flash Disinfector is the solution, but it only creates an “autorun.inf” FOLDER. That prevents the creation of a new autorun.inf file, but the computer is not cleaned.

If you come with a new USB flash drive (or an external hard disk), you get the same virus alert.

Can you give me a solution for cleaning the computer? How do I identify what creates these autorun.inf files?

Thanks in advance.

;D hi pourlesyeux,

try autorun eater, download in this link http://www.softpedia.com/get/Security/Secure-cleaning/Autorun-Eater.shtml :smiley:

Hi pourlesyeux,

The Task Manager has most probably been disabled (Check with Ctrl+Alt+Del). To enable it, go to Start - Run and paste the following command:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Hit Enter.

My guess is that editing the registry has also been disabled. To enable the registry, go to Start - Run and paste the following command:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Hit Enter.

Disabling Autorun on all disks could at least keep the nasty from starting up again.
The easiest way to do that is to download TweakUI from here:
http://www.annoyances.org/exec/show/tweakui
Install and start (you will find it under Powertools for Windows - TweakUI).

  • Expand the ‘My Computer’ branch, then the ‘AutoPlay’ branch, and then select ‘Drives’.
  • Turn off the check box next to ALL drive letters (AutoPlay will be disabled now).
    Reboot your computer.

Manual Removal Instructions

Delete the following files
%systemdir%\16E712C5.exe
%systemdir%\74b477be.dll

Delete the following registry keys

6A6004E5
6A6004E5
6A6004E5
LEGACY_6A6004E5
LEGACY_6A6004E5
LEGACY_6A6004E5

That’s it, yes,

polonus

Polonus, your description doesn’t match, but I see many other solutions on the internet (with the “BV:autorun-G [wrm]” reference) that don’t work either.

Finally I found that the file autorun.inf (file detected as “BV:autorun-G [wrm]”) wants to launch “…\RECYCLER.…\ise32.exe”. Solution here: http://www.bleepingcomputer.com/startups/ise32.exe-22719.html

The use of sdfix.exe (download and how to use here) http://www.bleepingcomputer.com/forums/topic131299.html worked for me.

samuelvirucide: maybe your solution works, but I cleaned my computer before reading your post.

Thanks to all for taking the time for me.
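
The two observations made in this thread, that Flash Disinfector leaves an “autorun.inf” folder and that the detected autorun.inf file pointed at an executable under RECYCLER, can be checked with a short script. This is an added example, not code from any poster or tool mentioned here; the function names, the `SUSPICIOUS` heuristic and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Keys in the [autorun] section that name a program Windows may start.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Constructed heuristic (an assumption): locations and file types worth a second look.
SUSPICIOUS = re.compile(
    r"recycler|recycled|system volume information|\.(exe|scr|pif|com|bat|cmd|vbs)\b", re.I)

def launch_targets(raw: bytes):
    """Return [(key, command)] for every launch entry in autorun.inf bytes."""
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    in_autorun, found = False, []
    for line in raw.decode(enc, "replace").splitlines():
        line = line.strip()
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if not in_autorun or "=" not in line or line.startswith(";"):
            continue  # junk padding and comment lines are skipped, not fatal
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            found.append((key.lower(), value))
    return found

def audit_root(root: str):
    """Classify the autorun.inf entry at a drive root: absent, folder or file."""
    name = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if name is None:
        return {"state": "absent", "targets": [], "flagged": []}
    path = os.path.join(root, name)
    if os.path.isdir(path):
        return {"state": "folder", "targets": [], "flagged": []}  # placeholder folder
    with open(path, "rb") as fh:
        targets = launch_targets(fh.read(65536))
    flagged = [cmd for _, cmd in targets if SUSPICIOUS.search(cmd)]
    return {"state": "file", "targets": targets, "flagged": flagged}

# Constructed sample: junk padding, mixed-case keys, a launch target under RECYCLER.
SAMPLE = (b";xkq92ha\r\n[AutoRun]\r\nicon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
          b"zzjunkline\r\nOpen=RECYCLER\\S-1-0-0\\sample.exe\r\n"
          b"shell\\Open\\Command=RECYCLER\\S-1-0-0\\sample.exe\r\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "wb") as fh:
            fh.write(SAMPLE)
        print(audit_root(root))
```

A “folder” result only describes the drive; it does not show that the computer itself is clean.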

Hi pourlesyeux,

This in fact further demonstrates how dangerous these new autorun infectors are/can be as 10 % of malware is spread that way nowadays. Read about the dangers and disabling autorun here:
http://forum.avast.com/index.php?topic=41752.msg350220;topicseen#msg350220

Thanks for reporting back what method(s) worked for you. This may help others in the future.
Everybody that uses Windows in whatever version from 95 hence on better disable this function/feature/risk in the ways described in my posting for which I gave the link above,

polonus

Other option is using USB Firewall…
http://net-studio.org/application/usb_firewall.php

Hi Tech,

Three German hospitals were infected recently via AutoRun.
Finnish F-Secure informs us today that Downadup / Conficker has infected well over 2,3 million Windows computers as of now, but the actual number may be some factors higher. As a rule, intranet computers sit behind a router, so one infected IP may mean thousands of boxes hit. The av vendor fears all these infected machines will be part of a giant future botnet for the cybercriminals that are sending these malware vectors.

The other reason the newer variants are so effective is that they make use of the Autorun function to infect. It drops an autorun.inf file that is automatically executed when the disk is accessed by someone.

So motto of it all to protect against this infections, ergo conclusio: “Disable autorun”,
and worse of it all the latest MS patches were applied in first mentioned scenario,

pol

autorun-G [wrm] infected my system today. I found that it stored itself in “C:\WINDOWS\SYSTEM32\DRIVERS” as “WinMgmt.exe”. It’s hidden as a system file, hidden and read-only. Alterations are made in the “regedit.exe” as well.

To delete the “WinMgmt.exe” you’ll have to go into safe mode as Administrator and go to Tools-> Folder Options-> View-> and tick “Show Hidden Files and Folders”, and untick “Hide Protected Operating System (not recommended)”, then click “Apply” and “O.K”. Now go to where the file is stored and delete the file. Empty the “Recycle Bin”. Click on the Start Menu->Run. Type “regedit” and press “O.K”. When “regedit” starts, press “Ctrl” + “F3”, type in “WinMgmt” and hit “O.K”. This will search the registry for any text with “WinMgmt” in it.

Continue to press “F3” every time it finds one containing those letters, until it finds the following: “C:\WINDOWS\SYSTEM32\DRIVERS\WinMgmt.exe” - change the drive letter “c” to the system drive. Edit this to resemble the following, with the right drive letter put in place of “c”: “C:\WINDOWS\SYSTEM32\wbem\winmgmt.exe” - as this is the official “Windows Management Instrumentation”, a service program. Continue with the search to make sure no more exist, replacing any that are found, as this redirects to the worm. Click File->Exit.

Now delete the “AutoRun.inf” that avast detects as the worm. Reboot and your troubles should be over. ;D

Well, it shouldn’t do that. I had 3 USB pen drives, all with data on them, and nothing was deleted.

I have even just done a test by running Flash Disinfector with my camera’s 2GB SD card, with images still on it, and it did what it should: create a hidden, protected autorun.inf folder, and it never touched my images.