February 23, 2010

How to remove the W32/Renocide worm?

W32/Renocide is another computer worm that uses "AutoRun" to spread through removable storage devices. After infection, it downloads more harmful programs from a remote site.
It creates these files after infection:
%WinDir%\system32\csrcs.exe
%WinDir%\system32\autorun.inf


1. Perform the standard procedure for virus removal.
** Standard procedure for Virus removal

2. Remove the following entries from the Windows registry
** Use at your own risk
** How to edit the Windows registry?

Remove these values from the registry
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty
HKEY_LOCAL_MACHINE\SOFTWARE\xcn
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Settings "exc"
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Settings "exc_num"
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Settings "media_network"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "dreg"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "eggol"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "exp1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "fix"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "ilop"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty "regexp"
HKEY_LOCAL_MACHINE\SOFTWARE\xcn "reg"
HKEY_LOCAL_MACHINE\SOFTWARE\xcn "unreg"

Add these values to the registry if required
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDriveTypeAutoRun"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum "{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "dontdisplaylastusername"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "legalnoticecaption"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "legalnoticetext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "shutdownwithoutlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "undockwithoutlogon"
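
A read-only way to check a machine for the files and registry entries listed above, added here as an example and not part of the original post. The output labels, and the choice to report the ESET key only through its values, are assumptions.

```powershell
# Read-only check for the W32/Renocide artifacts listed on this page.
# Nothing is deleted or changed. Use a 64-bit PowerShell on 64-bit Windows:
# a 32-bit process is redirected away from system32 and HKLM:\SOFTWARE.
$sys32 = Join-Path $env:WinDir 'system32'
$files = @('csrcs.exe', 'autorun.inf') | ForEach-Object { Join-Path $sys32 $_ }

# Key path -> value names from step 2. ReportKey = $false for the ESET key
# (assumption: that key can exist on a clean machine, so only values count).
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Settings'
       Names = 'exc', 'exc_num', 'media_network'; ReportKey = $false },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\DRM\amty'
       Names = 'dreg', 'eggol', 'exp1', 'fix', 'ilop', 'regexp'; ReportKey = $true },
    @{ Path = 'HKLM:\SOFTWARE\xcn'
       Names = 'reg', 'unreg'; ReportKey = $true }
)

$findings = @()
foreach ($f in $files) {
    # -Force so files marked hidden or system are still found
    if (Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue) {
        $findings += "FILE    $f"
    }
}
foreach ($c in $checks) {
    $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    if ($c.ReportKey) { $findings += "KEY     $($c.Path)" }
    foreach ($name in $c.Names) {
        if ($key.GetValueNames() -contains $name) {
            $findings += "VALUE   $($c.Path) `"$name`""
        }
    }
}

# The AutoRun policy value the page says to add back if it is missing
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -LiteralPath $policy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $autorun) { $findings += "MISSING $policy `"NoDriveTypeAutoRun`"" }

if ($findings) { $findings } else { 'No listed Renocide artifacts found.' }
```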
