Saturday, February 14, 2009

jwgkvsq.vmx worm/virus RECYCLER folder

To clean up a system that automatically creates autorun.inf and a RECYCLER folder containing jwgkvsq.vmx, download and run this program. After the reboot, the system will probably complain about a missing DLL file. To fix that manually, you can use regedit or msconfig:

Regedit:
  1. run regedit.exe (start menu, run: regedit.exe),
  2. search for the DLL file name (CTRL+F),
  3. delete the entry which contains the missing DLL file. Usually, the entry is found at the registry location: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

Or MsConfig:
  1. run msconfig.exe (start menu, run: msconfig.exe),
  2. go to the Startup tab,
  3. uncheck the startup item whose command contains the missing DLL file.
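As an added example (not from the original post), this read-only PowerShell script lists Run entries whose command points at a DLL that no longer exists on disk, which is the entry both procedures above ask you to find. The HKLM key, the function name `Get-MissingDllRunEntry` and the path pattern are assumptions; the post names only the HKCU location.

```powershell
# Added example: report startup entries whose DLL is missing from disk.
# Read-only: it only lists candidates; deleting the value is still done by hand
# in regedit or msconfig as described above.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',  # location named in the post
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'   # assumption: machine-wide Run key
)

# Drive-letter path ending in .dll, quoted or not, for example:
#   rundll32.exe "C:\WINDOWS\system32\example.dll",entry
# ':' is excluded after the drive prefix so two paths in one command stay separate.
$dllPattern = '[A-Za-z]:\\[^":<>|,*?]+?\.dll'

function Get-MissingDllRunEntry {
    param([string[]]$KeyPath = $runKeys)

    foreach ($path in $KeyPath) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }   # key absent or not readable

        foreach ($name in $key.GetValueNames()) {
            # Expand %SystemRoot% and similar before looking for a path
            $command = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))

            foreach ($m in [regex]::Matches($command, $dllPattern, 'IgnoreCase')) {
                if (-not (Test-Path -LiteralPath $m.Value -PathType Leaf)) {
                    # New-Object is used so the script also runs on PowerShell 2.0
                    New-Object PSObject -Property @{
                        Key        = $path
                        ValueName  = $name
                        Command    = $command
                        MissingDll = $m.Value
                    }
                }
            }
        }
    }
}

Get-MissingDllRunEntry | Format-List
```

A hit is only a candidate: confirm that the DLL name matches the one in the error message before deleting the value.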

To clean up an infected flash disk or external disk with a FAT file system, simply delete autorun.inf and the RECYCLER folder. If it has an NTFS file system, however, Windows will complain about unauthorized access to the file and folder. You can boot Linux and mount the NTFS volume (it probably has to be mounted forcefully with the option -o force), then delete them. A live CD such as Ubuntu will do.

That's all :)

Updated:
If the above cleaning process didn't work (somehow, the above process works perfectly on my PC but has no effect on my friend's), scan the system using this tool. After scanning, there will probably be some inaccessible files (check the log file). Then:
  1. find the suspicious hidden DLL file in \windows\system32\,
  2. boot to safe mode,
  3. change the ownership of the file (right click, properties, security, click advanced.. the rest I expect you know how.. ;) ), then
  4. change the access permissions for everyone,
  5. delete the DLL file manually.

Perhaps steps (3) to (5) can be applied to remove autorun.inf and the RECYCLER folder too.

That's all :)

Updated #2:
For those who have trouble downloading from the antivirus website, I have added mirrors for the antivirus:
(2012/10/4: Sorry, the mirrors are no longer available).

PS. Turn off System Restore and unplug your network before executing the removal tool. Otherwise, the virus might not be cleaned up. Also refer to the Microsoft bulletin here to install the patch for the vulnerability.

If none of the above methods works for you, perhaps you should try to follow the cleaning process from the Microsoft Knowledge Base here.

That's all :)

Updated #3:
If you still have problems, the FAQ about Conficker from Kaspersky might be helpful.

That's all :)

26 comments:

  1. DUDE, the links don't work because the virus blocks me from accessing antivirus sites.

  2. hi, I've just added file mirrors. :)

  3. my computer was damaged after the scanning procedures...what should i do now?

  4. my computer doesn't start now after the scanning procedures...

  5. hi, can you be more specific? have you tried to enter safe mode? In safe mode, run msconfig or regedit to manually fix the missing dll.

  6. You can use tune up utility to delete that file....

  7. does anyone have the real names of the DLL's ?

  8. Thanks for the tips and download link. Regards!

  9. I think the DLL file name will be created randomly. This virus is pretty rough.

  12. When scanning, don't insert a pen drive or else it will be affected.

    Try Safemode and use FixDownUp.

    That should work.

  13. If you are having trouble with the jwgkvsq.vmx virus then
    Download Recycler Removal:
    Download link: http://www.speedyshare.com/798457330.html

  14. does this apply to windows server 2003 also?

  15. @Anonymous above: sorry, I have not tried it on windows server 2003 yet.

  16. thanks dude,
    finally solve my recycler issue :)

    i thought i delete registry
    recycler value, then virus is gone, but not ..>_<

  17. If you want an easy way to get rid of the virus off the USB drive itself, just download a file explorer like snowbird off the internet and use it. Once again though make sure you enable the “show hidden files” option from within the program, but this will override the virus's control over that option in Windows. I have also found that McAfee was the best to get it off the computer itself. Hope this helps anyone.

  19. We have developed a removal tool for the virus (Recycler\...jwgkvsq.vmx).
    Please use the following link to download the tool.

    http://it.web44.net/VirusDetails/jwgkvsq.vmx.Recover.report.php

    Please give your comments on our web site.
    Thank you.

    Imago Labs®(Sri Lanka)

  20. great 10x :) my computer work over

  21. it.web44.net is reported as an attack site.

  22. Kaspersky kido removal worked for me!
    http://support.kaspersky.com/faq/?qid=208279973
    http://support.kaspersky.com/downloads/utils/kk.zip

  23. i used unlocker to delete both autorun.inf and jwgkvsq.vmx with success.

  24. virus is not necessarily the reason,
    read how to delete the recycler all the instructions you need, is a 2 steps operation, read the article carefully
