Sunday, June 21, 2009
My laptop had been infected with a virus for a long time. I had identified it as the recycler virus a couple of weeks ago, but I had never really tried to remove it. Yesterday evening the virus started hijacking virtual memory (i.e., loading up memory at the expense of other processes). I could not bear it any longer.
So I searched for information about the recycler virus, and I have written a small tutorial on the steps to remove it.
Go to your drive (in the command prompt, C:\ or D:\).
Type ATTRIB -S -A -H -R.
1. You should now be able to see the contents of your root drive (C:, D:, etc.).
2. Ensure that you are able to see hidden files by going to Tools > Folder Options > View and enabling the option to show hidden files.
3. System Volume Information and RECYCLER should now be visible in your root drive (C:, D:, or whatever drive you use).
4. Go to your drive, right-click the RECYCLER folder and click Delete. In my case it was not deleted, because it was in use by another process; Force Del is a useful application for overriding this error and deleting the folder.
5. Right-click the System Volume Information folder and go to Properties. Go to the Security tab; if your user name is not there, add the user name you use for XP. Give yourself full rights, and give them to the SYSTEM user as well. Then press OK. If you cannot see the Security tab and you are using XP Professional, go to Tools > Folder Options > View, uncheck "Use simple file sharing" and select Apply.
If you have no clue what step 5 was about, there's a simpler way of doing it:
- Click Start, click Run, type cmd, and then click OK.
- Make sure that you are in the root folder of the partition for which you want to gain access to the System Volume Information folder. For example, to gain access to the C:\System Volume Information folder, make sure that you are at a "C:\" prompt.
- Type the following line and press ENTER: cacls "driveletter:\System Volume Information" /E /G username:F   Make sure to type the quotation marks as indicated. This command adds the specified user to the folder with Full Control permissions.
- Double-click the System Volume Information folder in the root folder to open it.
- If you need to remove the permissions after troubleshooting, type the following line at a command prompt: cacls "driveletter:\System Volume Information" /E /R username   This command removes all permissions for the specified user.
6. Go to the Recycle Bin on the desktop and right-click it. Choose Properties, then check the box "Do not move files to the Recycle Bin. Remove files immediately when deleted." Press Apply.
7. Go to the System Volume Information folder and delete the last folder. These folders are where XP has taken snapshots of your system in order to restore it; the virus hides here so that if you restore the system, it is restored too. If you are not sure which folder to delete, don't worry: deleting all the folders in System Volume Information just deletes all the restore points.
8. Now open the registry editor and remove the virus from there, so that it is not recreated when you restart.
9. Open the registry editor: Start > Run, type regedit in the box and select OK. The registry editor will open.
10. Hit Ctrl+F and type Recycler in the search box (iuhi64 should also be searched for). Delete the entry when found. Press F3 to find the next occurrence of Recycler (or iuhi64) and delete it too.
11. Close regedit.
12. Go to all installed hard drives and do steps 2 to 6, 8 and 9.
13. Run your antivirus software. You should now be able to update any antivirus software that previously could not be updated.
14. Restart your computer.
15. Verify that the RECYCLER folder is gone from your root drive.
16. Then you can uncheck the box in the Recycle Bin that you checked in step 6, so that deleted files are kept in case you need to restore one that was accidentally deleted.
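Step 10 is a manual Ctrl+F hunt through regedit. As an added example (not part of the original post), the Python below does the same check over a regedit export of the Run keys, flagging autorun values whose command line mentions RECYCLER or iuhi64; the .reg text, value names, SID and paths in the sample are constructed, while the .reg format and the reg export command are standard Windows.

```python
import re

# Constructed sample of a regedit export, like what
#   reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
# produces on XP. Every key, value name, SID and path below is made up for this
# example; the "Updater" value mimics the RECYCLER/iuhi64 pattern the post describes.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1000\\iuhi64.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Sidebar\\sidebar.exe /autoRun"
"Recycler Helper"="C:\\RECYCLER\\helper.exe"
'''

# The names step 10 of the post says to search for in regedit (matched case-insensitively).
SUSPICIOUS_MARKERS = ("recycler", "iuhi64")
# A .reg string value is "name"="data" (or @="data" for the default value);
# inside the quotes, backslash and double-quote are escaped with a backslash.
_VALUE_LINE = re.compile(r'^(@|"[^"]*")="(.*)"$')


def _unescape(s):
    """Undo .reg escaping: a backslash-escaped character stands for itself."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export;
    hex:/dword: values are not command lines, so they are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if key and m:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            yield key, name, _unescape(m.group(2))


def find_suspicious_autoruns(text, markers=SUSPICIOUS_MARKERS):
    """Return [(key, name, data)] for autorun values whose data mentions a marker."""
    return [(k, n, d) for k, n, d in parse_reg_export(text)
            if any(mk in d.lower() for mk in markers)]


if __name__ == "__main__":
    for key, name, data in find_suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"[{key}]\n  {name} = {data}")
```

Run it against your own export of the Run keys to get the list of entries to review before deleting anything in regedit.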
My findings:
This virus recreates itself using the Recycle Bin mechanism. Every time you delete a file it recreates itself, because it looks in the Recycle Bin and restores or copies the virus data stored inside. If the virus cannot be stored there and is removed immediately, which is what checking the box in step 6 achieves, then it cannot recreate itself and all of its power is lost. So erasing it from the registry and the drive ensures that it cannot return. It keeps two copies: one in the RECYCLER folder and another in System Volume Information. Deleting both folders does the trick.
http://wiki.answers.com/Q/How_do_you_remove_recycler_virus_found_in_hard_disk
http://www.winmatrix.com/forums/index.php?showtopic=13021
http://support.microsoft.com/
These were the three links that were most useful to me for understanding the recycler virus and deleting it.
Spending an evening with the virus ensured that my laptop was free of the recycler virus.
Labels: Windows corner..., World of virus