Lately there’s been a virus going around the school district that I work at. This virus spreads itself via pen drives and prevents people from opening their pen drives from the My Computer window. It’ll usually pop up an error saying something like “unable to read drive”. Unfortunately, our anti-virus software doesn’t seem to detect it.
So far the virus doesn’t seem to actually do any damage. It’s just annoying.

I when I searched the net for a proper removal method, I only found websites trying to push their crappy anti-virus software. And none of them have real removal instructions. Even Symante’s Security Response website failed to provide any information.

So I decided to post up what I’ve found so far. Below is the email I sent to the rest of my tech department in regards of how to deal with this virus until our anti-virus software is capable of handling it. Hopefully this will help anyone else that’s having trouble getting rid of this virus and needs info on it.

Here’s how to check for it and get rid of it if you find a computer that you think might have it:
Note: Do not try to open the pen drive again until all this has been done.Getting Rid of the Background Process:

  1. Open Task Manager
  2. Look for a process called KOfcpfwSvcs.exe (capitalization may be different).
    If you see this process running, then the computer definitely has the virus.
    If it doesn’t have this process, skip to the next part (Getting Rid of the Registry Keys)
  3. End the process.
  4. Open msconfig from the Run window.
  5. Look for KOfcpfwSvcs and any entries that have the first two column blank. Delete them.
  6. Open the Search window from the start menu.
  7. Click All files and folders.
  8. In the first box, type KOf
  9. In the Look In dropdown, select Local Hard Drives
  10. Click More Advanced Options
  11. Check Hidden files and folders and Search system folders and Search subfolders
  12. Click Search.
  13. If you get any results that says KOfcpfwSvcs.exe or KOfcpfwSvcs.exe-PREFETCH, or similar, delete those files.

Sometimes the computer might not have the virus’s process, but will have the registry keys that also prevent the pen drive from opening.

Getting Rid of the Registry Keys

  1. Open regedit from the Run window.
  2. Click on My Computer at the very top of the left list.
  3. Go to Edit and Find.
  4. In Find What, type AutoRun
  5. Uncheck Keys and Values, Check Data, Check Match whole string only
  6. Click Find Next
    You’re looking for a folder that looks something like this:
    (These are folders on the left)
    +- {1a60db72-7355-11db-a02d-0015c5540121} (this folder wont be named exactly like this, but will look similar)
    |+- shell
    ||+- 1
    ||+- 2
    ||+- Autoplay
    ||+- AutoRun
    If it doesn’t find it the first time, go to Edit and Find Next until you find it.
  7. Open 1 and 2 and the command folder inside of it. On the right there should be an entry that says something like “E:\.\RECYCLER\autorun.exe”.
  8. Delete 1 and 2 (right click and select Delete)
  9. Make a new folder called 1 (right click shell and select New > Key.
  10. On the right, double-click the (Default) entry and enter “Open” (without the quotes) in the blank box. Click OK.
  11. Make another folder in 1 called command.
  12. Again double-click (Default) in command and this type enter “explorer %L”. Click OK.

Finally,
Getting Rid of the Virus from the Pen Drive:

  1. Open the Run window and type “cmd”, click OK.
  2. Type the drive letter of the pen drive followed by a colon and hit enter (usually E:)
  3. Type “rmdir /S RECYCLER” and hit enter.
  4. When it asks if you’re sure, hit Y then enter.

Now both the pen drive and the computer should be clean of the virus.