Variant: W32.Rotinom [Symantec], Trojan.Win32.Agent2.ldt [Kaspersky], Trojan:Win32/Folstart.A [Microsoft], TR/Agent2.ldt.36 [Avira]
Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows XP, Windows Vista, Windows 7
W32.Rotinom is a computer worm that copies itself and spreads via removable drives or network shared drives.
How does it propagates?
The worm makes copies of itself using the folder names found on the root directory of the targeted removable or network drives, adds an “EXE” file extension, then it sets the infected folder attribute settings to hidden. Be wary, the hidden malware executable icon is cleverly disguised as a typical windows folder.
Step by step manual removal guide:
• Disable system restore (Windows ME and XP users only)
• Reboot and login under safe mode with networking (Press the F8 key on Windows boots up)
• Show hidden files and folders – Open my computer, click folder options and choose view tab. Tick show hidden files and folders, untick hide protected operating system files.
• Navigate and delete W32.Rotinom created files:
• Navigate and restore the following registry entries to their original values: (Click Start → run → type regedit → click OK)
{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}
• Update Anti-Virus definition files
• Run Anti-Virus full system scan
• Re-enable system restore (Windows ME and XP users only)
• Reboot and login under normal mode