How to Remove Stuxnet Virus

Continuing the previous article, Close Up with Stuxnet, this article describes how to clean a Stuxnet infection and repair the damage it leaves behind.

If Stuxnet has succeeded in getting onto your computer, it creates the following files:

1. C:\WINDOWS\system32\winsta.exe
The winsta.exe file that Stuxnet creates keeps growing until it has used up the remaining free space, so the disk fills up (usually the C: drive, where the operating system is installed).
2. C:\WINDOWS\system32\drivers\mrxcls.sys, and
3. C:\WINDOWS\system32\drivers\mrxnet.sys

mrxcls.sys and mrxnet.sys are the driver files that keep Stuxnet active (they are registered as services; see the registry keys below) and that Stuxnet uses to infect the computer and any removable media connected to it (such as USB flash drives).

Besides creating the files above, Stuxnet also targets the following important Windows system processes:

  1. svchost.exe: hosts the network-related services; once Stuxnet has compromised it, the network connection drops.
  2. lsass.exe: once compromised, the computer becomes slow, hangs and restarts.
  3. spoolsv.exe: once compromised, the computer can no longer print.

Once these three processes have been compromised, the computer runs slowly or hangs, and if it is connected to a network, the connection is lost.

Stuxnet also modifies the Windows registry; the keys it adds or changes include:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET
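
Before cleaning, it is worth confirming which of the artifacts above are actually present. The PowerShell script below is an added example, not part of the original article: it is a read-only audit that checks for the three files, the service and Enum\Root keys in every control set, whether the two drivers are loaded right now, and how much free space is left on the system drive (since winsta.exe fills the disk). It assumes Windows lives in %SystemRoot% (C:\WINDOWS on the article's machine), that the service names are MRxCls and MRxNet as the registry keys above show, and PowerShell 3.0 or later. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): read-only audit for the Stuxnet
# artifacts listed above. Assumes %SystemRoot% holds Windows, service names
# MRxCls/MRxNet (from the article's registry keys) and PowerShell 3.0 or later.

$files = @(
    "$env:SystemRoot\system32\winsta.exe",
    "$env:SystemRoot\system32\drivers\mrxcls.sys",
    "$env:SystemRoot\system32\drivers\mrxnet.sys"
)
$services = 'MRxCls', 'MRxNet'
$findings = @()

# 1. Dropped files. -Force makes Get-Item return hidden/system files as well.
foreach ($f in $files) {
    $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    # Stuxnet's drivers carried signatures made with stolen certificates, so the
    # signature status is reported for context only, not as proof the file is benign.
    $sig = Get-AuthenticodeSignature -FilePath $f
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $findings += [pscustomobject]@{
        Kind = 'File'; Name = $f
        Detail = "size={0:N0} bytes, signature={1}, signer={2}" -f $item.Length, $sig.Status, $signer
    }
}

# 2. Service and Enum\Root keys in every control set. CurrentControlSet is a link
#    to one of the ControlSetNNN keys, so enumerating the numbered ones covers it.
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object { $_.PSChildName }

foreach ($cs in $controlSets) {
    foreach ($svc in $services) {
        $svcKey  = "HKLM:\SYSTEM\$cs\Services\$svc"
        $enumKey = "HKLM:\SYSTEM\$cs\Enum\Root\LEGACY_$($svc.ToUpper())"
        if (Test-Path -LiteralPath $svcKey) {
            $image = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
            $findings += [pscustomobject]@{ Kind = 'Registry'; Name = $svcKey; Detail = "ImagePath=$image" }
        }
        if (Test-Path -LiteralPath $enumKey) {
            $findings += [pscustomobject]@{ Kind = 'Registry'; Name = $enumKey; Detail = 'legacy driver enum entry' }
        }
    }
}

# 3. Are the drivers loaded right now? Get-Service only lists Win32 services,
#    so kernel drivers are queried through CIM instead.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $services -contains $_.Name }
foreach ($d in $loaded) {
    $findings += [pscustomobject]@{ Kind = 'Driver'; Name = $d.Name; Detail = "state=$($d.State), path=$($d.PathName)" }
}

# 4. Free space on the system drive, because winsta.exe grows until the disk is full.
$sysDrive = Get-PSDrive -Name $env:SystemDrive.Substring(0, 1)
$findings += [pscustomobject]@{ Kind = 'Disk'; Name = $env:SystemDrive; Detail = "free={0:N0} MB" -f ($sysDrive.Free / 1MB) }

$findings | Format-Table -AutoSize -Wrap
$hits = @($findings | Where-Object { $_.Kind -ne 'Disk' })
if ($hits.Count -eq 0) {
    Write-Host 'None of the Stuxnet files, services or registry keys from the article were found.'
} else {
    Write-Warning "$($hits.Count) Stuxnet artifact(s) found. Clean with the steps below, then run this audit again after the reboot."
}
```

A Valid signature on mrxcls.sys or mrxnet.sys is not a reason to leave the file alone: Stuxnet was signed with certificates stolen from hardware vendors, which is exactly why the file name and service name are the indicators here, not the signature. Run the audit again after cleaning and rebooting; a remaining Enum\Root\LEGACY_* key with no matching Services key is a leftover that the cleanup below removes.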

Based on several sources I have read and on cases I have handled, the following steps are effective at cleaning and removing the Stuxnet virus:

1. Clean and remove the Stuxnet virus with the Dr Web CureIt removal tool. Download and run the tool from http://www.freedrweb.com/download+cureit/

2. Fix the registry
Repair the Windows registry entries that Stuxnet modified: copy the script below into WordPad or Notepad and save it as repair.inf. The [UnhookRegKey] section restores Explorer's hidden-file settings and the default open commands for .bat, .com, .exe, .pif and .reg files; the [del] section removes the Stuxnet service entries and their Enum\Root\LEGACY_* remnants from CurrentControlSet, ControlSet001 and ControlSet002.

[Version]
Signature="$Chicago$"
Provider=Project-880
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore Explorer's hidden-file settings and the default file-type handlers.
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0
HKLM, SOFTWARE\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"

; Remove the Stuxnet driver services and their legacy device entries.
[del]
HKLM, SYSTEM\CurrentControlSet\Services\MRxCls
HKLM, SYSTEM\CurrentControlSet\Services\MRxNet
HKLM, SYSTEM\ControlSet001\Services\MRxCls
HKLM, SYSTEM\ControlSet001\Services\MRxNet
HKLM, SYSTEM\ControlSet002\Services\MRxCls
HKLM, SYSTEM\ControlSet002\Services\MRxNet
HKLM, SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
HKLM, SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET
HKLM, SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS
HKLM, SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET
HKLM, SYSTEM\ControlSet002\Enum\Root\LEGACY_MRXCLS
HKLM, SYSTEM\ControlSet002\Enum\Root\LEGACY_MRXNET

Run repair.inf by right-clicking it in Windows Explorer, choosing Install, and then restarting the computer. The Enum\Root\LEGACY_* keys are protected by Windows and may refuse to delete while the drivers are still loaded; if that happens, run the removal tool first, restart, and install repair.inf again.

To stop any remaining pieces of the trojan from becoming active again, clear the temporary files with a tool such as ATF Cleaner or with the Windows Disk Clean-Up utility.

3. Preventing reinfection

To stop the virus from writing its files back onto the computer, use the following batch script. It deletes each Stuxnet file and then creates a directory with the same name, marked read-only, hidden and system, so that a file of that name can no longer be created in that location:

@echo off
rem Run from an Administrator command prompt, after the removal tool has run and
rem the computer has been restarted (a loaded driver file cannot be deleted).

rem Delete each Stuxnet file (/a so hidden and system files are matched too),
rem then create a directory with the same name so the file cannot be written back.
del /f /a %SystemRoot%\system32\winsta.exe
md %SystemRoot%\system32\winsta.exe
del /f /a %SystemRoot%\system32\drivers\mrxnet.sys
md %SystemRoot%\system32\drivers\mrxnet.sys
del /f /a %SystemRoot%\system32\drivers\mrxcls.sys
md %SystemRoot%\system32\drivers\mrxcls.sys

rem Mark the placeholder directories read-only, hidden and system.
attrib +r +h +s %SystemRoot%\system32\winsta.exe
attrib +r +h +s %SystemRoot%\system32\drivers\mrxnet.sys
attrib +r +h +s %SystemRoot%\system32\drivers\mrxcls.sys

Save this file as "winsta.bat" and run it as Administrator (right-click the file and choose Run as administrator); a plain double-click may not have the rights needed to change files under system32.
For a thorough cleanup and to keep the computer from being reinfected, scan it again with an up-to-date antivirus that reliably detects this virus.
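
The three steps above can be carried out from one PowerShell script. The script below is an added example and is not the article's own code: it stops and deletes the two driver services, removes their Services and Enum\Root\LEGACY_* keys from every control set (what the [del] section of repair.inf does), deletes the three files and leaves a hidden read-only directory in place of each (what winsta.bat does). It assumes Windows lives in %SystemRoot%, that the service names are MRxCls and MRxNet as the article's registry keys show, and PowerShell 3.0 or later; the [UnhookRegKey] repairs are left to repair.inf. Run it from an elevated PowerShell prompt after the removal tool has run.

```powershell
# Added example (not from the original article): remove the Stuxnet services,
# registry remnants and files described above, then block the file names from
# being re-created. Assumes %SystemRoot% holds Windows, service names
# MRxCls/MRxNet (from the article's registry keys) and PowerShell 3.0 or later.

$services = 'MRxCls', 'MRxNet'
$paths = @(
    "$env:SystemRoot\system32\winsta.exe",
    "$env:SystemRoot\system32\drivers\mrxcls.sys",
    "$env:SystemRoot\system32\drivers\mrxnet.sys"
)

# 1. Stop and delete the driver services. sc.exe handles kernel drivers, which
#    Stop-Service does not; a driver that will not stop is marked for deletion
#    and disappears at the next reboot.
foreach ($svc in $services) {
    & sc.exe stop   $svc | Out-Null
    & sc.exe delete $svc | Out-Null
}

# 2. Delete the registry remnants in every control set (repair.inf's [del] section).
#    CurrentControlSet is a link to one ControlSetNNN key, so the numbered sets
#    cover it. Enum\Root\LEGACY_* keys are ACL-protected; a denied delete there is
#    expected until the service is gone and the machine has rebooted.
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object { $_.PSChildName }

foreach ($cs in $controlSets) {
    foreach ($svc in $services) {
        foreach ($sub in @("Services\$svc", "Enum\Root\LEGACY_$($svc.ToUpper())")) {
            $key = "HKLM:\SYSTEM\$cs\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            try {
                Remove-Item -LiteralPath $key -Recurse -Force -ErrorAction Stop
                Write-Host "removed $key"
            } catch {
                Write-Warning "could not remove $key : $($_.Exception.Message) (reboot and re-run)"
            }
        }
    }
}

# 3. Delete the files (-Force covers hidden/system/read-only attributes) and leave a
#    directory of the same name in their place, the trick winsta.bat uses: a file
#    cannot be created where a directory with that name already exists. A driver
#    file that is still loaded cannot be deleted; reboot after step 1 and re-run.
foreach ($p in $paths) {
    if ([System.IO.File]::Exists($p)) {
        try {
            Remove-Item -LiteralPath $p -Force -ErrorAction Stop
            Write-Host "deleted $p"
        } catch {
            Write-Warning "could not delete $p : $($_.Exception.Message) (reboot and re-run)"
            continue
        }
    }
    if (-not [System.IO.Directory]::Exists($p)) {
        New-Item -ItemType Directory -Path $p | Out-Null
        & attrib.exe +r +h +s $p
        Write-Host "placeholder directory created at $p"
    }
}

Write-Host 'Reboot now, then re-run the audit and a full antivirus scan.'
```

Reboot after the script, then run the audit from earlier in the article and a full scan with an updated antivirus. The placeholder directories only stop this variant from dropping files under the same names; code running as SYSTEM can remove them, so treat them as a stopgap, not as protection, and keep the antivirus and Windows updates current.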