
infected autorun.inf

  1. #1
    Junior Member
    Registered: 09.02.2009
    Posts: 9
    Reputation weight: 56

    infected autorun.inf

    2/10/2009 8:35:10 PM >>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    2/10/2009 8:35:10 PM >>> D:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    2/10/2009 8:35:10 PM >>> E:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)

    these are infected most likely

    I have read and fully understood the rules. Will post quarantine file afterwards.

  2. #2
    Senior Member (drongo)
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,164
    Reputation weight: 994
    According to our rules you should attach 3 logs,
    and posting quarantine is forbidden! For each system different theme.
    Please download in my signature special avz, put it in new folder on desktop.
    Please execute this script in avz:
    (Do remember to exit antivirus and disconnect from internet before that)

    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
     QuarantineFile('E:\autorun.inf','');
     QuarantineFile('D:\autorun.inf','');
     QuarantineFile('C:\autorun.inf','');
     QuarantineFile('D:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll','');
     QuarantineFile('D:\WINDOWS\system32\drivers\scsk5.sys','');
     QuarantineFile('D:\WINDOWS\system32\NPFWFLT.SYS','');
     QuarantineFile('D:\WINDOWS\system32\Drivers\neokdss.sys','');
     QuarantineFile('D:\WINDOWS\system32\Drivers\iqvw32.sys','');
     QuarantineFile('D:\WINDOWS\system32\JRSUKD24.SYS','');
     QuarantineFile('D:\WINDOWS\system32\JRSKD24.SYS','');
     QuarantineFile('D:\WINDOWS\system32\DRIVERS\tcpip.sys','');
     QuarantineFile('D:\WINDOWS\system32\ntkrnlpa.exe','');
     QuarantineFile('D:\WINDOWS\system32\NgSharedPort.dll','');
     QuarantineFile('d:\program files\live mesh\remote desktop\wlcrasvc.exe','');
     QuarantineFile('d:\program files\limeusa\limeusa_download.exe','');
    BC_ImportAll;
    BC_Activate;
    RebootWindows(true);
    end.
    Please upload the quarantine according to appendix 3 of rules, by link http://virusinfo.info/upload_virus_eng.php?tid=39453
    Let us know when you are done.

  3. #3
    Junior Member
    Registered: 09.02.2009
    Posts: 9
    Reputation weight: 56

    will do

    ok I'll put up three of those logs as rule states.

    I have not used the script above yet.

    Wait until I post three logs

  4. #4
    Senior Member (drongo)
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,164
    Reputation weight: 994
    You are late with the rules. Please send the requested quarantine.

  5. #5
    Junior Member
    Registered: 09.02.2009
    Posts: 9
    Reputation weight: 56
    this script did not get rid of them? and I uploaded the quarantine as requested.

  6. #6
    Senior Member (drongo)
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,164
    Reputation weight: 994
    Quote from niceandbland: "this script did not get rid of them? and I uploaded the quarantine as requested."

    No, just make a copy

    Added 14 minutes later

    Please search your computer and flash drives for the file peyfrf2.cmd. Use AVZ; read appendix 2 of the rules.
    It is important, so please don't even think of deleting it before sending it to us.
    Last edited by drongo; 12.02.2009 at 13:21. Reason: Added

  7. #7
    Junior Member
    Registered: 09.02.2009
    Posts: 9
    Reputation weight: 56

    not being quarantined

    Quarantine file: failed (error), attempt of direct disk reading (peyfrf2.cmd)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (D:\WINDOWS\peyfrf2.cmd)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (D:\WINDOWS\system32\peyfrf2.cmd)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (peyfrf2.cmd)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (D:\WINDOWS\peyfrf2.cmd)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (D:\WINDOWS\system32\peyfrf2.cmd)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (peyfrf2.cmd)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (D:\WINDOWS\peyfrf2.cmd)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (D:\WINDOWS\system32\peyfrf2.cmd)
    Quarantine file (direct disk reading) "%S" - failed (error)

    this is what it says and does not show up in quarantined folder so I'm guessing it's not being quarantined?

    Added 2 hours 59 minutes later

    I just sent the zipped quarantine file with peyfrf2.cmd file

    let me know what to do next
    Last edited by niceandbland; 13.02.2009 at 06:53. Reason: Added

  8. #8
    Senior Member (drongo)
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,164
    Reputation weight: 994
    peyfrf2.cmd - Trojan-GameThief.Win32.Magania.avat (Kaspersky)
    D:\WINDOWS\system32\uweyiwe0.dll - Trojan-GameThief.Win32.Magania.avav (Kaspersky)

    Please disconnect from the internet, make sure that all your removable disks (disk on key) are connected to the computer and execute this script in AVZ:
    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
     DeleteFile('D:\WINDOWS\system32\uweyiwe0.dll');
     DeleteFile('D:\autorun.inf');
     DeleteFile('D:\peyfrf2.cmd');
     DeleteFile('C:\autorun.inf');
     DeleteFile('C:\peyfrf2.cmd');
     DeleteFile('E:\autorun.inf');
     DeleteFile('E:\peyfrf2.cmd');
     DeleteFile('K:\autorun.inf');
     DeleteFile('K:\peyfrf2.cmd');
     DeleteFile('L:\autorun.inf');
     DeleteFile('L:\peyfrf2.cmd');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    ExecuteRepair(6);
    ExecuteRepair(8);
    ExecuteRepair(9);
    RebootWindows(true);
    end.
    After that make a set of logs according to rules: http://virusinfo.info/showthread.php?t=9184

  9. #9
    Junior Member
    Registered: 09.02.2009
    Posts: 9
    Reputation weight: 56

    did everything as asked did not work

    did everything as asked. ran the script but it did not get rid of it.

    what do I do?

  10. #10
    Senior Member (drongo)
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,164
    Reputation weight: 994
    Exit (disable) your Live Mesh program.
    Try to delete D:\WINDOWS\system32\kva8wr.exe
    D:\WINDOWS\system32\uweyiwe0.dll
    with IceSword, http://rapidshare.com/files/13306104...122en.zip.html
    File -> Find file -> choose Force delete, choose Yes, Restart.

    Fix in hijackthis: (http://virusinfo.info/showthread.php?t=9206)

    Code:
    F2 - REG:system.ini: Shell=Explorer.exe 
    O2 - BHO: IEHlprObj Class - {F171A450-7AF5-43E1-AFED-EDC826A1B0F5} - D:\WINDOWS\system32\bgotrtu0.dll
    Don't restart, just execute this script in AVZ.
    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
     clearquarantine;
     QuarantineFile('D:\WINDOWS\system32\kva8wr.exe','');
     QuarantineFile('D:\WINDOWS\system32\bgotrtu0.dll','');
     DeleteFile('D:\WINDOWS\system32\bgotrtu0.dll');
     DeleteFile('D:\WINDOWS\system32\kva8wr.exe');
     DeleteFile('D:\WINDOWS\system32\uweyiwe0.dll');
     DeleteFile('D:\autorun.inf');
     DeleteFile('D:\peyfrf2.cmd');
     DeleteFile('C:\autorun.inf');
     DeleteFile('C:\peyfrf2.cmd');
     DeleteFile('E:\autorun.inf');
     DeleteFile('E:\peyfrf2.cmd');
     DeleteFile('K:\autorun.inf');
     DeleteFile('K:\peyfrf2.cmd');
     DeleteFile('L:\autorun.inf');
     DeleteFile('L:\peyfrf2.cmd');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    ExecuteRepair(6);
    ExecuteRepair(8);
    ExecuteRepair(9);
    RebootWindows(true);
    end.
    Remember, every time you insert a removable disk, you should hold down Shift. Or disable autostart on all disks permanently. In order to do this you can use our reg file:
    http://virusinfo.info/attachment.php...9&d=1206283419

    Make new logs.
    If there is something new in quarantine, please upload it: http://virusinfo.info/upload_virus_eng.php?tid=39453
    Last edited by drongo; 14.02.2009 at 16:17.
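
An added example, not part of the thread or of AVZ: a tolerant parser that lists what an autorun.inf in a drive root would launch and whether that file sits beside it, the autorun.inf and peyfrf2.cmd pairing that the scripts above delete on every drive. The sample file content is constructed (the thread never shows the real autorun.inf), and `autorun_targets`, `scan_root` and `demo` are hypothetical names.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that start a program
# Constructed sample; the thread never shows the real autorun.inf content.
SAMPLE_INF = """;kd8sJq padding line
[AutoRun]
open=peyfrf2.cmd
shell\\open\\Command=peyfrf2.cmd
icon=shell32.dll,4
"""

def autorun_targets(text):
    """Return (key, command) pairs in [autorun] that launch a program."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
        elif in_autorun and "=" in line and not line.startswith(";"):
            # Padding and comment lines never reach here; they are not fatal.
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append((key, value.strip()))
    return targets

def scan_root(root):
    """List launch entries of root's autorun.inf and whether the target sits beside it."""
    names = {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" not in names:
        return []
    with open(os.path.join(root, names["autorun.inf"]), encoding="latin-1") as fh:
        entries = autorun_targets(fh.read())
    findings = []
    for key, command in entries:
        parts = command.replace('"', "").split()  # crude: first token is the program
        present = bool(parts) and parts[0].lower() in names
        findings.append({"root": root, "key": key, "command": command, "target_present": present})
    return findings

def demo():
    """Scan a throwaway directory standing in for an infected drive root."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("autorun.inf", SAMPLE_INF), ("peyfrf2.cmd", "")):
            with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        return scan_root(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Calling `scan_root` on each drive root (for example `C:\`, `D:\`, `E:\`) gives the list of files to quarantine together with the autorun.inf itself.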
