Avast reports 2 Trojans on my PC (BV:Autorun-G [Wrm] & Win32:Trojan-gen {Other})

Hi,

I have been having this strange problem for 3-4 days. All problems started when I plugged in a pendrive given by a close friend of mine. I am getting warnings from Avast that there is some Trojan/virus on my PC whenever I boot my PC or plug in a pendrive.

I have been through many websites and forums but never got the exact remedy.

Following is the log of Avast.

2/9/2009 9:05:14 PM SYSTEM 1804 Sign of “BV:AutoRun-G [Wrm]” has been found in “E:\autorun.inf” file.
2/9/2009 11:47:39 PM Administrator 1180 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
2/9/2009 11:49:10 PM Administrator 1180 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
2/10/2009 10:22:19 AM Kalpak Luniya 1716 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\6C908QHY\nadz[1].exe” file.
2/10/2009 10:23:03 AM Kalpak Luniya 1716 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\6C908QHY\nadz[2].exe” file.
2/10/2009 10:23:07 AM Kalpak Luniya 1716 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\sound32.exe” file.
2/11/2009 1:36:35 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[1].exe” file.
2/11/2009 2:28:36 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[2].exe” file.
2/11/2009 2:28:44 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[3].exe” file.
2/11/2009 2:28:48 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\cncai32.exe” file.
2/11/2009 2:28:51 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\cncai32.exe” file.
2/11/2009 2:37:46 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\ANR41U7C\nadz[1].exe” file.
2/11/2009 2:37:52 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\ANR41U7C\nadz[2].exe” file.
2/11/2009 2:37:55 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\sound32.exe” file.
2/11/2009 7:11:25 PM SYSTEM 1632 Sign of “BV:AutoRun-G [Wrm]” has been found in “E:\autorun.inf” file.
2/11/2009 7:13:43 PM SYSTEM 1632 Sign of “BV:AutoRun-G [Wrm]” has been found in “E:\autorun.inf” file.
2/12/2009 12:47:25 AM SYSTEM 1656 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\O09TL1DY\nadz[1].exe” file.
2/12/2009 12:47:44 AM SYSTEM 1656 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\O09TL1DY\nadz[2].exe” file.
2/12/2009 12:47:52 AM SYSTEM 1656 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\sound32.exe” file.
2/12/2009 9:59:51 AM Kalpak Luniya 1600 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\DAJZ2MPK\nadz[1].exe” file.
2/12/2009 10:00:26 AM Kalpak Luniya 1600 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\DAJZ2MPK\nadz[2].exe” file.
2/12/2009 10:00:30 AM Kalpak Luniya 1600 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\sound32.exe” file.
2/12/2009 3:02:25 PM Kalpak Luniya 1680 Sign of “BV:AutoRun-G [Wrm]” has been found in “E:\autorun.inf” file.
2/12/2009 3:02:38 PM Kalpak Luniya 1680 Sign of “BV:AutoRun-G [Wrm]” has been found in “E:\autorun.inf” file.
2/12/2009 3:02:51 PM Kalpak Luniya 1680 Sign of “BV:AutoRun-G [Wrm]” has been found in “E:\autorun.inf” file.

=========================================================================================================

I would be very happy to see this problem getting resolved. I request someone to help me out.

regards…

Raj

To help with the resolution, I am attaching the report of Trend Micro HijackThis v2.0.2.

Please help.

:slight_smile: Hi :

I suspect your friend’s pen drive is/was “infected” !? To counter that, I
recommend you use the FREE “Flash Disinfector” with Info available at
http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs .

Your HijackThis Log indicates your Java is at least 2 “Versions/Updates”
behind; in addition Win XP SP3 Operating System usually uses the 6.0 (1.6)
Java series, not the “older” 5.0 (1.5) series, so unless you have been having
difficulty using the latest version of Java, I recommend you use the FREE
“JavaRa” program, available from http://raproducts.org .

Hi,

I installed Flash_Disinfector.exe and the problem of Autorun Trojan/virus got solved. But I am still getting the message for Win32-Trojan-gen {other}.

How do I solve it? In the meanwhile I will update the Java version to the latest one and upload the HijackThis report.

regards…

Raj

What is the name and location of the file detected? (You can find this information in the avast! log.)

Hi,

The location in the log is as given below.

2/10/2009 10:22:19 AM Kalpak Luniya 1716 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\6C908QHY\nadz[1].exe” file.
2/10/2009 10:23:03 AM Kalpak Luniya 1716 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\6C908QHY\nadz[2].exe” file.
2/10/2009 10:23:07 AM Kalpak Luniya 1716 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\sound32.exe” file.
2/11/2009 1:36:35 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[1].exe” file.
2/11/2009 2:28:36 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[2].exe” file.
2/11/2009 2:28:44 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[3].exe” file.
2/11/2009 2:28:48 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\cncai32.exe” file.
2/11/2009 2:28:51 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\cncai32.exe” file.

regards…

Raj

Try deleting your temporary internet files:

http://support.microsoft.com/kb/260897

Or use CCleaner:

http://www.ccleaner.com/

Then try these free adware/spyware scanners. Download, install and update.

SUPERAntiSpyware Free
Malwarebytes’ Anti-Malware

When you have finished, check for out-of-date and insecure software and update; this will reduce the risk of similar infections.

Secunia Online Software Inspector (OSI)
Secunia Personal Software Inspector (PSI)

Attached is the New HijackThis log

Hi,

I have already used CCleaner. But I think I will give the others a try.

Thanks for all your help.

regards…

Kalpak

There’s probably some active malware that’s putting the files back in the temp directory then: you need to run the spyware scans. Nothing obvious in the HijackThis! log.
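The reasoning in the reply above (files reappearing after removal point to active malware) can be checked against the avast! log itself. The following is an added example, not part of the original thread: it parses the log format shown in the first post and reports detections that recur on different days. The sample lines are copied from that log; the function names are assumptions of this example.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# Layout seen in the thread: timestamp, user (may contain spaces), PID, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<user>.+?) (?P<pid>\d+) "
    r"Sign of “(?P<sig>.+?)” has been found in “(?P<path>.+?)” file\.$"
)
# IE cache copies carry a "[n]" counter before the extension (nadz[1].exe).
CACHE_SUFFIX = re.compile(r"\[\d+\](?=\.[^.]+$)")

# Sample lines copied from the log in the first post (one is not a detection).
SAMPLE = [
    r"2/9/2009 9:05:14 PM SYSTEM 1804 Sign of “BV:AutoRun-G [Wrm]” has been found in “E:\autorun.inf” file.",
    r"2/9/2009 11:47:39 PM Administrator 1180 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.",
    r"2/10/2009 10:22:19 AM Kalpak Luniya 1716 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\6C908QHY\nadz[1].exe” file.",
    r"2/10/2009 10:23:07 AM Kalpak Luniya 1716 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\sound32.exe” file.",
    r"2/11/2009 2:28:48 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\cncai32.exe” file.",
    r"2/11/2009 2:37:46 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\ANR41U7C\nadz[1].exe” file.",
    r"2/11/2009 2:37:55 PM Kalpak Luniya 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Kalpak Luniya\sound32.exe” file.",
    r"2/11/2009 7:11:25 PM SYSTEM 1632 Sign of “BV:AutoRun-G [Wrm]” has been found in “E:\autorun.inf” file.",
]

def parse_detections(lines):
    """Return (timestamp, user, pid, signature, path) for each detection line."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # update errors and other non-detection entries
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        found.append((ts, m["user"], int(m["pid"]), m["sig"], m["path"]))
    return found

def recurring(detections):
    """Map (signature, file name) to its detection dates when seen on 2+ days."""
    days = defaultdict(set)
    for ts, _user, _pid, sig, path in detections:
        # Group by file name so new random cache folders do not hide repeats.
        name = CACHE_SUFFIX.sub("", ntpath.basename(path)).lower()
        days[(sig, name)].add(ts.date())
    return {key: sorted(d) for key, d in days.items() if len(d) > 1}

if __name__ == "__main__":
    for (sig, name), dates in recurring(parse_detections(SAMPLE)).items():
        print(name, sig, [d.isoformat() for d in dates])
```

A file name that keeps coming back on later days, in a fresh cache folder each time, is the pattern that suggests something still running is re-downloading it.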

Hi Frank (I guess this is your name),

Thanks a lot. I used Malwarebytes’ Anti-Malware and the virus seems to be gone. Avast is not reporting any message now. I hope the system is clear now.

I again thank you for the time and effort you have spent.

regards…

Kalpak

Hi,

A last question

I have heard of disabling the autorun using the gpedit.msc. So I opened Computer Configuration >> Administrative Templates >> System >> Turn Off Autoplay and enabled Autoplay for all drives. But still the USB and even the CD are detected when inserted. The PC has been rebooted after the configuration change.

I know this is not the forum, but I thought that this info would help others when they plug in the pendrive and get viruses/Trojans like BV: Autorun-G [Wrm].

regards…

Kalpak

It’s my “nom de malware”. :wink:

Glad I could help.

Don’t forget the Secunia scan: this will help prevent future infections.

Here’s the best way to disable autorun:

http://support.microsoft.com/kb/953252

Note: Gpedit.msc will not run on XP Home edition as it is not available.

In XP Media Center it is available.