carpet\shey.exe, muza\sguza.exe

Hi,

I am stuck with a very new virus that Avast (and all the other AV I tried up to this moment) does not detect and that I cannot manage to get rid of. The created files are named either

carpet\shey.exe
or
muza\sguza.exe

plus an autorun.inf

The folders are hidden on any external storage media I plug into the computer, and it instantaneously (I hope I spelled that right…) infects any computer it is put on. I cleaned the registry files and deleted every trace of the files on the computer, but it keeps coming back. I will attach the infected files here and the OTL log as well. I tried what was written here:

http://rhosted.blogspot.com/2010/06/manual-removal-of-sguzaexe-and-sheyexe.html

No results.

More information:

http://www.prevx.com/filenames/X285138109880396664-X1/SHEY.EXE.html

Detection progress:
http://www.virustotal.com/analisis/192e08de435a10cb6912a8c52494732e7f997c0e8c4c31f759e0bce4fa79868e-1276081986
http://www.virustotal.com/analisis/db84ef5f2fe248384321cdd820c96bf37e236cb8a8f591b155d069a7aa46d511-1276082193

So there I am, clueless and desperate for help as it has infected my office as well.
Thank you!

->Problem solved, malware link removed<-

EDIT: Added links posted below to the original post.

VirusTotal - autorun.inf - 4/40
http://www.virustotal.com/analisis/112956e2ba2cb34d13e8b7a6e61a2cb4d589e32ac2d743ba0e4a54260c6e2669-1276031483

Since Panda is detecting it, have you tried Panda ActiveScan? http://www.pandasecurity.com/activescan/index/

Hi Martarek,

Make that live link to the malcode non-clickable by giving in htxp or wxw…
For the malcode see: htxp://jsunpack.jeek.org/dec/go?report=d301c3915709538e1aa6fd1112a96b9349e09cf6
(The mentioned link is only to be opened by experts who know what they are doing, for instance working in VM surroundings with a Mozilla-type browser (or Malzilla) with NoScript and RequestPolicy active and with just plain user rights; use care!)

polonus

Hi, let's try this for starters.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O33 - MountPoints2\{d2e19af4-544f-11de-9c35-001fd0497d1a}\Shell\AutoRun\command - "" = dqm.exe
O33 - MountPoints2\{d2e19af4-544f-11de-9c35-001fd0497d1a}\Shell\open\Command - "" = dqm.exe
O33 - MountPoints2\{f4c0395e-8c1b-11de-9c63-001fd0497d1a}\Shell\AutoRun\command - "" = rEcycLER\\dRiVER.EXe
O33 - MountPoints2\{f4c0395e-8c1b-11de-9c63-001fd0497d1a}\Shell\eXPLORe\cOmmANd - "" = rECyCLeR\drIvER.eXe
O33 - MountPoints2\{f4c0395e-8c1b-11de-9c63-001fd0497d1a}\Shell\oPEn\coMMaNd - "" = RECYCler\\DrIVER.ExE
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.

- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives, including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you run it. Don't delete this folder; it will help protect your drives from future infection.

FINALLY

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT!!! Save ComboFix.exe to your Desktop.

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

- Double click on ComboFix.exe and follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include C:\ComboFix.txt in your next reply.
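The OTL fix above works by listing the MountPoints2 autorun handlers (the O33 lines) that point at the worm's executables. As an added example, not code from the thread, from OTL or from any of the posters, the script below parses O33 lines of that shape from a constructed log excerpt, flags handlers that reference a relative path on the volume, a RECYCLER folder, or one of the file names named in this thread (a heuristic assumed here, not an AV signature), and emits the matching `:OTL` fix lines.

```python
import re

# Constructed OTL log excerpt: the same shape as the O33 lines quoted in this
# thread, plus one absolute-path entry for contrast. Not a real log.
SAMPLE_LOG = r'''
O33 - MountPoints2\{d2e19af4-544f-11de-9c35-001fd0497d1a}\Shell\AutoRun\command - "" = dqm.exe
O33 - MountPoints2\{f4c0395e-8c1b-11de-9c63-001fd0497d1a}\Shell\oPEn\coMMaNd - "" = RECYCler\\DrIVER.ExE
O33 - MountPoints2\{00000000-1111-2222-3333-444444444444}\Shell\AutoRun\command - "" = E:\setup.exe
'''

# One O33 line: (full registry key, mount-point GUID, shell verb, command value).
O33_RE = re.compile(
    r'^(O33 - MountPoints2\\(\{[0-9a-f-]+\})\\Shell\\([^\\]+)\\command) - "" = (.+)$',
    re.IGNORECASE)

# File names mentioned in this thread; a heuristic list, not an AV signature.
KNOWN_NAMES = {"shey.exe", "sguza.exe", "dqm.exe", "driver.exe"}


def parse_o33(log):
    """Return (key, guid, verb, command) for every MountPoints2 line in the log."""
    return [m.groups() for m in map(O33_RE.match, map(str.strip, log.splitlines())) if m]


def is_suspicious(command):
    """Heuristic: a handler is flagged when it points at a relative path on the
    volume itself, sits in a RECYCLER folder, or uses a file name from this thread."""
    cmd = command.replace("\\\\", "\\").strip('"')
    relative = re.match(r"^[a-z]:\\", cmd, re.IGNORECASE) is None
    in_recycler = "recycler" in cmd.lower()
    name = cmd.split("\\")[-1].lower()
    return relative or in_recycler or name in KNOWN_NAMES


def build_otl_fix(log):
    """Emit an OTL custom-fix script containing only the flagged O33 lines."""
    flagged = [line.strip() for line in log.splitlines()
               if (m := O33_RE.match(line.strip())) and is_suspicious(m.group(4))]
    body = "\n".join(flagged)
    return f":OTL\n{body}\n:Commands\n[emptytemp]\n[Reboot]\n"


if __name__ == "__main__":
    for key, guid, verb, cmd in parse_o33(SAMPLE_LOG):
        flag = "SUSPICIOUS" if is_suspicious(cmd) else "ok"
        print(f"{flag:10} {guid} {verb}: {cmd}")
    print(build_otl_fix(SAMPLE_LOG))
```

Point the script at a real OTL log to list which mount-point handlers still reference an executable on the removable drive; the absolute-path entry in the sample is deliberately left unflagged to show the heuristic's limit.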

@Pondus: I did not try Panda; I did not think of it before you mentioned it. I'll give it a shot.

@Polonus: Sorry for the link. I edited my previous post on the matter.

@essexboy: Thanks for the directives. I'll do that as soon as I get to work tomorrow morning (10 hours from now).

I'll keep you updated on the progress. Thank you all for your help!

BTW: what's your avast version? These binaries probably belong to a family previously detected as Win32:MalOb-AI, and v5 could detect this new variant as Win32:SuspBehav…

@Maxx_original

I uploaded the autorun.inf sample this morning if you need it…

These autoruns are less important than the binaries… the binaries contain all the malcode, so we should detect them…

Both file names are in our FP submissions log (ppl thought that it was an FP), detected as Win32:SuspBehav, so the heuristics seem to work here (and detect a new variant)…

http://www.virustotal.com/analisis/192e08de435a10cb6912a8c52494732e7f997c0e8c4c31f759e0bce4fa79868e-1276081986
http://www.virustotal.com/analisis/db84ef5f2fe248384321cdd820c96bf37e236cb8a8f591b155d069a7aa46d511-1276082193

(I would suggest updating avast+VPS to the latest version; this is an example of why it is a good step forward in computer security.)

Hi,

Thanks for all your valuable inputs and time. I am going to install an AV that detects it, based on the list you sent. I thought that avast and avast 5 were using the same virus definitions and could detect the same things. Obviously, I was wrong, so thank you for setting me straight!

So if everything goes well, this should be my last post on the topic. Thanks again!

v5 contains advanced heuristic technologies (impossible to implement in v4)… it's not that surprising that a new version may be better than the older one, or is it? :wink:

Computer security is (mainly) based on keeping key system components updated; let's give v5 a shot…