NOD32 Alert problem

Discussion in 'NOD32 version 2 Forum' started by Reymar_Santos20, Jul 23, 2007.

Thread Status:
Not open for further replies.
  1. Reymar_Santos20

    Reymar_Santos20 Registered Member

    Joined: Jul 14, 2007
    Posts: 66
    Kindly look at the attachment.
    One of the clients has a problem with this.

    Please see if my solution is OK.
    Please give me feedback about this.

    Try this manual virus removal.

    But be careful when doing this.

    After two cups of black coffee, while my noisy little son is 'eating rice with angels' (a literal translation of an Arabic expression that means sleeping), I found out the following:

    Every time it detects the malicious exe files it misses (and so do I) at least one of them, so it recreates itself when I double-click the drive again!

    This time I manually deleted all the malicious files, removed the svchost.exe from the registry so it doesn't run at startup anymore, and then I did reboot my computer!

    But the "AutoRun" item is still there, and when I double-click the drive, an error message appears saying that there's no such file called copy.exe!

    I then opened regedit, did some searching and found these three registry keys that are apparently added by the virus to add an item to the context menu for every drive I have in my computer, C, D and E:



    CODE

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell]
    @="AutoRun"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
    @="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec1-bff7-11da-bcaf-806d6172696f}\Shell]
    @="AutoRun"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec1-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
    @="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec3-bff7-11da-bcaf-806d6172696f}\Shell]
    @="AutoRun"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec3-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
    @="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"



    I deleted those keys and the item disappeared and the 'Open' item came back to the top of the menu as the default selection so when I double-click the drive it normally shows the contents of it in the same window and no exe files are created!



    Thank you,


    Reymar A. Santos
    Technology Support Group
    Valueline Systems and Solutions Corporation
    2nd Flr., J & L Building, No. 23 Matalino Street,
    Central District Diliman, Quezon City
    Philippines, 1100
    Phone # : +632 925.7623
    Fax # : +632 925.2174
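
An added example, not part of the original post: a read-only PowerShell audit that lists every per-volume shell verb under the MountPoints2 key quoted above, so leftover entries like the `AutoRun` verb pointing at `copy.exe` can be reviewed before anything is deleted. It assumes it is run in the affected user's session, because the keys live under HKEY_CURRENT_USER; the variable and property names are chosen for this example.

```powershell
# Added example: audit HKCU MountPoints2 for shell verbs that launch a command.
# Read-only: nothing is modified or deleted.
$root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

$findings = foreach ($volume in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    # Each subkey is one mount point (volume GUID, drive letter or network share).
    $shell = $volume.OpenSubKey('Shell')
    if ($null -eq $shell) { continue }

    # The default value of ...\Shell names the verb that a double-click runs.
    $defaultVerb = $shell.GetValue('')

    foreach ($verbName in $shell.GetSubKeyNames()) {
        $commandKey = $shell.OpenSubKey("$verbName\command")
        if ($null -eq $commandKey) { continue }

        [pscustomobject]@{
            MountPoint    = $volume.PSChildName
            Verb          = $verbName
            IsDefaultVerb = ($verbName -eq $defaultVerb)
            Command       = $commandKey.GetValue('')
            KeyPath       = "$($volume.Name)\Shell\$verbName\command"
        }
        $commandKey.Close()
    }
    $shell.Close()
}

if ($findings) {
    # Entries where IsDefaultVerb is True replace 'Open' as the double-click action.
    $findings | Sort-Object MountPoint, Verb | Format-List
} else {
    Write-Output 'No shell verbs with commands found under MountPoints2.'
}
```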
     
