OS: Windows XP (Home and Professional)
Rest of the specs = VARIOUS computers.
 
Hey guys, I'm in a bit of a pickle with this one. Basically, it started off at school (this will be a bit of a long story). Every now and again, a flash drive would get a strange autorun.inf file created on it, and another inctvg.exe (or similar) created file. The combination of these would cause the flash drive to be inaccessible via the usual "double click" from My Computer, instead only accessible through Explore or AutoPlay. To fix the flash drives, all files had to be copied off, and the flash drive reformatted. Then it started spreading to home computers. I am one of the two students who has been appointed to find out more about this. So far, this is what I know, but I was wondering if anyone knew any more about this virus, because every Google result I get is in Chinese, and that would make sense, because no anti-virus software that I have yet found (and I've tried 5 of the best) can remove it. The main dilemma is - ALTHOUGH the server can be reset and started again - it will just take one student with their flash drive still infected to bring the virus back. Anyhow, this is what we know:
 -It runs two files at startup which run in the processes (ehjalrp.exe and quqnrtl.exe)
 -You end one, and it will respawn the other, and vice versa, so the entire process tree has to be stopped in order for it to stop the virus
-Its effects on the system include changing the file type association of folders to open every file folder as a new search window; it prevents hidden files from being viewed (both while the virus is there, and even after it is stopped - i.e. it just changes the folder options back to not viewing hidden files); any administrative windows apart from Task Manager are closed straight away (i.e. msconfig, System Properties, etc.), and Safe Mode is DISABLED. These are the only ones we have discovered; there may be more.
 -It downloads various other keyloggers and trojans, and possibly a virus called the "Like Virus"
-To remove it, it has to have the process killed, and then we have used File Assassin to remove it, because Windows doesn't recognise its existence. Then it doesn't start up again, but it seems that maybe it has other processes or registry keys attached to it, because after a few days it recreates itself.
 
 So I was wondering the following:
 -Does anyone know how to get the viewing of hidden files re-enabled after the damage is done? (i.e. maybe a registry key preventing it or something)
-Does anyone have a fix for this, or know the other associated processes with it?
-Does anyone have a server-wide fix or any suggestions? Because checking 600-odd flash drives for infection would be quite time-consuming. We were thinking an immunity in the registry or something, but this would require knowing what registry keys it affects and modifies, and the knowledge of how to implement it. Thanks guys.
 
Thanks in ADVANCE for any help that you guys might have to offer. Being a seemingly Asian virus, I don't know of anyone who's heard of it, so it makes it a bit hard. Thanks again.
 
-Phoenix910

Please list the protection apps you have run...
It sounds like a self-replicating trojan which most AV programs may not be able to deal with...
Trojans are a different beast.

It does sound like a trojan, so maybe try SuperAntiSpyware. It's free and really good. Also dl HijackThis and post a log for me and other members to review; the log may take more than one post.

Most of the infected school computers run McAfee (not my favourite), but on the infected computers, I have run Trend Micro Internet Security 2007, ClamWin, Spybot, Ad-Aware, HijackThis, and Registry Mechanic. From memory I believe that was all. In terms of posting a HijackThis log, I will have to wait until I find another infected computer, so that will be perhaps about a day or two, but along with this virus, I seem to find about 150 different other keyloggers and trojans every time, so I am theorising perhaps it downloads a lot of other viruses itself? Anyhow, thanks for the help so far.

-Phoenix910

But try SuperAntiSpyware: dl it, install it, update it, and then unplug the TEST computer (a random infected computer we will work on and try to fix first) from the network, then scan.

Alrighty, I'll try that and let you know how it goes. If this works, any idea on immunities on a server level? I.e. what keys it affects so we can block it from occurring?

Ummm, that's hard to tell, but if SAS finds it, it will tell you what it did. Just make a log for me to look at.
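As an added example that is not from any poster in this thread, here is a small Python triage script for the original question of screening the school's flash drives: it parses the autorun.inf in a drive root and flags every directive that would launch an executable from the drive, the autorun.inf plus dropped .exe combination described in the first post. The directive names are standard autorun.inf keys; the sample file contents are constructed from the thread's description, and a drive root path is assumed as the input to scan_drive_root.

```python
"""Triage helper for the autorun.inf + dropped .exe pattern in the thread: parse an
autorun.inf from a drive root and report every directive that would launch a program."""
import os
import re

LAUNCH_KEYS = {"open", "shellexecute"}           # run a program on AutoPlay/double-click
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # rebinds context-menu verbs
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

def parse_autorun(text):
    """Return {key: value} from the [autorun] section (Windows reads names case-insensitively)."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank, comment, or junk padding lines worms often add
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def program_of(value):
    """Isolate the program path from a command value, honouring double quotes."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def assess(text):
    """Launchers aimed at a script/executable are the pattern the thread describes."""
    entries = parse_autorun(text)
    launchers = [(k, program_of(v)) for k, v in entries.items()
                 if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]
    flagged = [(k, p) for k, p in launchers if p.lower().endswith(EXEC_EXT)]
    return {"suspicious": bool(flagged), "launchers": launchers, "flagged": flagged}

def scan_drive_root(root):
    """Read <root>/autorun.inf if present; 'present' lists flagged programs that exist."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return {"suspicious": False, "launchers": [], "flagged": [], "present": []}
    with open(path, "r", errors="replace") as fh:  # worm-written files may hold binary junk
        result = assess(fh.read())
    result["present"] = sorted({p for _, p in result["flagged"] if os.path.isfile(os.path.join(root, p))})
    return result

# Constructed sample in the shape the thread describes (not a real capture).
SAMPLE_INF = "[AutoRun]\r\nOpen=inctvg.exe\r\nshell\\open\\Command=inctvg.exe\r\nshellexecute=inctvg.exe\r\n"
```

Run scan_drive_root against each mounted drive's root from a clean machine with AutoPlay turned off, so the drive is inspected rather than opened. A vendor CD with open=setup.exe trips the same check, so review hits rather than treating them as proof of infection.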