
Topic: nodqq and ca.exe virus on 3 machines, USB spreading virus


Rusty

    Not sure where my 1st post went, but I'll try again. I have 3 machines (desktop, laptop and netbook), all infected with the nodqq.exe/ca.exe virus. Bought a Verbatim 500G USB drive to sync all my stuff between the three about 2 weeks ago. Noticed Friday night that I couldn't access any hidden files with my laptop, either on the drive or on the computer's HDD.
    Tried on the desktop and found the same issue. Any attempt to show hidden files via Start>MyDocuments>Tools>Folder Options>View didn't work. The selection goes right back to not show.
    Have spent most of the weekend fighting this. 1st, I updated all my Norton to Internet Security 2010 and ran back-to-back scans. 2nd, downloaded and ran Hijackthis and posted results (Previous post #1 not listed anymore?). 3rd, downloaded and ran CCleaner and posted results. Eventually Norton ID'd nodqq and ca.exe among some other unfavorable stuff and removed them from the desktop and laptop.

    The problem is that my netbook is still infected. I thought I had it beat yesterday when I found and changed some items in the registry and got it working again. All seemed ok until I restarted and went back to the same issues. This is what I have figured/found out:

    I'm not sure where the virus got picked up, but it installed itself into my USB drive disguised as "autorun.inf"
    When the drive got plugged in to my netbook, it used autorun to install itself into the windows inf folder. It also added the value "nod32 = %Local Settings%\Temp\nodqq.exe" under the registry key   

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    and changes the value  Hidden = 02
    ShowSuperHidden = 00

    under the key

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\folder\showall

    I can get into msconfig and deselect nodqq.exe but when I click OK I get an access error message that tells me to sign in as an admin.

    I found and deleted 1 exe and 2 dll files with the name nodqq I found by running search, selecting search hidden files and folders. Now no more files with that name are found.
    Norton keeps finding and quarantining Trojan.Packed.NsAnti
    Each time it says it's resolved but it keeps coming back. It has also picked up and resolved ca.exe once and rpw.exe twice.

    I've run and am running Norton Internet Security 2010, CCleaner, Hijackthis and Spybot S&D.

    I've changed registry values back to normal and removed added items only to have them go back. I need to find where this thing is hiding, how it's coming back and changing reg entries and how I can kill and remove it permanently. I hope I've included enough info. By the way:

    ASUS EeePC
    Intel Atom
    CPU N270 @ 1.60 GHz 0.99Mb RAM
    XP Home 2002 SP3
    Norton Internet Security 2010
    Spybot S&D

    Let me know if you want logs posted; I have the ones from Hijackthis, Norton, and CCleaner.

    Also downloaded and running NOautorun USB defender and was able to get into my drive and remove the virus on that front.
    ADD means never being bored.
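
Added example, not part of the original post: one way to confirm the "values go back after restart" behaviour described above is to export the two registry keys after cleanup and again after the reboot, then diff them. The function names, user name and file paths below are assumptions made for illustration; only the value names and data (`nod32`, `Hidden`, `ShowSuperHidden`) come from the post.

```python
import re
# Constructed samples (user name and paths are made up): .reg exports taken
# after manual cleanup and again after the next reboot.
CLEANED = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
'''
REBOOTED = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"nod32"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\nodqq.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

# Key prefixes to watch, hive name stripped; the Run prefix also covers RunOnce.
WATCHED = (r"software\microsoft\windows\currentversion\run",
           r"software\microsoft\windows\currentversion\explorer\advanced")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<s>.*)"|dword:(?P<d>[0-9a-fA-F]{8}))$')

def snapshot(text):
    """Map (key, value name) -> data for watched keys in .reg export text."""
    snap, key = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower().partition("\\")[2]  # drop the hive name
        elif key.startswith(WATCHED) and (m := VALUE_RE.match(line)):
            data = int(m["d"], 16) if m["d"] else m["s"].replace("\\\\", "\\")
            snap[(key, m["name"].lower())] = data
    return snap

def regressions(cleaned_text, rebooted_text):
    """List values that appeared or changed between the two exports."""
    before, after = snapshot(cleaned_text), snapshot(rebooted_text)
    out = []
    for (key, name), data in sorted(after.items()):
        if before.get((key, name)) != data:
            kind = "added" if (key, name) not in before else "changed"
            from_temp = isinstance(data, str) and "\\temp\\" in data.lower()
            out.append((kind, name, data, from_temp))  # from_temp: runs out of a Temp dir
    return out

if __name__ == "__main__":
    print(*regressions(CLEANED, REBOOTED), sep="\n")
```

A non-empty result after a reboot means something still running is rewriting the keys, so the next step is finding that process rather than editing the values again.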

    ochenspiel

    • Guest
    « Reply #1 on: May 04, 2010, 05:01:41 PM »
    Hey man, I've registered just to tell you how I finally managed to kill nodqq and its variants.

    I was using my USB stick on a networked, public computer at school and when I got home and plugged it into my laptop and PC, I noticed Windows Live Messenger and IE were crashing.

    Malwarebytes has always been my go to for getting rid of this kind of thing and it found and deleted nodqq.exe and dlls, repaired registry, etc.

    However, upon reboot, the virus managed to keep regenerating itself. I even deselected it from start up in msconfig, but it would magically reappear in the list.

    Anyways, I downloaded this PeeTech fix advertised on some tech-blog site and it worked PERFECTLY. Upon reboot, I could instantly see hidden files that nodqq had been blocking. I was wary at first to d/l something that I didn't know anything about, but I figured I'd try it first on my laptop where the damage would be minimal.


    Anyways, here's the link to the blog and directly to the fix. Just download, unrar and run. Made my day- I'd been losing my mind.

    Blog: http://hotzone-it.blogspot.com/2010/04/how-to-remove-dqmexe-nodqqexe.html

    Fix: http://www.mediafire.com/?mmlwxnmn2yz

    Hope this helps!

    Oh, and PS, I'm planning on just throwing the USB drive in the garbage hahaha.

    harry 48



    « Reply #2 on: May 08, 2010, 07:48:59 AM »
    Rusty, please wait for a malware expert to help you in this topic.

    Rusty

      « Reply #3 on: May 10, 2010, 07:39:31 PM »
      Wanted to update those who were interested. To recap, Norton Internet Security 2010 was able to kill three viruses identified as trojans. Specifically they were: ca.exe, nodqq.exe and pwe.exe. The virus showed up in my Verbatim USB HDD and was named "autorun.inf". As soon as the drive was plugged in to a machine, bam, it downloaded itself to 3 different locations. It also created registry keys and changed registry values. The keys were created to start them on bootup, even if removed from the msconfig startup list. The registry values seemed to make them hard to find by not allowing access to hidden files.

      All 3 had to be removed in short order or they would be replaced by one of the other two.
      When pwe.exe was removed by Norton, you could get access to hidden files by changing them back to a value of (1) in the registry. When this worked I ran search and located each file (nodqq.exe, ca.exe, and pwe.exe, along with nodqq.dll) and deleted them. I also found copies of them in the %temp% file and deleted them. The first try was a bust, but the second time I remembered to empty the recycle bin and then they didn't return.

      It was quite a blur, with 3 machines running simultaneously so I'm having trouble recalling it all, but between Norton 2010, CCleaner, Hijackthis & Spybot S&D it seemed to work out. I also installed Noautorun which allowed me to find and kill the original threat disguised as "autorun.inf".  All 3 are up and running, the only thing I found is that Norton finds and removes a different trojan 3-4 times/day so something is still going on there. Hope this info helps someone.
      Rusty
      ADD means never being bored.