Get infected...

yumeyao
Moderator
Posts: 1718
Joined: Sun Aug 27, 2006 9:24 pm
Location: Taiyuan, Shanxi, PR China

Get infected...

Post by yumeyao » Thu Aug 19, 2010 11:40 pm

http://www.virustotal.com/file-scan/rep ... 1282274850

My computer got infected last night, about 13 hours ago. I just sent a virus sample and the result is as above.

Does anyone know how to clean it? It doesn't matter, I can restore the infected files (the clue is files modified yesterday with a .exe extension). I'm just asking whether it has left something else in my system.

Anyway, I'm trying avast's removal tool.

The most f*cking thing is that I have a lot of hotfixes downloaded and there is no copy of them!!!! And most PE viruses damage self-extracting files!!!
My work list(Hosted by dumpydooby)

feup
Posts: 11
Joined: Sat Jul 09, 2005 9:45 am

Post by feup » Fri Aug 20, 2010 12:09 am

Hi.

You can try one of these:
Kaspersky Virus Removal Tool
Dr.WEB CureIt!

Good luck.

5eraph
Site Admin
Posts: 4619
Joined: Tue Jul 05, 2005 9:38 pm
Location: Riverview, MI USA

Post by 5eraph » Fri Aug 20, 2010 12:16 am

Tenga-A infects all EXE files it finds on your system and connected file shares on other PCs networked to yours. Luckily it seems to be an older virus, so most antivirus programs should catch it. I'd recommend disconnecting all PCs from your home network until they've all been cleaned to prevent reinfecting them.

TheMAN
Posts: 27
Joined: Tue May 25, 2010 8:15 pm
Location: Dallas, TX

Post by TheMAN » Fri Aug 20, 2010 12:19 am

Does Malwarebytes work in this case?
I use Panda too.

yumeyao
Moderator
Posts: 1718
Joined: Sun Aug 27, 2006 9:24 pm
Location: Taiyuan, Shanxi, PR China

Post by yumeyao » Fri Aug 20, 2010 12:54 am

The infected files' modified times are from 2010/8/19 21:58 to 2010/8/20 3:54. All files are located in F: or G:, but not all .exe files in F: got infected (although all the infected files are important ones...).

My G: holds music/movies and games, but my F: is my main working space... All UpdatePacks, Addons, code, etc. are in F:. Although I have a backup, of course the backup is not always the latest, and I never back up the hotfixes...

My notebook is connected to a desktop computer on my home network; the desktop seems fine - no files infected.
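The post above narrows the infection down by two clues: .exe files whose modified time falls inside a known window, and a backup that can serve as a known-good reference. The following script is an added example of that triage, not code from the thread or from any of the tools mentioned in it. It walks a directory tree, flags every .exe whose mtime lies in the window (the 2010/8/19 21:58 to 2010/8/20 3:54 range from the post) or whose SHA-256 differs from a baseline manifest built from the backup, and it goes one step beyond the post by also reporting files that have no baseline entry at all. The sample tree, its contents and the `build_sample` helper are constructed here for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Infection window stated in the post (local time).
WINDOW_START = datetime(2010, 8, 19, 21, 58)
WINDOW_END = datetime(2010, 8, 20, 3, 54)


def sha256_of(path):
    """Stream a file through SHA-256 so large hotfix packages do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root, baseline, start=WINDOW_START, end=WINDOW_END):
    """Return sorted (relative_path, reasons) pairs for .exe files worth a closer look.

    baseline maps a POSIX-style relative path to the SHA-256 of the trusted copy
    (for example, computed over the last backup).  A file is reported when its
    mtime falls inside [start, end], when its hash differs from the baseline,
    or when the baseline has no entry for it (a file the backup never saw).
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.exe")):
        rel = path.relative_to(root).as_posix()
        reasons = []
        mtime = datetime.fromtimestamp(path.stat().st_mtime)
        if start <= mtime <= end:
            reasons.append("mtime-in-window")
        expected = baseline.get(rel)
        if expected is None:
            reasons.append("not-in-baseline")
        elif expected != sha256_of(path):
            reasons.append("hash-mismatch")
        if reasons:
            findings.append((rel, ",".join(reasons)))
    return findings


def _write(path, data, when):
    """Write data to path and pin its mtime to the given datetime (constructed helper)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    stamp = when.timestamp()
    os.utime(path, (stamp, stamp))


def build_sample():
    """Create a constructed working tree and the baseline taken 'before' the infection.

    - UpdatePack/clean.exe : unchanged, modified long before the window
    - Addons/hotfix.exe    : contents changed and mtime inside the window
    - codes/new.exe        : created after the backup, so absent from the baseline
    Returns (root, baseline).
    """
    root = Path(tempfile.mkdtemp(prefix="triage-sample-"))
    clean = root / "UpdatePack" / "clean.exe"
    hotfix = root / "Addons" / "hotfix.exe"
    new = root / "codes" / "new.exe"

    # State at backup time: only these two files existed, with original contents.
    _write(clean, b"MZ clean payload", datetime(2010, 8, 10, 12, 0))
    _write(hotfix, b"MZ original hotfix", datetime(2010, 8, 10, 12, 0))
    baseline = {
        "UpdatePack/clean.exe": sha256_of(clean),
        "Addons/hotfix.exe": sha256_of(hotfix),
    }

    # State after the incident: hotfix rewritten inside the window, new file added later.
    _write(hotfix, b"MZ original hotfix + appended junk", datetime(2010, 8, 19, 23, 0))
    _write(new, b"MZ new tool", datetime(2010, 8, 20, 12, 0))
    return root, baseline


if __name__ == "__main__":
    sample_root, sample_baseline = build_sample()
    for rel_path, why in triage(sample_root, sample_baseline):
        print(f"{rel_path}: {why}")
```

Running it prints the two suspicious entries and stays silent about the clean file. In a real cleanup the baseline would be built by hashing the backup once, and the mtime check alone is the weaker signal: a file can be restored from backup and still keep an old mtime, or be touched legitimately inside the window, which is why the hash comparison is the reason to keep.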

mr_smartepants
Posts: 824
Joined: Thu May 18, 2006 5:56 am
Location: Cambridgeshire, UK

Post by mr_smartepants » Fri Aug 20, 2010 1:40 am

What A/V are you using for everyday protection? A full scan should be able to remove it.
More info here: http://www.symantec.com/security_respon ... 16-2523-99

You could use 7-Zip or WinRAR to extract the contents from the .exe. It's just a container in any case. Then you'll have the important bits and can ditch the .exe.
Some heroes don't wear capes, they wear Kevlar and dog-tags!

yumeyao
Moderator
Posts: 1718
Joined: Sun Aug 27, 2006 9:24 pm
Location: Taiyuan, Shanxi, PR China

Post by yumeyao » Fri Aug 20, 2010 10:07 am

I have removed all the infected files and most are restored. But I need to download all the hotfixes later, ahh.... a big project..........

@mr_smartepants,
I wasn't using any AV, nor do I plan to use any on my laptop. If I did, avast would be a good choice, I guess.

user_hidden
Posts: 1924
Joined: Thu Dec 06, 2007 7:52 am
Location: Canada eh!

Post by user_hidden » Fri Aug 20, 2010 1:27 pm

I don't use any A/V or anti-malware software either in my personal environment.
In my corporate environment we use Symantec AV Corp or Endpoint Protection.

As for a firewall, I like ZoneAlarm Pro or Comodo Free; I use ZAP on my personal PC.

I have been lucky when dealing with infected PCs using:
Good ole Microsoft MRT.exe for malware
McAfee Stinger
Remove Fake AV

yumeyao
Moderator
Posts: 1718
Joined: Sun Aug 27, 2006 9:24 pm
Location: Taiyuan, Shanxi, PR China

Post by yumeyao » Fri Aug 20, 2010 5:51 pm

To be honest, I haven't encountered a PE worm/virus for almost 10 years, on different computers (including friends'). I have manually cleaned a lot of Trojans/suspicious files since 2003 - unlike PE viruses, they use various ways to hide themselves and various ways to run with your OS, but they don't damage files (or only a small number of system files).

Comodo Free is what I use, but I prefer to turn it off when I'm at home... Well, I may change this decision in the future. I suppose that remote attacks shouldn't be that easy on a fully updated OS. Anyway, thanks for the links.

BTW I'm going to the city where my college is soon, with my family, to visit the EXPO. I planned to release a new version of .NET yesterday but I wasn't able to do that. Now I don't know when I can release a new one.

user_hidden
Posts: 1924
Joined: Thu Dec 06, 2007 7:52 am
Location: Canada eh!

Post by user_hidden » Fri Aug 20, 2010 7:19 pm

Have a great time with the family and the start of a new school season.

shiner
Posts: 655
Joined: Sun Nov 08, 2009 4:18 am
Location: SE Asia

Post by shiner » Fri Nov 05, 2010 9:13 pm

Aargh!
There is some wicked malware now on my system.

I normally browse with FF and NoScript.
I recently allowed an object I thought was a "Captcha," or whatever, to view the image and got nailed.

Been wrestling with its removal, but it looks like a definite reformat and clean install for me on this SOB.
"You can lead a horse to water, but you can't make it drink."

avexmode
Posts: 47
Joined: Tue Sep 16, 2008 3:12 pm

Post by avexmode » Sat Nov 06, 2010 7:42 am

Sandboxie is a great application for preventing viruses/malware...

=[FEAR]=JIGSAW
Posts: 392
Joined: Mon Feb 18, 2008 11:54 am
Location: Cape Town, South Africa

Post by =[FEAR]=JIGSAW » Sat Nov 06, 2010 5:34 pm

shiner wrote: Aargh!
There is some wicked malware now on my system.

I normally browse with FF and NoScript.
I recently allowed an object I thought was a "Captcha," or whatever, to view the image and got nailed.

Been wrestling with its removal, but it looks like a definite reformat and clean install for me on this SOB.
Try "Malwarebytes" - http://www.malwarebytes.org/

Have not found anything that this baby cannot remove ;)

shiner
Posts: 655
Joined: Sun Nov 08, 2009 4:18 am
Location: SE Asia

Post by shiner » Sat Nov 06, 2010 6:39 pm

=[FEAR]=JIGSAW wrote: Try "Malwarebytes" - http://www.malwarebytes.org/

Have not found anything that this baby cannot remove
Thanks, =[FEAR]=JIGSAW

MBAM was one of the first programs I tried and it found zero, but it was not the only one. In the order I used the programs:

Avast 5 Free boot-time scan - Found nothing
Spybot SD - Found nothing
MBAM- Found nothing
GMER - Showed several irregularities but couldn't complete scan.
SysInternals - Rootkit Revealer found nothing
HijackThis - showed nothing suspicious
DrWebCureIT - found nothing
Kaspersky TDSSKiller - found nothing
RootRepeal - confirmed some irregularities found by GMER
SysInternals Autoruns - confirmed irregularities with certain drivers' entries in the registry

The telltale signs are detection of spyt.sys and another .sys file with a random 8-character name. These two files were not detected by most of the above software, all running the latest definitions.

GMER seemed the closest to getting this thing but it stalls just before completing its scan.
I now think this is a variant on the TDL3 / TDL4 rootkit despite the negative results by the DrWeb and Kaspersky tools.

This thing in my system is a sublime piece of work and very difficult to detect, but it is there and I can't remove it with any tools I have tried yet.
It modified atapi.sys and I think it is also using the paging file and an encrypted hidden virtual drive to conceal itself.
I have just downloaded ComboFix and OTL after researching their use.
But I am now just fiddling around and waiting until Patch Tuesday to do the reformat and clean install.
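The clues in the post above are a driver with an unfamiliar short name (spyt.sys), a second driver with a random-looking 8-character name, and Autoruns showing irregular driver entries. The script below is an added example, not part of the thread or of Autoruns, of how a defender can run simple heuristics over an exported driver list: it flags entries whose signer is not verified, whose description is empty, or whose file name looks machine-generated. The tab-separated layout of `SAMPLE_EXPORT` and its rows are constructed for this example and only loosely resemble an Autoruns export; real column names will differ. Note the caveat from later in the thread: on a machine with a kernel rootkit, any listing taken from inside that system may already be incomplete, so a clean result here proves nothing, while a hit is worth following up from trusted media.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Constructed sample shaped like a driver export: tab-separated with a header row.
# Column names are an assumption for this example, not Autoruns' actual format.
SAMPLE_EXPORT = """\
Entry\tDescription\tSigner\tImage Path
atapi\tIDE/ATAPI Port Driver\t(Not verified) Microsoft Windows\tc:\\windows\\system32\\drivers\\atapi.sys
spyt\t\t(Not verified)\tc:\\windows\\system32\\drivers\\spyt.sys
kbdclass\tKeyboard Class Driver\t(Verified) Microsoft Windows\tc:\\windows\\system32\\drivers\\kbdclass.sys
h8j2k9x1\t\t(Not verified)\tc:\\windows\\system32\\drivers\\h8j2k9x1.sys
"""

# Exactly eight lowercase alphanumerics; the mix of letters and digits is checked separately
# so that ordinary eight-letter names such as kbdclass are not flagged by length alone.
EIGHT_ALNUM = re.compile(r"^[a-z0-9]{8}$")


def looks_random(stem):
    """Heuristic: an 8-character name that mixes letters and digits (constructed rule)."""
    return (
        bool(EIGHT_ALNUM.match(stem))
        and any(c.isdigit() for c in stem)
        and any(c.isalpha() for c in stem)
    )


def parse_export(text):
    """Parse the tab-separated export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def review_drivers(rows):
    """Return (entry, reasons) for each driver row that trips at least one heuristic."""
    findings = []
    for row in rows:
        reasons = []
        # PureWindowsPath so the backslash path splits correctly even when run on Linux.
        stem = PureWindowsPath(row["Image Path"]).stem.lower()
        if not row["Signer"].startswith("(Verified)"):
            reasons.append("unverified-signer")
        if not row["Description"].strip():
            reasons.append("no-description")
        if looks_random(stem):
            reasons.append("random-looking-name")
        if reasons:
            findings.append((row["Entry"], reasons))
    return findings


if __name__ == "__main__":
    for entry, why in review_drivers(parse_export(SAMPLE_EXPORT)):
        print(f"{entry}: {', '.join(why)}")
```

The sample deliberately marks atapi.sys as not verified, which is what a signature check would show once that file has been modified as the post describes; a verified Microsoft driver with a proper description produces no finding. The name heuristic is intentionally crude and will miss names with no digits, so it is a prompt for a closer look rather than a verdict.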

Siginet
Site Admin
Posts: 2894
Joined: Fri May 27, 2005 1:07 pm
Location: Planet Earth

Post by Siginet » Sat Nov 06, 2010 11:27 pm

I was gonna say try Combofix if you are using a 32 bit OS... but looks like you're trying it now. ;)
--Siginet--

Techware
Your Virtual Technician
Computer Management Software

mr_smartepants
Posts: 824
Joined: Thu May 18, 2006 5:56 am
Location: Cambridgeshire, UK

Post by mr_smartepants » Sun Nov 07, 2010 2:53 am

The problem with trying to purge an infected system is that once the system is compromised, it's 90% impossible to clean it using utilities that need to be installed on the system, because the malware will invariably block/corrupt the utility before it has a chance to get its "shields" up.
I noticed you're using "free" utilities. The only free utilities I've tried that are any decent are Microsoft Security Essentials and SuperAntiSpyware. I myself use Symantec Endpoint Security (only because I get it free from my organization/site license) but I always recommend Eset to people willing to pay.
I think your best option is to use HijackThis and report your findings on the associated help forums to let the pros figure it out.
Unless of course you already have an up-to-date UBCD4win image on hand, then you should use that to do a parallel fix.
Your next option is to wait until after Patch Tuesday and nuke the system from orbit.

5eraph
Site Admin
Posts: 4619
Joined: Tue Jul 05, 2005 9:38 pm
Location: Riverview, MI USA

Post by 5eraph » Sun Nov 07, 2010 2:59 am

mr_smartepants wrote:[...] and nuke the system from orbit.
It's the only way to be sure. ;)

shiner
Posts: 655
Joined: Sun Nov 08, 2009 4:18 am
Location: SE Asia

Post by shiner » Sun Nov 07, 2010 4:23 am

mr_smartepants wrote: ...because the malware will invariably block/corrupt the utility before it has a chance to get its "shields" up.
Agreed.
mr_smartepants wrote:
[...] and nuke the system from orbit.

It's the only way to be sure.
Agreed.

But until that time I can poke at it with different sticks.
I have already discovered a nice information tool, OTL.exe, because of this.

bphlpt
Posts: 1372
Joined: Sat Apr 19, 2008 1:11 am

Post by bphlpt » Sun Nov 07, 2010 6:37 am

shiner wrote:I have already discovered a nice information tool, OTL.exe, because of this.
From what I remember, their forum is pretty helpful, too. As they bill it, OTL is HijackThis on steroids.

Cheers and Regards

crashfly
Posts: 789
Joined: Thu Mar 13, 2008 11:39 pm
Location: Arkansas, USA

Post by crashfly » Mon Nov 08, 2010 1:29 am

yumeyao wrote: Comodo Free is what I use, but I prefer to turn it off when I'm at home... Well, I may change this decision in the future. I suppose that remote attacks shouldn't be that easy on a fully updated OS. Anyway, thanks for the links.
I used to use the free version of Comodo; however, due to a bug in one of their antivirus updates a few months back (related to using an x64 system), I cannot feel entirely comfortable using them. I switched to MS Security Essentials and have not had any problems. In addition, it seems to take up fewer resources than any other antivirus program I have seen (no, I have not tested them all lately). It might be worth it for you to use MSE. It is free and gets regular updates at least.
A mind is like a parachute, it only functions when it is open.
--Anonymous

How to Ask Questions the Smart Way

ccl0
Posts: 817
Joined: Tue Jan 02, 2007 1:56 am

Post by ccl0 » Tue Nov 09, 2010 12:19 am

I used to be a fan of Comodo too... until I read about this: http://www.calendarofupdates.com/update ... opic=19279

It's quite unsettling.

I like MSE too. I'm hoping ver 2 comes out soon though. It's supposed to be even better... or was it faster? I forget :P
