Get infected...

yumeyao · Post by **yumeyao** » Thu Aug 19, 2010 11:40 pm

http://www.virustotal.com/file-scan/rep ... 1282274850

my computer got infected yesterday night, about 13 hours ago, I just sent a virus sample and the result is like above.

Anyone knows how to clean it? It doesn't matter I can restore infected files(the clue is modified on yesterday with a .exe extension). I'm just asking whether it has something else in my system?

Anyway I'm using avast's removal tool for a try.

The most f*cking thing is that I have a lot of hotfixes downloaded and they don't have a copy!!!! And most PE virus damages self-extract files!!!

feup · Post by **feup** » Fri Aug 20, 2010 12:09 am

Hi.

You can try one of these:
Kaspersky Virus Removal Tool
Dr.WEB CureIt!

Good luck.

Post by **5eraph** » Fri Aug 20, 2010 12:16 am

Tenga-A infects all EXE files it finds on your system and connected file shares on other PCs networked to yours. Luckily it seems to be an older virus, so most antivirus programs should catch it. I'd recommend disconnecting all PCs from your home network until they've all been cleaned to prevent reinfecting them.

TheMAN · Post by **TheMAN** » Fri Aug 20, 2010 12:19 am

does malwarebytes work in this case?
I use panda too

yumeyao · Post by **yumeyao** » Fri Aug 20, 2010 12:54 am

The infected files' modified times are from 2010/8/19 21:58 to 2010/8/20 3:54, all files are located in F: or G:, but not all exe files in F: get infected(although all infected files are important ones..).

my G: holds musics/movies and games, but my F: is my major working space... All UpdatePacks, Addons, codes, etc. are in F:. Although I have a backup but of course the backup is not always latest and I never backup the hotfixes...

My notebook is connected with a desktop computer in my family network, the desktop computer seems fine - no files infected.

mr_smartepants · Post by **mr_smartepants** » Fri Aug 20, 2010 1:40 am

What A/V are you using for everyday protection? A full scan should be able to remove it.
More info here: http://www.symantec.com/security_respon ... 16-2523-99

You could use 7zip or winrar to extract the contents from the .exe. It's just a container in any case. Then you'll have the important bits and ditch the .exe

yumeyao · Post by **yumeyao** » Fri Aug 20, 2010 10:07 am

I have removed all infected files and most are restored. But I need to download all hotfixes later, ahh.... a big project..........

@mr_smartepants,
i wasn't using any AV nor do I plan to use any on my laptop. If I would use, avast is a good choice, I guess.

Post by **user_hidden** » Fri Aug 20, 2010 1:27 pm

i dont use any a/v or malware sw either on my personal environment.
in my corp environment we use Symantec AV Corp or Endpoint Protection.

as for firewall i like ZoneAlarmPro or ComodoFree, i use ZAP on my personal pc.

i have been lucky when dealing with infected PC's to use:
Good ole Microsoft MRT.exe for malware
McAfee Stinger
Remove Fake AV

yumeyao · Post by **yumeyao** » Fri Aug 20, 2010 5:51 pm

To be honest, I havn't encountered a PE worm/virus for almost 10 years, on different computers(including friends'). I have manually cleaned a lot of Trojans/Spicious since 2003 - unlike PE viruses, they use various ways to hide themselves and various ways to run with your OS, but they don't damage files (or only a small amount of system files).

ComodoFree is what I use, but I prefer to turn it off when I'm at home.. Well, I may change this decision in the future. I suppose that remote attacks shouldn't be that easy on a full-updated OS. Anyway thanks for the links.

BTW I'm go to the city where my college is soon, with my family, for viewing EXPO. I planned to release a new version of .NET yesterday but I wasn't able to do that. Now I don't know when I can release a new one.

Post by **user_hidden** » Fri Aug 20, 2010 7:19 pm

have a great time with the family and the start of a new school season.

shiner · Post by **shiner** » Fri Nov 05, 2010 9:13 pm

Aargh!
There is some wicked malware now on my system.

I normally browse with FF and NoScript.
I recently allowed an object I thought was a "Captcha," or whatever, to view the image and got nailed.

Been wrestling with its removal, but it looks like a definite reformat and clean install for me on this SOB.

avexmode · Post by **avexmode** » Sat Nov 06, 2010 7:42 am

Sandboxie is a great application to prevent virus / malware...

=[FEAR]=JIGSAW · Post by **=[FEAR]=JIGSAW** » Sat Nov 06, 2010 5:34 pm

shiner wrote:Aargh!
There is some wicked malware now on my system.

I normally browse with FF and NoScript.
I recently allowed an object I thought was a "Captcha," or whatever, to view the image and got nailed.

Been wrestling with its removal, but it looks like a definite reformat and clean install for me on this SOB.

Try "Malwarebytes" - http://www.malwarebytes.org/

have Not found something that this baby can not remove

shiner · Post by **shiner** » Sat Nov 06, 2010 6:39 pm

Try "Malwarebytes" - http://www.malwarebytes.org/

have Not found something that this baby can not remove

Thanks, =[FEAR]=JIGSAW

MBAM was one of the first programs I tried and it found zero, but it was not the only one. In the order I used the programs

Avast 5 Free boot-time scan - Found nothing
Spybot SD - Found nothing
MBAM- Found nothing
GMER - Showed several irregularities but couldn't complete scan.
SysInternals - Rootkit Revealer found nothing
HijackThis - showed nothing suspicious
DrWebCureIT - found nothing
Kaspersky TDSSKiller - found nothing
Rootkit Repeal - confirmed some irregularites found by gmer
SysInternals Autoruns - confirmed irregularities with certain drivers' entries in the registry

The telltale signs are detection of spyt.sys and another .sys file with a random 8 character name. These two files were not detected by most of the above software, all running latest definitions.

GMER seemed the closest to getting this thing but it stalls just before completing its scan.
I now think this is a variant on the TDL3 / TDL4 rootkit despite the negative results by the DrWeb and Kaspersky tools.

This thing in my system is a sublime piece of work and very difficult to detect, but it is there and I can't remove it with any tools I have tried yet.
It modified atapi.sys and I think it is also using the paging file and an encrypted hidden virtual drive to conceal itself.
I have just download Combofix and OTL after researching their use.
But I am now just fiddling around and waiting until Patch Tuesday to do the reformat and clean install.

Siginet · Post by **Siginet** » Sat Nov 06, 2010 11:27 pm

I was gonna say try Combofix if you are using a 32 bit OS... but looks like you're trying it now.

mr_smartepants · Post by **mr_smartepants** » Sun Nov 07, 2010 2:53 am

The problem with trying to purge an infected system is that once the system is compromised, it's 90% impossible to clean it using utilities that need to be installed on the system because the malware will invariably block/corrupt the utility before it has a chance to get it's "shields" up.
I noticed you're using "free" utilities. The only free utilities that I've tried that is any decent is the Microsoft Security Essentials and SuperAntiSpyware. I myself use Symantec Endpoint Security (only because I get it free from my organization/site license) but I always recommend Eset to people willing to pay.
I think your best option is to use HijackThis and report your findings on the associated help forums to let the pros figure it out.
Unless of course you already have an up-to-date UBCD4win image on hand, then you should use that to do a parallel fix.
Your next option is to wait until after patch Tues and nuke the system from orbit.

Post by **5eraph** » Sun Nov 07, 2010 2:59 am

mr_smartepants wrote:[...] and nuke the system from orbit.

It's the only way to be sure.

shiner · Post by **shiner** » Sun Nov 07, 2010 4:23 am

...because the malware will invariably block/corrupt the utility before it has a chance to get it's "shields" up.

Agreed.

mr_smartepants wrote:
[...] and nuke the system from orbit.

It's the only way to be sure.

Agreed.

But until that time I can poke at it with different sticks.
I have already discovered a nice information tool, OTL.exe, because of this.

bphlpt · Post by **bphlpt** » Sun Nov 07, 2010 6:37 am

shiner wrote:I have already discovered a nice information tool, OTL.exe, because of this.

From what I remember, their forum is pretty helpful, too. As they bill it, OTL is HijackThis on steroids.

Cheers and Regards

crashfly · Post by **crashfly** » Mon Nov 08, 2010 1:29 am

yumeyao wrote:ComodoFree is what I use, but I prefer to turn it off when I'm at home.. Well, I may change this decision in the future. I suppose that remote attacks shouldn't be that easy on a full-updated OS. Anyway thanks for the links.

I used to use the free version of Comodo, however due to some a bug in one of their antivirus updates a few months back (related to using a x64 bit system), I cannot feel entirely comfortable using them. I switched to MS Security Essentials and have not had any problems. In addition, it seems to take up less resources than any other antivirus program I have seen (no, I have not tested them all lately). It might be worth it for you to use MSE. It is free and gets regular updates at least.

ccl0 · Post by **ccl0** » Tue Nov 09, 2010 12:19 am

i used to be a fan of comodo too.. until i read about this http://www.calendarofupdates.com/update ... opic=19279

its quite unsettling

i like mse too. i'm hoping ver2 comes out soon though. its suppose to be even better.. or was it faster? i forget