Topic: A 'morphing' virus, BLOCKED MY NET! (Comodo Forum, Virus/Malware Removal Assistance; read 2612 times)
Nikwan3
Malware Research Group
« on: September 16, 2009, 12:54:31 PM »

Hi..

I recently discovered the presence of two 'system' attribute files on my drives..
They spread through USB drives..
Also, since then, my net is blocked: I can connect, but cannot surf/download anything...! So NO AV UPDATES as well!!
One of the files is an autorun.ini and the other some *.pif..
I tried to change their attributes using some tools; I succeeded with the *.pif file, but it fails for autorun.ini..
Also, I tried to delete them, but autorun.ini cannot be...
Also, if I unlock that file, then two new files are created, a new autorun.ini and *.pif, this time with a different (*.pif) name......!!!! Also this new autorun.ini points to this new *.pif file....!!
Awesome it is, some may think, BUT I need to remove them!!!!
I have yesterday's (15th Sep, 09) virus definitions and COMODO FAILS TO DETECT THEM, not even warnings.... Those files are not excluded from scan and I DO NOT have ANY OTHER security software....

Any help from anyone....?
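The autorun file plus hidden/system executable pairing described in the first post is the classic removable-media infection pattern: an autorun file in the drive root whose open/shellexecute entries point at an executable on the same drive, both carrying the HIDDEN and SYSTEM attributes so that Explorer does not show them with the default "show hidden files" setting. As an added defender-side triage example (not code from this thread, from Comodo or from Dr.Web), here is a Python script that parses an autorun file, reports which files it would launch, and, on Windows, flags executables in a drive root that carry both attributes. The sample autorun content and the file name abc123.pif are constructed for illustration; the script looks for autorun.inf, which is the name Windows actually honours and presumably what the post calls autorun.ini.

```python
import os
import stat
from typing import Dict, List, Optional

# Constructed sample of the kind of autorun content described in the post.
# "abc123.pif" is a hypothetical name; nothing here comes from a real sample.
SAMPLE_AUTORUN = """[autorun]
open=abc123.pif
shellexecute=abc123.pif
shell\\open\\command=abc123.pif
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Extensions Windows treats as directly executable; an autorun file on a
# removable drive has no legitimate reason to launch one of these from the drive.
RISKY_EXTENSIONS = {".pif", ".exe", ".com", ".scr", ".bat", ".cmd", ".vbs"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section into a lowercase key -> value map.

    Hand-rolled instead of configparser because real autorun files use
    backslashes in keys (shell\\open\\command) and often contain duplicates.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_targets(entries: Dict[str, str]) -> List[str]:
    """Return the programs an [autorun] section would run: open, shellexecute, shell\\*\\command."""
    targets: List[str] = []
    for key, value in entries.items():
        is_launch_key = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        )
        if is_launch_key and value.split():
            # Drop arguments and surrounding quotes; keep only the program path.
            targets.append(value.split()[0].strip('"'))
    return targets


def is_risky_target(path: str) -> bool:
    """True if the referenced file has an executable extension (case-insensitive)."""
    return os.path.splitext(path)[1].lower() in RISKY_EXTENSIONS


def assess_autorun(text: str) -> List[str]:
    """Return one human-readable finding per executable the autorun file would launch."""
    return [
        f"autorun launches executable from the drive: {target}"
        for target in launched_targets(parse_autorun(text))
        if is_risky_target(target)
    ]


def hidden_system_flags(path: str) -> Optional[bool]:
    """True if the file has both HIDDEN and SYSTEM attributes; None when not on Windows."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    mask = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attrs & mask == mask


def scan_drive_root(root: str) -> List[str]:
    """Triage one drive root (e.g. 'E:\\\\'): assess autorun.inf and hidden+system executables."""
    findings: List[str] = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, "r", errors="replace") as fh:
            findings.extend(assess_autorun(fh.read()))
    for entry in os.scandir(root):
        if entry.is_file() and is_risky_target(entry.name) and hidden_system_flags(entry.path):
            findings.append(f"hidden+system executable in drive root: {entry.name}")
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print(finding)
```

Run `scan_drive_root` against the root of a removable drive from a clean machine; a finding from either check is reason to treat the drive as infected rather than to open it in Explorer. The attribute check only works on Windows because `st_file_attributes` is not populated elsewhere, so from a Linux live CD rely on the autorun parse alone.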
Kevin D.
« Reply #1 on: September 16, 2009, 01:05:15 PM »

Hello,
I think you could try to scan with SUPERAntiSpyware and Malwarebytes Anti-Malware.
Download these programs on another computer and burn them or put them on a USB stick. Then install them on your infected computer and run a complete scan.
There's a big chance these programs will find the virus and remove it.

Good luck,
Nikwan3
Malware Research Group
« Reply #2 on: September 16, 2009, 01:11:55 PM »

Thanks for your reply..

Already working on it..
Kevin D.
« Reply #3 on: September 16, 2009, 02:10:59 PM »

Indeed, strange it hasn't been blocked by Defense+. Is Defense+ activated and switched to safe mode or paranoid mode?

Avira's Antivir scanner is a good one, and free too! Good to use as an active virus scanner, next to the Comodo Firewall and Defense+. This combination works very well and I can recommend it.
Besides that I use SUPERAntiSpyware and MalwareBytes AntiMalware for a manual scan once in a while, and of course on infected systems to remove something. But with the above config the chance you will get a virus is very small. Even if Antivir (or Comodo AV or another one) fails to detect the virus, there's a big chance Defense+ will block it/let you block it.
« Last Edit: September 16, 2009, 02:23:50 PM by Kevin D. »
Nikwan3
Malware Research Group
« Reply #4 on: September 16, 2009, 02:21:43 PM »

Yes, Defense+ is active and is in Paranoid mode actually...
But it's not only me who uses this computer; it's sort of a family computer!!!
I hope you get me!!
EricJH
Global Moderator
« Reply #5 on: September 16, 2009, 05:22:39 PM »

Put the hard drive of your computer in another computer and delete the two files from there. Does this help?

Please read: Introduction to the Sandbox

Using CIS v4 and always the latest snapshot of Opera browser.

AMD Phenom 925 quad core with 4 GB RAM on MSI 785G E53
Kevin D.
« Reply #6 on: September 16, 2009, 05:58:04 PM »

And you could try to boot in Safe mode; maybe you can delete the files then. Or boot with a Linux live CD like Knoppix or Ubuntu and delete the files.
OmeletGuy
Good gamer, Omelet Chef, Rogue AV hater!
Global Moderator

The only thing i ask for are eggs.
« Reply #7 on: September 16, 2009, 06:03:34 PM »

From the CIMA report of the malware you uploaded to it..
http://camas.comodo.com/cgi-bin/submit?file=c6842d2bbb41fafae60dc4d12f7e5b312b7fa055b697865d1674a7509371d621

• Families
   Possible Families Detected
       Virus.Win32..Sality.Gen

• Description
  Suspicious Actions Detected
       Disables windows firewall
       Injects code into other processes

If it is Sality, then it's hard to remove. It infects other programs... CIS may be infected already.... BUT whatever you do, don't remove CIS. You are going to need something that can cure files. A normal AV won't do it.
EricJH
Global Moderator
« Reply #8 on: September 16, 2009, 07:30:59 PM »

Dr Web's Live CD is known to be able to successfully clean these types of infections.

Download the image from the link above on a clean computer and burn the ISO image to a CD. Boot from the CD in the other computer and let the virus scanner update and run.

Watch this video from Remove-malware by Matt for reference: http://www.youtube.com/watch?v=FGDl-IMOt1g . It shows the process of using Dr Web Live CD to tackle this type of infecting virus.
Nikwan3
Malware Research Group
« Reply #9 on: September 17, 2009, 01:46:07 PM »

[at] EricJH and Kevin D.
I run Ubuntu as my second OS. Tried deleting those files already..
But no use...!!
Also, those two files are not there on my local hard drives but get CREATED on every USB drive I connect!!!
Irrespective of how many tries I have made at deleting them from there....!

[at] Kevin D.
Tried your suggestion for using SUPERAntiSpyware, didn't help... It did not detect anything...

[at]OmeletGuy
Do you also mean something like the Dr. Web's Live CD, that can cure infections?

[at]EricJH
Will try that LiveCD and reply back..!

Thanks all!
EricJH
Global Moderator
« Reply #10 on: September 17, 2009, 06:05:55 PM »

Good luck and keep us posted.
OmeletGuy
Global Moderator
« Reply #11 on: September 17, 2009, 06:47:40 PM »

Quote from Nikwan3:
[at]OmeletGuy
Do you also mean something like the Dr. Web's Live CD, that can cure infections?

Yes, this is what I meant.

Good luck.
Guillermo391
« Reply #12 on: September 18, 2009, 09:20:45 AM »

Does anyone know if CIS v4 will be able to cure files like Dr Web?
OmeletGuy
Global Moderator
« Reply #13 on: September 18, 2009, 12:07:04 PM »

Quote from Guillermo391:
Does anyone know if CIS v4 will be able to cure files like Dr Web?

Yes, it will be able to cure infections... but it may have to use CTM, Comodo Time Machine.
Nikwan3
Malware Research Group
« Reply #14 on: September 20, 2009, 02:43:51 PM »

Thank you EricJH..!!
Thanks OmeletGuy..!

Dr. Web Live CD really worked..
That file hiding behaviour is no more.. Also, my PC is not creating those files on the USB drives....!

Ya, it had infected almost all exes on my PC (or probably, all exes accessed after the first infection...!)..
The scanner listed out some hundred exes; great, it cured most of them!!!

Though, most of the apps I had installed are damaged, like Picasa, Gtalk, Nero, Partition Magic, FireFox and a lot more.. In most of them, the uninstall.exe was incurable, had to delete it, but I did not understand the reason why it should be so..
In a few, the starter exe is also damaged.. But I can install those apps again...!!

Ya, you were right, even the CIS was infected..
And the Firewall is still acting a bit weird, it's not allowing ANYthing to connect to the net, not even its own updater, something like a "Block-All".. I had to disable it to get online..

What do you suggest, should I reinstall CIS, just to be sure... or should reinstalling just the firewall be enough...?