Welcome to the Comodo Forum
Welcome,
Guest
. Please
login
or
register
.
March 20, 2010, 02:52:44 PM
1 Hour
1 Day
1 Week
1 Month
Forever
Login with username, password and session length
373252
Posts
41402
Topics
94112
Members
Latest Member:
habakuck
more news...
Search:
Advanced search
|
Tag Cloud
Welcome to the Comodo Forum
Learn about Computer Security and Interact with Security Experts
Virus/Malware Removal Assistance
A 'morphing' virus, BLOCKED MY NET!
« previous
next »
Pages:
[
1
]
2
Author
Topic: A 'morphing' virus, BLOCKED MY NET! (Read 2612 times)
Nikwan3
Malware Research Group
Newbie
Offline
Posts: 15
A 'morphing' virus, BLOCKED MY NET!
«
on:
September 16, 2009, 12:54:31 PM »
Hi..
I recently discovered presence of two 'system' attribute files on my drives..
They spread through USB drives..
Also, since the time, my net is blocked, I can connect, but can not surf/download anything...! so NO AV UPDATES as well!!
One of the files is a autorun.ini and the other some*.pif..
I tried to change their attribute using some tools, succeeded with the *.pif file but it fails for autorun.ini..
Also, tried to delete them, but autorun.ini can not be...
also, if I unlock that file then two new files are created, new autorun.ini and *.pif, This time with a different (*.pif) name......!!!! Also this new autorun.ini points to this new *.pif file....!!
Awesome it is, some may think, BUT I need to remove them!!!!
I have yesterday's (15th Sep,09) virus definitions and COMODO FAILS TO DETECT THEM, not even warnings.... Those files are not excluded from scan and I DO NOT have ANY OTHER security software....
Any help from anyone....
Logged
Kevin D.
Newbie
Offline
Posts: 20
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #1 on:
September 16, 2009, 01:05:15 PM »
Hello,
I think you could try to scan with SUPERAntiSpyware and Malwarebytes Anti-Malware.
Download these programs on another computer and burn them or put them on an USB stick. Then install it on your infected computer and run a complete scan.
Big chance these programs will find the virus and remove it.
Good luck,
Logged
Nikwan3
Malware Research Group
Newbie
Offline
Posts: 15
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #2 on:
September 16, 2009, 01:11:55 PM »
Thanks for your reply..
Already working on it..
Logged
Kevin D.
Newbie
Offline
Posts: 20
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #3 on:
September 16, 2009, 02:10:59 PM »
Indeed, strange it hasn't been blocked by Defense+. Is Defense+ activated and switched to safe mode or paranoid mode?
Avira's Antivir scanner is a good one, and free too! Good to use as active virusscanner, next to the Comodo Firewall and Defense+. This combination works very well and I can recommend it.
Besides that I use SUPERAntiSpyware and MalwareBytes AntiMalware for a manual scan once in a while, and ofcourse on infected systems to remove something. But with above config the chance you will get a virus is very small. Even if Antivir (or Comodo AV or another one) fails to detect the virus, big chance Defense++ will block it/let you block it.
«
Last Edit: September 16, 2009, 02:23:50 PM by Kevin D.
»
Logged
Nikwan3
Malware Research Group
Newbie
Offline
Posts: 15
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #4 on:
September 16, 2009, 02:21:43 PM »
Yes, Defence+ is active and is in Paranoid mode actually...
But its not only me who uses this computer, its sort of a Family computer!!!
I hope you get me!!
Logged
EricJH
Global Moderator
Comodo's Hero
Online
Posts: 5821
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #5 on:
September 16, 2009, 05:22:39 PM »
Put the hard drive of your computer in another computer and delete the two files from there. Does this help?
Logged
Please read:
Introduction to the Sandbox
Using CIS v4 and always the latest snapshot of Opera browser.
AMD Phenom 925 quad core with 4 GB RAM on MSI 785G E53
Kevin D.
Newbie
Offline
Posts: 20
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #6 on:
September 16, 2009, 05:58:04 PM »
And you could try to boot in Safe mode, maybe you can delete the files then. Or boot with a linux live CD like Knoppix or Ubuntu and delete the files.
Logged
OmeletGuy
Good gamer, Omelet Chef, Rogue AV hater!
Global Moderator
Comodo's Hero
Offline
Posts: 2003
The only thing i ask for are eggs.
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #7 on:
September 16, 2009, 06:03:34 PM »
From the CIMA report of the malware you uploaded to it..
http://camas.comodo.com/cgi-bin/submit?file=c6842d2bbb41fafae60dc4d12f7e5b312b7fa055b697865d1674a7509371d621
• Families
Possible Families Detected
Virus.Win32..Sality.Gen
• Description
Suspicious Actions Detected
Disables windows firewall
Injects code into other processes
If it is Sality, then its hard to remove. It infects other programs... CIS maybe infected already.... BUT what ever you do, dont remove CIS. you are going to need something that can cure files. A normal AV wont do it.
Logged
EricJH
Global Moderator
Comodo's Hero
Online
Posts: 5821
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #8 on:
September 16, 2009, 07:30:59 PM »
Dr Web's
Live CD
is known to be able to successfully clean these type of infections.
Download the image from the link in the above on a clean computer and burn the ISO image to a CD. Boot from the CD in the other computer and let the virus scanner update and run.
Watch this video from Remove-malware by Matt for reference:
http://www.youtube.com/watch?v=FGDl-IMOt1g
. It shows the process of using Dr Web Live CD to tackle this infecting type of viruses.
Logged
Please read:
Introduction to the Sandbox
Using CIS v4 and always the latest snapshot of Opera browser.
AMD Phenom 925 quad core with 4 GB RAM on MSI 785G E53
Nikwan3
Malware Research Group
Newbie
Offline
Posts: 15
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #9 on:
September 17, 2009, 01:46:07 PM »
[at] EricJH and Kevin D.
I run Ubuntu as my second OS. Tried deleting those diles already..
But no use...!!
Also, those two files are not there on my local hard drives but get CREATED on every USB drive I cannect!!!
Irrespective of how many tries I have made at deleting them from there....!
[at] Kevin D.
Tried ur suggestion for using SUPERAntiSpywar, dint help... It did not detect anything...
[at]OmeletGuy
Do you also mean something like the Dr. Web's Live CD, that can cure infections?
[at]EricJH
Will try that LiveCD and reply back..!
Thanks all!
Logged
EricJH
Global Moderator
Comodo's Hero
Online
Posts: 5821
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #10 on:
September 17, 2009, 06:05:55 PM »
Good luck and keep us posted.
Logged
Please read:
Introduction to the Sandbox
Using CIS v4 and always the latest snapshot of Opera browser.
AMD Phenom 925 quad core with 4 GB RAM on MSI 785G E53
OmeletGuy
Good gamer, Omelet Chef, Rogue AV hater!
Global Moderator
Comodo's Hero
Offline
Posts: 2003
The only thing i ask for are eggs.
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #11 on:
September 17, 2009, 06:47:40 PM »
Quote from: Nikwan3 on September 17, 2009, 01:46:07 PM
[at]OmeletGuy
Do you also mean something like the Dr. Web's Live CD, that can cure infections?
Yes this is what i meant.
Good luck.
Logged
Guillermo391
Comodo Member
Offline
Posts: 45
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #12 on:
September 18, 2009, 09:20:45 AM »
Does anyone know if CIS v4 will be able to cure files like Dr Web?
Logged
OmeletGuy
Good gamer, Omelet Chef, Rogue AV hater!
Global Moderator
Comodo's Hero
Offline
Posts: 2003
The only thing i ask for are eggs.
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #13 on:
September 18, 2009, 12:07:04 PM »
Quote from: Guillermo391 on September 18, 2009, 09:20:45 AM
Does anyone know if CIS v4 will be able to cure files like Dr Web?
Yes it will be able to cure infection... but it may have to use CTM, Comodo Time Machine.
Logged
Nikwan3
Malware Research Group
Newbie
Offline
Posts: 15
Re: A 'morphing' virus, BLOCKED MY NET!
«
Reply #14 on:
September 20, 2009, 02:43:51 PM »
Thank you EricJH..!!
Thanks OmeletGuy..!
Dr. Web Live CD really worked..
That file hiding behaviour is no more.. Also, My PC is not creating those files on the USB Drives....!
Ya, It had infected almost all exes on my PC (Or probably, all exes accessed after the first infection...!)..
Scanner listed out some hundred exes, great it cured Most of them!!!
Though, Most of the apps I had installed are damaged, like Picasa, Gtalk, Nero, Partition Magic, FireFox and a lot more.. In most of them, the uninstall.exe was incurable, had to delete, But I did not unserstand the reason why should it be so..
In a few, if the starter exe is also damaged.. But I can install those Apps again...!!
Ya, U were right, even the CIS was infected..
And the Firewall is still acting a bit wierd, its not allowing ANYthing to connect to the net, not even its own updater, something like a "Block-All".. I had to disable it to get online..
What do you suggest, should I reinstall CIS, just to be sure... Or reinstalling just the firewall should be enough...
Logged
Tags:
virus
usb
autorun.ini
Block
Pages:
[
1
]
2
« previous
next »
Jump to:
Please select a destination:
-----------------------------
General Category
-----------------------------
=> Melih's Corner - CEO Talk/Discussions/Blog
=> Comodo.TV - Our Internet Video Channel
===> Comodo.TV - News and Announcements
===> Comodo.TV - Program Lineup
===> Audience Feedback and Suggestions
=> Which Product do you want Comodo to develop next?
=> How Can I Help Comodo? (Please We Need You!)
===> Report Comodo Forum / Web Site Issues
===> Please Tell Us Your Views and Vote Here!
===> Help Spread the Word - Banners and Logos
=> General Discussion (off topic) Anything and everything...
===> Member Confessions :-)
===> Funny Photos :-)
===> Cool Stuff
-----------------------------
Desktop Security Products & Services
-----------------------------
=> Comodo Internet Security - CIS
===> News / Announcements / Feedback - CIS
=====> Wishlist - CIS
===> AV False Positive/Negative Detection Reporting
===> Help - CIS
=====> Guides - CIS
=====> AntiVirus Help - CIS
=======> AntiVirus FAQ - CIS
=====> Firewall Help - CIS
=======> Firewall FAQ - CIS
=====> Defense+ / Sandbox Help - CIS
=======> Defense+ / Sandbox FAQ - CIS
=====> Install / Setup / Configuration Help - CIS
=======> Install / Setup / Configuration FAQ - CIS
===> Bug Report - CIS
=> Comodo Backup - CB
===> News / Announcements / Feedback - CB
===> Comodo Online Backup - COB
===> Help - CB
=====> FAQ - CB
=> Comodo Time Machine - CTM
===> News / Announcements / Feedback - CTM
===> Help - CTM
=====> FAQ - CTM
===> Bug Reports - CTM
=> Comodo Dragon - CD
===> News / Announcements / Feedback - CD
=====> Wishlist - CD
===> Help - CD
=====> FAQ - CD
===> Bug Reports - CD
=> Comodo Disk Encryption - CDE
===> News / Announcements / Feedback - CDE
=====> Wishlist - CDE
===> Help - CDE
=====> FAQ - CDE
===> Bug Reports - CDE
===> Beta Corner - CDE
=> Comodo Secure Email - CSE
===> News / Announcements / Feedback - CSE
===> Help - CSE
=====> FAQ - CSE
===> Bug Reports - CSE
=> Comodo EasyVPN - CEVPN
===> News / Announcements / Feedback - CEVPN
===> Help - CEVPN
=====> FAQ - CEVPN
===> Bug reports - CEVPN
=> Comodo AntiSpam - CAS
=> Comodo TrustConnect - CTC
=> HopSurf - CHS
=> Comodo Instant Malware Analysis Online - CIMA
=> Verification Engine - CVE
-----------------------------
Desktop Utilities & Services
-----------------------------
=> Comodo System Cleaner - File/Registry/Privacy Cleaner - CSC
===> News / Announcements / Feedback - CSC
===> Help - CSC
=====> FAQ - CSC
=> Comodo Cloud Scanner - CCS
===> News / Announcements / Feedback - CCS
===> FAQ - CCS
=> Live PC Support
-----------------------------
Business / Enterprise Security Products & Services
-----------------------------
=> Digital Certificates
===> Code Signing Certificate
===> Content Verification Certificate
===> Email Certificate
===> SSL Certificate
=> PCI DSS Compliance
=> Comodo Endpoint Security Manager
=> Two Factor Authentication for Web Applications
=> Trustlogo
=> Hacker Guardian
-----------------------------
Learn about Computer Security and Interact with Security Experts
-----------------------------
=> General Security Questions and Comments
=> Virus/Malware Removal Assistance
=> Leak Testing/Attacks/Vulnerability Research
=> Digital Certificates, Encryption and Digital Signing
=> Other Security Products
-----------------------------
International Comodo Forums
-----------------------------
=> International Comodo Forums
===> 汉语语言, 漢語語言 / Chinese Simplified, Traditional
===> Česky / Czech
===> Dansk / Danish
===> Nederlands / Dutch
===> Suomi / Finnish
===> Francais / French
===> Deutsch / German
===> ελληνικά / Greek
===> Magyar / Hungarian
===> Italiano / Italian
===> Nihongo / Japanese
===> Norsk / Norwegian
===> Polski / Polish
===> Português/Portuguese
===> Română / Romanian
===> По-русски / Russian
===> Slovenský / Slovak
===> Slovenščina / Slovenian
===> Espanol / Spanish
===> Svenska / Swedish
===> Turkce / Turkish
===> Українська / Ukrainian
===> Việt / Vietnamese
-----------------------------
Other
-----------------------------
=> Forum Policy Violation Board
-----------------------------
Archived Boards
-----------------------------
=> Discontinued Products
===> Comodo Anti-Viruspyware (CAVS)
=====> Help for Comodo AntiVirus
=====> FAQ for Comodo Anti-ViruSpyware
=====> Feedback/Comments/Announcements/News about CAVS
===> Comodo BOClean Anti-Malware
=====> Announcements
=====> Comodo BOClean Anti-Malware FAQ
===> Comodo Diskshield
===> Comodo Firewall
=====> Feedback/Comments/Announcements/News
=====> Help for v3
=====> Help for v2
=====> Frequently Asked Questions (FAQ) for Comodo firewall
=====> Comodo Firewall Translations
=====> Bug Reports
===> i-Vault
===> Launch Pad (Discontinued)
===> Comodo Meet (Web Conferencing Product) (Discontinued)
===> Comodo Memory Firewall(Buffer Overflow Protection)
=====> Comodo Memory Firewall Beta Corner
=====> Help
=====> Frequently Asked Questions (Comodo Memory Firewall)
=====> Feedback/Comments/Announcements/News
===> Safesurf
===> Trusttoolbar (Discontinued)
===> Trustfax (online faxing) (discontinued)
===> Trustix Enterprise Firewall
===> User Anywhere (Remote Access product) (Discontinued)
===> UserTrust - First Independent Website Rating - Empowering our users!
===> Comodo Vulnerability Analyzer - CVA
===> ZTL
Page created in 0.066 seconds with 18 queries.
Powered by SMF 1.1.11
|
SMF © 2006, Simple Machines LLC
Seo4Smf v0.2 © Webmaster's Talks
Design by
7dana.com