A 'morphing' virus, BLOCKED MY NET!

[Guest]

[Nikwan3]

Hi..

I recently discovered presence of two 'system' attribute files on my drives..
They spread through USB drives..
Also, since the time, my net is blocked, I can connect, but can not surf/download anything...! so NO AV UPDATES as well!!
One of the files is a autorun.ini and the other some*.pif..
I tried to change their attribute using some tools, succeeded with the *.pif file but it fails for autorun.ini..
Also, tried to delete them, but autorun.ini can not be...
also, if I unlock that file then two new files are created, new autorun.ini and *.pif, This time with a different (*.pif) name......!!!! Also this new autorun.ini points to this new *.pif file....!!
Awesome it is, some may think, BUT I need to remove them!!!!
 I have yesterday's (15th Sep,09) virus definitions and COMODO FAILS TO DETECT THEM, not even warnings.... Those files are not excluded from scan and I DO NOT have ANY OTHER security software....

Any help from anyone....

[Kevin D.]

Hello,
I think you could try to scan with SUPERAntiSpyware and Malwarebytes Anti-Malware.
Download these programs on another computer and burn them or put them on an USB stick. Then install it on your infected computer and run a complete scan.
Big chance these programs will find the virus and remove it.

Good luck,

[Nikwan3]

Thanks for your reply..

Already working on it..
 

[clockwork]

why wasnt it blocked by comodos defense+?
if you cant erase the autorun ini, because its active, maybe try one of the (free) boot antivirus programs. i think avira has one, for example.
a good secondary (free) antivirus for on demand tests is "a squared" (free version has no guard anyway). i can suggest to use one other antivirus for scanning, if you use comodo av as the guard. main reason: exclusion list grows of false positives, and sometimes its important to know when you have a virus on a drive. maybe not for yourself (you have the default deny, mostly), but for those who get files from you. they dont have a default deny, mostly.
i returned after a test of comodos av to my "proved for years av". there are very good free ones out there

 

[Kevin D.]

Indeed, strange it hasn't been blocked by Defense+. Is Defense+ activated and switched to safe mode or paranoid mode?

Avira's Antivir scanner is a good one, and free too! Good to use as active virusscanner, next to the Comodo Firewall and Defense+. This combination works very well and I can recommend it.
Besides that I use SUPERAntiSpyware and MalwareBytes AntiMalware for a manual scan once in a while, and ofcourse on infected systems to remove something. But with above config the chance you will get a virus is very small. Even if Antivir (or Comodo AV or another one) fails to detect the virus, big chance Defense++ will block it/let you block it.

[Nikwan3]

Yes, Defence+ is active and is in Paranoid mode actually...
But its not only me who uses this computer, its sort of a Family computer!!!   
I hope you get me!! 

[EricJH]

Put the hard drive of your computer in another computer and delete the two files from there. Does this help?

[Kevin D.]

And you could try to boot in Safe mode, maybe you can delete the files then. Or boot with a linux live CD like Knoppix or Ubuntu and delete the files.

[OmeletGuy]

From the CIMA report of the malware you uploaded to it..
http://camas.comodo.com/cgi-bin/submit?file=c6842d2bbb41fafae60dc4d12f7e5b312b7fa055b697865d1674a7509371d621

• Families
   Possible Families Detected
       Virus.Win32..Sality.Gen

• Description
  Suspicious Actions Detected
       Disables windows firewall
       Injects code into other processes

If it is Sality, then its hard to remove. It infects other programs... CIS maybe infected already.... BUT what ever you do, dont remove CIS. you are going to need something that can cure files. A normal AV wont do it.

[EricJH]

Dr Web's Live CD is known to be able to successfully clean these type of infections.

Download the image from the link in the above on a clean computer and burn the ISO image to a CD. Boot from the CD in the other computer and let the virus scanner update and run.

Watch this video from Remove-malware by Matt for reference: http://www.youtube.com/watch?v=FGDl-IMOt1g . It shows the process of using Dr Web Live CD to tackle this infecting type of viruses.

[Nikwan3]

[at] EricJH  and Kevin D.
I run Ubuntu as my second OS. Tried deleting those diles already..
But no use...!!
Also, those two files are not there on my local hard drives but get CREATED on every USB drive I cannect!!! 
Irrespective of how many tries I have made at deleting them from there....!

[at] Kevin D.
Tried ur suggestion for using SUPERAntiSpywar, dint help... It did not detect anything... 

[at]OmeletGuy
Do you also mean something like the Dr. Web's Live CD, that can cure infections?

[at]EricJH
Will try that LiveCD and reply back..! 

Thanks all! 

[EricJH]

Good luck and keep us posted.

[OmeletGuy]

[at]OmeletGuy
Do you also mean something like the Dr. Web's Live CD, that can cure infections?

Yes this is what i meant.


Good luck.

[Guillermo391]

Does anyone know if CIS v4 will be able to cure files like Dr Web?

[OmeletGuy]

Does anyone know if CIS v4 will be able to cure files like Dr Web?

Yes it will be able to cure infection... but it may have to use CTM, Comodo Time Machine.

[Tags:]