
Old sad song again and again: w32: Tenga



FCN_Muc
29.06.2007, 10:13
I know: a lot of people have the same problem. I read many, many forums and many pages on AV program sites. It is always the same: they declare what this virus is doing, sometimes there are names to find: dl.exe etc.! But this is not my problem: I don't want to delete infected files, I WANT TO KILL THIS MOTHER-BEAST, THIS VIRUS-PRODUCTION-MACHINE (the virus, not the infected patient). Where can I find keys in the registry, for which files do I have to search? I used so many offline and online antivirus programs till there were no more warnings, but a few days later Tenga was back. Where does it hide? Where are all the parts of Tenga scattered over my hard disks? I included the AVZ zips (REM1) and the HJT log, Dr.Web CureIt didn't find anything, and I included the quarantined files, although AVZ is something a little strange, e.g.: *.com files are normal DOS commands (therefore a screen capture with my a little bit "pissed" comments... I didn't sleep for 2 days because of Tenga). You can't find any reasonable answers:
Always do a backup - ehm - I have nearly 436 GB of data: backup on DVDs means about 100 DVDs per backup, I have neither the money nor the time to do this ... make a complete formatting of all hard disks and install your system and all your ten thousands of programs again - ehm - this is a doctor who tells his assistants: this man has two children (new system), he is infected by a virus - kill him, mother will educate the kids (re-install progs) - No No No, this man who wrote this page (e.g. Ph.D. Johansson) is a ******** pointy-head using his unix OS with only a few silly little math progs which are using 5% space of his 100 MB HDD and he's getting nervous if this HDD is filled up to 10%!

Sincerely

Chris from Munich

****rem1: all AVZ files were made using safe mode, I tried a lot of things (killing threads using my process explorer) but the scripts crashed my system in normal mode more than a dozen times. I will send it in a new thread if I manage to run the scripts in normal mode

****rem2: I didn't include the quarantined files, because even as a zip file they are more than 7 MB

NickGolovko
29.06.2007, 10:32
AVZ - File - Custom scripts: copy the code below, paste it and run the script. The system will reboot.


begin
// look for rootkit hooks in user and kernel mode before touching files
SearchRootkit(true, true);
// enable AVZGuard so the sample cannot interfere while it is collected
SetAVZGuardStatus(True);
// copy the suspicious files into the AVZ quarantine
QuarantineFile('I:\WINDOWS\winstart.bat','');
QuarantineFile('\SystemRoot\system32\drivers\ikfileflt.sys','');
// hand the quarantine list to BootCleaner, activate it and reboot
BC_ImportQuarantineList;
BC_Activate;
RebootWindows(true);
end.

After that please upload the quarantined files according to the Rules.

Generally, Tenga is a classical virus that infects files. Our tools are not designed for this type of virus. Have you tried scanning with the Dr.Web CureIt utility, as described in the Rules?

Is your current antivirus avast!?

FCN_Muc
30.06.2007, 13:33
Yes, I tried Dr. Web Cure-it as described, but it didn't find any infection etc. And my current AV is Avast! 4 Professional!

I had to RAR the quarantined files myself, because virus.zip made by AVZ exceeded the quota by 160 bytes; the zip file was too big to send to you, but only 160 bytes too big! Now I used better compression with RAR; the password is still "virus" as in the original zip file! Why are my old files still counted against the quota of attached files? There could be a moment where someone has to send several MBs of attached files??????

Sincerely,

Chris Noll

NickGolovko
30.06.2007, 14:53
You should have used this link to upload files:

http://virusinfo.info/upload_virus_eng.php?tid=10711

(it is above, "Upload quarantined files").

Attaching files to the message is not allowed. ;)

According to VirusTotal your files look clean. Let's see what we can do.

Is it avast! which detects Tenga? Where does it find it? Next time it finds it, please upload the detected file and inform us about the upload: we will see whether it is a true or false alarm. Do not forget to use the link I've provided. :)

FCN_Muc
02.07.2007, 22:01
Avast has quarantined some files, but I don't know if they are encrypting these files. Should I send some?

drongo
02.07.2007, 22:21
Well, you should put them in a Zip archive with password: virus
Then, please upload the archive via the link: http://virusinfo.info/upload_virus_eng.php?tid=10711

FCN_Muc
08.07.2007, 20:22
Sorry for the delay, I had to wait for a new DSL modem. I sent you one example in a Zip archive via the link you told me!
Here are the details:
File saved as 070708_212206_Virus_46911d3e2fa5f.zip
File size 70381
MD5 7dd14c3b4e4365e1e76ef9d282ac49b8

NickGolovko
11.07.2007, 08:24
Avast says it's Win32:Trojan-gen (so it is a heuristic detection). None of the leading vendors detects it, though VirusTotal shows several false positives. So this file looks clean.

I would like to see a file detected as Tenga, if you have any. :)
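The two steps the thread walks through, reporting a sample's size and hash when uploading it (as in the details quoted above) and then reading a multi-engine report the way NickGolovko does (a lone "-gen" heuristic name with no signature hit from the leading vendors is treated as a probable false positive), as an added Python example; this is not code from the thread, AVZ or VirusTotal. The sample bytes, the vendor verdict strings and the list of "leading vendors" are all constructed for the example, not taken from the real report.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for an uploaded file; NOT the file from the thread.
SAMPLE_BYTES = b"MZ" + bytes(range(256)) * 4

# Constructed per-engine verdicts (empty string = engine reports clean).
# Modelled on the thread's situation: one "-gen" name and a few generic ones.
HEURISTIC_ONLY_VERDICTS = {
    "avast": "Win32:Trojan-gen",
    "Kaspersky": "",
    "DrWeb": "",
    "Symantec": "",
    "McAfee": "",
    "VendorX": "Suspicious.Packed",
    "VendorY": "Heur.Generic",
}

# Constructed counter-example: named signature hits from several engines.
SIGNATURE_VERDICTS = {
    "avast": "Win32:Tenga",
    "Kaspersky": "Virus.Win32.Tenga",
    "DrWeb": "Win32.Tenga",
    "Symantec": "",
    "McAfee": "",
}

# Which engines count as "leading vendors" is a policy choice; this set is an
# assumption of the example, not a list from the thread.
LEADING_VENDORS = {"Kaspersky", "DrWeb", "Symantec", "McAfee"}

# Detection names that indicate a heuristic/generic verdict rather than a
# signature match for a specific family.
HEURISTIC_PATTERN = re.compile(r"(?i)(-gen\b|generic|heur|suspicious|packed)")


def sample_identifiers(data: bytes) -> dict:
    """Size and hashes to quote when reporting an upload (the thread quotes size and MD5)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


@dataclass
class Triage:
    detections: int = 0
    leading_detections: int = 0
    signature_names: list = field(default_factory=list)
    heuristic_names: list = field(default_factory=list)
    verdict: str = ""


def triage(verdicts: dict, leading: set = LEADING_VENDORS) -> Triage:
    """Classify a multi-engine report: clean, heuristic-only, likely malicious, or needs analysis."""
    t = Triage()
    for vendor, name in verdicts.items():
        if not name:
            continue
        t.detections += 1
        if vendor in leading:
            t.leading_detections += 1
        if HEURISTIC_PATTERN.search(name):
            t.heuristic_names.append(f"{vendor}: {name}")
        else:
            t.signature_names.append(f"{vendor}: {name}")

    if t.detections == 0:
        t.verdict = "clean"
    elif not t.signature_names:
        # Only generic/heuristic names, nothing from a named signature.
        t.verdict = "heuristic-only, probable false positive"
    elif t.leading_detections >= 1:
        t.verdict = "likely malicious"
    else:
        t.verdict = "needs analysis"
    return t


if __name__ == "__main__":
    print(sample_identifiers(SAMPLE_BYTES))
    for label, report in (("heuristic-only", HEURISTIC_ONLY_VERDICTS),
                          ("signature hits", SIGNATURE_VERDICTS)):
        print(label, "->", triage(report).verdict)
```

The heuristic-name pattern is deliberately coarse; the point is that a single generic verdict with no family-specific name from a trusted engine is an upload-and-verify situation, not a confirmed infection, which is exactly how the thread handled the Win32:Trojan-gen hit.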