Uncleanable malware; KAV & Avira inefficient


mike113377
May 17th, 2008, 02:16 PM
Hi,

Some friend of mine has been infected by the W32.Tenga malware, also known as W32.Stanit, W32.Gael and so on (more info here: http://www.sophos.com/security/analyses/viruses-and-spyware/w32tengaa.html). From what I could understand, it keeps infecting random applications every day. I immediately advised him to give KAV a try, which is what he did. Using the latest version (7.0.1.325), after a full scan with tweaked settings (such as high heuristic detection), KAV successfully detected the infected .exe files and deleted them, but couldn't clean the virus itself. He also tried Avira Classic, fully updated. The results are the same: the infected applications were detected, but the malware remains. We could question the ability of both of these AVs to clean such an old malware, but that's not the point of this thread. I don't know what I should recommend to him anymore, as both of these products were, in my eyes, esteemed for years and known to be among the most efficient, if not the best, AVs.
Any hint?

Thanks

ASpace
May 17th, 2008, 02:22 PM
I remember that in the past I have successfully cleaned a very infected machine with this Tenga virus thanks to NOD32 v2.70.39.

It might have been a different variant; ESET NOD32 detected it with a generic signature but did clean the files.

You can try this, too.

No matter the AV, the best would be to run a cleaning from a non-infected environment (such as a bootable disk or another OS). If my suggestion is not effective, tell your friend to contact the support dept. of their AV vendor.

alloucho
May 17th, 2008, 02:31 PM
I suggest trying CureIt. You can grab it from here:
http://www.freedrweb.com/
It's free and you don't need to install it. Just download and execute.
I hope it will delete the malware. It's known to be the most efficient in this area. ;)

mike113377
May 17th, 2008, 02:52 PM
Thank you both for your quick answers.
Well, I guess any AV / anti-malware would detect and clean/remove the infected files... the main issue is removing the virus itself.
Anyway, I'll tell my friend to give NOD32 & CureIt a try.

lodore
May 17th, 2008, 02:54 PM
-{ Quote: "Thank you both for your quick answers.
Well, I guess any AV / anti-malware would detect and clean/remove the infected files... the main issue is removing the virus itself.
Anyway, I'll tell my friend to give NOD32 & CureIt a try." }-
Also try SUPERAntiSpyware; one of the three is bound to get rid of it.

Inspector Clouseau
May 17th, 2008, 04:27 PM
-{ Quote: "I remember that in the past I have successfully cleaned a very infected machine with this Tenga virus thanks to NOD32 v2.70.39." }-

Yes. I can confirm that, since I took a closer look at this virus when I was at ESET. For everyone who wants to learn a bit of assembly, here's my description of the Tenga virus:

http://www.eset.com.br/threat-center/msgs/tengaa.htm

mike113377
May 17th, 2008, 05:41 PM
I will keep you guys up to date :-)

btman
May 17th, 2008, 07:27 PM
-{ Quote: "Hi,

Some friend of mine has been infected by the W32.Tenga malware, also known as W32.Stanit, W32.Gael and so on (more info here: http://www.sophos.com/security/analyses/viruses-and-spyware/w32tengaa.html). From what I could understand, it keeps infecting random applications every day. I immediately advised him to give KAV a try, which is what he did. Using the latest version (7.0.1.325), after a full scan with tweaked settings (such as high heuristic detection), KAV successfully detected the infected .exe files and deleted them, but couldn't clean the virus itself. He also tried Avira Classic, fully updated. The results are the same: the infected applications were detected, but the malware remains. We could question the ability of both of these AVs to clean such an old malware, but that's not the point of this thread. I don't know what I should recommend to him anymore, as both of these products were, in my eyes, esteemed for years and known to be among the most efficient, if not the best, AVs.
Any hint?

Thanks" }-

I once had a virus that would multiply itself... I had like 50 copies of the same virus on my machine, but I couldn't click delete as fast as it was multiplying... You say both AVs detect and delete it, but it's still there...

I'd just boot the computer into Safe Mode... That stopped it from multiplying for me... And then Kaspersky successfully deleted the remaining ones.

harlan4096
May 18th, 2008, 03:05 AM
-{ Quote: "Hi,

Some friend of mine has been infected by the W32.Tenga malware, also known as W32.Stanit, W32.Gael and so on (more info here: http://www.sophos.com/security/analyses/viruses-and-spyware/w32tengaa.html). From what I could understand, it keeps infecting random applications every day. I immediately advised him to give KAV a try, which is what he did. Using the latest version (7.0.1.325), after a full scan with tweaked settings (such as high heuristic detection), KAV successfully detected the infected .exe files and deleted them, but couldn't clean the virus itself. He also tried Avira Classic, fully updated. The results are the same: the infected applications were detected, but the malware remains. We could question the ability of both of these AVs to clean such an old malware, but that's not the point of this thread. I don't know what I should recommend to him anymore, as both of these products were, in my eyes, esteemed for years and known to be among the most efficient, if not the best, AVs.
Any hint?

Thanks" }-

Did you try a full scan with Kaspersky in Safe Mode? Or even make a Rescue Disk with Kaspersky, with databases updated?

Regards.

FRug
May 18th, 2008, 04:38 AM
Avira offers a special removal tool for it:
http://www.avira.de/en/support/antivir_removal_tool_details.html

However, your friend should keep in mind that even cleaned executables might not be able to run properly anymore. This is especially true for binaries that do self-checks, or installers which originally had overlay data, as file infectors sometimes irreparably damage files without any chance for cleaners to detect the damage as such.
It will also often break signed executables if their signature is checked on execution.

Inspector Clouseau
May 18th, 2008, 04:53 AM
-{ Quote: "Avira offers a special removal tool for it:
http://www.avira.de/en/support/antivir_removal_tool_details.html

However, your friend should keep in mind that even cleaned executables might not be able to run properly anymore. This is especially true for binaries that do self-checks, or installers which originally had overlay data, as file infectors sometimes irreparably damage files without any chance for cleaners to detect the damage as such.
It will also often break signed executables if their signature is checked on execution." }-

Yes. The problem here is that some parasitic file infectors check only the header for the section number, add 1 to it and attach themselves as a new section at the end of the file. HOWEVER, they strip/overwrite the overlay. Overlay data is basically similar to a "COPY /B Executable.EXE+Binarydata.DAT Installer.EXE".
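
The section-appending behaviour Inspector Clouseau describes, and the overlay loss FRug warns about, worked through in code. This is an added example and not code from the thread, from ESET or from any of the AV products mentioned. It builds a constructed, minimal PE (no optional header, so not loadable; the `.text` body is a single `ret` padded with `int3`) carrying an installer-style overlay, runs a model infector that bumps NumberOfSections and writes its body where the last section's raw data ends, and then applies the kind of generic disinfection a scanner can do (drop the added section, restore the count, truncate). The names `build_sample`, `infect_append_section`, `naive_clean` and `demo` are this example's own; entry-point redirection is deliberately left out because only the file layout matters for the point being made.

```python
import struct

# Offsets and sizes from the PE/COFF file format.
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def pe_layout(data):
    """Parse DOS/PE headers; return (coff_off, nsec, sect_off, sections).
    Each section is (name, PointerToRawData, SizeOfRawData, VirtualAddress, VirtualSize)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff_off = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff_off + 2)[0]       # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff_off + 16)[0]  # SizeOfOptionalHeader
    sect_off = coff_off + COFF_HEADER_SIZE + size_opt
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sect_off + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         raw_ptr, raw_size, vaddr, vsize))
    return coff_off, nsec, sect_off, sections


def overlay(data):
    """Bytes after the last byte of section raw data: the overlay (the appended
    .DAT in the COPY /B analogy). Empty result means no overlay."""
    sections = pe_layout(data)[3]
    end = max((ptr + size for _, ptr, size, _, _ in sections if size), default=0)
    return data[end:]


def build_sample():
    """Constructed sample (assumption, not a real binary): one 0x200-byte .text
    section, header slack up to 0x200, then an installer-style overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # i386, 1 section
    text = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + text).ljust(0x200, b"\0")
    code = b"\xC3".ljust(0x200, b"\xCC")                           # ret, int3 padding
    return headers + code + b"INSTALLER-PAYLOAD:" + bytes(range(64))


def infect_append_section(data, payload, name=b".virus"):
    """Model of the appending infector described above: NumberOfSections += 1, one
    more header written into the header slack, body placed where the last section
    ends. Everything past that point (the overlay) is discarded."""
    coff_off, nsec, sect_off, sections = pe_layout(data)
    new_hdr_off = sect_off + nsec * SECTION_HEADER_SIZE
    first_raw = min(ptr for _, ptr, size, _, _ in sections if size)
    if new_hdr_off + SECTION_HEADER_SIZE > first_raw:
        raise ValueError("no header slack for another section header")
    end = max(ptr + size for _, ptr, size, _, _ in sections if size)
    vend = max(va + vs for _, _, _, va, vs in sections)
    new_va = (vend + 0xFFF) & ~0xFFF             # next 4 KiB page in memory
    raw_size = (len(payload) + 0x1FF) & ~0x1FF   # 0x200 file alignment
    hdr = struct.pack(SECTION_FMT, name, raw_size, new_va, raw_size, end,
                      0, 0, 0, 0, 0xE0000020)    # code | initialized | rwx
    out = bytearray(data[:end])                  # the overlay is dropped right here
    out[new_hdr_off:new_hdr_off + SECTION_HEADER_SIZE] = hdr
    struct.pack_into("<H", out, coff_off + 2, nsec + 1)
    out += payload.ljust(raw_size, b"\0")
    return bytes(out)


def naive_clean(data):
    """What a generic disinfector can do: zero the last section header, restore the
    count, truncate. Assumes the last header is also last in file order. The overlay
    cannot come back because no copy of it survived the infection."""
    coff_off, nsec, sect_off, sections = pe_layout(data)
    last_ptr = sections[-1][1]
    out = bytearray(data[:last_ptr])
    slot = sect_off + (nsec - 1) * SECTION_HEADER_SIZE
    out[slot:slot + SECTION_HEADER_SIZE] = b"\0" * SECTION_HEADER_SIZE
    struct.pack_into("<H", out, coff_off + 2, nsec - 1)
    return bytes(out)


def demo():
    clean = build_sample()
    infected = infect_append_section(clean, b"\xEB\xFE" + b"VIRUS-BODY")
    restored = naive_clean(infected)
    return {
        "overlay_before": overlay(clean),
        "sections_infected": [s[0] for s in pe_layout(infected)[3]],
        "overlay_infected": overlay(infected),
        "code_intact": restored == clean[:0x400],      # headers and .text survive
        "overlay_restored": overlay(restored) != b"",  # False: the payload is gone
    }
```

Running `demo()` on the constructed sample shows the overlay present before infection, two sections and no overlay afterwards, and a cleaned file whose headers and code match the original byte for byte while the appended installer data is simply absent. A cleaner working from the infected file alone has no way to tell that anything used to follow the last section, which is why a "successfully cleaned" installer or self-checking binary can still refuse to run.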

ASpace
May 18th, 2008, 07:25 AM
-{ Quote: "Yes. I can confirm that, since I took a closer look at this virus when I was at ESET. For everyone who wants to learn a bit of assembly, here's my description of the Tenga virus:

http://www.eset.com.br/threat-center/msgs/tengaa.htm" }-

Very kind of you; the review and perhaps the threat analysis have been created by you personally ;D :)

Mrkvonic
May 18th, 2008, 08:37 AM
Hello,

Boot from CD.
Remove offending files.
Boot into Windows.
Use existing tools (AV etc) to remove the remnants.

Mrk

trjam
May 18th, 2008, 03:04 PM
So one finally got by Avira and Kaspersky. Bout time.:dry: ;)

DonKid
May 18th, 2008, 03:35 PM
-{ Quote: "So one finally got by Avira and Kaspersky. Bout time.:dry: ;)" }-
He was infected before installing KAV or KIS.
And as harlan4096 said, if he scans in Safe Mode, KAV or KIS will probably clean it up.

mike113377
May 18th, 2008, 05:22 PM
Actually, I should have mentioned that he was ALREADY using KAV when he got infected. I just told him to make sure that he was using the latest version with latest definitions and tweaked heuristic scan settings.

Baz_kasp
May 18th, 2008, 05:27 PM
If Safe Mode/clean doesn't work, tell him to contact support: www.kaspersky.com/helpdesk

mike113377
May 18th, 2008, 05:46 PM
Sure.
That is still quite a questionable way of cleaning this. I mean, both KAV and Avira detected infected files (and keep detecting new infected files), but the user is never advised to do a full scan in Safe Mode. The way it is now is a never-ending circle, removing different infected applications each day...