I've been infected...BADLY!! pls help!

Discussion in 'malware problems & news' started by arjunned, Sep 28, 2009.

Thread Status:
Not open for further replies.
  1. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    I dont know if this the right thread to post ths, so if it isn't, mod's please move it to the rite one.

    I've been infected by a trojan. it registers itself as sichost.exe. Now i cant access task manager or msconfig. It keeps copying itself everywhere. This is in my office, where 3 comps are connected by lan, and have no internet access. Now 1 one of the three comps, i've disinfected with avira. but in the other 2, the trojan still remains. its copied it self into the sys32 folder, and i cant delete it wat-so-ever! Avira detects it as a HEUR/MALWARE, but upon moving it to quarantine, it just copies itself back to the same folder.

    I've tried scanning with MBAM as well but it doesn't even detect it! Avira just cant seem to remove it! I think it came from a usb pen drive, but i've formatted all the ones we have here and they're now clean, but i cant plug 'em in to the infected systems. Oh, i've even tried Dr.Web CureIt, but it doesn't detect it either.

    Also it seems to copied it self into every partion (3 on each PC). I just dont know how get rid of this! Pls help.

    Pls tell me as to what u need from my side if u know how to remove this *!@*#% !!!
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    See Securing Your PC and Data for general information, with disinfection specialist sites listed in the If you are currently infected post.

    That said, see the following links (all seem to mention the infection):Read the four links before starting. Personally, I'd recommend visiting a specialist site for focused assistance, but if you prefer or need to handle this yourself, I'd attempt simple manual removal from a safe mode boot, or manual removal/scan from a clean machine to which the infected drive was slaved (if possible) first.

    Blue
     
  3. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Are we talking about your work computer or your home computer? Tell me a little bit about your computer specs.
     
  4. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    @Blue: Thanks. Will check the links.

    @CogitoTesting: Work PC's. Specs? Well they're REALLY old PC's but they do they're job. Atleast to bare minimum. :p They're P4's with 1gb ram.
     
  5. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    K. Manually deleting it on one PC worked. Only one more PC to go. :)
    Thanks Blue.
     
  6. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    I presume we are talking about your work computers. If so what kind of security program(s) are you using? Are your clients self-managed or are they centrally managed?

    What I'm trying to do is to prevent the virus to spread further. I'll help you.
     
  7. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    Thanks man. But Blues Links helped a lot. Manually removing them did the trick. It didnt work at first so i booted into safe mode and deleted them. Scanned the PC's twice; all clean! Sent a mail to Avira. Coz it should have deleted it.

    PS: Clients are self-managed. They all use Avira. Just loaded them with Comodo Firewall.
     
  8. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    I'm glad those links worked for you. Now could you tell me what kind of protection you had installed when the infection occurred? How old are these computers anyway?
     
  9. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    Really old PC's. But enough to run AutoCAD and other softwares we need. We run Avira. And Avast on one comp with internet access. Updates for Avira are done manually.
     
  10. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,124
    Location:
    Pennsylvania.
    After getting it cleaned install Sandboxie. No more malware ever.
     
  11. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    But if the OP got the infection from a usb pen drive (as he posits in his opening post), then he would need the registered/paid version of Sandboxie and use the ForcedFolders feature to prevent future malware from being injected the same way.
     
  12. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
  13. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Actually, the usage scenario (typical office setting) is one in which doing the routine work from an LUA (limited user account), possibly augmented by SuRun would actually be a fairly powerful solution. Use SuRun to deal with any applications which, for whatever reason, need admin level access. I'd also have the Admin account password not known by the primary users to prevent a little too much self-managing... :)

    Blue
     
  14. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    I've been looking into SuRun, DEP, LUA etc. for quite while. Still Experimenting with it myself so i can set it up properly for PC's here. We've never had this problem from one of our own usb drives. Someone from outside got a pendrive loaded with viri. Need to prevent that from happening in the future.

    I love sandboxie, but i think it might be a bit of a hassle for the others here in the office. They just wanna get they're work done and go home. So i'm just gonna stick to the basics for now. :)

    Cheers.
     
  15. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    i vote to that ;)
     
  16. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    i think u are looking to far as u said "They just wanna get they're work done and go home"

    u may take a look at USB Threat Defender , its look suit your needs
    http://www.arzoosoft.com/utdefender.html

    or

    Naevius USB Antivirus
    http://www.naevius.com/usb_antivirus.htm

    cheers:)
     
    Last edited: Sep 29, 2009
  17. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    demoneye,

    Actually, they're not looking too far.

    It's a question of whether you wish to deal with a single symptom (infection via USB drive) or the underlying structural problem (ability to write to system folders basically at will). Dealing with discrete symptoms as they emerge leads to those patchwork quilt security solutions that ultimately fall under their own weight.

    LUA/SuRun is exceedingly simple. In an office environment, the application base is generally fixed over long timeframes. That type of scenario is one in which LUA is generally not an inconvenience of any sort and the scope of this solution goes well beyond USB devices.

    Blue
     
  18. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    yeah i know, i am using Surun+Lua on my other pc and its ok , but such setup may not suit all working environment when un trained ppl using the pc in windows os , so most of worker are noobs ,and just "use the pc and wanna go home " that the time what i suggest to the infected mate is come in to make life easier ;)


    cheers
     
Loading...
Thread Status:
Not open for further replies.