I've been infected...BADLY!! pls help!

Discussion in 'malware problems & news' started by arjunned, Sep 28, 2009.

Thread Status:
Not open for further replies.
  1. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    I don't know if this is the right thread to post this, so if it isn't, mods please move it to the right one.

    I've been infected by a trojan. It registers itself as sichost.exe. Now I can't access Task Manager or msconfig. It keeps copying itself everywhere. This is in my office, where 3 comps are connected by LAN and have no internet access. Now one of the three comps I've disinfected with Avira, but in the other 2 the trojan still remains. It's copied itself into the sys32 folder, and I can't delete it whatsoever! Avira detects it as HEUR/MALWARE, but upon moving it to quarantine, it just copies itself back to the same folder.

    I've tried scanning with MBAM as well, but it doesn't even detect it! Avira just can't seem to remove it! I think it came from a USB pen drive, but I've formatted all the ones we have here and they're now clean, but I can't plug 'em in to the infected systems. Oh, I've even tried Dr.Web CureIt, but it doesn't detect it either.

    Also it seems to have copied itself into every partition (3 on each PC). I just don't know how to get rid of this! Pls help.

    Pls tell me what you need from my side if you know how to remove this *!@*#% !!!
     
  2. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    See Securing Your PC and Data for general information, with disinfection specialist sites listed in the If you are currently infected post.

    That said, see the following links (all seem to mention the infection):

    Read the four links before starting. Personally, I'd recommend visiting a specialist site for focused assistance, but if you prefer or need to handle this yourself, I'd attempt simple manual removal from a safe mode boot, or manual removal/scan from a clean machine to which the infected drive was slaved (if possible) first.

    Blue
     
  3. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Are we talking about your work computer or your home computer? Tell me a little bit about your computer specs.
     
  4. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    @Blue: Thanks. Will check the links.

    @CogitoTesting: Work PCs. Specs? Well, they're REALLY old PCs but they do their job. At least to the bare minimum. :p They're P4s with 1 GB RAM.
     
  5. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    K. Manually deleting it on one PC worked. Only one more PC to go. :)
    Thanks Blue.
     
  6. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    I presume we are talking about your work computers. If so what kind of security program(s) are you using? Are your clients self-managed or are they centrally managed?

    What I'm trying to do is to prevent the virus from spreading further. I'll help you.
     
  7. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    Thanks man. But Blue's links helped a lot. Manually removing them did the trick. It didn't work at first, so I booted into safe mode and deleted them. Scanned the PCs twice; all clean! Sent a mail to Avira, coz it should have deleted it.

    PS: Clients are self-managed. They all use Avira. Just loaded them with Comodo Firewall.
     
  8. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    I'm glad those links worked for you. Now could you tell me what kind of protection you had installed when the infection occurred? How old are these computers anyway?
     
  9. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    Really old PCs. But enough to run AutoCAD and other software we need. We run Avira. And Avast on one comp with internet access. Updates for Avira are done manually.
     
  10. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
    After getting it cleaned install Sandboxie. No more malware ever.
     
  11. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
    But if the OP got the infection from a USB pen drive (as he posits in his opening post), then he would need the registered/paid version of Sandboxie and use the Forced Folders feature to prevent future malware from being injected the same way.
     
  12. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Actually, the usage scenario (typical office setting) is one in which doing the routine work from an LUA (limited user account), possibly augmented by SuRun would actually be a fairly powerful solution. Use SuRun to deal with any applications which, for whatever reason, need admin level access. I'd also have the Admin account password not known by the primary users to prevent a little too much self-managing... :)

    Blue
     
  14. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    I've been looking into SuRun, DEP, LUA etc. for quite a while. Still experimenting with it myself so I can set it up properly for the PCs here. We've never had this problem from one of our own USB drives. Someone from outside got a pen drive loaded with viruses. Need to prevent that from happening in the future.

    I love Sandboxie, but I think it might be a bit of a hassle for the others here in the office. They just wanna get their work done and go home. So I'm just gonna stick to the basics for now. :)

    Cheers.
     
  15. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    I vote for that ;)
     
  16. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    I think you are looking too far, as you said "They just wanna get their work done and go home".

    You may take a look at USB Threat Defender; it looks like it suits your needs:
    http://www.arzoosoft.com/utdefender.html

    or

    Naevius USB Antivirus
    http://www.naevius.com/usb_antivirus.htm

    cheers:)
     
    Last edited: Sep 29, 2009
  17. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    demoneye,

    Actually, they're not looking too far.

    It's a question of whether you wish to deal with a single symptom (infection via USB drive) or the underlying structural problem (ability to write to system folders basically at will). Dealing with discrete symptoms as they emerge leads to those patchwork quilt security solutions that ultimately fall under their own weight.

    LUA/SuRun is exceedingly simple. In an office environment, the application base is generally fixed over long timeframes. That type of scenario is one in which LUA is generally not an inconvenience of any sort and the scope of this solution goes well beyond USB devices.

    Blue
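The two threads of this discussion, the symptoms in the opening post (copies dropped into the System32 folder and every partition root, Task Manager blocked) and Blue's point that the structural problem is an account that can write to system folders at will, can be checked on a workstation with the read-only audit below. It is an added example, not something posted in the thread; it assumes Windows PowerShell on the workstation and only reports, it never deletes anything.

```powershell
# Added audit script (not from the thread). Run it as the account the office
# staff normally use. It reports whether that account could have written where
# the worm in this thread wrote, and whether the Task Manager policy block is set.

function Test-WriteAccess {
    param([string]$Path)
    # Create and immediately delete a uniquely named probe file; failure means
    # the account is a limited user for this location, which is what LUA wants.
    $probe = Join-Path $Path ("lua-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Account: {0}   admin token: {1}" -f $identity.Name, $isAdmin)

# 1. Locations the opening post says the worm copied itself to:
#    the System32 folder and the root of every fixed partition.
$roots   = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
           ForEach-Object { $_.DeviceID + '\' }
$targets = @("$env:SystemRoot\System32") + $roots
foreach ($t in $targets) {
    if (Test-WriteAccess $t) {
        Write-Host ("{0,-28} WRITABLE: user-mode malware could drop files here" -f $t)
    } else {
        Write-Host ("{0,-28} protected" -f $t)
    }
}

# 2. The per-user policy value that hides Task Manager. On an unmanaged office
#    PC nobody sets this deliberately, so a value of 1 is worth investigating.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$val = (Get-ItemProperty -Path $polKey -Name DisableTaskMgr `
        -ErrorAction SilentlyContinue).DisableTaskMgr
if ($val -eq 1) { Write-Host 'DisableTaskMgr = 1: Task Manager is blocked by policy' }
else            { Write-Host 'DisableTaskMgr not set' }
```

If every target reports "protected" and the admin token is False, the account is already the limited user Blue describes; if System32 or the drive roots come back writable, that is the structural gap to close before adding more point tools.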
     
  18. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Yeah I know, I am using SuRun+LUA on my other PC and it's OK, but such a setup may not suit all working environments when untrained ppl are using the PC in Windows OS. So most of the workers are noobs, and just "use the PC and wanna go home"; that's the time what I suggested to the infected mate comes in, to make life easier ;)


    cheers
     