Destroying a replicating worm? How?

Okay guys, so I installed and ran SUPERAntiSpyware, Malwarebytes, and avast! on a client's computer for them (yes, "FOR THEM" to make it legal :rolleyes: ) ANYWAY. Let's leave the legality out of this thread, that's not my point.

She's infected with the Tenga virus. I'm trying to get rid of it and even though we've gotten rid of about 3000 infected files (yeah I know, wow) it seems like it keeps coming back. I'm going on-site tomorrow evening or Friday and I was wondering what you suggest as far as trying to get rid of it. I'm thinking my first two attempts will be

1) Disable system restore and scan again with all three solutions.
2) Force a boot scan with AVAST to get rid of any running infected processes (once I figure out how to "force" a boot-time scan)


Any other suggestions for tackling something like this, let me know. This is the worst infection I've seen as far as getting it to go away completely.

EDIT:
FIGURED OUT HOW TO DO A BOOT TIME SCAN WHEN AN INFECTION IS DETECTED. STILL NEED TO KNOW HOW OTHERWISE THOUGH...
 
So....basically what you're asking is: How do I learn to remove viruses?


Running avast, sas and mbam isn't enough for a large portion of the infections these days. Pick up a few tools to do rootkit scanning and then manually go through the system and remove the nasties. Then run the scanners to remove the crap that you missed. If you're just clicking "scan" and hoping for the best, you really aren't doing your job.

Don't even bother getting angry, I'm not the only one that'll tell you this.
 
lol @ don't bother getting angry.

I'm in a good mood. I'm not going to get angry over a reply like that. You actually gave me a nugget of information. Unlike half the pigheaded replies I get here.

So thanks. Now names of programs would be nice. :P

Oh, and as far as "removing the nasties" it's a bit hard because they are pertinent exe files. avast! is cleaning 99% of what it comes across. The more I think about it, it's gotta be System Restore files that are infected keeping the infection going. When I disable it and scan and then do the boot-time scan, I don't know how it will miss anything. Also, avast! does find rootkits, but if you know something better, let me know! I'd love to try it out and I love getting new tools for my 16GB "toolbox". ;)
 
RootRepeal is a good rootkit scanner. HijackThis is good for a quick check of most common hiding places. Umm...regedit is good, too, but most of it is covered by HijackThis. Process Explorer.... Umm....Autoruns.........ComboFix..... There are others.

Oh, and as far as "removing the nasties" it's a bit hard because they are pertinent exe files

If that happens, you need to cut off the source of the infection first, then replace the files with non-infected. Either repair install, sfc /scannow, reinstall of the application, or whatever.
 
@nibbles Normally, I would be all about discussing new threats and how to remove them. However, this is an OLD threat. I just did a simple Google search on the virus you mentioned, and I saw at least 6 methods to get rid of it just on the first page. Sophos lists all the steps necessary to remove it. I hope this link helps.

http://lmgtfy.com/?q=tenga+virus
 
If you have infected .exe files, you might try checking the registry for the following key:

HKEY_CLASSES_ROOT\exefile\shell\open\command

the default value should be "%1" %*
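A worked version of that check, added here as an example rather than code from anyone in the thread: it parses the text of a `.reg` export (for instance from `reg export HKCR\exefile\shell\open\command exefile.reg`, or from an offline registry editor on a boot CD when the live system can't be trusted) and flags any file-type handler whose default "open" command is not the stock value. The thread only gives the expected value for `exefile`; checking `comfile`, `batfile`, `cmdfile` and `piffile` against the same `"%1" %*` is this example's assumption, and the sample export is constructed, not a capture from an infected machine.

```python
"""Flag hijacked HKCR\<handler>\shell\open\command values in a .reg export.

Added example for this thread, not code from any of the posters.
"""
import re

# Stock default 'open' commands.  exefile is the value quoted in the thread;
# the other handlers are assumed (not from the thread) to use the same value.
EXPECTED = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "piffile": '"%1" %*',
}

_SECTION = re.compile(r"^\[(.+)\]$")   # [HKEY_...\path]
_DEFAULT = re.compile(r'^@="(.*)"$')   # @="..." is the (Default) REG_SZ value


def unescape_reg_string(s):
    """Undo .reg REG_SZ escaping: \\\\ becomes \\ and \\" becomes "."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_open_commands(reg_text):
    """Return {handler: default open command} for every
    HKEY_CLASSES_ROOT\\<handler>\\shell\\open\\command section in the text."""
    commands, section = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = _DEFAULT.match(line)
        if m and section:
            parts = section.split("\\")
            if (len(parts) == 5
                    and parts[0].upper() == "HKEY_CLASSES_ROOT"
                    and [p.lower() for p in parts[2:]] == ["shell", "open", "command"]):
                commands[parts[1].lower()] = unescape_reg_string(m.group(1))
    return commands


def find_hijacked(reg_text):
    """Return {handler: actual command} for handlers present in the export
    whose open command differs from the stock value.  Anything prepended
    (a loader that runs before the real program) or appended counts."""
    found = parse_open_commands(reg_text)
    bad = {}
    for handler, expected in EXPECTED.items():
        actual = found.get(handler)
        if actual is not None and actual.strip().lower() != expected.lower():
            bad[handler] = actual
    return bad


def load_reg_file(path):
    """reg.exe writes UTF-16 with a BOM; older tools wrote 8-bit text."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


# Constructed sample export (not a real capture): exefile has a loader
# prepended to the stock command, comfile is untouched.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\loader.exe \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for handler, cmd in find_hijacked(SAMPLE_REG).items():
        print(f"{handler}: open command is {cmd!r}, expected {EXPECTED[handler]!r}")
```

Run it against an export taken from the machine (`load_reg_file("exefile.reg")`) rather than the embedded sample; working from an export means the same check also runs from a boot CD against a hive dumped with an offline editor, which is what you want when a memory-resident infector may be feeding regedit a clean view.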
 
When I was clearing the Virut virus it infected every .exe file on the system, easily got over 1500 infections. To fix the .exe files I used a Kaspersky AV boot disk. It repaired/disinfected every single .exe file, not one was left infected. Another good program for fixing .exe files is Dr.Web CureIt.

As well as manual removal I would add the following programs to the mix.

GMER (rootkit), UnHackMe (rootkit), the best IMO.

Sounds to me that if you are still getting infected then it's resident in memory. Until you clear that, re-infection is very possible. So an AV with real-time memory scanning will catch this little bugger in the act.
 
^^

I find Dr.Web is brilliant for removing these infections, plus you can run their 'CureIt' 15 MB portable program from BartPE/UBCD4WIN. It has cured every file infector I have ever seen (from Virut to HTML infectors) and for me it has never failed. I have also used Kaspersky, which worked 9/10 times, but struggled on one variant of Virut, which it deleted automatically and bollo**** up the system.
 
Nibbles,

Just out of curiosity, have you disconnected it from the internet and run these programs in safe mode? This virus appears to be a network virus if I remember correctly.
 