haiku

Virus.Win32.Tanatos!IK


I am a registered user of Online Armor ++.

On Sunday morning I awoke to find my overnight scan reporting two files infected with Virus.Win32.Tanatos!IK, my first virus in around two years.

I took a screenshot of the AV Scan results screen (see attachment PossibleViruses.docx in the Virus Scares zip) then went about confirming that the files were in fact infected. This included:

1. Scanning the files on an individual basis using Online Armor in right-click mode.

2. Scanning the files with two opposition products.

3. Performing a full scan using the EmsisoftEmergencyKit.

All products reported zero infections.

I eventually zipped the infected files, then went to bed 8).

This morning my overnight scan reported five files as being infected: the two original files plus the three zips (see attachment Virus Check Number 2.docx in the Virus Scares zip). This makes sense in that it is unlikely that the virus signatures would have become compressed.

So today I repeated the full scans using the EmsisoftEmergencyKit and OTL (see attached) and ask for your assistance.

Kind regards

-- haiku

PS At no time has it been possible to quarantine the files. Is this always so?


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin]  File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin]  File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O33 - MountPoints2\F\Shell - "" = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Launch.exe
    [2011/06/19 14:15:10 | 000,000,000 | ---D | C] -- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    [1 C:\Users\Rowan\*.tmp files -> C:\Users\Rowan\*.tmp -> ]
    
    :Commands
    [Purity]
    [EmptyFlash]
    [start Explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).

Attach the scan log from OA++ as well. Screen shots, though helpful for seeing what is going on, are not all that useful when composing malware removal fixes.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


I will follow your instructions when I return home from work this afternoon.

Last night I recovered one of the files reported with a virus from a one-month-old backup, i.e. long before the infection was reported. A file compare showed that the existing & recovered files were identical. Last night's scan reported both files as infected. I am wondering if this is a false positive?

Regards



Hi -

I copied your script into OTL.exe, then ran OTL. The program freaked (HTML in text box not good) so I transferred the script to a text editor, reformatted the text and reposted into OTL, then re-ran OTL. NB: I did not run the script specifically as administrator.

OTL executed 100%, then rebooted - all OK.

I then ran the OA++ virus scan: it reported all the previously infected files as still being infected.

I am not sure where to find the scan logs, so I have archived all files marked with to-day's date: please see attached. Please let me know if I have the wrong files - with my luck ... 8)

Kind regards


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :Files
    C:\Windows\Installer\352e6d.msi
    D:\Temp\Temp.zip
    D:\Temp\VirusCheck(2).zip
    D:\Temp\VirusCheck.zip
    
    :Commands
    [start Explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

sqlcli.msi is part of Microsoft SQL Server 2008 Service Pack 2 (KB2285068).


Hi -

I re-ran OTL as per your request - please see attached log.

I then updated the virus signatures and performed a full scan. The virus warnings were still present (see attachment PossibleViruses02.docx)

I then took two completely different versions of sqlncli.msi - one from work and one from home, one 32-bit the other 64-bit, neither reporting a virus - and placed them on a USB drive.

I then tested the two files using my 'main' PC - the PC exhibiting the problem.

Both were immediately flagged as being infected.

(This basically duplicates my previous experiment of restoring the files from a backup of my hard drive. The files, which were previously flagged as being OK by OA++, are now flagged as infected.)

I am reasonably sure that this is a false positive, but since my PCs are used in generating my income, I don't wish to take a chance.

Incidentally, I am running Windows 7 64-bit Ultimate: could this cause any problems?

Kind regards

-- rowan
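The check the thread turns on is the one haiku did by hand: compare the flagged file byte-for-byte with a copy restored from an older backup, and notice that the zips were flagged only because they contain the same file. The script below is an added example, not code from the thread, Emsisoft or OTL; it hashes every plain file and every member inside each zip with SHA-256 and groups locations by digest, so that all detections resolving to one digest show up as the same bytes rather than a second infection. File names and contents in `build_sample` are constructed stand-ins (the "sqlncli.msi" written there is not a real MSI).

```python
"""Hypothetical false-positive triage helper (added example, not from the thread).

Hash every plain file and every member of every zip archive, then group
locations by digest.  If the flagged file, its backup copy and the members of
the flagged archives all share one digest, every detection is the same bytes.
"""
import hashlib
import os
import tempfile
import zipfile
from collections import defaultdict

CHUNK = 1 << 16  # read files in 64 KiB blocks so large installers are not loaded whole


def sha256_stream(fh):
    """SHA-256 hex digest of an open binary file-like object."""
    h = hashlib.sha256()
    for block in iter(lambda: fh.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def sha256_file(path):
    with open(path, "rb") as fh:
        return sha256_stream(fh)


def digest_locations(paths):
    """Map digest -> sorted list of 'path' or 'archive::member' locations.

    Archives are expanded member by member (without writing them to disk) so a
    zip flagged by the scanner can be tied back to the file it contains.
    """
    groups = defaultdict(list)
    for path in paths:
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    with zf.open(info) as member:
                        groups[sha256_stream(member)].append(f"{path}::{info.filename}")
        else:
            groups[sha256_file(path)].append(path)
    return {d: sorted(locs) for d, locs in groups.items()}


def same_bytes(path_a, path_b):
    """True when the two files are byte-identical (the 'file compare' step)."""
    return sha256_file(path_a) == sha256_file(path_b)


def build_sample(root):
    """Construct sample data: a flagged file, its backup copy, an unrelated file, a zip."""
    flagged = os.path.join(root, "sqlncli.msi")  # constructed stand-in, not a real MSI
    backup = os.path.join(root, "sqlncli_backup.msi")
    other = os.path.join(root, "other.bin")
    archive = os.path.join(root, "VirusCheck.zip")
    payload = b"constructed sample bytes " * 100
    for p in (flagged, backup):
        with open(p, "wb") as fh:
            fh.write(payload)
    with open(other, "wb") as fh:
        fh.write(b"different bytes")
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(flagged, "sqlncli.msi")  # the zip contains the flagged file
    return flagged, backup, other, archive


def triage_sample():
    """Run the grouping on constructed data; returns (backup identical?, group sizes)."""
    with tempfile.TemporaryDirectory() as root:
        flagged, backup, other, archive = build_sample(root)
        groups = digest_locations([flagged, backup, other, archive])
        identical = same_bytes(flagged, backup)
        sizes = sorted(len(locs) for locs in groups.values())
        return identical, sizes


if __name__ == "__main__":
    # Expected: (True, [1, 3]) - flagged file, backup and zip member share one digest
    print(triage_sample())
```

On real files you would pass the paths the scanner reported (including the zips) to `digest_locations` and read the output directly: one digest with the flagged file, the backup copy and the archive members listed under it is the situation haiku describes, and it is the matching digest, rather than the scanner's verdict, that you then take to the vendor when reporting a suspected false positive.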
