
please help me with a virus: win32/tenga.gen

Discussion in 'Malware and Virus Removal Archive' started by sela, 2007/12/16.

  1. 2007/12/16
    sela

    sela Inactive Thread Starter

    Joined:
    2007/12/16
    Messages:
    9
    Likes Received:
    0
    hello everybody!

    about two and a half weeks ago, my antivirus (NOD32) popped up a message saying i have a virus. the virus's name is Win32/tenga.gen.
    my hard drive is divided into two partitions, C and D. C is where the operating system windows XP is installed, and so are all the programs. D is where all my personal information is stored, such as pictures, movies, documents etc.

    i ran a scan on my computer, and NOD32 alerted that every exe file in partition D is infected with this virus. i couldn't use the option quarantine or delete because these are essential files, so i used the option clear, in hope it will remove the virus. i ran another scan and NOD32 found nothing this time. so i thought i removed the virus. but a few days later i found out all of those exe files are corrupted! they can no longer be used. i don't know what to do, and i'm asking for your help. i was told in another place to do a lot of virus scans, with some online services, but they found nothing. i don't know if the virus has been removed or not, but i do know that there are many files that need to be fixed.

    i also would like to know if i can burn pictures, and other documents that are not exe files, to a CD without worrying that the virus will transplant itself on the CD, because in that case, it has no point backing up.

    can anyone help me please?

    thank you,
    nir!
     
    sela,
    #1
  2. 2007/12/16
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi sela
    Welcome to Windowsbbs :)
    Can you give me a link to the place, and tell me if anything was done, tools ran etc.

    Please do this.

    Download a copy of HijackThis installer from here and save it to your Desktop.

    1. Save HJTInstall.exe to your desktop.
    2. Double-click on the HJTInstall.exe icon on your desktop.
      (Let it install to the default location C:\Program Files\Hijackthis)
    3. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    4. Put a check by Create a desktop icon and then click Next again.
    5. Continue to follow the rest of the prompts from there.
    6. At the final dialogue box click Finish and it will launch HijackThis.
    7. Click on the Do a system scan and save a log file button.
      (It will scan and the log should open in Notepad.)
    8. Click on "Edit" > "Select All" to highlight the entire Notepad contents.
    9. Then click on "Edit" > "Copy".
    10. Come back here to this thread and Paste the log in your next reply.
      (Right-click in the message body field and select "Paste".)
    CAUTION: DO NOT have HijackThis "fix" anything without carefully following expert guidance. Otherwise, you might render your computer unstable or even unbootable. Most of what HijackThis finds will be harmless or even required.


    Download FindAWF from the link below, saving to the desktop.

    http://noahdfear.geekstogo.com/FindAWF.exe

    Double click it to run. Choose option 1 press enter.

    Let the program run, a notepad will open after it has finished.

    Please copy and paste the results back here.

    That would not be a good idea at this point, unless you can run scans on each file to make sure it is not infected.

    Please post the HJT log and the FindAWF log.
    Thanks
    Geri
     
    Geri,
    #2


  4. 2007/12/20
    sela

    sela,
    #3
  5. 2007/12/20
    Geri Lifetime Subscription

    Hi sela
    OK, Thanks for that link.

    Your D Drive is the one that shows up infected correct?
    So Let's try it this way. Let's scan your D Drive only.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on D\Drive to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select D\Drive
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Also please run this and post the log.

    Download FindAWF from the link below, saving to the desktop.

    http://noahdfear.geekstogo.com/FindAWF.exe

    Double click it to run. Choose option 1 press enter.

    Let the program run, a notepad will open after it has finished.

    Please copy and paste the results back here.

    Please post the results of Panda, Kaspersky and the FindAWF logs.

    Thanks
    Geri
     
    Geri,
    #4
  6. 2007/12/21
    sela

    Panda's Online Scan results:

    Incident Status Location

    Possible Virus. Not disinfected D:\Michal\michal\burn\700usb\700usb.zip[Setup.exe]
    Possible Virus. Not disinfected D:\Michal\michal\burn\700usb\Setup.exe

    Kaspersky:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, December 21, 2007 7:52:28 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 21/12/2007
    Kaspersky Anti-Virus database records: 491206
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - Folders:
    D:\

    Scan Statistics:
    Total number of scanned objects: 45953
    Number of viruses found: 1
    Number of infected objects: 4
    Number of suspicious objects: 0
    Duration of the scan process: 00:34:46

    Infected Object Name / Virus Name / Last Action
    D:\0fa00d57325c27b0b73f9f709075a141\5d2d0f723449dd28a6d71f4ef1ac\update\update.exe Object is locked skipped
    D:\0fa00d57325c27b0b73f9f709075a141\5d2d0f723449dd28a6d71f4ef1ac\update\updspapi.dll Object is locked skipped
    D:\Install Files\Others\Nero Burning Rom\Install File - nue8.0.3.0r.iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe/data0017 Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    D:\Install Files\Others\Nero Burning Rom\Install File - nue8.0.3.0r.iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    D:\Install Files\Others\Nero Burning Rom\Install File - nue8.0.3.0r.iso/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    D:\Install Files\Others\Nero Burning Rom\Install File - nue8.0.3.0r.iso ISOimage: infected - 3 skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{7F743D24-1CC1-42AE-A865-3C62BB144EF4}\RP171\change.log Object is locked skipped

    Scan process completed.

    Awf:

    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Fri 12/21/2007
    The current time is: 19:54:34.84


    bak folders found
    ~~~~~~~~~~~




    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report


    in each scan it found something. but i don't know what to do about it. can u help?

    thanks!
    sela
     
    sela,
    #5
  7. 2007/12/21
    Geri Lifetime Subscription

    Hi sela

    Do you know what this is?
    700usb
    Could it be Pinnacle Studio Plus ?

    Also, just to put your mind at ease, I don't believe that all your files are infected in your D Drive; Panda and/or Kaspersky would have picked that up. I believe you are getting a false/positive from NOD32.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2007/12/22
    sela

    hey!

    the entire folder 700Sub has been deleted! i don't know what that was, but my sister told me i can delete it.

    what now?

    thank you,
    nir!
     
    sela,
    #7
  9. 2007/12/22
    Geri Lifetime Subscription

    Hi sela
    OK.

    Download OTMoveIt by OldTimer to your Desktop.
    • Double click OTMoveIt.exe to launch it.
    • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
    • Click the Move It button.
    • The list will be processed and the results will appear in the right hand pane.
    • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    • When finished click Exit to exit the programme.
    • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    Please run a Kaspersky scan on your D Drive again and post the results.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2007/12/22
    sela

    hi geri!

    i used that program u gave me, and it moved all 4 files.

    afterwards, i ran kaspersky again.
    it found nothing. here's the log:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, December 22, 2007 11:55:21 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 22/12/2007
    Kaspersky Anti-Virus database records: 491904
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - Folders:
    D:\

    Scan Statistics:
    Total number of scanned objects: 45940
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 00:35:48

    Infected Object Name / Virus Name / Last Action
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{7F743D24-1CC1-42AE-A865-3C62BB144EF4}\RP173\change.log Object is locked skipped

    Scan process completed.


    what now?

    good night,
    sela
     
    sela,
    #9
  11. 2007/12/22
    Geri Lifetime Subscription

    Hi sela
    OK Very Good.

    Now open up OTMoveIt again and click the cleanUp button.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Scan with Nod32 and see if you still get the infection warning.
    Like I said before I believe it was a false/positive but I'd like to know if it still finds anything.

    Let me know.

    Thanks
    Geri
     
  12. 2007/12/23
    sela

    Geri,

    i did as you told me:

    i used the ATF Cleaner, and i pressed "Select All"

    then i ran an in-depth analysis of NOD32 and it found nothing.

    i understand the virus is removed, right?

    now i need to find a way to fix my exe files, corrupted by "win32/tenga.gen".

    how do we go on from here?

    thanks,
    sela
     
  13. 2007/12/23
    Geri Lifetime Subscription

    Hi sela
    This is from your post on the other board.
    Please try to open a few of those files and tell me exactly what the error messages are, and which exe files it is you tried to open.

    Thanks
    Geri
     
  14. 2007/12/23
    sela

    hey Geri!

    here are a few examples:

    1) eMule_Pro_2007_FixIt: the emule installer
    the message:
    "couuld not find fata segment"
    message name: "Launcher Error"

    2) klmcodec210: a codec pack installer
    the message:
    "the setup files are corrupted. please obtain a new copy of the program"
    message name: "Error"

    3) mv2p070RC2p: the MV2Player installer
    the message:
    "the installer you are trying to use is corrupted or incomplete. this could be the result of a damaged disk, a failed download or a virus.

    you may want to contact the auther of the installer to obtain a new copy.

    it may be possible to skip this check using the /NCRC command line switch (not recommended)."

    message name: "NSIS Error"

    4) winamp55_full_emusic-7plus_en-us: Winamp 5 installer
    the message:
    "the installer you are trying to use is corrupted or incomplete. this could be the result of a damaged disk, a failed download or a virus.

    you may want to contact the auther of the installer to obtain a new copy.

    it may be possible to skip this check using the /NCRC command line switch (not recommended)."

    the same one as in case 3.

    message name: "NSIS Error"

    again, every single exe file shows one message or another. these are just a few examples.

    thanks,
    nir
     
  15. 2007/12/23
    Geri Lifetime Subscription

    Hi sela
    We first need to rule out the possibility of Windows Installer being corrupted on the machine.
    Let's download something and try running it. Just a quick google came up with Network Magic as something that requires the Windows Installer to work. Need only to download and double click to run.
    Let me know if it will run.

    Geri
     
  16. 2007/12/23
    sela

    hi Geri

    yes, the installation worked!
    the program has been successfully installed on my PC.

    thanks,
    sela
     
  17. 2007/12/24
    Geri Lifetime Subscription

    Hi sela
    OK, That's good.

    You can uninstall Network Magic

    OK, because these are not system files, but the installers for programs that are corrupted that are installed on your D Drive, the programs have already been installed and set up, so you don't have to do anything really.

    The only way to really fix them is to delete and redownload the program installers, but it is not really necessary, because it is just the installer and set up files that are corrupted for the programs. Open one of the programs, it should still work.

    Having any p2p file sharing apps such as Limewire, BitTorrent, uTorrent, eMule, etc. is almost like inviting malware into your computer. There is absolutely no way for you to know which of the hundreds of thousands of users you are sharing files with are infected or not.
    I strongly recommend removing any P2P applications.

    Your Logs are clean of Malware.

    Please look at this link for some preventive recommendations. It could keep you from ending up back here to the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    Geri
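
An added example, not part of the original thread and not code from any tool named in it: a Python check that an .exe still has a consistent PE structure, useful for listing which installers on a drive need to be re-downloaded after a disinfection. The function names `check_pe`, `triage` and `build_sample_pe` are made up here, and the sample image is constructed for the demo.

```python
import os
import struct

def check_pe(data: bytes) -> list:
    """Return structural problems in a PE file image; an empty list means it parses cleanly."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["missing MZ (DOS) header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["missing or out-of-range PE signature"]
    # The 20-byte COFF header follows the 4-byte signature.
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    sec_off = opt_off + opt_size
    if opt_size < 20 or sec_off + 40 * n_sections > len(data):
        return ["optional header or section table truncated"]
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    problems, entry_ok = [], entry_rva == 0
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        if raw_size and raw_ptr + raw_size > len(data):
            problems.append(f"section {label}: raw data runs past end of file")
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            entry_ok = True
    if not entry_ok:
        problems.append("entry point lies outside every section")
    return problems

def triage(root: str) -> dict:
    """Map each damaged or unreadable .exe under root to its list of problems."""
    damaged = {}
    for folder, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".exe"):
                continue
            path = os.path.join(folder, fname)
            try:
                with open(path, "rb") as fh:
                    problems = check_pe(fh.read())
            except OSError as exc:  # e.g. a locked file, as in the scan logs above
                problems = [f"could not be read: {exc}"]
            if problems:
                damaged[path] = problems
    return damaged

def build_sample_pe() -> bytes:
    """Constructed 1 KiB PE32 image with one .text section (sample input, not a real program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, one section
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, 0x1000).ljust(224, b"\0")
    sect = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200).ljust(40, b"\0")
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(0x200, b"\0") + b"\xC3" * 0x200

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, problems in triage(sys.argv[1]).items():
            print(path, "->", "; ".join(problems))
    else:
        image = build_sample_pe()
        print("intact:   ", check_pe(image))
        print("truncated:", check_pe(image[:0x300]))
```

A file that passes this check can still be damaged: byte-level changes that leave the structure intact are only caught by the installer's own integrity check (the NSIS error quoted above) or by comparing against a fresh download.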
     
  18. 2007/12/24
    sela

    hi!

    thank you very much for everything...i really appreciate your time and effort!
    i'll try to prevent things like that in the future! :)
    regards,
    sela!
     
