Solved

TPE encrypted virus

Posted on 2004-09-29
11
512 Views
Last Modified: 2012-05-05
I have windows XP and run Vet anti-virus. I was notified that my computer was infected with a TPE encrypted virus which VET could not clean but instead re-named and deleted except that when I run VET again it says it has done the same thing again and again and again. I have disbabled system restore and run VET in safe Mode after deleting all my Prefetch BUT it is still there. what can I do ? VET doesn't give me anymore info on the virus apart from what I've given you, that's it ! I look forward to your reply.
0
Comment
Question by:stayhappy
  • 3
  • 2
  • 2
  • +1
11 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12179249
Download Stinger from here http://vil.nai.com/vil/stinger/
and also use this online virus scan http://housecall.trendmicro.com/  to see if they all report the same virus.

Run these in safe mode aswell and see if there is any difference.

What is the exact name of the virus ?

What do you mean by this
run VET in safe Mode after deleting all my Prefetch ??

Try doing this
Remove temporary internet files, folders and cookies
Also remove windows Temp files going to

1) Start --> run --> typein:  %systemroot%/temp
2) Start  --> run --> typein: %temp%

Also you may want to reinstall your anti-virus to see if that would help

SR
0
 

Author Comment

by:stayhappy
ID: 12186323
I've done as you said and both scans bring up no trace of any virus at all , same result in safe Mode , BUT VET still says that I've got the virus. and it gives me NO name , NO other description apart from TPE encrypted virus . that's it !


What do you mean by "run VET in safe Mode after deleting all my Prefetch ??" i was advised to do that by someone else which gave no result. just though you should know.

haven't reinstalled my anti virus BUT I downloaded AVG Anti-virus Free Edition and ran that and that didn't detect a virus either
 
 
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12188717
>> What do you mean by "run VET in safe Mode after deleting all my Prefetch

I was asking that because you said that same message in your comment and I didnot understand what you meant by that..
0
 
LVL 6

Accepted Solution

by:
nomi17 earned 250 total points
ID: 12192757
It looks like there may be files left over in the registry that will cause the launch of this infection after every reboot.  

Download this file(RegScrub XP):
http://www.majorgeeks.com/download2048.html
This app scans your registry for invalid entries and deletes them (actually, it removes them and stores it just in case you need to restore).

Follow sunrays instructions to delete all temp files and cookies.  Boot in safe mode and rescan your computer and let VET detect, rename and delete the files in question.  

Once this is done, run RegScrub and let it scan your registry.  Select all entries if finds and delete them.
Reboot normally and run another VET scan and let us know how it goes.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 6

Expert Comment

by:nomi17
ID: 12192774
Note:  Run Regscrub twice since the first scan will remove entries that are "tied" to others.  The second scan will remove anything leftover.
0
 

Author Comment

by:stayhappy
ID: 12196733
Thanx for your input.

I uninstalled VET and then ran stinger then the Regscrub ( 100+ problems located ) twice then reinstalled VET ( with upgrade ) and ran VET and no sign of virus. that means I'm Ok doesn't it ?
0
 
LVL 12

Assisted Solution

by:rossfingal
rossfingal earned 250 total points
ID: 12208447
Hi!  stayhappy

It probably means you're clean.
However, just to be sure -
Make sure the option to "Show all Files and Folders", including hidden and system, is enabled
Search your entire computer for any instances of the following files:
(particularly check the prefetch, dllcache, and all temp folders)
history.doc
polyengine.dos.tpe.11
polyengine.dos.tpe.12
polyengine.dos.tpe.13
tpe.obj
tpe-gen.com
tpe-gen.obj
tpe-v11.asm
tpe-v12.asm
tpe-v13.asm
Delete all that you find (if present)
Empty the recycle bin
Reboot your computer and you should be fine.

Regards...
RF
0
 
LVL 6

Expert Comment

by:nomi17
ID: 12275803
Hi stayhappy,

Was away on a much needed vacation!
Just wanted to follow up on your issue.  Hope the suggestions given on this post helped you solve your problem.  Please let us know.

Thanks,
nomi17
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now