Pianoman Virus
Zniper asked:
Hi
We have a virus on one of our depots that corrupts Office files.
McAfee and Malwarebytes don't do anything to it. System Restore is also disabled for safety.
https://forums.malwarebytes.org/index.php?showtopic=134599
https://community.mcafee.com/thread/53530
Anyone know how to fix it?
This is what's currently installed for AV:
Computer Name: 20116PC-HASWELL
McAfee Agent
Version number: 4.8.0.887
Managed
Last security update check: 2013/10/11 01:19:48 PM
Last agent-to-server communication: 2013/10/11 01:17:10 AM
Agent to Server Communication Interval (every): 3 hours
Policy Enforcement Interval (every): 1 hours 20 minutes 0 seconds
Agent ID: {063A1BA4-14D5-489B-91B6-AC2CFF16F6EA}
ePO Server/Agent Handler
DNS Name:
IP Address:
Port Number: 443
McAfee VirusScan Enterprise + AntiSpyware Enterprise
Version number: 8.8.0 (8.8.0.975)
Build date: 2012/08/14
Anti-virus License Type: licensed
Scan engine version (32-bit): 5600.1067
DAT version: 7224.0000
DAT Created on: 10/10/2013
Number of Signatures in extra.dat: 0
Name of threats that extra.dat can detect: None
Buffer Overflow and Access Protection DAT version: 657
Installed Patches: 2
Here are some print screens:
Since you have a valid AV license, submit the suspicious exe file to McAfee so it can be added to the next DAT file.
To remove it, you can try any anti-malware such as Malwarebytes (http://www.malwarebytes.org) or Microsoft Security Essentials (http://windows.microsoft.com/en-us/windows/security-essentials-download).
I did a quick search and found this:
http://technomag.co.zw/2013/05/28/pc-tip-of-the-day-beware-of-the-pianomancorrupt-virus/
and this
http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/how-do-i-remove-the-piano-man-corrupt-virus/a1d2b0b0-0a58-4ef5-8143-22cfa3abd21c
I highly recommend the MBAM route. Try using Chameleon instead, though:
http://www.malwarebytes.org/products/chameleon/
This is a good guide for most viruses even though it is aimed at the System Care Rogue Antivirus:
https://forums.malwarebytes.org/index.php?showtopic=125373
ASKER
Special thanks to Sophos!
https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YRA/detailed-analysis.aspx
Runtime Analysis
Copies Itself To
C:\Hot fotos.exe
C:\LOVE.exe
C:\My Musik.exe
F:/Hot fotos.exe
F:/LOVE.exe
F:/My Musik.exe
c:\Documents and Settings\test user\C5DvYhs.exe
Registry Keys Created
HKCU\Software\VB and VBA Program Settings\State\States
Status
1
Processes Created
c:\Documents and Settings\test user\c5dvyhs.exe
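As an added example (not from this thread and not Sophos' code), a PowerShell sweep that checks a Windows host for the artifacts the analysis above lists, so infected depot machines can be found while AV definitions are still catching up. The dropper file names, the process name and the registry key come from the analysis; the function name and the heuristic that flags executables sitting directly in a profile directory are assumptions.

```powershell
# Added example: sweep one host for Troj/Agent-YRA (Pianoman) artifacts.
# Run from an elevated PowerShell; detection only, nothing is deleted.
function Find-PianomanArtifacts {
    $dropperNames = @('Hot fotos.exe', 'LOVE.exe', 'My Musik.exe')   # from the analysis
    $regKey = 'HKCU:\Software\VB and VBA Program Settings\State\States'
    $findings = @()

    # 1. Dropper copies at the root of every file-system drive (C:\, F:\ ...)
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($name in $dropperNames) {
            $candidate = Join-Path $drive.Root $name
            if (Test-Path -LiteralPath $candidate) { $findings += "Dropper copy: $candidate" }
        }
    }

    # 2. Randomly named .exe directly inside a user profile (analysis: C5DvYhs.exe).
    #    Heuristic (assumption): legitimate software rarely lives there.
    $profileRoot = Split-Path $env:USERPROFILE -Parent
    foreach ($profile in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($exe in Get-ChildItem -LiteralPath $profile.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
            $findings += "Executable in profile root: $($exe.FullName)"
        }
    }

    # 3. Persistence: a Startup-folder shortcut pointing at an .exe in a profile
    #    root, plus the VB/VBA settings key the sample creates.
    $shell = New-Object -ComObject WScript.Shell
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($lnk in Get-ChildItem -Path $startup -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if ($target -like '*.exe' -and (Split-Path (Split-Path $target -Parent) -Parent) -eq $profileRoot) {
            $findings += "Startup shortcut $($lnk.Name) -> $target"
        }
    }
    if (Test-Path -LiteralPath $regKey) { $findings += "Registry key present: $regKey" }

    # 4. A running copy of the dropped executable named in the analysis
    foreach ($proc in Get-Process -Name 'c5dvyhs' -ErrorAction SilentlyContinue) {
        $findings += "Process running: $($proc.Name) (PID $($proc.Id))"
    }
    return $findings
}

$hits = @(Find-PianomanArtifacts)
if ($hits.Count -eq 0) {
    Write-Output "No Pianoman artifacts found on $($env:COMPUTERNAME)"
} else {
    Write-Output "Pianoman artifacts found on $($env:COMPUTERNAME):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

Pushing the script out to the depot machines through the ePO agent or a logon script gives a per-host list of hits to review before cleanup.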
ASKER
Took the definition of Pianoman and added the files to the McAfee policy manually.
If you still have an issue, you might want to try ComboFix at bleepingcomputer.com.
I've also used the above in combination with doing a system restore, although I see that's not an option in our scenario.
The surest solution is to copy off your data, if that's possible, and then just do a wipe and reload of Windows. It's an extreme solution, but sometimes that's what you're left with.