Zniper asked:

Pianoman Virus

Hi

We have a virus on one of our depots that corrupts Office files.

McAfee and Malwarebytes don't do anything to it. System Restore is also disabled for safety.

https://forums.malwarebytes.org/index.php?showtopic=134599

https://community.mcafee.com/thread/53530

Anyone know how to fix it?

This is what's currently installed for AV:

Computer Name: 20116PC-HASWELL

McAfee Agent
Version number: 4.8.0.887
Managed
Last security update check: 2013/10/11 01:19:48 PM
Last agent-to-server communication: 2013/10/11 01:17:10 AM
Agent to Server Communication Interval (every): 3 hours
Policy Enforcement Interval (every): 1 hours 20 minutes 0 seconds
Agent ID: {063A1BA4-14D5-489B-91B6-AC2CFF16F6EA}
ePO Server/Agent Handler
DNS Name:
IP Address:
Port Number: 443

McAfee VirusScan Enterprise + AntiSpyware Enterprise
Version number: 8.8.0 (8.8.0.975)
Build date: 2012/08/14
Anti-virus License Type: licensed
Scan engine version (32-bit): 5600.1067
DAT version: 7224.0000
DAT Created on: 10/10/2013
Number of Signatures in extra.dat: 0
Name of threats that extra.dat can detect: None
Buffer Overflow and Access Protection DAT version: 657
Installed Patches: 2

Here are some print screens.

[Four screenshots attached in the original post]
jhyiesla replied:

If you haven't already done so, try rebooting your computer in safe mode and running Malwarebytes again. While not the usually recommended way to run MWB, I've had luck doing this, as most times it will gut the infection well enough that then running MWB in normal mode will finish the task.

If you still have an issue you might want to try Combofix at bleepingcomputer.com.

I've also used the above in combination with doing a system restore, although I see that's not an option in our scenario.

The most for-sure solution is to copy off your data, if that's possible, and then just do a wipe and reload of Windows. It's an extreme solution, but sometimes that's what you're left with.

Another reply:

Since you have a valid AV license, submit the suspicious .exe file to McAfee to be added to the next DAT file.

To remove it, you can try any antimalware such as Malwarebytes (http://www.malwarebytes.org) or Microsoft Security Essentials (http://windows.microsoft.com/en-us/windows/security-essentials-download).
Zniper (asker) replied:

Special thanks to Sophos!

https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YRA/detailed-analysis.aspx

Runtime Analysis (from the Sophos page linked above)

Copies Itself To

    C:\Hot fotos.exe
    C:\LOVE.exe
    C:\My Musik.exe
    F:/Hot fotos.exe
    F:/LOVE.exe
    F:/My Musik.exe
    c:\Documents and Settings\test user\C5DvYhs.exe

Dropped Files (all first seen 2012-11-05; every Office file below has file type "Unspecified binary - probably data", i.e. it is no longer a valid document; the per-file SHA-1/MD5/CRC-32 values are on the linked Sophos page)

    c:\Documents and Settings\test user\My Documents\GOAT1PianoManCorrupt.XLS (28K)
    c:\Documents and Settings\test user\My Documents\GOAT2PianoManCorrupt.XLS (32K)
    c:\Documents and Settings\test user\My Documents\GOAT4PianoManCorrupt.XLS (62K)
    c:\Documents and Settings\test user\My Documents\GOAT3PianoManCorrupt.XLS (47K)
    c:\Documents and Settings\test user\My Documents\GOAT5PianoManCorrupt.XLS (77K)
    c:\Documents and Settings\test user\My Documents\GOAT7PianoManCorrupt.XLS (107K)
    c:\Documents and Settings\test user\My Documents\GOAT6PianoManCorrupt.XLS (92K)
    c:\Documents and Settings\test user\My Documents\GOAT8PianoManCorrupt.XLS (121K)
    c:\Documents and Settings\test user\My Documents\sample1PianoManCorrupt.doc (27K)
    c:\Documents and Settings\test user\My Documents\GOAT9PianoManCorrupt.XLS (509K)
    c:\Documents and Settings\test user\My Documents\sample1PianoManCorrupt.ppt (12K)
    c:\Documents and Settings\test user\My Documents\SAMPLE1PianoManCorrupt.XLS (33K)
    c:\Documents and Settings\test user\Start Menu\Programs\Startup\fRDC617.lnk (size 667, Windows Shortcut file (.LNK))

Registry Keys Created

    HKCU\Software\VB and VBA Program Settings\State\States
        Status = 1

Processes Created

    c:\Documents and Settings\test user\c5dvyhs.exe
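A host-inventory sweep for the indicators in the Sophos listing above (drive-root self-copies, "PianoManCorrupt" Office files, the Startup shortcut, the HKCU key), written as an added example rather than Sophos or McAfee code. The inventory it scans is constructed, and the labels and the "executable in a profile root" heuristic are my own assumptions.

```python
import re
from pathlib import PureWindowsPath
# Filenames the sample copies itself under at drive roots (from the Sophos listing).
ROOT_COPY_NAMES = {"hot fotos.exe", "love.exe", "my musik.exe"}
# Dropped Office files in the listing carry "PianoManCorrupt" before the extension.
CORRUPT_RE = re.compile(r"pianomancorrupt\.(xls|doc|ppt)$", re.IGNORECASE)
# Registry key the sample creates (HKCU hive), compared case-insensitively.
REG_KEY = r"hkcu\software\vb and vba program settings\state\states"

def classify_path(path):
    """Return the indicator label a file path matches, or None if it matches none."""
    p = PureWindowsPath(path)  # accepts both the C:\... and F:/... forms in the listing
    name = p.name.lower()
    parts = [x.lower() for x in p.parts]
    if name in ROOT_COPY_NAMES and len(parts) == 2:   # parent is the drive root itself
        return "self-copy at drive root"
    if CORRUPT_RE.search(name):
        return "corrupted Office document"
    if name.endswith(".lnk") and "startup" in parts and "programs" in parts:
        return "shortcut in Startup folder (review its target)"
    # Assumed heuristic: an .exe directly in a user profile root, like C5DvYhs.exe.
    if name.endswith(".exe") and len(parts) == 4 and parts[1] == "documents and settings":
        return "executable in user profile root (review)"
    return None

def sweep(file_paths, registry_keys):
    """Map each indicator label to the inventory items that matched it."""
    hits = {}
    for path in file_paths:
        label = classify_path(path)
        if label:
            hits.setdefault(label, []).append(path)
    for key in registry_keys:
        if key.lower().rstrip("\\") == REG_KEY:
            hits.setdefault("registry key created", []).append(key)
    return hits

# Constructed sample inventory (not a real host): indicators mixed with benign entries.
SAMPLE_FILES = [
    r"C:\LOVE.exe", r"F:/My Musik.exe", r"C:\Windows\explorer.exe",
    r"c:\Documents and Settings\test user\C5DvYhs.exe",
    r"c:\Documents and Settings\test user\My Documents\GOAT1PianoManCorrupt.XLS",
    r"c:\Documents and Settings\test user\My Documents\Budget2013.xls",
    r"c:\Documents and Settings\test user\Start Menu\Programs\Startup\fRDC617.lnk",
]
SAMPLE_KEYS = [r"HKCU\Software\VB and VBA Program Settings\State\States", r"HKCU\Software\Microsoft\Office"]
if __name__ == "__main__":
    for label, items in sweep(SAMPLE_FILES, SAMPLE_KEYS).items():
        print(f"{label}: {items}")
```

On a live host you would feed `sweep` the output of a directory walk and a registry export rather than the constructed lists.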
ASKER CERTIFIED SOLUTION
Zniper
(solution text available to Experts Exchange members only)
Zniper (asker) replied:

Took the definition of Pianoman and added the files to the McAfee policy manually.