Author Topic: Win32 Tenga  (Read 17492 times)


Dewbacca

  • Guest
Win32 Tenga
« on: July 27, 2005, 01:48:09 AM »
Today out of nowhere Avast started going off, reporting that every .exe on my 2nd drive had been infected with the win32 Tenga and after attempting to repair them, I had them sent to the chest and scheduled a boot time scan, and rebooted.

During the boot up, it proceeded to scan, found the infected files, AND DELETED THEM! No prompt or anything. After reading as much as I can find on the Tenga virus, I am surprised to find it:

A: on my system which is fully updated Win Xp
B: on my 2nd drive, but mysteriously not on the root, or any other drive on my network
C: that it wasn't detected before infection as I am a devoted fan of Avast and promote this team and its product to every computer owner I know. I don't suppose being a fan would make much difference when trojans do their thing... but I had / have complete faith in Avast, which has stopped everything the internet has thrown at me for over 2 years.  :-*
D: just recently was added to the VPS, wait.... just getting the Panda report... says there is a new Tenga-A... scratch D: altogether.

So, any suggestions what I should do after scanning thoroughly and getting ready to redownload all I lost with dialup?  ???

Ohhh, and oddly enough, and y'all may already know this, it didn't seem to affect anything in a .zip file. Or should I unzip and rescan?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32 Tenga
« Reply #1 on: July 27, 2005, 03:31:44 AM »
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Win32 Tenga
« Reply #2 on: July 27, 2005, 10:16:19 AM »
The detection of Tenga was added a week ago - so it certainly should be detected (unless it was some new variant, which I doubt). Do you have the scanning of created/modified files enabled for Standard Shield?

How did you schedule the boot-time scan? There's an advanced option "Select default action for infected file" in the scheduling dialog; of course, if set to Delete, the file would be deleted; otherwise, avast! should ask you.

Dewbacca

  • Guest
Re: Win32 Tenga
« Reply #3 on: July 27, 2005, 03:45:36 PM »
As I wrote that I was on this computer (win2k advanced... down the network a bit) and had the ICS computer (infected win xp) scanning and opening pages to different online scans. While at this station I was reading and the most recent Tenga report I found was over a year old.... all indicators pointed to it being an older virus. Thus my surprise at finding Avast only added it a week ago.

Of course then I go to the other computer to check its progress, and the Panda page had finally opened up. That was the first I read of a "New" variant.

My faith in Avast is not shaken... maybe a little stirred... but it has served me so well in the past I can't complain. Many of my friends have lost more, and had much worse issues... JUST DELETING NORTON hahaha.

I also understand there must be some size of window between Viri being released, and then being added to the VPS of ANY AV software. So I am grateful that Avast is available to help me catch it before I backed up all of the infected files, or shared them with friends.

I set the standard as you suggested, to scan modified files, and am not quite sure how I scheduled the boot time scan... I've done it dozens of times... but I don't think it is set to automatically delete files... I'll look into that, thank you.

But Please, don't anyone take this as a complaint, or a rant. I am Very Happy with Avast, and extremely satisfied with the quality of the product. I only wish I could afford the paid versions to help support the effort, and of course to help protect my network.

Thank you all, and may the Gods (and ups's) protect your computers.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Win32 Tenga
« Reply #4 on: July 27, 2005, 04:04:59 PM »
One year old? I doubt it... Symantec, Kaspersky, McAfee all have a discovery date of 13th July 2005. Maybe some naming conflict?

mrdm

  • Guest
Re: Win32 Tenga
« Reply #5 on: July 28, 2005, 12:40:52 AM »
As far as I remember, you can program the boot scan to delete files automatically; maybe you checked that option...

Dewbacca

  • Guest
Re: Win32 Tenga
« Reply #6 on: July 28, 2005, 02:58:22 PM »
Well, it's still on my system and infecting the same drive. Downloaded, among other things, the Avast cleaner tool, and around 10 am yesterday Avast reported that it was infected, along with any of the .exe's I had replaced.

In researching the "Release" date, near as I can decipher, I misunderstood the "Affects computers without Windows updates released in 2003" to mean they released the patches in response to the Tenga. I am mistaken... not the first time, so don't get excited.

My win2k Advanced server machine on my network (office surplus machines and cobbled together junk is all I own) is the only one not protected with Avast, and it runs my E-mule client, so I suspect it is the source of the infection. But fact is, I am just guessing here. Avast's Home (free) edition won't scan it across my network.

I have downloaded AVG and am running it on the win2k machine now. Any other suggestions to find the source of this infection? I have not opened E-mule since discovering the infection, but need to run it to replace my xp home disc so I can reinstall on my ICS machine. I'm on Dialup, so the Jotti upload of every file is out of the question, and the Avast Cleaner found nothing.

Also, as a second question I have been meaning to ask all along... the P2P shield lists many fileshare clients, but does not specifically mention E-mule. Is it covered in the P2P shield, and will running Avast on the ICS host protect me with the E-mule client being run on a network machine?

Offline chocholo

  • Poster
  • *
  • Posts: 645
  • BSC, GSC, MCP
    • Avast
Re: Win32 Tenga
« Reply #7 on: July 28, 2005, 03:08:32 PM »
> My win2k Advanced server machine on my network (office surplus machines and cobbled together junk is all I own) is the only one not protected with Avast, and it runs my E-mule client, so I suspect it is the source of the infection. But fact is, I am just guessing here.

If that computer is patched with Microsoft's updates, then it is probably not the source of infection.

> Avast's Home (free) edition won't scan it across my network.

I think that if you have access to the admin share c$, then you can map it as a network drive and scan it from the Home version.

> Also, as a second question I have been meaning to ask all along... the P2P shield lists many fileshare clients, but does not specifically mention E-mule. Is it covered in the P2P shield, and will running Avast on the ICS host protect me with the E-mule client being run on a network machine?

eMule is listed in at least the last two versions of avast!.

« Last Edit: July 28, 2005, 03:15:13 PM by chocholo »

Dewbacca

  • Guest
Re: Win32 Tenga
« Reply #8 on: July 28, 2005, 04:31:49 PM »
AVG found 5 "instances" of a "Backdoor Trojan: Mosucker.W" on the win2k machine, and of course deleted them.... gee, this is a recurring theme.

I just recently updated to the "latest" version of the Avast program, so perhaps I should look a little closer at the P2P shield settings, thank you.

But with both machines fully patched (win2k-sp4, winxp-sp2), and also religiously using Grisoft's Dcombobulator and other appropriate blocker/stopper/malware fighters, I'd think I would be immune to the Tenga, but just 5 minutes ago Avast began reporting new infected .exe's (and I haven't put any new on the drive affected) on that same drive.

This time I did nothing with the files (as opposed to moving them to the chest, or deleting them) for further review. Maybe we can get to the bottom of this before it gets worse.

Anyone got a clue as to why I am getting infected? I would think either my updated system would prevent infection, or Avast would catch the file spreading it... not just catch the infected files AFTER the infection. That's not very helpful.
« Last Edit: July 28, 2005, 04:44:17 PM by Dewbacca »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Win32 Tenga
« Reply #9 on: July 28, 2005, 05:51:11 PM »
Do you have a shared drive? To me, it sounds like somebody is infecting your files from the network.
Sure, there may be some unknown version of the virus (I mean, some packed dropper) running in the background (you may check the running processes) - but I think the virus is quite "fast" on the infection, so it would probably infect the files immediately when activated, not after some time.
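
The question raised in this reply (are the executables on the shared drive being changed in one fast burst between scans?) can be checked with a hash baseline. The following is an added example, not part of the thread or of any avast! tool; the function names, the 300-second window and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each .exe under root (relative path) to (sha256, mtime)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue  # the thread reports only .exe files being hit
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (digest.hexdigest(), os.stat(full).st_mtime)
    return state

def compare(before, after):
    """Executables whose content changed, appeared, or vanished between snapshots."""
    return {
        "changed": sorted(p for p in before if p in after and before[p][0] != after[p][0]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }

def modification_burst(after, paths, window_seconds=300):
    """True when two or more files were all modified inside one short window."""
    times = [after[p][1] for p in paths]
    return len(times) >= 2 and max(times) - min(times) <= window_seconds

def demo():
    """Constructed sample tree: two executables are altered, a .txt is ignored."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "tools"))
        for name in ("a.exe", "tools/b.EXE", "clean.exe", "notes.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"MZ constructed placeholder " + name.encode())
        before = snapshot(root)
        for name in ("a.exe", "tools/b.EXE", "notes.txt"):
            with open(os.path.join(root, name), "ab") as fh:
                fh.write(b" appended bytes")  # stands in for any unexpected change
        after = snapshot(root)
        diff = compare(before, after)
        return diff, modification_burst(after, diff["changed"])

if __name__ == "__main__":
    print(demo())
```

Taking the first snapshot from known-clean copies and the second after the next alert shows exactly which files changed; the modification times can then be matched against when each networked machine was switched on.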

Dewbacca

  • Guest
Re: Win32 Tenga
« Reply #10 on: July 28, 2005, 10:36:44 PM »
The drive that keeps reporting the infection is a secondary drive on the xp/ics host computer, and it shows as a shared drive in the network places of my win2k advanced server machine. xp/ics host is protected by avast and has been scanned by it.

The win2k is where I run my file share (bearsharepro .exe was infected by something called a Mosucker.W and detected and quarantined by AVG today, but has not been run in months), E-mule and it is now protected by AVG, which detected no Tenga.A trojan.

Both are fully updated (win2k to sp4, xp to sp2) and have had grisoft's Dcombobulator run on them, as well as regular scans from a fully updated Ad-Aware SE.

Shall I post a HijackThis log for your inspection?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Win32 Tenga
« Reply #11 on: July 29, 2005, 12:53:34 AM »
> Shall I post a HijackThis log for your inspection?

Sure, that cannot hurt.

mgordon

  • Guest
Re: Win32 Tenga
« Reply #12 on: September 20, 2005, 01:53:04 AM »
Turn off system restore before scanning and removing the virus, or it will just reinstall itself as you remove it.
If you don't, it will end up infesting both avast and most other .exe files on your computer, finally causing Windows to crash.

MFB

  • Guest
Re: Win32 Tenga
« Reply #13 on: September 20, 2005, 01:56:13 AM »
mgordon, can you please resize your avatar?  Thanks in advance.  :)

MonkeyWrench

  • Guest
Re: Win32 Tenga
« Reply #14 on: June 12, 2006, 04:50:01 PM »
Yes, another sad story: today I find out my PC has the Win32 Tenga. I'm going through trying to delete it, but I can't believe avast hasn't picked it up.