Gen:Variant.Kazy.79682 virus - How to remove it manually without losing files on my computer?
F-Secure found four viruses titled "Gen:Variant.Kazy.79682" on my PC last night.
F-Secure said the files infected by the virus are packed (like in a zip file) and F-Secure can't handle them automatically.
F-Secure said the files infected by the virus are titled "fi6F51EA7D8..." and "stream 3".
F-Secure suggested that I open the zip files and remove the files infected by the virus manually, but when I searched my computer (with Windows Explorer) for "fi6F51EA7D8..." and "stream 3", my computer wasn't able to find these "fi6F51EA7D8..." and "stream 3" files.
How am I able to remove the Gen:Variant.Kazy.79682 virus without losing my important master's thesis files on my computer, when the computer can't find the files infected by the virus?
Does anyone have an idea what the Gen:Variant.Kazy.79682 virus usually does?
I'm writing my master's thesis and I'm wondering whether it is wise to open my computer at all before Monday, when I hopefully get customer support from F-Secure?
Thank you so much for your replies!!
Comments
-
Sounds nasty, and I hope you get the help you need - but I think it's best left to someone more professional than me.
I guess this begs the question though, how did the machine become infected in the first place? Did it get past FS, or was FS not installed when the machine was infected?
-
It looks like a nasty little trojan: http://www.enigmasoftware.com/genvariantkazy-removal/
Emsisoft state that they know of this infection and that their AntiMalware product can detect it. http://www.emsisoft.com/en/malware/?Gen.Variant.Kazy.79682.AMN
You can sign up for their Forum where they have a separate section devoted to helping with malware removal: http://support.emsisoft.com/
Maybe worth a shot while waiting for the experts at F-Secure to get back to you. As you say, you will have to manually delete the infected files.
In the future I would highly recommend layered protection where you are not just relying on an AntiVirus; I can highly recommend Sandboxie/AppGuard/NoVirusThanks as excellent companions to an AV.
More importantly, I would always have imaging backup on any computer so you can revert back to a clean state; AX 64 Time Machine or Macrium Reflect are highly recommended in this regards.
Important thing here is not to panic as your thesis is still there together with the malware.
Once up and running clean again, take a backup to an external drive/load copies of your thesis on an external drive/flashdrive/online storage site.
Good luck.
-
BlackCat's advice sounds worth a try.
If it was my machine, what I might try is going into Task Manager and manually closing all running processes, except explorer.exe, and those belonging to F-Secure. Hopefully one of the processes will be the virus, and then I would try another scan with FS to see if it can deal with it. If at any time things go haywire, a reboot should get you (and the virus) up and running again.
But, as I've said, that's what I would do, sitting at my own machine, and it's a pure guess as to whether it would work. I would still recommend you get professional help by raising a support ticket with F-Secure, or perhaps try the Live Chat facility.
Good luck!
-
Would it be unfair to suggest that it's a little disappointing that F-Secure didn't block this in the first place, given that it appears to be quite a well established trojan? It's all very well detecting the virus after it's infected the machine, but I thought the whole idea of security software was to prevent infections, not just detect them once it had let them in. It's a bit like shutting the stable door after the horse has bolted, but in reverse!
@Blackcat wrote:In the future I would highly recommend layered protection where you are not just relying on an AntiVirus; I can highly recommend Sandboxie/AppGuard/NoVirusThanks as excellent companions to an AV.
I agree, but would FS allow those to run alongside it? One thing I've often found irritating is that many vendors, FS included, claim that their product offers a 'complete solution', and that no other security software should be running on the machine. They even go to the point of insisting on removing other software upon installation of their own. In this case, it seems that solution was rather IN-complete, and does suggest that one product alone cannot be entirely bullet proof.
-
IME, F-Secure IS 2013 and the beta 2014 run happily with either Sandboxie, AppGuard, or NoVirusThanks EXE Radar Pro.
I have even run Malwarebytes Pro in real-time alongside F-Secure for several weeks, even though until recently F-Secure removed this program as "it was considered incompatible".
I have run layered defences for years now with an AV backed up by some sandbox or an anti-executable.
But much more important than security software IMHO is having a reliable backup procedure to an external drive. No security software can guarantee 100% protection so reliable backup procedures are essential.
So ANY Antivirus should not be considered as the only defense barrier to malware.
-
I have MWB installed, but only the on-demand version. FS kicked out SuperAntiSpyware back in 2012, but I do have Windows Defender running, which has never caused any problems. I tried PrevX, but things went a bit pear shaped from what I recall. I'll check out the ones you've mentioned, but I agree, backing up is essential too.
-
Hello Minde
I am truly sorry it took us so long to respond to your unsettling situation. The good news is that almost certainly neither your PC nor your thesis were in real danger at any time.
When a Security Product of ours reports anything malicious on your computer it has already detected and stopped it, preventing it from causing any harm to your system or your data.
So the message you saw did not mean that your system is compromised, but exactly the opposite, that an attack on your system was stopped.
As for where the attack originated from I can only speculate. Possible scenarios would be:
1) The file is stored on an unprotected file server in your network.
In this case the malware, although not causing any harm to that server, will try to infect your computer (and fail) every time you try to access that file.
2) There is an unprotected and infected computer with active malware in your network.
If in addition your firewall allows for some reason traffic from that computer to your PC (which it usually will not)- or it is switched off, that compromised machine will try to infect your PC over and over again, causing sometimes a lot of virus messages within a short time.
3) You are accessing an exploited web page (usually a trusted page like a news service that has been "hacked") that tries to infect you via drive by download.
If your browser remembers your open tabs you might see the same virus warning repeatedly, every time you open your browser - or otherwise whenever you visit or reload that page.
It is true that our security software under some circumstances will not remove infected files; they will however do no more harm than wasting your disk space, and of course cause additional virus warnings whenever you or a system process is accessing that file.
Reasons for _not_ deleting an infected file can be:
1) We deliberately do not remove the file because it is an important system file and removing it would render your computer unusable. Naturally, also in those cases we prevent the malware embedded in those files from causing any harm to your system or your data, so you will be protected despite the frequent virus warnings you will get in this case (whenever the infected file is executed, or otherwise accessed).
2) The file is inside an archive. In that case we would have to delete the complete archive to remove it, including all clean files therein.
3) The file is a temporary file created by an application, like browser downloads in progress, network streams and similar. Those files are usually locked by the application creating them, which means they cannot be opened or executed to do their damage, but also not deleted by an Antivirus at that point. Those files are then either replaced with a permanent version or automatically discarded when the process is finished.
I suspect that is what happened in your case which is why you couldn’t find those files afterwards.
It is very likely that your system is in fact clean, and in any case safe, but to be absolutely sure and get peace of mind I would recommend to do a manual full scan:
1) Update the virus definitions manually to make sure your Antivirus has the latest database updates installed.
2) Run a full scan from the menu you see when right-clicking the F-Secure icon. "Advanced heuristics" is enabled by default; please keep it that way, or if you changed that setting please enable it again. This allows for a more thorough scan and is highly recommended, especially if you suspect an infection.
3) For additional safety please enable “advanced process monitoring” in the real-time scanning settings and let the computer run in that regime for one to two days depending on how much you use it. This setting will slow your computer down somewhat, albeit insignificantly unless your computer runs only with the minimum hardware recommended for the operating system alone. This setting is specifically recommended in case you suspect an infection, and not needed otherwise in everyday use (unless you work in a high security or high risk environment).
For "extra triple safety" you can in addition run a full scan with our OnlineScanner. Although somewhat redundant, it can provide an extra bit of peace of mind.
I hope my explanations and instructions were helpful; if something wasn't clear please let me know and I will try to do better.
Again my sincere apologies for leaving you hanging for so long,
Ondrej
P.S.:
Needless to say that it is also recommended to make sure that your computer has the latest hotfixes, patches and updates, and just as important your other applications like office programs, PDF reader, browsers, mediaplayers etc. are updated with the latest patches and fixes or upgraded to the latest versions.
Using outdated software will open the most common attack vectors to your computer, which can, even if not leading to your PC being actually taken over, result in a lot of virus warnings of this sort.
-
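Ondrej's reason 2) above (a detection inside an archive cannot be removed without deleting the whole archive) is also why the original question's advice was to "open the zip files and remove the infected files manually". The following is an added example, not F-Secure's code or anything from this thread, showing how that manual step looks in practice: it rewrites a ZIP archive without the flagged member, keeps every clean member, and verifies the result. The archive contents and the member name "fi6F51EA7D8CAFE.tmp" are constructed for the demonstration; a real report's truncated name ("fi6F51EA7D8...") is matched by prefix.

```python
"""Drop a flagged member from a ZIP archive while keeping the clean files.

Added example (not F-Secure's code). The ZIP format has no in-place delete:
removing one member means copying the remaining entries into a new archive,
which is the manual step a scanner asks for when it reports a detection
inside an archive. All sample contents and names below are constructed.
"""
import io
import zipfile
from typing import Iterable, List, Tuple


def build_sample_archive() -> bytes:
    """Constructed archive: two clean files plus one member whose name mimics
    the truncated name seen in a scanner report (contents are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("thesis.docx", b"draft chapter 1")
        zf.writestr("notes.txt", b"todo: fix citations")
        zf.writestr("fi6F51EA7D8CAFE.tmp", b"placeholder bytes for the flagged member")
    return buf.getvalue()


def list_members(zip_bytes: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def find_members(zip_bytes: bytes, reported_name: str) -> List[str]:
    """Match a (possibly truncated, e.g. 'fi6F51EA7D8...') reported name against
    archive members. Explorer's search looks at files on disk, not inside
    archives, which is why such a name turns up nothing there."""
    prefix = reported_name.rstrip(".")
    return [n for n in list_members(zip_bytes) if n.rsplit("/", 1)[-1].startswith(prefix)]


def quarantine_members(zip_bytes: bytes, flagged: Iterable[str]) -> Tuple[bytes, List[str]]:
    """Return (new_zip_bytes, removed_names): the archive rewritten without the
    flagged members, every other entry copied with its own compression method."""
    flagged = set(flagged)
    removed: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename in flagged:
                removed.append(info.filename)  # never extracted or written out
                continue
            # writestr with the ZipInfo keeps the clean member's metadata
            dst.writestr(info, src.read(info))
    return out.getvalue(), removed


def read_member(zip_bytes: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def archive_is_valid(zip_bytes: bytes) -> bool:
    """testzip() returns the first corrupt member name, or None if all CRCs check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.testzip() is None


if __name__ == "__main__":
    original = build_sample_archive()
    hits = find_members(original, "fi6F51EA7D8...")
    cleaned, removed = quarantine_members(original, hits)
    print("removed:", removed)
    print("remaining:", list_members(cleaned), "archive valid:", archive_is_valid(cleaned))
```

The flagged member is skipped rather than extracted, so its bytes never land on disk; after the rewrite, `archive_is_valid` re-checks every remaining member's CRC so you know the clean files survived intact before replacing the original archive.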
Thanks, Ondrej, for that incredibly informative and enlightening reply! I will be recommending this article for inclusion in our Tribal Knowledge Base so that others with similar concerns can find the information quickly and rest easily!
If anyone has additional questions about this topic, please do post here, so we can make sure we identify all of your questions in our KB article, and share them with all our Community members!
// Chrissy
-
"Needless to say that it is also recommended to make sure that your computer has the latest hotfixes, patches and updates, and just as important your other applications like office programs, PDF reader, browsers, mediaplayers etc. are updated with the latest patches and fixes or upgraded to the latest versions.
Using outdated software will open the most common attack vectors to your computer which can, even if not leading to your PC being actually taken over result in a lot of virus warnings of this sort."
So would not a vulnerability scanner (which a number of AVs have now, e.g. BullGuard) be a good addition to F-Secure (within the program and not an online one)?
-
Hi guys,
I've turned this conversation into a knowledge base article. Many thanks for your contribution!
http://community.f-secure.com/t5/Security-for-PC/Viruses-were-found-but-were-not/ta-p/31309
Cheers,
Jenni
-
Don't know what download you're referring to. My understanding is that you may have to kill some processes to be able to delete the files manually. As previously described "F-Secure" can't delete certain files, for example locked files or files inside archives. So for certain types of infections you have to delete the files manually.
I found some additional information on Bitdefender forum saying that Gen:Variant.Kazy is a generic detection for Vundo and that "You don't have to replace the files because they were created by the trojan."
To F-Secure
When reading the post by @Ondrej that later @Jenni did a KB article on, I see two things that in my understanding are incorrect:
- The "advanced process monitoring" setting was removed in IS 2013 and only applies to 2012 and earlier. It's replaced with "Compatibility Mode", which is already off by default for maximum protection.
- The Online Scanner has no "full scan" option. It scans (only) active processes, memory and additional parts of the file system that typically get infected, but it does not perform a "full scan".
-
NikK is actually right on both accounts.
“Advanced Monitoring” still exists in 2013 as functionality, but the dedicated setting has been removed. The logic has changed as well, “Advanced Monitoring” is now enabled by default, and will be disabled if “Compatibility Mode” is ticked.
As for the Online Scanner, the latest version also has no options anymore to choose what to scan, and it is somewhat debatable whether its scan qualifies as a "full scan" or not. In terms of malware scanning and removal it does a "full scan on everything that is active", covering all types of malware, including rootkits. (Online Scanner scans for rootkits in memory and then boots into Linux to clean them up.) What it does not scan are inactive files, closed archives, external media (like USB sticks) or the user's e-mails.
I based my answer on my general experience without actually checking the new GUIs. My bad.
Thanks NikK for spotting this and clearing things up.