Re: Has anyone experienced something like this? How did you remove this threat?



From: "sebio" <sebio@xxxxxxxxxxxxxxxxxxxxxxxxx>

| Hi to all viewers,
|
| I'm not sure if this is the right place to post virus problems, but I'm
| sure, based upon previously reading some questions posted here, I got an idea
| and some tips on what to do if such a thing happens.
| Anyway, I have only a free AV installed on my PC, but normally I do online
| scanning too: I use the OneCare online scan, Norton online scan and Kaspersky
| online scan on my PC. Then last week I was infected by a Trojan on my
| partition volume F.
| Cropped report:
| F:\System Volume Information\MountPointManagerRemoteDatabase Object is
| locked skipped
|
| F:\System Volume
| Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP36\A0004733.inf
| Infected: Trojan.Win32.Agent.ad skipped
|
| Scan process completed.
|
| Then I started removing the virus using the Kaspersky trial version, but when I
| scanned, it did not find the virus located in the System Volume. I also used
| other removal software but, to my frustration, got the same result, as the virus was still
| on volume F.
|
| So I decided to reformat drive F, which resolved the issue but lost all the data
| installed.
|
| Then lately I scanned again using the online Kaspersky scanner and found out I was
| infected by a backdoor, this time on volume C, in System Restore.
| As the previous option was reformatting the drive, I don't think I should do that; if
| there are any suggestions on how to delete these files located in System Restore, or how to
| access System Restore, that would be very helpful to me.
| I'm trying to locate this file, but I think it is hidden; even if I show all
| hidden files, I can't track the location.
| Here's the scan result:
| C:\System Volume Information\MountPointManagerRemoteDatabase Object is
| locked skipped
|
| C:\System Volume
| Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/
| DbgSvc.exe Infected: Backdoor.Win32.Rbot.fzp skipped
|
| C:\System Volume
| Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/
| Svchost.exe Infected: Backdoor.Win32.Rbot.fzp skipped
|
| C:\System Volume
| Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab
| Infected: Backdoor.Win32.Rbot.fzp skipped
|
| C:\System Volume
| Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe
| Rsrc-Package: infected - 3 skipped
|
| C:\System Volume
| Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP84\change.log
| Object is locked skipped
|
| Thanks & Best Regards

This isn't the best place to ask about virus/malware problems.

This is... microsoft.public.security.virus

The first thing to know is that formatting "F:" was the WRONG approach.

F:\System Volume Information\_restore is the System Restore Cache for the "F:" drive. It
is NOT the active area of the OS.
Just disabling the System Restore cache, rebooting, and then re-enabling the System Restore
Cache would have removed all malware backed up into this cache.

The same goes for... C:\System Volume Information\_restore

However, malware would NOT get into the System Restore Cache without being on the active
areas first.

Please perform the following...


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall, or allow WGET.EXE through your
firewall, so it can download the needed AV vendor files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
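The reply above describes the System Restore cache (the _restore{GUID}\RPnn folders under System Volume Information) as an archive that is purged by disabling and re-enabling System Restore on the drive. The script below is an added example, not part of the thread and not Multi-AV's code: it does the same purge from the command line using the WMI SystemRestore class in the root\default namespace, which exists on Windows XP (with PowerShell 2.0 installed) and later Windows versions. It assumes an elevated PowerShell prompt and that $Drive is the volume whose RPnn entries the scanner flagged; the RPnn folder number corresponds to the restore point's SequenceNumber, so you can match the flagged "RP66" to a listed entry before purging.

```powershell
# Added example (not from the thread): list and purge the System Restore cache
# through the WMI SystemRestore class. Run from an elevated PowerShell prompt.
$Drive = "C:\"   # assumption: the volume whose _restore{GUID}\RPnn entries were flagged

function Get-RestorePoints {
    # Each SystemRestore instance is one restore point; its SequenceNumber
    # corresponds to the RPnn folder under "<drive>\System Volume Information\_restore{GUID}".
    # CreationTime is a DMTF datetime string, so convert it for readability.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        ForEach-Object {
            $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            New-Object PSObject -Property @{
                Sequence    = $_.SequenceNumber
                Folder      = "RP$($_.SequenceNumber)"
                Created     = $created
                Description = $_.Description
            }
        }
}

function Clear-RestoreCache {
    param([string]$Drive)
    # Static WMI methods: Disable() removes every restore point on the drive,
    # Enable() starts a fresh, empty cache. Both return 0 in ReturnValue on success.
    $sr = [wmiclass]'root\default:SystemRestore'
    $rc = $sr.Disable($Drive).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.Disable('$Drive') failed, WMI return code $rc" }
    $rc = $sr.Enable($Drive, $true).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.Enable('$Drive') failed, WMI return code $rc" }
}

"Restore points before purge (match the flagged RPnn folder against the Folder column):"
Get-RestorePoints | Format-Table Sequence, Folder, Created, Description -AutoSize

Clear-RestoreCache -Drive $Drive

"Restore points after purge (expect none, or only a fresh checkpoint):"
Get-RestorePoints | Format-Table Sequence, Folder, Created, Description -AutoSize
```

Purging the cache only removes the archived copies; as the reply notes, the malware reached the cache from the active system, so the Multi-AV scans in Normal and Safe Mode are still needed to clean the live files, and the purge should be done last so a scanner does not re-flag the old restore points.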




