Has anyone experienced this? How did you remove this threat?


Posted

Hi to all viewers,

I'm not sure if this is the right place to post virus problems, but I'm sure, based on previously reading some questions posted here, that I got an idea and some tips on what to do if such a thing happened.

Anyway, I have only a free AV installed on my PC, but normally I do online scanning too: I use the OneCare online scan, Norton online scan and Kaspersky online scan on my PC. Then last week I got infected by a Trojan on my partition volume F.

Cropped report:

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

F:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP36\A0004733.inf Infected: Trojan.Win32.Agent.ad skipped

Scan process completed.

Then I started removing the virus using the Kaspersky trial version, but when I scanned it did not find the virus located on the System Volume. I also used other removal software but, to my frustration, got the same result: the virus was still on volume F.

So I decided to reformat drive F. That resolved the issue, but I lost all the data installed on it.

Then lately I scanned again using the online Kaspersky scanner and found out I was infected by a backdoor, this time on volume C, in System Restore. As for the previous option of reformatting the drive, I don't think I should do that. If there are any suggestions on how to delete these files located in System Restore, or how to access System Restore, that would be very helpful to me.

I'm trying to locate this file but I think it is hidden; even if I show all hidden files, I can't track down its location.

Here's the scan result:

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/DbgSvc.exe Infected: Backdoor.Win32.Rbot.fzp skipped

C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/Svchost.exe Infected: Backdoor.Win32.Rbot.fzp skipped

C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab Infected: Backdoor.Win32.Rbot.fzp skipped

C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe Rsrc-Package: infected - 3 skipped

C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP84\change.log Object is locked skipped

Thanks & Best Regards

Posted

Re: Has anyone experienced this? How did you remove this threat?

"sebio" <sebio@discussions.microsoft.com> wrote in message news:8565AAA7-71AA-4A1F-9BD3-6221692958F5@microsoft.com...

> Hi to all viewers,
>
> I'm not sure if this is the right place to post virus problems, but I'm sure, based on previously reading some questions posted here, that I got an idea and some tips on what to do if such a thing happened.
> Anyway, I have only a free AV installed on my PC, but normally I do online scanning too: I use the OneCare online scan, Norton online scan and Kaspersky online scan on my PC. Then last week I got infected by a Trojan on my partition volume F.
> Cropped report:
> F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
>
> F:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP36\A0004733.inf Infected: Trojan.Win32.Agent.ad skipped
>

Some virus checkers can repair "infections" within System Volume Information; otherwise, turn off System Restore and reboot.

> Scan process completed.
>
> Then I started removing the virus using the Kaspersky trial version, but when I scanned it did not find the virus located on the System Volume. I also used other removal software but, to my frustration, got the same result: the virus was still on volume F.
>
> So I decided to reformat drive F. That resolved the issue, but I lost all the data installed on it.
>
> Then lately I scanned again using the online Kaspersky scanner and found out I was infected by a backdoor, this time on volume C, in System Restore. As for the previous option of reformatting the drive, I don't think I should do that. If there are any suggestions on how to delete these files located in System Restore, or how to access System Restore, that would be very helpful to me.
> I'm trying to locate this file but I think it is hidden; even if I show all hidden files, I can't track down its location.
> Here's the scan result:
> C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
>
> C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/DbgSvc.exe Infected: Backdoor.Win32.Rbot.fzp skipped
>
> C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/Svchost.exe Infected: Backdoor.Win32.Rbot.fzp skipped
>
> C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab Infected: Backdoor.Win32.Rbot.fzp skipped
>
> C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe Rsrc-Package: infected - 3 skipped
>
> C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP84\change.log Object is locked skipped
>
> Thanks & Best Regards

Guest David H. Lipman
Posted

Re: Has anyone experienced this? How did you remove this threat?

From: "sebio" <sebio@discussions.microsoft.com>

| Hi to all viewers,
|
| I'm not sure if this is the right place to post virus problems, but I'm sure, based on previously reading some questions posted here, that I got an idea and some tips on what to do if such a thing happened.
| Anyway, I have only a free AV installed on my PC, but normally I do online scanning too: I use the OneCare online scan, Norton online scan and Kaspersky online scan on my PC. Then last week I got infected by a Trojan on my partition volume F.
| Cropped report:
| F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
|
| F:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP36\A0004733.inf Infected: Trojan.Win32.Agent.ad skipped
|
| Scan process completed.
|
| Then I started removing the virus using the Kaspersky trial version, but when I scanned it did not find the virus located on the System Volume. I also used other removal software but, to my frustration, got the same result: the virus was still on volume F.
|
| So I decided to reformat drive F. That resolved the issue, but I lost all the data installed on it.
|
| Then lately I scanned again using the online Kaspersky scanner and found out I was infected by a backdoor, this time on volume C, in System Restore. As for the previous option of reformatting the drive, I don't think I should do that. If there are any suggestions on how to delete these files located in System Restore, or how to access System Restore, that would be very helpful to me.
| I'm trying to locate this file but I think it is hidden; even if I show all hidden files, I can't track down its location.
| Here's the scan result:
| C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
|
| C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/DbgSvc.exe Infected: Backdoor.Win32.Rbot.fzp skipped
|
| C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/Svchost.exe Infected: Backdoor.Win32.Rbot.fzp skipped
|
| C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab Infected: Backdoor.Win32.Rbot.fzp skipped
|
| C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe Rsrc-Package: infected - 3 skipped
|
| C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP84\change.log Object is locked skipped
|
| Thanks & Best Regards

This isn't the best place to ask about virus/malware problems.

This is... microsoft.public.security.virus

The first thing to know is that formatting "F:" was the WRONG approach.

F:\System Volume Information\_restore is the System Restore cache for the "F:" drive. It is NOT the active area of the OS. Just disabling the System Restore cache, rebooting, and then re-enabling the System Restore cache would have removed all malware backed up into this cache.

The same goes for... C:\System Volume Information\_restore

However, malware would NOT get into the System Restore cache without being in the active areas first.

Please perform the following...

Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE through your firewall so that it can download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files, or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot], re-run the menu and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
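A small triage script, added here as an editor's example and not part of this thread or of Multi-AV, that reads scan-report lines in the format quoted above and separates detections inside `<drive>:\System Volume Information\_restore{...}\RPnn\` (the System Restore cache Dave describes) from detections in the active areas of the OS, collapsing the four nested hits on A0020006.exe into the one on-disk file they belong to. The System Volume Information lines are the ones from the thread; the `config\SAM` and `Temp\DbgSvc.exe` lines are constructed, and the line regex assumes the three verdict shapes seen in the thread are the only ones.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the format of the Kaspersky online-scan report quoted in the
# thread. The System Volume Information lines are copied from the thread; the last two
# report lines (a locked registry hive, an active-area hit under Temp) are constructed.
SAMPLE_REPORT = r"""
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/DbgSvc.exe Infected: Backdoor.Win32.Rbot.fzp skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/Svchost.exe Infected: Backdoor.Win32.Rbot.fzp skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab Infected: Backdoor.Win32.Rbot.fzp skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe Rsrc-Package: infected - 3 skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP84\change.log Object is locked skipped
F:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP36\A0004733.inf Infected: Trojan.Win32.Agent.ad skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\DbgSvc.exe Infected: Backdoor.Win32.Rbot.fzp skipped
Scan process completed.
"""

# The three verdict shapes that appear in the thread's report (assumed to be exhaustive).
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<locked>Object is locked)"
    r"|Infected:\s+(?P<family>\S+)"
    r"|Rsrc-Package:\s+infected\s+-\s+(?P<count>\d+))"
    r"\s+skipped$"
)
# Restore-point layout on XP: <drive>:\System Volume Information\_restore{GUID}\RPnn\...
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\"
)


@dataclass(frozen=True)
class Finding:
    path: str       # object path as reported; archive members are appended with '/'
    container: str  # the on-disk file that holds the object
    drive: str
    family: str     # detection name, or "" for a merely locked object
    location: str   # "restore_cache", "active" or "locked"


def container_of(path: str) -> str:
    # "A0020006.exe/data0000.cab/DbgSvc.exe" is one file on disk: cut at the first '/'.
    return path.split("/", 1)[0]


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # banner lines such as "Scan process completed."
    path = m.group("path")
    drive = path[0].upper() if len(path) > 1 and path[1] == ":" else "?"
    if m.group("locked"):
        return Finding(path, container_of(path), drive, "", "locked")
    family = m.group("family") or f"packed-resources x{m.group('count')}"
    location = "restore_cache" if RESTORE_RE.match(path) else "active"
    return Finding(path, container_of(path), drive, family, location)


def parse_report(text: str) -> list:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f is not None]


def triage(findings) -> dict:
    """Group detections by location and drive, keyed on the on-disk container so the
    four nested hits on A0020006.exe count as one file to deal with."""
    groups = {"restore_cache": defaultdict(set), "active": defaultdict(set)}
    for f in findings:
        if f.location in groups:
            groups[f.location][f.drive].add(f.container)
    return {loc: {d: sorted(files) for d, files in drives.items()} for loc, drives in groups.items()}


def recommendations(tri: dict) -> list:
    """The thread's advice as triage output: active-area hits need a real clean-up
    (Safe Mode scan) first; restore-point hits are cleared by disabling System Restore,
    rebooting and re-enabling it, not by formatting the drive."""
    msgs = []
    for drive, files in sorted(tri["active"].items()):
        msgs.append(f"{drive}: {len(files)} infected file(s) in active areas; clean in Safe Mode first")
    for drive, files in sorted(tri["restore_cache"].items()):
        msgs.append(f"{drive}: {len(files)} infected restore-point file(s); "
                    "disable System Restore, reboot, re-enable")
    return msgs


if __name__ == "__main__":
    tri = triage(parse_report(SAMPLE_REPORT))
    for loc, drives in tri.items():
        for drive, files in drives.items():
            print(loc, drive, *files, sep="\n  ")
    print(*recommendations(tri), sep="\n")
```

Locked objects are reported separately from detections on purpose: "Object is locked skipped" is the scanner being unable to open a file, not a verdict on it, and on the sample it covers the registry hive as well as the restore-point change log. The output for the sample is three lines: one active-area file on C: to clean first, then one restore-point container on each of C: and F: to flush by cycling System Restore.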

Posted

Re: Has anyone experienced this? How did you remove this threat?

On Thu, 28 Feb 2008 15:34:02 -0800, sebio wrote:

> Hi to all viewers,
>
> I'm not sure if this is the right place to post virus problems, but I'm sure, based on previously reading some questions posted here, that I got an idea and some tips on what to do if such a thing happened.
> Anyway, I have only a free AV installed on my PC, but normally I do online scanning too: I use the OneCare online scan, Norton online scan and Kaspersky online scan on my PC. Then last week I got infected by a Trojan.

<snip>

Online scanners are the most unsafe and next to useless, because by the time you've started your infected Windows, connected to the Internet via this infected code base, and started to look for scanning sites through infected DNS, you are almost certain to have the malware perfectly positioned to overrule your attempts to clean it. Also, you have to use IE on a very low security setting, since ActiveX is required. Many users will lower security in the Internet Zone to use the service and then forget to set the Internet Zone back to the highest possible security level, which is the only way that IE should be set.

What happens if active malware is found? Don't expect that the online scanner will do anything about it. Most of them are just marketing tools for selling you their products. Quite often, malware removal on the NT-based OS (Win 2K and XP) is far from easy. Sometimes a resident AV can deal with it in Safe Mode.

David's Multi-AV is safer, because you don't have to be online to use it, and it can be used in Safe Mode.

Download David H. Lipman's MULTI_AV.EXE from the URL:
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
http://www.pctipp.ch/downloads/dl/35905.asp
English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/
Further information can be found here:
ht
Additional Instructions:
http://pcdid.com/Multi_AV.htm

It's safer still if you can avoid running any code from the infected system at all, and that can be done by working from a Bart CDR boot. But that means having a clean system to build the Bart disk and, more to the point, a fair bit of effort and technical fiddling.

Bart's Preinstalled Environment (BartPE) bootable live Windows CD/DVD
http://www.nu2.nu/pebuilder/

Good luck :)


×
×
  • Create New...