FSVirus / split topic


23 replies to this topic

#1 FSVirus

FSVirus

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:09 PM

Posted 03 June 2009 - 04:45 PM

Hi there!

Thank god I stumbled on to this topic. I also had/have the same problem. I currently have 4 files in Quarantine with all 4 supposedly being infected with the W32/Backdoor2.EMEB virus.

Can you please tell me what to do so I don't mess up my files. Please note that I just bought this computer last week and have barely used it.

Please tell me where to restore these files so I don't misplace them, please give me a dumbed down explanation :thumbsup:

1. C:\SYSTEM VOLUME INFORMATION\_RESTORE{...........LONG NUMBERS AND LETTERS}RP19\A0001972.EXE

2. C:\SYSTEM VOLUME INFORMATION\_RESTORE{...........LONG NUMBERS AND LETTERS}RP19\A0001973.EXE

3. C:\WINDOWS\SYSTEM32\DLLCACHE\FTP.EXE

4. C:\WINDOWS\SYSTEM32\FTP.EXE

Thank you.

#2 FSVirus


Posted 03 June 2009 - 05:38 PM

Hi Boopme,

But how do I restore the (infected) files that are in my anti-virus's quarantine?

What happens to these 4 files? I'm looking to restore them but not sure if the 2 go in c/system32 folder or? and the other 2 in volume info?

I will also do what you told me, I'll just wait for an answer, thx.

I am running Windows XP S3 btw.

Edited by FSVirus, 03 June 2009 - 05:52 PM.


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 PM

Posted 03 June 2009 - 07:03 PM

Is your PC operating normally now with these in quarantine? If so then these are not needed as they are infected copies of the real file and can be deleted by running the steps above. Then the last 2 deleted from your A/V's quarantine.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 FSVirus


Posted 03 June 2009 - 09:08 PM

My PC is running normally, but I don't understand, aren't these important files? I run a file search and don't find any of them anywhere, aren't these the main and only files of their kind boopme?

Thx.

#5 boopme


Posted 04 June 2009 - 09:53 AM

Hello, let's confirm what's happening..
Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#6 FSVirus


Posted 04 June 2009 - 10:47 AM

Hi, thx, I installed and ran the scan, these are the results. Just letting you know also the 4 (fake?) viruses are still in my quarantine. My ISP support told me to leave them in there and maybe it will be updated and they will be replaced, but he didn't sound too too sure. Just letting you know, I don't know how important these files are, the only different thing I've noticed is a slight blinking to my desktop when it first starts, it lasts for barely half a second but it's annoying.

Malwarebytes' Anti-Malware 1.37
Database version: 2229
Windows 5.1.2600 Service Pack 3

6/4/2009 11:44:54 AM
mbam-log-2009-06-04 (11-44-54).txt

Scan type: Quick Scan
Objects scanned: 97953
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 boopme


Posted 04 June 2009 - 01:32 PM

Then leave them there.. They are quarantined and cannot harm the PC.

Did we run sfc /scannow?

#8 FSVirus


Posted 05 June 2009 - 10:38 AM

Then leave them there.. They are quarantined and cannot harm the PC.

Did we run sfc /scannow?


Ok I'll leave them there then. What is sfc /scannow?

#9 boopme


Posted 05 June 2009 - 02:50 PM

It's a file repair utility in XP. If you feel you have some file damage then you can run it. You will need an XP install or restore CD.
You go to Start>>Run
type sfc /scannow (space between c and /)
Let it run and put the CD in when asked.

BC Tutorial here How to Use SFC.EXE to Repair System Files

#10 FSVirus


Posted 06 June 2009 - 09:04 AM

Thank you! Yes, I do have a Windows XP Home CD, just got it with the new computer.

#11 FSVirus


Posted 06 June 2009 - 09:45 AM

So I ran an sfc scan, it asked me for my Windows CD, right after that I went to Windows Update and there were no updates, restarted, checked again, same thing, no updates. I'm guessing everything looks fine at this point. Thanks again, please let me know if there is anything else you think I should do. The 4 files are still in quarantine.

#12 boopme


Posted 06 June 2009 - 09:57 AM

Hi, I think you're good here. Do this next and in a week if all is good you can delete them.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#13 FSVirus


Posted 08 June 2009 - 12:34 PM

Thx for everything! Would you leave those 4 Windows files in the quarantine or delete them, they might be needed some day no?

#14 boopme


Posted 08 June 2009 - 01:47 PM

Hi, the first two will reference nothing as they are restore points and will be removed with the last step. The third is an infected cache file and is useless. The last one has a potential value and I would just leave it there.

#15 FSVirus


Posted 09 June 2009 - 05:18 AM

Hi there again,

My ISP's anti-virus just ran a scan and it seems it picked up a new virus, OUCH! The one I put in bold letters, my anti-virus says it could be an archive bomb! I am not sure what the SuperAntiSpyware stuff is exactly?

Master Boot Records and Fixed Disk Boot Sectors
Scanned 1 Master Boot Record(s) for viruses.

Scanned 1 Boot Sector(s) for viruses.

Your Master Boot Record(s)/Boot Sector(s) are not infected.

Files
Drive C:\
C:\Documents and Settings\All Users\Application Data\Bell\Security Manager\Quarantine\20090527193437.zip
Some files in this archive could not be scanned because they are password protected. The real-time protection will automatically scan the files when you extract them from the archive.
C:\Documents and Settings\All Users\Application Data\Bell\Security Manager\Quarantine\20090604070000.zip
Some files in this archive could not be scanned because they are password protected. The real-time protection will automatically scan the files when you extract them from the archive.
C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-30-2009 - 12-49-04.SBU
Some files in this archive could not be scanned because they are password protected. The real-time protection will automatically scan the files when you extract them from the archive.
C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 06-06-2009 - 11-11-22.SBU
Some files in this archive could not be scanned because they are password protected. The real-time protection will automatically scan the files when you extract them from the archive.
C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp_ImageTool\root.img

File was infected with a virus which could be an archive bomb and was unable to be disinfected. File was quarantined instead.
Files scanned: 64765
Infected files: 1
Disinfected files: 0
Deleted files: 1
Files unable to scan: 4
Report Summary
Files scanned: 64765
Total infected files: 1
Total disinfected files: 0
Total deleted files: 1
Total files unable to scan: 4
Anti-Virus engine status
Last update: 6/8/2009 1:03:31 AM
Virus definition file: C:\Program Files\Common Files\Authentium\AntiVirus\def-w32i-20090605055900-20090607201900.msp

What do you suggest I do :thumbsup:

I want to remove this Nero program ASAP! Should I?

Edited by FSVirus, 09 June 2009 - 05:24 AM.
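
Added example, not part of the original thread or any poster's reply: a short Python triage of a scan report laid out like the one quoted in the post above, separating "could not be scanned" entries from the single detection line and checking them against the report's own counters. The sample text is constructed and shortened from that report, the function names are hypothetical, and treating any path under a `\Quarantine\` folder as a security tool's stored copies is an assumption of this example.

```python
import re

# Constructed sample in the layout of the report quoted in the post above (shortened).
REPORT = r"""Drive C:\
C:\Documents and Settings\All Users\Application Data\Bell\Security Manager\Quarantine\20090527193437.zip
Some files in this archive could not be scanned because they are password protected.
C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-30-2009 - 12-49-04.SBU
Some files in this archive could not be scanned because they are password protected.
C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp_ImageTool\root.img

File was infected with a virus which could be an archive bomb and was unable to be disinfected. File was quarantined instead.
Infected files: 1
Files unable to scan: 2
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S")
COUNT_RE = re.compile(r"^(Files scanned|Infected files|Files unable to scan): (\d+)$")

def classify(path, status):
    """Label one report entry from its path and the status line that follows it."""
    status = status.lower()
    if "password protected" in status:
        # Assumption: a \Quarantine\ folder holds a security tool's own stored copies.
        return "quarantine-container" if "\\quarantine\\" in path.lower() else "unscannable"
    return "detection" if "infected" in status else "other"

def parse_report(text):
    """Pair each file path with the next non-empty line and collect the counters."""
    entries, counters, pending = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue  # the report may leave a blank line between path and status
        count = COUNT_RE.match(line)
        if count:
            counters[count.group(1)] = int(count.group(2))
        elif PATH_RE.match(line):
            pending = line
        elif pending:
            entries.append((pending, classify(pending, line)))
            pending = None
    return entries, counters

def triage(text):
    """Return (detections, unscanned entries, whether the counters match the entries)."""
    entries, counters = parse_report(text)
    detections = [p for p, kind in entries if kind == "detection"]
    unscanned = [(p, kind) for p, kind in entries if kind in ("quarantine-container", "unscannable")]
    consistent = counters.get("Infected files") == len(detections) and counters.get("Files unable to scan") == len(unscanned)
    return detections, unscanned, consistent
```

Calling `triage(REPORT)` returns the one detected path, the two entries that could not be scanned (both labelled `quarantine-container`), and `True` for the counter cross-check.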




