
Virus Vault Or Delete?


5 replies to this topic

#1 Renoir

Renoir

  • Members
  • 3 posts

Posted 17 August 2006 - 06:51 PM

Hello all,
I'm new to your list and I am wondering what I should do with a Trojan Horse Virus - Downloader Agent ETP which is at present in the Virus Vault of my AVG anti virus program. It has infected the file A0053325.dll C:\System Volume Information\restore (F90AF224-EOA3-405D-AEBB-D6DB6D782604}\RP362\A0053325.dll
I am a newbie, and I am afraid to empty the vault or delete it, as it might delete the file??? Should I uninstall AVG and then reinstall it to be rid of the virus? I would appreciate any thoughts on this. Thank you. Renoir

#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,636 posts
  • Gender:Male

Posted 17 August 2006 - 09:04 PM

Hi Renoir,

That's not a system file so it is safe to delete it from Quarantine.

Is AVG only finding anything in the System Volume Information folder? If so that is just your System Restore backups and as long as an infected file is in that folder it is locked down and won't affect you unless you use System Restore.

You can purge your restore points so you don't accidentally reinfect yourself by disabling then re-enabling System Restore. How to can be found here:

Windows XP System Restore Guide.

Managing Windows Millenium System Restore.

You may still have something on your system that AVG has missed. After purging System Restore, update AVG, boot into Safe Mode and run a full system scan. If you have any anti-spyware or anti-trojan scanners, update them and run them in Safe Mode as well.

Let us know if anything is found or if you have any unusual problems and we may need to take a closer look.

The thing about people

is they change

when they walk away.--Mipso
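The distinction Papakid draws above (a copy sitting inside a System Restore point is dormant, a tracking cookie is harmless to delete, anything under the Windows folder deserves a lookup before it is deleted) can be made mechanical by looking at where the flagged file lives. The following is an added example written for this thread, not AVG or Ewido code; the classification rules, the `classify_path` and `recommend` names, and the sample paths (the restore-point path from the first post exactly as typed, plus constructed ones) are this example's own assumptions.

```python
"""Triage a scanner hit by where the flagged file lives on a Windows XP disk.

Added example for this thread (not AVG or Ewido code). The rules encode the
advice above: a copy inside a System Restore point is dormant, a tracking
cookie is harmless to delete, anything under the Windows folder should be
looked up before it is deleted.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Restore-point copies sit under
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\A<digits>.<ext>
# The pattern also accepts the hand-typed form from the first post
# ("Volumn", no underscore, "(" instead of "{") so a pasted path still matches.
_RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\system volum[en] information\\_?restore\s*"
    r"[{(](?P<guid>[0-9A-Za-z-]{36})[})]\\RP(?P<rp>\d+)\\(?P<file>A\d+\.\w+)$",
    re.IGNORECASE,
)
# Internet Explorer keeps one cookie per site as <user>@<domain>[<n>].txt.
_COOKIE_RE = re.compile(
    r"^[A-Za-z]:\\Documents and Settings\\[^\\]+\\Cookies\\"
    r"[^\\@]+@(?P<domain>[^\[\]\\]+)\[\d+\]\.txt$",
    re.IGNORECASE,
)
_SYSTEM_RE = re.compile(r"^[A-Za-z]:\\(windows|winnt)\\", re.IGNORECASE)


@dataclass
class Triage:
    kind: str                        # "restore_point", "cookie", "system" or "other"
    path: str
    detail: Optional[str] = None     # file name or cookie domain
    restore_point: Optional[int] = None

    @property
    def dormant(self) -> bool:
        # A file inside a restore point is locked away from normal use and only
        # comes back if someone rolls the system back to that point.
        return self.kind == "restore_point"


def classify_path(path: str) -> Triage:
    """Classify a path as a scanner reports it (quotes and whitespace tolerated)."""
    p = path.strip().strip('"')
    m = _RESTORE_RE.match(p)
    if m:
        return Triage("restore_point", p, detail=m.group("file"),
                      restore_point=int(m.group("rp")))
    m = _COOKIE_RE.match(p)
    if m:
        return Triage("cookie", p, detail=m.group("domain"))
    if _SYSTEM_RE.match(p):
        return Triage("system", p)
    return Triage("other", p)


def recommend(t: Triage) -> str:
    """Turn the location into the course of action discussed in the thread."""
    if t.kind == "restore_point":
        return (f"dormant copy in RP{t.restore_point}: purge restore points "
                "(disable, then re-enable System Restore) and rescan in Safe Mode")
    if t.kind == "cookie":
        return f"tracking cookie for {t.detail}: safe to delete"
    if t.kind == "system":
        return "lives under the Windows folder: keep in quarantine and look it up first"
    return "keep in quarantine and look the file up before deleting"


if __name__ == "__main__":
    # Constructed samples: the first is the restore-point path from the first
    # post exactly as typed, the rest are made up for this example.
    for sample in (
        r"C:\system Volumn information\restore (F90AF224-EOA3-405D-AEBB-D6DB6D782604}\RP362\A0053325.dll",
        r"C:\Documents and Settings\Evelyn\Cookies\evelyn@2o7[2].txt",
        r"C:\WINDOWS\system32\winlogon.exe",
        r"C:\Program Files\Example\setup.exe",
    ):
        t = classify_path(sample)
        print(f"{t.kind:<14} {recommend(t)}")
```

The regex deliberately accepts the garbled spelling and bracket from the first post so the triage works on what people actually paste into a forum; a stricter pattern would have rejected that path and classified it as "other", which is the wrong default for a file that is in fact dormant.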


#3 Renoir

Renoir
  • Topic Starter

  • Members
  • 3 posts

Posted 19 August 2006 - 10:00 AM

Hello Papakid,
Thank you so much for your quick and excellent info response! I did what you said and used Ewido to do a full scan. It found 8 medium risk tracking cookies which it quarantined:

C:\Documents and Settings\Evelyn\Cookies\evelyn@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
Is it ok to leave them quarantined there? This is the first time I used Ewido and I think it is a great program!
Thanks again for your help.
Cheers! Renoir
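The eight lines Renoir pasted share one shape (path, then "->", then a Detection.Variant name, then ":" and the action taken), which makes them easy to parse so that a reader can check at a glance whether a scan found only tracking cookies or something that was not quarantined. The following is an added example written for this thread, not Ewido's own code; the line format is inferred from the lines above, and the ninth sample line (its path, name and "Ignored" action) is constructed here to exercise the non-quarantined branch.

```python
"""Parse Ewido-style scan output and summarize what was quarantined.

Added example for this thread, not Ewido's own code: the line format is
inferred from the eight lines pasted above (path -> Family.Variant : action).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# One detection per line; the trailing period after the action is optional.
_LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\.?$")


@dataclass
class Detection:
    path: str
    family: str    # text before the first dot, e.g. "TrackingCookie"
    variant: str   # text after it, e.g. "2o7"
    action: str    # e.g. "Cleaned with backup (quarantined)"

    @property
    def quarantined(self) -> bool:
        return "quarantined" in self.action.lower()


def parse_ewido(lines: Iterable[str]) -> List[Detection]:
    """Return one Detection per matching line; blank and non-matching lines are skipped."""
    found: List[Detection] = []
    for raw in lines:
        line = raw.strip()
        m = _LINE_RE.match(line) if line else None
        if not m:
            continue
        family, _, variant = m.group("detection").partition(".")
        found.append(Detection(m.group("path"), family, variant, m.group("action")))
    return found


def summarize(found: List[Detection]) -> Dict[str, object]:
    """Counts a user would want before deciding whether the box needs a closer look."""
    families = Counter(d.family for d in found)
    return {
        "total": len(found),
        "quarantined": sum(1 for d in found if d.quarantined),
        "unhandled": [d.path for d in found if not d.quarantined],
        "families": dict(families),
        # Only tracking cookies were found: the "nothing serious" case from the thread.
        "cookies_only": bool(found) and set(families) == {"TrackingCookie"},
    }


# Sample log: the eight lines from the post above, plus one constructed line
# (path, name and action made up for this example) to show the non-quarantined branch.
SAMPLE_LOG = r"""
C:\Documents and Settings\Evelyn\Cookies\evelyn@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Evelyn\Cookies\evelyn@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Example\constructed.dll -> Example.Constructed : Ignored.
"""


def report(text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Parse a pasted log and return the summary dictionary."""
    return summarize(parse_ewido(text.splitlines()))


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The "unhandled" list is the part worth reading first: anything the scanner named but did not quarantine or clean is what still needs a decision, whereas quarantined tracking cookies can simply be deleted.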

#4 jgweed

jgweed

  • Members
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.

Posted 19 August 2006 - 10:07 AM

When an application quarantines, or puts something in its virus vault, it prevents it from actively harming your computer, but continues to "hold" it there until you take action to delete it. This process is in place in case it finds a "false-positive" or finds something that is essential to the operation of your computer; you can restore the file should it be necessary. In effect, it is similar to "are you sure you want to delete these files in your recycle bin?"
A good habit is to keep the files in your virus vault for several days before deleting them (this is also true of cookies, some of which may be necessary to access certain sites).
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#5 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,636 posts
  • Gender:Male

Posted 19 August 2006 - 12:28 PM

Yes, Quarantine is just an extra safety measure. Even the best antivirus (AV) and other security scanners make mistakes at times--the good ones will correct that quickly, but it still happens.

The thorough scanners will also flag certain files and programs that can be used for either good or ill. Termed Riskware or hacker tools, and various other names, they are just bringing the presence of such files to your attention and letting you decide if it is something you are using to troubleshoot or repair a problem, or if it is something installed by a hacker or malware that may indicate an infection.

There are also times when legitimate files have been infected, so holding these files in quarantine until they can be cleaned or replaced ensures they are handled properly. Most AV vendors will give you an option of whether or not to clean or delete a file as well as whether or not to quarantine it when found during a scan. This confuses many people. If an AV says a file can't be cleaned, the rule of thumb is that the file has been added in toto by malicious software and is safe to delete. But the safe course of action is to quarantine the file and investigate whether it is safe to delete or not.

BC has several resources to assist in this:

Startup Programs Database
The File Database
Uninstall Programs Database

Those will cover most files and give you an idea of if they are legit or not or whether they are associated with malware. Still there are some processes that will not appear in startup or those other databases, so another database to check:

TASK LIST PROGRAMS at AnswersThatWork

Of course we like to think that the greatest resource of all is the shared knowledge of BC's members, so don't ever hesitate to ask in the forums as you have done.

It is rare though now for there to be a file that needs to be cleaned. Those are mostly from true viruses, which don't show up much any more. There are still some out there though, so using quarantine is still the safest course of action.

The problem with leaving files in quarantine is that other scanners will detect those files leading some to believe that they are still infected. As long as you understand that those files have been dealt with and no longer active then you can leave them in quarantine and not worry. It's basically what I do.

But since most of those files are bad in and of themselves, there is no need to keep them in quarantine. Tracking cookies you sure don't need as they keep track of your surfing habits and mostly only enable you to view ads that they think you will be interested in based on those habits. Not a really serious threat or an infection per se, but they won't damage anything if you just delete them and keep them cleaned up.

Renoir wrote: "This is the first time I used Ewido and I think it is a great program!"

Yes, ewido is a great program and I recommend you keep it. There is some confusion about the 30 day trial, leading some to believe that it can no longer be used when the trial is up. But only a few features, such as scheduled updates and background monitoring, are disabled when the trial is up, and ewido will effectively scan and clean as long as you keep it updated manually.

Although it is now called an antispyware, it is really more of an anti-trojan and even cleans some worms. Along with your antivirus, a firewall and a few anti-spyware apps, you'll have the recommended "layered approach" to security and will be in pretty good shape.

This doesn't mean that malicious software won't still get through. It is common that a well protected machine still gets infected, depending on how much high risk behavior you engage in and some other factors. You didn't mention what other security tools you have installed and use. I would still recommend Spybot Search & Destroy and Ad-Aware in addition to ewido. The info in the following topic still applies: http://www.bleepingcomputer.com/forums/t/134/how-to-use-this-forum/

And other means of preventing infection are here:

Simple and easy ways to keep your computer safe and secure on the Internet




#6 Renoir

Renoir
  • Topic Starter

  • Members
  • 3 posts

Posted 19 August 2006 - 08:55 PM

Hi again,
Yes, I do have AdAware, Spybot, AVG, Ewido, and Shredder....I am hoping (since I have received all of this good info from you guys) that this should do the trick! Thank you so very much! Cheers! Renoir (Thanks again! You guys are great!)



