Cure failure
AngelicKnight
January 20th, 2004, 11:21 PM
Our eTrust Innoculate Realtime Scanner has been logging some odd things. It shows that a HTML/URL spoof/exploit/trojan (yeah, very specific, huh?) called "GMB5C2.HTM.0.AVB" was detected, but the cure failed and the file was restored. I'm just now getting familiar with Innoculate, so what does this mean, and what should I do about it?
Cybr1d
January 20th, 2004, 11:26 PM
Hm...that's actually very odd. Do you have any more information? A quick search on Google showed nothing on "GMB5C2.HTM.0.AVB". Perhaps another name could help. I'm guessing that your AV wasn't able to take care of the infection "if it is one", so it just restored the file. Maybe you should reconfigure it to delete or quarantine the file instead. I might be WAYYY off on this :).
Gluck
nihil
January 21st, 2004, 01:46 AM
A couple of observations:
1. All AV companies tend to use their own naming conventions... there is no industry standard.
2. If you are running WinMe, 2k or later there will be a restore facility which will be "saving" your virus... go to your AV website for detailed removal instructions.
Good luck
EDIT: Sorry, re-run updated AV etc. in safe mode... you cannot get rid of anything in Windows if it is open already.
Wazz
January 21st, 2004, 10:28 AM
You have to log on as the user who owns the file (Administrator alone won't do it..example: if user A infects a machine with a virus, and only user A has write access to the virus, then no other user will be able to take action on the file), make sure the owner has write access, and take action. Or, you can log on as an administrator, take ownership of the file, give yourself write access, and take action. This should do it..Good Luck.
Und3ertak3r
January 21st, 2004, 11:17 AM
WTF?
You have to log on as the user who owns the file (Administrator alone won't do it..example: if user A infects a machine with a virus, and only user A has write access to the virus, then no other user will be able to take action on the file), make sure the owner has write access, and take action. Or, you can log on as an administrator, take ownership of the file, give yourself write access, and take action. This should do it..Good Luck.
Wazz, can you explain what you mean by this.. I get the feeling you are not describing the home environment (or, for that matter, many commercial Windows environments)..
Please note information such as Operating System Version is not specified.. we are assuming here it is WinXP Home/Pro?
Assuming that it is.. I have not had problems dealing with files in uncompressed/unencrypted folders while in safe mode as Admin..
I repeat myself many times.. HAVE YOU TRIED THIS IN SAFE MODE..
1/ TURN OFF SYSTEM RESTORE BEFORE ATTEMPTING THE REMOVAL..
2/ UPDATE AV DEFS
3/ RUN A FULL SCAN IN SAFE MODE...
this has been working for me 95% of the time since WinMe when removing Virii, Trojans and worms..
cheers
Zonewalker
January 21st, 2004, 03:09 PM
interestingly CA's virus info page
http://www3.ca.com/virusinfo/browse.aspx
gives absolutely nothing on anything called GMB5C2.HTM.0.AVB or any shortened version of the name, e.g. GMB5C2 - so I wonder if eTrust AV is just giving you the file name it tried to quarantine. Have a look through the log files and see if there's any other type of name associated with this file.
Secondly, go into AV preferences and make sure that the program quarantines suspect files rather than releasing them!
Thirdly, do what Und3ertak3r and nihil have said and run the AV in safe mode until you have isolated the virus/trojan/whatever
Z
AngelicKnight
January 21st, 2004, 03:40 PM
Thanks, I will try out some of those suggestions and see what happens. Indeed, it's a weird one, I couldn't find the name on Google search either, shortened or otherwise. And by the way, we're on Windows 2000, sorry I forgot to mention that.
AngelicKnight
January 21st, 2004, 04:11 PM
Okay, here's a little more info, not sure if it'll be of any use, but...Evidently the file in question is a mail attachment. We get all of our office e-mail through POP3it on Filemaker Pro, and all attachments are saved to a special shared folder on one of our servers, which is where this thing evidently resides.
EDIT: Another update....I went to the mail attachment folder that this is supposed to be in, and it's not there. Evidently it's named that for mail purposes, because in that folder you can see where it goes from gmB5C1 to gmB5C3, but our mysterious little gmB5C2 isn't there. I dunno, this part's still very much Greek to me...gmB5C1 and gmB5C3 are both typical spam pages in HTML, so I imagine the missing middle guy isn't much different.
Cybr1d
January 21st, 2004, 04:21 PM
Besides it being spam, I'd worry about it being spyware also. Keep an eye out for that. Why are these spam pages sitting in your mail folder? Every so often delete emails that are obviously spam, or it could jeopardize your systems.
Edit: Users can accidentally open these emails and let loose a virus or something.
DjM
January 21st, 2004, 04:32 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=253702#post712667) by AngelicKnight
I went to the mail attachment folder that this is supposed to be in, and it's not there. Evidently it's named that for mail purposes, because in that folder you can see where it goes from gmB5C1 to gmB5C3, but our mysterious little gmB5C2 isn't there.
This leads me to believe you are set up to quarantine suspected viruses. I believe the reason the file is missing is that it has been moved to the quarantine file/folder. Now I do not use eTrust Innoculate Realtime Scanner, but this is how my Symantec system is set up. Can you check your manuals or with Innoculate's tech support to find out where Innoculate stores its quarantined files? I think that is where you're going to find this file.
Cheers:
Cybr1d
January 21st, 2004, 04:46 PM
I'm guessing the quarantine folder would most likely be in
C:\Program Files\eTrust\Quarantine or something very similar to this path.
AngelicKnight
January 21st, 2004, 11:06 PM
Oddly enough, I have yet to find a quarantine folder (at least there isn't one in Innoculate's folder under Program Files). Still looking...
Wazz
January 21st, 2004, 11:27 PM
Ok, find the file by doing a search from your account (Admin). Go to the properties of the file and take ownership of it (security tab, advanced, owner). Try to clean the file again after you do that.
Cybr1d
January 21st, 2004, 11:59 PM
you could also do a search for the folder itself :)
Zonewalker
January 22nd, 2004, 12:03 AM
actually that won't help much Wazz ... now I've actually got onto my home PC... eTrust (which is what I'm running) actually completely renames the file - Angelic, you need to look at eTrust's log files to find out what it has been renamed to - if it has indeed been renamed it should also tell you the file path
Z
PS from what I can gather eTrust doesn't quarantine a file as such - at least not in the same way as Symantec does - hence no quarantine folder - it renames the file and I think locks it so that no process can use it.... I could be wrong here though since it's been a while since I had a virus on my system
/me walks off to find a virus
AngelicKnight
January 22nd, 2004, 01:16 AM
Thanks guys. Well, let me show you exactly what it tells me. In the Realtime Scanner Log, I get this:
File: D:\DATA\M\GM4\MAILBOX\ATTACH\~GMB5C2.HTM.0.AVB
Status: Cure failed, file restored.
Infection Name: HTML/URLSpoof.Exploit.Trojan
Infection Type: Trojan
Detection Method: Signature
Engine: InoculateIT
User: NT AUTHORITY/SYSTEM
nihil
January 22nd, 2004, 02:01 AM
You might find the quarantine file in the root of C:\ or whatever? That is where my AVG puts them, in a folder it created.
The .avb extension is your AV identifying it as a virus infected file.
I have no idea where it might have gone, you might search for all files with that .avb extension? I have seen plenty of e-mails which just had the head and the tail, the virus infected body had been deleted at the server.
Do you keep getting a detection every time you run a scan? Remember that you will have to make sure it is not in the restore utility in Win2k.
Good luck
Wazz
January 22nd, 2004, 03:36 AM
Is your Action Option set to "Scan Only" by any slight chance? That would cause the error as well. Did you try my solution from the previous post? I'm curious to see what's up with this. No listing on "HTML/URLSpoof.Exploit.Trojan" either...??
AngelicKnight
January 22nd, 2004, 04:09 PM
The action for the Realtime Monitor is to "cure file" while the scanner action is set to "report only". Also, the option is set for a file to be renamed when it cannot be cured, and indeed the extension is changed to .avb. And Wazz, I haven't had any luck searching for it yet. Right now I have a search running for any *.avb files, so maybe that'll turn up something...
AngelicKnight
January 22nd, 2004, 04:42 PM
Something else to note: the trojan was found two consecutive days three times each, and hasn't appeared again since. Each time the exact action was performed, so all together there are six identical log entries. Also, there is currently nothing in the Move folder.
Also, that search for *.avb files did uncover some files identified by Inoculate, but our mysterious file in question was not among them.
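Wazz's ACL explanation for "Cure failed, file restored" and AngelicKnight's search for *.avb files can be combined into one check. The script below is an added example, not code from the thread: it lists the files the scanner renamed to .avb under the attachment share from the log entry and reports, for each, the owner and whether NT AUTHORITY\SYSTEM (the account in the log) and the Administrators group effectively hold a Write right. It assumes a current Windows host with PowerShell; on the thread's Windows 2000 server the same facts come from the file's Security tab.

```powershell
# Added example, not from the thread. Path below is the attachment share
# named in the Realtime Scanner log entry quoted earlier in the thread.
param(
    [string]$Root = 'D:\DATA\M\GM4\MAILBOX\ATTACH'
)

$principals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
# The specific Write bits (WriteData/AppendData/WriteEA/WriteAttributes);
# Modify and FullControl contain them. Generic rights, which Get-Acl shows
# as large raw numbers, are not mapped here.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write

function Get-AvbAccessReport([string]$Path) {
    Get-ChildItem -LiteralPath $Path -Filter '*.avb' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            $row = [ordered]@{ File = $_.FullName; Owner = $acl.Owner }
            foreach ($p in $principals) {
                # Explicit and inherited ACEs for this principal
                $aces  = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $p }
                $allow = $aces | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $writeBits) -ne 0) }
                $deny  = $aces | Where-Object {
                    $_.AccessControlType -eq 'Deny'  -and (([int]$_.FileSystemRights -band $writeBits) -ne 0) }
                # NTFS evaluates Deny before Allow, so any matching Deny wins
                $row["$p write"] = ([bool]$allow) -and (-not [bool]$deny)
            }
            [pscustomobject]$row
        }
}

Get-AvbAccessReport -Path $Root | Format-Table -AutoSize
```

A row where "NT AUTHORITY\SYSTEM write" is False is the situation Wazz describes: the scanner, running as SYSTEM, could detect the file but not modify it.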
ikalo
January 26th, 2004, 01:01 PM
Angel,
to make sure that trojan is really gone, you have to check what programs are started when you boot your box. Under W2k you don't have the nice utility called msconfig.exe so you have to do it manually. Trojans often use the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, also you could check what services are started in Computer Management.
Be careful, you can easily delete something that is needed for your system to run properly. Search for fuzzy names.
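The autostart review ikalo describes, written as an added example (not from the thread) for a current Windows host with PowerShell; Windows 2000 has no PowerShell, so there the same keys are read in regedit and the services list in Computer Management. It dumps the Run/RunOnce values under HKLM and HKCU plus auto-start services, and marks entries whose executable lives outside %SystemRoot% for a closer look. The outside-SystemRoot heuristic is an assumption of this example, not a rule from the thread.

```powershell
# Added example, not from the thread: list autostart entries and flag those
# whose binary is outside %SystemRoot% as candidates for manual review.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Note properties the registry provider adds to every Get-ItemProperty result
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$systemRoot = $env:SystemRoot

function Test-OutsideSystemRoot([string]$Command) {
    # Take the quoted path if present, otherwise the first whitespace token,
    # then ask whether it sits under %SystemRoot%. "Outside" is only a cue
    # to look closer (the "fuzzy names" ikalo mentions), not proof of malice.
    $exe = $Command -replace '^\s*"([^"]+)".*$', '$1'
    if ($exe -eq $Command) { $exe = ($Command -split '\s+')[0] }
    return -not $exe.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-AutostartReview {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            [pscustomobject]@{
                Source  = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
                Review  = Test-OutsideSystemRoot ([string]$prop.Value)
            }
        }
    }
    # Services configured to start automatically (PathName is already expanded)
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        [pscustomobject]@{
            Source  = 'Service:' + $_.Name
            Name    = $_.DisplayName
            Command = $_.PathName
            Review  = Test-OutsideSystemRoot ([string]$_.PathName)
        }
    }
}

Get-AutostartReview | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```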