-
January 21st, 2004, 04:46 PM
#11
I'm guessing the quarantine folder would most likely be in:
C:\Program Files\eTrust\Quarantine or something very similar to this path.
-
January 21st, 2004, 11:06 PM
#12
Oddly enough, I have yet to find a quarantine folder (at least there isn't one in Inoculate's folder under Program Files). Still looking...
-
January 21st, 2004, 11:27 PM
#13
Ok, find the file by doing a search from your account (Admin). Go to the properties of the file and take ownership of it (security tab, advanced, owner). Try to clean the file again after you do that.
"It is a shame that stupidity is not painful" - Anton LaVey
-
January 21st, 2004, 11:59 PM
#14
you could also do a search for the folder itself
-
January 22nd, 2004, 12:03 AM
#15
actually that won't help much Wazz ... now I've actually got onto my home PC... eTrust (which is what I'm running) actually completely renames the file - Angelic you need to look at eTrust's log files to find out what it has been renamed to - if it has indeed been renamed it should also tell you the file path
Z
PS from what I can gather eTrust doesn't quarantine a file as such - at least not in the same way as Symantec does - hence no quarantine folder - it renames the file and I think locks it so that no process can use it.... I could be wrong here though since it's been a while since I had a virus on my system
/me walks off to find a virus
Quis Custodiet Ipsos Custodes
-
January 22nd, 2004, 01:16 AM
#16
Thanks guys. Well, let me show you exactly what it tells me. In the Realtime Scanner Log, I get this:
File: D:\DATA\M\GM4\MAILBOX\ATTACH\~GMB5C2.HTM.0.AVB
Status: Cure failed, file restored.
Infection Name: HTML/URLSpoof.Exploit.Trojan
Infection Type: Trojan
Detection Method: Signature
Engine: InoculateIT
User: NT AUTHORITY/SYSTEM
-
January 22nd, 2004, 02:01 AM
#17
You might find the quarantine file in the root of C:\ or whatever? That is where my AVG puts them, in a folder it created.
The .avb extension is your AV identifying it as a virus infected file.
I have no idea where it might have gone, you might search for all files with that .avb extension? I have seen plenty of e-mails which just had the head and the tail, the virus infected body had been deleted at the server.
Do you keep getting a detection every time you run a scan? Remember that you will have to make sure it is not in the restore utility in Win2k.
Good luck
-
January 22nd, 2004, 03:36 AM
#18
Is your Action Option set to "Scan Only" by any slight chance? That would cause the error as well. Did you try my solution from the previous post? I'm curious to see what's up with this. No listing on "HTML/URLSpoof.Exploit.Trojan" either...??
"It is a shame that stupidity is not painful" - Anton LaVey
-
January 22nd, 2004, 04:09 PM
#19
The action for the Realtime Monitor is to "cure file" while the scanner action is set to "report only". Also, the option is set for a file to be renamed when it cannot be cured, and indeed the extension is changed to .avb. And Wazz, I haven't had any luck searching for it yet. Right now I have a search running for any *.avb files, so maybe that'll turn up something...
-
January 22nd, 2004, 04:42 PM
#20
Something else to note: the trojan was found two consecutive days three times each, and hasn't appeared again since. Each time the exact action was performed, so all together there are six identical log entries. Also, there is currently nothing in the Move folder.
Also, that search for *.avb files did uncover some files identified by Inoculate, but our mysterious file in question was not among them.