
Thread: virus found

  1. #1

    virus found

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Trojan.Zlob
    File: C:\WINNT\system32\hp59FC.tmp
    Location: C:\WINNT\system32
    Computer: XXXXX
    User: Administrator
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: 20 April 2006 15:18:27
    How do I delete this file? Symantec cannot do it.

  2. #2
    MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    It appears to have deleted it?

    Have you tried running AV in safe mode?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  3. #3
    Just Another Geek | Join Date: Jul 2002 | Location: Rotterdam, Netherlands | Posts: 3,401
    I believe it's already deleted....

    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    That's odd!

    Ok: Clean failed, quarantine failed. This would indicate AV failure to do anything.

    Next phrase is Delete Succeeded. Then ACCESS DENIED?

    My gut reaction to this kind of situation will be to construe a self-rewriting virus. Once scanned and detected, the behavior of the virus is to latch into the system memory and once the offending file is deleted, it proceeds to rewrite itself into a file with the same name that was deleted.

    What's odd about this is the "Access Denied" feedback. It means that the file attribute has been reset into a read-only and even possibly hidden/system. That will be the first time I'd say such a dynamic file attribute setting is implemented. I haven't encountered it so far.

    My brute approach (assuming this is located in only one folder and the process happens one step at a time) would be the following:

    1. Do the scan and let the AV do the deletion.
    2. If there is a loop report of "access denied", redo step 1 and immediately press the RESET button of the CPU after the deletion report.
    3. I'd go into safe mode with DOS (command prompt), look for the file name (if that has been reported) in the folder then nullify the attributes by typing the command ATTRIB -H -R -S -A [filename] then proceed to delete (with DEL [filename]).
    4. If possible within the Safe Mode, do the scan again and if the file still exists, then start looking at ALL folders in the hard drive to find out if there are replicates in the other folders that need to be physically deleted (the DOS command switch is /S for subdirectories).

    If all of the above fail to physically remove the Trojan, then maybe it is time to ask for help from an external scanner (such as TrendMicro Housecall).

    Note, however, that this is my personal method of approaching the problem and is not necessarily as effective as the other more sophisticated approaches. The loop and rewrite condition may be found in the Processes in the Task Manager (the process as contained in a file or procedure may just be lurking in there!). In that case, you may need to click on "End Process" first while in normal Windows mode, then proceed to delete the file using Windows Explorer or in DOS mode.

    Slap me if you must but this is how I normally approach similar situations and I'd gladly welcome possible methodological improvements.

    Cheers!
    Si vis pacem, para bellum!
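    The safe-mode cleanup in steps 3 and 4 above, written as a script (an added example, not code from the thread or from any poster). It assumes a root folder and a file name as parameters; the sample tree it builds is constructed for the demonstration, and the file name is only the one the opening post reported.

```python
import ctypes
import os
import stat
import sys
import tempfile

FILE_ATTRIBUTE_NORMAL = 0x80  # documented value for SetFileAttributesW


def clear_attributes(path):
    """Same effect as ATTRIB -H -R -S -A: strip hidden/read-only/system/archive."""
    if sys.platform == "win32":  # assumption: caller may change attributes on the file
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL)
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # read-only also exists as a mode bit


def find_replicates(root, name):
    """Every file called `name` under `root`, like DEL /S (case-insensitive as on NTFS)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() == name.lower())
    return hits


def remove_replicates(root, name):
    """Clear attributes, then delete each copy; return the paths actually removed."""
    removed = []
    for path in find_replicates(root, name):
        try:
            clear_attributes(path)
            os.remove(path)
            removed.append(path)
        except OSError as exc:
            # An open handle or ACL still blocks deletion: the thread's "Access denied".
            print(f"still blocked: {path}: {exc}", file=sys.stderr)
    return removed


def make_sample_tree():
    """Constructed sample: two read-only copies of the reported file name plus a bystander."""
    root = tempfile.mkdtemp()
    deep = os.path.join(root, "sub", "deeper")
    os.makedirs(deep)
    for folder in (root, deep):
        path = os.path.join(folder, "hp59FC.tmp")
        open(path, "w").close()
        os.chmod(path, stat.S_IREAD)  # simulate ATTRIB +R
    open(os.path.join(root, "keep.txt"), "w").close()
    return root
```

    Run `remove_replicates(make_sample_tree(), "hp59FC.tmp")` to watch both copies go while `keep.txt` survives; a copy that is still held open by a running process stays behind and is reported, which is the case post #4 sends to Task Manager.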

  5. #5
    nihil (Senior Member) | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,188
    Well,

    Based on my experience of AV products over the years (including beta testing a Peruvian one...........you gotta watch out for them "gusanos" hombre! ..........yes, it was in Spanish)

    I would look at your default settings for "action to be taken" if malware is found? The options are usually:

    1. Report and continue scan.
    2. Repair
    3. Quarantine if you can't repair (an infected file)
    4. Delete if you can't repair or quarantine
    5. Deny access

    A modern worm (gusano) is a stand-alone creature, so the AV cannot repair it, and as it is not a valid system file that has been infected, it sees no point in quarantining it. So it deletes the file, or possibly sets it up for deletion on reboot.

    It blocks access to the file until it is deleted.

    Check your AV settings for action to be taken. Reboot into safe mode and rescan.............it should have gone.

    Whilst you are in safe mode please defragment your hard drive, as this will compact your AV pattern file and make it work faster.
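    Reading the opening post's event the way posts #2, #3 and #5 do, as an added example (not code from the thread). The event text is copied from post #1; the parser and the verdict wording are mine.

```python
# "Action taken" is a chain of attempts in the order the AV made them.
SAMPLE_EVENT = r"""Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.Zlob
File: C:\WINNT\system32\hp59FC.tmp
Location: C:\WINNT\system32
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: 20 April 2006 15:18:27"""


def parse_event(text):
    """'Key: Value' lines -> dict; partition() on the first colon keeps C:\\... intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def action_chain(action_taken):
    """'Clean failed : Quarantine failed : ...' -> [('Clean', 'failed'), ...]."""
    steps = []
    for step in action_taken.split(" : "):
        action, _, result = step.strip().rpartition(" ")
        steps.append((action, result.lower()))
    return steps


def verdict(steps):
    """Final state of the file. 'Access denied' after 'Delete succeeded' is the AV
    blocking the file until the deletion completes (post #5), not a failed delete."""
    done = [action for action, result in steps if result == "succeeded"]
    blocked = any(result == "denied" for _, result in steps)
    if "Delete" in done:
        return "deleted (possibly on reboot); rescan in safe mode to confirm"
    if done:
        return f"{done[0]} succeeded; file kept"
    if blocked:
        return "still present; access blocked by the AV"
    return "no action succeeded; file still present"
```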

  6. #6
    dalek (The ******* Shadow) | Join Date: Sep 2005 | Posts: 1,564
    Hi


    Were you running any other AntiSpyware apps (like Adaware SE) when the auto-protect scan kicked in and showed you this problem?

    If so, run your Adaware SE again and then delete all of your Quarantined files, get Ccleaner, run it and clean out your temp files and recycle bin.

    Reboot into safe mode with networking (if able; see the "How to boot into Safe Mode with networking" guide), go to Trend Micro Housecall and run a scan, and follow their prompts for removal if any. Also you should go to Norton, get the latest definitions and run a scan with Norton. Before rebooting into normal mode, disable your System Restore (see the how-to guide), run Ccleaner again and then reboot into normal mode...

    Usually, because these Malware reside in your system restore points, every time you run a scan of some sort it may pick up the fact that there is a holdover from a previous scan (quarantined file) and activate your "Auto-Protect Scan", but be unable to completely delete it.


    Luck...
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  7. #7
    Und3ertak3r (The Doctor) | Join Date: Apr 2002 | Posts: 2,744
    Regardless of your AV settings..

    It is good form to know the beast that was detected..

    http://www.symantec.com/avcenter/ven...an.zlob.b.html
    (ok that is the info link for the second version ie b version)


    From this link it gives you instructions for a "full" cleanup, while the AV is supposed to do a full clean I never trust them.. Follow through and double check..

    One other thing: don't trust just one AV company when researching. Get the info from three or more companies.. one co may pick up on an Auto Download Key in the registry that the others missed.
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    Senior Member | Join Date: Oct 2005 | Posts: 197
    zlob sucks, it really sucks when it downloads bullsh*t spyware too. I'm pretty sure this is the same version as the one I've dealt with a million times. I hate it.

    SmitRem should kill it ( noahdfear.geekstogo.com )
    Also look for spyAxe/Falcon/Sherrif/Trooper
    www.help2go.com/Tutorials/Spyware_Information/Remove_SpyAxe_with_smitRem.exe_(formerly_SpyAxeFix.exe).html

    Another thing you could try would be to use Process Explorer from Sysinternals to kill explorer, suspend winlogon, then File > Run, go to win\sys32 and manually delete the files.

    The new killbox also kills it on reboot, I do believe.

    Hope this helps. I hate it!
    meh. -ech0.

  9. #9
    brokencrow (Dissident 4dm1n) | Join Date: Feb 2004 | Location: Shawnee country | Posts: 1,243
    And once again, boys and girls, how does Spyaxe infect a Windows PC?

    By way of Internet Explorer, of course...
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  10. #10
    Hoopy Frood | Join Date: Jun 2004 | Posts: 662
    Originally posted here by brokencrow
    And once again, boys and girls, how does Spyaxe infect a Windows PC?

    By way of Internet Explorer, of course...
    No. Through a poorly configured Internet Explorer.

    If you were infected via ActiveX, Javascript, or Java:
    - Change I.E.'s Internet Zone Security settings and make good use of the Trusted Zones feature.

    If you were infected via a buffer overflow:
    - Firefox has these, too. :-) (Heck, even Lynx has had at least one.)
    - Run your browser under a different user which only has read/write access to the cache directory and read access to the browser directory. (If you need to download files, then make a specific file for this that the browser has write access to, but make sure it does not have execute rights to any folder.) If a buffer overflow is exploited under these circumstances, what's the worst that could happen? It reads from your browser directory or your cache directory? (Heaven forbid!) It writes and fills up your cache or download directory? (Heaven forbid! Turn on Disk Quotas so that it doesn't fill up your hard drive.) It can't place any special binaries on your system and then execute them, so it really can't do anything harmful.

    - X
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard
