
Thread: Cure failure

  1. #1

    Question Cure failure

    Our eTrust Innoculate Realtime Scanner has been logging some odd things. It shows that a HTML/URL spoof/exploit/trojan (yeah, very specific, huh?) called "GMB5C2.HTM.0.AVB" was detected, but the cure failed and the file was restored. I'm just now getting familiar with Innoculate, so what does this mean, and what should I do about it?

  2. #2
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Hm...that's actually very odd. Do you have any more information? A quick search on Google showed nothing on "GMB5C2.HTM.0.AVB". Perhaps another name could help. I'm guessing that your AV wasn't able to take care of the infection (if it is one), so it just restored the file. Maybe you should reconfigure it to delete or quarantine the file instead. I might be WAYYY off on this.

    Gluck

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    A couple of observations:

    1. All AV companies tend to use their own naming conventions... there is no industry standard.

    2. If you are running WinMe, 2k or later there will be a restore facility which will be "saving" your virus... go to your AV website for detailed removal instructions.

    Good luck

    EDIT: Sorry, re-run updated AV etc. in safe mode... you cannot get rid of anything in Windows if it is open already.

  4. #4
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    You have to log on as the user who owns the file (Administrator alone won't do it. Example: if user A infects a machine with a virus, and only user A has write access to the virus, then no other user will be able to take action on the file), make sure the owner has write access, and take action. Or, you can log on as an administrator, take ownership of the file, give yourself write access, and take action. This should do it. Good Luck.
    "It is a shame that stupidity is not painful" - Anton LaVey
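    The ownership/write-access procedure Wazz describes, as an added example that is not from this thread or from any of its posters. It is written for a current Windows with PowerShell (the original poster's Windows 2000 box would need the Explorer Security tab or the Resource Kit tools instead); `$FlaggedFile` and `$QuarantineDir` are placeholder paths, and it assumes an elevated (administrator) prompt. It first shows who owns the file and what the ACL grants, tests whether the current account can open it for writing, takes ownership and grants Administrators full control only if that test fails, and then moves the file into a quarantine folder rather than deleting it so a sample survives for the AV vendor.

```powershell
# Added example (not from this thread): inspect a file the AV could not cure,
# take ownership as an administrator, grant write access, and quarantine it.
# Assumptions: elevated PowerShell prompt; both paths below are placeholders.

$FlaggedFile   = 'D:\MailAttachments\gmB5C2.htm'   # placeholder path
$QuarantineDir = 'D:\AVQuarantine'                 # placeholder path

function Show-FileAccess {
    # Print the owner and every access control entry on the file.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    Write-Host "Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Host ("  {0,-35} {1,-6} {2}" -f $ace.IdentityReference,
                                               $ace.AccessControlType,
                                               $ace.FileSystemRights)
    }
    return $acl
}

function Test-WriteAccess {
    # True if this account can open the file for writing with no sharing.
    # Fails both when the ACL denies write and when the file is held open
    # by another process (nihil's "already open" case).
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Write', 'None')
        $fs.Close()
        return $true
    } catch {
        return $false
    }
}

if (-not (Test-Path -LiteralPath $FlaggedFile)) {
    Write-Warning "File not found: $FlaggedFile (check the AV quarantine folder first)."
    return
}

Write-Host "Before:"
Show-FileAccess -Path $FlaggedFile | Out-Null

if (-not (Test-WriteAccess -Path $FlaggedFile)) {
    # Members of Administrators may take ownership even without write access.
    takeown.exe /F $FlaggedFile | Out-Null
    # Grant the local Administrators group full control on this one file only.
    icacls.exe $FlaggedFile /grant 'Administrators:F' | Out-Null
    Write-Host "After taking ownership:"
    Show-FileAccess -Path $FlaggedFile | Out-Null
}

# Quarantine rather than delete, so the sample is kept for later analysis.
New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
$dest = Join-Path $QuarantineDir ((Split-Path $FlaggedFile -Leaf) + '.quarantined')
Move-Item -LiteralPath $FlaggedFile -Destination $dest -Force
Write-Host "Moved to $dest"
```

    If `Test-WriteAccess` still fails after ownership has been taken, the file is most likely open in another process, which is the situation nihil's safe-mode advice addresses; run the script again from safe mode rather than loosening the ACL further.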

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    WTF?

    You have to log on as the user who owns the file (Administrator alone won't do it..example: if user A infects a machine with a virus, and only user A has write access to the virus, then no other user will be able to take action on the file), make sure the owner has write access, and take action. Or, you can log on as an administrator, take ownership of the file, give yourself write access, and take action. This should do it..Good Luck.
    WAZZ, can you explain what you mean by this.. I get the feeling you are not describing the home environment (for that matter many commercial Windows environments..

    Please note information such as Operating System Version is not specified.. we are assuming here it is WinXP Home/Pro?

    Assuming that it is.. I have not had problems dealing with files in uncompressed/unencrypted folders, while in safe mode as Admin..

    I repeat myself many times.. HAVE YOU TRIED THIS IN SAFE MODE..
    1/ TURN OFF SYSTEM RESTORE BEFORE ATTEMPTING THE REMOVAL..
    2/ UPDATE AV DEFS
    3/ RUN A FULL SCAN IN SAFE MODE...

    this has been working for me 95% of the time since WinMe when removing Virii, Trojans and worms..

    cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #6
    Senior Member Zonewalker's Avatar
    Join Date
    Jul 2002
    Posts
    949
    interestingly CA's virus info page
    http://www3.ca.com/virusinfo/browse.aspx

    gives absolutely nothing on anything called GMB5C2.HTM.0.AVB or any shortened version of the name e.g. GMB5C2 - so I wonder if eTrust AV is just giving you the file name it tried to quarantine. Have a look through the log files and see if there's any other type of name associated with this file.

    Secondly, go into AV preferences and make sure that the program quarantines suspect files rather than releasing them!

    Thirdly, do what Und3ertak3r and nihil have said and run the AV in safe mode until you have isolated the virus/trojan/whatever.

    Z
    Quis Custodiet Ipsos Custodes

  7. #7
    Thanks, I will try out some of those suggestions and see what happens. Indeed, it's a weird one, I couldn't find the name on Google search either, shortened or otherwise. And by the way, we're on Windows 2000, sorry I forgot to mention that.

  8. #8
    Okay, here's a little more info, not sure if it'll be of any use, but...Evidently the file in question is a mail attachment. We get all of our office e-mail through POP3it on Filemaker Pro, and all attachments are saved to a special shared folder on one of our servers, which is where this thing evidently resides.

    EDIT: Another update....I went to the mail attachment folder that this is supposed to be in, and it's not there. Evidently it's named that for mail purposes, because in that folder you can see where it goes from gmB5C1 to gmB5C3, but our mysterious little gmB5C2 isn't there. I dunno, this part's still very much Greek to me...gmB5C1 and gmB5C3 are both typical spam pages in HTML, so I imagine the missing middle guy isn't much different.

  9. #9
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Besides it being spam, I'd worry about it being spyware also. Keep an eye out for that. Why are these spam pages sitting in your mail folder? Every so often delete emails that are obviously spam, or it could jeopardize your systems.

    Edit: Users can accidentally open these emails and let loose a virus or something.

  10. #10
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by AngelicKnight
    I went to the mail attachment folder that this is supposed to be in, and it's not there. Evidently it's named that for mail purposes, because in that folder you can see where it goes from gmB5C1 to gmB5C3, but our mysterious little gmB5C2 isn't there.
    This leads me to believe you are set up to quarantine suspected viruses. I believe the reason the file is missing is that it has been moved to the quarantine file/folder. Now I do not use eTrust Innoculate Realtime Scanner, but this is how my Symantec system is set up. Can you check your manuals or with Innoculate's tech support to find out where Innoculate stores its quarantined files? I think that is where you're going to find this file.

    Cheers:
    DjM
