Has anyone experienced anything like this? How did you remove this threat?


sebio

Hi to all viewers,

I'm not sure if this is the right place to post virus problems, but I'm
sure, based upon previously reading some questions posted here, that I got an idea
and some tips on what to do if such a thing happened.
Anyway, I have only a free AV installed on my PC, but normally I do online
scanning as well; I use the OneCare online scan, Norton online scan and Kaspersky
online scan on my PC. Then last week I got infected by a Trojan on my
partition volume F.
Cropped report:
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

F:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP36\A0004733.inf Infected: Trojan.Win32.Agent.ad skipped

Scan process completed.

Then I started removing the virus using the Kaspersky trial version, but when I
scanned it did not find the virus located on the System Volume. I also used
other removal software but, to my frustration, got the same result: the virus was still
on volume F.

So I decided to reformat drive F. That resolved the issue, but I lost all the data
installed on it.

Then lately I scanned again using the online Kaspersky scanner and found out I was
infected by a backdoor, this time in System Restore on volume C.
As for the previous option of reformatting the drive, I don't think I should do that. If
there are any suggestions on how to delete these files located in System Restore, or how to
access System Restore, that would be very helpful to me.
I'm trying to locate this file, but I think it is hidden; even if I show all
hidden files, I can't track down the location.
Here's the scan result:
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/DbgSvc.exe Infected: Backdoor.Win32.Rbot.fzp skipped

C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/Svchost.exe Infected: Backdoor.Win32.Rbot.fzp skipped

C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab Infected: Backdoor.Win32.Rbot.fzp skipped

C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe Rsrc-Package: infected - 3 skipped

C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP84\change.log Object is locked skipped

Thanks & Best Regards
 

philo

sebio said:
Hi to all viewers,

I'm not sure if this is the right place to post virus problems, but I'm
sure, based upon previously reading some questions posted here, that I got an idea
and some tips on what to do if such a thing happened.
Anyway, I have only a free AV installed on my PC, but normally I do online
scanning as well; I use the OneCare online scan, Norton online scan and Kaspersky
online scan on my PC. Then last week I got infected by a Trojan on my
partition volume F.
Cropped report:
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

F:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP36\A0004733.inf Infected: Trojan.Win32.Agent.ad skipped

Some virus checkers can repair "infections" within System Volume Info.

Otherwise, turn off System Restore and reboot.


Scan process completed.

Then I started removing the virus using the Kaspersky trial version, but when I
scanned it did not find the virus located on the System Volume. I also used
other removal software but, to my frustration, got the same result: the virus was still
on volume F.

So I decided to reformat drive F. That resolved the issue, but I lost all the data
installed on it.

Then lately I scanned again using the online Kaspersky scanner and found out I was
infected by a backdoor, this time in System Restore on volume C.
As for the previous option of reformatting the drive, I don't think I should do that. If
there are any suggestions on how to delete these files located in System Restore, or how to
access System Restore, that would be very helpful to me.
I'm trying to locate this file, but I think it is hidden; even if I show all
hidden files, I can't track down the location.
Here's the scan result:
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/DbgSvc.exe Infected: Backdoor.Win32.Rbot.fzp skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/Svchost.exe Infected: Backdoor.Win32.Rbot.fzp skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab Infected: Backdoor.Win32.Rbot.fzp skipped
 

David H. Lipman

From: "sebio" <[email protected]>

| Hi to all viewers,
|
| I'm not sure if this is the right place to post virus problems, but I'm
| sure, based upon previously reading some questions posted here, that I got an idea
| and some tips on what to do if such a thing happened.
| Anyway, I have only a free AV installed on my PC, but normally I do online
| scanning as well; I use the OneCare online scan, Norton online scan and Kaspersky
| online scan on my PC. Then last week I got infected by a Trojan on my
| partition volume F.
| Cropped report:
| F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
|
| F:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP36\A0004733.inf Infected: Trojan.Win32.Agent.ad skipped
|
| Scan process completed.
|
| Then I started removing the virus using the Kaspersky trial version, but when I
| scanned it did not find the virus located on the System Volume. I also used
| other removal software but, to my frustration, got the same result: the virus was still
| on volume F.
|
| So I decided to reformat drive F. That resolved the issue, but I lost all the data
| installed on it.
|
| Then lately I scanned again using the online Kaspersky scanner and found out I was
| infected by a backdoor, this time in System Restore on volume C.
| As for the previous option of reformatting the drive, I don't think I should do that. If
| there are any suggestions on how to delete these files located in System Restore, or how to
| access System Restore, that would be very helpful to me.
| I'm trying to locate this file, but I think it is hidden; even if I show all
| hidden files, I can't track down the location.
| Here's the scan result:
| C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
|
| C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/DbgSvc.exe Infected: Backdoor.Win32.Rbot.fzp skipped
|
| C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/Svchost.exe Infected: Backdoor.Win32.Rbot.fzp skipped
|
| C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab Infected: Backdoor.Win32.Rbot.fzp skipped
|
| C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe Rsrc-Package: infected - 3 skipped
|
| C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP84\change.log Object is locked skipped
|
| Thanks & Best Regards

This isn't the best place to ask about virus/malware problems.

This is... microsoft.public.security.virus

The first thing to know is that formatting "F:" was the WRONG approach.

F:\System Volume Information\_restore is the System Restore cache for the "F:" drive. It
is NOT the active area of the OS.
Just disabling the System Restore cache, rebooting, and then re-enabling the System Restore
cache would have removed all malware backed up into this cache.

The same goes for... C:\System Volume Information\_restore

However, malware would NOT get into the System Restore cache without being in the active
areas first.

Please perform the following...


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall, or allow WGET.EXE through your
firewall, so that it can download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
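As an added illustration of the distinction David draws above between the System Restore cache and the active area of the OS (this is example code written for this page, not part of the thread and not part of Multi_AV), the following Python script parses Kaspersky-style report lines like the ones sebio posted and sorts the hits into restore-point hits, which disabling and re-enabling System Restore purges, and active-area hits, which still need real cleaning. The report format is assumed from only the three line shapes visible in the thread ("Infected: ...", "Object is locked", "Rsrc-Package: infected - N"), and the one active-area line in the sample report is constructed, not taken from the post.

```python
"""Triage a Kaspersky-style scan report: separate hits inside the System Restore
cache (<drive>:\\System Volume Information\\_restore{GUID}\\RPnn\\) from hits in
the active part of the file system. Added example, not code from the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One report line, in the three shapes visible in the thread's scan output
# (assumed format; other scanner messages are simply ignored):
#   <path> Infected: <detection> skipped
#   <path> Object is locked skipped
#   <path> Rsrc-Package: infected - <n> skipped
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected:\s+(?P<detection>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|Rsrc-Package:\s+infected\s+-\s+(?P<count>\d+))"
    r"\s+(?P<action>\w+)\s*$"
)

# XP-era System Restore cache layout on a volume, as seen in the posted paths.
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\"
)
DRIVE_RE = re.compile(r"^(?P<drive>[A-Za-z]):\\")


@dataclass
class Finding:
    file: str                        # on-disk object (first path component)
    members: List[str]               # nested archive members after '/', e.g. data0000.cab/DbgSvc.exe
    verdict: str                     # 'infected', 'locked' or 'rsrc-package'
    detection: Optional[str]         # detection name for 'infected'
    infected_members: Optional[int]  # member count for 'rsrc-package'
    action: str                      # what the scanner did ('skipped' throughout the thread)
    drive: Optional[str]
    restore_point: Optional[int]     # RPnn when the object sits in the restore cache

    @property
    def in_restore_cache(self) -> bool:
        return self.restore_point is not None


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; returns None for lines that are not findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Kaspersky writes archive members with '/', which never occurs in a Windows path.
    parts = m.group("path").split("/")
    file, members = parts[0], parts[1:]
    if m.group("detection"):
        verdict, detection, count = "infected", m.group("detection"), None
    elif m.group("locked"):
        verdict, detection, count = "locked", None, None
    else:
        verdict, detection, count = "rsrc-package", None, int(m.group("count"))
    rp = RESTORE_RE.match(file)
    dm = DRIVE_RE.match(file)
    return Finding(
        file=file, members=members, verdict=verdict, detection=detection,
        infected_members=count, action=m.group("action"),
        drive=dm.group("drive").upper() if dm else None,
        restore_point=int(rp.group("rp")) if rp else None,
    )


def triage(report: str) -> Dict[str, object]:
    """Split findings into restore-cache hits (gone once System Restore is disabled
    and re-enabled) and active-area hits (need cleaning); locked objects are listed
    separately because the scanner could not inspect them at all."""
    findings = [f for f in (parse_line(l) for l in report.splitlines()) if f]
    restore_hits: Dict[str, set] = {}
    active_hits: List[str] = []
    locked: List[str] = []
    for f in findings:
        if f.verdict == "locked":
            locked.append(f.file)
        elif f.in_restore_cache:
            restore_hits.setdefault(f.drive, set()).add(f.restore_point)
        else:
            active_hits.append("/".join([f.file] + f.members))
    return {
        "restore_points": {d: sorted(rps) for d, rps in restore_hits.items()},
        "active_hits": active_hits,
        "locked": locked,
        "total": len(findings),
    }


# Scan lines quoted from the thread (rejoined where the post wrapped them), plus one
# CONSTRUCTED active-area hit so the two classes can be told apart.
SAMPLE_REPORT = r"""
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/DbgSvc.exe Infected: Backdoor.Win32.Rbot.fzp skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab/Svchost.exe Infected: Backdoor.Win32.Rbot.fzp skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe/data0000.cab Infected: Backdoor.Win32.Rbot.fzp skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP66\A0020006.exe Rsrc-Package: infected - 3 skipped
C:\System Volume Information\_restore{293F2884-3D03-4F2C-813E-C74886B8ABE4}\RP84\change.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\constructed_sample.exe Infected: Backdoor.Win32.Rbot.fzp skipped
Scan process completed.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

On sebio's C: report every infected object lives under RP66, so the summary shows one restore point on C: and no active-area hit; the constructed Temp line shows what an active-area hit would look like, which is the case David says must have existed first and which System Restore housekeeping does nothing about.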
 

Kayman

Hi to all viewers,

I'm not sure if this is the right place to post virus problems, but I'm
sure, based upon previously reading some questions posted here, that I got an idea
and some tips on what to do if such a thing happened.
Anyway, I have only a free AV installed on my PC, but normally I do online
scanning as well; I use the OneCare online scan, Norton online scan and Kaspersky
online scan on my PC. Then last week I got infected by a Trojan.

<snip>

On-line scanners are the most unsafe and next to useless, because by the
time you've started your infected Windows, connected to the
Internet via this infected code base, and started to look for scanning sites
through infected DNS, you are almost certain to have the malware
perfectly positioned to overrule your attempts to clean it. Also, you have
to use IE on a very low security setting, since ActiveX is required. Many users
will lower security in the Internet Zone to use the service and then forget
to set the Internet Zone back to the highest possible security level, which is
the only way that IE should be set.
What happens if active malware is found? Don't expect that the on-line
scanner will do anything about it. Most of them are just marketing
tools for selling you their products. Quite often, malware removal on the
NT based OS (Win 2K and XP) is far from easy. Sometimes a resident AV can
deal with it in Safe Mode.

David's Multi-AV is safer, because you don't have to be online to use it,
and it can be used in Safe Mode.

Download David H. Lipman's MULTI_AV.EXE from the URL:
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
http://www.pctipp.ch/downloads/dl/35905.asp
English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/
Further information can be found here:
ht
Additional Instructions:
http://pcdid.com/Multi_AV.htm

It's safer still if you can avoid running any code from the infected system
at all, and that can be done by working from Bart CDR boot.
But that means having a clean system to build the Bart disk, and more to
the point, a fair bit of effort and technical fiddling.

Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD
http://www.nu2.nu/pebuilder/

Good luck :)
 
