Qs on SP2 & SP3 after Trojan.Vundo infection



#1 shyviolet (Member, 32 posts)

Hello,

Today I ran a full MBAM scan and discovered that 7 files were infected with Trojan.Vundo, which were then quarantined and deleted.

After the MBAM log popped up, a message from Windows popped up telling me that:
1. several files were modified and could not be recognized by Windows.
2. running Windows with those files might make the computer more unstable.

I was asked to insert my recovery CD of Windows, but because I only have the backup CD of Windows XP Professional Service Pack 2, and not Service Pack 3 (which is what my system currently has), I let Windows accept the unrecognized files.

My questions are as follows:
1. Is it possible to insert the backup CD with the SP2, and then later download the SP3 from Microsoft? Will any programs or files be deleted or corrupted if I were to do this?

2. Should I just forget about inserting the backup CD I have and let Windows run as is? It seems to be running ok for now.

3. Why was MBAM unable to prevent the trojans from infecting my computer? I thought the paid-for version was supposed to prevent such things and the free d/l was to only clean up the mess. I have KIS 2009 too, and it didn't detect anything :)

4. Should I post a HijackThis log in the forum? I don't want to waste anyone's time, but I also don't know if MBAM cleaned up every infected file.

Thanks. I really appreciate the people behind Geeks to Go :)


#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

I think these are False Positives

Can you boot into normal or safe mode?

#3 shyviolet (Topic Starter, Member, 32 posts)

> I think these are False Positives
>
> Can you boot into normal or safe mode?


Normal mode.

This is a copy of the last part of the MBAM log:

Files Infected:
C:\System Volume Information\_restore{BEE56457-3872-4D17-AC12-A4DBB048E2E4}\RP10\A0015581.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BEE56457-3872-4D17-AC12-A4DBB048E2E4}\RP10\A0015582.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\ServicePackFiles\i386\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtServicePackUninstall$\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

Do you still think they were false positives?

I'm running a full Kaspersky scan right now and so far nothing bad is coming up. I'll let you know the final result when it's done.

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

they definitely were

restore all those files from the quarantine tab

#5 shyviolet (Topic Starter, Member, 32 posts)

> they definitely were
>
> restore all those files from the quarantine tab


Done! I'm so glad I didn't delete them asap. But if I did delete them, could they still have been restored?

And how could you tell they were false positives? If you tell me, maybe you can save me the trouble of starting a new topic in this forum if this were to happen again.

Also, I've got two other items quarantined by MBAM. Are these false positives or can I delete them?

1. Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

2. Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.


Yay Rorschach112! :)

#6 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Those two are bad. Don't restore them.


Am sure we could have restored the other ones if you did delete them. Would just be more work though


As to how I knew they were FPs: I keep an eye on the MBAM forum and saw others complaining about them, and I know what the file is anyway.


What other problems are you having?

#7 shyviolet (Topic Starter, Member, 32 posts)

> As to how I knew they were FPs: I keep an eye on the MBAM forum and saw others complaining about them, and I know what the file is anyway.


So the next time I get asked by Windows to insert a backup CD after running an MBAM full scan, is the detected malware to be considered a false alert? Is there a rule of thumb you can give me on false positives?

> What other problems are you having?


The false positives were the only problem I had. I admit they did freak me out!

The Kaspersky full scan came out clean. So KIS didn't fail me after all :)

#8 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

There is no rule of thumb about false positives. You can run the file through a site like VirScan.org if you want to get other anti-virus programs to run it to see if it's infected.
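One way to follow that advice systematically, as an added example that is not code from this thread, from Malwarebytes or from VirScan.org: parse the MBAM result lines into path, detection and action, and record a SHA-256 of every flagged file before it is quarantined, so a single hash can be looked up across scanners and identical Windows File Protection copies (system32, dllcache, ServicePackFiles) need only one lookup. The log lines are constructed from the ones quoted earlier in the thread; the "files" are stand-in bytes written to a temporary directory, and `path_map` is an assumed helper that maps the log's Windows paths to files reachable from wherever the script runs.

```python
"""Triage helper for a Malwarebytes (MBAM) log: parse the result lines, then
fingerprint the flagged files so one hash can be checked against a
multi-engine scanner before anything is deleted.

Added example; not from the Geeks to Go thread, Malwarebytes or VirScan.org.
The log lines are constructed from those quoted in the thread, and the files
are stand-ins created in a temporary directory so the script runs anywhere.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# One MBAM result line: "<path> (<detection>) -> <action>."
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$")

# Constructed sample log (paths and detections as quoted in the thread).
SAMPLE_LOG = "\n".join([
    "Files Infected:",
    r"C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.",
    r"C:\WINDOWS\system32\dllcache\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.",
    "Registry Keys Infected:",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.",
])


def parse_mbam_log(text):
    """Return a list of dicts with kind ('file' or 'registry'), path, detection, action.

    Section headers such as "Files Infected:" or "Registry Keys Infected:" decide
    the kind of the lines that follow; anything under a "Registry ..." header is
    a registry item, everything else is treated as a file-system item.
    """
    results, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):
            kind = "registry" if line.startswith("Registry") else "file"
            continue
        m = LINE_RE.match(line)
        if m and kind:
            results.append({"kind": kind, **m.groupdict()})
    return results


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def group_by_hash(paths):
    """Map sha256 -> list of paths; identical copies collapse to one lookup."""
    groups = defaultdict(list)
    for p in paths:
        if os.path.isfile(p):
            groups[sha256_of(p)].append(p)
    return dict(groups)


def triage(log_text, path_map):
    """Parse the log, then hash every flagged file that path_map can locate.

    path_map (assumed helper) translates the log's Windows paths to local files;
    on the affected machine it would simply be the identity mapping.
    """
    entries = parse_mbam_log(log_text)
    files = [e for e in entries if e["kind"] == "file"]
    local = [path_map.get(e["path"], e["path"]) for e in files]
    return {
        "files": files,
        "registry": [e for e in entries if e["kind"] == "registry"],
        "hash_groups": group_by_hash(local),
    }


def demo():
    """Create two identical stand-in copies (constructed bytes, not the real
    wextract.exe) in a temp dir and run the triage over the sample log."""
    tmp = tempfile.mkdtemp()
    sample = b"MZ" + b"constructed stand-in, not the real wextract.exe"
    path_map = {}
    for e in parse_mbam_log(SAMPLE_LOG):
        if e["kind"] == "file":
            local = os.path.join(tmp, e["path"].replace("\\", "_").replace(":", ""))
            with open(local, "wb") as f:
                f.write(sample)
            path_map[e["path"]] = local
    return triage(SAMPLE_LOG, path_map)


if __name__ == "__main__":
    report = demo()
    for e in report["files"] + report["registry"]:
        print(f"{e['kind']:8} {e['detection']:18} {e['path']}")
    for digest, paths in report["hash_groups"].items():
        print(f"sha256 {digest[:16]}... covers {len(paths)} copies; one lookup on a multi-engine scanner suffices")
```

On the affected machine `path_map` would be the identity mapping and the digests would be those of the real files. After SP3 the copies under system32, dllcache and ServicePackFiles\i386 are expected to hash the same, while the copy under $NtServicePackUninstall$ is the pre-service-pack version kept for uninstall, so a different hash there is normal; a system32 copy that disagrees with its dllcache twin is the one worth a closer look.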

#9 shyviolet (Topic Starter, Member, 32 posts)

Okay, another useful site to bookmark.

Thanks again!