[shyviolet]

Hello,

Today I ran a full MBAM scan and discovered that 7 files were infected with Trojan.Vundo., which were then quarantined and deleted.

After the MBAM log popped up, a message from Windows popped up telling me that:
1. several files were modified and could not be recognized by Windows.
2. running Windows with those files might make the computer more unstable.

I was asked to insert my recovery CD of Windows, but because I only have the backup CD of Windows XP Professional Service Pack 2, and not Service Pack 3 (which is what my system currently has), I let Windows accept the unrecognized files.

My questions are as follows:
1. Is it possible to insert the backup CD with the SP2, and then later download the SP3 from Microsoft? Will any programs or files be deleted or corrupted if I were to do this?

2. Should I just forget about inserting the backup Cd I have and let Windows run as is? It seems to be running ok for now.

3. Why was MBAM unable to prevent the trojans from infecting my computer? I thought the paid-for version was supposed to prevent such things and the free d/l was to only clean up the mess. I have KIS 2009 too, and it didn't detect anything

4. Should I post a HijackThis log in the forum? I don't want to waste anyone's time, but I also don't know if MBAM cleaned up every infected file.

Thanks. I really appreciate the people behind Geeks to Go

[Advertisements]

I think these are False Positives

Can you boot into normal or safe mode ?

[Rorschach112]

I think these are False Positives

Can you boot into normal or safe mode ?

[shyviolet]

I think these are False Positives

Can you boot into normal or safe mode ?

Normal mode.

This is a copy of the last part of the MBAM log:

Files Infected:
C:\System Volume Information\_restore{BEE56457-3872-4D17-AC12-A4DBB048E2E4}\RP10\A0015581.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BEE56457-3872-4D17-AC12-A4DBB048E2E4}\RP10\A0015582.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\ServicePackFiles\i386\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtServicePackUninstall$\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

Do you still think they were false positives?

I'm running a full Kaspersky scan right now and so far nothing bad is coming up. I'll let you know the final result when it's done.

[Rorschach112]

they definitely were

restore all those files from the quarantine tab

[shyviolet]

they definitely were

restore all those files from the quarantine tab

Done! I'm so glad I didn't delete them asap. But if I did delete them, could they still have been restored?

And how could you tell they were false positives? If you tell me, maybe you can save me the trouble of starting a new topic in this forum if this were to happen again.

Also, I've got two other items quarantined by MBAM. Are these false positives or can I delete them?

1. Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

2. Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.


Yay Rorschach112!

[Rorschach112]

Those two are bad. Don't restore them.


Am sure we could have restored the other ones if you did delete them. Would just be more work though


As to how I knew they were FPs. I keep an eye on the MBAM forum and saw others complaining about them, and I know what the file is anyway.


What other problems are you having ?

[shyviolet]

As to how I knew they were FPs. I keep an eye on the MBAM forum and saw others complaining about them, and I know what the file is anyway.

So the next time I get asked by Windows to insert a backup CD after running an MBAM full scan, the detected malwares are to be considered false alerts? Is there a rule of thumb you can give me on false positives?

What other problems are you having ?

The false positives were the only problem I had. I admit they did freak me out!

The Kaspersky full scan came out clean. So KIS didn't fail me after all

[Rorschach112]

There is no rule of thumb about false positives. You can run the file through a site like VirScan.org if you want to get other anti-virus programs to run it to see if its infected

[shyviolet]

Okay, another useful site to bookmark.

Thanks again!