We run Windows Vista 64-bit, with McAfee Security Center Version 11.0. Begining last Monday March 5th we were alerted that we had a Trojan, at first McAfee had us shut down the computer and restart and it removed it.However yesterday and today after the resart scan McAfee detected it but says it can't remove it.Files keep being created in the following path
C:\Users\Owner\AppData\Local\Temp\. The first that couldn't be removed was yesterday in \c229f49e-5708.tmp than today \5daf19dc-5708.tmp we have gotten15 of them since the 5th. This alert occurs when we open Outlook, and the history log under Treats Detected says the process is an Outlook process.After the restart the file is in the above location. We have also had a Generic Expoilt!kvf Quarantined and 3 FakeAlert-FBM! Quarantined. The first time we recieved the message that McAfee could not remove the file we went to delete the file as McAfee told us to, it said we needed Admin. Permission to do that. What should be our next move? Please help.
Mike & Lisa
Is this Vista SP2? Admin Permission? Are you logged in as Limted/Standard account?
Try Stinger, downloadable from the link on this document I created: Anti-Spyware/Malware and Hijacker Tools
If that doesn't help then look further down for Malwarebytes Free and note well the remarks that it can be downloaded, updated and run all in 'Safe Mode with Networking' - often works when regular mode doesn't.
By the way you may have been alerted to another response to this thread earlier on. I removed it as that person is not posting helpfully.
Ex_Brit's advice may remove the infection but it is possible that you may be re-infected.
"Generic Exploit!kvf" is the name by which McAfee identifies a malware exploit of a known Java vulnerability (either CVE-2010-0840 according to Microsoft and some others, or CVE_2011_3544 according to Kaspersky and some others). The latest VirusTotal analysis of "viruuuuuuus.jar", done 6 days ago, appends the following information : Files - (as above) and obe.jar; File type - ZIP; and notes that this is "part of blackhole exploitkit".
If you want to know what you've been hit by, see a 2011 article from Websense at
Edit - See http://www.bleepingcomputer.com/forums/topic424607.html for the experience of one user who asked for their assistance in helping to remove an infection : it should be a fairly straightforward process.
The fact that you've been infected shows that you have an out-of-date version of Java, and updating it should be your first priority after removing the infection, or you will almost certainly be re-infected. The Exploit Kit also scans your system looking for vulnerabilities in unpatched installations - everything from Windows and Internet Explorer, through Adobe Reader and Flash, to Windows Media Player (updates for which are optional, and are often overlooked).
A while ago I suggested that McAfee should consider having a built-in tool to scan installed programs to see if they need updating, but we don't have that yet. In the absence of such a useful utility I suggest you get hold of Secunia's PSI or run an online scan with OSI. Just go to the Secunia website at http://secunia.com and select one of the options.
From time to time (when I remember) I post links to useful articles in Best Practices in Security Protection - some of which might be useful to you. When I have time I'll put something up there about the Blackhole Exploit Kit.
Message was edited by: Hayton on 12/03/12 16:50:32 GMT