Posted by par7133 on November 11, 2005, 1:54 pm
This doc describes the vulnerability and patch that starts the trojan:
http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx
Posted by par7133 on November 11, 2005, 2:19 pm
http://www.funnycards.nm.ru/
is a redirect to http://www.iframetraff.biz/dl/adv669.php with some params
that lead to the trojan.
The PHP pages seem to lead to the trojan only if some params are passed
to the page.
Daniele
Posted by par7133 on November 11, 2005, 6:32 pm
After some virus or page modifications I noticed that these guys have
succeeded in creating difficulties for McAfee detection.
In particular McAfee alerts about the trojan's presence in the temporary
files but it says that it cannot delete or quarantine it.
In fact the browser page remains in standby, probably running a
JavaScript, and preventing McAfee from taking any operation on the trojan
files.
Daniele
Posted by David H. Lipman on November 11, 2005, 7:15 pm
|
| After some virus or page modifications I noticed that these guys have
| succeeded in creating difficulties for McAfee detection.
| In particular McAfee alerts about the trojan's presence in the temporary
| files but it says that it cannot delete or quarantine it.
| In fact the browser page remains in standby, probably running a
| JavaScript, and preventing McAfee from taking any operation on the trojan
| files.
|
| Daniele
Please attach the logs. It is a case of misinterpretation of the logged events.
Attached is an excerpt of MY McAfee log ( v7.1E, Engine v5000, DAT v4626 )
Note the section where it states...
11/10/2005 10:50:47 PM Deleted (Clean failed)
or
11/11/2005 10:33:54 AM Delete failed (Clean failed)
In both cases, McAfee protected the PC as the PC was NOT infected and the file
was NOT resident.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm