Need help removing infected files

Discussion in 'Malware and Virus Removal Archive' started by Master Green, 2004/12/27.

Thread Status:
Not open for further replies.
  1. 2004/12/27
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    I have been running the AVG Virus scan on a friend's computer and it keeps finding over 9,000 infected files. It has taken me longer than I wish to admit to find where these trojans were camping out. Now that I have found them, I cannot delete them. AVG keeps detecting them even after saying it's been healed. They are located at: C:/Restore/Temp files. Since they will not delete, I put the computer into safe mode and am currently running the AVG scan. My question is, since I'm not sure this method will finally remove them, is there another trick someone knows that is more effective that I can try?
     
  2. 2004/12/27
    picard

    picard Inactive

    Joined:
    2003/05/28
    Messages:
    158
    Likes Received:
    0
    Hi Master Green

    Turn off System Restore then run the AVG scan.

    To turn it off, open the Control Panel and double click the System icon.
    In the System Properties click the Performance tab.
    Click the File System button.
    In the File System Properties click the Troubleshooting tab.
    Put a check beside "Disable System Restore".
    Click Apply and OK.
     

  4. 2004/12/28
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Thanks for the reminder but that has and was done and the AVG still continues to find the infected files. I even uninstalled AVG and re-installed it and no difference in its findings. I have downloaded Spybot and Ad-Aware SE which have found things as well as deleted them but can't seem to get rid of these infected files. The computer is a Windows 98 and has dial up (which takes forever to get things accomplished). I also used Panda virus scan which found 24 (infections) and removed 22. The computer appears to be running fine but getting these files (trojans) identified as Downloader Trojans Agent.2.BN and Agent.2.BM has been beyond the call of duty.
     
  5. 2004/12/28
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    I also wanted to add I have run a trojan scan and it found nothing plus I have also run CWShredder which came up clean. I appreciate your assistance.

    P.S...After posting my last reply, I came across Microsoft Article #263455 "Antivirus tools cannot clean infected files in the _Restore folder".
    I am going to give that info a try and I'll report back.
     
  6. 2004/12/28
    picard

    picard Inactive

    Joined:
    2003/05/28
    Messages:
    158
    Likes Received:
    0
    I'm a bit confused.

    Windows 98 doesn't have System Restore.
     
  7. 2004/12/28
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Sorry about that, it is a Windows/Me "not" Windows 98...My error
     
  8. 2004/12/28
    picard

    picard Inactive

    Joined:
    2003/05/28
    Messages:
    158
    Likes Received:
    0
    You might try to delete the Temp files manually.
    Navigate to the C:\Restore\Temp folder and delete the contents.

    The Restore and Temp folders are hidden folders.
    To unhide them, in Windows Explorer click Tools then Folder Options.
    Click the View tab and put a dot beside "Show hidden files and folders."
    Click Apply.
     
  9. 2004/12/28
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    I guess I need to remember to make sure before posting that all the steps I covered are also mentioned. Once again, I apologize but your last post has also been done. What I am going to try also is something I read in another post which is boot with a floppy, and at the A:\ (prompt) type; smartdrv, then deltree c:\_restore and then deltree c:\windows\temp\*.* (type Y at what I want to delete) and when finished take out the floppy and reboot.

    If you have other options, please keep me posted. Otherwise I will let you know how things go on my end.
     
  10. 2004/12/28
    picard

    picard Inactive

    Joined:
    2003/05/28
    Messages:
    158
    Likes Received:
    0
    If that doesn't work try this.
    Start the computer with the boot disk.
    At the A:\> prompt type these three lines
    pressing Enter after each line. (note the space between the d and _ ) and (note the space between the l and * )

    C:
    cd _restore\temp
    del *.*


    You should get (All files in directory will be deleted.
    Are you sure?)
    Type a Y and press Enter.

    Remove the disk and restart the computer.
     
  11. 2004/12/28
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Thank you...I will be trying that this evening and will post back.
     
  12. 2004/12/28
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    I tried your suggestion and after it asks are you sure and I click "Y" for yes, it just hangs there. I tried with removing the disks right after and leaving the disk for a few minutes and just hangs.
     
  13. 2004/12/28
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Deltree is for removing folders so if you are booted from a floppy and cd to c:\_restore you should be able to
    deltree \temp (or maybe just deltree temp - been too long since I've run a non-NT system and they use rd or remdir)

    Leave the floppy in the drive until the removal is done and make sure you are booted from the floppy rather than just having it loaded.

    You will probably need to copy deltree.exe onto the floppy before you start though. While the plain del is available via the OS when you boot, deltree is a separate command I think.
     
  14. 2004/12/28
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Okay...I'll leave the floppy in (which is a bootable floppy) and see what happens...All goes well and it says it's deleting the files but seems to just hang as no other options are given and no other indications are displayed on screen. Will post back with the results...Thanks again
     
  15. 2004/12/29
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Update: I have tried the two methods known to me to delete the restore/temp files and even though I noticed it went from 53,00 files (688 MB) to 50,000 files nothing removed them within a reasonable time. I am currently trying it again and will give it plenty of time to delete assuming because of its large file capacity is maybe one reason it is slow in its process of removing the files.

    I have also tried lowering the slider (per the instructions in the Microsoft Article #263455) and even though I was in doubt about doing so because it's only at the half way mark, I tried and it will not move at this time.

    Note; every time I try to remove these files independently or by selecting all I am prompted with a message saying "cannot remove them because they are currently in use" (Reminder; AVG virus scan detected 9,266 files in this directory as Trojans)...
     
  16. 2004/12/29
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    More Updated info...Every time I try to enable system restore, reboot, go back in to disable system restore it continues to be automatically checked to disable. As far as I know this has to be done manually and every time I go back in after un-checking it, it's checked again. I am wondering if it's been corrupted and that is why I cannot delete these files?
     
  17. 2004/12/29
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Certainly possible and maybe time for some 'system fix-up' efforts to see if that will allow you to get things back to normal.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    General clean-up instructions for Win95/98/ME
    • Open a browser window and dump all TIF (temporary internet files) and cookies. Close.
    • Open windows explorer and
      .. delete the contents of all temp folders
      .. delete any files in c:\ with a name filennnn.chk (where nnnn is any number so file0001.chk, file1034.chk, etc)
    • verify that you have fewer than 500 files & folders directly under c:\. If you are close to that number, remove or move some files.
    • empty the recycle bin
    • boot to DOS
    • from the command prompt do the following
      .. scanreg /fix <ENTER> (press the ENTER key)
      .. scanreg /opt <ENTER>
      ****note that 95 does not have scanreg.exe but a copy from 98 or ME will run fine if you can get one
      .. scandisk c:\ /nosave /autofix /surface <ENTER>
      .. Win /D:M (forces a safe mode windows start)
    • Run another scandisk (start~programs~accessories~system tools) and check for a standard scan and to fix all errors found. The DOS scan couldn't check for long file name issues.
    • Run a defrag
    • Reboot to normal Windows.
     
  18. 2004/12/29
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Thanks for your assistance, with all that I think I'll be eligible for my A+ Certification. Anyways, around noon time today I left the AVG scanning and approx 7 hrs later the AVG was done. I checked the virus vault and it shows them in there, I shut the computer off but will soon turn it back on and try to perform some of the things you mentioned. I'll report back as soon as that mission is accomplished...
     
  19. 2004/12/30
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Update: No matter how many times I run the AVG virus scan it still seems to detect them, I have tried removing the files by going into the A:\Prompt and that did not delete them. I did a disk cleanup, scan disk, defrag and emptied the temp Int files still no luck. I ran Spybot and Ad-Aware SE multiple times and still no luck. Every time I go in and enable system restore, and then go back in to disable it, it's already done. I tried it with rebooting and without rebooting and it keeps getting disabled. Very strange. Since the computer is not being affected by them, boots up fine and the trojans are listed in the AVG Virus vault that maybe they are no longer a real threat and I will return the computer to its owner and see what happens down the road. I have put in over 40 hrs trying to delete these infected files and I'm not only out of options but very exhausted...The only other option might be to fdisk/format but since nothing is being directly affected I figured it would be wise to save that option for a later date...
     