
Windows Defender Unable to Delete Virus

Discussion in 'Malware and Virus Removal Archive' started by Peter L Lovell, 2006/04/11.

  1. 2006/04/11
    Peter L Lovell

    Peter L Lovell Inactive Thread Starter

    Joined:
    2006/04/05
    Messages:
    24
    Likes Received:
    0
    Windows Defender told me it has discovered that my computer has
    "claria.GAIN.trickler", which I understand is a variation of the accursed Gator spyware. Windows Defender cannot/will not delete this spyware.

    I have AdAware, Norton Antivirus and Spybot, but none of these detect the presence of this spyware.

    Apparently the spyware is located at

    C:\System Volume Information\_restore{7B9B1C2A-FCAB-443B-B720-7276D381E469}\RP47\A0007634.exe->(wise0088)
    I can't find this file - am I correct in suspecting it may be a system setting?

    I have tried locating and downloading a removal tool on Google ... no luck

    Can anybody advise me on what to do?

    If anyone can assist would really appreciate it if they would send a c.c. of their reply to me at:
    *** Email Address Removed by Staff to avoid SPAM.***
    (I'm travelling and have no access to my ISP)

    Thanks

    Peter
     
  2. 2006/04/11
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Peter L Lovell-- I may not be much help, but first of all, posting your email address on this forum (or any other) is an invitation to spammers to put you on their list. The one you posted should be deleted or edited.
    If it is absolutely necessary that you have an email contact while you travel, I suggest you get a free email account for the duration of your travels, perhaps Yahoo, Gmail, etc., and then delete it when you get back home. But if you can access any web-based email, I wonder why you cannot connect with this website.
    Concerning your problem, I have never had Windows Defender find spyware so I have not been faced with your situation. I am disappointed it does not offer a way to quarantine or delete what it finds, especially claria.GAIN. There was a time when the predecessor to Defender was ignoring claria.GAIN, but I thought this had changed. Are you sure you have looked for opportunities to Delete from within Windows Defender?
    Having said that, consider the following procedure
    http://www.windowsbbs.com/showthread.php?t=37074
    Be sure to update the reference files of the mentioned spyware detectors before scanning with them.
    There are several suggestions how to delete this specific spyware.
    1) In the Control Panel | Add or Remove Programs, look for Claria or GAIN. If these entries are there, remove them.
    2)
    http://www.google.com/search?source...2004-31,GGLD:en&q=remove+claria.GAIN.trickler

    However, if you have this malware, you may have others, so a full scan per my first link may be a good idea.
     
    Last edited: 2006/04/11


  4. 2006/04/11
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni

    Joined:
    2005/09/10
    Messages:
    1,772
    Likes Received:
    37
    Most anti-malware programs cannot delete the malware from a Restore Point. The System Volume Information folder contains your restore points. Your problem file is located in Restore Point 47 (RP47). To view this file/folder read the following site for information how to access the SVI folder.

    System Volume Information Folder
    -----------------------------------------------------

    Windows XP System Restore Guide

     
  5. 2006/04/11
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Whiskeyman--You are so right and I overlooked Windows Defender's reference to the location of the Gain malware.
    I am still surprised/disappointed that Defender does not offer to uninstall GAIN.

    I am going to show ignorance here.
    What would happen if Peter L Lovell used System Restore to a date before RP47? (like RP 46)
    I know System Restore is not supposed to act as a malware remover but since he knows in which RP the malware first showed up, maybe it would work?
    In any event, I agree that all Restore Points should be deleted after trying the earlier Restore Point, whether or not restoring to RP 46 is successful.
    And if unsuccessful, then certainly all Restore Points should be deleted and the other removal procedures you and I have mentioned should be used.

    Do you have a good suggestion to allow Windows Defender (or any other procedure) to uninstall GAIN?


    Peter L Lovell--As Whiskeyman's links have told you, C:\System Volume Information may be a hidden folder. You can access it as mentioned, or copy and paste this part of the address Defender provided into a Windows Explorer Address line. C:\System Volume Information\_restore{7B9B1C2A-FCAB-443B-B720-7276D381E469}\RP47
    However the only purpose would be to determine the date of RP47 so you can use an earlier System Restore RP. Deleting RP47 would not help.
    Have you tried any of the GAIN deletion techniques mentioned in the links I provided earlier?
     
    Last edited: 2006/04/11
  6. 2006/04/12
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni

    Joined:
    2005/09/10
    Messages:
    1,772
    Likes Received:
    37
    I have only just started using System Restore. If one restores to a previous point, do the newer ones get removed? If they do, then that is how I would proceed. I think the creators of Gain/Claria/Gator have convinced many anti-malware companies that they are now legit and shouldn't be marked as evil. I know my Panda anti-virus program pops up an alert that Gain/Claria/Gator was detected and deleted.

    I refuse to use Windows products for detecting and removing malware. I prefer to stick with a paid anti-virus/firewall program, SpywareBlaster and AdAware SE. Using this setup has kept me malware free for several years with very few false positives and removal of non-infected applications. Recently I started using CCleaner and have found that setting it up correctly and researching what it wishes to remove has kept AdAware from finding anything other than MRUs after its initial install and scans.

    I think Microsoft has a long way to go in developing a truly trustworthy anti-malware application. I believe it is better to have a beta program on a test machine only. I didn't even want to switch to XP until I had worked with it on several customer machines and studied many threads dealing with its issues at all of the forums I belong to. Helping people with their problems by searching the Internet, KBAlertz and Microsoft articles has finally convinced me that XP is decent, but I still need to gain more understanding of some functions.
     
  7. 2006/04/12
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    No they don't - the only way of removing System Restore points is to turn off System Restore (all points go) or to reduce the amount of disk space allocated to System Restore (points are removed starting with the oldest).

    Frequently Asked Questions Regarding System Restore in Windows XP
     
  8. 2006/04/12
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Whiskeyman--
    PeteC has answered that.
    In fact it is exactly the newer ones (which probably contain the GAIN malware) which need to be deleted.
    As I said,
    you cannot delete individual RPs. System Restore will not work if an individual RP is removed and the sequence is broken. Each new one builds on the older ones. So whether or not using a Restore Point earlier than RP47 helps, all RPs should then be deleted.

    It is also surprising that AdAware, Spybot and NAV (which Peter L Lovell says he has used) have not found and then offered to remove GAIN. I wonder if he is using the latest updates for these programs.
    I also wonder if he has tried any of the removal procedures in my post #2 above.
     
  9. 2006/04/12
    Peter L Lovell

    Peter L Lovell Inactive Thread Starter

    Joined:
    2006/04/05
    Messages:
    24
    Likes Received:
    0
    Done Everything!! Complete mystery.

    Hi!

    Spybot, AdAware, Norton and Defender are 100% up to date.

    Only Defender shows the "claria.GAIN.trickler" spyware on my 'puter.

    Did a system restore. Back two days. No good.

    I suspect the spyware may have been in a programme I downloaded moons ago, installed, uninstalled, but didn't remove the executable files stored in my "downloads" directory.

    Defender cites the file:

    C:\System Volume Information\_restore{7B9B1C2A-FCAB-443B-B720-7276D381E469}\RP47\A0007634.exe->(wise0088)

    I haven't a clue how to find this file.

    All seems to be working well. The spyware seems to be a chimera and to be having no effect. Do you think I should give up and hope for the best or do you think it will rise up from the depths and bite me on my cyber bum? In other words should I leave it and see what happens?

    Really appreciate your help, you guys!!!

    Pete
     
  10. 2006/04/12
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    It seems to me that the answer to this is simply to turn off System Restore, which will delete all the restore points including the infected one ....

    http://castlecops.com/check149477next.html

    Turn System Restore back on and make a manual restore point.
     
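The procedure the thread arrives at (Whiskeyman's point that a scanner cannot touch a copy sitting inside a restore point, PeteC's point that the only way to get rid of restore points is to turn System Restore off, then back on, and make a manual point) is what the following PowerShell does. It is an added example, not code from this thread, from WindowsBBS or from Microsoft. It uses the SystemRestore WMI class in the root\default namespace that Windows XP exposes, written in PowerShell 2.0 syntax and meant to be run from an Administrator account. Assumptions made here: the `file->(member)` form in Defender's report is the scanner's notation for a component inside a container file, the `RPnn` folder number matches the WMI `SequenceNumber`, and the function names are this example's own.

```powershell
# Added example (not from the thread): triage a Windows Defender detection that
# points into a System Restore point, then purge the restore points the way the
# thread describes: disable System Restore, re-enable it, make a manual point.

function Parse-DefenderDetectionPath {
    param([Parameter(Mandatory = $true)][string] $Detection)

    # "C:\...\A0007634.exe->(wise0088)" splits into the on-disk file and the
    # inner member name (assumed: "->(...)" marks a component inside a container).
    $parts  = $Detection -split '->', 2
    $file   = $parts[0]
    $member = $null
    if ($parts.Count -gt 1) { $member = $parts[1] -replace '^\(|\)$', '' }

    # Restore-point copies live under <drive>\System Volume Information\_restore{GUID}\RPnn\
    $rx = '^(?<drive>[A-Za-z]:)\\System Volume Information\\_restore(?<guid>\{[0-9A-Fa-f-]+\})\\RP(?<rp>\d+)\\(?<name>[^\\]+)$'
    $m  = [regex]::Match($file, $rx)

    if ($m.Success) {
        $drive = $m.Groups['drive'].Value
        $guid  = $m.Groups['guid'].Value
        $rp    = [int] $m.Groups['rp'].Value
    } else {
        $drive = Split-Path -Qualifier $file
        $guid  = $null
        $rp    = $null
    }

    New-Object PSObject -Property @{
        File           = $file
        InnerMember    = $member
        InRestorePoint = $m.Success
        Drive          = $drive
        RestoreGuid    = $guid
        RestorePoint   = $rp
    }
}

function Get-XpRestorePoints {
    # One object per restore point. SequenceNumber is assumed to be the nn in RPnn,
    # which lets you date the restore point Defender named without opening the
    # protected System Volume Information folder.
    Get-WmiObject -Namespace root\default -Class SystemRestore |
        Sort-Object SequenceNumber |
        ForEach-Object {
            New-Object PSObject -Property @{
                SequenceNumber = $_.SequenceNumber
                Created        = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
                Description    = $_.Description
            }
        }
}

function Reset-XpSystemRestore {
    param([string] $Drive = 'C:\',
          [string] $Description = 'Manual point after restore-point purge')

    $sr = [wmiclass] '\\.\root\default:SystemRestore'

    # Disabling System Restore on the system drive deletes EVERY restore point,
    # not only the one holding the detection. Shrinking the disk quota instead
    # would only discard the oldest points first, so it does not help here.
    $rc = $sr.Disable($Drive).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.Disable failed with code $rc" }

    $rc = $sr.Enable($Drive, $true).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.Enable failed with code $rc" }

    # RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE
    $rc = $sr.CreateRestorePoint($Description, 0, 100).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.CreateRestorePoint failed with code $rc" }
}

# Usage, with the path Defender reported in this thread:
$d = Parse-DefenderDetectionPath 'C:\System Volume Information\_restore{7B9B1C2A-FCAB-443B-B720-7276D381E469}\RP47\A0007634.exe->(wise0088)'
if ($d.InRestorePoint) {
    $rp   = Get-XpRestorePoints | Where-Object { $_.SequenceNumber -eq $d.RestorePoint }
    $when = ''
    if ($rp) { $when = " (created $($rp.Created))" }
    Write-Host "Detection is a copy inside restore point RP$($d.RestorePoint)$when; member '$($d.InnerMember)'."
    Write-Host "Scanners cannot clean it in place. Reset-XpSystemRestore -Drive '$($d.Drive)\' removes all restore points."
    # Reset-XpSystemRestore -Drive "$($d.Drive)\"   # destructive: run only after the live copy is dealt with
}
```

Two practical notes. A hit inside `System Volume Information` is a copy System Restore took of a file that existed elsewhere at the time; find and remove the live copy (or the program that installed it) first, otherwise the next restore point will snapshot it again. And, as charlesvar says later in the thread, purging restore points costs you every rollback option, so do it once as a deliberate clean-up step, not as a routine part of scanning.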
  11. 2006/04/20
    loonychoons Lifetime Subscription

    loonychoons Inactive

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    System Restore?

    Back when I used Norton (history now), I found that to get rid of some "hold-ons" when I did a complete virus scan of the computer, I would simply turn off System Restore, run my scan, then turn System Restore back on again.

    Until I did that, I believe System Restore just restored what I was trying to remove. After that, until I stopped using Norton, I turned SYSTEM RESTORE off and on whenever I scanned.

    I know that I needed to do that then with Norton, but for the life of me I cannot remember exactly why I did that procedure. loonychoons.
     
  12. 2006/04/20
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Lenny,

    Not a good idea - you lose restore points that way, and you may one day run into a problem worse than something that a scanner caught, with no means to restore the system. Scan problems can be rescanned and taken care of again. Even if it is a virus, any SR point prior to it is OK. Obviously, this is a matter of judgement :) and of being aware of the state of one's system.

    I certainly would not do this as a matter of routine.

    SR will not restore anything by itself, you have to do that in the SR panel.

    Regards - Charles
     
  13. 2006/04/20
    Peter L Lovell

    Peter L Lovell Inactive Thread Starter

    Joined:
    2006/04/05
    Messages:
    24
    Likes Received:
    0
    I still can't get rid of the darn thing!!

    I've tried ABSOLUTELY EVERYTHING and I still can't get rid of this darn "ghost" worm!!

    I tried all the suggested "system restore" options - they don't work.

    "Deep" scans by Norton 2005, AdAware, Spybot (BTW all are absolutely up to date) show nothing.

    It's a brand new laptop ... I transferred the files and settings from my PC, so the problem comes from the old PC. However, the Microsoft AntiSpyware (Defender's predecessor), the AVG, the Spybot and the AdAware on my old PC show nothing of this Claria.GAIN.trickler.

    A "quick scan" by Windows Defender on the laptop shows nothing. Only the scheduled "deep" scan shows this message.

    Windows Defender cannot/will not remove this "Claria.GAIN.trickler" from my system.

    I can't locate the file:

    C:\System Volume Information\_restore{7B9B1C2A-FCAB-443B-B720-7276D381E469}\RP55\A0008515.exe->(wise0088)

    If I can't find it I can't delete it or remove it manually, and I'm dead scared of messing with my system files.

    I'm going to the Ukraine for 10 months and will be absolutely dependent on my laptop. I would give up cos it's causing no immediate problem, but I am worried that this "ghost" "Claria.GAIN.trickler" will emerge from the depths of cyber space and bite me on the bum!!!

    Peter
     
  14. 2006/04/20
    Peter L Lovell

    Peter L Lovell Inactive Thread Starter

    Joined:
    2006/04/05
    Messages:
    24
    Likes Received:
    0
    You Won't Believe This!!!

    The moment I posted my last post I went back to Windows Defender and tried deleting the line for the umpteenth (hundredth) time.

    I couldn't believe my eyes when Windows Defender DELETED IT!!!

    Here endeth the saga, but it will for ever remain an unsolved mystery.

    Thanks for all your help!!!!!!!
     
  15. 2006/04/20
    loonychoons Lifetime Subscription

    loonychoons Inactive

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    Charles

    Thanks for that info. what I was talking about was and is ancient history. I would not do that now. I will have to do some research to try and remember why I had to do that. I think that it was something that came with the free tunes that someone downloaded to my computer. Thanks for keeping me on the straight and narrow. Lenny Chowns
     
  16. 2006/04/20
    Peter L Lovell

    Peter L Lovell Inactive Thread Starter

    Joined:
    2006/04/05
    Messages:
    24
    Likes Received:
    0
    Looney Tunes, YOU GOT IT! It was iTunes!!!

    It's amazing!

    The suppliers had put iTunes on to my laptop before they sent it to me, along with the AOL and other useless ****. But I don't delete anything until I am absolutely sure it's totally useless.

    I could see no use for iTunes; it seems to be another and far inferior version of RealPlayer and Windows Media Player, so I finally decided to delete it a couple of hours ago.

    HEY PRESTO!!!

    It seems that the unsolved mystery has finally been solved!

    Methinks it was a really interesting case!!!
     
  17. 2006/04/20
    loonychoons Lifetime Subscription

    loonychoons Inactive

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    Peter L. Lovell

    Peter, I do not think that I helped as much as the other guys. Honest, it was just a fluke that I remembered as much as I had. However, you are welcome! By the way, where do you hail from? METHINKS is much in use in this area of the world. All the best, loonychoons.
     
