Trojans

Discussion in 'Malware and Virus Removal Archive' started by roy66, 2004/04/15.

Thread Status:
Not open for further replies.
  1. 2004/04/15
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Starting scan at 18:45:05:328...
    Scan Memory
    Memory not infected
    Scan folder: 'C:\', recursive
    Unable to scan C:\System Volume Information - Access is denied.
    Finished scan at 18:55:27:625
    Total number of files is 22673, number of infected files is 0
    Average files per second is 36, average file size is 11195065

    The above is the report from the online GFI Trojan scan, which was unable to open the C:\System Volume Information folder where three antivirus programs I have used say a trojan is resident, though none of them has been able to deal with this reported trojan other than indicate its existence.

    EZ Firewall, SpywareGuard, Kaspersky AV and AVG6 are all running on my PC.

    Is there a way to get around this trojan/these infections using the Sys Restore? Apparently not, or someone would have suggested it.

    MINGHAWK: How did you clean up your PC?

    Roy66
     
  2. 2004/04/15
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    For Windows XP

    Log on as Administrator.
    Right-click the My Computer icon on the desktop and click Properties.
    Click the System Restore tab.
    Select Turn off System Restore.
    Click Apply > Yes > OK, and follow the prompts.

    Re-enable System Restore by unchecking Turn off System Restore.

    For Windows ME

    Right-click the My Computer icon on the Desktop and click Properties.
    Click the Performance tab.
    Click the File System button.
    Click the Troubleshooting tab.
    Select Disable System Restore.
    Click Apply > Close > Close.
    When prompted to restart, click Yes.
    Next, go back and re-enable System Restore by unchecking Disable System Restore.
     

  4. 2004/04/15
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Lonny,

    Thanks for your prompt response, though it would seem to me that taking that particular line of action would be a bit drastic, in that it will remove ALL restore points generated.

    IF, via the Sys Restore facility, one is able to backtrack to a point where eradication of this trojan is possible, would it not be preferable to use such a method... IF such provides the solution required?

    Roy66
     
  5. 2004/04/15
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    That's the only way to get a virus or trojan out of System Restore.

    Besides, you really wouldn't want to restore to an infected state.

    Or, like you say, restore to a point several days before the infection.
    But it will still be in there then :)

    Regards
    Lonny
     
  6. 2004/04/15
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    The readout I have been getting from the AV suggests a couple of places where trojans are residing.
    Don't know if this is a malfunction or a devious trojan ploy.

    I've had locations such as sys32xxxxxx, SystemVolumeInformation
    and diarybox.exe, a program I downloaded.

    Couldn't eradicate from sys32xxxxx, couldn't open SystemVolume Information, so I opted to shred diarybox.exe.

    Since then, neither Kaspersky AV nor AVG6 has indicated a problem.

    Hopefully... that's the end of the matter.

    roy66
     
  7. 2004/04/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The System Volume Information files are, as you've seen, inaccessible to the user and to AV programs. The only way to remove the viruses from them is to delete the restore points. They are useless anyway, since they are infected. If the system is healthy and working properly otherwise, turn off SR, run several online scans, empty TIFs, temps and the Recycle Bin, and reboot. Turn SR back on and create a manual restore point.
     
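    The turn-off / clean up / turn-on / checkpoint sequence Lonny and noahdfear describe, as an added PowerShell script for a modern Windows (7 or later) box; this is not from the original thread, and XP/ME have no PowerShell. It assumes an elevated prompt and the C: drive; the temp folders it empties are assumptions too.

```powershell
# Added example: scripted form of the thread's System Restore clean-up procedure.
# Assumes Windows 7+ with PowerShell 5 or later, run as Administrator.
# The drive letter is an assumption; change it for other layouts.
$Drive = 'C:\'

# 1. Show what is about to be discarded: every restore point on the system.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description

# 2. Turning System Restore off for the drive deletes all of its restore points,
#    which is the only way to get infected copies out of System Volume Information.
Disable-ComputerRestore -Drive $Drive

# 3. Empty the temporary folders and the Recycle Bin (the thread's TIFs/temps step).
foreach ($dir in @($env:TEMP, "$env:SystemRoot\Temp")) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}
Clear-RecycleBin -DriveLetter $Drive.Substring(0, 1) -Force -ErrorAction SilentlyContinue

# 4. Run the on-demand scanners of your choice here (vendor-specific, not scripted),
#    then reboot as the thread advises. Run steps 5 and 6 after the reboot.

# 5. Re-enable System Restore and create a known-clean manual restore point.
#    Note: Windows 8 and later skip a checkpoint made within 24 hours of the previous
#    one unless the SystemRestorePointCreationFrequency registry value is lowered.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description 'Clean baseline after trojan removal' -RestorePointType MODIFY_SETTINGS

# 6. Confirm the new baseline is the only restore point present.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description
```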
  8. 2004/04/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    roy66 - the idea of retaining a System Restore point from before the infection is reasonable-sounding but, as noted, won't work.

    Problem is, System Restore only retains copies of system files and a few other files. It DOES NOT contain a full backup of your system as GoBack and a couple of others do.

    I don't know of a virus that is polite enough to only mess with system files. But all of them do infect system files, so most, if not all, of your restore points contain infected files that your AV just can't deal with.
     
    Newt,
    #7
  9. 2004/04/15
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Well gentlemen, it seems I am too naive; as posted above, I figured I had this thing licked. Perhaps I was too much of a gentleman.

    Went to bed, and when I got up this morning what should I be greeted with but a glaring notice of the "return of the trojan".

    We have to this point discussed System Restore/restore points... is this the only option available?

    By the way thanks I am always grateful for advice and assistance given.

    roy66
     
  10. 2004/04/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Unless you want to continue harboring a trojan or format the drive, yes, that's the only option I know of. If someone else knows of a way to determine which restore point(s) are infected and how to delete it/them, I'd sure like to know it. Even MS tells you to disable System Restore to remove some viruses.
     
  11. 2004/04/15
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    If we or an anti-virus program (could) tinker with or edit the System Restore contents, it will break it; Windows would be unable to use any of them.

    There are a few new exploits (unpatched) that add an exe into either the Recycle Bin or the System Restore folder, then add it to Windows startup. I assume then it would be OK to delete the exe, but you would also have to clear all old restore points.

    Post a log from HijackThis so our forum members can see what's going on. The current version is 1.97.7 [created by Merijn Bellekom].
    If you have been using msconfig to troubleshoot since the problem started, first undo that and restart the PC.

    Get it here: http://radiosplace.com/
    Choose Save, NOT Open.
    Save it to a PERMANENT folder (for example C:\Anti Spyware), double-click HijackThis.exe,
    and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, load it in Notepad, and copy its contents here.
    Most of what it lists will be harmless, even essential; DON'T fix anything yet, please. Also, if you've used it before, please don't have anything excluded.
     
  12. 2004/04/16
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Thanks, Lonny, for your suggestion, which has come after the horse/trojan has bolted.

    I had already run HijackThis and had the log ready to post, but decided instead to do the undo-restore thing and tossed the log into the Recycle Bin, which eventually got emptied.

    As the restore deal seemed the only option available, I went with that.

    Thank you all
     