trojan within a...restore point?
Posted on Dec 06, 2007 09:29 pm
fortymile
Member Since: Jan 18, 2003
so i finally got around to treating both my systems with antispyware software, as much of it as i could find for free: avg, spybot, windows defender, and something else. there were trojans in both systems. got 'em all except one. when i sweep for that one now, there's only one trace/occurrence of it left, in what looks like a restore point. i'm not sure. all i know is that the location had the word [restore] in it. i did not want to quarantine it because i get nervous if anything even looks like a system file.
if anyone thinks they might possibly know what they would be looking at, i can find the exact location of the thing and see if anyone can say what that location is and whether it's safe to quarantine a trojan lurking there.
by the way, why is 'quarantine' so often the recommended action as opposed to 'delete?'
Noize2u (Czar of Midi, Administrator)
Since: Apr 04, 2002
Dec 06, 2007 10:12 pm
Quarantine is used in case the virus or trojan embedded itself in a system file. That way, if there is a fix (and there usually is), it can be repaired and you still have the system file intact after the fix instead of it being deleted.
Dec 06, 2007 10:23 pm
it's just as good as 'delete,' tho, right?
any idea about the restore point thing?
Noize2u (Czar of Midi, Administrator)
Since: Apr 04, 2002
Dec 06, 2007 10:42 pm
Yes, Quarantine takes it out of the system and locks it in a virtual vault where it can't do any more damage.
Ya, if you want to paste the result or location file here; if I can't see it, someone else might be able to as well.
Dec 06, 2007 10:46 pm
i'm doing a scan now. will post the location when it's done, thanks
Noize2u (Czar of Midi, Administrator)
Since: Apr 04, 2002
Dec 06, 2007 10:47 pm
Cool, it might be tomorrow though that I get back. I'm about to fall asleep in my chair here.
Dec 06, 2007 10:49 pm
that's cool, i might not post it till tomorrow, thanx noize
Keith Warren (Man's reach exceeds his grasp, Member)
Since: Oct 23, 2007
Dec 07, 2007 12:56 am
Ya know, I found one of those in my mom's computer about a year ago; it came from pogo.com, oddly enough. They'll shove those things just about anywhere nowadays.
Dec 07, 2007 03:00 am
the trojan is in an .exe file located at: c:\system volume information\_restore
then there's a bunch of letters and numbers inside some { brackets and then more letters, numbers, backslashes. i don't feel like typing all that in.
the first part of the info above, there: is it safe to quarantine a file found there, or not? the 'system volume information' scared me out of doing anything about it.
Keith Warren (Man's reach exceeds his grasp, Member)
Since: Oct 23, 2007
Dec 07, 2007 03:40 am
I don't know tons about this stuff, but I think as long as it's not an HKEY item, then yeah, quarantine that bad boy.
Dec 07, 2007 04:29 am
k, i wanna get some more opinions, as many as possible. looking for something that really reassures me here...
Dec 07, 2007 04:52 pm
anyone else?
Noize2u (Czar of Midi, Administrator)
Since: Apr 04, 2002
Dec 07, 2007 04:53 pm
Ya forty, it should be safe to quarantine it. I suggest, though, that after quarantining it you reboot and run another check. Then, if all appears good, set a system restore point of that. And if nothing seems to go haywire with the system, then you can let it be deleted from the quarantine later down the road.
Dec 07, 2007 07:47 pm
i feel about ready to give it a try. one more thing, though. sometimes when removing these things, the program will say it can't quarantine just the file, it needs to quarantine the archive it's in. if i get that message here, i shouldn't do it, right? i would be concerned that it would attempt to quarantine 'system volume information,' the whole thing!
Dec 07, 2007 08:03 pm
Forty, any decent antivirus/antispyware program will not disable your computer by deactivating a system file. Use the quarantine, Luke.
If it can't do that without messing up your settings it should tell you so.
Should is the operative word here.
Dec 07, 2007 08:06 pm
one time avg antivirus nuked my system beyond repair. it quarantined system files, and windows would no longer start. had to reinstall.
Noize2u (Czar of Midi, Administrator)
Since: Apr 04, 2002
Dec 07, 2007 08:25 pm
Ya, I remember you saying that before. I have used AVG for several years now, and on the boyz' game box I have to do a total nuke on occasion. But neither it nor any other program has removed or disabled system files. I am thinking that your AVG experience was kind of a fluke and possibly the virus/trojan fighting back by trashing the system.
I just did a complete format and reinstall on my wife's as she let in a mean *** trojan, and I am, or I should say she is, damn lucky it didn't get turned loose on the network and infect mine or the boyz' PCs. It completely shut down all of the major Windows components, like System Restore and any admin-type applications. It would not even let me enter safe mode. That is one nasty bugger.
So I am willing to bet your bad AVG experience was due to some monster in the system.
Dec 07, 2007 08:35 pm
yeah, could be. or perhaps, because i was even more inexperienced with computers then than i am now, perhaps i just ignored a caution and told it to proceed anyway. no way to really remember.
aight, i'll Q it tonight.
olddog (Member)
Since: Jul 02, 2003
Dec 07, 2007 08:53 pm
There are two ways you can get rid of the file.
The easiest way is to turn System Restore off on the affected drive. You will lose all restore points though so only do it if you don't think you'll want to restore to an earlier time.
You can then re-enable it if you want.
The second is, you need to give yourself access to the System Volume Information directory by changing the permissions on the folder. It's easy to do with XP Pro, but XP Home & Vista are a bit trickier. If you want to go this route let me know and I'll detail how to do it.
Dan
Dec 07, 2007 09:01 pm
disabling system restore automatically erases all restore points? i'd do that, if that erasure then happens automatically. i would then set a new restore point. i have no need for my old ones that i can see.
Dec 07, 2007 09:19 pm
the message i get when i tell it to quarantine is just too vague for me to trust, unless it really makes sense to one of you. i know that when i click yes, the action will be taken, with no further warnings. this is the message:
the file C\system volume information\_restore (then all the numbers and crap) cannot be quarantined because it is embedded in the archive(and then the same path name). do you want to quarantine the whole archive?
see, it's not really telling me if i can, or should, just asking me if i want to.
Noize2u (Czar of Midi, Administrator)
Since: Apr 04, 2002
Dec 07, 2007 09:32 pm
I think Archive is the key word here. Being that it is linked with restore, I can only assume that it is now embedded in an older archived file set. Or it is possible that it is seeing a file archive that one of the other virus scanners created when it fixed something.
You might want to do a search on the C drive, including hidden folders, for the word restore and then archive to see if you can locate that exact file string and see exactly where it is on the system.
I would be willing to bet it is in an archive and not a direct system file in use currently.
Dec 07, 2007 11:13 pm
except that it used the word 'archive' when referring to another trojan's location, one i quarantined already. it found a trojan in one of my regular folders and said it couldn't quarantine because it was in the archive and would have to quarantine the whole archive. i moved everything i wanted to keep out of that folder, leaving only the infected file, and told it to quarantine that whole archive. it looks like it was just calling the folder an archive.
i dunno, i don't get avg. it's also the only program that's still finding this one remaining trojan.
Dec 08, 2007 12:17 am
i have the exact location. the location is the full string of letters and numbers, the full file path. searching for the keyword 'restore' shows me that the specific file that's triggering the avg software is a file of type 'configuration settings.' the file is an .ini file.
the system volume information folder is over 4 gb big. obviously i should definitely not quarantine that 'archive,' right?
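An added example (not from this thread) that does in code what forty was working out by hand: decide whether a scanner hit sits inside a System Restore copy or in the live file system, and which restore point it belongs to. It assumes the XP restore-point layout `<drive>:\System Volume Information\_restore{GUID}\RP<n>\A00xxxxx.<ext>`; the scan lines below are constructed, not real AVG output.

```python
import re

# XP keeps each restore point as
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\A00xxxxx.<ext>
# Files in there are inactive copies, used only if that restore point is applied.
RESTORE_POINT_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\(?P<file>[^\\]+)$",
    re.IGNORECASE,
)

def classify_detection(path: str) -> dict:
    """Say whether an AV hit lives in a restore point or in the live file system."""
    path = path.strip()
    m = RESTORE_POINT_RE.match(path)
    if m:
        return {
            "path": path,
            "location": "restore_point",
            "drive": m.group("drive").upper(),
            "restore_point": int(m.group("rp")),
            "file": m.group("file"),
            "advice": "clear old restore points; no live system file is involved",
        }
    return {"path": path, "location": "live", "advice": "quarantine this file and rescan"}

# Constructed sample scan output (not real AVG output), one "<path> ; <detection>" per line
SAMPLE_SCAN = """\
C:\\System Volume Information\\_restore{11111111-2222-3333-4444-555555555555}\\RP12\\A0004417.exe ; Trojan horse Downloader.Generic
C:\\Documents and Settings\\forty\\Desktop\\setup.exe ; Trojan horse Dropper.Generic
C:\\System Volume Information\\_restore{11111111-2222-3333-4444-555555555555}\\RP12\\A0004418.ini ; Trojan horse Downloader.Generic
"""

def summarize_scan(report: str) -> dict:
    """Group hits by location and list which (drive, RP number) pairs hold a detection."""
    live, restore, tainted = [], [], set()
    for line in report.splitlines():
        if ";" not in line:
            continue  # skip headers or blank lines
        path, _, name = (s.strip() for s in line.partition(";"))
        hit = classify_detection(path)
        hit["detection"] = name
        if hit["location"] == "restore_point":
            restore.append(hit)
            tainted.add((hit["drive"], hit["restore_point"]))
        else:
            live.append(hit)
    return {"live": live, "restore_point": restore, "tainted_restore_points": sorted(tainted)}
```

Calling `summarize_scan(SAMPLE_SCAN)` puts the two `_restore{...}\RP12\` hits under `restore_point` and the desktop file under `live`, which is the distinction that decides between clearing restore points and quarantining a file in place.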
olddog (Member)
Since: Jul 02, 2003
Dec 08, 2007 02:58 am
Turning System Restore off will delete all the restore point files.
If you want to go into the folder and manually delete the files you have to add your user account to the folder with full permissions in the Security tab under Folder Properties.
Even if you tell AVG to quarantine the archive, if I remember correctly the system won't allow it.
Dan
Dec 08, 2007 03:03 am
well it sounds like turning system restore off is the simplest, least dangerous solution then, right? i'll look around for how to turn that off, but hopefully you might be around tomorrow if i gots questions?
J-bot (Byte-Mixer, Member)
Since: Dec 04, 2007
Dec 08, 2007 03:23 am
Hi forty. Assuming you're using XP (I'm using XP-Home), if you want to turn off System Restore, you just need to go to your Start Menu and click on Control Panel (or go to My Computer, and then Control Panel, which is on the left under "other places").
When in the Control Panel window (depending on how you have yours set up), click on "Performance and Maintenance", then click System. Or if you're using the classic view, double-click System. In the window that opens, you should see a tab labeled "System Restore". Click on that tab, and you should see your current settings. To turn off System Restore, you just need to click the checkbox. Then, click Apply at the bottom.
You will get a window warning you about the removal of previous restore points and such. Clicking No will abort the change, and clicking Yes will turn off System Restore and remove all previous restore points.
-Jim
Dec 08, 2007 03:48 am
yah, i found it a little while ago, thanks.
i find that i can't do it. what if trojans and viruses have already messed up my system and i just don't know it yet? i find it hard to abandon restore points...
i'm being a total wimp about this. i just can't really figure out what the safest thing to do is.
olddog (Member)
Since: Jul 02, 2003
Dec 08, 2007 12:50 pm
When is the last time you used a Restore point? Second, if you already have at least one Restore point with a trojan, do you really want to chance using any of the old ones? Windows also automatically deletes the oldest restore points as soon as the size gets close to the set maximum.
Just create a new one with your system in a known good state and continue on. :)
Dan
Noize2u (Czar of Midi, Administrator)
Since: Apr 04, 2002
Dec 08, 2007 01:10 pm
The long way around is to find the exact file or folder with the trojan in it and manually delete the trojan file. That is, if you can find the offending file's correct name. Usually AVG or another program can identify that name for you. But not always, as they can have a name that is very similar to a system file name. One thing to do is to open and view the actual file string's content or code and then manually delete it as well.
Dec 08, 2007 03:55 pm
alright, olddog has a point. i've never used a restore point. so i'll shut that off later today. i suppose then i'll reboot and turn it back on, and hopefully that resets that whole thing, removing all old restore points.
Dec 08, 2007 08:05 pm
success. thanks guys; i went the olddog route.
Noize2u (Czar of Midi, Administrator)
Since: Apr 04, 2002
Dec 08, 2007 09:10 pm
Glad it worked out then. Now hopefully you won't be getting any more bugs in there for a while.
Dec 08, 2007 11:12 pm
i will use antispyware software from now on. i was under the impression that dangerous spyware (at least) would be caught by my antivirus software. you know, i thought it would catch things which were trying to install themselves, but i was wrong.
J-bot (Byte-Mixer, Member)
Since: Dec 04, 2007
Dec 09, 2007 03:30 am
For the anti-spyware, the guy I work with stakes his life on SpyZooka. They have a pretty low price for the license, $30 I think or close to that, and the developer guarantees that if the program doesn't find and remove all spyware on your machine, let him know, and he will have a patch/update out within 24 hours.
www.spyzooka.com/
olddog (Member)
Since: Jul 02, 2003
Dec 09, 2007 01:27 pm
I use Windows Defender; it's free and works well. I haven't had any spyware/malware on my computer since I started using it in its beta stage.
Dan
Noize2u (Czar of Midi, Administrator)
Since: Apr 04, 2002
Dec 09, 2007 03:07 pm
AVG, Spybot Search and Destroy, HijackThis, AdAware and cwsshredder are what I use on all the machines here. They find just about everything I have come across. Spybot has a thing called Spybot-SD Resident that catches most anything that tries to activate itself before it does, and allows you to approve or disapprove the process from being started or changed.
Go to spywareinfo.com; they have detailed info on all the free and pay-for apps that are worth a damn for doing this stuff.
Dec 09, 2007 03:55 pm
spybot is catching a lot of stuff, even stuff i do on my own. i like how it's always lurking. i also have defender, avg, and adaware.
avg was the only one catching the trojan within the restore point.
Noize2u (Czar of Midi, Administrator)
Since: Apr 04, 2002
Dec 09, 2007 04:10 pm
Ya, OD makes a good point. We have Defender running on many PCs at work and it seems to work very well.
Keith Warren (Man's reach exceeds his grasp, Member)
Since: Oct 23, 2007
Dec 10, 2007 06:29 pm
Try CCleaner too; just make sure you don't erase your old prefetch data.
www.ccleaner.com/
zekthedeadcow (Eat Spam before it eats YOU!!!, Member)
Since: May 11, 2002
Dec 10, 2007 09:34 pm
I just use linux... :)