Trojan Question

[James55]

This was found by an online symantec security check and I swear I cannot find the files on my computer and nav does not detect it. What to do??

D:\System Volume Information\_restore{17AB8B64-AA5E-4A0C-B064-2B695B43C137}\RP56\A0004950.exe is infected with Trojan Horse
D:\System Volume Information\_restore{17AB8B64-AA5E-4A0C-B064-2B695B43C137}\RP56\A0004951.exe is infected with Trojan Horse

[James55]

Found it in the registry under Search assistant/ACMru. Wtf?

[James55]

Ok fixed the registry but another scan gave me this again:

Virus Status: Infected!
Your computer is infected with at least one known virus or Trojan horse.




Warning! The scan detected a virus that is active in your computer's memory.
The scan ended to prevent further infection.



D:\System Volume Information\_restore{17AB8B64-AA5E-4A0C-B064-2B695B43C137}\RP56\A0004950.exe is infected with Trojan Horse
D:\System Volume Information\_restore{17AB8B64-AA5E-4A0C-B064-2B695B43C137}\RP56\A0004951.exe is infected with Trojan Horse

[war59312]

Disable system restore on all drivers and restart windows and re-enable system restore.

Problem soloved. That is if the scanner is telling the truth.

[James55]

Scanning again now. Last scan after reboot gave me this before enabling system restore.

Virus Status: Infected!
Your computer is infected with at least one known virus or Trojan horse.

No viruses were detected in memory

D:\System Volume Information\_restore{17AB8B64-AA5E-4A0C-B064-2B695B43C137}\RP56\A0004950.exe is infected with Trojan Horse
D:\System Volume Information\_restore{17AB8B64-AA5E-4A0C-B064-2B695B43C137}\RP56\A0004951.exe is infected with Trojan Horse

[James55]

I still get the virus warning on the scan again

[DoG]

You will have to delete the infected files manually from this folder:

Code:

D:\System Volume Information\_restore{17AB8B64-AA5E-4A0C-B064-2B695B43C137}\RP56\

Make sure that the options to view hidden and system files is checked in folder options.

If windows says you are not authorised to access those folders then turn off simple file and folder sharing, assign youself access to the folders and then delete the files.

[James55]

So far I cant find the folder. Its like it doesnt exist but I found stuff in the registry about it. This is too wierd and yes hidden files are enabled

[SlickVic78]

war59312 should be right... The infected file was captured within a snapshot most likely from System Restore... In order for you to removed the virus, you need to turn off System Restore for that drive (D: in your case), then restart the computer. Next turn back on System Restore and then run another virus scan on your system to see if it comes back up. The _Restore is associated with your System Restore snapshots.

James55, you are saying that after turning off System Restore on your D: drive, and then rebooting the system did not remove all of you past Restore Points? that is very interesting... If that is the case, then I would say to do what DoG suggested which is to continue to have System Restore off for your D: drive and then going in and manually remove the Restore Point directory that contains the virus, which is RP56. Once that is done, you should be able to turn back on System Restore for your D: drive.

-SlickVic78

[James55]

Still working on it. I did a scan with the recue disk and nothing found. Nav did not find it. Could it be that the online scan was screwed up?