
·
Registered
Joined
·
18 Posts
Discussion Starter · #1 ·
Hi, I've had some big problems with my comp lately and it seems that no matter what I do, it fails to completely rid me of these viruses. I've scanned these forums quite a bit and even though I haven't downloaded the Hijack This program, I have downloaded Spybot Search and Destroy and I have adware 6.0, both updated, along with Norton. First of all, in Outlook Express, my dad's email account is bugged to where the front page is altered and has ads that aren't supposed to be there. We just recently dealt with the removal of the new W32.Swen virus and even though it looks as if we removed it, I think that some of it is still on our comp because the email containing the virus is spamming my dad's mailbox every day and Norton detects all this and we delete the messages but they just come back. Now we got a general Trojan Horse (I think) because at random times 6 messages pop up saying Norton has detected a "Trojan Horse" and the messages are in 3 groups of 2, the first saying access denied and the second saying unable to repair. All of this loops around to me searching Google and finding these forums, where I downloaded Spybot and even that doesn't work on my comp because it goes so far and stops once it starts to scan C2.lop and it freezes and doesn't respond afterwards. Despite this, it did remove a lot of spyware I did have but I'd like it to go through the full scan. We're completely stumped so pls make suggestions. I'm sure that the first thing I should do is download the Hijack This program so I'll do that and wait for your reply. Thx a lot.
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #4 ·
Okie dokie, just got back from eating so I still gotta fix my Spybot with that link you provided, but here's the Hijack This log for my comp:

Logfile of HijackThis v1.97.2
Scan saved at 5:52:53 PM, on 9/24/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.newsexgate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = autoconfig server
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.125.201.50
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1211.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Video Poker - http://download.yahoo.com/games/clients/y/vps1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.yahoo.com/games/clients/y/grrq_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.7749768519
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} (Downloader Class) - http://www.2020search.com/toolbar/2020Search.cab

Also one more thing to add, I think I might have found out what the trojan is spawning from because every time I select this winmain.exe file the Norton pops up the trojan thing, and if I try to modify it Norton just spams my comp with Trojan Horse messages. Thx for the help.
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #5 ·
I was reading another link that had the same virus that I had and did a Norton scan. For some reason this time it found 4 infected files and I don't know why it didn't find them the one time I did the scan, who knows. Here's the scan results:

C:\System Volume Information\_restore{19B58392-252F-4748-9E12-FB1358C593A3}\RP1\A0000139.exe is infected with Trojan Horse
C:\System Volume Information\_restore{19B58392-252F-4748-9E12-FB1358C593A3}\RP1\A0000163.exe is infected with Trojan Horse
C:\System Volume Information\_restore{19B58392-252F-4748-9E12-FB1358C593A3}\RP1\A0001170.exe is infected with Trojan Horse
C:\WINDOWS\winmain.exe is infected with Trojan Horse

Other than performing the scan I read through some more posts and downloaded the ZoneAlarm firewall if that has any importance. I'll wait for a reply from you before I do anything else. Thx
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #8 ·
Well, currently the answer to your question is yes and no. Yes, Norton deleted one of the trojans but I still have 3 left that I haven't found yet. And it really didn't delete it but rather quarentined whatever that's spelled. The full system scan on Norton is not picking up any viruses for some reason and I'm having to just look for files that might be infected and do individual scans on 'em. Yes, I have posted the Hijack This log, I'm just waiting for some help now.
 

·
Registered
Joined
·
46,353 Posts
Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.newsexgate.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.125.201.50

O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com

O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1211.dll (file missing)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Sidesearch (HKLM)

O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB

O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} (Downloader Class) - http://www.2020search.com/toolbar/2020Search.cab

Restart your computer and delete:

The C:\Program Files\Lycos\Sidesearch folder.

Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

Install the program and launch it.

I strongly recommend that you read the help file to familiarize yourself with the program.

Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning", then under "Cleaning engine" put a check by "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot", then click "Proceed".

Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest referencefiles.
After getting the latest referencefiles you are ready to scan.

Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

When it is finished let it fix everything it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent future attacks.
On this page you will find a link to Javacool's SpywareBlaster and Spyware Guard. Get them both and check for updates frequently.
The Immunize feature in Spybot used in conjunction with SpywareBlaster and SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping you spyware free.

Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #11 ·
flrman1, that was something I was unsure of because I have had it off when I fixed the swen.a worm. I turned it back on thinking that's what was causing my comp to be infected. I'll wait for you to tell me what to do with hijack but I'll run another scan and restart because Spybot was supposed to delete some spyware that was on my comp at restart. Thx for your help.
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #13 ·
Me again, I checked and fixed what you said to do on Hijack This and here's my new log:

Logfile of HijackThis v1.97.2
Scan saved at 7:54:47 PM, on 9/24/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = autoconfig server
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Video Poker - http://download.yahoo.com/games/clients/y/vps1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.yahoo.com/games/clients/y/grrq_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.7749768519
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I didn't find the Lycos folder because I'm pretty sure I deleted it a while ago when I started to acquire spyware on my comp. So is this supposed to fix the 4 viruses that the free Norton scan found? Like I said before, the Norton program that we bought and installed isn't catching these files for some reason and so I don't know if they are deleted. I've read the documents and it's on the settings to scan all files also. I'll run it one more time afterwards and see if I can get anything out of it now that all this other stuff is done with. I just ran Adware 6.0 and just got 2 tracking cookies so that's pretty much clean. Hope I'm not too much of a pain for you, thx again.
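
A way to check that a round of "Fix checked" did what was asked, by comparing the log taken before the fix with the one taken after it. This is an added example, not part of the original thread; the function names are hypothetical and the three samples are short excerpts of lines from the logs and fix list posted above.

```python
import re

# Entry lines look like "O4 - HKLM\..\Run: [name] path". The header lines and
# the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Map a normalized (section, detail) key to the original log line."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # Collapse whitespace and case so forum re-wrapping cannot hide a match.
            detail = re.sub(r"\s+", " ", m.group(2)).casefold()
            entries[(m.group(1), detail)] = line.strip()
    return entries

def verify_fix(before, after, fix_list):
    """Compare two logs against the list of entries that were to be fixed."""
    b, a, f = parse_entries(before), parse_entries(after), parse_entries(fix_list)
    return {
        # Asked to fix, but never in the first log (typo or wrong machine).
        "not_in_before": sorted(f[k] for k in f.keys() - b.keys()),
        # Asked to fix, but back (or never removed) in the new log.
        "still_present": sorted(a[k] for k in f.keys() & a.keys()),
        "fixed": sorted(b[k] for k in (f.keys() & b.keys()) - a.keys()),
        # Disappeared without being on the fix list: worth a second look.
        "gone_unrequested": sorted(b[k] for k in b.keys() - a.keys() - f.keys()),
        # Present only in the new log: something installed or re-added itself.
        "new": sorted(a[k] for k in a.keys() - b.keys()),
    }

# Excerpts from the thread's first log, second log and fix list.
BEFORE = r"""Logfile of HijackThis v1.97.2
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Sidesearch (HKLM)
"""
AFTER = r"""Logfile of HijackThis v1.97.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
"""
FIX = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Sidesearch (HKLM)
"""

if __name__ == "__main__":
    for bucket, lines in verify_fix(BEFORE, AFTER, FIX).items():
        print(f"{bucket}: {len(lines)}")
        for entry in lines:
            print("   ", entry)
```

An entry under `still_present` after a reboot means something is rewriting it, and `new` entries should be explainable by software installed in between, as the ZoneAlarm startup item is here.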
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #15 ·
Ok, I'm currently running the scan as I speak, and one more thing that I seem to not be able to get rid of: we have four Outlook Express email accounts and 3 of 'em work fine, but my dad, the one who d/l viruses all the time, has his main page altered to pop up ads and links that lead to a search engine when you click on show address book. Any idea on how I can fix that? Thx
 

·
Registered
Joined
·
46,353 Posts
Like I said before. Those files that you posted are being detected in System Restore. You have to turn off System restore.
 

·
Registered
Joined
·
46,353 Posts
As far as the problem with your dad's OE. I'm assuming he logs on under his own profile. You need to Scan with HJT under his profile and post that log.
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #18 ·
Ok, I've had my system restore off doing all of this so I think that's done, and if I'm correct in thinking that the profiles are the things like the administrator profile and then others, well, we only use one profile and all four are under it. I could switch to the administrative profile and use hijack there if I need to, but we don't use it. I'm just now running the Trend Micro scan to get rid of the other 3 trojans. Any more suggestions?
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #19 ·
Ah, one more thing, one way that I deleted a virus that I had was to manually find it in my computer and select it, then running the Norton scan specifically on it. It worked for that one 'cause Norton didn't detect it doing a full system scan. Now I have a question about the other 3 which I cannot find and virus scanners aren't finding them either, just the free online Symantec/Norton scan finds them and it's worrying me:

C:\System Volume Information\_restore{19B58392-252F-4748-9E12-FB1358C593A3}\RP1\A0000139.exe is infected with Trojan Horse
C:\System Volume Information\_restore{19B58392-252F-4748-9E12-FB1358C593A3}\RP1\A0000163.exe is infected with Trojan Horse
C:\System Volume Information\_restore{19B58392-252F-4748-9E12-FB1358C593A3}\RP1\A0001170.exe is infected with Trojan Horse

The C:\System Volume Information folder does not exist anywhere, not even in hidden files, and nothing I do seems to be fixing this. I've run Adware, Spybot, Norton, Trend Micro, Panda, and yes, I DO have my system restore off. Below is the virus that I found in my computer files and quarantined:

C:\WINDOWS\winmain.exe is infected with Trojan Horse

That no longer exists but if I can just clean out the other 3 along with my dad's OE everything would be ok. Any suggestions?
 

·
Registered
Joined
·
46,353 Posts
I'm telling you that this C:\System Volume Information\_restore is in system restore. Have you double checked to make sure that system restore is off?
 