
How To Find Out If I Still Have A Trojan Horse In My Computer.


#1 angierm


Posted 23 March 2007 - 07:01 PM

Hi,

I have a WinXP Home SP2 machine and I have Symantec Antivirus Corporate Edition installed. I couple of days ago I noticed that my external HD was infected with some trojan horses and my antivirus deleted them. Then, yesterday my antivirus found another one called A0021299.exe placed in my external hard disk, too, the antivirus deleted it, but today, just a couple of hours ago, it detected the trojan again but with a different name A0021300.exe. The message says:

Virus name: Trojan Horse
File: G:\System Volume Information\_restore{98F0F445-116F-4524-BB11-C38F45612CRF}\RP146\A0021300.exe
Location: G:\System Volume Information\_restore{98F0F445-116F-4524-BB11-C38F45612CRF}\RP146
Action taken: Delete succeeded: Access denied

etc, etc.

I would like to know if this is really a trojan horse that some how is regenerating itself again and again.

Do you have any idea about what this could be?
Thanks

Angierm



#2 Master5270


Posted 23 March 2007 - 07:06 PM

Have you tried turning your System Restore off? It says "Deleted Successfully: Access denied". Try turning off your System Restore; instructions: www.bleepingcomputer.com/tutorials/tutorial56.html

Then scan again and see if it is still there.

#3 angierm


Posted 23 March 2007 - 07:36 PM

No, I haven't tried that. I took a look at that, but the problem is with my external hard disk, so before I tried turning it off I noticed that my local partitions are in "supervise" mode and I am also able to change the configuration, but my external unit says "without connection" or "out of line" and the configuration button is disabled, so I wonder if turning my System Restore off will help. What is more, I have scanned my external unit again and I didn't find anything, but the problem here is that I think it would probably happen again, as I told you before. That's why I was asking if there is some way to find it out.

Angierm


#4 buddy215


Posted 23 March 2007 - 08:27 PM

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

Post a Hijack This log in the appropriate forum by following the directions in the link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#5 quietman7


Posted 23 March 2007 - 08:58 PM

NAV detected that file in the System Volume Information folder which is a part of System Restore - the tool that allows you to set points in time to roll back your computer. The System Volume Information folder is where XP stores these System Restore points and other information. This folder is protected by default and prevents programs from using or manipulating the files that are inside it. That's why NAV was denied access.

This is what you should do:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
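The mechanism quietman7 describes is what makes this alert confusing: the "same" trojan comes back under a new name because each System Restore snapshot copies the file into an RPnnn folder under a sequential A00xxxxx name. The following Python script is an added example, not code from the thread or from any of the posters: it parses NAV-style alert blocks in the format quoted in the first post and separates restore-point copies (`System Volume Information\_restore{...}\RPnnn\A00xxxxx.ext`) from detections at live paths, so a reader triaging a run of alerts can see at a glance whether anything outside System Restore was hit. The sample alerts are constructed to match the first post (same GUID and RP146); `parse_alert`, `triage` and `Detection` are names chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A file inside a Windows XP System Restore snapshot has this shape:
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<digits>.<ext>
# System Restore copies files into the RPnnn folder under a sequential
# A00xxxxx name, which is why a detection "returns" with the number
# incremented each time a new snapshot copies the file again.
RESTORE_COPY_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{(?P<guid>[^}]+)\}"
    r"\\RP(?P<rp>\d+)\\A(?P<seq>\d+)\.(?P<ext>[A-Za-z0-9]+)$",
    re.IGNORECASE,
)


@dataclass
class Detection:
    virus_name: str
    path: str
    action: str
    drive: Optional[str] = None          # drive letter, e.g. "G"
    restore_point: Optional[int] = None  # RP number from the path
    sequence: Optional[int] = None       # numeric part of the A00xxxxx name

    @property
    def is_restore_point_copy(self) -> bool:
        return self.restore_point is not None


def parse_alert(block: str) -> Detection:
    """Parse one NAV-style alert block ("Virus name:", "File:", "Action taken:")."""
    fields: Dict[str, str] = {}
    for line in block.splitlines():
        # Split on the first colon only: the File value itself contains "G:\..."
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    det = Detection(
        virus_name=fields.get("virus name", ""),
        path=fields.get("file", ""),
        action=fields.get("action taken", ""),
    )
    m = RESTORE_COPY_RE.match(det.path)
    if m:
        det.drive = m.group("drive").upper()
        det.restore_point = int(m.group("rp"))
        det.sequence = int(m.group("seq"))
    return det


def triage(blocks: List[str]) -> dict:
    """Summarise a series of alerts: live files, or only restore-point copies?"""
    dets = [parse_alert(b) for b in blocks]
    copies = [d for d in dets if d.is_restore_point_copy]
    live = [d for d in dets if not d.is_restore_point_copy]
    seqs = [d.sequence for d in copies]
    # Strictly increasing A00xxxxx numbers mean each alert is a fresh snapshot
    # copy, not one file surviving deletion.
    sequential = len(seqs) > 1 and all(b > a for a, b in zip(seqs, seqs[1:]))
    drives = sorted({d.drive for d in copies})
    if live:
        verdict = "file(s) detected outside System Restore: investigate those paths first"
    elif copies:
        verdict = ("only restore-point copies on drive(s) %s: purge old restore points "
                   "or stop System Restore monitoring that drive, then rescan"
                   % ", ".join(drives))
    else:
        verdict = "no parseable alerts"
    return {
        "total": len(dets),
        "restore_point_copies": len(copies),
        "live_files": len(live),
        "drives": drives,
        "sequential_copies": sequential,
        "verdict": verdict,
    }


# Constructed sample alerts in the format quoted in the first post (same GUID, RP146).
_SVI = "G:\\System Volume Information\\_restore{98F0F445-116F-4524-BB11-C38F45612CRF}\\RP146\\"
SAMPLE_ALERTS = [
    "Virus name: Trojan Horse\nFile: %sA0021299.exe\nAction taken: Delete succeeded: Access denied" % _SVI,
    "Virus name: Trojan Horse\nFile: %sA0021300.exe\nAction taken: Delete succeeded: Access denied" % _SVI,
    "Virus name: Trojan Horse\nFile: %sA0021301.exe\nAction taken: Delete succeeded: Access denied" % _SVI,
]

if __name__ == "__main__":
    for block in SAMPLE_ALERTS:
        d = parse_alert(block)
        print(d.path, "->", "restore-point copy" if d.is_restore_point_copy else "live file")
    print(triage(SAMPLE_ALERTS)["verdict"])
```

Run it as-is to see the three sample alerts classified as restore-point copies with increasing sequence numbers; feed it your own alert blocks (one block per list entry) to check whether any detection sits at a path outside System Restore, which is the case that deserves attention before purging restore points.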

#6 angierm


Posted 27 March 2007 - 12:08 PM

Thanks for your answers. Let me tell you that I have created the restore point; however, when I tried to run the Cleanmgr command it asked me to choose which partition I should free, and I cannot see where to click the "More Options" tab, nor did I find the System Restore section in order to clean up all the previous R.P. It just asks me to choose the partition and then to click "OK" in order to free disk space. My question is, if I choose partition C, will this delete my previous R.P. except the one I have created?

Thanks in advance.

Angierm


#7 quietman7


Posted 27 March 2007 - 12:18 PM

When cleanmgr loads there should be two tabs at the top: Disk Cleanup and More Options. Are you saying you don't have the second tab? See the instructions here.

#8 angierm


Posted 27 March 2007 - 12:42 PM

Oh! That's right, I didn't let the process finish; that is why I wasn't able to see those other tabs. Now I have done what you suggested. What I should do next is run another scan in order to see if I find something wrong, right?

Angierm


#9 quietman7


Posted 27 March 2007 - 01:18 PM

The folder where the file resided that NAV detected should have been removed when the old restore points were purged. You can rescan with NAV to confirm it's gone.

#10 angierm


Posted 27 March 2007 - 03:24 PM

It happened again: my antivirus detected another virus, and it seems that the name increases, I mean one of them was A0021300, then A0021301 and so on. Maybe the problem is that the System Volume Information folder is placed on my external hard disk; it is not a partition and neither part of my laptop, so I wonder if I can follow the same procedure, or if the R.P. includes a R.P. from my portable hard disk in order to delete the previous R.P. from unit G:, which is my external HD. Any idea???

Angierm


#11 quietman7


Posted 27 March 2007 - 06:52 PM

What's on your external hard drive? I use mine for backing up files, photos, utilities and misc. programs. I keep System Restore turned off on this drive so it does not monitor it at all. See Fig 1 here on how to turn off System Restore. Fig 1 shows only the C: drive as being monitored in this example. However, yours should show your external drive, which you can click on and turn off so that folder will be removed.

Edited by quietman7, 27 March 2007 - 06:54 PM.


#12 angierm


Posted 28 March 2007 - 12:17 PM

Hi quietman7, I use my external hard drive for the same purpose. I have done what you suggested: I turned System Restore off on unit G and also decided to change to Panda antivirus instead of NAV. I ran another scan on this unit and it detected some spyware that was eliminated, and everything seems to be fine now. Many thanks for your answer, and many thanks to Master5270 and buddy215 too.

Angierm


#13 quietman7


Posted 28 March 2007 - 12:31 PM

Good job. Glad we could help.