View Full Version : suspicious file
subzerox
May 13th, 2005, 12:45 PM
Hi, I had three files rated as suspicious, and it looks as follows:
alarm: Suspicious filename
Name: HTA file in suspicious location
File: C:\system volume information\_restore{f82617b8-3574-4b04...
This file, or shall I say files, because this file displayed three times. These files have been deleted before because it showed this message before with a previous scan.
I didn't know exactly what action to take, but I took the chance to delete it, not knowing what other programs I would disturb eventually, but now these files show up again.
I have no clue what these files mean or how I can find out :o , so if anybody can tell me where these files belong or how I can find out, I would very much appreciate this, because in my opinion I have a possible infection at this point.
Pilli
May 13th, 2005, 12:51 PM
Hi subzerox, If you had a previous infection which you cleaned then these suspicious files are in your system restore file.
To clear this, go to system restore settings and disable it. Reboot and make sure there are no restore points, then re-enable system restore.
HTH Pilli :)
subzerox
May 13th, 2005, 01:05 PM
Well, I'm not even sure it is an infection, but it is rated as suspicious. I am going to do what you advised, but is this a real infection?
Bubba
May 13th, 2005, 01:25 PM
-{ Quote: "is this a real infection?" }- Since it's in your sys restore....some of the more helpful info concerning the HTA is unavailable....so without that info it would be a guess.
For example:
Suspicious Filename: HTA file in suspicious location
File: c:\program files\microsoft money\system\lnpg.hta
As noted in the below thread....it might have been placed there by your scanner because the "suspicious detection reports" were "too sensitive" ?
This thread---> http://www.wilderssecurity.com/showthread.php?t=37267
subzerox
May 13th, 2005, 01:34 PM
When I was going to disable system restore I had the following display from worm guard.......
Is this a normal message display or do i have to worry?
img214.echo.cx/my.php?image=screenhunter32hs.jpg
~added pic as attachment....Bubba~
subzerox
May 13th, 2005, 02:28 PM
Bubba, I'm sorry if I did something wrong when posting the link for the image, but it was the first time ever doing something like that.
I'm kind of curious: is the editing done because this looks better and faster to reply to, or is the other way of posting the image "illegal"?
Pilli
May 13th, 2005, 02:47 PM
Rstrui should be on your WormGuard allowed list when running XP. Please add this line to your Allowed list. Note you will have to change your path if you have Windows on a different drive - folder than C:\
c:\windows\system32\restore\rstrui.exe
HTH Pilli
Bubba
May 13th, 2005, 03:39 PM
-{ Quote: "Bubba i'm sorry if did something wrong when posting the link for the image but it was the first time ever doing something like that." }- You did great
-{ Quote: "I'm kind of curious is the editing done because this looks better and faster to reply to" }- It's a personal preference of mine to see the image as we follow along without leaving the confines of Wilders 8)
-{ Quote: " or is the other way of posting the image "illegal"" }- Not even close to being illegal....and if it had been....I would not have left the clickable hyper link :o
Chill....you're doing a great job ;)
It ain't much....but the below thread is an attempt to show how to make an attachment in case you are unsure.
This thread---> FAQ: Screen Shots and Image Posting (http://www.wilderssecurity.com/showthread.php?t=63957)
subzerox
May 14th, 2005, 04:54 AM
Thanks Pilli, that did it, I have those files removed.
@bubba
;D I'm chilled
Copyright ©2002 - 2012, Wilders Security Forums