#1
Time: 8/30/2004 7:41:48 AM
Module: AMON
Object: file
Name: C:\System Volume Information\_restore{9791F2D4-25F9-4C69-B0E0-1C5B42CB7DEE}\RP130\A0059143.exe
Virus: Win32/TrojanDownloader.Alchemic.A trojan
Action: error while cleaning - operation unavailable for this type of object
User: NT AUTHORITY\SYSTEM
Info:

The program can't, so it has to be done manually, but I can't find the System Volume on the computer. XP Windows.
#2
|
||||
|
||||
|
From the NOD help page.

You are most probably using one of the latter operating systems - Windows ME or Windows XP on your machine. These systems are by default using the option for restoring the system files, which the system automatically backs up to the directory "_restore" on the system disk (normally to the directory "C:\_restore"). This way it is possible that the infected files join the backed-up files and become "undeletable".

Solution

The process depends on the operating system:

Windows ME
1. Right click on the "My Computer" icon on the Windows desktop and click "Properties"
2. Click on "Performance">"File system"
3. Click "Troubleshooting"
4. Check "Disable system restore"
5. Click on OK, Close and restart the system

Note: It is recommended to return to the standard behaviour of the system after the removal of the infected files - by unchecking the "Disable system restore"

Windows XP
1. Right click on the "My Computer" icon on the Windows desktop and click "Properties"
2. Click on the "System Restore"
3. Check "Turn off System Restore on all Drives"
4. Click OK, Close and restart the system

Note: It is recommended to return to the standard behaviour of the system after removal of the infected files - by unchecking the "Disable system restore"
#3
|
|||
|
|||
|
Thank you for that, will give it a try.
Also, why is AMON so bloody slow in checking all the files? I have XP and it is taking forever to run through them.
#4
|
||||
|
||||
|
What version of NOD?
#5
|
||||
|
||||
|
Quote:
Yeah, in times when I was still using a bunch of default services, blah, including System Restore (btw., now I deleted this folder on all partitions, and it looks much better, and minimalistic), the same happened to me. My AV software alerted me about some file being infected, during "the whole volume" scan, and it was apparently a previously deleted malicious file. Later, I simply unchecked System Restore folders during scans (now I do not use Restore, and I do not scan with AV often anymore) - It is that I collect some of the worms/trojans that come with e-mail attachments, and I store them in an encrypted (licensed) Cryptainer PE volume, and apparently once I didn't move them all, nor rewrite them (with sdelete.exe, a command-line utility from Sysinternals that I use for advanced file deletion), so those worms/trojans that were left (and not moved), and were apparently deleted the common way - through the recycle bin, were stored by the Restore Service. But strange, just as renamed files, similar to recycled Dd1.tmp, Dd2.tmp, etc. (no advanced protection/encryption, i.e. changing/modifying file content, or whatever), even the icons were the same, so I actually recognized a few files I deleted recently.

Though, I suppose, if you uncheck System Restore, reboot, and boot again, files will be erased anyway, no further cleaning needed (cause next time being enabled, the service will need space for new files and data).

P.S., It is kind of strange, System Restore also backs up casual .exe files (ok, I understand it sure needs to back up installers, install-logs, etc., but some common .exe ??). Why should it, cause even if you restore to some point back in time, software that was uninstalled, files deleted, registry keys/entries deleted, etc. will not suddenly be installed again, and ready to go/execute after restore (except maybe for patches, DirectX, etc.). At least it wasn't in my case. Yeah, and how much space would that take. For each little software, system-modification.

And yeah, as I remember you have the option to limit space, but which files are stored and which not then, who/what decides about that. And maybe some installation could be destroyed, if stored "partially".

Cheers
__________________
Check out my website: http://tadej-ivan.50webs.com/index.html, and enjoy reading my various computing discoveries, hints, principles, rules etc.
#6
|
||||
|
||||
|
Hi Xenon1
See the following thread for more information: http://www.wilderssecurity.com/showthread.php?t=46701
Post number 15 onwards...

Are you aware that Nod32 has a new version available for FREE to current license holders? The above link will point you in the right direction...

Hope this helps...
Let us know how you go...

Cheers
__________________
"Illegitimis non carborundum"
translation: "Don't let the bastards grind you down"
U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946)
Two Photographers