3 trojans on my computer i can't get rid of....

Discussion in 'Trojan Defence Suite' started by newbie, Oct 29, 2003.

Thread Status:
Not open for further replies.
  1. newbie

    newbie Guest

    hi i just downloaded the trial version and it found 3 trojans:

    DM 1.0 (variant)
    Hir 2.0 (variant)
    pos id (embedded in file) Remote.Admin.RA 4.9.29

    i tried deleting them (right click, delete), but every time i reboot and rescan it finds one or more of them

    in c:\system volume information\_restore{..........}
  2. LowWaterMark

    LowWaterMark Administrator

    Aug 10, 2002
    New England
    That file location is the System Restore area. Windows copies various files from your active system to that area in order to allow you to "roll your computer back" to a previous configuration if you need to. But, it doesn't know good files from bad files and very often it will copy a Trojan exe file into one of its restore points, too.

    Now the good news is that a Trojan can't run from the System Restore area. The bad news is you can't delete it (at least not safely) from there... Both Microsoft and the major anti-virus people all recommend that you wipe all files in all restore points in order to remove any malware that might have got caught in there by System Restore.

    What Microsoft says about malware in System Restore (link):

    What a couple of AV sites say:

    I recommend clearing the System Restore area as described in these articles as this should get rid of the malware in there so TDS won't detect it anymore.

    When you've done this, the next question is: Are there any more occurrences of these findings that are NOT in c:\system volume information\_restore ?
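    The question at the end of this post (which findings sit only in the System Restore area, and which ones are in an active location) is easy to answer by hand for three hits, but a small triage script makes the distinction explicit. The following is an added example written for this thread, not TDS code or anything DiamondCS ships: it takes scanner output in an assumed "detection | path" line format, classifies each path by whether it lies under `<drive>:\System Volume Information\_restore{GUID}`, and reports which action applies. The GUID, file names and line format below are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Regex for the XP-era System Restore snapshot area:
#   <drive>:\System Volume Information\_restore{GUID}\RPnnn\Annnnnnn.exe
# Files copied here by System Restore cannot execute from this location,
# but they are also not safely deletable by hand; the fix is to clear restore points.
RESTORE_AREA = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}(\\|$)",
    re.IGNORECASE,
)

# Constructed sample scan output (assumed "name | path" format, not real TDS output).
SAMPLE_SCAN = """\
DM 1.0 (variant) | C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP12\\A0001234.exe
Hir 2.0 (variant) | c:/system volume information/_restore{00000000-0000-0000-0000-000000000000}/RP12/A0001235.exe
Remote.Admin.RA 4.9.29 | C:\\Documents and Settings\\user\\Desktop\\sample.exe
"""


def normalize(path: str) -> str:
    """Turn forward slashes into backslashes and collapse repeated separators."""
    return str(PureWindowsPath(path.replace("/", "\\")))


def in_restore_area(path: str) -> bool:
    """True if the path is inside a System Restore snapshot directory."""
    return bool(RESTORE_AREA.match(normalize(path)))


def parse_scan_lines(text: str):
    """Parse 'detection | path' lines into (detection, path) tuples, skipping blanks."""
    findings = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        name, path = (part.strip() for part in line.split("|", 1))
        findings.append((name, path))
    return findings


def triage(findings):
    """Split findings into hits that are only in restore points and hits in live locations."""
    report = {"restore_only": [], "active": []}
    for name, path in findings:
        bucket = "restore_only" if in_restore_area(path) else "active"
        report[bucket].append((name, normalize(path)))
    return report


def recommended_actions(report) -> list:
    """Map the two buckets to the advice given in this thread."""
    actions = []
    if report["restore_only"]:
        actions.append("clear System Restore (disable it, reboot, re-enable it) "
                       "to drop every restore point holding a copy")
    if report["active"]:
        actions.append("remove or quarantine the active copies with the scanner, "
                       "then rescan; keep a zipped sample for submission")
    if not actions:
        actions.append("no findings; nothing to do")
    return actions


if __name__ == "__main__":
    result = triage(parse_scan_lines(SAMPLE_SCAN))
    for bucket, hits in result.items():
        print(bucket)
        for name, path in hits:
            print(f"  {name}: {path}")
    for action in recommended_actions(result):
        print("action:", action)
```

Anything that lands in `active` is the part that still matters after the restore points are cleared; a hit that appears only in `restore_only` is inert and disappears once System Restore is reset.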
  3. newbie

    newbie Guest

    no the rest is clean.....but i thought i had turned off system restore (or at least an IT friend who installed everything did). could one of these trojans have turned on system restore?

    anyway thanks for the info
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Feb 10, 2002
    Perth, Western Australia
    If you still have a copy of the file please send it to submit@diamondcs.com.au - zip it please and retain a copy for now

    This is a trojan dropper. Hir and DM are BINDERS and it's dropping a Remote Anywhere variant.. so interested to see it ! might drop more things ;)