A Squared and False positives?

Discussion in 'other anti-trojan software' started by JerryM, May 23, 2005.

Thread Status:
Not open for further replies.
  1. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Using A squared free my son-in-law ran a scan and 20+ entries that it classed as malware files appeared.
    Most of them were concerned with NewDotNet. Here is an example.
    C:\System Volume Information\_retore{FB160F56-3CFO-4E10-9E02-CF29FD976
    AdWare.NewDotNet

    Another with all the same C:....except identified as AdWare.BrilliantDigital1007

    Maybe all are under this entry, which is also identified as malware.
    C:\Program Files\NewDotNet\newdotnet6-38.dll.

    I am reluctant to recommend deletion as the "restore" makes me suspicious that these are not true malware.
    He had used the trial of Trojan Hunter, and I ran a scan before the trial expired and nothing was found.

    What are some recommendations?
    If these are not true malware, I am tempted to tell him to uninstall A sq, and replace it with Ewido free.

    Thanks,
    Jerry
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    What is System Restore?

    One of the new features of Windows Me and Windows XP is System Restore. This feature, which is enabled by default, is used by Windows to restore files on your computer in case they become damaged. If you experience a problem with your system that is caused by software, System Restore gives you the opportunity to go back to a point where things were working correctly.

    Windows XP stores this information in the SYSTEM VOLUME information folder. These folders are updated when the computer restarts.

    NOTE: Both the _RESTORE folder in WinME and the System volume information folder in Win XP are marked with the hidden attribute, and, by default, Windows is set to not display such files or folders.

    Even after you have found a virus and your AV has cleaned your PC, you still might get an indication that you still have the virus, but it can not be deleted in these folders.

    Problem is..the system restore also has a copy of all those viruses and trojans that have infected your system. They are in a compressed mode...your ANTIVIRUS knows they are there but can not help you get rid of them, so you must do it manually.


    GO TO THE FIRST LINK AND FOLLOW THE SCREEN SHOTS TO GET RID OF THIS IN THE "SYSTEM VOLUME INFORMATION" INFO FOLDER.

    NAME: Disabling System Restore on Windows XP
    ALIAS: Disabling Windows XP AutoRestore feature


    http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

    THE SECOND LINK WILL DO IT FOR WIN ME IN THE "_RESTORE FOLDER".


    NAME: Disabling System Restore on Windows ME
    ALIAS: Disabling Windows ME AutoRestore feature

    http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
     
    Last edited: May 23, 2005
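    An added example, not from the thread or from the a-squared product: a small Python triage script that takes scan output in the two-line path/detection format Jerry pasted and splits it into live files versus archived restore-point copies, since Primrose's point is that the two need different handling (uninstall the live program first, then purge the restore points). The scan lines and the GUID/RP numbers are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed scan output: a path line followed by its detection name,
# mimicking the XP "System Volume Information\_restore{GUID}" store,
# the Me "_RESTORE" store, and one live file under Program Files.
SAMPLE_SCAN = """\
C:\\System Volume Information\\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976000}\\RP12\\A0001234.dll
AdWare.NewDotNet
C:\\System Volume Information\\_restore{FB160F56-3CF0-4E10-9E02-CF29FD976000}\\RP12\\A0001235.exe
AdWare.BrilliantDigital1007
C:\\Program Files\\NewDotNet\\newdotnet6-38.dll
AdWare.NewDotNet
C:\\_RESTORE\\TEMP\\A0000001.CPY
AdWare.NewDotNet
"""

# Restore-point stores are hidden system folders; matching them by path
# prefix is how we tell an archived copy from a file Windows can actually load.
RESTORE_RE = re.compile(
    r"^[A-Z]:\\(System Volume Information\\_restore\{[^}]*\}|_RESTORE)\\", re.I)

def parse_scan(text):
    """Pair each path line with the detection name on the following line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("scan output must be path/detection pairs")
    return [(lines[i], lines[i + 1]) for i in range(0, len(lines), 2)]

def is_restore_copy(path):
    """True when the file lives inside a System Restore store."""
    return RESTORE_RE.match(path) is not None

def triage(text):
    """Group detections by family under 'live' or 'restore'."""
    report = {"live": defaultdict(list), "restore": defaultdict(list)}
    for path, family in parse_scan(text):
        report["restore" if is_restore_copy(path) else "live"][family].append(path)
    return {k: dict(v) for k, v in report.items()}

def next_steps(report):
    """Ordered cleanup advice following the thread: live copies first."""
    steps = [f"uninstall/remove live copy: {p}" for ps in report["live"].values() for p in ps]
    if report["restore"]:
        n = sum(len(ps) for ps in report["restore"].values())
        steps.append(f"then purge {n} archived copies by clearing System Restore points")
    return steps

if __name__ == "__main__":
    for step in next_steps(triage(SAMPLE_SCAN)):
        print(step)
```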
  3. hayc59

    hayc59 Guest

  4. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    I don't know how to post a picture. He sent me a jpeg of the screen, but I don't know how to post it. HELP?

    Jerry
     
  5. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Primrose,
    Thanks, but if we have to do that I'm afraid we are over our head. Let me see if I can find out about them first.
    Jerry
     
  6. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  7. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    No, you are not over your heads..if you click on the link above for the Win XP it has screenshots to do it step by step.


    http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml
     
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  9. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    I don't think he installed a screen saver.
    I googled and found the NDN site that had some discussions.
    http://www.newdotnet.com/

    I am looking over the instructions in the post.
    Thanks.
    Where can I find instructions as to how to post a picture?

    Jerry
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    In your next post..as you are making it..look at the bottom where it says manage attachments, click on it..then navigate to that jpeg, upload it there..then close it when it is done..then hit the button to make the post..but you must also have text in the post.
     
  11. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Yes..newdotnet has an uninstaller.exe in its folder and most of the time you can even uninstall it from your add/remove programs
    see here
    http://www.newdotnet.com/removal.html

    ..if it is not corrupted already by a cleaner or other product that tried to remove it.. also that brilliant thingie has to be uninstalled.
     
  12. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Thanks again. He is going to digest the info and do something probably tomorrow. I am in NM and he is in FL and it is about midnight, and he has to get up about 5 AM. I am going to try to post the screen he sent.
     
  13. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    THANKS. I had wondered how to do that. It was easier than I thought. I appreciate your help.

    Jerry
     
  14. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Those are not false positives..and hope you try to get rid of all of it first..by going to add/remove programs in your control panel and uninstall it..or going to the newdotnet folder and find the uninstall.exe..but still you will have the stuff in the system volume info..and best to follow those screenshots to clean out the system restore..then reboot..and then turn on system restore again..but also i guess you could use that a2 to clean them off..worth a try..

    it is your call. but since that is a jpeg of just part of the things found..you still have to deal with the others..

    a squared is right on the money for this stuff ;)
     
  15. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Primrose,
    Many thanks.
    I agree, and probably tomorrow he will take the action. I would want it off my computer. I also posted at the a-squared forum to give them a chance to make any comments.
    It would be nice if a-squared would remove them, but maybe the fact that they are in the restore folder prohibits their complete removal by a squared.

    My son in law and I together would not make a pimple on a geek's nose, so we need a lot of help doing this sort of thing.
    I appreciate the help.

    Time for me to hit the sack. Good night and thanks again.
    Jerry
     
  16. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    good idea to post in the a2forum :D I am a moderator there still at times. But has been a while..so they might have reduced me to cleaning the floors.

    take your time and good luck Jerry.
     
  17. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi Jerry,
    The paid versions most likely would have stopped it..the free version will find it. Hope you kept a tight group ;)
     
  18. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Hi Primrose,
    Thanks for the reply. You have really helped me, and have "hung in there" with me. My son in law, John, went fishing today and I have not talked to him. He works for the railroad in maintenance and is off Tues and Wed.
    I hope he finds some good bass fishing so I can go to FL and do some of it in the peak season next year.

    I am just a pretty good shot with a handgun. I was shooting about 1000 rounds a month, but for the last year probably 600 or so a month.
    I'm 72 and not as steady as a young person, and have trifocals, but I make up for it with practice. I have always been a hunter and shooter, and was career military.

    I am using the paid version of Ewido. I think I will encourage my "kids" to get the paid version of a-squared. I also have tried Trojan Hunter, and like it a lot. I am not sure why I chose Ewido, but have no complaints.

    My AV is BitDefender 8.0, and I am happy with it. Look n Stop is my firewall. I used Kerio 2.1.5 for about 5 years on my old computer and it never let me down.

    Many thanks again for your help. I am always surprised at the response I get here, and at a couple of other forums. On balance this seems to be the best.

    Have a good evening, and I'll let you know how John comes out with the malware removal.

    Jerry
     
  19. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Go with your gut feeling on the products..you have a good handle on some of the best. Ewido is doing good at keeping up with the latest badboys and so is Asquared and Trojan Hunter these days.
    BD has always been there steady as a rock and you certainly know LnS is there for you also.

    Just remind him not to be taken in by some of the popup ads trying to lure him into trying their security fixes..products..and "free" services with those crazy warnings..none of them are legit and you just end up with more crap on the PC or a bill to pay for a product that falls way below your expectation.

    So that is why Wilders Community is here.. to help you sort fact and fiction. ;)

    Keep up the good work Jerry..

    Semper Fi here at 62. :ninja:
     