Can this be done?

Discussion in 'ESET NOD32 Antivirus' started by twodogs44, Dec 27, 2007.

Thread Status:
Not open for further replies.
  1. twodogs44
    I was wanting to know if it is possible to delete the below files without screwing up my machine. If so, how do I do it?

    I ran nod32 today and found the below listed infected files, but nod did not remove them.


    File C:\System Volume Information\_restore{287AE135-C8DE-44BA-8794-AC62E425C35A}\RP418\A0032256.exe

    C:\Documents and Settings\DFoster\Local Settings\Application Data\Mozilla\Firefox\Profiles\ydb47t75.default\Cache\83F60C09d01 »CAB »mwsSrcSp.CommonCodebase.exe - a variant of Win32/AdInstaller application

    C:\Documents and Settings\DFoster\Local Settings\Application Data\Mozilla\Firefox\Profiles\ydb47t75.default\Cache\83F60C09d01 - a variant of Win32/AdInstaller application

    C:\Documents and Settings\All Users\Application Data\BOC425\evidence.boc »CAB »mwsSrcSp.CommonCodebase.exe - a variant of Win32/AdInstaller application

    C:\Documents and Settings\All Users\Application Data\BOC425\evidence.boc - a variant of Win32/AdInstaller application


    Thanks Dave.
     
    Last edited: Dec 27, 2007
  2. LowWaterMark
    It looks like it is all part of a single infection event... i.e. an installer CAB file downloaded using Firefox, which BOClean caught and saved in its evidence area, and System Restore saved a copy when the file was actually deleted by BOClean. None of those files are part of the running system itself and therefore, none are needed.

    It's best to remove them in this order...

    Start with the second and third lines; they are the copy of the CAB file that is sitting in the Firefox cache. You simply use the Firefox > Tools... Options... Privacy option to "Clear Cache Now", and those, along with the rest of the cache, will be emptied. The cache will simply start filling up again as you start browsing the web.

    The last two lines are the copy that BOClean saved. You can go directly to those files with Windows Explorer and delete them if you want. Normal file deletion. In the BOClean directory shown, the file you need to delete is called: evidence.boc

    However, the first file (with the \System Volume Information\ path in it) is the copy saved in System Restore. You should do that one last and not attempt to manually delete that file. System Restore files should not be deleted directly, even if you manage to find a way to do it (they are protected files).

    The way malware files are deleted from System Restore is to cycle it off and then back on again. However, that causes System Restore to delete all restore points, so, it's best to ensure that your system is stable and you don't anticipate having to use System Restore to rollback to a previous state. (If you happen to have an imaging or other system rollback/recovery application, and a current backup in it, then there's probably no issue clearing System Restore anyway.)

    To clear System Restore, go to "Control Panel" > "System" applet > "System Restore" tab > click the "Turn off System Restore" check box and hit "OK". That will take a little time as the system deletes all restore points. When it's done, you go in there again, remove the checkmark and hit OK to turn it back on. System Restore will start creating new restore points as time goes by and as you run installers for other software. But, once you've cycled it clean, you won't be able to restore back to a point earlier than the point you cleared it. No older dates.
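The reasoning in the reply above (one detection reported under several paths, the same on-disk file listed twice as archive and as nested member, and a different remediation route depending on where the copy lives) can be turned into a small triage helper. The following is an added example, not code from the thread or from ESET; it parses the scan lines quoted in the first post, using the `»` separator visible in those lines for nested archive members, and sorts the unique files into the order the reply recommends. The location regexes and the `remediation_plan` / `classify` names are my own assumptions, written to match the paths shown here.

```python
import re
from dataclasses import dataclass

# Sample scanner output copied from the first post of this thread.
SCAN_LOG = r"""
File C:\System Volume Information\_restore{287AE135-C8DE-44BA-8794-AC62E425C35A}\RP418\A0032256.exe
C:\Documents and Settings\DFoster\Local Settings\Application Data\Mozilla\Firefox\Profiles\ydb47t75.default\Cache\83F60C09d01 »CAB »mwsSrcSp.CommonCodebase.exe - a variant of Win32/AdInstaller application
C:\Documents and Settings\DFoster\Local Settings\Application Data\Mozilla\Firefox\Profiles\ydb47t75.default\Cache\83F60C09d01 - a variant of Win32/AdInstaller application
C:\Documents and Settings\All Users\Application Data\BOC425\evidence.boc »CAB »mwsSrcSp.CommonCodebase.exe - a variant of Win32/AdInstaller application
C:\Documents and Settings\All Users\Application Data\BOC425\evidence.boc - a variant of Win32/AdInstaller application
"""


@dataclass(frozen=True)
class Detection:
    container: str   # the file that actually exists on disk
    members: tuple   # nested archive chain inside it, e.g. ("CAB", "mwsSrcSp.CommonCodebase.exe")
    threat: str      # detection name; empty when the line carried none


def parse_line(line: str) -> Detection:
    """Parse one ESET-style log line; nested archive members are separated by '»'."""
    line = line.strip()
    if line.startswith("File "):
        line = line[len("File "):]
    if " - " in line:
        path_part, threat = line.rsplit(" - ", 1)
    else:
        path_part, threat = line, ""
    parts = [p.strip() for p in path_part.split("»")]
    return Detection(parts[0], tuple(parts[1:]), threat.strip())


# Location rules, listed in the order the reply recommends acting: browser cache first,
# the saved evidence copy next, System Restore last. Regexes are assumptions matching
# the paths quoted in this thread.
RULES = [
    ("browser_cache",
     re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\Cache\\", re.I),
     "clear the browser cache from within Firefox; the cache rebuilds itself"),
    ("boclean_evidence",
     re.compile(r"\\BOC425\\evidence\.boc$", re.I),
     "delete the saved evidence file normally with Explorer"),
    ("system_restore",
     re.compile(r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I),
     "do not delete directly; turn System Restore off and back on, which drops all restore points"),
]


def classify(container: str):
    """Return (category, recommended action) for an on-disk path."""
    for name, pattern, action in RULES:
        if pattern.search(container):
            return name, action
    return "other", "review manually"


def remediation_plan(log_text: str):
    """Deduplicate container files (an archive and a member inside it are one file on
    disk) and return (container, category, action) tuples in the recommended order."""
    containers = {}
    for line in log_text.splitlines():
        if line.strip():
            det = parse_line(line)
            containers.setdefault(det.container, det)
    order = {name: i for i, (name, _, _) in enumerate(RULES)}
    order["other"] = len(RULES)
    plan = [(path,) + classify(path) for path in containers]
    plan.sort(key=lambda entry: order[entry[1]])
    return plan


if __name__ == "__main__":
    for path, category, action in remediation_plan(SCAN_LOG):
        print(f"[{category}] {path}\n    -> {action}")
```

Run stand-alone, it reduces the five log lines to three on-disk files and prints them in the order cache, evidence file, System Restore, so the protected copy under `System Volume Information` is handled last and never targeted for direct deletion.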
     
  3. twodogs44
    Thanks much, LowWaterMark. I got rid of everything but the BOClean items. Searched and could not find them or a way to them. Cleared my restore.

    Thanks for all your help.

    Dave
     