Trojan Horse Help Required

Discussion in 'malware problems & news' started by Extreme Neo 2, Mar 19, 2004.

Thread Status:
Not open for further replies.
  1. Extreme Neo 2

    Extreme Neo 2 Registered Member

    Joined:
    Mar 19, 2004
    Posts:
    2
    This is driving me mad! Please help me!

    Dear All,

    Every 5-10 minutes I get the following message:

    AVG Resident Shield

    Virus
    Trojan Horse Downloader.Winshow.P

    Is Found In File
    C:\System Volume Information\_Restore{F7277B93-F0DA-4881-8FA6-B91C24D336AA}\RP71\A0015127.dll

    To Remove This Virus Please Run AVG For Windows.

    I have run AVG, and no virus is found, I have also run the following programs which also state nothing found:

    TDS-3
    Trojan Hunter
    Spy Hunter
    PC-cillin
    BPS Spyware-Adware Remover

    PLEASE CAN SOMEONE TELL WHAT TO DO TO REMOVE THIS VIRUS

    Thanks in advance for all your help!
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Take a look at this thread...

    http://www.wilderssecurity.com/showthread.php?t=17400

    The "c:\system volume information\restore..." folder is a part of the "System Restore" facility, a secured area run by Windows XP and used to allow you to return your system to a previous state should anything go wrong with it.

    Take a look at the thread link above and follow the instructions to clean out the System Restore area by turning it off and back on again. This will remove the piece of malware that got trapped in that folder which will stop those alerts.
     
  3. Extreme Neo 2

    Extreme Neo 2 Registered Member

    Joined:
    Mar 19, 2004
    Posts:
    2
    Thanks very much, LowWaterMark.

    Excellent! :D
     
  4. Maxwell

    Maxwell Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    8
    How can you be sure that you are not just eliminating the alert but leaving the trojan? My experience has been that most times it is necessary to reformat to fully eliminate a trojan... is this not true? What is the checkpoint to make sure it's removed? :doubt:
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Well, there are truly a whole lot of possibilities here. First of all, it is the AV product itself that is identifying the presence of the malware, so I tend to think it is a piece of malware that it can identify.

    Certainly there are times when a system is so infected that a reformat may be required, but we generally don't rush to tell people to reformat their systems because there are many times that malware can be found, stopped and cleaned without issue.

    Now, we don't actually know that this system was even infected at all. All we actually know is that there is one file in the System Restore area that is being identified. Exe and dll files get into System Restore just by being present on a system (and being deleted)...

    If I download a basic trojan exe file, copy it from one folder to another and then just delete it, having never executed it, then I am not infected (and cannot be infected by it). But, on Windows XP those actions will end up with a copy of that file being put in System Restore. I can remove it from there by the cycling of System Restore as described above, and I was never infected. I'd be wasting a lot of time by reformatting such a system.

    There are certainly times where systems get totally infected and ought to be reformatted; however, the original poster has used some pretty powerful scanners, as noted above, and only AVG has identified anything at all, and it's a file that is harmless in the System Restore area. After cycling System Restore, I'd rescan the system with all products and if a clean bill of health comes up, I'd recommend leaving it.

    The piece of information we don't have is where this all started. The original poster never said if they had an infection at some point, cleaned it with one or several of the above tools, and this one piece was left over, or if it was more like my example above, where a file was on the system and deleted at some point without ever being run, but got stuck in System Restore because that's how it works.

    Can we be 100% certain? No, of course not, but multiple scans from multiple good scanners, and a system that runs normally without odd behaviors, may very well be clean.

    If the original poster would like to provide a lot more background details, we can make a more in-depth recommendation.
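    An added triage helper, written for this thread rather than taken from it or from AVG, that parses an alert in the format quoted in post 1, tells a System Restore snapshot path apart from a file on the live file system, and attaches the advice LowWaterMark gives above. The alert text is a constructed copy of the one in the thread; the regex for the `_Restore{GUID}\RPnn\` layout reflects how Windows XP names restore points.

```python
import re

# Constructed copy of the AVG Resident Shield alert quoted in post 1
# (detection name and restore-point path are the ones from the thread).
SAMPLE_ALERT = """AVG Resident Shield
Virus
Trojan Horse Downloader.Winshow.P
Is Found In File
C:\\System Volume Information\\_Restore{F7277B93-F0DA-4881-8FA6-B91C24D336AA}\\RP71\\A0015127.dll
To Remove This Virus Please Run AVG For Windows."""

# Windows XP restore points live under
# <drive>:\System Volume Information\_Restore{<GUID>}\RP<n>\<renamed file>
RESTORE_POINT_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_Restore\{"
    r"(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\(?P<file>[^\\]+)$",
    re.IGNORECASE)

def parse_alert(text):
    """Pull the detection name and the flagged path out of the alert text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    detection = path = None
    for i, line in enumerate(lines[:-1]):  # each label is followed by its value
        if line.lower() == "virus":
            detection = lines[i + 1]
        elif line.lower() == "is found in file":
            path = lines[i + 1]
    return detection, path

def classify_path(path):
    """Tell a restore-point snapshot apart from a file on the live file system."""
    m = RESTORE_POINT_RE.match(path or "")  # a missing path is treated as live/unknown
    if not m:
        return {"location": "live", "path": path}
    return {"location": "restore_point", "drive": m.group("drive").upper(),
            "restore_point": int(m.group("rp")), "file": m.group("file")}

def triage(alert_text):
    """Parse, classify, and attach the remediation advice given in the thread."""
    detection, path = parse_alert(alert_text)
    info = classify_path(path)
    info["detection"] = detection
    if info["location"] == "restore_point":
        info["advice"] = ("Archived snapshot, not a running file: turn System Restore "
                          "off and back on to purge the restore points, then rescan.")
    else:
        info["advice"] = "Live file: scan with several engines before cleanup or reformat."
    return info

if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
```

The "live" branch only means the path is outside the restore-point area; it is the cue to keep scanning rather than a clean verdict.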
     
  6. Maxwell

    Maxwell Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    8
    I don't know about you, but I tend to not trust the MS "helpers" as far as making sure my registry is correct, my system files are correct, etc., etc.... ya know what I mean? HOW does one KNOW for sure that their system is clean.... THAT is the question, and I would SURE love to hear what the answers are (maybe one will help me?) o_O o_O :rolleyes:
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Well, feel free to start a new topic on that subject. It sounds like a worthy subject for in-depth discussion.
     
  8. Maxwell

    Maxwell Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    8
    Well, yeah. Any subject that might show "work arounds" for stupid MS stuff is a good subject in my opinion (and many others). Hahah
     
  9. Carmack

    Carmack Guest

    I'm experiencing the same dang thing.

    I'll on/off the system restore to see if that does anything. The only unfortunate part is that there is no scan that I can run to see if the offending trojan is dealt with or not - because no virus scanners will pick it up when actively scanning. Only AVG reports it, and even then, not while scanning, but rather as a passive "AVG Resident Shield" pop up. The odd thing is the pop up window tells you to run AVG scan, but when you do, it doesn't seem to find the offending item.

    And the file can't seem to be located using WinXP file search. Odd.

    I guess the only confirmation I'll have is if this pop up warning window no longer appears at random times on my computer.

    Keeping my fingers crossed.
     
  10. Carmack

    Carmack Guest

    Hmnnn... it's been a few days now, and no AVG Resident Shield warnings about this trojan horse. Looks like it's gone. Clearing the system restore seems to have worked.
     