Recently installed Avira - finding 'Trojans' and Malware...
Sasquatch (Thread Starter; Member, 308 posts; joined Dec 2002)
05-May-2009, 03:50 PM #1
Have used AVG Free for years on the PC and laptop - both running XP Home, SP2, with IE7 on the PC and IE6 on the laptop. Now have a second PC I'm transitioning the old desktop stuff to. Have AVG on the old PC and Avira on the new PC (will refer to as PC1 and PC2).

Ran an Avira scan and found 'TR/Dldr.Keenval.B.2' [trojan] in a file that was probably from about 1999 or so, that many antivirus programs have missed.

It also found the same 'trojan' in the System Restore files.
Quote:
The file 'C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP693\A0061527.exe' contained a virus or unwanted program 'TR/Dldr.Keenval.B.2' [trojan]
Action(s) taken: The file was moved to '4a2d8ec9.qua'!
First, I tried scanning in 'Safe Mode' in order to clean the 'Restore' file, but it didn't work.

Do I need to delete all the 'Restore' files?

Same thing goes on the laptop. Avira scans are finding ADSPY/MySearch.G.1 [adware] in C:\System Volume Information\_restore......\A0095047.dll

It is also finding a 'trojan' in the 'Restore' files.

Again, do I need to delete all the Restore files or can they be cleaned?

Thanks!
TOGG (Member, 5,633 posts; joined Apr 2002; Birmingham, England)
05-May-2009, 05:30 PM #2
I think you do have to delete Restore Points to clear them of malware but I'm not certain of the method, so wait for a more knowledgeable response before you do anything because it's not free from risk.

While you are waiting it would probably be a good idea to run one or more online scans to get a second opinion as to the malware present on both computers. I only know of this one; http://www.eset.eu/online-scanner (read the Terms of Use if you do decide to try it), but there may be others listed in one of the 'Sticky' threads at the top of the Malware Removal Forum.

If you do run online scans don't be surprised if they seem to 'find' different things. Security companies often use different names for what is actually the same malware already found by another program.
Sasquatch (Thread Starter)
05-May-2009, 05:35 PM #3
Quote:
Originally Posted by TOGG
If you do run online scans don't be surprised if they seem to 'find' different things. Security companies often use different names for what is actually the same malware already found by another program.
Yes, I figured that out the other night when doing research on some of the things that Avira was finding. The "bugs" have different names at every anti-virus company it seems.

Avira's web site explains a procedure to delete the Restore points I think... I'll have to check. Just didn't want to do it if there was a better way.

Thanks.
WhitPhil (Trusted Advisor, 8,684 posts; joined Oct 2000; Whitby, Ontario)
05-May-2009, 05:45 PM #4
Quote:
Originally Posted by Sasquatch
Avira's web site explains a procedure to delete the Restore points I think... I'll have to check. Just didn't want to do it if there was a better way.

Thanks.
Just disable System Restore, reboot and re-enable it.

When it found the virus 'TR/Dldr.Keenval.B.2' [trojan] in a file that was probably from about 1999 or so, what is the filename and what folder is it in?

If you have heuristics turned on, Avira could be finding it in error.
TOGG
05-May-2009, 05:48 PM #5
Here's the link to the Security Tools; http://forums.techguy.org/malware-re...elp-tools.html Running online scans first would still be a good idea in case the Avira findings are false positives.

Although I don't know much about Restore points, I think the 'risk' in deleting them is what would happen if your system suffered a serious crash immediately afterwards! If you don't have a backup system, such as an 'image' on an external hard drive, you could be in trouble.
perfume (Account Disabled, 2,011 posts; joined Sep 2008; Experience: Intermediate++)
06-May-2009, 03:49 AM #6
Quote:
Originally Posted by Sasquatch
(post #1 quoted in full)
Dear Sasquatch,
There are two things to consider here. 1) whether the Trojan diagnosis was right or an "error" as pointed out. 2) The backup. How can you backup an OS which is infected? Pointless, as it looks to me!

So, what can we do now? To resolve the first issue, kindly visit the jotti online malware scan and submit the suspect files for in-depth analysis by twenty different A-Vs (as you know the path to the files, it should not be a prob.). That will clear up any doubts regarding the Trojan infection. If it is a Trojan infection, which was there since 1999 (is the year right?), you must post a HijackThis log in the malware forum for analysis and further help!

The backup can be done later, OR if jotti comes up with an o.k. (nothing found), then it's party time and you can take a backup and Restore, preferably (as Rich-M mentioned) to an extn. HD, which is the norm these days. Best Wishes.
JamesFrance (Member, 85 posts; joined Jun 2007; Languedoc, France)
06-May-2009, 08:45 AM #7
A safer method of removing restore points is here:

How to remove all previous infected restore points.

Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
WhitPhil
06-May-2009, 01:48 PM #8
Note though that the newly created one will also have a copy of the yet-to-be-identified trojan/virus.

This file needs to be resolved first, before creating new Restore Points.
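As an added example (not from the thread, and not Avira's own tooling), a small Python triage script that parses report lines in the format Sasquatch quoted in post #1, separates hits that are only restore-point copies (under System Volume Information\_restore{GUID}\RPnnn\) from hits in live files, and applies WhitPhil's caveat from post #8 that a fresh restore point should not be created while a live hit is unresolved. The sample report, the 'C:\Old Stuff' path and the later .qua names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format of the Avira report quoted in post #1; the first and
# third paths come from the thread, the 'Old Stuff' path and later .qua names are invented.
SAMPLE_REPORT = r"""
The file 'C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP693\A0061527.exe' contained a virus or unwanted program 'TR/Dldr.Keenval.B.2' [trojan]
Action(s) taken: The file was moved to '4a2d8ec9.qua'!
The file 'C:\Old Stuff\setup1999.exe' contained a virus or unwanted program 'TR/Dldr.Keenval.B.2' [trojan]
Action(s) taken: The file was moved to '4a2d8eca.qua'!
The file 'C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP700\A0095047.dll' contained a virus or unwanted program 'ADSPY/MySearch.G.1' [adware]
Action(s) taken: The file was moved to '4a2d8ecb.qua'!
"""

DETECTION_RE = re.compile(r"^The file '(?P<path>[^']+)' contained a virus or unwanted program "
                          r"'(?P<name>[^']+)' \[(?P<kind>[^\]]+)\]$")
ACTION_RE = re.compile(r"^Action\(s\) taken: The file was moved to '(?P<qua>[^']+)'!$")
# Restore-point copies sit under System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE)

@dataclass
class Finding:
    path: str
    name: str                             # e.g. TR/Dldr.Keenval.B.2
    kind: str                             # trojan, adware, ...
    quarantine: Optional[str] = None      # .qua file the hit was moved to
    restore_point: Optional[str] = None   # RPnnn when the hit is only a restore-point copy

def parse_report(text: str) -> list:
    """Pair each 'The file ...' line with the 'Action(s) taken' line that follows it."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := DETECTION_RE.match(line):
            rp = RESTORE_POINT_RE.search(m["path"])
            findings.append(Finding(m["path"], m["name"], m["kind"],
                                    restore_point=rp["rp"] if rp else None))
        elif (m := ACTION_RE.match(line)) and findings and findings[-1].quarantine is None:
            findings[-1].quarantine = m["qua"]
    return findings

def triage(findings: list) -> dict:
    """Restore-point copies are cleared by flushing restore points; live files need a
    second-opinion scan first, since a heuristic hit may be a false positive."""
    live = [f.path for f in findings if not f.restore_point]
    return {
        "restore_point_copies": sorted({f.restore_point for f in findings if f.restore_point}),
        "live_files": live,
        # Post #8's caveat: a new restore point would snapshot any unresolved live hit too.
        "ok_to_create_new_restore_point": not live,
    }
```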
Sasquatch (Thread Starter)
06-May-2009, 03:39 PM #9
Quote:
Originally Posted by WhitPhil
Just disable System Restore, reboot and re-enable it.

When it found the virus 'TR/Dldr.Keenval.B.2' [trojan] in a file that was probably from about 1999 or so, what is the filename and what folder is it in?

If you have heuristics turned on, Avira could be finding it in error.
I do have the heuristics turned on, so it could be a false positive. I'll check the backup folder on my other HDD to see. The file on this HDD has been quarantined and deleted just to be "safe" since I didn't need that file intact any longer.
Quote:
Originally Posted by TOGG
Here's the link to the Security Tools; http://forums.techguy.org/malware-re...elp-tools.html Running online scans first would still be a good idea in case the Avira findings are false positives.

Although I don't know much about Restore points, I think the 'risk' in deleting them is what would happen if your system suffered a serious crash immediately afterwards! If you don't have a backup system, such as an 'image' on an external hard drive, you could be in trouble.
As noted above, I'm in the process of setting up this new PC "at my leisure", so I actually have two "backup HDD images" right now. I'm in decent shape there.
Quote:
Originally Posted by perfume
So, what can we do now? To resolve the First issue, kindly visit the jotti online malware scan and submit the suspect files for in-depth analysis by Twenty different A-Vs ( as you know the path to the files, should not be a prob.). That will clear up any doubts regarding the Trojan infection. If it is a Trojan infection, which was there since 1999(is the year right?), you must post a HijackThis log in the malware forum for analysis and further help!
I'll do that and post my results.
Quote:
Originally Posted by JamesFrance
A safer method of removing restore points is here:

How to remove all previous infected restore points.

Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
Thanks, JamesFrance!

I'll run the online scans as soon as I can and post the findings here so we can close this soon.

Thanks everyone.