[Sasquatch]

Have used AVG Free for years on the PC and laptop - both running XP Home, SP2, with IE7 on the PC and IE6 on the laptop. Now have a second PC I'm transitioning the old desktop stuff to. Have AVG on the old PC and Avira on the new PC (will refer to as PC1 and PC2).

Ran an Avira scan and found TR/Dldr.Keenval.B.2' [trojan] in a file that was probably from about 1999 or so, that many antivirus programs have missed.

It also found the same 'trojan' in the System Restore files.

Quote:

The file 'C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP693\A0061527.exe' contained a virus or unwanted program 'TR/Dldr.Keenval.B.2' [trojan]
Action(s) taken: The file was moved to '4a2d8ec9.qua'!

First, I tried scanning in 'Safe Mode' in order to clean the 'Restore' file, but it didn't work.

Do I need to delete all the 'Restore' files?

Same thing goes on the laptop. Avira scans are finding ADSPY/MySearch.G.1 [adware] in C:\System Volume Information\_restore......\A0095047.dll

It is also finding a 'trojan' in the 'Restore' files.

Again, do I need to delete all the Restore files or can they be cleaned?

Thanks!

[TOGG]

I think you do have to delete Restore Points to clear them of malware but I'm not certain of the method, so wait for a more knowledgeable response before you do anything because it's not free from risk.

While you are waiting it would probably be a good idea to run one or more online scans to get a second opinion as to the malware present on both computers. I only know of this one; http://www.eset.eu/online-scanner (read the Terms of Use if you do decide to try it), but there may be others listed in one of the 'Sticky' threads at the top of the Malware Removal Forum.

If you do run online scans don't be surprised if they seem to 'find' different things. Security companies often use different names for what is actually the same malware already found by another program.

[Sasquatch]

Quote:

Originally Posted by TOGG

If you do run online scans don't be surprised if they seem to 'find' different things. Security companies often use different names for what is actually the same malware already found by another program.

Yes, I figured that out the other night when doing research on some of the things that Avira was finding. The "bugs" have different names at every anti-virus company it seems.

Avira's web site explains a procedure to delete the Restore points I think... I'll have to check. Just didn't want to do it if there was a better way.

Thanks.

[WhitPhil]

Quote:

Originally Posted by Sasquatch

Avira's web site explains a procedure to delete the Restore points I think... I'll have to check. Just didn't want to do it if there was a better way.

Thanks.

Just disable System Restore, reboot and re-enable it.

When it found the virus in TR/Dldr.Keenval.B.2' [trojan] in a file that was probably from about 1999 or so what is the FileName and what folder is it in?

If you have heuristics turned on, Avira could be finding it in error.

[TOGG]

Here's the link to the Security Tools; http://forums.techguy.org/malware-re...elp-tools.html Running online scans first would still be a good idea in case the Avira findings are false positives.

Although I don't know much about Restore points, I think the 'risk' in deleting them is what would happen if your system sufferred a serious crash immediately afterwards! If you don't have a backup system, such as an 'image' on an external hard drive, you could be in trouble

[perfume]

Quote:

Originally Posted by Sasquatch

Have used AVG Free for years on the PC and laptop - both running XP Home, SP2, with IE7 on the PC and IE6 on the laptop. Now have a second PC I'm transitioning the old desktop stuff to. Have AVG on the old PC and Avira on the new PC (will refer to as PC1 and PC2).

Ran an Avira scan and found TR/Dldr.Keenval.B.2' [trojan] in a file that was probably from about 1999 or so, that many antivirus programs have missed.

It also found the same 'trojan' in the System Restore files.

First, I tried scanning in 'Safe Mode' in order to clean the 'Restore' file, but it didn't work.

Do I need to delete all the 'Restore' files?

Same thing goes on the laptop. Avira scans are finding ADSPY/MySearch.G.1 [adware] in C:\System Volume Information\_restore......\A0095047.dll

It is also finding a 'trojan' in the 'Restore' files.

Again, do I need to delete all the Restore files or can they be cleaned?

Thanks!

Dear Sasquatch,
There are two things to consider here. 1) whether the Trojan diagnosis was right or an "error" as pointed out. 2) The backup. How can you backup an OS which is infected? Pointless, as it looks to me!

So, what can we do now? To resolve the First issue, kindly visit the jotti online malware scan and submit the suspect files for in-depth analysis by Twenty different A-Vs ( as you know the path to the files, should not be a prob.). That will clear up any doubts regarding the Trojan infection. If it is a Trojan infection, which was there since 1999(is the year right?), you must post a HijackThis log in the malware forum for analysis and further help!

The backup can be done later, OR if jotti comes up with an o. k (nothing found), then it's party time and you can take a backup and Restore, preferably (as Rich-M mentioned) to an extn. HD, which is the norm these days. Best Wishes

[JamesFrance]

A safer method of removing restore points is here:

How to remove all previous infected restore points.

Go to Start > All Programs > Accessories > System Tools > System Restore

• Select Create a restore point, and Ok it.
  
• Next, go to Start > Run and type in cleanmgr
  
• Select the More options tab
  
• Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

[WhitPhil]

Note though, that the newly one created will also have a copy of the yet to be defined trojan/virus.

This file needs to be resolved first, before creating new Restore Points.

[Sasquatch]

Quote:

Originally Posted by WhitPhil

Just disable System Restore, reboot and re-enable it.

When it found the virus in TR/Dldr.Keenval.B.2' [trojan] in a file that was probably from about 1999 or so what is the FileName and what folder is it in?

If you have heuristics turned on, Avira could be finding it in error.

I do have the heuristics turned on, so it could be a false positive. I'll check the backup folder on my other HDD to see. The file on this HDD has been quarantined and deleted just to be "safe" since I didn't need that file intact any longer.

Quote:

Originally Posted by TOGG

Here's the link to the Security Tools; http://forums.techguy.org/malware-re...elp-tools.html Running online scans first would still be a good idea in case the Avira findings are false positives.

Although I don't know much about Restore points, I think the 'risk' in deleting them is what would happen if your system sufferred a serious crash immediately afterwards! If you don't have a backup system, such as an 'image' on an external hard drive, you could be in trouble

As noted above, I'm in the process of setting up this new PC "at my leisure", so I actually have two "backup HDD images" right now. I'm in decent shape there.

Quote:

Originally Posted by perfume

So, what can we do now? To resolve the First issue, kindly visit the jotti online malware scan and submit the suspect files for in-depth analysis by Twenty different A-Vs ( as you know the path to the files, should not be a prob.). That will clear up any doubts regarding the Trojan infection. If it is a Trojan infection, which was there since 1999(is the year right?), you must post a HijackThis log in the malware forum for analysis and further help!

I'll do that and post my results.

Quote:

Originally Posted by JamesFrance

A safer method of removing restore points is here:

How to remove all previous infected restore points.

Go to Start > All Programs > Accessories > System Tools > System Restore

• Select Create a restore point, and Ok it.
  
• Next, go to Start > Run and type in cleanmgr
  
• Select the More options tab
  
• Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Thanks, JamesFrance!

I'll run the online scans as soon as I can and post the findings here so we can close this soon.

Thanks everyone.