
Recently installed Avira - finding 'Trojans' and Malware...

Discussion in 'General Security' started by Sasquatch, May 5, 2009.

Thread Status:
Not open for further replies.
  1. Sasquatch

    Sasquatch Thread Starter

    Joined:
    Dec 2, 2002
    Messages:
    308
    Have used AVG Free for years on the PC and laptop - both running XP Home, SP2, with IE7 on the PC and IE6 on the laptop. Now have a second PC I'm transitioning the old desktop stuff to. Have AVG on the old PC and Avira on the new PC (will refer to as PC1 and PC2).

    Ran an Avira scan and found 'TR/Dldr.Keenval.B.2' [trojan] in a file that was probably from about 1999 or so, that many antivirus programs have missed.

    It also found the same 'trojan' in the System Restore files.
    First, I tried scanning in 'Safe Mode' in order to clean the 'Restore' file, but it didn't work.

    Do I need to delete all the 'Restore' files?

    Same thing goes on the laptop. Avira scans are finding ADSPY/MySearch.G.1 [adware] in C:\System Volume Information\_restore......\A0095047.dll

    It is also finding a 'trojan' in the 'Restore' files.

    Again, do I need to delete all the Restore files or can they be cleaned?

    Thanks!
     
  2. TOGG

    TOGG

    Joined:
    Apr 2, 2002
    Messages:
    5,700
    I think you do have to delete Restore Points to clear them of malware but I'm not certain of the method, so wait for a more knowledgeable response before you do anything because it's not free from risk.

    While you are waiting it would probably be a good idea to run one or more online scans to get a second opinion as to the malware present on both computers. I only know of this one: http://www.eset.eu/online-scanner (read the Terms of Use if you do decide to try it), but there may be others listed in one of the 'Sticky' threads at the top of the Malware Removal Forum.

    If you do run online scans don't be surprised if they seem to 'find' different things. Security companies often use different names for what is actually the same malware already found by another program.
     
  3. Sasquatch

    Sasquatch Thread Starter

    Joined:
    Dec 2, 2002
    Messages:
    308
    Yes, I figured that out the other night when doing research on some of the things that Avira was finding. The "bugs" have different names at every anti-virus company it seems.

    Avira's web site explains a procedure to delete the Restore points I think... I'll have to check. Just didn't want to do it if there was a better way.

    Thanks.
     
  4. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    Just disable System Restore, reboot and re-enable it.

    When it found the virus 'TR/Dldr.Keenval.B.2' [trojan] in a file that was probably from about 1999 or so, what is the FileName and what folder is it in?

    If you have heuristics turned on, Avira could be finding it in error.
     
  5. TOGG

    TOGG

    Joined:
    Apr 2, 2002
    Messages:
    5,700
    Here's the link to the Security Tools: http://forums.techguy.org/malware-removal-hijackthis-logs/110854-security-help-tools.html Running online scans first would still be a good idea in case the Avira findings are false positives.

    Although I don't know much about Restore points, I think the 'risk' in deleting them is what would happen if your system suffered a serious crash immediately afterwards! If you don't have a backup system, such as an 'image' on an external hard drive, you could be in trouble.
     
  6. perfume

    perfume Banned

    Joined:
    Sep 12, 2008
    Messages:
    2,011
    Dear Sasquatch,
    There are two things to consider here. 1) whether the Trojan diagnosis was right or an "error" as pointed out. 2) The backup. How can you backup an OS which is infected? Pointless, as it looks to me!

    So, what can we do now? To resolve the first issue, kindly visit the jotti online malware scan and submit the suspect files for in-depth analysis by twenty different A-Vs (as you know the path to the files, it should not be a prob.). That will clear up any doubts regarding the Trojan infection. If it is a Trojan infection, which was there since 1999 (is the year right?), you must post a HijackThis log in the malware forum for analysis and further help!

    The backup can be done later, OR if jotti comes up with an OK (nothing found), then it's party time and you can take a backup and Restore, preferably (as Rich-M mentioned) to an extn. HD, which is the norm these days. Best Wishes (y) :)
     
  7. JamesFrance

    JamesFrance

    Joined:
    Jun 3, 2007
    Messages:
    85
    A safer method of removing restore points is here:

    How to remove all previous infected restore points.

    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and OK it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.
     
  8. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    Note though, that the newly created one will also have a copy of the yet to be defined trojan/virus.

    This file needs to be resolved first, before creating new Restore Points.
     
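The restore-point purge described in posts 7 and 8, as an added example that is not from any poster in this thread: it follows WhitPhil's disable/re-enable method (which discards every existing restore point) and only then creates a fresh baseline, so the new point is taken after the flagged file has been dealt with rather than before. It assumes Windows 7 or later with Windows PowerShell run as Administrator, since the XP Disk Cleanup steps above have no cmdlet equivalent.

```powershell
# Assumption: Windows PowerShell (5.1), elevated; $Drive is the system volume.
$Drive = 'C:\'

# Show what is about to be discarded so the operator can record it first.
Write-Host "Existing restore points on $Drive :"
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, CreationTime |
    Format-Table -AutoSize

# Gate on the caveat from post 8: the flagged file must be quarantined or
# confirmed clean BEFORE a new point is created, or the point re-captures it.
$answer = Read-Host 'Has the flagged file been removed/quarantined or confirmed clean? (y/n)'
if ($answer -ne 'y') {
    Write-Warning 'Resolve the flagged file first; no restore points were changed.'
    return
}

# Disabling System Restore on the volume deletes all of its restore points.
Disable-ComputerRestore -Drive $Drive
# Re-enabling leaves the feature on with an empty restore-point set.
Enable-ComputerRestore -Drive $Drive

# Create one clean baseline point (description is a constructed label).
Checkpoint-Computer -Description 'Clean baseline after AV cleanup' `
                    -RestorePointType 'MODIFY_SETTINGS'

Write-Host 'Remaining restore points:'
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, CreationTime |
    Format-Table -AutoSize
```

On Windows 8 and later, Checkpoint-Computer silently skips creating a point if one was made in the previous 24 hours, so check the final listing rather than assuming the baseline exists.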
  9. Sasquatch

    Sasquatch Thread Starter

    Joined:
    Dec 2, 2002
    Messages:
    308
    I do have the heuristics turned on, so it could be a false positive. I'll check the backup folder on my other HDD to see. The file on this HDD has been quarantined and deleted just to be "safe" since I didn't need that file intact any longer.
    As noted above, I'm in the process of setting up this new PC "at my leisure", so I actually have two "backup HDD images" right now. I'm in decent shape there.
    I'll do that and post my results.
    Thanks, JamesFrance! (y)

    I'll run the online scans as soon as I can and post the findings here so we can close this soon.

    Thanks everyone.
     
Short URL to this thread: https://techguy.org/824569