Cannot delete, move or rename even after turning off System Restore... help?

I ran an Avast thorough scan with high sensitivity for the first time and it found 5 infected files (I previously was running AVG but it missed them)! The reason I ran the virus software is because I had a message saying “administrator disabled taskbar”. I successfully got the taskbar to run after Avast did its job!

The result of the scan was that 3 of the 5 viruses were put in the chest, but the remaining two I could not rename, delete or put in the chest.

I followed instructions in Avast and turned off System Restore, rebooted, and tried scanning the files again. (I had trouble finding a couple… is there a way to just scan the ones that were flagged as not being able to be vaulted without having to scan the entire system again?) Avast flagged them as infected but AGAIN I could not delete them or move them or rename them. (I presume they are not false positives?)

When trying to remove it or rename it, Avast tells me that the file cannot be moved, renamed or deleted (even when I clicked “delete on system startup”).

Virus name:
Win32:Trojan-gen {Other}

The file resides in the following directories:

  1. C:\Documents and Settings\Owner\Local Settings\Application Data\{8E94F725-8C1B-4DBD-B9F5-A623113F7B57}\Pando.msi\Data1.cab\oovooinst.exe
  2. C:\System Volume Information.…\oovooinst.exe

FYI… the Win32:Trojan-gen{Other} was successfully moved to the chest from 3 other directories as follows!

  1. C:\Program Files\Pando Networks\Pando\oovoolnst.exe
  2. C:\Windows\MailSwitch.ocx
  3. C:\System Volume Information.…\A0277408.exe

Can you advise what I can do about this?

QUESTION 2…

I also had a bunch of files that Avast states “UNABLE TO SCAN: ARCHIVE IS PASSWORD PROTECTED”. The majority of them are Recovery.ini and Recovery.reg files (there are approx. 140 of these listed) and they reside in the following directory:
C:\Documents and Settings\All Users\application Data.…\sbRecovery.reg and Recovery.ini.

Other files that Avast states it is unable to scan due to archive password protected are bmp files and they reside in:

C:\Program Files\Common Files\Wise Installation Wizard.…(a bunch of .bmp files show up in this directory) It states the archive is password protected so Avast couldn’t scan them.

I have no idea about the password thing, nor do I know what these files are. Do I need to address them? Should I omit archive files when I do a thorough scan?

Thanks,
Janice

OK, for the files that can’t be removed by avast, you can either try a boot-time scan, or restart the computer in Safe Mode and delete the files manually.

As for the files that are “Password Protected” those files are just in a quarantine. Don’t worry about them. Avast can’t scan them because they are locked away in a quarantine to protect you and your computer from further damage.

The password protected .bmp files are strange though. See what avast does when you do schedule a boot time scan and report back to us.

I think the problem is where the infected file is located: it is inside two archives, first an .msi (installation file), then inside a .cab (cabinet archive file), and avast can’t extract, delete or move/rename it from deep inside these files:

C:\Documents and Settings\Owner\Local Settings\Application Data\{8E94F725-8C1B-4DBD-B9F5-A623113F7B57}\Pando.msi\Data1.cab\oovooinst.exe

The same is true of the detection found in the C:\System Volume Information.…\oovooinst.exe as it is effectively the same problem.

See this on pando.msi http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=Pando.msi; it appears that this is adware-supported, and I believe that this is what avast is alerting on.

Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

See http://forum.avast.com/index.php?topic=35347.msg297170#msg297170 this topic for more information on why files can’t be scanned.

If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right-click the avast icon, select Start avast! Antivirus; a memory scan will take place, followed by the opening of the Simple User Interface: Menu, ‘Schedule boot-time scan…’. Or see http://www.digitalred.com/avast-boot-time.php.
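An added example, not part of the thread and not Avast’s own code: a small Python triage script for the situation described in this reply. It reads detection lines in the shape of the log quoted later in the thread and, for each one, works out which file actually exists on disk (the outermost .msi or .cab in the reported path) versus what is merely a member unpacked from inside it, and flags copies that live in System Restore points under System Volume Information. The log grammar, the list of container extensions and the sample lines are assumptions modelled on what is posted here; Avast 4’s exact log format is not documented on this page.

```python
"""Triage AV detections that point inside archives or restore points.

Added example (not Avast's code, not the forum poster's). Answers the
question this thread is about: which file on disk holds the detection,
and therefore what can actually be deleted, uninstalled or purged.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Shape of the Avast 4.x log lines quoted in the thread. Assumption: every
# line follows it; the user/PID pair is optional because some quoted lines
# lack it, and quotes may be straight or curly after a copy-paste.
LOG_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?:(?P<user>\S+) (?P<pid>\d+) )?'
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.'
)

# Extensions the scanner unpacks and reports members of with a backslash,
# as if the archive were a folder. Assumption: membership in this set is
# what makes a path component a container; extend it for other formats.
CONTAINER_EXT = {".msi", ".cab", ".zip", ".rar", ".7z", ".jar"}

# Restore points live under this folder; only SYSTEM has rights to it.
RESTORE_MARK = "\\system volume information\\_restore{"


@dataclass
class Detection:
    signature: str
    reported_path: str
    container: str        # real file on disk holding the detection
    inner_path: str       # member path inside the container ("" if not nested)
    nesting: int          # archive layers between the disk file and the member
    in_restore_point: bool


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def split_container(path: str) -> Tuple[str, str, int]:
    """Split a reported path into (on-disk file, path inside it, layers).

    The first component with a container extension that is not the final
    component is the outermost archive; everything after it is inside.
    """
    parts = path.split("\\")
    for i, part in enumerate(parts[:-1]):
        if _ext(part) in CONTAINER_EXT:
            inner = parts[i + 1:]
            layers = 1 + sum(1 for p in inner[:-1] if _ext(p) in CONTAINER_EXT)
            return "\\".join(parts[: i + 1]), "\\".join(inner), layers
    return path, "", 0


def parse_line(line: str) -> Optional[Detection]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    container, inner, layers = split_container(path)
    return Detection(m.group("sig"), path, container, inner, layers,
                     RESTORE_MARK in path.lower())


def triage(lines: Iterable[str]) -> List[Detection]:
    return [d for d in (parse_line(l) for l in lines) if d is not None]


def advise(d: Detection) -> str:
    """One-line action per detection, following the advice given in the thread."""
    if d.in_restore_point:
        return "restore point: disable System Restore (purges all points), re-enable afterwards"
    if d.nesting:
        return (f"nested {d.nesting} layer(s) deep: the scanner cannot edit the member; "
                f"remove or uninstall the container {d.container}")
    return "plain file: boot-time scan or delete manually from Safe Mode"


def containers_to_act_on(dets: Iterable[Detection]) -> List[str]:
    """Unique on-disk files to deal with, restore-point copies excluded."""
    return sorted({d.container for d in dets if not d.in_restore_point})


# Constructed sample, modelled on the lines posted in the thread (the
# backslashes before '{' and '_restore' that the forum dropped are restored).
SAMPLE_LOG = [
    r'3/25/2009 3:30:27 PM Owner 856 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\Local Settings\Application Data\{8E94F725-8C1B-4DBD-B9F5-A623113F7B57}\Pando.msi\Data1.cab\oovooinst.exe" file.',
    r'3/25/2009 5:23:49 PM Owner 856 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Pando Networks\Pando\oovooInst.exe" file.',
    r'3/25/2009 8:06:52 PM Owner 856 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3A601F7E-0C8C-42EA-8CAD-C73AB55DD4C2}\RP696\A0277408.exe" file.',
    r'3/30/2009 9:47:16 AM Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3A601F7E-0C8C-42EA-8CAD-C73AB55DD4C2}\RP6\A0007434.msi\Data1.cab\oovooinst.exe" file.',
    "3/30/2009 9:50:00 AM some unrelated line the parser must skip",
]

if __name__ == "__main__":
    dets = triage(SAMPLE_LOG)
    for d in dets:
        print(f"{d.reported_path}\n  -> {advise(d)}")
    print("act on:", containers_to_act_on(dets))
```

Run as-is it prints one action per detection. The point it makes is the one in the reply above: the four detections collapse to two real files on disk (the cached Pando.msi and the installed oovooInst.exe), the member inside the .cab is not something the scanner can edit, and the restore-point copies go away by toggling System Restore rather than by deleting anything by hand.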

OK, so I ran the boot scan and it removed the file in the System Volume but not the Pando one buried in the .cab etc…

I’m sooooo happy I’m only dealing with one issue now as opposed to the many I came here with. Thank you sooooooo much!!! You guys are the best and so very kind for helping in this way.

Now… I’m going to the Pando website to see what to do about this file that may be malware (after I run Malwarebytes). If I can’t resolve it there I will start the system in Safe Mode and delete it… if I can figure that out!

OMG! I actually sound like I know what I’m talking about thanks to you.
Grateful in Florida,
Janice

http://www.flickr.com/photos/jan_in_paradise/sets/72157606174816525/

No problem, glad I could help.

Welcome to the forums.

OK… so now I’m really concerned…

When I did a full scan of my system, the files that had a virus in them and were vaulted showed up again! Could it be that I turned on system restore again? I thought after I shut it off that I should go back and turn it on after I cleaned up my files. So do I have to re-do everything I did and leave the system restore to off at all times?

(2)…
I can’t find how to access the system volume information folder. When I look at my list of directories I don’t see anything with that name. I want to delete it because I have a trojan in there that Avast wouldn’t delete or lock in the chest.

One more thing…
I ran the boot scan and see I have a couple of trojans. One of them was locked in the Pando file. When I followed the path to the Pando directory I couldn’t open it to access the “list of files” in that directory. I deleted the entire application by pressing Delete, and then deleting it from my Recycle Bin. Still, when I ran the boot scan again, the darned file still showed up as if it was still residing in the Pando directory.

‘whew’ … this is tiring work! I need to find out how to keep viruses out so I don’t have to do this again! I have Spybot, Malwarebytes and Avast running along with Windows Firewall… is there something else I need to run?

PS…
The .bat files didn’t show up this time on the scan.

Thanks for all your help.
Janice

Oops… I forgot to list the log file results… here ya go:

3/25/2009 3:30:27 PM Owner 856 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Owner\Local Settings\Application Data\{8E94F725-8C1B-4DBD-B9F5-A623113F7B57}\Pando.msi\Data1.cab\oovooinst.exe” file.
3/25/2009 5:23:49 PM Owner 856 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Pando Networks\Pando\oovooInst.exe” file.
3/25/2009 6:05:31 PM Owner 856 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{3A601F7E-0C8C-42EA-8CAD-C73AB55DD4C2}\RP696\A0277407.msi\Data1.cab\oovooinst.exe” file.
3/25/2009 8:06:52 PM Owner 856 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{3A601F7E-0C8C-42EA-8CAD-C73AB55DD4C2}\RP696\A0277408.exe” file.
3/25/2009 8:33:19 PM Owner 856 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\MailSwitch.ocx” file.

3/26/2009 2:01:38 AM Owner 856 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Owner\Local Settings\Application Data\{8E94F725-8C1B-4DBD-B9F5-A623113F7B57}\Pando.msi\Data1.cab\oovooinst.exe” file.
3/26/2009 9:46:46 AM Owner 3140 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Owner\Local Settings\Application Data\{8E94F725-8C1B-4DBD-B9F5-A623113F7B57}\Pando.msi\Data1.cab\oovooinst.exe” file.

3/30/2009 5:45:42 AM Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Owner\Local Settings\Application Data\{8E94F725-8C1B-4DBD-B9F5-A623113F7B57}\Pando.msi\Data1.cab\oovooinst.exe” file. I deleted this application (PANDO), which said it was a Windows Installer program of some sort (I couldn’t open it to find this pando.msi directory and follow the path, so I deleted the entire application), but when I ran Avast this appeared again and it won’t let me delete it or move it etc. ‘sigh’ Is it OK that I deleted Pando?

3/30/2009 9:09:27 AM Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{3A601F7E-0C8C-42EA-8CAD-C73AB55DD4C2}\RP1\A0000006.msi\Data1.cab\oovooinst.exe” file. How do I get to this file? I can’t find a “System Volume Information” folder to open.

3/30/2009 9:47:16 AM Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{3A601F7E-0C8C-42EA-8CAD-C73AB55DD4C2}\RP6\A0007434.msi\Data1.cab\oovooinst.exe” file.

It’s a hidden folder, and only the system (not the users) has access rights to it.
Disable System Restore on Windows ME, XP or Vista. After disabling it you can enable it again.