Edit: New Danger: Malware infected a System Restore File!

Okay, so yesterday I did a thorough scan of the computer. It detected a trojan horse and the recommended action was to move it to the chest, so I did. I didn’t know what to do… and so the next day I restored the file and then deleted it from the chest. Then I did another thorough scan (my sister checked her msn and facebook during the middle of the scan and I tried to tell her, but she ignored me) and some files could not be scanned because of something that starts with A… or something. Anyway, the trojan was detected again and I don’t know what to do. How can I permanently remove this trojan from the computer?

I have Windows XP. I really don’t have any idea what service packs I have… but we do all Windows Updates via Turn Off when available.
The virus is called JS:Cardst [trj]
C:\Documents and Settings-my sister’s account name, which I will not tell-\Local Settings\Temp\WERb3b9.dir00

EDIT: Why is nobody answering?? :cry:

  • System Restore -
    Oh noes! A malware … or maybe a trojan has infected a System Restore file, which I heard is bad. What should I do???
    My other computer is still scanning, and I moved it to the chest so I can’t see it right now. Please help!

Can somebody please answer??? :cry:

If I’m reading your post correctly, you restored the file, then deleted it from the chest? If so, that’s (one possible) way it got back onto the computer.
This is a trojan horse, for stealing CC info. (Many trojans re-spawn themselves after a restart.)
Some info about the named trojan here: http://www.f-prot.com/virusinfo/descriptions/cardst.html
What I’d do is run a full disk cleanup, given that it seems to be based in the temporary files. And clear the Java cache.
For the former: Start>programs>accessories>system tools> disk cleanup. Tick everything except “compress old files” (which I’ve found can cause problems).
For the second, Control Panel>Java>Temporary internet files>Settings>Delete files.
Check Avast is up to date. Run a full scan again. If it finds the file, upload it to http://www.virustotal.com/
After a few minutes the results from several different scanners will appear. The reason for doing this is to be sure it is malware, rather than a false positive.
Don’t have any other programs open on the computer, nor let your sister use it while this is going on.
Don’t perform any banking/CC transactions on this computer, until it’s known to be clean.

It’s normal for some files to be not able to be scanned. The reasons vary, and some of those reasons could start with an “A”. But I think it’s probably because they are archive files. That’s nothing to be concerned about.

You’ll have to check your windows update settings. Turn off when available isn’t a valid setting.
To find your service pack, Control Panel>System, it’s right there in the “general” tab. Probably SP2, or 3.

I don’t know why no-one (except me) answered, yet. Maybe some folk are asleep (or at work) on the other side of the world. The forum is contributed to by volunteers.

Hi,
let me elaborate on tarq57’s post.

Items in the chest stay in the chest. Just like Vegas.

Rt click on the ball and update avast
rt click on the ball and schedule a boot time scan
reboot
move your trojan to chest

create a folder C:\suspicious
copy whatever is in chest (except System backup files) to your new folder
C:\suspicious
go online to the virus total website
navigate to your new folder and upload each file
post the links back here

Task 2
any antispyware/ antimalware on your computer?
go to malwarebytes.org
run anti-malware free scan and Rogue Remover free scan
any hits, click REMOVE; a backup will be made
post the logs here

evidently A-squared also gets this one
http://www.emsisoft.com/en/malware/?Trojan.JS.Cardst
A-squared free
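An added example (not from this thread or any of its posters) that automates the hash step of the C:\suspicious procedure above: it fingerprints every file in the folder with SHA-256 and prints a VirusTotal lookup URL per file, so a file that VirusTotal has already analysed can be checked by hash before anything is uploaded. The folder path comes from the post; the `https://www.virustotal.com/gui/file/<sha256>` URL form is VirusTotal's current report URL (assumed here, the post only gives the site's home page); the sample file is constructed inline so the script runs offline on any machine.

```python
import hashlib
import os
import tempfile

SUSPICIOUS_DIR = r"C:\suspicious"  # folder the post says to create and fill from the chest
VT_LOOKUP = "https://www.virustotal.com/gui/file/{sha256}"  # assumed current report URL form


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks; the file is only read, never executed or modified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_folder(folder):
    """Return {filename: sha256} for every regular file directly inside folder."""
    results = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            results[name] = sha256_of_file(path)
    return results


def lookup_urls(hashes):
    """Map each filename to the VirusTotal report URL for its hash (nothing is uploaded)."""
    return {name: VT_LOOKUP.format(sha256=h) for name, h in hashes.items()}


def make_sample_dir():
    """Constructed stand-in for C:\\suspicious: a temp folder with one harmless file."""
    folder = tempfile.mkdtemp(prefix="suspicious_")
    with open(os.path.join(folder, "sample.bin"), "wb") as f:
        f.write(b"abc")  # constructed content, not a real quarantined file
    return folder


if __name__ == "__main__":
    folder = SUSPICIOUS_DIR if os.path.isdir(SUSPICIOUS_DIR) else make_sample_dir()
    for name, url in lookup_urls(hash_folder(folder)).items():
        print(f"{name}\n  {url}")
```

If the hash is unknown to VirusTotal, the report page will offer to upload the file, which is the step the post describes.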

Oh… and I have Service Pack 2.
Thanks Tarq for telling me my email was on my profile. I didn’t even know it was on there!

Wyrmrider - Sorry, I don’t know much about computers, but my sister told me that a reboot removes all programs downloaded by the user. Is that correct??

it might if they are in Temp
download to a folder you create in “program files” if you want to keep them
also your download program will have a copy if you have not cleaned it up

but yes - if you just click “open” instead of “save” they are most likely gone
give your sister a big thanks

remember where you “save” keep it simple

CCleaner (Slim version) is the best tool to clean your hard drive.

Oh dang… most of the programs on my computer (except the ones downloaded in Mozilla Firefox where save is the only option - including avast) were downloaded by clicking ‘Run’. Is that … bad? And if it is… oh my goodness, what should I do??

Oh, and I followed Tarq57’s advice and it worked. JS:Cardst was not detected. Now my other computer where I first tried avast is infected by Malware, but it only affected Java Temporary Files, so I’ll just clear those.

I would never advise download and run in one step as you never know what might be in that executable.

It is best to save to your hard disk first followed by an avast scan of the file (right click) and install off-line if that proves clear.

If you still find a virus in system restore, check out the link in my post Here: http://forum.avast.com/index.php?topic=38160.0

Follow the directions for Windows XP. Don’t forget to turn System Restore back on when you’re done.