How to remove SHeur2 rootkit-gen virus on a 64-bit machine?

Anybody have any idea?

The critical feature for doing this, “Boot-Time Scan”, is unavailable for 64-bit machines.

Anybody know a workaround? Another technique? Another software better suited for 64-bit machines?

TIA

I have answered your other topic, http://forum.avast.com/index.php?topic=47367.0.

Norman Malware Cleaner

http://www.norman.com/support/support_tools/58732/en

Thanks DavidR, saw your post and I appreciate it.

Thanks for the link Pondus, will look into it. I appreciate it.

Well, I tried running Avast in safe mode as well as AVG in safe mode, but neither program was able to remove the problem, assuming it’s still there.

Here’s what I get when I first start up: a popup window telling me a program wants to run whose identity is unknown. It’s in C:\System Volume Information\_restore{39810A01… and its name is A0067216.exe. I of course select the cancel button instead of the run button, but it’s there every time I boot up.

Anybody know what’s going on here? I don’t see any mischief going on once I go about my usual tasks, but it bothers me that this “warning” pops up each time Windows loads. I keep thinking that the virus is still there, if only I could run a Boot-Time Scan to isolate it and eradicate it.

Did you try the other anti-rootkit tools in David’s reply? That file path is a system restore point; you need to disable system restore to delete the file from there, then re-enable system restore again.

Hi Frustrated Avast User,

Please stick to one thread, it will get very confusing otherwise…

You’re running avast! and AVG at the same time?
Not a good idea…
Pick one and stick with it.

-Scott-

Not sure what you mean by sticking to one thread. This is the only thread where I’m discussing the specific virus problem and looking for solutions. The other thread, which you are apparently confusing as a duplicate thread, was asking why the Boot-Time Scan feature in Avast 4.x was not available for 64bit operating systems.

No, I never said I was running Avast and AVG at the same time. I ran each one separately in safe mode to see if either one could find and eradicate the problem.

Thanks for your reply.

I tried running the Norman Malware Cleaner in safe mode but this too failed to find the problem.

So you’re saying if I disable the system restore I’ll be able to delete the “A0067216.exe” file? And there’s no harm in deleting this file? I was assuming that the file got contaminated but that it’s a necessary file nonetheless and must be in the system, that it would first need to be scrubbed to remove the contaminant and restored to its original state. So you think there’s no harm in deleting the file outright, that the file itself is the contaminant and needs to be deleted?

TIA

There is no harm deleting system restore points. I delete them all the time.

There might be no direct harm in deleting restore points, but what it does is lose any possibility of using system restore to go back and resolve a problem.

For the most part avast doesn’t require you to disable system restore to remove an infected restore point, and if need be the boot-time scan should be able to overcome that. This leaves clean restore points intact, allowing for future use of system restore.

This is what I meant: you asked about the virus in both, were responded to in the other, and are replying in this one. It is confusing…

Regardless, disabling system restore will delete the restore points.

Just a side note: how exactly did you realise you had the infection?
Was it just the file trying to run from system restore or was there another detection?

The point about the two AVs:
It doesn’t matter whether you run one at a time; having 2 installed is not a good idea.
As I said before, this will cause complications later.

Edit: Didn’t see DavidR’s post… but isn’t it 64-bit, so no boot-time scan?

Ah, yes it is 64bit so no boot-time scan, however disabling system restore I would only do if whatever the problem was related to the windows/system folders or an infected restore point and avast couldn’t remove it from the location.

I’m somewhat confused as to how a restore point is trying to run as to all intents and purposes a restore point is inert. The system volume information folder is a protected area and system restore creates the restore point, changing the original file name to one it assigns.

So I don’t know if a controlling element outside of system restore could run a file placed in a restore point, as it shouldn’t know what the file name was changed to. What exactly is displaying the message about it trying to run?

To the same degree I don’t know if it is possible for a malicious process to create its own fake malicious restore point, given that it is meant to be a protected area and given, as I thought, that 64-bit OSes have tighter security controls.

So I’m a little unsure a) how/if this can be done and b) where that run command might be (see #### below).

It could be a start-up command (I don’t know if a 64-bit OS has msconfig’s startup tab) or a registry entry; do a registry search for the A0067216.exe file name in the data or value fields.
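A read-only way to carry out the startup/registry search suggested above on a 64-bit Windows machine, written here as an added example and not something posted in the thread. It takes the file name from the posts (A0067216.exe) as a parameter, walks the usual Run/RunOnce keys (including the Wow6432Node view that 32-bit programs write to on 64-bit Windows), the Winlogon Shell and Userinit values, and the per-user and all-users Startup folders, and reports any entry whose command line contains that file name or points inside System Volume Information, where no legitimate autorun should point. Checking Wow6432Node, Winlogon and the Startup folders goes beyond what the post names; the script only reports and changes nothing.

```powershell
# Added example, not from the forum thread: report autorun entries that
# reference a given file name or anything under System Volume Information.
# Read-only: it lists findings, it does not delete or modify anything.
param(
    [string]$FileName = 'A0067216.exe'   # file name from the thread; change as needed
)

# Common autorun registry locations. On 64-bit Windows, 32-bit programs write
# to the Wow6432Node view, so both views are checked.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-Suspicious {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # Match the exact file name (escaped, so the dot is literal) or any
    # path into the protected System Volume Information folder.
    return ($Command -match [regex]::Escape($FileName)) -or
           ($Command -match 'System Volume Information')
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if (Test-Suspicious $p.Value) {
            $findings += [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Command  = $p.Value
            }
        }
    }
}

# Winlogon Shell and Userinit are autorun values as well; they should
# normally hold explorer.exe and userinit.exe respectively.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Shell', 'Userinit') {
    $val = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if (Test-Suspicious $val) {
        $findings += [pscustomobject]@{ Location = $winlogon; Name = $name; Command = $val }
    }
}

# Startup folders (current user and all users): resolve each shortcut's target.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if (Test-Suspicious $target) {
            $findings += [pscustomobject]@{ Location = $dir; Name = $lnk.Name; Command = $target }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No autorun entry references '$FileName' or System Volume Information."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and the all-users Startup folder are readable; a hit tells you which location launches the file, which is the information needed before deciding whether the entry and the restore point it points at should be removed.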