What to do if a trojan is found in System Restore?

There are trojans found in my System Restore when I scanned my drive with avast Home Edition.
The names of the trojans are:

win32: Swizzor [trj]
win32: Trojan-gen {other}
win32: Agent-EID [trj]
win32: Spyware-gen [trj]

What to do next?

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERAntiSpyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then re-enable it again.
  7. Immunize your system with SpywareBlaster.
  8. Check if you have insecure applications with Secunia Software Inspector.

Step 2 could clean (and, as a side effect, break) the System Restore points.
Step 6 will delete all restore points (you can create a new one after that).

Here is my HijackThis log file, attached.

If you know where they are located, post a VirusTotal result for them, and if you feel unsure you can always move them to the Chest, as it says is recommended for most people and by ALWIL itself :slight_smile:

Correct me if I'm wrong.

Thanks.

Mr.Agent


Not much to worry about in your HJT log except for …

We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

Since these were found in System Restore, I suggest you turn off System Restore, restart your computer, and then turn System Restore on again. Create a new restore point.
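The procedure given in step 6 above and repeated here (disable System Restore, restart, enable it again, create a new restore point), as an added example that is not part of this thread: a PowerShell script using the built-in System Restore cmdlets. It assumes an elevated PowerShell session on Windows Vista or later (these cmdlets are not available on Windows XP) and a system drive of C:\; function names are my own.

```powershell
# Added example, not from the thread. Assumes elevated PowerShell on
# Windows Vista or later with System Restore on drive C:\.

function Assert-Elevated {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $role = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($role)) {
        throw "Run this from an elevated (Administrator) PowerShell session."
    }
}

# Step 1 of the thread's advice: disabling System Restore discards every
# restore point on the drive, which is where the flagged copies live.
function Clear-RestorePoints {
    param([string]$Drive = "C:\")
    Assert-Elevated
    $before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    Write-Host ("Restore points before: {0}" -f $before.Count)
    Disable-ComputerRestore -Drive $Drive
    # The thread recommends a reboot here before re-enabling.
}

# Step 2: re-enable System Restore and create a known-clean baseline.
function New-CleanBaseline {
    param([string]$Drive = "C:\")
    Assert-Elevated
    Enable-ComputerRestore -Drive $Drive
    # Caveat: Windows 8 and later allow only one checkpoint per 24 hours
    # by default, so this call may be silently skipped on a fresh system.
    Checkpoint-Computer -Description "Clean baseline after malware cleanup" `
                        -RestorePointType "MODIFY_SETTINGS"
    $after = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    Write-Host ("Restore points after: {0}" -f $after.Count)
    return $after
}

# Usage: run Clear-RestorePoints, restart, then run New-CleanBaseline.
Clear-RestorePoints -Drive "C:\"
# Restart-Computer
# New-CleanBaseline -Drive "C:\"
```

The count printed after New-CleanBaseline should be exactly one, the new baseline; if the old points survive, System Restore was not actually disabled on that drive.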



Hi samnetx -

I have not been able to be here for a few days, plus I have been doing a little research that was suggested by a friend on here. It seems that win32: Swizzor [trj], etc. is a sign of a lop infection. So, it seems you may have had a lop infection in the past, since these were found in System Restore on your computer. Do you remember having a bad computer infection during the recent past?

If you would like, you can follow the below instructions to be sure you do not still have the remains of a lop infection. You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure “Run fixit” is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt and the new HJT log.


Again I found something in System Restore.

Previously, when trojans were found, I disabled System Restore and enabled it again.
I found adware in System Restore, detected by Malwarebytes.
SUPERAntiSpyware detected a trojan and spyware in System Restore and the registry.
Nothing is found in the folders WINDOWS and PROGRAM FILES scanned by MBAM and SAS.

I reinstalled Outpost Firewall Pro 2009 because
I think it's happening due to Windows Firewall SP3, not avast Home shields.

My recent OS history:
Trojan.lop was detected in the recent past by MBAM.
I remember having a bad system infection; my OS crashed in the recent past.
With AVG: 3 times in 2007 I reinstalled Windows XP SP2.

With avast: 2 times in 2008 I reinstalled Windows XP SP2.

From November 2008 up to July 2009
I have not reinstalled Windows XP.
Nowadays I find no lack of performance in my computer, but I still find trojans, spyware and adware,
mostly in System Restore.

I want to know about FixWareout.

Here are my log files of MBAM and SAS, attached.

Charley, those links you posted seem to be dead, well, for me they are.

samnetx, if you are sure your system is clean (not including anything in System Restore), disable System Restore and re-enable it. You will lose all restore points, and anything in them.

Try disabling system restore for a few days and then enable it again.

It's not necessary to wait some days. Disable, boot, enable will be enough.


Sorry about the bad links. :frowning:

Yeah, I suggested fixing the restore points in my first post. Apparently, that was not followed.


Hi CharleyO

I really followed your suggestion the first time you asked me to: I turned off System Restore, restarted my computer and then turned System Restore on again, but I didn't create a restore point because one is created automatically when System Restore is turned on.

I was using Windows XP Firewall SP3 at that time. Now I have installed Outpost Firewall Pro 2009, since I found trojans & adware detected by SAS & MBAM once again. I use the internet about 5 to 8 hours daily and I think it is due to Windows Firewall SP3.
Nothing is detected by avast, MBAM & SAS in the folders [Windows] and [Program Files].

I don't know why trojans and adware are found in System Restore.

samnetx

If you post (attach) the MBAM and SAS logs, we can take a look at them to see what was found. That helps us to help you.

Hi DavidR

I have posted (attached) the MBAM and SAS logs in this topic on July 12, 2009. You can take a look at them to see what was found.

samnetx

Sorry, I thought you had run them again.

One more time, trojans were found in System Restore by MBAM.

I am unable to trace why it is happening again and again in System Restore.

I am surprised that SAS detected Comodo Memory Firewall files as infected; it may be a false positive.

samnetx

Found something in System Restore again.
View the screenshot

How do I send quarantined files of Malwarebytes Anti-Malware to VirusTotal?

I searched for the infected file, which I had quarantined earlier in MBAM, to send it to VirusTotal for analysis, but I am unable to find it on my hard disk.

Give me information on how to send a file to VirusTotal which I have quarantined earlier in MBAM.

Tell me if I can enable the MBAM protection module after purchasing; I think it has no conflicts with avast.

samnetx

You can't, as it only allows restore and not extracting to a different folder.
I wouldn't worry that much. If it is a false positive, it's OK, you just broke that System Restore point.
If it is infected, the System Restore point is broken now; you can't use it.

At least with version 4.8 of avast, MBAM resident is compatible.
Most probably it will be compatible also with avast 5 (not sure).

Here is a VirusTotal report of the infected file. It is Riskware and a Trojan.
(edit) I have used this software, BPS Spyware Remover (Riskware), in the past as a spyware remover (downloaded from the internet) and my computer crashed two times in two years. I recently deleted its files from the hard disk.

http://www.virustotal.com/analisis/1b90b4b5493533b0d42f36608f3850630a4df57ce4ebe85ddf65973ec3ca4fe0-1253830470

Give me your valuable suggestion on how to get rid of the System Restore viruses and trojans which are always found after a few days.

samnetx

Disable System Restore on Windows ME, XP or Vista. After disabling, you can enable it again.