Win32.Trojan-gen viruses on an ME PC

Viruses and worms
1

Hi,
My PC with ME OS is infected with Win32.Trojan-gen virus on the following three files:
C:_Restore\Temp\A0521534.CPY
C:_Restore\Temp\A0521910.CPY
C:_Restore\Temp\A0521933.CPY

This was detected by the avast home edition latest version software. I tried to take all 4 actions (delete, rename, repair and move to chest), but all of them failed (access denied). I also try to schedule a boot time scan, but for some reason, the boot time scan was inactivated. I could see the entry but it just would not let me select.
Please help me to remove those three files.

2

The C:_Restore folders are used by system restore and as such are protected by Windows. This will stop avast taking action.

You will need to switch off system restore, reboot, check for infection again and if clear enable system restore again.

I don’t believe that the boot scan works with ME, so the option in the menu is greyed out.

3

Thanks. I turned off and turned on the system restore, and the scanned files decreased from several thousand files to about 40 files. The infected files could not be found, which is good.

There were also more than 2000 files that could not be scanned , mostly under \Windows directory. Since avast does not support ME, I am wondering if there is any work around to get them scanned by avast. I suspect that my PC is still infected due to various errors constantly appearing at different times.

4

I didn’t say that avast doesn’t support ME, ME doesn’t support boot scan, a limitation of ME not avast.

You haven’t said why they were not scanned? Give an example of a few (not all 2000), they are more likely to be in groups of the same reason, etc.

There could be many reasons, password protected, in which case avast doesn’t know the password so can’t check them. Some programs encrypt or otherwise protect their programs/files.

5

Hi,
Sorry, I meant to say avast does not support ME boot scan, but for some reason boot scan was left out.

They are mainly under /Windows/All Users/Application Data that were unable to be scanned. I could not find the reason why there were not scanned. There are 1973 entries in the “Results of last scan” window and the "result " column says “Unable to scan Ar…” I could not expand the field to see everything. Just to give you an idea, I will list some of the file names:
\Windows\All Users\Application Data.…\sbRecovery.ini
\Windows\All Users\Application Data.…\nSupd9x.inf
\Windows\All Users\Application Data.…\nSupdata.ddl
\Windows\All Users\Application Data.…\CnsIminSV.cab
\Windows\All Users\Application Data.…\cnsio.ddl
\Windows\All Users.…\sbRecovery.reg
\Windows.…\anyuser@www.commission-junction[2].txt
\Windows.…\default@www. publicadvertising[1].txt
\Windows.…\default@servedby.advertising[4].txt
Many many more.

Some of the entries repeatedly appear in the table. I know this is probably vague, but hopefully it will be a good start.

Thanks again.

6

Since most of them are in all users application data, they would appear to be programs installed by you. Try following the path and see if you can identify the programs responsible.

The SBrecovery I believe are from spyware blaster (could be wrong) and when you delete or fix any problems, it makes a backup so you can recover them if required. Once you are sure these have caused no problem (e.g. your computer still runs ok), you can delete the recovery items from within SB.

The last three are strange.

  1. unless you are using commission-junction (afiliate payment etc.
    2 & 3. These seem to be some form of add tracking (cookies).

Have you tried running hijackthis because there may be other stuff on your system?