virus in system restore?

  mrwoowoo 23:53 05 Sep 2007

AVG and Spyware Terminator both picked up a trojan virus. I removed it and rescanned my system and all was OK.
About an hour later it was back. So, reasoning that it may have been in system restore, I turned it off and rescanned with both AVG and Terminator in safe mode.
My understanding is that turning off system restore deletes all restore points/files and therefore the virus. My questions are:
1. Is it likely that the virus was in system restore?
2. Is it safe to turn system restore back on now?
I would think the answers are yes and yes.

  johnnyrocker 23:56 05 Sep 2007

Indeedy, you are quite right. Most hide in restore files with XP, and the procedure you adopted should be OK, but if you have updated AV I would ask how it got in?


  mrwoowoo 00:06 06 Sep 2007

Thanks johnny, that's confirmed what I suspected.
All my security software is up to date, but it was my firewall that picked it up first as an outgoing access attempt. Strange!
GANDALF <|:-)> please take note (O:!

  rdave13 00:10 06 Sep 2007
  Jak_1 00:50 06 Sep 2007

You have done the right things. The problem is that when they do get into system restore, no AV program can delete them from there whilst it is active. So turning off sys restore allows the AV to get rid of the nasties; however, it does clear previous restore points. If it didn't, then you could get the nasty back!
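
An added example, not part of the thread: the toggle Jak_1 describes, scripted in Windows PowerShell on a later Windows release (XP has no such cmdlets; there it was done from the System Restore tab in System Properties). It assumes an elevated Windows PowerShell 5.1 session and C: as the system drive.

```powershell
# Added example, not from the thread. Requires Windows PowerShell 5.1 run as
# administrator on a Windows version that ships the *-ComputerRestore cmdlets.
# Assumption: the system drive is C:.
$drive = 'C:\'

# 1. List the checkpoints the scanner cannot clean while System Restore is active.
$before = @(Get-ComputerRestorePoint)
"Restore points before: $($before.Count)"
$before | Format-Table SequenceNumber, Description, RestorePointType -AutoSize

# 2. Turning System Restore off for the drive discards every checkpoint,
#    and with them any snapshotted copy of the infected file.
Disable-ComputerRestore -Drive $drive

# 3. Run the on-demand scans here (AVG and Spyware Terminator in the thread);
#    this script only covers the System Restore part of the procedure.

# 4. Turn it back on and confirm that no old checkpoint survived the toggle.
Enable-ComputerRestore -Drive $drive
$after = @(Get-ComputerRestorePoint)
if ($after.Count -ne 0) {
    Write-Warning "Old restore points still present; check the System Protection settings."
} else {
    # Create a fresh, known-clean baseline so there is something safe to roll back to.
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'
}
```

By default Windows creates at most one restore point per 24 hours, so the final Checkpoint-Computer call may be skipped if one was made recently.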

  mrwoowoo 01:09 06 Sep 2007

Good link rdave13.
It's back again: C:\WINDOWS\system32\QMYYKcOb.exe
and c:\windows\prefetch
These are what my firewall is showing.
Is it safe to manually delete these from these folders?

  mrwoowoo 01:13 06 Sep 2007

My firewall is showing this as an intrusion attempt blocked.
These are the target applications, or at least the first one is.

  mrwoowoo 01:21 06 Sep 2007

Right, getting silly now.
My firewall has gone from "unknown application" to now telling me the injector application is in fact Spyware Terminator realtime shield.
As I said, they are just the target folders and not the trojan that I got rid of after all.
Guess I just configure my firewall to allow it.

  rdave13 02:35 06 Sep 2007

Yes. Maybe apologies to the wizard..?
