Can't get rid of this

Joseph Natale

Hello all,

I have tried booting and removing this in "Safe Mode" and
it still comes back every time after re-boot. Does anyone
know how to completely remove this?

c:\winnt\system32\ide21201.vxd

Thanks!
Joe...
 
Bill Sanderson

I see that Symantec detects this as a part of several different adware
detections (google on the filename and Symantec and removal).

One thing you might try is Trend Micro's online scanner. Trend Micro also
detects ad-ware now, and their online scanner removes. Trend Micro also
lists this as a component of adware which it removes.

http://housecall.trendmicro.com
 
Bill Sanderson

Whoops! Please submit a Tools, suspected spyware report and note the
presence of this VXD. Microsoft Antispyware should probably be detecting
this.
 
Kevin Tan

Before going into safe mode, disable System Restore.

You may need to go into safe mode and do the following:

1. Delete it from the location.

2. Go to Registry Editor and remove it from
HKLM\Software\Microsoft\Windows\CurrentVersion\Run ,
HKCU\Software\Microsoft\Windows\CurrentVersion\Run &
HKU\Software\Microsoft\Windows\CurrentVersion\Run

3. Run MSconfig and remove it from Startup. (you can
download this msconfig.exe from driverdownloads.com)

Restart the PC and re-enable System Restore once it's OK.

Regards

Kevin
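The steps above amount to an audit of the autostart Run keys plus a check on the file itself. The following PowerShell script is an added example, not code posted by Kevin or anyone else in this thread. It walks the HKLM and HKCU Run keys Kevin names, plus the Run key of every profile loaded under HKEY_USERS, reports any value whose command line references the file name from the original question, and reports whether that file is still on disk. It is read-only: it deletes nothing, so the reader decides what to remove after seeing the report. It assumes PowerShell on Windows, run elevated so that the HKEY_USERS hives are readable; the default file path is an assumption built from `$env:SystemRoot` to cover both `c:\winnt` and `c:\windows` installs.

```powershell
# Added example (not from the thread): audit Run keys for a named file and check the file on disk.
# Assumptions: Windows PowerShell, run as administrator; defaults taken from the original question.
param(
    [string]$FileName = 'ide21201.vxd',
    [string]$FilePath = "$env:SystemRoot\system32\ide21201.vxd"   # assumed location, see lead-in
)

# HKEY_USERS has no default PowerShell drive; map one so per-profile Run keys can be read.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# The Run keys Kevin lists, with HKU expanded to every loaded profile hive (keyed by SID).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

function Find-RunEntry {
    # Returns one object per Run value whose data contains $Pattern (wildcard match, case-insensitive).
    param([string[]]$Keys, [string]$Pattern)
    foreach ($key in $Keys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }   # key absent (e.g. a profile with no Run key)
        # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those and keep real registry values.
        $item.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$Pattern*" } |
            ForEach-Object {
                [pscustomobject]@{ Key = $key; ValueName = $_.Name; Command = $_.Value }
            }
    }
}

$hits = @(Find-RunEntry -Keys $runKeys -Pattern $FileName)
if ($hits.Count -eq 0) {
    Write-Host "No Run entries reference $FileName."
} else {
    Write-Host "Run entries referencing ${FileName}:"
    $hits | Format-Table -AutoSize
}

# The file itself: still present after the reboot, and when was it last written?
# -Force so hidden/system attributes (common on droppers) do not hide it from Get-Item.
if (Test-Path -LiteralPath $FilePath) {
    $f = Get-Item -LiteralPath $FilePath -Force
    Write-Host ("{0} is present ({1} bytes, modified {2})" -f $f.FullName, $f.Length, $f.LastWriteTime)
} else {
    Write-Host "$FilePath is not present."
}
```

Run it once before cleaning and again after the reboot: if the file reappears with a fresh LastWriteTime but no Run entry names it, something other than the Run keys is recreating it (a service, a second component, or another autostart location), which is the situation Ron describes later in the thread.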
 
Bill Sanderson

Kevin - I know lots of people post this advice, but I'm having trouble
understanding the basis for it.

Viruses or spyware--executables of any kind--situated in the System Restore
restore point files cannot infect without action on the part of the user to
restore that particular restore point.

If a virus or spyware executable or data file were, in fact, stored in the
System Restore storage area, but not as part of a restore point, removing
the restore points would not delete it.

It seems to me that this advice removes a useful safety feature at a point
when the user is most likely to need it.

Can you show me clear evidence which shows an infected entity, or spyware,
resident and active in the System Restore storage area?
 
Spider

Bill said:
Kevin - I know lots of people post this advice, but I'm having trouble
understanding the basis for it.

Viruses or spyware--executables of any kind--situated in the System Restore
restore point files cannot infect without action on the part of the user to
restore that particular restore point.

If a virus or spyware executable or data file were, in fact, stored in the
System Restore storage area, but not as part of a restore point, removing
the restore points would not delete it.

It seems to me that this advice removes a useful safety feature at a point
when the user is most likely to need it.

Can you show me clear evidence which shows an infected entity, or spyware,
resident and active in the System Restore storage area?

Thanks for bringing this up Bill. I think the system restore needs to
be deleted at some point, but not at the point I am seeing people
recommending. You are correct in that nothing in there is causing a
current problem. The only potential problem is using one of them as an
actual restore point after cleaning. While I can't cite any specific
cases of spyware in the system restore I have seen viruses get detected
in system restore so I would assume that spyware can as well. But, to
delete the restore points before the system is clean and normal is bad
advice. What if the removal process goes kaput? It's better to have a
restore point with possible spyware in it than to have nothing at all to
fall back on. Personally, when I clean an XP system I get it as clean
as I can with no obvious signs of trouble first. The last step would be
to turn off system restore. When it goes from monitoring to turned off,
all restore points have been removed. Immediately turn it back on. As
it goes from off to on, a current clean restore point is created. This
provides you with one good restore point made right after cleaning. The
user is without a restore point for all of one minute and no reboots.

--

Spider

http://spiderathome.blogspot.com/
http://spider1.blogspot.com/
http://groups.yahoo.com/group/24hrsupporthelpdesk
 
Bill Sanderson

Spider said:
Personally, when I clean an XP system I get it as clean as I can with no
obvious signs of trouble first. The last step would be to turn off system
restore. When it goes from monitoring to turned off, all restore points
have been removed. Immediately turn it back on. As it goes from off to
on, a current clean restore point is created. This provides you with one
good restore point made right after cleaning. The user is without a
restore point for all of one minute and no reboots.

Your practice is similar to mine--If you need to clean SR, do it after the
machine is clean, and stable. Yes, spyware and viruses are detected in the
SR storage area--no, they don't magically become active and infect the
machines from this area.
 
Steve Wechsler [MVP]

I agree 100% with both of your views. Better to have a leaky lifeboat
than a submerged one ;)

Steve Wechsler (akaMowGreen)

MS-MVP 2004-2005

................. In memory of our dear friend, MVP Alex Nichol .......
............................ 1935-2005 ..............................
 
Robin Walker [MVP]

Bill Sanderson said:
Viruses or spyware--executables of any kind--situated in the System
Restore restore point files cannot infect without action on the part
of the user to restore that particular restore point.

Is this in fact the case?

I thought that Windows XP System File Protection was capable of restoring
WITHOUT USER INTERVENTION into the C:\WINDOWS hierarchy any executable file
present at the latest restore point that is deleted or modified by the user,
or by an anti-virus or anti-spyware product.

This is why many anti-viral manufacturer web sites positively insist that
System Restore in XP or ME must be turned off before a scan intended to
disinfect.

And I think this is why many end-users say that they did an MSAS
disinfection, but the malware came back "later".
 
Spider

Robin said:
Is this in fact the case?

I thought that Windows XP System File Protection was capable of restoring
WITHOUT USER INTERVENTION into the C:\WINDOWS hierarchy any executable file
present at the latest restore point that is deleted or modified by the user,
or by an anti-virus or anti-spyware product.

This is why many anti-viral manufacturer web sites positively insist that
System Restore in XP or ME must be turned off before a scan intended to
disinfect.

And I think this is why many end-users say that they did an MSAS
disinfection, but the malware came back "later".

If system file protection did such a thing then I would think that would
require system restore to be active at all times. My understanding of
system file protection is that it protects only registered windows
system files and uses a system hidden dllcache folder to store known
good copies of all system critical files. To the best of my knowledge,
system file protection is not dependent on system restore in any way.


--

Spider

http://spiderathome.blogspot.com/
http://spider1.blogspot.com/
http://groups.yahoo.com/group/24hrsupporthelpdesk
 
Bill Sanderson

Robin Walker said:
Is this in fact the case?

I thought that Windows XP System File Protection was capable of restoring
WITHOUT USER INTERVENTION into the C:\WINDOWS hierarchy any executable
file present at the latest restore point that is deleted or modified by
the user, or by an anti-virus or anti-spyware product.

This is why many anti-viral manufacturer web sites positively insist that
System Restore in XP or ME must be turned off before a scan intended to
disinfect.

I believe Spider is correct about the mechanism of SFP, and about the fact
that it is entirely a separate mechanism from System Restore. SFP is
present in Windows 2000, which has no System Restore facility.

Here's a good description of SFP, albeit for an OS not covered by this beta:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsetup/html/winme.asp

(I think this is quite applicable to the facility as present in Windows 2000
and Windows XP.)

http://support.microsoft.com/kb/222193/EN-US/

is another reference, this time explicitly for Windows 2000 and up.

None of these references mention any connection to System Restore.

Here's what Symantec actually says about turning off System Restore--I think
it is pretty clear, and bears out the advice I'm giving:
It doesn't mention reinfection occurring in any automatic way from the SR
store, just that the A/V cannot clean automatically, and that reinfection
can occur through using the restore point.
-------------------------------------------------------------------------------
(excerpt from :
http://securityresponse.symantec.com/avcenter/venc/data/downloader.trojan.html)
----------------------------------------------------------------------------------
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you
temporarily turn off System Restore. Windows Me/XP uses this feature, which
is enabled by default, to restore the files on your computer in case they
become damaged. If a virus, worm, or Trojan infects a computer, System
Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from
modifying System Restore. Therefore, antivirus programs or tools cannot
remove threats in the System Restore folder. As a result, System Restore has
the potential of restoring an infected file on your computer, even after you
have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even
though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows
documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me
System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools
Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
-------------------------------------------
 
Ron Kinner

I agree with the majority here. System Restore stays on
until done then you turn it off and on so that there is
nothing evil lurking there. The antivirus people like to
turn it off because their software detects viruses in the
system restore files but can't do anything about it.

As far as SFP, I have yet to see a case where spyware
managed to get into the dllcache. For a while I looked
every time but never found anything there. Used to be
you could turn it off but with SP2 it's nearly impossible.

I have seen protective software that would not allow
HijackThis to Fix Checked. Believe Ad-Aware's AdWatch is
one such. I've also seen reports that Spybot S&D's BHO
would cause similar problems but have never seen it
myself.

Of course, there is a lot of malware out there that has
two parts and if you delete only one part the remaining
part recreates its other half - perhaps with a different
name.

I also do not trust the XP prefetch folder and always
delete its contents before a post-spyware-removal reboot.

Ron
 