question about backdoor.subseven

[toad]

Got a laptop with ME on it.

Ran AVG anti-virus, found 25 instances of backdoor.subseven.

All 25 instances are in C:\_RESTORE\TEMP\

this is a hidden folder that I unhid.

When I try to move the viruses to AVG's virus vault, it says they can not be
removed from the RESTORE\TEMP folder.

I don't know if I'd have any more success with Norton because when I tried
to install 2002, it said that my version was expired. I removed all
symantec and norton files/folders manually from registry and it still said
it was expired upon reinstall.

I'm not sure what I have to do to quarantine these viruses. Apparently I
can't remove them.

I got the instructions for manual removal and none of the references in
system.ini, win.ini, nor in the registry were present.

I'm guessing that means these viruses aren't accomplishing their goal, but
there's 25 of them and it'd be nice to remove them.

any advice?

 

[null]

Got a laptop with ME on it.

Ran AVG anti-virus, found 25 instances of backdoor.subseven.

All 25 instances are in C:\_RESTORE\TEMP\

this is a hidden folder that I unhid.

When I try to move the viruses to AVG's virus vault, it says they can not be
removed from the RESTORE\TEMP folder.

I don't know if I'd have any more success with Norton because when I tried
to install 2002, it said that my version was expired. I removed all
symantec and norton files/folders manually from registry and it still said
it was expired upon reinstall.

I'm not sure what I have to do to quarantine these viruses. Apparently I
can't remove them.

I got the instructions for manual removal and none of the references in
system.ini, win.ini, nor in the registry were present.

I'm guessing that means these viruses aren't accomplishing their goal, but
there's 25 of them and it'd be nice to remove them.

any advice?

Disable System Restore to flush the _RESTORE subdirectories. Or you
can boot up with your system disk and type

deltree /y c:\_restore


Art
http://www.epix.net/~artnpeg

 

[toad]

Disable System Restore to flush the _RESTORE subdirectories. Or you
can boot up with your system disk and type

deltree /y c:\_restore

I disabled system restore, rebooted, ran AVG. It didn't find all the
viruses and I think it's because it couldn't search a couple of the _restore
folders. but it did find about 9 backdoor.subseven viruses in 1 (or more)
of the _restore folders. The software still won't move them to the virus
vault (quarantine) them.

I have always found virus removal to be pretty easy, even if I have to
delete stuff in system.ini, win.ini, or the registry, but now for the first
time in my life I have 2 computers that have viruses that I can't remove or
quarantine. I suppose I could delete the actual infected files, but on the
ME box, those are in the _restore folder and windows doesn't recommend
deleting (which is why they're normally hidden). On my XP box, I've got a
bunch of klez viruses that I can't remove as well. Got norton on that
system and also disabled restore.

frustrated incorporated

 

[null]

I disabled system restore, rebooted, ran AVG. It didn't find all the
viruses and I think it's because it couldn't search a couple of the _restore
folders. but it did find about 9 backdoor.subseven viruses in 1 (or more)
of the _restore folders. The software still won't move them to the virus
vault (quarantine) them.

Then do as I suggested. I've deleted the _restore subdirectories on my
Win ME PC without ill effect. In fact, I've chosen to eradicate PC
Health (and other stuff) using this free utility:

http://www.beta10.com/oppcomme.htm

since I use a backup drive instead.

I have always found virus removal to be pretty easy, even if I have to
delete stuff in system.ini, win.ini, or the registry, but now for the first
time in my life I have 2 computers that have viruses that I can't remove or
quarantine. I suppose I could delete the actual infected files, but on the
ME box, those are in the _restore folder and windows doesn't recommend
deleting (which is why they're normally hidden).
Nonsense.

On my XP box, I've got a
bunch of klez viruses that I can't remove as well. Got norton on that
system and also disabled restore.

frustrated incorporated

Try the Sysclean proggy at my web site. For your Win ME PC, I suggest
keeping the free F-Prot for DOS on hand and updated. See my F-Pup
download which should make it easier for you.

And learn some safe hex


Art
http://www.epix.net/~artnpeg

 

[Robin T Cox]

'm not sure what I have to do to quarantine these viruses. Apparently
I can't remove them.

I got the instructions for manual removal and none of the references
in system.ini, win.ini, nor in the registry were present.

I'm guessing that means these viruses aren't accomplishing their goal,
but there's 25 of them and it'd be nice to remove them.

any advice?

Try Anti-Trojan 5.5, which has just recently become freeware:
http://www.emsisoft.com/en/support/anti-trojan/Default.aspx

 

[bobg]

Just don't worry about it!!! It can't do any harm if you don't 'Restore' to
that item. It won't replicate and it won't
bother you if you let it alone. It will eventually 'go away' by itself. If
you want to hasten it's removal, you can select the 'smallest setting' for
system restore. That should not keep your rig from making Restore points
later. Good luck! bobg

 

[Gabriele Neukam]

On that special day, toad, ([email protected]) said...

The software still won't move them to the virus
vault (quarantine) them.

Did you already run the AVG in Safe Mode (you can initiate Safe Mode by
holding the Ctrl key at boot up, and choosing Safe Mode), or did you try
the menu entry which makes Windows ask you for every program start if
you want it or not (dang, what is the Englisch name for
Einzelbestaetigung, is it step by step?)?

Something rarely known is the fact that you can suppress the automatic
start of programs on boot up, by keeping the shift key down all time,
until Windows is completely loaded (this feature is a remnant of Windows
3.x); which is close to Safe mode, but the drivers are still loaded
(which means you can access your CD drive in Win9x).

I haven't yet known of a trojan that installs itself as a driver (which
would circumvent this method), but you never know when finally such a
beast will turn up.


Gabriele Neukam

(e-mail address removed)

 

[toad]

Then do as I suggested. I've deleted the _restore subdirectories on my
Win ME PC without ill effect. In fact, I've chosen to eradicate PC
Health (and other stuff) using this free utility:

Well, I'm not a scholar on WME and this isn't my computer, it's my uncle's,
so maybe you can answer a few questions...

1)What's the purpose of _restore?
2)What are the drawbacks to removing the folder?
3)do I delete the whole thing, or just remove specific folders from it?
4)this program you talk about, does it cost money? If it came to paying
money, we'd prefer to get a burner or zip, backup, and format clean, but
that's too time consuming.

thanks

 

[toad]

On that special day, toad, ([email protected]) said...


Did you already run the AVG in Safe Mode (you can initiate Safe Mode by
holding the Ctrl key at boot up, and choosing Safe Mode), or did you try
the menu entry which makes Windows ask you for every program start if
you want it or not (dang, what is the Englisch name for
Einzelbestaetigung, is it step by step?)?

After disabling system restore, I went to safe mode and couldn't activate a
function to run a scan with AVG.

Step by step confirmation (to my recollection) is an option to minimize
driver use upon boot up. I used F8 and went to safe mode.

If I do an AVG scan in normal mode with system restore disabled, it doesn't
scan all the _restore folders, so it only found about 7 or 9 of the subseven
instances and it wouldn't remove the one's it did find and as mentioned, it
won't run in safe mode with system restore disabled. or maybe it won't run
in safe mode period... don't think I've tried running AVG in safe mode with
system restore enabled. not sure if that'd help... probably a waste of
time. This computer is real slow and probably because of the restore
folder. I know when I ran spy sweeper, it spent most its time in _restore
and it took hours upon hours to delete only 50% of what it found. It takes
about an hour to do a spy sweep scan or virus scan.

Is there risks to removing the _restore folder? is it wise, what's it for?
that may be a big help, because removing that would remove the viruses, but
if it's going to screw up the computer, I don't want to mess with it.

thanks for your help

 

[toad]

Just don't worry about it!!! It can't do any harm if you don't 'Restore' to
that item. It won't replicate and it won't
bother you if you let it alone. It will eventually 'go away' by itself. If
you want to hasten it's removal, you can select the 'smallest setting' for
system restore. That should not keep your rig from making Restore points
later. Good luck! bobg

what do you mean by "select smallest setting" and "keep your rig from making
restore points"? If I go into troubleshooting options for File System,
there's only boxes to check and uncheck, no settings per se.

 

[FromTheRafters]

I haven't yet known of a trojan that installs itself as a driver (which
would circumvent this method), but you never know when finally such a
beast will turn up.

http://securityresponse.symantec.com/avcenter/venc/data/trojan.slanret.html

 

[null]

Well, I'm not a scholar on WME and this isn't my computer, it's my uncle's,
so maybe you can answer a few questions...

1)What's the purpose of _restore?

It's a repository of special files and folders needed for System
Restore. The idea is to be able to restore Windows to a previous state
when there were no problems.

2)What are the drawbacks to removing the folder?

None if you choose other means of backup and restoration as I have.

3)do I delete the whole thing, or just remove specific folders from it?

Doing a deltree /Y c:\_restore in pure DOS as I suggested creams the
whole set of subdirectories, freeing up drive space. You would also
disable System Restore or eradicate PC Health entirely as I have.

However, since you're not talking about your own PC, the issue of
eradicating the System Restore is moot. But in any event, as I've
said, there is no harm is deleting the whole c:\_restore set of
subdirectories.

4)this program you talk about, does it cost money? If it came to paying
money, we'd prefer to get a burner or zip, backup, and format clean, but
that's too time consuming.

All the programs at my web site are free.


Art
http://www.epix.net/~artnpeg

 

[MickKi]

Hi Art,

[snip]
All the programs at my web site are free.

Would you have the help file for trojfind?

There's apparently a version 3.0 out but it needs WinRAR to decompress it.

Regards,

Mick

 

[null]

Hi Art,

[snip]
All the programs at my web site are free.

Would you have the help file for trojfind?

No. It wasn't packaged along with TroyanFind Info.exe

There's apparently a version 3.0 out but it needs WinRAR to decompress it.

I know nothing of versions numbers. Don't see any on the GUI. And
there are many "unzippers" that handle RAR. I use Power Archiver.


Art
http://www.epix.net/~artnpeg