  1. #1

    Viruses in _RESTORE

    Edited by WyllyWylly to remove request for answers via email. See Rule 10.

    I have been hit by a virus, and in checking, my virus checker is telling me that there are a lot of viruses in various files in various folders off of the root C:\_RESTORE. I cannot access _RESTORE or see the sub-folders. I cannot delete the directory either.

    I also have a virus reported in C:\WINDOWS\SYSTEM\ROIN.EXE. I cannot delete that file either.

    Any suggestions? All help welcome.

    Thanks, Douglas

  2. #2

    Re: Viruses in _RESTORE

    Douglas,
    Disabling 'Restore' will remove your _RESTORE directory and everything associated with it. Turning it back on after rebooting should leave you with a clean directory. Hope this helps.
    Right click on My Computer, select Properties, then select the Performance tab. From there click on the File System button at the bottom, then the Troubleshooting tab, and you're there. Look at the bottom of the listing for Disable System Restore. Select that line and click on OK until you're back to the desktop and reboot.
    Go through the same procedure and reboot again and voila - you've got a clear restore directory.

  3. #3

    Re: Viruses in _RESTORE

    You didn't say what viruses you have or what software you're using for detection. I've never had any get in a protected folder so I'm not sure about my response. First thing is, go to Folder Options in either Control Panel or Windows Explorer. Make sure you have selected the radio button to SHOW hidden files, and UN-SELECTED the next two entries for hiding file extensions and protected system files. Next, I would boot to SAFE MODE and try deleting what you need to delete. Don't know if it will work or not - I've never had to do it. If it does, you better run another full system virus scan, 'cause your software may yet require you to do some "manual" removal and/or registry editing. You may need to check the vendor's web site for instructions. Good luck!

  4. #4

    Re: Viruses in _RESTORE

    All,

    I have done the following:

    1) Edited system.ini and win.ini to remove "run" calls for the file "roin.exe" that existed in my c:\windows\system folder. I was able then to delete that file. It contained the virus BKDR_SUB7.22A

    2) I disabled the "restore" function as suggested by BLEDUC in the second post in this thread. I rebooted, re-enabled "remote" and re-booted again. I then reran my virus checker against c:\_RESTORE. All of the viruses were still there.

    I still show BKDR_LITMUS.203 and TROJ_PORNDIALA and TROJ_PORNDIALC in c:\_RESTORE.

    I am using Trend OfficeScan as my virus checker.

    Thanks for your help. If anyone else has suggestions, I am all ears.

    Douglas
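
As an added example, not part of any poster's message: post #4 above removes "run" calls from win.ini and system.ini. The sketch below lists what those legacy autostart lines would launch. It assumes the standard Windows 9x/ME locations (`run=`/`load=` in `[windows]`, `shell=` in `[boot]`); the sample file contents are constructed, and only the name roin.exe comes from the thread.

```python
# Added example: enumerate programs launched from the legacy autostart lines
# of win.ini and system.ini so unexpected entries can be reviewed.

AUTOSTART_KEYS = {
    "win.ini": {"windows": ("run", "load")},
    "system.ini": {"boot": ("shell",)},
}
EXPECTED_SHELL = "explorer.exe"  # the normal value of shell= on Windows 9x/ME

def parse_ini(text):
    """Minimal INI parser returning {section: {key: value}} with lowercased names.
    Hand-rolled because system.ini repeats keys (device=), which strict parsers reject."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def autostart_entries(filename, text):
    """Return (file, section, key, program) for every autostart program found."""
    found = []
    ini = parse_ini(text)
    for section, keys in AUTOSTART_KEYS[filename.lower()].items():
        for key in keys:
            value = ini.get(section, {}).get(key, "")
            # Simplification: entries are split on spaces and commas,
            # so paths containing spaces are not handled.
            for prog in value.replace(",", " ").split():
                if key == "shell" and prog.lower() == EXPECTED_SHELL:
                    continue  # the legitimate shell is not reported
                found.append((filename, section, key, prog))
    return found

# Constructed sample contents (not taken from the poster's machine).
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\roin.exe
"""
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe roin.exe
[386Enh]
device=*vmm
device=*vwin32
"""
```

Any program reported here runs at every startup, so an entry that is not recognised is worth checking against the scanner's findings before the file it points to is deleted.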

  5. #5

    Re: Viruses in _RESTORE

    I don't think disabling the restore function will erase the existing files. You'll have to do that manually, I believe.

  6. #6

    Re: Viruses in _RESTORE

    Yikes. You didn't have a virus; you had/have one of the nastiest trojan/backdoor programs around. I strongly suggest that you read this article on removing Sub7 from your machine, and get a firewall installed ASAP. You've also been hit with the Litmus backdoor, which isn't quite as bad - but I believe you may still be vulnerable. Certainly you're on someone's list (that someone being a worthless deviant IMHO).
    -Mark

  7. #7

    Re: Viruses in _RESTORE

    Thought I would give a recap so someone else can know what to do (or not do).

    I took all of the above suggestions about viewing hidden files and extensions. I also went back, disabled the "restore" function, rebooted, and went after the files in C:\_RESTORE that were shown to contain viruses. I was able to delete the first, then the second, but when I went after the third file, everything in C:\_RESTORE disappeared - everything. I re-enabled the "restore" function and rebooted after crossing my fingers. I was able to get the system back up and running after some fiddling around. Everything appears fine at this point. No more viruses, and I now have a virus checker running in the background. I do have a firewall in place via my Linksys cable modem / wireless router combination.

    That's it for now. I thank all of you who chipped in and helped. This place is a great resource.

    Douglas
