Any ideas on this problem?


MB

Folks, my friend is having some computer problems and I don't know what to
advise. I had him summarize the problem (see below). Any ideas?
Oh, he runs a Compaq with XP Home.




AVG ANTI-VIRUS SYSTEM QUESTION.

I have been trying to solve a problem whereby my computer freezes and I
then have to do a reboot. The problem is either my computer, Party
Poker.Com, or my ISP. I have discounted PartyPoker.Com since I've also
gotten disconnected a few times when just surfing. I've worked with the
techs at my ISP and tried everything possible with no success. My ISP is
AOL. The immediate response from a lot of you will be DUMP AOL. I won't
argue the merits of AOL, but read on and I'll explain what I am looking for
advice on.

I'm an idiot and do not have a firewall. I didn't even use a virus program
until I started trying to solve this problem. I have downloaded (AOL
Spyware) (AdWare 6) and AVG Anti-Virus System - Free Edition). I have run
AOL Spyware and AdWare 6 and have eliminated any ad tracking files that I
found.

Here is the strange part. On four occasions I have had a screen pop up out
of the blue with the following information on it.

******************************************************************************************************
AVG RESIDENT SHIELD


Virus

Trogan horse Downloader.Presario.A

C:/System Volume Information\_restore-(C3A256EC-F74E-4D1B-B627-49321DAD0241)-\RP142\A0020605.exe

To remove this virus run AVG for windows.

***********************************************************************************************

I have run the AVG program 3 times and it tells me there are no viruses
detected.

I then ran a search on my computer to locate the file and it said that no
such file existed.

If anyone has solid suggestions as to how to solve the Virus screen
question, I would appreciate your help.
 
MB said:
Folks, my friend is having some computer problems and I don't know
what to advise. I had him summarize the problem (see below). Any
ideas?
Oh, he runs a Compaq with XP Home.

<snip>

MB, the virus that was detected in the folder that contains all of your
System Restore points. AVG by default apparently does not scan this folder.
In order to remove the virus you need to disable (then enable again if you
want) System Restore.

To disable system restore: go to Start, Settings, Control Panel, System,
Click on the System Restore tab, Check the box called "Turn off System
Restore", Click Apply. Uncheck the box and click Apply again if you wish to
turn it back on.

Personally, I leave it off for 2 reasons:

1. Viruses cannot hide in restore points
2. It takes up unnecessary hard drive space

However it is quite useful if you ever have a problem where your computer
can't boot up or if you experience some other major problem.
 
The said:
<snip>

MB, the virus that was detected in the folder that contains all of your
System Restore points. AVG by default apparently does not scan this folder.
In order to remove the virus you need to disable (then enable again if you
want) System Restore.

To disable system restore: go to Start, Settings, Control Panel, System,
Click on the System Restore tab, Check the box called "Turn off System
Restore", Click Apply. Uncheck the box and click Apply again if you wish to
turn it back on.

Personally, I leave it off for 2 reasons:

1. Viruses cannot hide in restore points
2. It takes up unnecessary hard drive space

However it is quite useful if you ever have a problem where your computer
can't boot up or if you experience some other major problem.

Hmm. Is the file automatically deleted when System Restore is switched
off? What is the exact location of the file?
 
mhagen said:
Hmm. Is the file automatically deleted when System Restore is switched
off? What is the exact location of the file?

Every file (at least every restore point) in C:\System Volume Information\
is deleted when System Restore is disabled.

The exact location of those files/restore points is C:\System Volume
Information\
 
The said:
Every file (at least every restore point) in C:\System Volume Information\
is deleted when System Restore is disabled.

The exact location of those files/restore points is C:\System Volume
Information\

Thanks much!
 
MB said:
Does disabling and then enabling system restore take care of the virus??

There are some good threads in the archives (either a.c.a-v or
a.comp.virus), including manual deletion.

michael
 
It will take care of the infected file(s) that are hiding in the System
Volume Information folder. Disable then re-enable System Restore, and then
do another full system virus scan with your AV program. If nothing is
detected, the virus should be gone.
 
AVG by default apparently does not scan this folder.

Then where did this text come from
::::::::::::::::::::::
AVG RESIDENT SHIELD


Virus

Trogan horse Downloader.Presario.A

C:/System Volume Information\_restore-(C3A256EC-F74E-4D1B-B627-49321DAD0241)-\RP142\A0020605.exe
::::::::::::::::::::::?
 
Criminal said:
AVG by default apparently does not scan this folder.

Then where did this text come from
::::::::::::::::::::::
AVG RESIDENT SHIELD


Virus

Trogan horse Downloader.Presario.A

C:/System Volume Information\_restore-(C3A256EC-F74E-4D1B-B627-49321DAD0241)-\RP142\A0020605.exe
::::::::::::::::::::::?

it came from the on access scanner, of course... the on access scanner
scans whatever is accessed in a certain way (read/execute/whatever, it
depends on the product) regardless of where the file is... it's not so
much that avg scanned a file in that location as it scanned a stream of
data being put into memory by the system that corresponds to a file in
that location... applications executed in the user's context cannot
access the system restore folders in a default xp configuration - avg
resident shield is reading the data in memory and finding out where it
came from and reporting that, rather than going to a location on disk
and scanning a file...
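The distinction kurt draws above (an on-access hit that names a path under System Volume Information versus a file that actually sits somewhere the user can reach) is what decides the fix the earlier replies give: purge the restore points and rescan, or let the AV clean a live file. As an added example that is not part of this thread, not AVG's code and not written by any of the posters, here is a small Python triage script that makes that call from the alert path alone. It assumes the XP restore-point layout `<drive>:\System Volume Information\_restore{GUID}\RPnnn\Annnnnnnn.ext`, inferred from the alert quoted above, and the sample alerts are constructed (the first path is the one quoted in the thread, joined back onto one line exactly as the poster typed it; the second is made up).

```python
"""Triage AV alert paths: live file, or archive copy inside a System Restore point?"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed shape of an XP restore-point archive path (taken from the alert quoted in the thread):
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<nnnnnnnn>.<ext>
# Separators, GUID braces and stray dashes are matched loosely because alert text,
# and people retyping it, render the path inconsistently.
RESTORE_POINT_RE = re.compile(
    r"""
    ^(?P<drive>[A-Za-z]):[\\/]
    System\ Volume\ Information[\\/]
    _restore-?[{(]?(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})[})]?-?[\\/]
    RP(?P<rp>\d+)[\\/]
    (?P<archived>A\d+\.[A-Za-z0-9]+)$
    """,
    re.VERBOSE | re.IGNORECASE,
)


@dataclass(frozen=True)
class Triage:
    path: str
    in_restore_point: bool
    restore_point: Optional[int]   # RPnnn number when the hit is an archive copy
    archived_name: Optional[str]   # Annnnnnnn.ext name inside that restore point
    action: str                    # what a defender should do about the hit


def triage_alert_path(path: str) -> Triage:
    """Classify one alert path and spell out the matching remediation."""
    m = RESTORE_POINT_RE.match(path.strip())
    if m:
        return Triage(
            path=path,
            in_restore_point=True,
            restore_point=int(m.group("rp")),
            archived_name=m.group("archived"),
            action=(
                "archive copy inside a restore point: a user-context Search will not find it "
                "and the on-demand scan skips the folder; purge restore points (turn System "
                "Restore off, then on again if wanted) and run a full scan afterwards"
            ),
        )
    return Triage(
        path=path,
        in_restore_point=False,
        restore_point=None,
        archived_name=None,
        action="live file: let the AV clean or quarantine it, then confirm with a full scan",
    )


def classify_alerts(alerts):
    """Split (threat, path) pairs into restore-point hits and live-file hits."""
    buckets = {"restore_point": [], "live": []}
    for threat, path in alerts:
        t = triage_alert_path(path)
        buckets["restore_point" if t.in_restore_point else "live"].append((threat, t))
    return buckets


# Constructed sample input: first entry is the thread's quoted alert, second is invented.
SAMPLE_ALERTS = [
    ("Trogan horse Downloader.Presario.A",
     r"C:/System Volume Information\_restore-(C3A256EC-F74E-4D1B-B627-49321DAD0241)-\RP142\A0020605.exe"),
    ("Example.Adware (constructed)",
     r"C:\Documents and Settings\Owner\Local Settings\Temp\setup_example.exe"),
]

if __name__ == "__main__":
    for threat, path in SAMPLE_ALERTS:
        t = triage_alert_path(path)
        where = (f"restore point RP{t.restore_point} ({t.archived_name})"
                 if t.in_restore_point else "live file")
        print(f"{threat}\n  {path}\n  -> {where}\n  -> {t.action}\n")
```

The regex deliberately tolerates the `(GUID)-` and forward-slash spelling from the quoted alert as well as the canonical `{GUID}` form, so the same triage works on a hand-typed post and on a log line pasted straight from the scanner.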
 
kurt wismer said:
it came from the on access scanner, of course... the on access scanner
scans whatever is accessed in a certain way (read/execute/whatever, it
depends on the product) regardless of where the file is... it's not so
much that avg scanned a file in that location as it scanned a stream of
data being put into memory by the system that corresponds to a file in
that location... applications executed in the user's context cannot
access the system restore folders in a default xp configuration - avg
resident shield is reading the data in memory and finding out where it
came from and reporting that, rather than going to a location on disk
and scanning a file...

Cool! So he would never again see reports of malware in his restore points cause there wouldn't be any
reason for the AV to ever report malware in the restore unless it is just that moment being put there or
restored from there? Why do I keep seeing stuff about clearing the restore points cause the AV keeps
saying it is there but it can't act on it to remove it - - is it being accessed every time? I thought that AV
could read there but not write there and that was the reason it could see but not touch. AVG not scanning
"by default" that folder is a good thing if you don't mind malware ridden restore points cause alternatively
you would keep getting alerted to malware you were powerless to act upon.
 
Criminal Element said:
AVG by default apparently does not scan this folder.

#include <stdxcuse.h>

Wow! Sorry for misattributing to mhagen - - tired I suppose . . .
 
Criminal said:
#include <stdxcuse.h>

Wow! Sorry for misattributing to mhagen - - tired I suppose . . .
No problemo. I noticed that but couldn't trace back the thread.
 
Criminal said:
Cool! So he would never again see reports of malware in his restore points cause there wouldn't be any
reason for the AV to ever report malware in the restore unless it is just that moment being put there or
restored from there? Why do I keep seeing stuff about clearing the restore points cause the AV keeps
saying it is there but it can't act on it to remove it - - is it being accessed every time?

i suspect that is exactly what is happening... something about the
magic of the system restore... i understand that restore points are an
aggregation of changes and that in order to record those changes
differences between the current state and the previous state(s) may
need to be calculated - that is probably why the restore points are
being accessed and causing the on-access scanners to sound the alarm...

I thought that AV could read there but not write there and that was the reason it could see but not touch.

if you can actually 'see' (as in browse to it in windows explorer) then
you've already changed the permissions on the folder and it no longer
is a default configuration...

AVG not scanning "by default" that folder is a good thing if you don't mind malware ridden restore points cause
alternatively you would keep getting alerted to malware you were powerless to act upon.

well, it seems like people experience such alerts anyways, only a
different module of their av product is doing the alerting...
 
kurt wismer said:
i suspect that is exactly what is happening... something about the
magic of the system restore... i understand that restore points are an
aggregation of changes and that in order to record those changes
differences between the current state and the previous state(s) may
need to be calculated - that is probably why the restore points are
being accessed and causing the on-access scanners to sound the alarm...

Tnx for explaining this to me I understand better now. :)
 