Author Topic: tons of viruses, wrms, and trojan horses in c:/restore/temp file  (Read 15419 times)


allison

  • Guest
tons of viruses, wrms, and trojan horses in c:/restore/temp file
« on: February 26, 2005, 07:18:29 PM »
:o Just did my first scan and was expecting to find some difficulties, but ended up finding over 60 viruses, worms, and even trojan horses that had all attached themselves to my c:/restore/temp file. I have disabled System Restore (pretty sure anyway; I checked the box that says disable system restore in my Control Panel), but it still won't let me either move them or remove them. Thoughts?

whocares

  • Guest
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #1 on: February 26, 2005, 11:13:08 PM »
hi,

After disabling System Restore, you need to REBOOT;
rescan afterwards and tell us the results.

Also please read the link below "VirusRemoval"

 ;)

allison

  • Guest
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #2 on: February 26, 2005, 11:45:33 PM »
My computer was already set with System Restore disabled (it has been for some time now, as far as I can tell, because I don't ever remember disabling it myself, lol), so I have rebooted and then reran the program numerous times since. I even ran the program (or tried to) in Safe Mode, but my computer froze up and stopped running the scan midway through checking my c:/_restore/temp folder. The scan seems to find the same files every time, just with slightly different file names (from A0041208.0 to A0041208.1 then back again), regardless of "attempting to remove at next reboot" (reboot done in both Safe Mode and then again in normal). When Ad-Aware ran, it found the same files but also could not remove them (even at next system startup).
I actually have 2 titled Jeefo, 1 Kindal-UPX, 19 called Keenval, 38 called Trojan-gen, 2 NcaseSpy(Trj), and 4 Trojano-324(Trj), all in this one C:/_Restore/Temp file.
Thoughts? Any feedback would be much appreciated.
Just for further information, I have Windows ME and it is fully updated.
« Last Edit: February 27, 2005, 03:56:14 AM by allison »

lee16

  • Guest
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #3 on: February 27, 2005, 12:04:57 PM »
If you are on Windows XP or 2000, schedule a boot-time scan from within avast (open avast > menu (top left-hand corner) > boot-time scan).

If the problem still persists, post a HijackThis log; you can get HijackThis (and other useful info) from here: http://members.home.nl/edeijl/ache/cleaning.htm

--lee

allison

  • Guest
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #4 on: February 28, 2005, 01:25:24 AM »
Not sure... is this what you meant and wanted?

Logfile of HijackThis v1.99.1
Scan saved at 4:26:53 PM, on 27/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\Q2OEM\MY DOCUMENTS\MY RECEIVED FILES\FRAMXPRO\FREERAM XP PRO 1.40.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ashWebSv.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Q2OEM\MY DOCUMENTS\MY RECEIVED FILES\FRAMXPRO\FREERAM XP PRO 1.40.EXE" -win
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: POWERR~1.EXE
O4 - Startup: DataViz Messenger.lnk.disabled
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .asp: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npnzinst.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #5 on: February 28, 2005, 01:30:25 AM »
Extract from Eddy's HJT Analyser Tool

CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :
--------------------------------------------------------------------------------
You are using the latest version of Internet Explorer.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.

--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
r1 - hklm\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
o2 - bho: (no name) - {029ca12c-89c1-46a7-a3c7-82f2f98635cb} - (no file)
o2 - bho: msntoolbandbho - {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
o3 - toolbar: (no name) - {0494d0d9-f8e0-41ad-92a3-14154ece70ac} - (no file)
o3 - toolbar: msn - {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
o9 - extra button: (no name) - {cd67f990-d8e9-11d2-98fe-00c0f0318afe} - (no file)
o9 - extra button: dell home - {ee117daa-a30b-40fc-945c-38ae1b80c1fa} - http://www.dellnet.com (file missing) (hkcu)
o16 - dpf: {90c9629e-cd32-11d3-bbfb-00105a1f0d68} (installshield international setup player) - http://www.installengine.com/engine/isetup.cab
o16 - dpf: {a17e30c4-a9ba-11d4-8673-60db54c10000} (yahooymailto class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
o16 - dpf: {b8be5e93-a60c-4d26-a2dc-220313175592} (zoneintro class) - http://messenger.zone.msn.com/binary/zintro.cab32846.cab
o16 - dpf: {14b87622-7e19-4ea8-93b3-97215f77a6bc} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatspaclient.cab31267.cab

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
--------------------------------------------------------------------------------
o4 - hklm\..\run: [tkbellexe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
o4 - hkcu\..\run: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background


For an on-line scan of your HijackThis log file, try here: http://hijackthis.de/index.php
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
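As an added illustration (not code from the thread, from avast, or from Eddy's tool), here is a small Python checker that applies the kind of rules the analyser output above reports to HijackThis lines: orphaned "(no file)"/"(file missing)" entries, O16 downloaded ActiveX controls, and R0/R1 browser start/search settings. The sample lines are copied from the log posted in this thread; the rule wording is my own.

```python
import re

# HijackThis line layouts, as seen in the log posted above:
#   "<section> - <description> - {CLSID} - <path or URL>"   (O2, O3, O9, O16)
#   "<section> - <registry key>,<value> = <url>"             (R0, R1)
#   "<section> - <hive>\..\Run: [<name>] <command>"           (O4)
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")


def classify(line):
    """Return (section, reason) for a flagged HijackThis line, else None.

    Rules mirror what the analyser output in this thread reports:
    - a target of "(no file)" or "(file missing)" is an orphaned reference,
      i.e. a dead BHO/toolbar/button registration that should be cleaned up;
    - O16 DPF entries are ActiveX controls downloaded from the web; review the host;
    - R0/R1 entries set the browser start/search pages; review where they point.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    low = rest.lower()
    if "(no file)" in low or "(file missing)" in low:
        return (sec, "orphaned entry: target file does not exist")
    if sec == "O16":
        url = rest.rsplit(" - ", 1)[-1]
        return (sec, "downloaded ActiveX control from " + url.split("/")[2])
    if sec in ("R0", "R1"):
        url = rest.split(" = ", 1)[-1]
        return (sec, "browser start/search setting points at " + url)
    return None


def scan(log_text):
    """Run classify() over a whole log; returns [(section, reason, line), ...]."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits.append((result[0], result[1], line.strip()))
    return hits


# Sample input: six lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for sec, reason, line in scan(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Entries that pass these rules (the O3 Radio toolbar and the avast RunServices line above) are not declared clean; they simply need a reputation check rather than a structural one.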

allison

  • Guest
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #6 on: March 02, 2005, 01:38:26 AM »
I have done all that, rebooted, reran avast, and the viruses are still in my c:/_restore/temp folder. What else can I do to get rid of them?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #7 on: March 02, 2005, 01:47:55 PM »
Disabling System Restore should have cleared the _restore points; why it didn't, I have no idea. It does in XP, though I have never used WinME, so I can't say why it didn't clear the restore points.

With system restore disabled can you go into the _restore folder and clear the temp folder?

Have you searched the Windows help file about System Restore and how to clean it up or delete restore points? I have no WinME experience, so I'm unable to offer any advice about it.

allison

  • Guest
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #8 on: March 02, 2005, 07:16:44 PM »
When I try to open the _restore folder it doesn't even show the existence of a temp folder, so I have no idea how to manually clear it this way. I tried doing a search for files or folders named temp and it didn't show up there either. Interestingly enough, I downloaded a program that was one of the links in other suggestions for problems. This program listed all of my startup programs, and when I did this it showed a different folder (not restore) which seemed to contain the problem viruses, and I deleted this folder. I have rebooted since, and all the viruses seem gone except one: an SdBot-1550[Trj] still appears in my restore/temp file; however, all the others are no longer showing up in the scan. Just thought I'd mention this for others who might have the same problem I have, as another possible course of action. I still don't know how to get rid of this trojan horse, but the other 60 or so seem to be gone. Thoughts on this last one???

lee16

  • Guest
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #9 on: March 02, 2005, 07:55:20 PM »
Quote
doesn't even show the existence of a temp folder, so I have no idea how to manually clear it this way.

Are you showing hidden files and folders?
To unhide them, open any folder and go to Tools > Folder Options > View, then scroll down to where it says 'Hidden files and folders' and check/tick 'Show hidden files and folders'.
Then try again to go into the _restore folder and clear the temp folder.

BTW, when you disabled system restore and rebooted could avast delete the virus/malware instances then?

--lee

allison

  • Guest
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #10 on: March 02, 2005, 09:35:31 PM »
Already had it showing hidden files. Still would not show. Did a search instead for simply "restore", and c:\_restore came up as well as c:\restore. When I open the folder no files show, but when I right-click and do an avast scan of just this folder, it scans 30,000 files or so, all of which are apparently in a temp folder inside this folder, but the temp folder does not show. I tried to manually delete the entire _restore folder, but it would not let me, saying that the source files were currently in use.
BTW, I already had (and still have) System Restore disabled on my computer. avast would still not delete the files. I could only delete (all but one of) them by running the startup items check, seeing them in a differently titled folder (?!) and deleting this folder. Almost all of the items that are "unable to scan" (a different message thread) are also in this _restore\temp folder.
Basically, I can't delete anything when they are already running, and I can't stop them from running.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #11 on: March 02, 2005, 11:34:03 PM »
Allison, I think the best thing will be to try working in Safe Mode (F8 while booting) and trying to delete there.

But you can try How to Remove Files with Reserved Names in Windows XP.
The best things in life are free.

allison

  • Guest
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #12 on: April 12, 2005, 09:49:12 AM »
Yeah, tried both in Safe and regular mode to delete files in this _restore folder. Would not let me access them either way; both times it said that it couldn't do anything as they were currently in use. I actually have 2 restore folders. One seems to be normal, good, regular computer-use stuff; the other one, the one with the underscore, seems to be just full of viruses and things I've downloaded, but for some reason a copy is kept there as well and won't go away.
For the record, I have reduced the number of viruses on my computer down from about 60 to 2 (in addition to numerous files that avast cannot scan because either "not enough storage is available to process this command", the "CAB archive is corrupted", "ZIP archive is corrupted", or "the file is a decompression bomb"; 34 files still show up of this variety). ALL of these files are in this same _restore/temp folder that I cannot touch.

Also, just for the record, I can now no longer access MS Office (ANY of the programs) and cannot play the games that I have downloaded (from the bought CDs, even after uninstalling and reinstalling them). Oh yeah, and my web cam no longer runs either; it tells me it's not plugged in even though I've double-checked twice, unplugged and plugged back in.

Thoughts??? (well, other than just throw out the computer and buy a new one) :'(
« Last Edit: April 12, 2005, 09:56:58 AM by allison »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #13 on: April 12, 2005, 11:21:14 AM »
This might help?

http://www.experts-exchange.com/Operating_Systems/WinME/Q_20734033.html

You'll have to sign up to see the answer, but you get an interesting newsletter ever month, and access to a lot of solutions to problems.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: tons of viruses, wrms, and trojan horses in c:/restore/temp file
« Reply #14 on: April 12, 2005, 01:50:20 PM »
Quote
Yeah, tried both in Safe and regular mode to delete files in this _restore folder.

But did you try to disable System Restore?
1. Right click on the 'My Computer' icon on the Windows desktop.
2. Click 'Properties'.
3. Click on the 'System Restore'.
4. Place a tick in 'Turn off System Restore on all Drives'.
5. Click OK.
6. Close and 'Restart' your system.

Quote
In addition to numerous files that avast cannot scan because either "not enough storage is available to process this command", the "CAB archive is corrupted", "ZIP archive is corrupted", or "the file is a decompression bomb". 34 files still show up of this variety. ALL of these files are in this same _restore/temp folder that I cannot touch.

Can you try to repair your installation?
Go to Control Panel > Add/Remove programs > avast! antivirus > Remove
Then choose Repair function in the popup window (Repair).
You must be connected to the internet while repairing.

Quote
Also, just for the record, I can now no longer access MS Office (ANY of the programs) and cannot play the games that I have downloaded (from the bought CDs, even after uninstalling and reinstalling them). Oh yeah, and my web cam no longer runs either; it tells me it's not plugged in even though I've double-checked twice, unplugged and plugged back in.

You're infected and MS Office is compromised...
You can try reinstalling/repairing MS Office, but it won't be the final solution...
First you must be clean: run avast, Ad-Aware and SpyBot and get rid of your infections.