Trojan.obfuscated.a.gen found

July 8, 2009 3:01:02 PM

hello! I have a virus question that I hope someone here can help shed some light on. Here is some background:

I have Windows XP SP3 running, and use ZoneAlarm, PC Tools AV, Spybot, and Ad-Aware. On Sunday I ran an Intelli-Scan, and nothing turned up. I then unplugged the machine to switch to another one.

On Monday, I hooked my original machine back up and ran Intelli-Scan, but this time it turned up 2 infections for this virus (trojan.obfuscated.a.gen). According to the program, it's the same infection, with two different files in the same directory:

program files/common files/kodak/usbscan/inst_act.exe
program files/common files/kodak/usbscan/usbinst_act.exe

I removed them using PC Tools and then ran a full scan, and they appeared again, but this time in a different location:

system volume info/.../ao144483.exe
system volume info/.../ao144484.exe

So this time around, it is in the System Restore points. This time PC Tools quarantined one and removed the other. I ran an Intelli-Scan and it showed up clean.

Yesterday (Tuesday), I went home and ran everything: Intelli-Scan and full scan on PC Tools, quick scan on Ad-Aware, full scan on Spybot. They all turned up clean.

I'm confused because:

1) Did the trojan move somehow? If so, how can I be sure it's actually gone rather than moved somewhere where PC Tools and the other programs aren't detecting it?

2) The file paths for each of the trojan findings show a different file but the same infection (trojan.obfuscated.a.gen); is each one actually a different virus?

3) If the second finding of the virus on Monday (through the full scan) shows the virus in the System Restore points, how did PC Tools get rid of it? I thought it wouldn't be able to completely if the virus was in the restore points?

Thanks in advance for shedding light on this confusing subject; it is much appreciated!!!
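
An added check for questions 1 and 2 above (example code, not part of this thread or of any of the scanners named in it). On Windows XP, System Restore keeps copies of changed or deleted executables under System Volume Information\_restore{GUID}\RPnn\ with generated names like A0144483.exe, which is why a detection can "move" from the original folder into the restore points after the original is removed. The script below groups detection paths by SHA-256 so you can tell whether two hits are copies of the same file or genuinely different files, and it tags which paths are restore-point copies. The directory tree it builds is constructed sample data that mirrors the paths in the post; the naming pattern in the regex is an assumption based on XP's restore-point layout.

```python
"""Group antivirus detections by content hash and flag System Restore copies.

Constructed demo: builds a throwaway directory tree shaped like the one in the
post (two files under a Kodak folder, two A0nnnnnn.exe copies under
System Volume Information) and reports which paths share the same content.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Assumed naming scheme for XP restore-point copies:
# ...\System Volume Information\_restore{GUID}\RPnn\A0NNNNNN.exe
RESTORE_COPY_RE = re.compile(
    r"system volume information.*[\\/]a\d{7}\.exe$", re.IGNORECASE
)


def sha256_of(path, chunk_size=65536):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_path(path):
    """Return 'restore_point' for a System Restore copy, else 'on_disk'."""
    return "restore_point" if RESTORE_COPY_RE.search(path) else "on_disk"


def group_by_hash(paths):
    """Map each distinct SHA-256 to the detection paths sharing that content."""
    groups = defaultdict(list)
    for path in paths:
        groups[sha256_of(path)].append(path)
    return dict(groups)


def summarize(paths):
    """One record per distinct content: its on-disk paths and restore-point copies."""
    records = []
    for digest, members in sorted(group_by_hash(paths).items()):
        records.append({
            "sha256": digest,
            "on_disk": sorted(p for p in members if classify_path(p) == "on_disk"),
            "restore_point": sorted(p for p in members if classify_path(p) == "restore_point"),
        })
    return records


def build_sample_tree(root):
    """Constructed sample: two distinct originals, each with one restore-point copy."""
    kodak = os.path.join(root, "Program Files", "Common Files", "Kodak", "usbscan")
    rp = os.path.join(root, "System Volume Information", "_restore{SAMPLE-GUID}", "RP7")
    os.makedirs(kodak)
    os.makedirs(rp)
    files = {
        os.path.join(kodak, "inst_act.exe"): b"sample-content-A",
        os.path.join(kodak, "usbinst_act.exe"): b"sample-content-B",
        os.path.join(rp, "A0144483.exe"): b"sample-content-A",
        os.path.join(rp, "A0144484.exe"): b"sample-content-B",
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return sorted(files)


def run_demo():
    """Build the sample tree in a temp dir and return the grouped summary."""
    with tempfile.TemporaryDirectory() as root:
        return summarize(build_sample_tree(root))


if __name__ == "__main__":
    for record in run_demo():
        print(record["sha256"][:16], "on disk:", record["on_disk"],
              "restore copies:", record["restore_point"])
```

Run against real detection paths by passing them to `summarize()` instead of the constructed tree: two entries in one group with the same hash are the same file (one of them a restore-point backup), while two groups mean two distinct files that the scanner happens to label with the same generic signature name.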

July 9, 2009 11:05:09 AM

It used to be that once upon a time the System Restore folders were well enough protected that nothing wrote to them. As time went on, malware writers found a way to do this, and now it is commonplace that System Restore is infected to give the malware a good chance to re-propagate itself.

Because malware has given itself the ability to write to the System Restore points, a lot of antimalware applications have given themselves the ability to access and delete infections from the restore files. This requires a reboot, so before the operating system fully loads and tries to protect the restore points, the antimalware apps clean the junk.

Whenever I perform a malware disinfection, for a second AV opinion I disable my antivirus and other realtime protection and run an online scan. If/when the scan comes back clean, the first thing I do is purge the restore points and create a new clean one.

I used to use Spybot and Ad-Aware, but now I have traded them for Malwarebytes' Anti-Malware and SUPERAntiSpyware. In my opinion they have a much better detection and removal rate. The downside is the free versions don't run resident (I actually prefer this as it frees up system resources, and I update and run my scans periodically).

Even if it is just for curiosity's sake, I would download the 2 apps and run them; I'm sure you will be surprised at the junk they can detect. If you do this, make sure you include all drives and, if you can, any removable media in the scans.

July 15, 2009 5:51:19 AM

+100 to "Malwarebytes Anti-Malware" - I tried many scanners and this is the best one; it literally, and I mean literally, removes every single virus I know of, and it has updates almost every day, so be sure to keep up with those whenever you scan. My recommendation for virus removal:
- Download it
- Install it
- Update it
- Restart and boot into safe mode
- Open the software (Malwarebytes)
- Run a full scan
- Open this before you go to sleep, because in safe mode especially, everything works slow and it will take like... many hours depending on how full your drive is.
- In safe mode, since fewer processes are running, it can scan them and see if they are infected, because it can't scan running processes.
- The best scan is a boot scan, where it scans all your services before you boot :)