Hey,

My virusscanner AVG regularly warns me about a trojan horse on my comp. It's called Backdoor Agent 2.H. AVG asks me to run a test to remove the trojan horse. During this test, it cannot be found because it is located in c:\System Volume Information\restore. AVG does not have access to that file, and neither do I.

How can I solve this problem? Is there a removal tool available for this specific trojan horse, or does anyone know what to do to get rid of it?

Thanks a lot!

Wendy

Wendy:

Turn off System Restore. When SR is running, its files are locked and inaccesible. The files can only be deleted; accomplished by turning off SR. That done, AVG will be able to do its work. 8-)

Solarian

Report Offensive Follow Up For Removal

PS If AVG can't solve the problem, try the online scanning services below. Leave System Restore turned off.

TrojanScan
Anti-Trojan.org

Solarian

Report Offensive Follow Up For Removal

Thanks a lot, I'll try that. But how do I turn SR off? I think I know how to do it, but I'm not sure. Can you explain it to me? And is it easy to turn it back on? What's the use of SR?

Wendy

Wendy:

To turn off System restore, click on Start, All Programs, Accessories, System Tools, System Restore.

When the dialog box appears, click on System Restore Settings. Place a check in the box which reads Turn Off System Restore. Click APPLY and OK. The dialog box will close.

To turn SR back on, remove the check mark and click APPLY and OK.

The purpose of System Restore is, as the name implies, to restore your PC to a time when it had no problems [Note: This will not work if SR has already been infected with malware--such as in your case.]

For example, let's say you install a new piece of software. But after the installation, your computer is acting strangely, or perhaps not at all. By using a System Restore point from a time before the problem started, you can set things right.

After you've cleaned out that trojan, reboot your PC and turn SR back on for future protection. Not all malware attacks the SR files. Unfortunately, in your case, it did.

Solarian

Report Offensive Follow Up For Removal

Help, I still can't fix the problem. I turned off the windows xp restore, then ran AVG for a test. AVG detected nothing suspicious.

Then I ran the trojanscan you recommended me, but it didn't test the system volume information directory. So I logged in as some kind of administrator (we all have to use a diff name and password to log in on this comp), and tried the trojanscan again. Then it runs a really short scan and automatically closes the internet window before anything suspicious is found.

Using the administrators account on this comp makes the trojanscan window look different too. I don't know if that is important. There's the check boxes, but I can't just check them like I could before using another account. There's red and blue check boxes. I tried diff things, still the same result: nothing found and internet window closed immediately.

What else can I do to fix the problem?

Wendy

PS: When I turned of the SR, the following message appeared: You have chosen to turn off SR. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Is there any chance the trojan horse got deleted together with the SR points? Maybe that's why AVG can't find anything. Or am I wrong?

Wendy

Wendy:

The box which said "If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer" was supposed to show. It's just confirming that you want to turn off System Restore. (I neglected to mention the box in my SR instructions.)

You wrote: "Is there any chance the trojan horse got deleted together with the SR points?"

Nothing, of course, is a certainty when dealing with PCs and malware, but I believe there's a good chance the trojan is gone. You said that, after running the online scan, plus AVG, they found nothing. That's a excellent sign. Most malware (trojans, viruses, etc.) like to hide in, and cause replication from, the files in System Restore. When you turned off SR, it deleted all the files it contained. Malware hiding there would have been deleted as well.

I'll check your thread, here, for the next few days. If you have any further questions or problems, let me know. 8-)

Solarian

Report Offensive Follow Up For Removal

PS If your PC is running satisfactorily now, turn System Restore back on. Just reverse the instructions I gave above (remove the check mark, etc.).

Before you click Apply and OK, you may want to move the slider control all the way to the left. As I recall, the slider defaults all the way to the right, which takes a 200MB chunk of space off your hard drive.

The extreme left side will give you 6-8 restore points. About a week's worth, depending on the size of your hard drive. However, if you want to able to go back weeks and weeks, then put the slider on the right. Or in the middle somewhere. Not knowing how the computers is used (how often software is installed; registry changed, et al), I can't make an exact suggestion.

Solarian

Report Offensive Follow Up For Removal

Hey,

I've been working on my comp all evening now, and I didn't get any warning about a virus or trojan horse, so I suppose the problem is solved. Thank you very much for helping me out!

PS: I turned the SR back on, I already knew I had to do that ;)

Wendy