July 9, 2008 08:59am pdt

1. rpggamer... 67,716
2. IndiGenus 44,200
3. briancassin 13,000
4. younghv 11,000
5. michko 6,432
6. moh10ly 6,406
7. johnb6767 5,530
8. phototropic 5,500
9. debuggerau 5,150
10. orangutang 4,500
11. war1 4,100
12. Richard_... 3,500
13. and235100 3,400
14. goban 2,600
14. -Mystique- 2,600

1. rpggamer... 103,753
2. IndiGenus 59,515
3. michko 36,302
4. younghv 32,688
5. Sheharya... 23,825
6. phototropic 23,010
7. war1 18,030
8. johnb6767 17,050
9. r-k 15,899
10. briancassin 13,000
11. orangutang 8,500
12. moh10ly 8,307
13. rindi 7,598
14. and235100 7,350
15. jvuz 6,632

05.12.2008 at 06:00AM PDT, ID: 23394341

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.3

System is generating virus alerts

Zones: Desktop Anti-Virus, Windows XP Operating System, Shell Scripting

Tags: Microsoft, Windows XP, Xp Service pack 2

Hi,

My system is generating some alerts most of time:
Malicious code found in file C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP237\A0033318.0NF. I have anti virus installed its Fsecure corporate edition.

I tried to access that path but its not accessible. How could i remove it.

Start your free trial to view this solution

Question Stats

Zone: Virus & Spyware

Question Asked By: terhana

Solution Provided By: IndiGenus

Participating Experts: 5

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

05.12.2008 at 06:21AM PDT, ID: 21546711

Rank: Master

IndiGenus:

Hi,
That is a restore point and can be simply cleaned out by resetting system restore.

http://www.sophos.com/support/knowledgebase/article/10386.html

Good luck,
Dave

Accepted Solution

05.12.2008 at 06:38AM PDT, ID: 21546848

Rank: Sage

rpggamergirl:

As IndiGenus posted, those viruses are in the System Restore.

Turning Off System Restore will purge/delete all your restore points along with all the viruses that are in there.
Reboot and remember to turn System Restore back on again and immediately create a new restore point.

If it helps, How to Create a New Restore point.
http://www.winxptutor.com/createrp.htm

Assisted Solution

05.12.2008 at 06:40AM PDT, ID: 21546873

Rank: Wizard

Jonvee:

Had already typed this so will post it anyway, to back up above comments >>>

Yes, as already suggested the _RESTORE folder is part of your System Restore circuitry. Possibly you have a genuine virus(or Malware?) within it, but this can probably be overcome by disabling then re-enabling System Restore.
This article can help>
http://www.pchell.com/virus/systemrestore.shtml

If you did find your System Restore was not functioning, there is a method of repairing System Restore by running the following command >>

Select Start > Run > type %SystemRoot%\inf Press Enter.

Details here >>
"When to reinstall System Restore in Windows XP":
http://searchwinsystems.techtarget.com/tip/1,289483,sid68_gci1144995,00.html

Upon completion it would be prudent to run further virus & Malware scanners to ensure a clean machine.

Assisted Solution

05.12.2008 at 05:09PM PDT, ID: 21551420

Rank: Sage

orangutang:

You can also use:
http://support.microsoft.com/kb/309531
to gain access to it without removing all of restore points.

05.19.2008 at 03:06AM PDT, ID: 21596340

terhana:

Hi All,

I tried by disabling system restore and then re enabling it but still i am receiving such alerts:
Malicious code found in file C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP270\A0041689.0NF.
Infection: Worm.Win32.Perlovga.a

These alerts generates whenever my system is locked or i am not using it for some time. During normal usage i am not receiving any alert.

05.19.2008 at 04:04AM PDT, ID: 21596567

Rank: Master

IndiGenus:

It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

05.19.2008 at 04:09AM PDT, ID: 21596598

terhana:

I have downloaded the tool and scanned it.

Attached is the log file.

hijackthis.log (12 KB) (File Type Details)

Log file scanned by hijackthis tool

05.19.2008 at 04:24AM PDT, ID: 21596678

Rank: Master

IndiGenus:

Hmm....looks ok. Question, did you turn your PC off in between turning system restore off, then back on again? Wonder if they didn't get cleared out. Looking at my instruction to do this it does not advise this, so my bad. Follow the link to instructions that Jonvee gave as it advises this correctly, then see if problem still persists.

05.24.2008 at 07:36AM PDT, ID: 21639291

Rank: Guru

moh10ly:

Do the following..
Restart to safe mode.
Open my computer
To see hidden files:
1.On the Tools menu in Windows Explorer, click Folder Options.
2.Click the View tab.
3.Under Hidden files and folders, click Show hidden files and folders.
4. Uncheck the Hide protected operating system files (recommended) option.
Click OK
Goto C:\
You will be able to locate SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\
Delete the folder "RP270" that is found inside the above path.

If this folder is not found, then you should apply a check disk for Partition C.

terhana

06.23.2008 at 06:41AM PDT, ID: 21846069

Hi All,

Again i am receiving same alerts like before:

Malicious code found in file E:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP18\A0006564.0NF.
Infection: Worm.Win32.Perlovga.a

moh10ly

06.23.2008 at 06:45AM PDT, ID: 21846114

Disable system restore. once
reboot - Enable system restore.

Do Full scan using Trend micro online scan.
this should work.

Jonvee

06.23.2008 at 07:03AM PDT, ID: 21846282

I agree with moh10ly, and you may want to read the following Microsoft Article on Viruses and why they cannot be cleaned in the _Restore Folder
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q263/4/55.ASP&NoWebContent=1

If unresolved you can also try AVG Antivirus Free 7.5.488 >
http://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10645435.html

Also a-squared which is a complementary product to antivirus software>
a-squared Free:
http://www.emsisoft.com/en/software/free/

If still no good try the Kaspersky free online virus scanner>
http://www.kaspersky.co.uk/virusscanner

20080236-EE-VQP-29 / EE_QW_2_20070628