linque asked:
McAfee keeps removing things - but nothing found

McAfee keeps removing files simultaneously with its alert. Each time it refers to different trojans. Recently it took out two files from my System Restore. I just ran the entire scan on my WINDOWS folder and it found nothing. I am about to scan the entire drive, but I'm not sure what to do at this point.
SOLUTION by war1
This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.

linque (ASKER):
I will report back to you on this - thanks
linque:

Thanks for accepting the answer, but if it turns out that war1's suggestion was more helpful then you can post a request in the Support area (link at upper-right of this page) to re-open the question so you can reassign the points.
linque (ASKER):

Hi - I've run the RootkitRevealer program. It had 4 lines:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed      5/22/2006 7:00 PM      80 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun      5/22/2006 3:01 PM      16 bytes      Data mismatch between Windows API and raw hive data.
C:\System Volume Information\_restore{6E7E82D8-B1BF-459C-8DAE-8245B1CA39AD}\RP1348\A0177499.exe:Zone.Identifier      1/8/2006 3:39 AM      26 bytes      Hidden from Windows API.
E:\System Volume Information\_restore{6E7E82D8-B1BF-459C-8DAE-8245B1CA39AD}\RP1349\A0177516.exe:Zone.Identifier      5/16/2005 1:47 AM      26 bytes      Hidden from Windows API.

I have 2 hard drives - the E is a backup/clone I create every so often.  I suppose I should disable it.

But I have no idea what this is about. I do think the long numbers after {restore may be the same I'm seeing in McAfee. I will have to wait until the next time it displays, however, to be certain.
Overall this is good news. It shows that you don't have a rootkit.

You can clear the System Restore by disabling it, then re-enabling it:

 Control Panel -> System -> System Restore

then "check" the box that reads "Disable System Restore"

Then reboot and "un-check" that box to reenable system restore.

That will clear out the old copies and remove any old trojan hiding in there.

To be on the safe side, you can also do the following:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

This will tell us if there is anything bad still "active" in your system.

I would not worry about the E: drive.
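As an added example (not code from this thread or from Sysinternals), a small Python triage script for RootkitRevealer report lines like the four posted above: it splits each line into its four fields, marks the well-known benign patterns as expected (the RNG Seed and LastTaskRun values, which Windows rewrites between the API pass and the raw-hive pass, and Zone.Identifier alternate data streams, the mark-of-the-web on downloaded files), pulls out the _restore{GUID}\RPnnnn restore point so it can be matched against the McAfee alerts, and leaves anything else for review. The sample input is constructed from the lines in this thread; the verdict rules are my own, not RootkitRevealer's.

```python
import re

# Constructed sample: the four discrepancies reported in this thread, in the tab-separated
# layout RootkitRevealer writes when its report is saved to a text file.
SAMPLE_REPORT = (
    "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed\t5/22/2006 7:00 PM\t80 bytes\t"
    "Data mismatch between Windows API and raw hive data.\n"
    "HKLM\\SOFTWARE\\Microsoft\\SchedulingAgent\\LastTaskRun\t5/22/2006 3:01 PM\t16 bytes\t"
    "Data mismatch between Windows API and raw hive data.\n"
    "C:\\System Volume Information\\_restore{6E7E82D8-B1BF-459C-8DAE-8245B1CA39AD}"
    "\\RP1348\\A0177499.exe:Zone.Identifier\t1/8/2006 3:39 AM\t26 bytes\tHidden from Windows API.\n"
    "E:\\System Volume Information\\_restore{6E7E82D8-B1BF-459C-8DAE-8245B1CA39AD}"
    "\\RP1349\\A0177516.exe:Zone.Identifier\t5/16/2005 1:47 AM\t26 bytes\tHidden from Windows API.\n"
)

# Registry values Windows rewrites continually, so they routinely differ between
# RootkitRevealer's Windows-API pass and its raw-hive pass without anything being hidden.
VOLATILE_VALUES = ("\\Cryptography\\RNG\\Seed", "\\SchedulingAgent\\LastTaskRun")
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:(?P<stream>[^\\:]+)$")
RESTORE_RE = re.compile(r"\\_restore\{(?P<guid>[0-9A-Fa-f-]+)\}\\(?P<rp>RP\d+)\\")

def classify(path, description):
    """Return (verdict, reason, restore_point) for one discrepancy line (my own triage rules)."""
    m = RESTORE_RE.search(path)
    restore_point = f"{m.group('guid')}/{m.group('rp')}" if m else None
    if path.upper().startswith(("HKLM\\", "HKCU\\", "HKU\\")):
        if path.endswith(VOLATILE_VALUES):
            return "expected", "volatile registry value rewritten between scan passes", restore_point
        return "review", "registry data differs from raw hive; inspect the key", restore_point
    ads = ADS_RE.match(path)
    if ads and ads.group("stream") == "Zone.Identifier":
        # Zone.Identifier is the mark-of-the-web stamped on downloaded files; every alternate
        # data stream shows as "Hidden from Windows API" because Win32 does not enumerate them.
        return "expected", "Zone.Identifier ADS (mark-of-the-web) on a downloaded file", restore_point
    if ads:
        return "review", f"unexpected alternate data stream '{ads.group('stream')}'", restore_point
    return "review", description.rstrip("."), restore_point

def parse_report(text):
    """Parse report lines (tab- or multi-space-separated) into triaged dicts."""
    findings = []
    for line in text.splitlines():
        fields = [f for f in re.split(r"\t|\s{2,}", line.strip()) if f]
        if len(fields) != 4:
            continue  # header, blank or unrecognised line
        path, stamp, size, description = fields
        verdict, reason, restore_point = classify(path, description)
        findings.append({"path": path, "timestamp": stamp, "size": size,
                         "verdict": verdict, "reason": reason, "restore_point": restore_point})
    return findings
```

Run `parse_report(SAMPLE_REPORT)` to get the four triaged entries; any entry with verdict "review" is the one worth pulling off the disk for a closer look.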

linque (ASKER):

Thank you so very much!  I'll attempt to do the Hijackthis also!
linque,

As I posted in my first comment, McAfee is finding trojans in System Restore files.  You need to uninstall and reinstall System Restore to get rid of those files.
linque (ASKER):

This was awkward! I assume the question was reopened due to the conclusions reached after running RootkitRevealer. I understand the reasoning. War1 sensed that I should stop and re-start my System Restore. On the other hand, I've learned about a new tool which gave me hard evidence about what was going on. Both wise people.
I reopened because war1 asked in CS to do so :)
And after I read here it was clear that the second expert agrees so I just reopened :)

Annie
No problem with that.

linque, in case you find anything interesting with HijackThis do post back.