[Solved] Fix for trojan in your System Restore files..

[gardenperson]

I am on windows XP home SP3

I have been having a nightmare trying to get rid of this virus/spy/adware whatever it is and i am having no luck.

The name of it is 'not-a-virus:AdWare.Win32.Zwangi.ae.'
Zonealarm keeps finding it and i have deleted and deleted on reboot but it still does not go away.
I run spyware and adware every day, update them everyday too. I have scanned with MBAM and run Ccleaner, even D/L'd superantispyware after reading a thread in here today and ran that. I keep all my security programs up to date.
I have not run zonealarm anti virus in safe mode yet because i am not that sure on the exact process. I ran MBAM in safe mode today but it found nothing (deep scan).
I can find no answers online (that i actually understand) to solve this problem. Some of the answers i found seem to involve a lot of 'sending reports' to forums but i was hoping that this would not be that much of a complicated issue.
When i look at my log viewer after deleting i see that this issue says that some files are still infected. In the column that says 'type' it says 'on access.....' and the rest of the line is not viewable due to the size of the box containing that information.


not-a-virus:AdWare.Win32.Zwangi.ae was found in C:\System Volume Information\_restore{52095AB4-547A-456A-A73F-E9E029D9B17D}\RP187\A0036348.dll on 04/11/2009 15:44:34

not-a-virus:AdWare.Win32.Zwangi.ae was found in C:\System Volume Information\_restore{52095AB4-547A-456A-A73F-E9E029D9B17D}\RP187\A0036349.exe on 04/11/2009 16:41:54

not-a-virus:AdWare.Win32.Zwangi.ae was found in C:\System Volume Information\_restore{52095AB4-547A-456A-A73F-E9E029D9B17D}\RP187\A0036350.exe on 04/11/2009 17:31:10
These are coming up every 40 minutes or so and when i quarantine them they are still coming back.

I am just hoping i don't have to do a restore!

[GeorgeV]

Quote:

Originally Posted by gardenperson

I am on windows XP home SP3

I have been having a nightmare trying to get rid of this virus/spy/adware whatever it is and i am having no luck.

The name of it is 'not-a-virus:AdWare.Win32.Zwangi.ae.'
Zonealarm keeps finding it and i have deleted and deleted on reboot but it still does not go away.
I run spyware and adware every day, update them everyday too. I have scanned with MBAM and run Ccleaner, even D/L'd superantispyware after reading a thread in here today and ran that. I keep all my security programs up to date.
I have not run zonealarm anti virus in safe mode yet because i am not that sure on the exact process. I ran MBAM in safe mode today but it found nothing (deep scan).

* Snip *

I am just hoping i don't have to do a restore!

Try this Forum Link from the Helpful Hints and Links section..

http://www.zaforums-stg.com/showthread.php?t=71586

or this Forum Link on how to Clean your Computer..

http://www.zaforums-stg.com/showpost...07&postcount=2

Please Post back with your Progress Report..
--------------------------------------------------------

[gardenperson]

Thanks for the response.
After i posted this i managed to find the solution (and it was, as is usually the case ) quite simple. I found the solution by typing the result of the search into google rather than the name of the virus/adware/spyware whatever.
This is what i found.

System Volume Information is where your system restore points are saved...in case you ever have to use system restore.

One of the restore points has become infected.

That trojan is in your System Restore files which are basically locked by Windows so your Avast (or whatever antivirus you are running) cannot touch it, to remove the infected file.

The solution is easy. You simply need to delete all your old system restore points. To do so:
go to control panel > system > system restore > check mark "Turn off system restore on all drives" > apply > answer "yes" > OK > reboot. Then turn System Restore back on again.

Once the old restore points have been purged, the trojan will be gone too!

Thanks again George. I hope this becomes useful to someone else who is not too PC savvy (like me).

[GeorgeV]

Quote:

Originally Posted by gardenperson

Thanks for the response.
After i posted this i managed to find the solution (and it was, as is usually the case ) quite simple. I found the solution by typing the result of the search into google rather than the name of the virus/adware/spyware whatever.
This is what i found.

System Volume Information is where your system restore points are saved...in case you ever have to use system restore.

* Snip *

Once the old restore points have been purged, the trojan will be gone too!

Thanks again George. I hope this becomes useful to someone else who is not too PC savvy (like me).

Your Welcome..

Thank you for your Feedback..

[gardenperson]

BTW. Is there any way the title of this thread can be changed so people who might search a similar problem can find it?
I should have titled it to be more relevant to the actual topic and only thought of that in hindsight. I was getting wound up by the problem at the time and was just looking for a solution to MY problem and not thinking about other people who might come across the same sort of problem in the future.

[GeorgeV]

Yes.. Title has been changed..