Trojan in system restore!!! Help please

sammystingray · Post by **sammystingray** » Tue Apr 30, 2002 11:42 am

I received a trojan while my norton was down, and I found it about five minutes after it was opened, and quickly restored my system to the last clean date. It is in my restore files and can not be deleted or cleaned because it is in use. Can it harm my security from a restore file?? If this is a backdoor type of thing, how does that all work? By being in a restore file I am not currently using ....would this be like a quarantine, or does it still have access to everything???? Any thoughts on how to remove or what to do would be VERY appreciated.

blebs · Post by **blebs** » Tue Apr 30, 2002 2:21 pm

As long as you've reverted the drive back to before the trojan was installed, you should be safe. It can't be executed locked away in system restore.

TonyT · Post by **TonyT** » Tue Apr 30, 2002 4:01 pm

http://www.commodon.com/threat/threat-sub7.htm

sammystingray · Post by **sammystingray** » Tue Apr 30, 2002 5:18 pm

Thanks, it was opened before I restored, so does that mean it is still running or not?? Are all the effected files locked up in that restore copy, or can it still run when trapped in an old restore file? How can I delete the restore file? What's a good program to see if I'm being watched? Thanks again.

sammystingray · Post by **sammystingray** » Fri May 03, 2002 3:21 pm

Hey guys, thanks for the help.....I have spent the last few days learning more about trojan horses (RATs), IP/port scanners than I thought I'd ever know. The link from Tony T really helped me find the server.....I can't thank you enough!!. Many other removal pages were either incorrect or did not apply to my situation. The trojan was infact running while in limbo because it placed the server onto the restored copy.......... the old copy of restore I used because it was before the trojan was infected also. The file was called "netstart" which I now know to be the default since I have also aquired sub7 to investigate what I was up against. The server file was placed in C\windows and the registry under \\\\run services. Since it was given to me, 1536 attacks (most by me checking my port status) were made on my system by 8 sources. 37 port scans not including my own(all ports are checked regularly and all are stealth) , and 23 attempted attacks by sub7 users trying to find a backdoor. Not one single one made it through my firewall, so I am pleased. I am actually now glad to have received the trojan due to the great learning experience it offered!!! Is it sick to find entertainment in virus removal???? Also if anyone wonders about removing restore copies......I spent two days only to figure out it takes two minutes!!!

...........start-settings-control panel-system-performance-file system-trouble shooting- and then simply disable restore, reboot, enable it again and reboot..........copies are gone, and so is my trojan troublemaker.

Thanks guys.

My anti virus was currupt for a week or so, and that's when I got it......it figures!

I now have norton corporate edition running, so I hope to not have to ask a question like this ever again. Tony T.....thanks again for the link, obviously the server file was my main concern.

sammystingray · Post by **sammystingray** » Fri May 03, 2002 3:46 pm

BTW blebs, it can infact run on the restored copy, and it did......is that what the wink at the end of you post is for???? I seriously hope not.

blebs · Post by **blebs** » Fri May 03, 2002 5:07 pm

Originally posted by sammystingray
BTW blebs, it can infact run on the restored copy, and it did......is that what the wink at the end of you post is for???? I seriously hope not.

No it wasn't. I don't know why, but I relate system restore to Go Back and they're 2 completely different programs, that would give you 2 completely different results. I'm sorry if I miss lead you. I sure didn't mean to. I'll chalk that one up as another lesson learned.

sammystingray · Post by **sammystingray** » Fri May 03, 2002 9:11 pm

blebs, I am sorry if you felt accused. I just wasn't sure about the wink thing. I do thank you for you help! The fact is that it did transfer to the restored copy which was a date well before it was opened or even downloaded. I am not sure what exactly system restore saves and replaces, but the trojan server was placed onto the restored copy from the copy sent to limbo. I 100% completely appologize for any judgements, but since I am new here, I just am not sure how this board goes. Thanks, and I am truly sorry for any accusations, but being considered intelligent by myself, I look for people doing me wrong. I am sorry your efforts were not appreciated by me the way they should have been..........just worried about all this computer stuff, and I am quite new here and easy to mess with.

blebs · Post by **blebs** » Fri May 03, 2002 9:45 pm

No harm done and I didn't take it as an accusation. Stick around and learn away. There are a lot of knowledgeable people here. Unfortunetaly, I didn't think it was possible for the trojan to do such a thing, so I learned something new too. Everyday, there is something to be learned, even if your a old member.

AzN_ChRoNiC · Post by **AzN_ChRoNiC** » Wed May 22, 2002 6:16 pm

"Any thoughts on how to remove or what to do would be VERY appreciated." [/B]

Well it is actually very easy to delete the backup files created by system restore, I found this out when I had a 9 GB hard drive and wanted to free up some space. Go to the system properties, performance tab, file system..., troubleshooting tab, and check disable system restore. Restart your computer, and VOILA! Backup files deleted

SG Broadband Community

Trojan in system restore!!! Help please

Trojan in system restore!!! Help please

UPDATE

Re: Trojan in system restore!!! Help please