TROJAN that won't go away



Rio
07-09-2005, 10:48 PM
Keep getting the following pop-up box:

"eTrust EZ Antivirus real-time protection has found that C:\System Volume
Information\_restore{E05B5124-1BB6-4283-8120-E9F83827104B} \RP
195\A0012238.exe is Win32.Imiserv.F trojan"

I did full scan using McAfee, Avast! and nothing. Then, followed
instructions found on this newsgroup, by David Lipman
(www.claymania.com/removal-trojan-adware.html)
and did, step-by-step (took me the whole day, literally) and thought I've
gotten rid of it. But no. It is still popping up and I have no idea how to
get rid of this or what else to do.
Help, anyone, please? My O/S is Windows XP
thank you.

Malke
07-09-2005, 10:48 PM
Rio wrote:

> Keep getting the following pop-up box:
>
> "eTrust EZ Antivirus real-time protection has found that C:\System
> Volume Information\_restore{E05B5124-1BB6-4283-8120-E9F83827104B} \RP
> 195\A0012238.exe is Win32.Imiserv.F trojan"
>
> I did full scan using McAfee, Avast! and nothing. Then, followed
> instructions found on this newsgroup, by David Lipman
> (www.claymania.com/removal-trojan-adware.html)
> and did, step-by-step (took me the whole day, literally) and thought
> I've gotten rid of it. But no. It is still popping up and I have no
> idea how to get rid of this or what else to do.
> Help, anyone, please? My O/S is Windows XP
> thank you.

The file is in your System Restore. Since you know your system is clean
(presumably), go to Start>Programs>Accessories>System Tools>System
Restore. Make a new System Restore point, calling it something useful
like "Clean". Now use Disk Cleanup (Start>Run cleanmgr [enter]) and use
the More Options tab to remove all but the last System Restore point,
which will be the new one you just made.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
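
An added example, not part of any poster's message: a triage helper that recognises when a detection path lies inside the Windows XP System Restore store (`_restore{GUID}\RP<n>\A<7 digits>.<ext>`), meaning the scanner hit an archived copy rather than a live file. The function names are hypothetical, the alert wording is assumed to follow the pop-up quoted in this thread, and whitespace around `\` or inside `RP 195` is treated as a line-wrap artifact.

```python
import re

# Windows XP System Restore archive layout (files are renamed on backup):
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<7 digits>.<ext>
SR_PATH = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\"
    r"_restore\{(?P<guid>[0-9A-Fa-f-]{36})\}\\"
    r"RP(?P<rp>\d+)\\(?P<file>A\d{7}\.\w+)$",
    re.IGNORECASE,
)
# Assumed alert wording, modelled on the pop-up quoted in the thread.
ALERT = re.compile(
    r"found that\s+(?P<path>.+?)\s+is\s+(?P<threat>\S+)\s+trojan",
    re.IGNORECASE | re.DOTALL,
)

def normalize_path(raw):
    """Undo line-wrap damage: stray whitespace around '\\' and inside 'RP 195'."""
    path = re.sub(r"\s+", " ", raw.strip())
    path = re.sub(r"\s*\\\s*", r"\\", path)
    return re.sub(r"\\RP (\d+)\\", r"\\RP\1\\", path)

def triage_alert(alert_text):
    """Classify one AV alert as a restore-point archive hit or a live-file hit."""
    m = ALERT.search(alert_text)
    if m is None:
        return None
    path = normalize_path(m.group("path"))
    result = {"threat": m.group("threat"), "path": path}
    sr = SR_PATH.match(path)
    if sr:
        # Archived copy: purge restore points only after the live system is clean.
        result.update(location="system_restore_archive",
                      restore_point=int(sr.group("rp")),
                      archived_file=sr.group("file"))
    else:
        result["location"] = "live_filesystem"
    return result

# Constructed sample: the thread's pop-up text, with its line wraps kept.
SAMPLE = (
    '"eTrust EZ Antivirus real-time protection has found that C:\\System Volume\n'
    "Information\\_restore{E05B5124-1BB6-4283-8120-E9F83827104B} \\RP\n"
    '195\\A0012238.exe is Win32.Imiserv.F trojan"'
)

if __name__ == "__main__":
    print(triage_alert(SAMPLE))
```

A `system_restore_archive` result alongside clean scans of the live file system matches the situation described in this thread; a `live_filesystem` result means cleanup is not finished.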

rio
07-09-2005, 10:48 PM
Malke,
I just wanted to say thank you - very delayed I realize. I did what you told
me and of course it makes total sense. So thank you for the help.

"Malke" wrote:

> Rio wrote:
>
> > Keep getting the following pop-up box:
> >
> > "eTrust EZ Antivirus real-time protection has found that C:\System
> > Volume Information\_restore{E05B5124-1BB6-4283-8120-E9F83827104B} \RP
> > 195\A0012238.exe is Win32.Imiserv.F trojan"
> >
> > I did full scan using McAfee, Avast! and nothing. Then, followed
> > instructions found on this newsgroup, by David Lipman
> > (www.claymania.com/removal-trojan-adware.html)
> > and did, step-by-step (took me the whole day, literally) and thought
> > I've gotten rid of it. But no. It is still popping up and I have no
> > idea how to get rid of this or what else to do.
> > Help, anyone, please? My O/S is Windows XP
> > thank you.
>
> The file is in your System Restore. Since you know your system is clean
> (presumably), go to Start>Programs>Accessories>System Tools>System
> Restore. Make a new System Restore point, calling it something useful
> like "Clean". Now use Disk Cleanup (Start>Run cleanmgr [enter]) and use
> the More Options tab to remove all but the last System Restore point,
> which will be the new one you just made.
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>

Malke
07-09-2005, 10:48 PM
rio wrote:

> Malke,
> I just wanted to say thank you - very delayed I realize. I did what
> you told me and of course it makes total sense. So thank you for the
> help.
>
You are most welcome. I'm glad you've got things sorted. Thanks for
taking the time to let me know.

Stay safe,

Malke
--
MS-MVP Windows User/Shell
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

GTS
07-09-2005, 10:48 PM
Malke,

Are you completely confident that removing all but the last RP after
cleanup, as contrasted to disabling and re-enabling SR, is effective to
purge all parasites? I tend to do the latter but have seen differing
opinions.
--

"Malke" <invalid@not-real.com> wrote in message
news:uwc5m1mVFHA.2328@TK2MSFTNGP10.phx.gbl...
> Rio wrote:
>
>> Keep getting the following pop-up box:
>>
>> "eTrust EZ Antivirus real-time protection has found that C:\System
>> Volume Information\_restore{E05B5124-1BB6-4283-8120-E9F83827104B} \RP
>> 195\A0012238.exe is Win32.Imiserv.F trojan"
>>
>> I did full scan using McAfee, Avast! and nothing. Then, followed
>> instructions found on this newsgroup, by David Lipman
>> (www.claymania.com/removal-trojan-adware.html)
>> and did, step-by-step (took me the whole day, literally) and thought
>> I've gotten rid of it. But no. It is still popping up and I have no
>> idea how to get rid of this or what else to do.
>> Help, anyone, please? My O/S is Windows XP
>> thank you.
>
> The file is in your System Restore. Since you know your system is clean
> (presumably), go to Start>Programs>Accessories>System Tools>System
> Restore. Make a new System Restore point, calling it something useful
> like "Clean". Now use Disk Cleanup (Start>Run cleanmgr [enter]) and use
> the More Options tab to remove all but the last System Restore point,
> which will be the new one you just made.
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User

David H. Lipman
07-09-2005, 10:48 PM
From: "GTS" <x>

| Malke,
|
| Are you completely confident that removing all but the last RP after
| cleanup, as contrasted to disabling and re-enabling SR, is effective to
| purge all parasites? I tend to do the latter but have seen differing
| opinions.
| --

If you understand the concepts and understand the risks, use the method you feel comfortable
with.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Malke
07-09-2005, 10:48 PM
David H. Lipman wrote:

> From: "GTS" <x>
>
> | Malke,
> |
> | Are you completely confident that removing all but the last RP
> | after
> | cleanup, as contrasted to disabling and re-enabling SR, is effective
> | to
> | purge all parasites? I tend to do the latter but have seen
> | differing opinions.
> | --
>
> If you understand the concepts and understand the risks, use the
> method you feel comfortable with.
>
Thanks, Dave. We are in total agreement. I like to leave a System
Restore point until I'm quite sure everything is fine so as to have a
fallback position - although usually if things are That Hosed, the
fallback position isn't necessarily useful :-). Then I like to make a
new clean point and get rid of the old ones. But if the OP likes to be
really, really sure he could always just disable/enable SR once he
knows everything is OK.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

GTS
07-09-2005, 10:48 PM
Malke,

I don't clear the RP's until cleanup is completed and I have done several
test reboots and complete application and network testing. I sometimes
service PC's with 20 plus Viruses/Trojans and 1200 or more parasite items.
Because System Restore essentially builds a Delta, I'm not totally confident
that the 'create new/delete all but last' is foolproof, though it is
probably adequate. (I like to nail every subtle remnant including the types
that some specialized tools like Bazooka tend to turn up after other tools
report clean.) Microsoft recommends the disable/reenable approach, but
their TechNet documentation on System Restore is dated and contains some
inaccuracies.

(One of these days I plan to do some testing on the issue by backing up the
completely cleaned machine and doing a System Restore and reexamination.
Will share the results.)
--

"Malke" <invalid@not-real.com> wrote in message
news:OWOtAcoWFHA.2448@TK2MSFTNGP12.phx.gbl...
> David H. Lipman wrote:
>
>> From: "GTS" <x>
>>
>> | Malke,
>> |
>> | Are you completely confident that removing all but the last RP
>> | after
>> | cleanup, as contrasted to disabling and re-enabling SR, is effective
>> | to
>> | purge all parasites? I tend to do the latter but have seen
>> | differing opinions.
>> | --
>>
>> If you understand the concepts and understand the risks, use the
>> method you feel comfortable with.
>>
> Thanks, Dave. We are in total agreement. I like to leave a System
> Restore point until I'm quite sure everything is fine so as to have a
> fallback position - although usually if things are That Hosed, the
> fallback position isn't necessarily useful :-). Then I like to make a
> new clean point and get rid of the old ones. But if the OP likes to be
> really, really sure he could always just disable/enable SR once he
> knows everything is OK.
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User

GTS
07-09-2005, 10:48 PM
Thanks, but yes I understand the concepts and I already feel free to do what
I'm comfortable with :)
--

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23SuowKjWFHA.2520@TK2MSFTNGP09.phx.gbl...
> From: "GTS" <x>
>
> If you understand the concepts and understand the risks, use the method
> you feel comfortable
> with.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

