 | Downloader:trojan.funweb.A in restore.... My friend called me last night, they have a virus.
They use AVG and cannot remove it, as it is located in their c:/_restore/temp folder.
Funny thing, I turned off system restore for them about 8 months ago, and it shows as turned off when following the steps to shut it off. I told her to clear the restore files, she says nothing happens, i.e. there are none to clear.
Any ideas how to get rid of this? She had dialup so d/l'n a lot of programs will be hard.
The name of the trojan is downloader:trojan.funweb.A
I cannot find any reference to it on the AVG or Symantec site.
Will a scan in safe mode do anything different? |
|
 | Is it possible for this to be a FP?
She tells me she updated her AVG yesterday and this is when this virus popped up.
I can't seem to find anything in any of the virus encyclopedias, even AVG's, which is strange.
Also, when I tell her to go to the path that AVG says the trojan is in, she says it doesn't exist. She says there is no temp folder, etc. in the _restore folder... could these just be hidden? |
|
 | reply to QN_52 said by QN_52: Will a scan in safe mode do anything different?
I was going to suggest that. Scanning in Safe Mode ensures nothing but the minimal drivers for your O.S. are loaded and running in memory -- no third party programs {including no malware} will be loaded in memory and locked by the O.S. Good Luck!  -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13) |
|
 | reply to QN_52 said by QN_52: Is it possible for this to be a FP? She tells me she updated her AVG yesterday and this is when this virus popped up. I can't seem to find anything in any of the virus encyclopedias, even AVG's, which is strange.
It is most likely adware. See this thread: »TrojanHunter and Adware -- and you'll see the similarities to the "downloader:trojan.funweb.A" and all the "trojandownloader" entries in TrojanHunter -- I don't think it's a real virus or trojan, but adware.  -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13) |
|
|
|
 | reply to QN_52 Just have her disable system restore and then re-enable it with a new restore point. This will clear the files in System Restore since that is where you say AVG is finding it.
Cannot repair, quarantine, or delete a virus found in the _RESTORE or System volume information folder »service1.symantec.com/SUPPORT/na···13515106
One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.
BTW trojan.downloader.funweb sure sounds like adware to me. I would not be surprised if this is one that AVG has recently added. In fact, funweb sounds a lot like what you get from Smiley Central & funweb products. There is a good discussion of it here:
Smiley Central, Is it safe to use? »forum.gladiator-antivirus.com/in···ic=14639
Have her check to see if that is what she has on her PC - it may be what is triggering AVG. -- It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals) »www.a-sap.org/ |
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:6 | reply to QN_52 Can you tell them to also clean out any quarantine folder they might have for other scanners they might have installed and then even though they are sure the ME system restore is disabled and cleaned out..maybe you can give them this info..especially the last link with screen shot just to double check..you might even want to turn the restore on then reboot..then off again reboot..and then scan and of course like Randy stated have them do it in the safemode.
I do not think ME allows different system restore for different users...but not sure on that point. Never had ME.
Antivirus Tools Cannot Clean Infected Files in the _Restore Folder
»support.microsoft.com/default.as···ontent=1
NAME: Disabling System Restore on Windows ME ALIAS: Disabling Windows ME AutoRestore feature (with screenshots) »www.europe.f-secure.com/v-descs/···is.shtml -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ |
|
 | Thanks for your responses.
I believe Calamityjane's reference to smiley central is bang on, I remember seeing that on her startup folder somewhere...I'll tell her to check it out.
System restore is currently off, and always has been for about 8 months. That's why I don't understand why it's in that folder? Anyways, I'll tell her to enable it, reboot, disable it, re-enable it then scan with it disabled. Hopefully that will clear everything out (even though there should be nothing in there anyways?)
I'll get back to you all later tonight. |
|
 | She indeed had Mywebsearch email plugin on her computer. Told her to delete it from add/remove programs, uninstalled successfully.
Re-booted to safe mode and did a scan and was able to remove the file this time, rebooted and did another scan and it came back clean.
Thanks to those who responded. I will give her system a check over the next time I see her, about a month, with HijackThis, etc.
Thanks again |
|
 | You're welcome - glad we could all help. Thanks for posting back with your findings.
She probably has a funwebproducts in her Downloaded Programs Folder as well. That one is detected and prevented by Spyware Blaster but it won't remove it once it is there. Not one of your really harmful items, but something to look for once you get a HijackThis log on that PC.
That product is not detected by Adaware or Spybot because it is fully disclosed in the terms of agreement when you download the Smiley Central product. If I were you, I would caution your friend about reading those agreements carefully next time they are downloading programs from the internet.
Additionally, here are some free programs and recommendations everyone really needs these days to avoid such parasites
»Security »How do I prevent browser hijacks and spyware? -- It takes a disaster to make a woman out of a female Gladiator Security Forum Proud Member of ASAP (Alliance of Security Analysis Professionals) »www.a-sap.org/ |
|