Expert: Brian Benosky - 11/10/2010

Question
QUESTION: Hi Brian, my PC ran the  weekly schedule scan and it found these but I dont understand what action "failed" means.  I did run the eset scan yesterday but it didnt find anything.
Suspicious items (4)
Suspicious:W32/Malware!Gemini (Suspected infection)
C:\System Volume Information\_restore{03E957AE-ADF5-4273-8663-8CB88CF2939F}\RP1281\A0138943.exe Action: FAILED
C:\System Volume Information\_restore{03E957AE-ADF5-4273-8663-8CB88CF2939F}\RP1277\A0136419.exe Action: FAILED
C:\Program Files\GordianKnot\vStrip_gui.exe Action: FAILED
C:\Program Files\Ares\(Codecs)\[codec] All Video Codecs for Mediaplayer [svcd, avi, mpeg, mpg, divx]\Codecs! Play Anything! Quicktime, Real, Divx5.5,Xvid. Yup! Everything!\XviD Codec 17.07.2003.1100.exe Action: FAILED



ANSWER: Hi Elizabeth

Your anti-malware program failed to delete these files.  The first two are System Restore files, probably from when you were infected.  You can delete these by turning off System Restore, then turning it back on again.  
The Gordian Knot entry deals with a video editing program you have installed.  This is a legitimate entry, but was heuristically detected by your scanner.  It can be left alone.
The last entry is a bit of a puzzler.  Ares Galaxy was an popular early p2p program.  Some versions of the program came bundled with adware.  If you do not use it, try uninstalling it.  
Any problems, just let me know.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian, how do I turn off system restore and do I need to reboot after I turn if off to turn it back on?

I am not sure if I use Ares Galaxy, how would I find that out?
Sorry for all these stupid questions.

ANSWER: Hi Elizabeth

Check to see if Ares is installed by going into your Control Panel and looking in your Add/Remove Programs.  Or check in the folder C:\Program Files\Ares for an Uninstall.exe.
As for System Restore, follow the directions below:

Steps to turn off System Restore

  1. Click Start, right-click My Computer, and then click Properties.
  2. In the System Properties dialog box, click the System Restore tab.
  3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
  4. Click OK.
  5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
     You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

     Do you want to turn off System Restore?
     After a few moments, the System Properties dialog box closes.

Steps to turn on System Restore

  1. Click Start, right-click My Computer, and then click Properties.
  2. In the System Properties dialog box, click the System Restore tab.
  3. Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
  4. Click OK.

     After a few moments, the System Properties dialog box closes.

Finally, they are not stupid questions!  I should have written out the instructions in the first place, so it's my bad.  Let me know how you make out.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian, thanks for the instructions.  I did as you suggested adn then ran the scan again.  It did find one again on the restore file which again I did as previously instructed and ran another scan, now everything is clear.

Sometimes when I shut down my computer at night and restart it in the morning, when I open up my browser, it asks if I want to go to the home page or last view because it was shut down unexpected.  Would that have been because of the virus?

Answer
Hi Elizabeth

I'm glad you have a clean PC once again!  The latest browsers can save open pages and tabs in case of power failure, or if you just want to pick up where you left off.  Just make sure that you close all tabs and browsers before shutting down your computer and it won't ask you anymore.  The virus may have unexpectedly closed your browsing session, causing the pop-up the next time you started it.  But the pop-up query itself is part of the browser.  Hope that helped.

Brian