Hello,
I didn't copy the names, something about a "backdoor" on the first one, I don't remember the others. They were deleted so don't have the names. I got a little panicky and followed the directions to get them off the laptop. The funny thing is that this laptop is hardly ever online, as I seldom use it so I wasn't expecting problems.
Thanks
What are the chances of NIS missing 3 trojans on my computer?
I recently installed Kaspersky on my laptop (Windows XP) after using NIS (uninstalled completely). The new Kaspersky found 3 trojans in "volume information" (restore?) and deleted them etc. but I was wondering if they were false positives. Not sure I want to use the Kas. if it's going to be giving false positives as I'm computer challenged and don't know how to deal with these things. I'm thinking I'll just keep the NIS on the other 2 computers, but not if it misses 3 (!) trojans.
Any opinions on NIS missing 3 trojans?
Ok
Good thing they were deleted then. Some trojans are better detected by some than others.
But it would have been handy to have the samples so Symantec could have written the signatures for these trojans you mentioned.
I'm not familiar with Kaspersky's programs, but if you open it you should have an option to look at the quarantined files or at the logbook. There you should be able to find the names of the files it identified as trojans and the names of the threats. With that information we have a better chance of telling you if it was a false positive or not.
I will actually have a look at a computer tonight that I know found a few trojans in the system restore with a freshly installed antivirus program that I believe was Kaspersky. I will try and find what that was.
Thank you both for the help.
I checked the log and found the information (told you Kaspersky is new to me).
1. Trojan program Backdoor.Win32.Agobot.afk
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013439.exe//CryptFF//PE_Patch//UPack
2. Trojan program Rootkit.Win32.Agent.p
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013440.sys//CryptFF
3. Trojan program Backdoor.Win32.Agobot.afk
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013441.exe//CryptFF//PE_Patch//UPack
Hope that's not too much information. If it is, tell me and I'll try and remove/delete.
thanks!
How did you scan your system with Norton Internet Security? Which types of scans did you perform: Full Scan, or just Quick Scans? The threats you've identified should be detected by Norton software:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99
http://www.symantec.com/security_response/writeup.jsp?docid=2005-060715-2135-99
Any additional information you can provide is appreciated. We want to understand why these threats were not found for you. Thanks!
I did a full scan when NIS updated to 2008 a few months ago. Then it was probably the quick scans that come up when one clicks on the scan button. I don't use the computer very often like I said and it's packed away most of the time. When I go to use it I update NIS first thing, because I know it's been a while and updates are needed.
OK, so I guess they weren't false positives.
thanks
The answer to why the trojans never got detected by Norton is quite simple actually. The \system volume information\ is in the exclusions list by default. So if the trojans never actually were "live" in the system during the time you had Norton, or in other words, if they were already in that folder before Norton got installed, they would not be detected during a scan.
Below is a quotation from the Symantec writeup on why you should disable system restore during cleanup.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
This might be a remnant from the old days that simply stayed in the program as antivirus programs obviously can access the system restore these days (edit: You need user rights to the folder). I don't know about Norton's ability to do so if you were to remove it from the exclusion list though.
That’s very similar to the issue. Quick Scan will scan files with Startup entries or with System-Start INI or batch entries - the typical areas where infections are found. It appears that Katierose has only run Quick Scans for the past few months, which is most likely why the infections were found in an area where Quick Scan doesn’t scan. A Full Scan would catch these trojans, which is why we recommend scheduling a Full System Scan regularly. Thanks!
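Added example, not part of the thread and not code from Symantec or Kaspersky: a small triage script that parses the log entries posted above and reports which detections sit inside a System Restore snapshot (`_restore{GUID}\RP<n>\A<number>.<ext>`) rather than in a live location. The function names are hypothetical, and the `//` suffixes are assumed to be the wrapper/packer layers the scanner reported.

```python
import re
from collections import defaultdict

# Log entries copied from the thread above (report format as posted).
LOG = r"""
1. Trojan program Backdoor.Win32.Agobot.afk
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013439.exe//CryptFF//PE_Patch//UPack
2. Trojan program Rootkit.Win32.Agent.p
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013440.sys//CryptFF
3. Trojan program Backdoor.Win32.Agobot.afk
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013441.exe//CryptFF//PE_Patch//UPack
"""

THREAT_RE = re.compile(r"^\d+\.\s*Trojan program\s+(\S+)\s*$")
# Windows XP System Restore keeps snapshot copies as
# \System Volume Information\_restore{GUID}\RP<n>\A<number>.<ext>
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP(\d+)\\A\d+\.\w+$",
    re.IGNORECASE)

def parse_detections(text):
    """Pair each threat line with the 'File:' line that follows it."""
    found, threat = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = THREAT_RE.match(line)
        if m:
            threat = m.group(1)
        elif line.startswith("File:") and threat:
            # Assumption: '//' separates the file on disk from reported layers.
            path, *layers = line[len("File:"):].strip().split("//")
            rp = RESTORE_RE.search(path)
            found.append({"threat": threat, "path": path, "layers": layers,
                          "restore_point": int(rp.group(1)) if rp else None})
            threat = None
    return found

def by_restore_point(detections):
    """Group threats by restore point; key None means outside System Restore."""
    groups = defaultdict(list)
    for d in detections:
        groups[d["restore_point"]].append(d["threat"])
    return dict(groups)

if __name__ == "__main__":
    for rp, threats in by_restore_point(parse_detections(LOG)).items():
        where = f"restore point RP{rp}" if rp is not None else "outside System Restore"
        print(f"{where}: {threats}")
```

All three entries land in the same restore point, which matches the explanation in the thread: these are snapshot copies in a folder the earlier scans did not cover, not files found in a startup location.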
What are these trojans?