Spyware In System Volume Information, No Action Possible

Hi all,

I did a Full System Scan and a Deep System Scan and there were some threats remaining that were located in System Volume Information which BitDefender could not take action against and of which I can't find manually and delete.

E:\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP6\A0000207.com Gen:Trojan.Heur.6000FFBDBD No action was possible

E:\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP8\A0000233.com Gen:Trojan.Heur.6000FFBDBD No action was possible

Object Name Threat Name Final Status

\System Volume Information\_restore{B05D9507-EE70-45B6-8866-87A0578AA978}\RP7\A0003933.exe=](Instyler o)=](Instyler Module 75)=](NSIS o)=]lzma_solid_nsis0006 Adware.Iebar.A Infected (no action was possible, file was in an archive)

\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP8\A0000231.exe=](RAR Sfx o)=]svchost.exe Generic.Keylogger.C6F510F4 Infected (no action was possible, file was in an archive)

\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP8\A0000231.exe=](RAR Sfx o)=]svchosthk.dll Generic.Perfloger.BD9DEACE Infected (no action was possible, file was in an archive)

\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP8\A0000231.exe=](RAR Sfx o)=]svchostwb.dll Trojan.Keylogger.Perfect.1.4.7 Infected (no action was possible, file was in an archive)

\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP8\A0000231.exe=](RAR Sfx o)=]rinst.exe Trojan.Keylogger.Perfect.1.4.7 Infected (no action was possible, file was in an archive)

I have also attached the complete logs of both scans. Note, the Deep System Scan didn't complete since my computer restarted overnight due to Windows Update so I'll be rerunning it again .

An additional symptom I've noticed is whenever I restart, I can't open my hard drives by double-clicking; it asks to choose a program to open them. I always go into regedit and delete the first mountpoints2 I find to temporarily fix the problem but if anyone can shed some light on this I'd be grateful.

/applications/core/interface/file/attachment.php?id=4880" data-fileid="4880" rel="">1236618956_1_02_Full_Scan_.xml

/applications/core/interface/file/attachment.php?id=4881" data-fileid="4881" rel="">1236590283_3_02_Deep_Scan_.xml

Find more posts tagged with

Comments

john305

Hi yes all u have to do is turn off system restore reboot and turn it back on again. You of course lose all restore points but there infected anyway.

Niels

Dear Tiedwai,

It might be that BitDefender prevents the deletion of these restore points. Open BitDefender switch to advanced view go to antivirus,high light the shield tab, uncheck real-time protection is enabled choose 5 minutes. After you have done that:

Click on start,right click on (my) computer,choose properties,system restore,check turn system restore off for all stations press on apply and ok. Reboot your pc. Do the same thing but now uncheck turn system restore off for all stations press on apply and ok.

Can you please download fix drive? Extract it and double click on fixdrive.exe. Select the drive letter of your hard disk that you have problems with opening it and press on fix. Reboot your pc.

Kind regards,

Niels

Tiedwai

Hi yes all u have to do is turn off system restore reboot and turn it back on again. You of course lose all restore points but there infected anyway.

Thanks for the reply. I did this and did a new scan (new log is attached). There was still one item (Adware.iebar.A) in there that was in System Volume Information.

Dear Tiedwai,

It might be that BitDefender prevents the deletion of these restore points. Open BitDefender switch to advanced view go to antivirus,high light the shield tab, uncheck real-time protection is enabled choose 5 minutes. After you have done that:

Click on start,right click on (my) computer,choose properties,system restore,check turn system restore off for all stations press on apply and ok. Reboot your pc. Do the same thing but now uncheck turn system restore off for all stations press on apply and ok.

Can you please download fix drive? Extract it and double click on fixdrive.exe. Select the drive letter of your hard disk that you have problems with opening it and press on fix. Reboot your pc.

Kind regards,

Niels

Thanks for the reply. I will try this when I get home tonight and do another scan overnight. (I fixed my drives already from help elsewhere but thanks for the help on that matter as well).

A new thing popped up: Trojan.FakeAV.GR. Would this be fixed if I just deleted the cache for Mozilla?

/applications/core/interface/file/attachment.php?id=4887" data-fileid="4887" rel="">1236789148_1_02_Deep_Scan2_.xml

1236789148_1_02_Deep_Scan2_.xml

Tiedwai

A new thing popped up: Trojan.FakeAV.GR. Would this be fixed if I just deleted the cache for Mozilla?

Quick comment before I run the scan and go sleep: I can't seem to change folder options to be able to view hidden files; it just automatically reverts back when I press ok.

Tiedwai

Dear Tiedwai,

It might be that BitDefender prevents the deletion of these restore points. Open BitDefender switch to advanced view go to antivirus,high light the shield tab, uncheck real-time protection is enabled choose 5 minutes. After you have done that:

Click on start,right click on (my) computer,choose properties,system restore,check turn system restore off for all stations press on apply and ok. Reboot your pc. Do the same thing but now uncheck turn system restore off for all stations press on apply and ok.

Can you please download fix drive? Extract it and double click on fixdrive.exe. Select the drive letter of your hard disk that you have problems with opening it and press on fix. Reboot your pc.

Kind regards,

Niels

Okay I tired this and ran a deep scan last night. BD still can't get rid of the same 2 infections: Adware.Iebar.A and Trojan.FakeAV.GR.

In addition, I can't turn on viewing of hidden files.

Any further ideas? =]

/applications/core/interface/file/attachment.php?id=4889" data-fileid="4889" rel="">1236872129_1_02_Deep_Scan_3_.xml

1236872129_1_02_Deep_Scan_3_.xml

rootkit

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

http://www.atribune.org/ccount/click.php?id=1

Double-click ATF Cleaner.exe to open it

Under Main choose: Select all

Then click the Empty Selected button.

If you use Firefox:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Download Repara.zip, extract Repara.ini on your Desktop. Right click on it and choose Install. It will ask if you want to import the information in Window registry. Click Yes.

http://rapidshare.de/files/46045701/Repara.zip.html

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.

2. Right-click the My Computer icon, and then click Properties.

3. Click the System Restore tab.

4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:

5. Click Apply.

6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.

7. Click OK.

8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

This will solve your problems

Tiedwai

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

http://www.atribune.org/ccount/click.php?id=1

Double-click ATF Cleaner.exe to open it

Under Main choose: Select all

Then click the Empty Selected button.

If you use Firefox:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Download Repara.zip, extract Repara.ini on your Desktop. Right click on it and choose Install. It will ask if you want to import the information in Window registry. Click Yes.

http://rapidshare.de/files/46045701/Repara.zip.html

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.

2. Right-click the My Computer icon, and then click Properties.

3. Click the System Restore tab.

4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:

5. Click Apply.

6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.

7. Click OK.

8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

This will solve your problems

Thanks for the reply. I think I know why turning off System Restore is not solving my problems. My old boot up drive was infected and became unable to boot up, so I installed XP onto a new harddrive. Could it be that the System Restore files from the old boot up drive are not being deleted when I'm turning off System Restore with the new harddrive as the boot drive?

john305

The only thing i see possible is that you still have a virus and when you turn system restore back on when it makes the restore point it adds the virus again . Try makeing sure that system restore only monitors the c drive and see it that works with a clean restore volume. Dont let it monitor all drives to start with once you are sure c drive restore is ok you can check the other drives and see what one adds the virus.

Tiedwai

The only thing i see possible is that you still have a virus and when you turn system restore back on when it makes the restore point it adds the virus again . Try makeing sure that system restore only monitors the c drive and see it that works with a clean restore volume. Dont let it monitor all drives to start with once you are sure c drive restore is ok you can check the other drives and see what one adds the virus.

Actually, I haven't been turning system restore back on, it's being kept OFF and these scans are still picking up stuff in System Volume Information on every drive but C drive (new boot up drive).

That's why my thought was that the old system restore points from the old boot up drive were not being deleted when I'm turning off system restore while booted up on the new boot up drive.

Tiedwai

My latest BD scan shows 1 remaining issue:

However, scans with Malwarebyte and Kaspersky and Superantispyware do not show any threats left.

Is there a way I can find out if this is a false positive?

Note: System Restore is still OFF.

Tiedwai

Latest: I used a program called Icesword to manually delete everything in the System Volume Information folders for all my drives.

I'll be running scans with BD and other programs in the next day or so and see if everything's clean.

rootkit

Please run a full scan and paste here the scan log.

Tiedwai

My Deep Scan and Full System Scan are attached; no problems remaining. =]

/applications/core/interface/file/attachment.php?id=4907" data-fileid="4907" rel="">1237221449_1_02_Full_Scan_.xml

/applications/core/interface/file/attachment.php?id=4908" data-fileid="4908" rel="">1237308798_1_02_Deep_Scan_.xml

1237221449_1_02_Full_Scan_.xml

1237308798_1_02_Deep_Scan_.xml

rootkit

The logs are clean. Those files are password protected or overcompresed and BitDefender can't scan them.