Spyware In System Volume Information, No Action Possible
Hi all,
I did a Full System Scan and a Deep System Scan and there were some threats remaining that were located in System Volume Information which BitDefender could not take action against and of which I can't find manually and delete.
E:\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP6\A0000207.com Gen:Trojan.Heur.6000FFBDBD No action was possible
E:\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP8\A0000233.com Gen:Trojan.Heur.6000FFBDBD No action was possible
Object Name Threat Name Final Status
\System Volume Information\_restore{B05D9507-EE70-45B6-8866-87A0578AA978}\RP7\A0003933.exe=](Instyler o)=](Instyler Module 75)=](NSIS o)=]lzma_solid_nsis0006 Adware.Iebar.A Infected (no action was possible, file was in an archive)
\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP8\A0000231.exe=](RAR Sfx o)=]svchost.exe Generic.Keylogger.C6F510F4 Infected (no action was possible, file was in an archive)
\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP8\A0000231.exe=](RAR Sfx o)=]svchosthk.dll Generic.Perfloger.BD9DEACE Infected (no action was possible, file was in an archive)
\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP8\A0000231.exe=](RAR Sfx o)=]svchostwb.dll Trojan.Keylogger.Perfect.1.4.7 Infected (no action was possible, file was in an archive)
\System Volume Information\_restore{4FBD8D9F-6E63-4B0B-A1EC-1859D8717B04}\RP8\A0000231.exe=](RAR Sfx o)=]rinst.exe Trojan.Keylogger.Perfect.1.4.7 Infected (no action was possible, file was in an archive)
I have also attached the complete logs of both scans. Note, the Deep System Scan didn't complete since my computer restarted overnight due to Windows Update so I'll be rerunning it again .
An additional symptom I've noticed is whenever I restart, I can't open my hard drives by double-clicking; it asks to choose a program to open them. I always go into regedit and delete the first mountpoints2 I find to temporarily fix the problem but if anyone can shed some light on this I'd be grateful.
Comments
-
Hi yes all u have to do is turn off system restore reboot and turn it back on again. You of course lose all restore points but there infected anyway.
0 -
Dear Tiedwai,
It might be that BitDefender prevents the deletion of these restore points. Open BitDefender switch to advanced view go to antivirus,high light the shield tab, uncheck real-time protection is enabled choose 5 minutes. After you have done that:
Click on start,right click on (my) computer,choose properties,system restore,check turn system restore off for all stations press on apply and ok. Reboot your pc. Do the same thing but now uncheck turn system restore off for all stations press on apply and ok.
Can you please download fix drive? Extract it and double click on fixdrive.exe. Select the drive letter of your hard disk that you have problems with opening it and press on fix. Reboot your pc.
Kind regards,
Niels0 -
Hi yes all u have to do is turn off system restore reboot and turn it back on again. You of course lose all restore points but there infected anyway.
Thanks for the reply. I did this and did a new scan (new log is attached). There was still one item (Adware.iebar.A) in there that was in System Volume Information.Dear Tiedwai,
It might be that BitDefender prevents the deletion of these restore points. Open BitDefender switch to advanced view go to antivirus,high light the shield tab, uncheck real-time protection is enabled choose 5 minutes. After you have done that:
Click on start,right click on (my) computer,choose properties,system restore,check turn system restore off for all stations press on apply and ok. Reboot your pc. Do the same thing but now uncheck turn system restore off for all stations press on apply and ok.
Can you please download fix drive? Extract it and double click on fixdrive.exe. Select the drive letter of your hard disk that you have problems with opening it and press on fix. Reboot your pc.
Kind regards,
Niels
Thanks for the reply. I will try this when I get home tonight and do another scan overnight. (I fixed my drives already from help elsewhere but thanks for the help on that matter as well).
A new thing popped up: Trojan.FakeAV.GR. Would this be fixed if I just deleted the cache for Mozilla?0 -
A new thing popped up: Trojan.FakeAV.GR. Would this be fixed if I just deleted the cache for Mozilla?
Quick comment before I run the scan and go sleep: I can't seem to change folder options to be able to view hidden files; it just automatically reverts back when I press ok.0 -
Dear Tiedwai,
It might be that BitDefender prevents the deletion of these restore points. Open BitDefender switch to advanced view go to antivirus,high light the shield tab, uncheck real-time protection is enabled choose 5 minutes. After you have done that:
Click on start,right click on (my) computer,choose properties,system restore,check turn system restore off for all stations press on apply and ok. Reboot your pc. Do the same thing but now uncheck turn system restore off for all stations press on apply and ok.
Can you please download fix drive? Extract it and double click on fixdrive.exe. Select the drive letter of your hard disk that you have problems with opening it and press on fix. Reboot your pc.
Kind regards,
Niels
Okay I tired this and ran a deep scan last night. BD still can't get rid of the same 2 infections: Adware.Iebar.A and Trojan.FakeAV.GR.
In addition, I can't turn on viewing of hidden files.
Any further ideas? =]0 -
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
http://www.atribune.org/ccount/click.php?id=1
Double-click ATF Cleaner.exe to open it
Under Main choose: Select all
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Download Repara.zip, extract Repara.ini on your Desktop. Right click on it and choose Install. It will ask if you want to import the information in Window registry. Click Yes.
http://rapidshare.de/files/46045701/Repara.zip.html
To turn off Windows XP System Restore:
NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.
This will solve your problems0 -
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
http://www.atribune.org/ccount/click.php?id=1
Double-click ATF Cleaner.exe to open it
Under Main choose: Select all
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Download Repara.zip, extract Repara.ini on your Desktop. Right click on it and choose Install. It will ask if you want to import the information in Window registry. Click Yes.
http://rapidshare.de/files/46045701/Repara.zip.html
To turn off Windows XP System Restore:
NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.
This will solve your problems
Thanks for the reply. I think I know why turning off System Restore is not solving my problems. My old boot up drive was infected and became unable to boot up, so I installed XP onto a new harddrive. Could it be that the System Restore files from the old boot up drive are not being deleted when I'm turning off System Restore with the new harddrive as the boot drive?0 -
The only thing i see possible is that you still have a virus and when you turn system restore back on when it makes the restore point it adds the virus again . Try makeing sure that system restore only monitors the c drive and see it that works with a clean restore volume. Dont let it monitor all drives to start with once you are sure c drive restore is ok you can check the other drives and see what one adds the virus.
0 -
The only thing i see possible is that you still have a virus and when you turn system restore back on when it makes the restore point it adds the virus again . Try makeing sure that system restore only monitors the c drive and see it that works with a clean restore volume. Dont let it monitor all drives to start with once you are sure c drive restore is ok you can check the other drives and see what one adds the virus.
Actually, I haven't been turning system restore back on, it's being kept OFF and these scans are still picking up stuff in System Volume Information on every drive but C drive (new boot up drive).
That's why my thought was that the old system restore points from the old boot up drive were not being deleted when I'm turning off system restore while booted up on the new boot up drive.0 -
My latest BD scan shows 1 remaining issue:
\System Volume Information\_restore{B05D9507-EE70-45B6-8866-87A0578AA978}\RP7\A0003933.exe=](Instyler o)=](Instyler Module 75)=](NSIS o)=]lzma_solid_nsis0006 Adware.Iebar.A Infected (no action was possible, file was in an archive)
However, scans with Malwarebyte and Kaspersky and Superantispyware do not show any threats left.
Is there a way I can find out if this is a false positive?
Note: System Restore is still OFF.0 -
Latest: I used a program called Icesword to manually delete everything in the System Volume Information folders for all my drives.
I'll be running scans with BD and other programs in the next day or so and see if everything's clean.0 -
Please run a full scan and paste here the scan log.
0 -
My Deep Scan and Full System Scan are attached; no problems remaining. =]
0 -
The logs are clean. Those files are password protected or overcompresed and BitDefender can't scan them.
0