Assistance with Trojan-gen in System Volume Information

After doing a 15-hour scan of my desktop I found two Win32:Trojan-gen (other) viruses. One was in an add-on to Flight Simulator and the other is located in C:\System Volume Information\_restore{bunch of numbersandletters}\RP852\A0215510.exe. Both files were moved to the chest and I have not shut my computer down and restarted, as yet. I have read some threads on here and I’m sure my question is answered somewhere, but being new to virus infections, I’m really uncertain which threads actually pertain to my situation. So my question is:

Now that they are in the chest, what now? Does this mean the virus is contained and my computer is now virus “free”?

Run Avast and scan your hard disk again to see if the infected files are all in the chest now. I would also run SUPERAntiSpyware and Malwarebytes Anti-Malware to be more sure, and probably also boot into safe mode and run Avast again. I’m no super-expert, but if after all that your PC works fine and Avast finds nothing, I guess your system is saved. :slight_smile:

Most probably…

Are you using Windows XP/Vista?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it’s safer to send them to the Chest instead of deleting them.
This way you can analyse them further.

Then we can assure you’re virus free :wink:

I am using Windows XP.
I installed and ran SUPERAntiSpyware; it only found cookies when I ran it in the quick scan mode.
I will install Malwarebytes Anti-Malware and run it.
I’m sorry, I don’t know what you mean when you say “boot-time scanning”.
I think when you say “boot” I would actually be rebooting… yes?

A “boot scan” does involve rebooting, yes.
By doing this, certain malware that is “locked” (unable to be moved) can be processed before the OS loads completely. Allow an hour or three. After the boot scan has been scheduled using the steps posted by Tech, it will run the next time you reboot. The time will vary depending on how many files are on your hard drive. But allow plenty of time.

sweetie89123: To boot-scan your hard disk click on Start, then Programs, then Avast! Antivirus and then click on Help.

Then you will see the contents on the left side of the Help window. Open Simple User Interface, then open How to…? and then click on Scheduling the Boot-Time Scan.

Read how to do the boot scan. Hint: to open the Menu, click on the “eject”-like button in the upper left side of Avast’s main window (user interface). After all is set, Avast will ask you to reboot your PC; confirm and the boot scan will occur.

When it’s all over and you’re back in Windows, run SUPERAntiSpyware and Malware Bytes Anti-Malware and then (optionally) Avast again to see if everything is gone. :slight_smile:

If the boot-time scan finds more infected files, write here…

Good luck! :slight_smile:

boot time scheduling (with pictures) : http://www.digitalred.com/avast-boot-time.php

OK… so I did the two other scans and now I’ve gone back into Avast and done a scan of the archives. It looks like many/most of the archive files Avast was unable to scan because they are password-protected (not sure how that happened… ??) and the last four files it found Avast was unable to scan because the file is a decompression bomb ??? Now I’m trying to remain calm… but…

This is the log from Malwarebytes:

Malwarebytes’ Anti-Malware 1.40
Database version: 2754
Windows 5.1.2600 Service Pack 3

9/7/2009 8:52:01 PM
mbam-log-2009-09-07 (20-52-01).txt

Scan type: Quick Scan
Objects scanned: 115120
Time elapsed: 8 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) → Quarantined and deleted successfully.
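The log above is the MBAM 1.x text format: a block of summary counts, then one section per object type with lines of the form `<object> (<family>) -> <action>`. The script below, added here as an example and not a Malwarebytes tool, parses that format and pulls out the two things worth checking before declaring a machine clean: items whose action is anything other than "Quarantined and deleted successfully" (for instance an item still pending "Delete on reboot"), and `Disabled.*` findings, which are not files but tampered security settings (`FirewallDisableNotify = 1` tells Windows XP's Security Center to stop warning that the firewall is off). The sample log is a constructed excerpt modelled on the one posted; the `dropper.exe` line is invented to show an unresolved item.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread, not Malwarebytes code: parses the summary counts and
per-section findings, then reports unresolved items, tampered security settings and
summary counts that disagree with the lines actually listed.
"""
import re
from collections import Counter

# Constructed excerpt modelled on the log format above (the dropper.exe line is invented).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2754
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 115120

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\dropper.exe (Trojan.Agent) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 2"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
# "<object> (<family>) -> <step> [-> <step> ...]"; forum rendering turns "->" into "→".
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<family>[^()]+)\) (?:->|→) (?P<rest>.+)$")
ARROW_RE = re.compile(r"\s*(?:->|→)\s*")
RESOLVED = {"quarantined and deleted successfully"}


def parse_item(line):
    """One finding line -> dict, or None if the line is not a finding."""
    m = ITEM_RE.match(line)
    if not m:
        return None
    steps = ARROW_RE.split(m.group("rest"))
    return {
        "object": m.group("object"),
        "family": m.group("family"),
        "detail": steps[:-1],                 # e.g. ["Bad: (1) Good: (0)"] for data items
        "action": steps[-1].rstrip("."),      # the final remediation status
    }


def parse_log(text):
    """Return (summary_counts, findings); findings carry the section they came from."""
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        item = parse_item(line)
        if item:
            item["section"] = section
            findings.append(item)
    return summary, findings


def count_mismatches(summary, findings):
    """Summary counts that disagree with the items listed (truncated/edited logs show up here)."""
    seen = Counter(f["section"] for f in findings)
    return {name: (n, seen.get(name, 0)) for name, n in summary.items() if n != seen.get(name, 0)}


def triage(text):
    summary, findings = parse_log(text)
    return {
        "total": len(findings),
        "unresolved": [f["object"] for f in findings if f["action"].lower() not in RESOLVED],
        "setting_tampered": [f["object"] for f in findings if f["family"].startswith("Disabled.")],
        "count_mismatches": count_mismatches(summary, findings),
        "by_family": dict(Counter(f["family"] for f in findings)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An "unresolved" entry means the remediation is not done until the reboot MBAM asked for, and a non-empty "setting_tampered" list is a reason to confirm afterwards that the firewall is actually on rather than merely no longer complained about.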

You can try a full system scan, although MBAM catches almost everything in a quick scan. If you are afraid that malware might be on different drives, you can perform a full scan, and post logs using the additional options while posting instead of copy-pasting from the file.

Did you do a boot-time scan?

I have not done the boot scan yet. I was going to do that tomorrow afternoon when I have the time to devote to it…

Please do that and come back later.

Don’t worry about the decompression bomb; it sounds frightening, but it’s nothing other than a big file which contains a lot of data (smaller files), so that’s nothing to worry about. :slight_smile:

Run SAS and MBAM again in safe mode to see if any bad files are still free (not quarantined) and do the Avast boot-time scan too.

Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

Many programs (usually security-based ones) password-protect their files for legitimate reasons, such as Ad-Aware and Spybot Search & Destroy; there are others (and avast doesn’t know the password or have any way of using it even if it did know it).

When you run scans with the above programs and delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password-protected; you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so), which will reduce the number of files that can’t be scanned.

By examining 1) the reason given by avast! for not being able to scan the files and 2) the location of the files, you can get an idea of what program they relate to. You may need to expand the column headings to see all the text.

If you can give some examples of those file names, the locations and the reason given why they can’t be scanned, it might help us further.

The name really is the most dangerous thing about this, and I wish they would change it or simply not report it; a real PITA.
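Both "unscannable" reasons from the archive scan come from archive metadata, not from anything malicious being found, which is why the advice above is not to panic. An "encrypted" general-purpose flag on a ZIP member means the scanner cannot open it without the password; a "decompression bomb" verdict means the member's declared expansion (uncompressed size, or the ratio of uncompressed to compressed size) is beyond what the scanner is willing to inflate. The script below, added here as an example and not Avast's code, inspects a ZIP the same way and reports each member's status without inflating anything it would not be safe to inflate. The archive is constructed in memory: a normal text file, a member that deflates 16 MiB of zeros to a few kilobytes (the classic bomb shape), and a member whose encryption flag is set by hand to stand in for a real password-protected entry. It relies on CPython's `zipfile.ZipFile.start_dir` attribute (the central-directory offset), which is not formally documented, and on ASCII member names.

```python
"""Inspect ZIP members the way a scanner does before deciding whether to scan them.

Added example for this thread, not Avast's code. Reports members that are
password-protected (encryption flag set) or that look like decompression bombs,
and for everything else verifies the declared size by decompressing under a cap,
because central-directory sizes are attacker-controlled hints, not facts.
"""
import io
import zipfile


class DecompressionBomb(Exception):
    """Raised when a member expands past the configured limit."""


def mark_encrypted(archive: bytes, name: str) -> bytes:
    """Set general-purpose flag bit 0 ('encrypted') on one member, in both its local
    header (flags at +6) and its central-directory record (flags at +8).
    Only metadata changes; that is all a scanner looks at before giving up on the entry.
    Assumes ASCII member names (record length uses the UTF-8 byte count)."""
    buf = bytearray(archive)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        cd = zf.start_dir  # offset of the first central-directory record (CPython attribute)
        for zi in zf.infolist():
            if zi.filename == name:
                buf[zi.header_offset + 6] |= 0x01
                buf[cd + 8] |= 0x01
            cd += 46 + len(zi.filename.encode()) + len(zi.extra) + len(zi.comment)
    return bytes(buf)


def build_sample_archive() -> bytes:
    """Constructed sample archive: one harmless file, one bomb-shaped member, one
    member flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless text\n")
        zf.writestr("zeros.bin", b"\0" * (16 * 1024 * 1024))   # deflates ~1000:1
        zf.writestr("secret.txt", "pretend this is ciphertext\n")
    return mark_encrypted(buf.getvalue(), "secret.txt")


def bounded_size(zf: zipfile.ZipFile, zi: zipfile.ZipInfo, limit: int, chunk: int = 1 << 16) -> int:
    """Decompress a member in chunks and stop as soon as the output exceeds `limit`,
    so a header that understates the size cannot make us inflate unbounded data."""
    total = 0
    with zf.open(zi) as f:
        while True:
            block = f.read(chunk)
            if not block:
                return total
            total += len(block)
            if total > limit:
                raise DecompressionBomb(f"{zi.filename}: expanded past {limit} bytes")


def decompressed_size(data: bytes, name: str, limit: int) -> int:
    """Convenience wrapper: bounded decompression of one member of an in-memory archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return bounded_size(zf, zf.getinfo(name), limit)


def inspect_archive(data: bytes, max_ratio: float = 100.0, max_uncompressed: int = 256 << 20) -> list:
    """Classify every member: password-protected, decompression bomb, or scannable
    (declared size confirmed by an actual bounded decompression)."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            encrypted = bool(zi.flag_bits & 0x01)
            if zi.compress_size:
                ratio = zi.file_size / zi.compress_size
            else:
                ratio = 0.0 if zi.file_size == 0 else float("inf")
            if encrypted:
                verdict = "unscannable: password-protected"
            elif zi.file_size > max_uncompressed or ratio > max_ratio:
                verdict = "unscannable: decompression bomb"
            else:
                try:
                    actual = bounded_size(zf, zi, max_uncompressed)
                    verdict = "scannable" if actual == zi.file_size else "unscannable: size mismatch"
                except DecompressionBomb:
                    verdict = "unscannable: decompression bomb (header understated size)"
            report.append({"name": zi.filename, "compressed": zi.compress_size,
                           "uncompressed": zi.file_size, "ratio": round(ratio, 1),
                           "encrypted": encrypted, "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in inspect_archive(build_sample_archive()):
        print(row)
```

The ratio and absolute-size thresholds are deliberately the scanner's policy, not a property of the file: a legitimate backup of sparse data trips the same check, which is exactly why the verdict is "cannot scan" rather than "infected". The bounded read is the part worth keeping if you write your own extraction code, since trusting the declared sizes is how tools get exhausted by a bomb that lies in its headers.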

I have done the boot scan and there are no infected files.
After the boot scan I did a quick scan in both SUPERAntiSpyware and Malwarebytes, which produced nothing but cookies. So I’m guessing that means that my computer is Trojan-free??? !!! ;D

Please say it’s true!!

Also, I’ve been following along with these instructions on my laptop too and will do a boot scan on it next. If I run into any issues after the boot scan and the additional scans in SUPERAntiSpyware and Malwarebytes, I’ll post back here.

I don’t know how to thank you all for walking this NOVICE through this frightening experience. You all are great!!

I guess the other thing I don’t know is what to do with the two files in the chest? Do I leave them there or, if not, how do I move them and delete them?

You can leave them in the Chest. It is a protected area and they can do no harm while they are in the Chest.

If you want to delete them from the Chest, wait for at least 2 weeks to be sure there are no adverse effects to your computer. Then, right click each file in the Infected section of the Chest and select to scan with avast. If they are still showing infected, you can then safely delete them from the Chest.