Avast 4.8 alerted to Win32:Malware-Gen

OS: WinXP SP3
Avast Version: 4.8
Firewall: COMODO
AS: Spybot S&D

Hello.

Upon performing a full scan I received alerts from avast, identifying 4 files on my pc as being infected by Win32:Malware-Gen virus/worm. The files were moved to the chest. However I’m not too sure what to do next. The files it identified as being infected are:

A0172145.dll
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP942

A0172332.dll
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP942

A0177941.dll
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP992

VOL_TO~1.dll
C:\Program Files\vol_toolbar

This is my first time using a technical forum and I’d appreciate any help anyone can offer and thank you for your time.

Hi, RONIN2010, welcome to the forum.

Please post your operating system (vista, XP etc) and details of any other security programs you use (firewall, etc.) or have used in the past.

Can you list the items in the chest with their full file names and original locations (file path).

As a good “second opinion” malware scanner, try downloading, installing, updating and running a quick scan with MBAM, get it here (blue button/free version.) It’s good.

Sorry, just updated my first post with the requested info. Your questions have been answered in my first post.

You have done the right thing, ‘first do no harm’: don’t delete, send the virus to the chest and investigate.

So in theory there is nothing else to do (you could run the MBAM scan as suggested), see below:

  • Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

  • Worst case scenario: it isn’t infected and you delete it; you can’t use that restore point in the future, not much of a loss, and the older the restore point is the less of an issue it is.

  • So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

Now it isn't possible to restore/reinsert a restore point from the chest, as it is a protected area and there is no way to link it back into the system function, so it would be lost in space (so to speak) even if you were able to insert it back in.

I see what you mean regarding the restore points. However I am a little curious about the last file, VOL_TO~1.dll. This from what I know is actually a Verizon online toolbar for Internet Explorer. Since these are DLL’s I imagine deleting them will do more harm than good, except for the restore points. I’m running a 2nd scan and will be running another scan with the MBAM once I get home. If the MBAM returns any results I will post them here, once it has completed. What would be your recommended course of action at this point?

I would recommend you scan with MBAM and see what it comes up with, and then quarantine and remove what it comes up with if it does. It will first quarantine it and then remove it when you hit the remove button, maybe you know this already :).

Another program that is highly recommended is SuperAntiSpyware, which you could download, install and scan with for a second opinion, and it works well with Avast and MBAM.

http://filehippo.com/download_superantispyware/

Good luck and write back on your progress or if you have any more questions.

And finally welcome to the forum from me :) :smiley:

Hmmm… Your advice is noted. However I am a little intrigued by a lot of the posts that I have been seeing in this forum regarding false positives. I had a problem with avast doing this somewhere between November and December of last year, when an update in the av definitions caused Spybot to be flagged as a virus. Still recovering from that episode. That is why I’m nervous regarding these, as they are DLL’s and from my knowledge, deleting DLL’s can do more harm than good. Seeing as one of the “infected” files is a Verizon IE toolbar (VOL_TO~1.dll) which was installed per a security suite I got from them ages ago… Could it be that it may be mistaking the toolbar as a virus? I’m assuming that if that is the case, it could be identifying the system restore points that have a record of this file as infected as well. But I would think that if that was the case, it would be identifying more than just a few system restore points. But to be safe I will definitely run Malwarebytes once I get home as a second measure.

Let’s get a few second opinions on whether this toolbar dll is indeed infected, or more likely to be a FP.

Create a new folder on your drive somewhere, title it “suspicious”. (no quotes).
Go to the Avast program settings, and under “exclusions” add this folder to the area that won’t be scanned. Let me know if you want a step-by-step for that.
Go to the Avast chest, and restore a copy of the file to the new folder.
Open the link to VirusTotal (multi-online scanner service) and click the “browse” button, navigate to the new folder, highlight the dll in that folder, and have it upload.
It will take a minute or three for all scanning to be done. (Also see below). Once scanning is completed, please post the URL of the results page, copied from the browser address bar, to your reply.

If the file has already been scanned (fairly likely) click on the permalink, have a look, and copy the URL of that page from the browser address bar to your reply.

It is not altogether unlikely the toolbar is infected. It may even be considered to be adware or spyware by many security companies. I’ve never used it (I don’t. Can’t stand most toolbars), but from what I’ve read there are at least a few users who have had trouble with this one. If there is an attached AV component to the toolbar, it is possible that is conflicting with the Avast standard shield, and it is probably best removed. (This can be done via add/remove programs, or browser tools>addons)

If the results indicate to you that it is a FP (for example, only two scanners, Avast and GData flag it as malware) then right click on the file from within the chest, and from the available options send it to Alwil as a suspected FP. It will be sent next time your database is updated, either manually or automatically. If it is indeed a FP, it will be fixed within a very few database updates after that. Quite possibly the next update.
Following an iAVS update after sending the FP (assuming you have seen fit to do this) right click on the file from within the chest again, and select “scan”. When/if it scans clean, it can be restored. (A copy will be kept in the chest also, for safe keeping.) When you are happy all is well (the toolbar works) it can be deleted from the chest.

The flawed iAVS update that was released just in early December was an error. That was major. There is info about it on the Avast Blog.
This sounds like a more “routine” series of FPs (it seems there have been a few more than normal, over the past 2 or 3 days) that should be put right quite soon. All the AV’s have FPs from time to time. All of them. In the past I’ve had them with Norton, with AVG, and with Avira. Not recently, though, because the only AV I’ve used for ~3 years is Avast.
I’d rather have the odd FP than a real one gets through. (Unfortunately, they all occasionally let one slip through, too.)

Hope this helps a bit.

I will definitely do that. I’m currently in the middle of running a quick scan with MBAM and waiting to see what it turns up. It’s already hit on an infected file, so I’m wondering exactly how much it’s going to get. This now brings the tally to 5 infected files and it’s still scanning… It seems like every time I run another scan, something else is turning up. Once the scan is complete I will post the log file for the MBAM scan.

No one told you to delete the VOL_TO~1.dll file; it is in the chest, and if it is a required file you should see indications of this, e.g. if and when a call is made to run the file you would or should get a windows error, file missing, etc. That is why we suggest leaving the file in the chest for a few weeks to see if there are any adverse effects of it being moved to the chest.

Deletion isn’t really a good first/early option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest and investigate. The investigation on the infected restore points effectively says there is no real downside to their removal, nothing about VOL_TO~1.dll being deleted.

You can use virustotal for confirmation or otherwise for that.

Yes David thanks. I misread someone’s post… So would it hurt anything after a few weeks, instead of deleting the files, just leaving them in the bin? I’m going to have to submit the file (VOL_TO~1.dll) to virustotal just to make sure that file is not a FP, like you had said. Right now I just finished up running my scans. I first ran an MBAM scan (which found one additional file, “DEVBIED.PKG”) and then ran another extensive Avast scan (which found 0). This is what I have so far:

5 files quarantined by Avast:

A0172145.dll
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP942

A0172332.dll
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP942

A0177941.dll
C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP992

VOL_TO~1.dll
C:\Program Files\vol_toolbar

DEVBIED.PKG
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE

1 file quarantined and removed by MBAM:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.

Log file for MBAM:

Malwarebytes’ Anti-Malware 1.44
Database version: 3671
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/1/2010 7:16:31 AM
mbam-log-2010-02-01 (07-16-31).txt

Scan type: Quick Scan
Objects scanned: 166762
Time elapsed: 18 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

There is no issue leaving them in the chest, they can do no harm there. It is just that most people are champing at the bit to delete them and three weeks just gives time to see any possible effect of having moved it to the chest.

I would suggest that you check scan this one DEVBIED.PKG at virustotal and also VOL_TO~1.dll if you haven’t done so.

Don’t worry my friend, because avast is cleaning your System Restore, that is the C:\System Volume Information directory; it means that when you restore all files to your pc the virus will never come back again.

Will do. I’m currently running another MBAM scan for extra measure, this time a full scan, just to double-check that it’s not missing anything. Once that’s done I’ll upload the log, as well as the results for the two files at virustotal. May be just a case of FP’s… Hoping that’s the case at least. Maybe that would explain the system restore entries, as I thought I had removed that toolbar when I uninstalled the Verizon security suite ages ago. As for the DEVBIED.PKG file… that’s a bit odd, seeing as that’s a VB file. But I will definitely have these checked at virustotal.

Do you mean by restoring a copy of the file to the new folder by, right-clicking the file in the chest and choosing “extract” and then extracting it to the new folder? Just wanted to make sure, haven’t done that before and that’s the options I’m getting when I view the file in the chest.

Do you mean by restoring a copy of the file to the new folder by, right-clicking the file in the chest and choosing "extract" and then extracting it to the new folder? Just wanted to make sure, haven't done that before and that's the options I'm getting when I view the file in the chest.
Yes, that's exactly what I meant, sorry if it was not that clear. "Restore" will, of course, return the file to its original location.

No worries, thanks for clarifying! I’ll give it a go once my scans have finished and upload the logs.

Okay, here’s what I have.

MBAM Logfile:

Malwarebytes’ Anti-Malware 1.44
Database version: 3675
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/2/2010 5:07:04 AM
mbam-log-2010-02-02 (05-07-04).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 389964
Time elapsed: 2 hour(s), 4 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Virustotal scan of file VOL_TO~1.DLL:

http://www.virustotal.com/vt/en/recepcion?e44227a77c1cade44d4bbf1d86c45f13

(file was showing a size of 0 bytes…)

Virustotal scan of file DEVBIED.PKG:

http://www.virustotal.com/analisis/3a63e0a519fb3bcba9f951e29c2cfcfe35dbddd3946e113f0364e08de266c287-1265109255
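The two MBAM logs in this thread (the quick scan that flagged the MyWebSearch registry key, and the clean full scan above) share one fixed layout: a header, a summary block of "<section> Infected: <n>" counts, then one listing per section. The following parser is an added example, not part of the thread or of Malwarebytes' own tooling; it pulls the counts and detection lines out of a constructed sample modelled on the first log (the "→" on the page is the "->" MBAM writes) and cross-checks that the summary counts agree with what is actually listed, which is the quickest way to spot a truncated or hand-edited log.

```python
import re

# Constructed sample modelled on the MBAM 1.44 quick-scan log posted earlier in this thread
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3671
Scan type: Quick Scan
Objects scanned: 166762

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys", "Registry Values",
            "Registry Data Items", "Folders", "Files")
# "<section> Infected: <n>" is a summary count; "<section> Infected:" opens a listing
SECTION_RE = re.compile(r"^(.+?) Infected:(?: (\d+))?$")
# One detection line: <object> (<family>) -> <action taken>.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) (?:->|→) (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary counts per section, list of detection dicts)."""
    counts, items, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m and m.group(1) in SECTIONS:
            if m.group(2) is None:
                current = m.group(1)
            else:
                counts[m.group(1)] = int(m.group(2))
        elif current and (m := ITEM_RE.match(line)):
            items.append({"section": current, **m.groupdict()})
    return counts, items

def counts_consistent(counts, items):
    """Cross-check the summary block against the listed items, section by section."""
    listed = {s: 0 for s in SECTIONS}
    for item in items:
        listed[item["section"]] += 1
    return all(counts.get(s, 0) == listed[s] for s in SECTIONS)
```

Run it over a saved mbam-log-*.txt by reading the file into `parse_mbam_log`; any item whose action does not read "Quarantined and deleted successfully" is one to follow up on.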

It seems fairly clear or likely that “DEVBIED.PKG” is a FP.
The link to the other analysis doesn’t work. Perhaps the file was not uploaded? What size is the .dll file (go to C:\Suspicious, locate the file, right click and select properties).
Could you try analyzing it again, please? (Chances are it’s a FP also.)

Just for future reference, these VT results should be treated as a guide (a good guide), not as absolute. E.g. I have seen times where only one or two vendors detected an actual malicious file. The same file re-analyzed a day, two days, three days later showed increasing numbers of vendors flagging it.
Just so you are aware of that. It’s a tool.

Thanks Tarq57. I tried uploading VOL_TO~1.DLL to virustotal three times but to no avail; I kept getting a message stating 0 bytes received. When I click the properties of the file it says it’s 1904128 kb. Another odd thing I’ve discovered is that this same file was flagged previously in the scan that occurred around December, the same one that flagged Spybot as a virus. I’ve had my definitions updated to the latest and ran another scan this morning with avast. No results were found. And yet when I extract this file to the suspicious folder, it’s still showing this file to be a virus.

What is the full name of the file?
Try uploading it to jotti instead.
Strangeness.