Can't get rid of Win32:Trojan-gen {Other}

Hi!

Avast! Home detected “Win32:Trojan-gen {Other}” on a boot scan, on my C:, E: and G: drives.
The Trojan on C: was quite easy to get rid of: Format C: :)

But on E: and G: there is a problem.
The Trojan has infected a stdio.dll file in the System Volume Information folder and I don't know how to access those folders (System Volume Information).

The log:
File E:\System Volume Information\_restore{1C7F5AFE-6060-4E5D-9352-18F2EF960421}\RP107\A0029454.exe\script\dlls\stdio.dll has been affected by Win32:Trojan-gen {Other},
Delete: Error 42111 {Operation doesn't work with this kind of file type.}
File E:\System Volume Information\_restore{1C7F5AFE-6060-4E5D-9352-18F2EF960421}\RP108\A0029456.exe\script\dlls\stdio.dll has been affected by Win32:Trojan-gen {Other},
Delete: Error 42111 {Operation doesn't work with this kind of file type.}
File G:\System Volume Information\_restore{1AD76BC6-F679-4058-9842-756673DA28CD}\RP21\A0005349.exe\script\dlls\stdio.dll has been affected by Win32:Trojan-gen {Other},
Delete: Error 42111 {Operation doesn't work with this kind of file type.}

(My Avast is Swedish, so I've translated the sentences above; sorry for the misspellings.)
How can I get rid of this Trojan on those hard drives? I don't want to format those too.
I don't have a clue what those files can be.

Thanks in advance!

The infected file stdio.dll is not inside a folder but inside a _restore point for the file(s) A0029454.exe, etc.

Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

  • Worst case scenario: it isn't infected and you delete it; you can't use that restore point in the future. Not much of a loss, and the older the restore point is, the less of an issue it is.

  • So if there is any suspicion about a restore point, then it is best removed from the System Volume Information folder, or it could bite you in the rear at some point in the future when you use System Restore, if it included that restore point.

So the Avast log indicates the detection, but you didn't mention what action you took?
Send to Chest (Quarantine) being the best.

Format is an action of ‘Last Resort’ and you were/are nowhere close to that by a very long way based on the information you gave.
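As an added illustration of the point made in this reply (it is not code from the thread or from Avast): a small Python parser over the three log lines quoted in the first post. The input is constructed from those lines, with the poster's translated wording and the `\_restore` path separator restored. It splits each reported path into the real object on disk (the `A00xxxxx.exe` copy inside an `RPnnn` folder) and the member path inside that container, so the unit to act on is the restore point rather than a loose stdio.dll. The list of container extensions and the convention that Avast writes archive members as `<container>\<member>` are assumptions.

```python
"""Parse Avast-style scan-log entries for hits inside System Restore points."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the three detections from the first post (translated by
# the poster), with the backslash before "_restore" put back.
LOG = r"""
File E:\System Volume Information\_restore{1C7F5AFE-6060-4E5D-9352-18F2EF960421}\RP107\A0029454.exe\script\dlls\stdio.dll has been affected by Win32:Trojan-gen {Other},
Delete: Error 42111 {Operation doesn't work with this kind of file type.}
File E:\System Volume Information\_restore{1C7F5AFE-6060-4E5D-9352-18F2EF960421}\RP108\A0029456.exe\script\dlls\stdio.dll has been affected by Win32:Trojan-gen {Other},
Delete: Error 42111 {Operation doesn't work with this kind of file type.}
File G:\System Volume Information\_restore{1AD76BC6-F679-4058-9842-756673DA28CD}\RP21\A0005349.exe\script\dlls\stdio.dll has been affected by Win32:Trojan-gen {Other},
Delete: Error 42111 {Operation doesn't work with this kind of file type.}
"""

DETECT_RE = re.compile(r"^File (?P<path>.+?) has been affected by (?P<threat>.+?),?$")
ERROR_RE = re.compile(r"^(?P<action>\w+): Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")
RESTORE_RE = re.compile(r"^_restore\{([0-9A-Fa-f-]{36})\}$")   # XP-style _restore{GUID}
RP_RE = re.compile(r"^RP\d+$")                                  # restore point folder
# Assumption: extensions Avast opens as containers when archive scanning is on.
CONTAINER_EXTS = {".exe", ".zip", ".rar", ".cab", ".7z"}


@dataclass
class Detection:
    threat: str
    drive: str
    restore_guid: Optional[str]    # None when not under a _restore folder
    restore_point: Optional[str]   # e.g. "RP107"
    on_disk_path: str              # the real file system object
    archive_member: Optional[str]  # path inside that container, if any
    action: Optional[str] = None
    error_code: Optional[int] = None
    error_msg: Optional[str] = None

    @property
    def inside_archive(self) -> bool:
        return self.archive_member is not None


def split_path(path: str) -> Tuple[str, Optional[str], Optional[str], str, Optional[str]]:
    """Return (drive, restore_guid, restore_point, on_disk_path, archive_member)."""
    drive, _, rest = path.partition("\\")
    parts = rest.split("\\")
    guid = rp = member = None
    on_disk = parts
    for i, part in enumerate(parts):
        m = RESTORE_RE.match(part)
        if m and i + 1 < len(parts) and RP_RE.match(parts[i + 1]):
            guid, rp = m.group(1), parts[i + 1]
            break
    # The first container-like component ends the on-disk path; the remainder
    # is a member path inside that archive (assumed Avast reporting convention).
    for i, part in enumerate(parts):
        ext = part[part.rfind("."):].lower() if "." in part else ""
        if ext in CONTAINER_EXTS and i + 1 < len(parts):
            on_disk = parts[: i + 1]
            member = "\\".join(parts[i + 1:])
            break
    return drive, guid, rp, drive + "\\" + "\\".join(on_disk), member


def parse_log(text: str) -> List[Detection]:
    """Pair each 'File ... affected by ...' line with the action line after it."""
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        d = DETECT_RE.match(line)
        if d:
            drive, guid, rp, on_disk, member = split_path(d.group("path"))
            detections.append(Detection(d.group("threat"), drive, guid, rp, on_disk, member))
            continue
        e = ERROR_RE.match(line)
        if e and detections:
            last = detections[-1]
            last.action, last.error_code, last.error_msg = (
                e.group("action"), int(e.group("code")), e.group("msg"))
    return detections


def restore_points_to_remove(detections: List[Detection]) -> List[Tuple[str, str]]:
    """Distinct (drive, RPnnn) pairs that hold a detection: the cleanup unit."""
    return sorted({(d.drive, d.restore_point) for d in detections if d.restore_point})


if __name__ == "__main__":
    for det in parse_log(LOG):
        print(det.drive, det.restore_point, det.on_disk_path, "->", det.archive_member, det.error_code)
    print(restore_points_to_remove(parse_log(LOG)))
```

Every hit resolves to a member inside an `.exe` copy held by a restore point, and the failed `Delete` attaches to that member rather than to a file the user could reach directly; listing the distinct `(drive, RP)` pairs gives the three restore points that a cleanup would remove as a whole.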

Thank you for the answer!

I told Avast to delete the infected file(s).
I don't use Restore Points, so if there is a way to delete the contents of the System Volume Information\_restore folder, please let me know.
Format is indeed a drastic solution, but I format my C: drive every 5-7 months or so, and the time was right. (That's why I don't use Restore Points.)
How can I delete the _restore folder(s)? An “Access denied” shows up.

Disable System Restore on Windows ME, XP or Vista. After disabling it you can enable it again.
You'll delete the infected points, and the infected files, that way.

You’re welcome.

Deletion isn't really a good first option (you have none left); ‘first do no harm’: don't delete, send the virus to the chest and investigate.

I don't use System Restore either, and mine is completely disabled (as Tech gave links on how to disable it), but it shouldn't be disabled without having something to replace it, or you could be in for more frequent formats than is your current practice.

Well, this is creepy.

I disabled and enabled the System Restore feature, then made a boot scan with Avast!, and it didn't find anything.
Now what? :)
Did Windows XP delete the old restore points on the hard drives when I disabled/enabled the feature?

Yes, precisely.

I made a full boot scan, just to be sure. (Windows is still Windows.) :)
And Avast! found the Win32:Trojan-gen {Other} again. Same kind, same place.

Seems that the Trojan comes back after reboot?

EDIT:
Avast! seems to find the Trojan if System Restore is enabled, and misses the Trojan when it's disabled.
If my hypothesis is right, how can I delete the infected files? Am I safe from the Trojan?

Thanks in Advance!

Seems a damned rootkit… maybe #1 below helps you… maybe another rootkit scanner.

Read the instructions, download and burn (maybe from another computer), and finally use one of these rescue CDs:

  1. Dr. Web
  2. Avira
  3. BitDefender
  4. Kaspersky
  5. F-Secure

Thank you!
I'll give it a try. I'll let you know the results.

But how can it be a rootkit if I formatted the C: drive? Or does it not matter?

In the meantime, I noticed that Avast! finds the Trojan when I tell it to search in Zip/Rar files too.
Otherwise it misses them.

Hi iZealot

You could try and delete those System Restore points; they are RP107, RP108, and RP21.
This is rather drastic action, but since these RPs are snapshots, the scanner may be going off on records in the image rather than the actual files themselves. I have done this deletion myself to see if there are any adverse effects, and everything seems okay. But see if a second opinion is posted on the forum anyway before you actually do this, because I don't know your computer exactly, because I'm not there.

To access System Volume Information –

Find Folder Options in Control Panel (may be under Appearance and Theme category).
In Folder Options

  • on the View tab, click Show hidden files and folders.
  • then clear the Hide protected operating system files (Recommended) check box.
  • click Apply, then OK. (remember to set these back to default when you are finished).

Find System Volume Information folder

  • you need to go to the root folder where you installed your Windows; this is usually C:\
  • if access is denied, then right-click the folder and select Sharing and Security
  • choose Security and add the name of the user account through which you will access the folder (your account)
  • open the folder and delete those three restore points (RPs); I would leave the rest of the RPs for now
  • empty the Recycle Bin, restore Folder Options to default, and restart the computer

Run your scanning routines again and see whether those entries are still coming up.

BTW, you will still be able to access the System Volume Information folder until you remove your user account name from Sharing and Security on the folder.

Thank you all for the help.

I've tried mkis's method, but I couldn't get it right.
So I downloaded Dr.Web. The scan took nearly 4 hours, but it was worth it. Dr.Web Rescue CD killed everything!
Thanks again for the help guys!

See ya later :)