My first virus?

Ok, this is a "first post" (I already replied to a previous post instead of starting a new one), but I have a problem. While on Facebook I opened and was surfing through an unrelated app when I got an alert from Avast. I stopped IE and rebooted to run a scan in safe mode. Avast found 6 “trojans” but couldn’t delete the files. I’ve removed the hard drive and scanned it on another computer running Avast. That machine found a trojan (with a different name) and I deleted it. I re-installed my HD and started up in safe mode for another scan. This time the virus doubled and still wouldn’t delete. I stopped Avast and tried an installation of “Microsoft security essentials” which told me there were no problems. I ran another scan with Avast and these were the issues.

Warning #1
C:\DELL\Drivers\R118081\dmbcu.msi\Data1.cab\mobileink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #2
C:\DELL\Drivers\R118081\dmbcu.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #3
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP314\A0047713.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #4
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP314\A0047713.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #5
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP314\A0047722.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #6
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP314\A0047722.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #7
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP315\A0047738.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #8
Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP315\A0047738.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm
Warning #9
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP318\A0047936.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #10
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP318\A0047936.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #11
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP320\A0048040.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #12
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP320\A0048040.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #13
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP320\A0048282.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #14
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP320\A0048282.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009

At the end I got the same results
“Error occurred during file deleting: The operation is not supported for this type of archive”?

I tried to delete the files with run cmd, but that told me it could not find the path specified.
Is this a real virus?
I’m not exactly an advanced user and don’t know what to do.
Anybody? ???

@ Russkatt
Ignore this instruction above.

Generally - Deletion isn’t really a good first option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest and investigate.

If the file can’t be sent to the chest (or when trying to delete) what errors are displayed, e.g. file in use, etc. ?

If you have XP, vista or Win2k (all 32bit), you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php. Don’t opt for deletion (you have no options left), always send to the chest and investigate.

Look in the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt file, check this file using notepad and copy and paste the info on the detection.

At the end I got the same results "Error occurred during file deleting: The operation is not supported for this type of archive"?

Basically avast can’t extract the infected file from within an archive (probably .msi file) without possibly damaging the complete archive.

  • Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

  • Worst case scenario it isn’t infected and you delete it, you can’t use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.

  • So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

This may be your best option though:
– Create Clean Restore Point - Clear old Restore Points.

Now you are clear of infection create a clean System Restore point:

  1. Click Start, All Programs, Accessories, System tools, System Restore.
  2. In the pop-up that appears fill in the radio button to Create a Restore Point
  3. Click NEXT
  4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
  5. Click CREATE

You now have a clean restore point, you should clear the old ones:

  1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
  2. Click OK on the C: drive
  3. Click the More Options tab
  4. In the System Restore section click the Clean Up button

You can use the explorer search till you are blue in the face but you won’t find the exe as it is inside the C:\DELL\Drivers\R118081\dmbcu.msi file and then inside the \Data1.cab\ before you get to the exe file you are searching for, mobileink.exe

The same is true of the C:\DELL\Drivers\R118081\dmbcu.msi\Data1.cab\dmbcu.exe detection.

I suspect that this may be a false positive, given that it is so tightly packed away and a Dell Driver.
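
The nesting described in the reply above (an .exe inside Data1.cab inside an .msi) can be read straight off the detection paths. This is an added example, not part of the original posts or of avast: it splits each reported path into the file that actually exists on disk and the members packed inside it, and labels System Restore copies. The archive-extension list and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Extensions treated as containers a scanner unpacks (assumed list for this example).
ARCHIVE_EXTS = (".msi", ".cab", ".zip")
# System Restore copies sit under _restore{GUID}\RPnnn\ in the paths shown above.
RESTORE_RE = re.compile(r"_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\")

def split_detection(path):
    """Return (file_on_disk, [nested members]) for a scanner detection path."""
    parts = path.split("\\")
    # The last component is the detected object itself, so it is never the container.
    for i, part in enumerate(parts[:-1]):
        if part.lower().endswith(ARCHIVE_EXTS):
            return "\\".join(parts[:i + 1]), parts[i + 1:]
    return path, []  # plain file, nothing nested

def triage(paths):
    """Group detections by the real file on disk and label restore-point copies."""
    groups = defaultdict(list)
    for p in paths:
        on_disk, inner = split_detection(p)
        groups[on_disk].append("\\".join(inner))
    report = []
    for on_disk, members in groups.items():
        m = RESTORE_RE.search(on_disk)
        kind = f"restore point RP{m.group(1)}" if m else "live file"
        report.append({"on_disk": on_disk, "kind": kind, "members": members})
    return report

# Four of the paths from the scan results above, copied as posted.
SAMPLE = [
    r"C:\DELL\Drivers\R118081\dmbcu.msi\Data1.cab\mobileink.exe",
    r"C:\DELL\Drivers\R118081\dmbcu.msi\Data1.cab\dmbcu.exe",
    r"C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP314\A0047713.msi\Data1.cab\mobilink.exe",
    r"C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP314\A0047713.msi\Data1.cab\dmbcu.exe",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f"{row['kind']:22} {row['on_disk']}")
        for member in row["members"]:
            print(f"{'':22}   contains {member}")
```

Run over the full list, the 14 warnings collapse to one live .msi under C:\DELL\Drivers plus its System Restore copies, which is the file to send to the chest and investigate.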