I performed a virus scan about a week ago and the operation returned about a dozen infected files, which I deposited into the virus chest. The problem is that I immediately removed/erased the files from the chest without thinking too much about it. From skimming the posts here, I don’t think I was supposed to do that. At any rate, my computer has not been functioning properly since the scan. I think that one or more of the infected files that were erased could have been files necessary for proper function of my computer. I have searched for a file recovery option, but have not as yet located it.
Can anyone be of assistance concerning this matter?
There is no hard and fast rule about what you should or shouldn’t do, but it doesn’t make sense to move something to the chest and then delete it; you could just as easily cut out the middle man and delete them right away. Not a good decision.
Deletion isn’t really a good first (or early) option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest and investigate.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them. Having deleted them from the chest they are gone/history they are no more.
The fact that your system doesn’t appear to be running well isn’t a 100% indication you deleted something important, you could possibly have hidden or undetected malware.
Only by telling us what was detected before can we even hazard a guess if you might have deleted something important.
What is the malware name, the infected file name, where was it found e.g. (malware name, C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
You may find it easier to go to the source file, open it with notepad and copy and paste the entries for the infected files (nothing else, there will be other entries) into your next post.
9/10/2006 3:47:41 PM Brian 1544 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\setup.exe (E:\setup.exe) returning error, 0000A474.
6/6/2007 1:40:36 PM SYSTEM 1264 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142.
6/6/2007 1:40:36 PM SYSTEM 1264 An error has occured while attempting to update. Please check the logs.
7/1/2007 5:41:36 PM Brian 2652 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{ED28D15B-E4CB-41F7-9E40-60E52CF4B817}\RP954\A0138668.exe” file.
7/1/2007 5:55:40 PM Brian 2652 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\WINDOWS\system32\dbxDgrevCheck.dll” file.
11/27/2008 12:17:17 PM SYSTEM 1264 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142.
11/27/2008 12:17:17 PM SYSTEM 1264 An error has occured while attempting to update. Please check the logs.
12/31/2008 8:24:33 AM Brian 1924 Sign of “Win32:Downloader-KK [trj]” has been found in “C:\Documents and Settings\Brian\Local Settings\Temp\ICD1.tmp\UERS_9999_N91S2507NetInstaller.exe” file.
12/31/2008 8:29:54 AM Brian 1924 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Brian\Local Settings\Temp\UPRP_0001_D21M2103\installer.exe[Embedded_R#005470]{app}\UPRPPChk.dll” file.
12/31/2008 8:33:46 AM Brian 1924 Sign of “Win32:WinFixer-W [trj]” has been found in “C:\Documents and Settings\Brian\Local Settings\Temp\UPRP_0001_D21M2103\installer.exe[Embedded_R#005470]{app}\uprpcw.exe” file.
12/31/2008 8:41:16 AM Brian 1924 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Program Files\Common Files\Wise Installation Wizard\WISC27B94AA60AB4B509D630928CDC889C3_5_5_3.MSI\Cabs.w1.cab\InstPlug.exe[UPX][Embedded_R#INSTPLUG][Embedded_R#DIGITALRIVER]” file.
12/31/2008 8:43:00 AM Brian 1924 Sign of “Win32:Agent-YBZ [trj]” has been found in “C:\Program Files\Common Files\Wise Installation Wizard\WISC27B94AA60AB4B509D630928CDC889C3_5_5_3.MSI\Cabs.w1.cab\DeskTopAuthor4_Manual.exe” file.
12/31/2008 8:43:09 AM Brian 1924 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Program Files\Common Files\Wise Installation Wizard\WISC27B94AA60AB4B509D630928CDC889C3_5_5_3.MSI\Cabs.w1.cab\dbdrm.dbp[UPX][Embedded_R#INSTPLUG][Embedded_R#DIGITALRIVER]” file.
12/31/2008 8:44:21 AM Brian 1924 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Program Files\DeskTopAuthorEval\dbdrm.dbp[UPX][Embedded_R#INSTPLUG][Embedded_R#DIGITALRIVER]” file.
12/31/2008 8:45:54 AM Brian 1924 Sign of “Win32:Agent-YBZ [trj]” has been found in “C:\Program Files\DeskTopAuthorEval\DeskTopAuthor_Manual.exe” file.
12/31/2008 8:46:09 AM Brian 1924 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Program Files\DeskTopAuthorEval\InstPlug.exe[UPX][Embedded_R#INSTPLUG][Embedded_R#DIGITALRIVER]” file.
12/31/2008 8:46:35 AM Brian 1924 Sign of “Win32:Spyware-gen [trj]” has been found in “C:\Program Files\iplaynet\ipReset.exe[Embedded_I#464e8]” file.
12/31/2008 8:46:48 AM Brian 1924 Sign of “Win32:Timesink [trj]” has been found in “C:\Program Files\iplaynet\ipReset.exe[Embedded_I#64ae8]” file.
12/31/2008 8:46:51 AM Brian 1924 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Program Files\iplaynet\ipReset.exe[Embedded_I#9cae8]” file.
12/31/2008 9:10:13 AM Brian 1924 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information_restore{ED28D15B-E4CB-41F7-9E40-60E52CF4B817}\RP1557\A0190260.MSI\Cabs.w1.cab\InstPlug.exe[UPX][Embedded_R#INSTPLUG][Embedded_R#DIGITALRIVER]” file.
12/31/2008 9:11:01 AM Brian 1924 Sign of “Win32:Agent-YBZ [trj]” has been found in “C:\System Volume Information_restore{ED28D15B-E4CB-41F7-9E40-60E52CF4B817}\RP1557\A0190260.MSI\Cabs.w1.cab\DeskTopAuthor4_Manual.exe” file.
12/31/2008 9:11:12 AM Brian 1924 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information_restore{ED28D15B-E4CB-41F7-9E40-60E52CF4B817}\RP1557\A0190260.MSI\Cabs.w1.cab\dbdrm.dbp[UPX][Embedded_R#INSTPLUG][Embedded_R#DIGITALRIVER]” file.
12/31/2008 9:11:19 AM Brian 1924 Sign of “Win32:Agent-YBZ [trj]” has been found in “C:\System Volume Information_restore{ED28D15B-E4CB-41F7-9E40-60E52CF4B817}\RP1557\A0190261.exe” file.
12/31/2008 9:14:55 AM Brian 1924 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information_restore{ED28D15B-E4CB-41F7-9E40-60E52CF4B817}\RP1557\A0190262.exe[UPX][Embedded_R#INSTPLUG][Embedded_R#DIGITALRIVER]” file.
12/31/2008 9:15:08 AM Brian 1924 Sign of “Win32:Spyware-gen [trj]” has been found in “C:\System Volume Information_restore{ED28D15B-E4CB-41F7-9E40-60E52CF4B817}\RP1557\A0190263.exe[Embedded_I#464e8]” file.
12/31/2008 9:15:11 AM Brian 1924 Sign of “Win32:Timesink [trj]” has been found in “C:\System Volume Information_restore{ED28D15B-E4CB-41F7-9E40-60E52CF4B817}\RP1557\A0190263.exe[Embedded_I#64ae8]” file.
12/31/2008 9:15:15 AM Brian 1924 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information_restore{ED28D15B-E4CB-41F7-9E40-60E52CF4B817}\RP1557\A0190263.exe[Embedded_I#9cae8]” file.
12/31/2008 9:15:16 AM Brian 1924 Sign of “Win32:Timesink [trj]” has been found in “C:\System Volume Information_restore{ED28D15B-E4CB-41F7-9E40-60E52CF4B817}\RP1557\A0190263.exe” file.
12/31/2008 9:25:29 AM Brian 1924 Sign of “Win32:Downloader-KK [trj]” has been found in “C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe” file.
1/3/2009 9:06:02 AM SYSTEM 1284 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
1/3/2009 9:06:04 AM SYSTEM 1284 An error has occured while attempting to update. Please check the logs.
Well, a quick look at the file names and their locations indicates there are no system files, nor files that are likely to have an impact on the system.
The detections in the C:\System Volume Information_restore points are placed there by system restore when you delete or move files from the system folders, etc., and they are effectively inert unless you use system restore to a point which would include these infected restore points.
However, if there is any doubt on a restore point it is best kept out of the C:\System Volume Information\ folder so it can’t possibly bite you in the rear some time in the future. So at worst you simply couldn’t use that restore point in the future, which isn’t that much of a big deal considering why it is in the C:\System Volume Information_restore folder: you previously deleted or moved it from a system folder. The older that restore point is, the less benefit it is, as if there was a problem from the original deletion it should have presented itself.
So I would suggest running some more tools.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Also after running the above, use this analysis tool.
HiJackThis program and tutorial (also useful as a diagnostic tool): FileHippo Download - HiJackThis. Post the contents of the HJT log file here. HJT information: HiJackThis Tutorial.
Download and run HJT and post the contents of the log file (cut and paste or attach the log file) into this topic, you may need to split it over two or more posts depending on how large it is.
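The reply above sorts the posted detections by where the file lives (restore point, system32, Temp, Program Files). The following is an added example, not code from the thread or from avast, that parses Log Viewer "Warning" entries of exactly the shape quoted above and applies that same location triage; the location rules are my own reading of the reply, and the sample entries are constructed from the ones in this thread.

```python
import re
from collections import Counter

# Matches an avast 4 Log Viewer "Warning" entry as quoted in the thread; straight and
# curly quotes are both accepted because forum software rewrites them.
DETECTION_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<name>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)

# Location classes in the order the reply distinguishes them; first match wins (assumed rules).
LOCATION_RULES = [
    ("restore_point", re.compile(r"^[A-Z]:\\System Volume Information", re.I)),
    ("system",        re.compile(r"^[A-Z]:\\WINDOWS\\system32\\", re.I)),
    ("temp",          re.compile(r"\\Local Settings\\Temp\\", re.I)),
    ("program_files", re.compile(r"^[A-Z]:\\Program Files\\", re.I)),
]

# Constructed sample, modelled on the entries posted in this thread.
SAMPLE_LOG = r"""
1/3/2009 9:06:04 AM SYSTEM 1284 An error has occured while attempting to update. Please check the logs.
12/31/2008 8:24:33 AM Brian 1924 Sign of “Win32:Downloader-KK [trj]” has been found in “C:\Documents and Settings\Brian\Local Settings\Temp\ICD1.tmp\UERS_9999_N91S2507NetInstaller.exe” file.
7/1/2007 5:55:40 PM Brian 2652 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\WINDOWS\system32\dbxDgrevCheck.dll” file.
12/31/2008 8:46:35 AM Brian 1924 Sign of “Win32:Spyware-gen [trj]” has been found in “C:\Program Files\iplaynet\ipReset.exe[Embedded_I#464e8]” file.
12/31/2008 9:11:19 AM Brian 1924 Sign of “Win32:Agent-YBZ [trj]” has been found in “C:\System Volume Information_restore{ED28D15B-E4CB-41F7-9E40-60E52CF4B817}\RP1557\A0190261.exe” file.
"""

def classify_location(on_disk_path):
    for label, rule in LOCATION_RULES:
        if rule.search(on_disk_path):
            return label
    return "other"

def parse_detections(text):
    """Return one dict per 'Sign of ... has been found' entry; other log entries are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # update failures, AAVM warnings and the like are not detections
        path = m.group("path")
        # Text before the first "[" is the file on disk; the rest is the packed/embedded chain.
        on_disk = path.split("[", 1)[0]
        found.append({"name": m.group("name"), "path": path,
                      "file": on_disk, "location": classify_location(on_disk)})
    return found

def summarize(text):
    return dict(Counter(d["location"] for d in parse_detections(text)))
```

Feed it the copied Warning-section text; a non-empty "system" count is the case worth looking at first, while "restore_point" entries only matter if that restore point is ever used.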
You suggested running more tools. I understood that it is not wise to have more than one anti-virus software loaded at one time. At any rate, here is the HijackThis logfile. Thanks for your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:21 AM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal