virus found: what to do now?

I was just told to download this software by a good friend of mine. I have, and since then I have found a virus on it: C:\WINDOWS\system32. It says the original filename is reboot.exe. The virus description is: Win32:Trojan-gen. I am new to removing viruses; is this something that I really need to be concerned about? I tried to read through the advice and tools section and all that did was confuse me further. If anyone can help me, I’d greatly appreciate it. Thanks in advance.

Tammy Smith

Well, I don’t have that file in that location or anywhere in the Windows folder or its sub-folders, nor anywhere on my C: partition.

So I would say it looks like a good detection. Deletion isn’t really a good first option (you have none left after that): ‘first do no harm’, don’t delete, send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

So that is what you should do when something is detected: send it to the chest and investigate.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, then type (or copy and paste) C:\Suspect* That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
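The chest workflow described above (quarantine first, keep a record, investigate, and only then delete or restore) can be illustrated outside avast. The following is an added example, not avast’s own chest code and not anything posted in this thread: it moves a suspect file into a holding folder under its SHA-256 name, strips execute permission, writes a manifest recording where it came from, and builds the VirusTotal report URL for that hash so the file can be looked up by hash without re-uploading it. The quarantine folder name, the manifest file name and the sample file contents are all constructed for the demo; only the file name reboot.exe and the detection name Win32:Trojan-gen come from the thread.

```python
"""Quarantine-then-investigate helper (added example, not avast's chest code)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Real VirusTotal report URL format: a hash lookup needs no upload.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


def sha256_of(path: str) -> str:
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path: str, quarantine_dir: str, detection: str) -> dict:
    """Move `path` into `quarantine_dir` under its hash (no .exe extension),
    make it non-executable, and append a manifest entry so it can be restored."""
    os.makedirs(quarantine_dir, exist_ok=True)
    digest = sha256_of(path)
    original_mode = os.stat(path).st_mode & 0o777
    dest = os.path.join(quarantine_dir, digest + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0o400)  # read-only, not executable: just bytes on disk now
    entry = {
        "original_path": os.path.abspath(path),
        "original_mode": original_mode,
        "quarantined_as": dest,
        "sha256": digest,
        "detection": detection,
        "quarantined_at": datetime.now(timezone.utc).isoformat(),
        "virustotal_lookup": VT_FILE_URL.format(sha256=digest),
    }
    manifest = os.path.join(quarantine_dir, "manifest.json")  # constructed name
    entries = []
    if os.path.exists(manifest):
        with open(manifest) as f:
            entries = json.load(f)
    entries.append(entry)
    with open(manifest, "w") as f:
        json.dump(entries, f, indent=2)
    return entry


def restore(entry: dict) -> str:
    """Put a quarantined file back (the 'no adverse effects, it was a false
    positive' case). Re-checks the hash so a tampered file is never restored."""
    if sha256_of(entry["quarantined_as"]) != entry["sha256"]:
        raise ValueError("quarantined file does not match recorded hash")
    os.makedirs(os.path.dirname(entry["original_path"]), exist_ok=True)
    shutil.move(entry["quarantined_as"], entry["original_path"])
    os.chmod(entry["original_path"], entry["original_mode"])
    return entry["original_path"]


def demo() -> dict:
    """Round trip on a constructed sample file; returns the facts worth checking."""
    root = tempfile.mkdtemp()
    # File name from the thread; the contents are a harmless constructed sample.
    suspect = os.path.join(root, "system32", "reboot.exe")
    os.makedirs(os.path.dirname(suspect))
    sample = b"harmless constructed sample, not a real binary\n"
    with open(suspect, "wb") as f:
        f.write(sample)
    expected = hashlib.sha256(sample).hexdigest()

    entry = quarantine(suspect, os.path.join(root, "Suspect"), "Win32:Trojan-gen")
    result = {
        "removed_from_original": not os.path.exists(suspect),
        "present_in_quarantine": os.path.exists(entry["quarantined_as"]),
        "hash_matches": entry["sha256"] == expected,
        "lookup_url": entry["virustotal_lookup"],
    }
    # Suppose investigation showed a false positive: restore it.
    result["restored_to"] = restore(entry)
    result["back_in_place"] = os.path.exists(suspect)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the manifest is the same as the chest’s: nothing is lost by quarantining, because the original location and a hash are on record, so the decision to delete can wait until the file has been checked and the system has run cleanly for a while.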

I did a boot scan, and found a whole BUNCH of things :( :( What does that tell me?

Here are just a few of them:
C:/system volume information/_restore{B119CA20-415D-A39B-D714ACAC9DA}/RP184/A0038243.exe (win32:kolab-CG)

then I have several more under the system volume information.

Also have:
C:/Program Files/Quicknation

and then the one I was asking about the C:/windows/system32 one.

These are all in the virus chest now what do I do?

Well, all it tells me is that there was stuff undetected in Windows normal mode; there isn’t enough info to say anything else. You haven’t given the file name (which is very helpful) of the one in the Quicknation folder?

As I said earlier: there is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

In the past, if you removed infected files from the system folders, System Restore created a restore point just in case, so that same restore point could be detected by avast later.

If there is any doubt about a restore point, I would tend to remove it, as it could possibly reinfect your system if you use System Restore in the future. So if you allowed avast to move it to the chest, then that restore point wouldn’t be available in the future.

You could probably go a step further and clear out all restore points and start afresh. Disable System Restore on all drives and reboot; that will clear all restore points. Then enable System Restore again. This will create a clean restore point, giving you that fresh start, and you would be surprised how much hard disk space that could give you back.

tbhelper.dll is the original filename of the Quicknation one. Avast says it’s adware but I was not given any options to remove it.
Can I run any programs other than avast that could get rid of these adwares, worms and trojans?

I disabled System Restore, then re-enabled it. Deleted all my restore points, and I did another boot scan; it didn’t come up with the same viruses, none at all! Do I STILL need to redo all my passwords to every site I’ve been visiting? Do I need to do anything else? I still have the infected files in the virus chest; I haven’t done anything to them yet.

Well, a Google search for tbhelper.dll doesn’t show any association with malware that is a password stealer, so it may be adware as avast detects.

I don’t know what you mean by “avast says its adware but was not given any options to remove it.” Do you not get the normal detection pop-up with Move to chest, Delete, etc. when it is detected (those are the options) ?

The win32:kolab family is related to worm infections that could transmit personally identifiable information. This could mean passwords, but there is insufficient detail about a specific variant of win32:kolab-CG to say exactly what it does. But since these were found in the restore points, it could well be old previous detections in the system folders.

Personally, if I used on-line banking or any other security-related sites, eBay, etc., I would advise changing those passwords now. Any others, like forums, etc., you could change, but the urgency would be less so.

I was told one of the win32:kolab-CG detections on my AnyDVD program was a FALSE positive? What does that mean?

The detection of a good file as infected, that is what a false positive means.

I don’t know who told you it was an FP, but you shouldn’t take their word for it; confirm it for yourself using VirusTotal as I outlined above in my first reply.