Sign of “Win32:Inject-BS [Trj]” has been found in “C:\System Volume Information_restore{9412C93C-0090-47CA-A8EA-74E7A26BA2B5}\RP132\A0031148.MSI\Cabs.w1.cab\registration_helper.prg” file.
Just got it a few times and wondered if there was anything to worry about, and if so how to get rid of it!
I’m on XP Pro SP2 and running Avast! 4.7 Home and my definitions are right up to date.
The C:\System Volume Information folder is a part of the System Restore function and as such is protected by Windows. The only really effective way to clean infected _restore points is to disable System Restore and reboot. This will clear ALL _restore points. Once you have disabled System Restore, reboot, scan your PC again and, if clear, enable System Restore.
Windows XP System Restore Guide
I don’t think you’re paranoid, though it is a strange thing to be in the C:\System Volume Information\ folder, which is usually reserved for items deleted from the system folders, and I can’t figure out why the cabs.w1.cab would be in any of the system folders.
There has been another detection on the Cabs.w1.cab recently in the forums so it might be similar. Though because of the nature of System Restore, if you used it in the future you could possibly be placing an infected file back in its original location. So if I had ‘any’ doubt about a restore point I would clear it all (disable System Restore, reboot, scan, enable if clean) and have a clean start.
I’ve had the same problem and wondered if it was related to a new version of Adaware that I installed yesterday.
Anyway, followed your advice and disabled System Restore, rebooted, re-scanned (now clean) and re-enabled System Restore.
Thanks for the advice
Sorry, I don’t know about that; I haven’t tried the new AdAware 2007 yet. I’m waiting for a while while the kinks are ironed out. One would seem to be problems installing because of a missing file, but I wouldn’t have thought that it would result in a restore point being created in the System Volume Information\ folder.