I found this while doing a night time scan of my machine.
I’m using XP SP2 and the most recent update of Avast! Antivirus.
Here’s my log viewer export.
7/10/2007 3:09:13 AM Z. Daniel Phoenix 27024 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe%PARTNERDIR%\NNWDAC638.EXE[Embedded#08138][Embedded#25aa8]” file.
7/10/2007 3:54:15 AM Z. Daniel Phoenix 27024 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe%PARTNERDIR%\NNWDAC638.EXE[Embedded#08138]” file.
7/10/2007 3:54:18 AM Z. Daniel Phoenix 27024 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe%PARTNERDIR%\NNWDAC638.EXE” file.
7/10/2007 3:54:20 AM Z. Daniel Phoenix 27024 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe%PARTNERDIR%\VVSNInst.exe\VVSN.exe” file.
7/10/2007 3:54:23 AM Z. Daniel Phoenix 27024 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe%PARTNERDIR%\VVSNInst.exe” file.
7/10/2007 3:54:23 AM Z. Daniel Phoenix 27024 Sign of “Win32:Ldpinch-EU [Trj]” has been found in “C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe%SYS%\rkinstaller.exe” file.
From what I read about variants of the ldpinch virus… this trojan is a PSW trj, and will reinfect the computer upon restart.
I chose to move all infected files to the chest, but the only one that’s there is the actual infected A0043309.exe. For the other files I selected “Move to Chest”, I got an error in moving: “cannot find specified file”.
I disabled System Restore, and I’m running a spyware search using Ad-Aware SE right now.
All the detections are in System Restore, which is Windows’ backup of system files.
If you have rebooted after disabling System Restore, that will have deleted all the old, infected files.
You should turn System Restore back on after a reboot.
A better way to clean System Restore for the future is to create a new, clean System Restore point, and then delete all older, infected System Restore points:
I would re-enable system restore, create a clean restore point and then delete all older points, as described above.
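For anyone triaging an export like the one above, here is an added example (not from the thread and not avast!’s own code) that parses these log viewer lines, works out which detections sit inside a System Restore point, and groups them by the file that actually exists on disk. The paths the scanner reports continue past `A0043309.exe` with installer directory markers such as `%PARTNERDIR%`/`%SYS%` and `[Embedded#…]` objects; the example treats everything from the first such marker onwards as the path inside that file, which is an assumption about the log format rather than documented behaviour. The first three sample lines are taken from the export above (curly quotes normalised); the last one is constructed to show a detection that is not inside a restore point.

```python
import re
from collections import defaultdict

# Sample input: three lines from the export above, plus one CONSTRUCTED line
# (not from the thread) for a detection outside any restore point.
SAMPLE_LOG = r'''
7/10/2007 3:09:13 AM Z. Daniel Phoenix 27024 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe%PARTNERDIR%\NNWDAC638.EXE[Embedded#08138][Embedded#25aa8]" file.
7/10/2007 3:54:20 AM Z. Daniel Phoenix 27024 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe%PARTNERDIR%\VVSNInst.exe\VVSN.exe" file.
7/10/2007 3:54:23 AM Z. Daniel Phoenix 27024 Sign of "Win32:Ldpinch-EU [Trj]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe%SYS%\rkinstaller.exe" file.
7/10/2007 3:55:00 AM Z. Daniel Phoenix 27024 Sign of "Win32:Ldpinch-EU [Trj]" has been found in "C:\Documents and Settings\Owner\Local Settings\Temp\setup.exe" file.
'''

# <date> <time> <AM|PM> <user name, may contain spaces> <number> Sign of "<sig>" has been found in "<path>" file.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>.+?) (?P<num>\d+) '
    r'Sign of [“"](?P<sig>.+?)[”"] has been found in [“"](?P<path>.+?)[”"] file\.$'
)

# Files copied by System Restore live under
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\
RESTORE_RE = re.compile(
    r'^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\',
    re.IGNORECASE,
)

# Assumption: the first %VAR% marker or [Embedded#..] tag marks the boundary
# between the on-disk file and the path inside it.
CONTAINER_SPLIT_RE = re.compile(r'%|\[Embedded')


def parse_line(line):
    """Return a dict for one detection line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['disk_path'] = CONTAINER_SPLIT_RE.split(rec['path'], maxsplit=1)[0]
    rec['embedded'] = rec['disk_path'] != rec['path']
    rp = RESTORE_RE.match(rec['disk_path'])
    rec['restore_point'] = rp.group('rp') if rp else None
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def triage(text):
    """Count detections inside/outside restore points and collapse them onto
    the distinct on-disk files they resolve to."""
    records = parse_log(text)
    containers = defaultdict(set)
    for r in records:
        containers[r['disk_path']].add(r['sig'])
    return {
        'in_restore_point': sum(1 for r in records if r['restore_point']),
        'live': sum(1 for r in records if not r['restore_point']),
        'restore_points': sorted({r['restore_point'] for r in records if r['restore_point']}),
        'containers': {k: sorted(v) for k, v in containers.items()},
    }


if __name__ == '__main__':
    summary = triage(SAMPLE_LOG)
    print(f"{summary['in_restore_point']} detection(s) inside restore point(s) "
          f"{summary['restore_points']}, {summary['live']} live")
    for disk_path, sigs in summary['containers'].items():
        print(f"  {disk_path}: {', '.join(sigs)}")
```

Running it over the sample collapses the three restore-point detections onto a single on-disk file, `RP168\A0043309.exe`; the constructed fourth line is the only one reported as live.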
Also, I've heard you can run a scan at reboot with Avast? Would that be recommended as well?
Yes, that’s called the boot time scan. It certainly is a good idea to run one when an infection has been detected.
If you right-click the avast! scanner screen, you will get an option to schedule a boot time scan. Just be careful if you have a cordless keyboard because it may not work during the scan.
I’m also getting desktop config files in my startup folders.
I just noticed it when going to my system tools folder.
This is what shows up in the config file when I open it in Notepad.
[LocalizedFileNames]
Windows Explorer.lnk=@%SystemRoot%\system32\shell32.dll,-22067
Command Prompt.lnk=@%SystemRoot%\system32\shell32.dll,-22022
Notepad.lnk=@%SystemRoot%\system32\shell32.dll,-22051
Synchronize.lnk=@%SystemRoot%\system32\shell32.dll,-22062
Tour Windows XP.lnk=@%SystemRoot%\system32\tourstart.exe,-1
Program Compatibility Wizard.lnk=@%SystemRoot%\system32\compatUI.dll,-115
Address Book.lnk=@%SystemRoot%\system32\shell32.dll,-22017
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21761
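As an added example (not from the thread), here is a check of what a desktop.ini like the one above actually references. The `[LocalizedFileNames]` section maps each shortcut name to an `@<file>,-<resource id>` string that Explorer resolves to a display name from that file’s string table. The code below parses the file and flags any reference that is not in that form or whose file does not live under `%SystemRoot%`/`%windir%`; it is a triage heuristic, not a verdict. The `Updater.lnk` line is constructed (not from the thread) to show what a flagged entry looks like.

```python
import configparser
import re

# Sample input: the posted [LocalizedFileNames]/[.ShellClassInfo] content,
# plus one CONSTRUCTED entry (Updater.lnk) pointing outside %SystemRoot%.
SAMPLE_DESKTOP_INI = r'''
[LocalizedFileNames]
Windows Explorer.lnk=@%SystemRoot%\system32\shell32.dll,-22067
Command Prompt.lnk=@%SystemRoot%\system32\shell32.dll,-22022
Notepad.lnk=@%SystemRoot%\system32\shell32.dll,-22051
Tour Windows XP.lnk=@%SystemRoot%\system32\tourstart.exe,-1
Updater.lnk=@C:\Documents and Settings\Owner\Application Data\upd\upd.dll,-1
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21761
'''

# @<file>,-<resource id>: the minus sign means "resource ID", not "index".
RES_RE = re.compile(r'^@(?P<path>.+?),-(?P<id>\d+)$')

# Locations a stock XP desktop.ini is expected to point into (lower-cased).
TRUSTED_PREFIXES = ('%systemroot%\\', '%windir%\\')


def parse_desktop_ini(text):
    """Return {section: {key: value}} with key case preserved."""
    # interpolation=None: otherwise configparser chokes on %SystemRoot%.
    cp = configparser.ConfigParser(interpolation=None, delimiters=('=',))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_desktop_ini(text):
    """Return (section, key, value, reason) for every entry worth a look."""
    findings = []
    for section, entries in parse_desktop_ini(text).items():
        for key, value in entries.items():
            # Only display-name / icon references use the @file,-id form;
            # other .ShellClassInfo keys (CLSID, IconFile, ...) are skipped.
            if section != 'LocalizedFileNames' and not value.startswith('@'):
                continue
            m = RES_RE.match(value)
            if not m:
                findings.append((section, key, value,
                                 'not an @<file>,-<resource id> reference'))
            elif not m.group('path').lower().startswith(TRUSTED_PREFIXES):
                findings.append((section, key, value,
                                 'resource file outside the Windows directory'))
    return findings


if __name__ == '__main__':
    for section, key, value, reason in check_desktop_ini(SAMPLE_DESKTOP_INI):
        print(f'[{section}] {key} -> {value}: {reason}')
```

Every entry from the posted block resolves into `%SystemRoot%\system32`, so only the constructed `Updater.lnk` line is reported.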
I selected a boot scan and allowed Avast! to restart my computer; now it’s stuck in a weird loop. I’ll try to explain in all my non-techiness.
System shut down just fine, and rebooted. My Asus P5N-E logo kicks on, and after that I get 2 quick flashes of my BIOS, then… (when the Windows logo would normally start, or when Avast would start a boot scan) the screen goes blank, and I get: No Signal Input Check Video Cable.
After 2 or 3 seconds of that message it restarts and does it over again.
Trying to hit F8 at just the right time to get into Safe Mode was challenging, but I did get it twice.
Trying to start in Safe Mode and Last Config that worked gave me the exact same problem.
I would post a new topic about this problem. It’s obviously an exceptional event, and one that somebody from the avast! team should really look at, as they are the ones who really understand what the boot time scan does and why it might be causing this problem, and I’m sure it’s something they’ll want to look into.