Win32:Small-JUB [Trj] (in System Volume Information/ Restore

Hello, after Avast! finding this Trojan I quarantined it, copied all the
information to a text file, I searched all over avast.com, and support,
knowledge base, Viruses area, reference, wild, scripted ALL that,
only found 1 reference to it but didn’t say a darn thing other than the name.

So what exactly to do ?
How might this have gotten into the System Volume _restore ?
I don’t have games other than default windows games.
I did however turn avast off a few days ago for couple hours trying to
determine what was slowing down my computer, it’s running great now,
(with avast running too :).

Yesterday I let Avast! update and it said it need to restart the computer,
I said I would do it later, but I scanned and it found this, and I have not restarted yet.

Is this going to mess up my Hard drive Volume information ?
or Boot up or worse not boot up areas ?

How do I find this file, AND maybe tell when it was installed or created ?

Oh, I use Housecall online and Windows Live online scan every few days, they didn’t find this, I was thinking about doing it again, if they can detect it, will they be able to in the Avast Quarantine ?

Okay. I have,
Avast!4.7 Home Edition Free.
Build: Apr2008 (4.7.1169)
VPS File, Compilation date: 04/06/2008, File Version: 080405-1

I did a manual scan of the entire computer, with “Thorough” and “Scan
Archives”.
About half way through Avast sounded and said it found an infection
(nope, I do not recall “exactly what it said”), but I had to choose what to do,
so I quarantined it.
Here is what it found.

Trojan Horse
Win32:Small-JUB [trj]
C:\System Volume Information\_restore{171E4291-8B9B-43DF-912F-0388D5AED1ED}\RP43\A0012737.exe\{app}\MahJong2.exe
080405-1, 04/06/2008

By the way even with show ALL and hidden and all that, I can not seem to
find the system volume folder.
I do, do fairly frequent manual system restore points.
and always when I install something, which isn’t often; my computer does
not have a lot on it.
Hope I didn’t forget or miss anything. :slight_smile:
If I did please don’t scold me too much, but yell all you want :smiley:

I do have Hijack this, but have not ever had the need to use it, (on this computer)

Hi DADSGETNDOWN,

Probably a FP, look here: http://www.spywaredata.com/spyware/spyware-adware/process/3925/results.php
Upload the suspicious file to VirusTotal and see whether other scanners flag this as well. Please post the VirusTotal report in your next reply,

polonus

Hey, thanks for that Quick reply.
I guess you mean http://www.virustotal.com/ , I never heard of it :slight_smile:
I NOW, did find the System Restore Folder, somehow the show system folders was not checked.
BUT, How can I find this file ?
I searched and It can’t find mahjong2,
I manually went to the avast chest, and there are 6 files in there,
00000001,00000002,00000003,00000004 ALL of which are from last year and
very small file sizes.
BUT the one from yesterday, 00000005, is 5.15 MB.
and then there is the XML file.
SHOULD I upload this 00000005 ?, or open Avast and restore it ?

AND When hovering my mouse over the System Volume Info folder it says EMPTY, and I can not access it “access denied” even though I went to properties and unchecked read only, AND STUFF.
And I am Logged in as admin and all that.

Hi DADSGETNDOWN,

I contemplate on the results,

polonus

Hi DADSGETNDOWN,

Don’t use explorer to view the files in the chest, the file names aren’t the original and the files are encrypted, you can’t upload to VT from the chest.

Right click the avast ‘a’ icon, select avast! Virus Chest, the area of interest is the Infected Files section.

There is also a System Files section, which contains back-up copies of important system files so leave them alone.

Heh, I understand that.
but It didn’t answer that set of questions :smiley:

Hi there David, I do not have that choice when I right click the “A” Icon.
Also I did upload that File 00000005 from the chest to VirusTotal, but didn’t come up with anything I do have the results if you want to see them.
But of course IF it’s encrypted then that might explain the nothing results?

Hi

C:\System Volume Information\_restore{171E4291-8B9B-43DF-912F-0388D5AED1ED}\RP43\A0012737.exe\{app}\MahJong2.exe

That won’t mess up your hard drive. The detection is in a system restore point.

What you submitted was an encrypted file, if you found it with Windows Explorer.

You need to submit the file that is in the chest.

Start by creating a folder on your desktop. Name it something you can remember.

start avast, open the chest, click on the infected file button.
Right click the file, select extract
a browse box will open, use it to get to the folder you created, click ok

Now go back to VirusTotal and submit the file from that location.

Yep I was doing that just before I read your post, but wasn’t sure if I was to Extract or not THANKS!
I did that and this is copied from the results page, ONLY avast! out of 32
seems to have a name for it.

========RESULTS========
File A0012737.exe received on 04.07.2008 00:25:43 (CET)

Result: 1/32 (3.13%)

Antivirus Version Last Update Result
AhnLab-V3 2008.4.4.1 2008.04.04 -
AntiVir 7.6.0.81 2008.04.05 -
Authentium 4.93.8 2008.04.05 -
Avast 4.7.1098.0 2008.04.06 Win32:Small-JUB
AVG 7.5.0.516 2008.04.06 -
BitDefender 7.2 2008.04.06 -
CAT-QuickHeal 9.50 2008.04.05 -
ClamAV 0.92.1 2008.04.07 -
DrWeb 4.44.0.09170 2008.04.06 -
eSafe 7.0.15.0 2008.04.01 -
eTrust-Vet 31.3.5672 2008.04.04 -
Ewido 4.0 2008.04.06 -
F-Prot 4.4.2.54 2008.04.06 -
F-Secure 6.70.13260.0 2008.04.06 -
FileAdvisor 1 2008.04.07 -
Fortinet 3.14.0.0 2008.04.06 -
Ikarus T3.1.1.20.0 2008.04.06 -
Kaspersky 7.0.0.125 2008.04.07 -
McAfee 5267 2008.04.04 -
Microsoft 1.3408 2008.04.06 -
NOD32v2 3005 2008.04.06 -
Norman 5.80.02 2008.04.04 -
Panda 9.0.0.4 2008.04.06 -
Prevx1 V2 2008.04.07 -
Rising 20.38.60.00 2008.04.03 -
Sophos 4.28.0 2008.04.07 -
Sunbelt 3.0.1032.0 2008.04.05 -
Symantec 10 2008.04.06 -
TheHacker 6.2.92.266 2008.04.05 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.06 -
Webwasher-Gateway 6.6.2 2008.04.05 -
Additional information
File size: 5405000 bytes

I would say that it is a false positive. You can submit the file to avast from the chest. Right click it, select email to alwil software. Clearly enter in the message field that you believe it to be a FP, include the avast vps version and a link to this thread.

If you want to restore it, right click, restore. It may get detected again, so you might not want to restore it yet. It’s only in a system restore point, so it’s not a big concern.

MahJong2.exe, is that a Pogo game?

It is there (see image) if you are using avast 4.8.1169, what version are you using ?

I can assure you that the avast chest being a protected area, nothing will go up there, all you will see is a 0 byte size file, no update.

In there is the problem.
I didn’t download it, I didn’t see or let it download, I would have never let it, So I am wondering a few things.
When, and better yet how, did it download without my knowledge or at least seeing it and catching it?
Since it is now extracted, I now see that it is clearly a “Mahjong Medley Free Trial Setup”
I NEVER download trials, or games for that matter.
I am VERY leery and aware of crap like this; I frequent security etc etc forums, I read CNET every day, I do only use the free programs offered there after careful review, reading and hopefully logical considerations.
So I would like to know, how did it download? It might have happened when I had Avast! off, giving the reason I wasn’t notified, but I would like to think I would have been notified other ways within Windows or Windows Defender.
I would like to get into the Restore where it was and find when it was created, AND Delete that whole restore by itself.
Since it was downloaded without my knowledge, to me, IT IS no doubt a Trojan/Malware/Spyware, even though it probably does have the free trial game too Lol.
But there again, IF they wanted it to install or for me to install it,how would I ever see it in the system restore, I would have to use that exact restore point right?
and it might not even install it still. Lol.

Hi yah again David.
nope, in my first post.
Avast!4.7 Home Edition Free.
Build: Apr2008 (4.7.1169)
VPS File, Compilation date: 04/06/2008, File Version: 080405-1

By the way sir, you say,
“I can assure you that the avast chest being a protected area, nothing will go up there, all you will see is a 0 byte size file, no update.”

I don’t understand.
How is it protected ?
It looks like any regular folder and I can go into it and there are no 0 byte files they all have a file size.
and what does “nothing will go up there” mean?
Just so I’m clear :slight_smile:

You should do a manual program update to 4.8, until then you can access the chest from the Simple User Interface, Menu or directly by double clicking on the ashChest.exe file in the avast4 folder.

avast won’t allow files in the chest to be executed or accessed by outside influence, like someone trying to upload it, and that is why all you will have at the other end is the file name you told it to upload but nothing in the way of content, 0 byte file size. That is the whole purpose of the chest: to isolate infected files, protecting your system.

I find nothing malicious about the game. It could have been on a game disk. I don’t know how you got it. I found things like Yahoo games, Real Arcade.

You are right the game wouldn’t run if you don’t restore the exe.

Anyway, you cannot remove one restore point. You can however remove all but the most recent.

  • Create a new restore point

    You must be logged on to an administrator account.
    Go to Start - All Programs - Accessories - System Tools - System Restore.
    Click Create a restore point, and then click Next.
    In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  • Remove old restore points

    Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

The files in the avast chest are encrypted. That is why when viewed through explorer, you will only see numbers, not the actual file name. In the chest you should be able to see the true file name.

Try it. Open explorer and go to the chest, see what it shows there, then open the chest and click on the all chest files button. Those system files belong here BTW.

Oh I guess the chest does not work if that is the case.
because right from the chest folder I uploaded that 00000005, is 5.15 MB file, and as the report from VirusTotal in my post, (can’t find the post now), but I have it saved to my computer, it said,
00000005 Additional information
File size: 5405008 bytes.
Which is “almost” same size as the original file, A0012737.exe Additional information
File size: 5405000 bytes
both of those are according to VirusTotal.
But of course the 00000005 must be encrypted because even though it says it scanned it didn’t come up with any results; it did come up with a report I can paste here, looks a lot like the one for A0012737.exe but with no real results.

BUT, I did extract the original file A0012737.exe to the chest,
C:\Program Files\Alwil Software\Avast4\DATA\chest, and uploaded it and got results, so it must be the file that Avast moves there, renames and encrypts and not just what it is in the folder itself yes ?

Yes sir I still need to restart my computer so Avast can do its thing it wants to do :slight_smile:

Well it looks like it will allow a copy from the explorer interface to the renamed and encrypted files in the chest folder, but if you try to move(remove) it out of the chest you will get an error.

The renaming and encrypting of the files in the chest make them useless outside the chest as they can’t be executed, and the program/registry entry which previously called them couldn’t do so as the name would be different.

I don’t know if there have been any changes associated with the 4.8 version, but previously people reported just getting a 0 byte file size when trying to upload to VT. The VT scan will I guess be of the raw data in the File, which would be unlikely to have the same signature associated with the unencrypted file.

Can’t send it it says,

Emailing selected files

Action was completed with errors!

The following file cannot be sent by email:
A0027830.exe (FileID: 8)
The file is bigger than the limit: 1024 kB

Emailing selected files

The program will try to email 1 selected file(s) from the Chest to ALWIL Software

Action was completed with errors!

Seems that you can’t send the file both by email and from Chest. Am I right?

Program Settings, Chest, increase the Maximum size of file to be sent, to cater for the size of the file you want to email.