x:\System Volume Information\_restore

Below is part of the scan log reported last night. Any idea how I should prevent this kind of infection? Like “F:\System Volume Information\_restore”???

1265087600 Administrator 3740 Sign of “Win32:Adware-gen [Adw]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022219.exe\{app}\BaiduBar.DLL” file.
2/2/2010 12:14:45 AM 1265087685 Administrator 3740 Sign of “Win32:Malware-gen” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022224.exe\%MAINDIR%\MagicSet.exe” file.
2/2/2010 12:15:15 AM 1265087715 Administrator 3740 Sign of “Win32:CDN [Adw]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\3721\CNS1.exe” file.
2/2/2010 12:15:30 AM 1265087730 Administrator 3740 Sign of “Win32:Trojan-gen” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\3721\CNS1.dll” file.
2/2/2010 12:15:42 AM 1265087742 Administrator 3740 Sign of “Win32:Agent-UJY [Trj]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\3721\CnsMinKP2K.sys” file.
2/2/2010 12:15:53 AM 1265087753 Administrator 3740 Sign of “Win32:Agent-UFK [Trj]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\3721\CnsMinKPXP.sys” file.
2/2/2010 12:16:01 AM 1265087761 Administrator 3740 Sign of “Win32:Spyware-gen [Spy]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\$R0” file.
2/2/2010 12:16:02 AM 1265087762 Administrator 3740 Sign of “Win32:Downloader-ZM [Trj]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\$R0” file.
2/2/2010 12:16:02 AM 1265087762 Administrator 3740 Sign of “Win32:Spyware-gen [Spy]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\$R0” file.
2/2/2010 12:16:02 AM 1265087762 Administrator 3740 Sign of “Win32:Adware-gen [Adw]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\$R0” file.
2/2/2010 12:16:02 AM 1265087762 Administrator 3740 Sign of “Win32:Adware-gen [Adw]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\$R0” file.
2/2/2010 12:16:02 AM 1265087762 Administrator 3740 Sign of “Win32:Adware-gen [Adw]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\$R0” file.
2/2/2010 12:16:02 AM 1265087762 Administrator 3740 Sign of “Win32:Asibar [Adw]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\$R0” file.
2/2/2010 12:16:02 AM 1265087762 Administrator 3740 Sign of “Win32:Trojan-gen” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\$R0” file.
2/2/2010 12:16:03 AM 1265087763 Administrator 3740 Sign of “Win32:Spyware-gen [Spy]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\$R0” file.
2/2/2010 12:16:03 AM 1265087763 Administrator 3740 Sign of “Win32:Spyware-gen [Spy]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\$R0” file.
2/2/2010 12:16:03 AM 1265087763 Administrator 3740 Sign of “Win32:Malware-gen” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\$R0” file.
2/2/2010 12:16:03 AM 1265087763 Administrator 3740 Sign of “Win32:Spyware-gen [Spy]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\$R0” file.
2/2/2010 12:16:03 AM 1265087763 Administrator 3740 Sign of “Win32:Malware-gen” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\Assist\$R0” file.
2/2/2010 12:16:05 AM 1265087765 Administrator 3740 Sign of “Win32:Spyware-gen [Spy]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\shell\$R0” file.
2/2/2010 12:16:06 AM 1265087766 Administrator 3740 Sign of “Win32:Spyware-gen [Spy]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\shell\$R0” file.
2/2/2010 12:16:06 AM 1265087766 Administrator 3740 Sign of “Win32:Spyware-gen [Spy]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\shell\$R0” file.
2/2/2010 12:16:06 AM 1265087766 Administrator 3740 Sign of “Win32:Spyware-gen [Spy]” has been found in “F:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022238.exe\$INSTDIR\shell\$R0” file.
2/2/2010 4:06:46 AM 1265101606 Administrator 3636 Sign of “Win32:Trojan-gen” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022367.exe\data\cool.exe” file.
2/2/2010 4:06:47 AM 1265101607 Administrator 3636 Sign of “Win32:Adware-gen [Adw]” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022367.exe\data\sogoutb_setup_pp365yue.exe\$INSTDIR\$R0” file.
2/2/2010 4:06:58 AM 1265101618 Administrator 3636 Sign of “Win32:Adware-gen [Adw]” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP66\A0022369.exe\$INSTDIR\$R0” file.
2/2/2010 4:07:05 AM 1265101625 Administrator 3636 Sign of “Win32:CDN [Adw]” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP67\A0022386.exe\$INSTDIR\Assist\3721\CNS1.exe” file.
2/2/2010 4:07:05 AM 1265101625 Administrator 3636 Sign of “Win32:Trojan-gen” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP67\A0022386.exe\$INSTDIR\Assist\3721\CNS1.dll” file.
2/2/2010 4:07:06 AM 1265101626 Administrator 3636 Sign of “Win32:Agent-UJY [Trj]” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP67\A0022386.exe\$INSTDIR\Assist\3721\CnsMinKP2K.sys” file.
2/2/2010 4:07:07 AM 1265101627 Administrator 3636 Sign of “Win32:Agent-UFK [Trj]” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP67\A0022386.exe\$INSTDIR\Assist\3721\CnsMinKPXP.sys” file.
2/2/2010 4:07:07 AM 1265101627 Administrator 3636 Sign of “Win32:Spyware-gen [Spy]” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP67\A0022386.exe\$INSTDIR\$R0” file.
2/2/2010 4:07:07 AM 1265101627 Administrator 3636 Sign of “Win32:Downloader-ZM [Trj]” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP67\A0022386.exe\$INSTDIR\$R0” file.
2/2/2010 4:07:07 AM 1265101627 Administrator 3636 Sign of “Win32:Spyware-gen [Spy]” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP67\A0022386.exe\$INSTDIR\$R0” file.
2/2/2010 4:07:07 AM 1265101627 Administrator 3636 Sign of “Win32:Adware-gen [Adw]” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP67\A0022386.exe\$INSTDIR\$R0” file.
2/2/2010 4:07:08 AM 1265101628 Administrator 3636 Sign of “Win32:Adware-gen [Adw]” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP67\A0022386.exe\$INSTDIR\Assist\$R0” file.
2/2/2010 4:07:08 AM 1265101628 Administrator 3636 Sign of “Win32:Adware-gen [Adw]” has been found in “G:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP67\A0022386.exe\$INSTDIR\Assist\$R0” file.

any idea how I should prevent this kind of infection?
Do you mean that avast did not stop this? Or did you find this after installing avast?

I have no idea how to prevent this threat from keeping on infecting your system; others here might be better at helping you with it, but you may already delete all these restore points, no? … This said, you might have an FP too; further investigation needed.

Yeah, we don’t even know if the OP has Avast installed…
Edit: he just mentioned a log… OK, should be avast. But as you said, not clear if all that stuff was blocked or not.

Check your computer for malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
Update and run a quick scan; click the “remove selected” button to quarantine anything found, and restart.

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

Come back and post your scan logs here.

Log 1. Local Drives:

Malwarebytes’ Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/2/2010 4:33:47 PM
mbam-log-2010-02-02 (16-33-35).txt

Scan type: Quick Scan
Objects scanned: 107382
Time elapsed: 11 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 7
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) → No action taken.
HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\MSx (Rogue.MSAntiVirus) → No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) → No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.SearchPage) → Bad: (http://windowsisearch.com/search?q={searchTerms}) Good: (http://www.Google.com/) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.SearchPage) → Bad: (http://windowsisearch.com) Good: (http://www.Google.com/) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.SearchPage) → Bad: (http://windowsisearch.com/search?q={searchTerms}) Good: (http://www.Google.com/) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.SearchPage) → Bad: (http://windowsisearch.com) Good: (http://www.Google.com/) → No action taken.

Folders Infected:
D:\WINDOWS\system32\848700 (Trojan.BHO) → No action taken.

Files Infected:
D:\WINDOWS\system32\find.exe (Malware.Tool) → No action taken.
D:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk (Hijack.Trace) → No action taken.
D:\WINDOWS\system32\serauth1.dll (Trojan.Agent) → No action taken.
D:\WINDOWS\system32\serauth2.dll (Trojan.Agent) → No action taken.
D:\WINDOWS\EXPLORER.MS (Heuristics.Reserved.Word.Exploit) → No action tak

Malwarebytes database is showing 3510… meaning you did not update the program before you scanned.
Latest database is 3681; always update before scanning, MBAM is updated several times a day.

The log says “NO ACTION TAKEN”; if you want to quarantine the infections you must click the “REMOVE SELECTED” button after the scan.
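A small triage script for the MBAM log format quoted in this thread, added here as an example; it is not part of the thread and not Malwarebytes' own tooling. It parses the log header and each detection line, flags a scan whose database version is older than a "latest" number you pass in, and lists every item still marked "No action taken", which is the condition the reply above points out. The embedded sample log is constructed in the same layout as the posted ones, and the function names and the latest-version argument are assumptions of the example.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# MBAM writes "->"; copies pasted into forums often come through as "→".
ARROW = r"(?:->|→)"
ITEM_RE = re.compile(r"^(?P<path>.*?) \((?P<family>[^()]+)\) " + ARROW + r" (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")
HEADER_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned): (?P<value>.+)$")

# Constructed sample, same layout as the logs in the thread (not a real scan).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 107382

Registry Keys Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MSx (Rogue.MSAntiVirus) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.SearchPage) -> Bad: (http://windowsisearch.com) Good: (http://www.Google.com/) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\find.exe (Malware.Tool) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str
    path: str
    family: str
    action: str
    bad: Optional[str] = None   # "Bad: (...)" value for registry data items
    good: Optional[str] = None  # "Good: (...)" value MBAM would restore

    @property
    def unresolved(self) -> bool:
        # MBAM only quarantines when "Remove Selected" is clicked; until then
        # every line ends in "No action taken." and the item is still live.
        return self.action.startswith("No action taken")


def parse_mbam_log(text: str) -> dict:
    """Return header fields plus a list of Detection objects, one per item line."""
    report = {"database_version": None, "scan_type": None, "objects_scanned": None, "items": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            key = m.group("key").lower().replace(" ", "_")
            value = m.group("value")
            report[key] = int(value) if value.isdigit() else value
            continue
        if line.endswith("Infected:"):          # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious"):
            continue                            # summary counts or empty section
        m = ITEM_RE.match(line)
        if not m:
            continue
        parts = re.split(r" " + ARROW + r" ", m.group("rest"))
        det = Detection(section, m.group("path"), m.group("family"), parts[-1])
        for extra in parts[:-1]:                # optional "Bad: (...) Good: (...)" segment
            bg = BADGOOD_RE.match(extra)
            if bg:
                det.bad, det.good = bg.group("bad"), bg.group("good")
        report["items"].append(det)
    return report


def triage(text: str, latest_db: int) -> dict:
    """Summarise what a reader would check first: stale database, unremoved items."""
    rep = parse_mbam_log(text)
    pending = [d for d in rep["items"] if d.unresolved]
    return {
        "database_version": rep["database_version"],
        "stale_database": rep["database_version"] is not None and rep["database_version"] < latest_db,
        "unresolved": [(d.section, d.path, d.family) for d in pending],
        "resolved": len(rep["items"]) - len(pending),
    }


if __name__ == "__main__":
    # 3681 is the "latest database" number quoted in the thread; pass the current one.
    print(triage(SAMPLE_LOG, latest_db=3681))
```

Run it against a saved `mbam-log-*.txt` by reading the file into `triage`; a non-empty `unresolved` list means the scan was only a report and nothing was quarantined, and `stale_database` being true means the signatures were old when the scan ran, so both checks should pass before treating a log as a clean result.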

To Logos

Yes, all these restore points have been deleted.

What’s “FP”???

Thanks Pondus ;D
I am updating it now, and all listed findings in my local drives were removed.

Here is another log with Full Scan

Malwarebytes’ Anti-Malware 1.44
Database version: 3681
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/2/2010 5:16:03 PM
mbam-log-2010-02-02 (17-16-03).txt

Scan type: Full Scan (F:|G:|)
Objects scanned: 122611
Time elapsed: 17 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{988934a4-064b-11d3-bb80-00104b35e7f9} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a1dd29ed-2598-48e9-9793-64a9cd08ac94} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{87ca3845-37fe-414c-81cf-e08a7d0f6779} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f08555b0-9cc3-11d2-aa8e-000000000000} (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What’s “FP”?

What is a False Positive?
http://antivirus.about.com/b/2007/02/13/what-is-a-false-positive.htm

False Negative
http://antivirus.about.com/od/whatisavirus/g/falsenegative.htm

Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

What is a Virus Signature?
http://antivirus.about.com/od/whatisavirus/a/virussignature.htm