"TROJAN" in System Volume Information folder

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

We sent the following tech support request, and system information, to our
Anti Virus Software provider, Grisoft (AVG). We got the reply (immediately
below). We have followed the instructions in the reply to our request, (the
SAME procedure outlined by BRUCE CHAMBERS and DOUG KNOX in an 11/15/04 post
re the NETSKY virus in the same folder, i.e. System Volume Information), and
we have performed ALL the procedures outlined by DAVID H. LIPMAN, i.e.
loading/running McAfee’s STINGER and Trend Micro’s SYSCLEAN (in the same
11/15/04 post) to the letter, but Earthlink’s SPYAUDIT program CONTINUES to
find a “Trojan Horse†virus, reporting it as a “DP Trojan†and indicates its
IMMEDIATE REMOVAL is CRITICAL.

Contact with Earthlink produces NO useable information (surprise, surprise).
AVG’s “Virus Vault†lists the program as a “Generic Downloader BXP†Trojan
Horse, but the reply to the tech support request mentioned above tells us it
is “IMPOSSIBLE†to access the file directly for deletion. AVG no longer
locates the file since we deleted it from the Virus Vault, but Earthlink’s
SPYAUDIT STILL reports the “DP TROJANâ€.

In addition, the Windows Security Center continually tells me my AVG 7.1
reports it is OFF. I have configured and RE-configured the program, and RUN
it several times but Security Center CONTINUES to report the Anti Virus
software that it IDENTIFIES is OFF.

Can anybody help?


AVG’s TECH SUPPORT REPLY:

Dear Sir/Madam,

Thank you for your email.
According to your information the file is stored in System Volume
information folder. Also according to the file name it really is a virus
itself and not a correct file that has been infected.
Files placed in the System_volume_information folder are source files for
the system restore function that is available in Windows XP operating system.
Files that were healed were moved in their original INFECTED state into this
folder and it is necessary to DELETE them by following these steps:

1) Close all open programs. Then right-click My Computer on the Windows
desktop
2) Click on Properties
3) Click on the System Restore tab
4) Check Turn off System Restore on all drives
5) Restart the system
6) Go through the first four steps again and uncheck the item mentioned in
step 4.

Also please note that if the file is stored in this location it is not
possible for you to manipulate it. It is denied by your operating system. The
only way to remove the virus is described in the procedure above.



OUR ORIGINAL REQUEST FOR AVG TECH SUPPORT:
 
From: "lazaruslong" <[email protected]>

< snip >

|
| AVG’s TECH SUPPORT REPLY:
|
| Dear Sir/Madam,
|
| Thank you for your email.
| According to your information the file is stored in System Volume
| information folder. Also according to the file name it really is a virus
| itself and not a correct file that has been infected.
| Files placed in the System_volume_information folder are source files for
| the system restore function that is available in Windows XP operating system.
| Files that were healed were moved in their original INFECTED state into this
| folder and it is necessary to DELETE them by following these steps:
|
| 1) Close all open programs. Then right-click My Computer on the Windows
| desktop
| 2) Click on Properties
| 3) Click on the System Restore tab
| 4) Check Turn off System Restore on all drives
| 5) Restart the system
| 6) Go through the first four steps again and uncheck the item mentioned in
| step 4.
|
| Also please note that if the file is stored in this location it is not
| possible for you to manipulate it. It is denied by your operating system. The
| only way to remove the virus is described in the procedure above.
|
| OUR ORIGINAL REQUEST FOR AVG TECH SUPPORT:
|


AVG's email reply is correct. Dump the contents of the System Restore Cache as prescribed.

Reboot the PC and then re-enable the System Restore Cache.

This will remove any latent infectors stored in the cache.

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
 
Thank you David; but I DID follow that procedure...four times. I also
followed the procedures you prescribed for getting rid of the NETSKY virus to
someone in this newsgroup 11/15/04, i.e. ran Sysclean and Stinger. Both to
no avail. Both report "access denied" to numerous files. Sysclean's log
reports it found 8 viruses but also reports it FAILED to clean the 8. And
Earthlink's SPYAUDIT program STILL reports the "Trojan DP" mentioned.
Any other possibilities?
 
From: "lazaruslong" <[email protected]>

| Thank you David; but I DID follow that procedure...four times. I also
| followed the procedures you prescribed for getting rid of the NETSKY virus to
| someone in this newsgroup 11/15/04, i.e. ran Sysclean and Stinger. Both to
| no avail. Both report "access denied" to numerous files. Sysclean's log
| reports it found 8 viruses but also reports it FAILED to clean the 8. And
| Earthlink's SPYAUDIT program STILL reports the "Trojan DP" mentioned.
| Any other possibilities?

The log you provided specifically showed...

"C:\System Volume
Information\_restore{60C4F85F-FA27-457A-A148-4E83D6FC2482}\RP346\A0045023.exe"

That is definitely the System restore Cache. I down't want to belittle you are berate you
but if you properly disabled the System Restore cache as in the directions in the following
URL -- http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm and rebooted the PC,
then the System Restore Cache will be flushed out and no infector will exist there.

Here is what I want you to do. Follow the directions for Disabling the System Restore cache
and then reboot the PC.

Download the following tool which provides anti virus scanners from; Trend Micro, Sophos,
Mcafee and Kaspersky. Go through the menu and download the files needed for each scanner.
However, don't run the scanners just yet. After you download the the needed files for the
AV scanners, choose "Reboot the PC" from the menu and then go into Safe Mode ( hit the F8
key during boot up to get into Safe Mode ) and re-run the utility and then scan the computer
using the AV scanners in Safe Mode.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe



When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Dear Dave;

Sorry for the delay in responding to your last post…we had yet another
emergency (not computer related).

We have not yet had opportunity to download/run the utility or scanners you
referred us to but are beginning that procedure now.

In the meantime, further reflection on our dilemma made us realize we may be
speaking of two DIFFERENT Trojans, and following the procedure you
prescribed, i.e. turning off System Restore and re-booting to flush the
Volume Info folder may, in fact, have gotten rid of the

"C:\System Volume
Information\_restore{60C4F85F-FA27-457A-A148-4E83D6FC2482}\RP346\A0045023.exe"

We have now realized the virus mentioned above was reported by AVG (thus it
was put in the Virus Vault). Earthlink however, continues to report a “DP
TROJAN†in our system but doesn’t give any further information as to
filename/path/etc. And contact with Earthlink is an exercise in futility.

We HAVE, in perusing the posts on this page, become intrigued with KASPERSKY
LAB, and attempted to run its FREE ONLINE SCANNER as a check against
Earthlink’s SPYAUDIT. Kasperky’s scanner downloaded and APPARENTLY
INSTALLED, along with ALL the current def files, and reports it is “READYâ€,
but we have found NO WAY to START the program. Reading the help file
provided tells us it will ACTIVATE by accessing the website from within the
program, but we can’t seem to get INTO the program. Any ideas there? We
sent an email request to Kaspersky’s tech support (two days ago), but, as
yet, haven’t gotten any response.

Thanx for all your time and attention to our plight.

BTW, we’re pretty thick-skinned and don’t take any of your suggestions as
“belittling†or “beratingâ€.
 
Dear David;

Sorry to be so long getting back to you. But thank you VERY much for your
concern and help.
We DID download/install Webroot's Spysweeper, as well as SPYWARE DOCTOR.
Spysweeper has apparently done the trick as Earthlink's SPYAUDIT no longer
alerts us to the "DP TROJAN" it continually reported. However we've since
downloaded/installed two FREEWARE programs (SPYBOT and SECRETMAKER) and they
BOTH appear to be more thorough (and user-friendly) than either Spyware
Doctor or Spysweeper. Any thoughts on the freeware mentioned?
 
From: "lazaruslong" <[email protected]>

| Dear David;
|
| Sorry to be so long getting back to you. But thank you VERY much for your
| concern and help.
| We DID download/install Webroot's Spysweeper, as well as SPYWARE DOCTOR.
| Spysweeper has apparently done the trick as Earthlink's SPYAUDIT no longer
| alerts us to the "DP TROJAN" it continually reported. However we've since
| downloaded/installed two FREEWARE programs (SPYBOT and SECRETMAKER) and they
| BOTH appear to be more thorough (and user-friendly) than either Spyware
| Doctor or Spysweeper. Any thoughts on the freeware mentioned?

If that is SpyBot Search and Destroy -- That's an A1 ecellent application.
I know nothing aboy Secret Maker.

One must be careful of rogue anto spyware applications. Woves in sheeps clothes.

Spyware Warrior is a good source for Rogue anti spywarea applications.
http://www.spywarewarrior.com/rogue_anti-spyware.htm
 
Thanx so much for the input David. The SecretMaker is another freeware
download from cdNET. It's got rave reviews from both the editors and a 4 1/2
star rating from users. It's apparently a very popular download with quite a
few features. You might want to check it out for future reference.
Thanx again.
 
Back
Top