
Restore Points Reinfected With Trojan


This topic is locked
13 replies to this topic

#1 lliztiz


Posted 27 October 2007 - 01:20 PM

I have the same problem. BitDefender identified Trojan.Downloader.Small.CHE in C:\SystemVolumeInformation\_restore{66FED....}\RP2\A0000005.exe. Disinfection failed. I previously had a large number of restore point files infected with this same Trojan. I closed down System Restore, ran another scan, and it was clean. However, now I am being reinfected somehow. So, if getting rid of the restore points doesn't solve the problem, what should I do? Thanks for any help.

Mod Edit: Split post from active topic. ~TMacK

Edited by TMacK, 27 October 2007 - 02:01 PM.



#2 buddy215


Posted 27 October 2007 - 03:46 PM

The malware would also be in some other location.
You need to follow the directions below.

Install Super Antispyware free. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Post a Hijack This Log in the Hijack This Forum by following the directions in the link below if the program above has not removed ALL malware. DO NOT post a log in this forum. http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



#3 quietman7


Posted 27 October 2007 - 09:26 PM

"now I am being reinfected somehow"

What are you reinfected with, and what program is telling you that you're infected?

The files identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore - the feature that allows you to set points in time to roll back your computer to a clean working state. This folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the System Volume Information folder (System Restore points) but the anti-virus software was unable to remove it. Since the System Volume Information folder is a protected directory, your tools cannot access it to delete these files and they sometimes can reinfect your system if you accidentally use an old restore point.

If you turned System Restore off, then you deleted all your restore points and your infection is coming from somewhere else.
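The distinction quietman7 draws above (a hit inside a restore point is a backed-up copy, the live infection lives elsewhere) is the first thing to sort out when reading a scanner report. The following triage script is an added example, not code from this thread or from any scanner vendor; the record layout, the GUID, the Temp path and the file names are constructed for the example.

```python
import re
from collections import defaultdict

# Path layout System Restore used on Windows XP: each restore point is a folder
# RPnn inside _restore{GUID} under System Volume Information, and every file it
# backed up is stored under a generated name A00000nn.<ext>. The folder name is
# matched with optional spaces because forum posts often lose them.
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System\s*Volume\s*Information\\_restore\{[0-9A-Fa-f-]+\}"
    r"\\RP(?P<rp>\d+)\\(?P<name>A\d{7}\.[A-Za-z0-9]+)$",
    re.IGNORECASE,
)

def parse_line(line):
    # One scanner record: path<TAB>detection<TAB>action; anything else is skipped.
    parts = [p.strip() for p in line.rstrip("\r\n").split("\t")]
    return tuple(parts) if len(parts) == 3 else None

def triage(log_text):
    """Split scanner hits into restore-point copies and hits on live files.
    A hit inside a restore point is a copy System Restore made of an infected
    file; the file that keeps reinfecting the machine is one of the live hits.
    """
    result = {"restore_points": defaultdict(list), "live": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, detection, action = rec
        m = RESTORE_POINT_RE.match(path)
        if m:
            result["restore_points"][int(m.group("rp"))].append(
                (m.group("name"), detection, action))
        else:
            result["live"].append((path, detection, action))
    result["restore_points"] = dict(result["restore_points"])
    return result

# Constructed sample log: the GUID, the Temp path and the file names are made up
# for this example; the record layout is generic, not any scanner's real format.
GUID = "{11111111-2222-3333-4444-555555555555}"
SAMPLE_LOG = (
    f"C:\\System Volume Information\\_restore{GUID}\\RP2\\A0000005.exe"
    "\tTrojan.Downloader.Small.CHE\tDisinfection failed\n"
    f"C:\\SystemVolumeInformation\\_restore{GUID}\\RP3\\A0000017.exe"
    "\tTrojan.Downloader.Small.CHE\tDisinfection failed\n"
    "C:\\Documents and Settings\\user\\Local Settings\\Temp\\dl.exe"
    "\tTrojan.Downloader.Small.CHE\tQuarantined\n"
)
```

On the sample, `triage(SAMPLE_LOG)` groups the two RP2/RP3 hits as restore-point copies and leaves only the Temp file as a live hit, which is the one worth investigating.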

#4 lliztiz


Posted 29 October 2007 - 12:29 AM

Thank you. I shall follow your instructions. I am assuming I enable system restore since it is after doing so that the infection reappears. I'll let you know what happens. It may take a day or two since my internet is down at work.

#5 quietman7


Posted 29 October 2007 - 07:03 AM

Ok, just try to provide information like any specific files identified as bad, their location on your system and what program identified them.

#6 lliztiz


Posted 29 October 2007 - 11:39 AM

The super antispy scan came back completely clean. I ran the home version vs. the professional one. Does that mean that I am home free? I hope so. :thumbsup:

#7 quietman7


Posted 29 October 2007 - 11:43 AM

BitDefender originally identified the file in SR according to your first post so I would do another scan with it.

#8 buddy215


Posted 29 October 2007 - 12:11 PM

There is some info on the web that this is a rootkit. Here is a link to a free AVG Antirootkit program.
http://www.grisoft.com/doc/download-free-a...ootkit/us/crp/0

If you do not have a program similar to Ccleaner, I would suggest you use it.
Remove temporary files, logs, cookies, etc. by using Ccleaner. Do not use "Advanced Settings" or the "Issues" button. Use only the default settings. http://www.ccleaner.com/
During the Ccleaner installation you will be offered the Yahoo Toolbar. UNcheck if you do not want it.

If nothing is found and the malware shows up again in system restore you should definitely post a Hijack This log in the Hijack This Forum.

Post a Hijack This Log in the Hijack This Forum by following the directions in the link below. DO NOT post a log in this forum. http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Edited by buddy215, 29 October 2007 - 12:25 PM.



#9 lliztiz


Posted 31 October 2007 - 02:23 AM

Thanks to both responders-- quietman & buddy. I will run another BitDefender scan and I will download the free AVG root kit software-- sounds like a good thing to have. I ran Ccleaner, so hopefully that got rid of anything that was left. If I find anything else, I will post a log on the Hijack This Forum. It's so nice to know that there are folks like you to help out in these situations. Thanks!

Edited by lliztiz, 31 October 2007 - 02:28 AM.


#10 quietman7


Posted 31 October 2007 - 07:44 AM

You're quite welcome.

#11 lliztiz


Posted 31 October 2007 - 11:07 AM

Bad news. I ran BitDefender and all the old infected restore points (about 15 of them) that had been deleted by BitDefender are back again. They were deleted again, but now I know they will be back. I will post a log to Hijack This, but I have a few questions before doing so:
- Should I disable System Restore now, since it is when that is enabled that the re-infection occurs?
- Should System Restore be on or off when I post the log? Do I need to go through all the preparatory steps again before posting the log? I did that before, and none of the other virus programs even detected this pest-- only Bitdefender.

Also, the AVG root kit did not detect any problems, even in the deep scan mode. Seems to be quite a sneaky little bugger. Thank you. :thumbsup:

Edited by lliztiz, 31 October 2007 - 11:08 AM.


#12 quietman7


Posted 31 October 2007 - 11:18 AM

"Should System Restore be on or off when I post the log?"

Leave it on for now. Turning System Restore off and then turning it back on has some risk associated with it since that feature does not always work as intended. Further, there is always a possibility of something going wrong during the malware removal process and you end up with more problems. Without a restore point to fall back on, you are then stuck with a limited means of restoring your system such as a Repair Install or Reformat. Although System Restore is not 100% guaranteed to work all the time, it at least gives you another option. When the system is clean, then you can create a new Restore Point and purge the old ones to prevent accidental re-infection.

"Do I need to go through all the preparatory steps again before posting the log?"

No. Go to step #9 where there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#13 lliztiz


Posted 14 November 2007 - 06:44 PM

Quietman,

I posted a HijackThis log to the HijackThis forum on 10/31-- still no response. Is that normal? I am beginning to wonder if my log fell off the face of the earth. Do you think I need to be concerned about this much delay? Thanks.

lliztiz

#14 TMacK


Posted 14 November 2007 - 06:48 PM

Post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

This topic will now be closed, since you have an open log posted.
If you have any questions, feel free to send me a PM.