
Two Trojans Identified By Avg


2 replies to this topic

#1 Chris Bar

Posted 16 September 2008 - 10:17 AM

Operating system is XP Home Media Edition with SP1 only.

BACKGROUND:
Recent scan with updated AVG identified two different Trojans, one involving uninstall for PCFriendly which I solved by deleting both the Trojan file and the program since I did not need either! The identical problem found by Netscape search based on the virus type Trojan horse PSW.Generic6.ABBK, the same virus name as I am identifying here, was reported earlier by a different party but final outcome of their issue was indeterminate. As said, I deleted both the program and the trojan so that problem is solved...I report it just for information as maybe relates to this next issue, which is my problem.

PROBLEM:
The second Trojan is apparently preventing my restoring the computer to an earlier time to fix a different problem (ref only: in changing between two different names in Outlook Express but not part of this question). I believe this to be true since the file A0327396.exe is found as C:\system volume information\restore [XXXXXXX....\RP1925\A0327396.exe. As already stated above, the virus type is Trojan horse PSW.Generic6.ABBK. I would just delete this file as well, but although I cannot perform a restore function right now, if I delete the file, it is probably the base data for the restore conditions and would prevent me from ever restoring to an earlier time than now, or perhaps ever? I am not very computer literate...only know enough to get in trouble.

PERTINENT DRIVEL?: I have a backup plan though....two different images of Norton Ghost, so I could just scrap current data and restore the image...maybe? But again, the Trojan might have been existing six months ago when I made the images, and was just detected by an updated AVG. I run AVG and Spybot and Adaware and Bazooka frequently so I am believing it is a new problem. Since the Trojan is in the vault, I cannot look at the date the file was generated or modified.

WHAT TO DO NOW: Any suggested approaches?

[Moderator edit: post moved to more appropriate forum. jgw]

Edited by jgweed, 16 September 2008 - 10:41 AM.



#2 Guest_Abacus 7_*

Posted 16 September 2008 - 02:21 PM

It appears that it is sitting in System Restore.

Temporarily switch off System Restore, then run AVG. It should remove it; after removal, switch System Restore back on, then reboot, then run AVG again to make sure it is gone. After that, restore to where you need to go and then run AVG again. If it finds anything, repeat the above steps, then set a new restore point when it is clear.

Edited by Abacus 7, 16 September 2008 - 02:25 PM.


#3 quietman7

Global Moderator

Posted 18 September 2008 - 09:37 AM

The infected RP***\A00*****.exe/.dll file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point. Also see How antivirus software and System Restore work together.

To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.

Due to the nature of your infection, I also recommend you do the following:

Please download and perform a Quick Scan in normal mode with Malwarebytes Anti-Malware following the instructions provided in that link. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
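As an added illustration of the point above (not code from this thread or from any AV vendor), the following script walks scanner detection lines and separates hits inside System Restore points (the RP<n>\A00*****.exe/.dll archive files in the SVI folder) from hits elsewhere, so you can see which restore points are tainted before you purge old ones. The log format (path;threat;result) and the paths are constructed for the example and are not real AVG output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample detection lines modelled on the path reported in the thread
# (format "path;threat;result" is assumed, not a real AVG log format).
SAMPLE_LOG = """\
C:\\Program Files\\PCFriendly\\uninstall.exe;Trojan horse PSW.Generic6.ABBK;Moved to Virus Vault
C:\\System Volume Information\\_restore{AAAA-BBBB}\\RP1925\\A0327396.exe;Trojan horse PSW.Generic6.ABBK;Object is inaccessible
C:\\System Volume Information\\_restore{AAAA-BBBB}\\RP1910\\A0327001.dll;Trojan horse PSW.Generic6.ABBK;Object is inaccessible
C:\\WINDOWS\\system32\\notepad.exe;Clean
"""

# A file backed up by XP System Restore lives under
#   <drive>\System Volume Information\_restore{GUID}\RP<n>\A<digits>.<ext>
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_?restore[^\\]*\\RP(\d+)\\(A\d+\.(?:exe|dll))$",
    re.IGNORECASE,
)

@dataclass
class Detection:
    path: str
    threat: str
    restore_point: Optional[int]   # RP number, or None if outside System Restore
    archived_name: Optional[str]   # the A00*****.exe/.dll name inside the RP folder

def parse_detections(log_text: str) -> List[Detection]:
    """Parse 'path;threat;result' lines; lines whose result is 'Clean' are skipped."""
    found: List[Detection] = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 2 or parts[1].lower() == "clean":
            continue
        m = RESTORE_POINT_RE.search(parts[0])
        found.append(Detection(parts[0], parts[1],
                               int(m.group(1)) if m else None,
                               m.group(2) if m else None))
    return found

def tainted_restore_points(detections: List[Detection]) -> Dict[int, List[str]]:
    """Map each restore point number to the infected archive files found inside it."""
    tainted: Dict[int, List[str]] = {}
    for d in detections:
        if d.restore_point is not None:
            tainted.setdefault(d.restore_point, []).append(d.archived_name)
    return dict(sorted(tainted.items()))

def newest_tainted_point(detections: List[Detection]) -> Optional[int]:
    """Highest RP number containing a detection; no restore point newer than this is known clean."""
    tainted = tainted_restore_points(detections)
    return max(tainted) if tainted else None
```

Any restore point numbered at or below the value returned by newest_tainted_point should be treated as suspect; a detection with restore_point set to None (like the PCFriendly uninstaller above) is a live file that the scanner can act on directly.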