Trojan in System Volume Information

By gamc
Feb 28, 2010
  1. Hi, I have some problems with a trojan in the System Volume Information folder

    The Operating system is Windows XP SP2

    Avast 4.8 detects Signs of "Win32:Tiny-ADU [Trj]"
    in "C:\System Volume Information\_restore{481DFA92-F681-4AB6-AAED-E378EE5F009D}\RP15\snapshot\_REGISTRY_MACHINE_SOFTWARE" file.

    However when the C drive is scanned during boot there is no trojan detected.

    I have turned off system restore, rebooted and enabled system restore but avast
    keeps on detecting this trojan.

    A couple of weeks ago the PC was infected by rogue Internet Security 2010 software
    and google searches were also redirected to other websites.
    The infection was cleaned using Malwarebytes, CCleaner and Spybot Search & Destroy.
    All user installations were also cleaned (all of them in safe mode).

    Malwarebytes and Spybot do not detect any problem regarding the System Volume Information trojan detected by avast. I have also tested SuperAntiSpyware, Spyware Doctor and a Virus Removal Tool from Kaspersky.
    These tools also fail to detect the trojan in System Volume Information.

    Perhaps there is a residual infection in the PC, maybe in the file system folder:
    system32\config, the relevant software file.

    I would appreciate your help to solve this problem.

    I enclose the relevant logs. The Superantispyware log detects a threat that is due to the
    Kaspersky Virus removal tool that I installed, but neither avast nor Malwarebytes detect a problem
    for the corresponding file.

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    FYI: System Volume Information is where restore points are stored. If malware is only in the restore points, it is not active on the system. But if you should choose to do a System Restore and the date you choose has infected restore points, then you can reinfect the system. When the cleaning is completed, we have you drop the old restore points and set a new clean one. So if Avast continues to list only "System Volume", that's what it is.

    SAS found a Trojan agent in some files. That program, like Mbam, has a line to check for removal of the entries it finds. So if you checked that, they should have been removed.

    You need to consider two things:
    First, you have an extraordinary number of processes running. If all of them started on boot, they will continue to run in the background. And no matter how much RAM you have, it will slow the system down.

    Second, you need to make sure that the scans are as accurate as possible. But you have two Real Time Protection programs running. You were asked to temporarily disable these in the removal thread. So I'd like you to do that now:
    AdWatch: Ad-Aware AE Ad-Watch Live!
    • Right click on the Ad-Aware icon in the system tray.
    • Click on Disable Ad-Watch Live!
    • (Once you are clean, you can re-enable Ad-Watch Live! by clicking on Enable Ad-Watch Live!.)
    Tea Timer (in Spybot S&D):
    • Right click the TeaTimer icon in the system Tray
    • Then click Exit Spybot-S&D Resident
    • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)

    I'd like you to run this program which will list all of the security processes you're running:

    You have a large number of these processes and it is possible there are too many running at the same time. This makes it a bit easier on me instead of having to chase down every entry. Results copied to checkup.txt Please include that with your next reply.

    I'm not sure you have any malware problem, but I will have you run 2 other programs after I get this information.
  3. gamc

    gamc TS Rookie Topic Starter

    I have disabled Ad-Watch and Spybot S&D resident.
    The only security left active were Avast and Zone Alarm

    I enclose the checkup2.txt file and a fresh HijackThis log.

  4. Bobbye

    Okay, you have some overkill:

    Antivirus/Firewall Check:
    Windows Firewall Disabled! > keep disabled when using Zone Alarm.
    avast! Antivirus

    This program did not pick up this Kaspersky Virus Removal Tool
    O4 - Startup: setup_9.0.0.722_25.02.2010_22-07.lnk = C:\Documents and Settings\Gustavo Andres\Desktop\Virus Removal Tool\setup_9.0.0.722_25.02.2010_22-07\startup.exe

    This does not run in Real Time> it's for scans on Demand> I recommend you remove it as it is not necessary but is using system resources.

    Anti-malware/Other Utilities Check:
    Spyware Doctor 7.0 > okay, but I'm not big on the PC Tools
    SpywareBlaster 4.2 > Very good!
    SpyHunter> Advise uninstall
    Spybot - Search & Destroy
    SUPERAntiSpyware Free Edition > this will go when we remove the cleaning tools
    HijackThis 2.0.2

    CCleaner> use this sparingly. You might find this better> TFC

    4 Registry Cleaners! Advise uninstalling them all!
    Eusing Free Registry Cleaner
    TweakNow RegCleaner
    AML Free Registry Cleaner 4.19
    COMODO Registry Cleaner

    Adobe Flash Player 10 > okay. Keep current
    Adobe Reader 7.0.8 > please update this to v9.xx >
    Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.

    Adobe Reader Japanese Fonts > remove if you aren't using.

    In the firewall section, be sure not to use any other software firewall since you have Zone Alarm running. You can, however, use a router which will give added protection from a hardware firewall.

    You have 2 entries loading from temp files, I can't identify either of them; can you?
    O23 - Service: GAH - Sysinternals - - C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\GAH.exe
    O23 - Service: XONXFET - Sysinternals - - C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\XONXFET.exe

    You can find Sysinternals info here:

    Please run the following after you've gone through the above:
    Then please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Microsoft Windows Recovery Console, please allow.
    • If prompted to update, allow
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.

    • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    Follow with rescan from HijackThis, leave new log.
  5. gamc

    Preparing to Run ComboFix
    UnHackMe (Reanimator) loads a bootwatch anti-rootkit protection called Partizan (Greatis software)
    Do I also need to disable this?

    Do I need to install the XP Recovery Console? (When I need this I always run it from the Windows XP CD)

    The services GAH.exe and XONXFET.exe were installed after running RootkitRevealer
    The RootkitRevealer log did not show existence of Rootkit

    O23 - Service: GAH - Sysinternals - - C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\GAH.exe
    O23 - Service: XONXFET - Sysinternals - - C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\XONXFET.exe

    The services have been disabled and the files (as well as relevant registry keys) will be deleted
    when I clean the Temp folder

    In the HijackThis log why are there two entries for GoogleToolbarNotifier

    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [Power2GoExpress] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    I know that Power2GoExpress is a Cyberlink program.
    The path is wrong should I change the path to the correct one or delete the key?

    Using Zone Alarm I have not allowed GoogleToolbarNotifier or Updater to connect to the internet.

    I have uninstalled SpyHunter
    I will carry out your advice later during the clean up

  6. Bobbye

    I would encourage you to get it. Be nice to have if you lose or misplace that CD.

    Go ahead and uninstall RKR. We can remove the Services if they remain.

    Re: the Google entries> Good for you! I missed some- we both did:
    A recheck of the log actually showed 5 entries related to Google:

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [Power2GoExpress] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe>> Related to Power2GoExpress All-Media Disc Burning Software. Note: located in C:\Program Files\CyberLink\Power2Go\

    According to Google, the Google Toolbar Notifier is in the Search Settings. If this is enabled, it's supposed to 'notify' you if other software attempts to change the default search engine without your permission. If you like, the Search Settings Notifier can block these changes, keeping Google as your default search engine. In your case however, AdWatch, which runs in Real Time is going to do the same thing. So I would disable this feature:

    1. Click the Google Toolbar's wrench icon.
    2. On the Search tab, select (or deselect) the 'Set and keep Google as the default search engine' checkbox.
    3. Click Save.

    And you are correct about this entry: I don't know how it even got on the Google string. It should be removed.
    O4 - HKCU\..\Run: [Power2GoExpress] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe>> Related to Power2GoExpress All-Media Disc Burning Software. Note: located in C:\Program Files\CyberLink\Power2Go\

    About Google- an aside since most of us use this search engine:
    I find that Google is getting very pushy. I have the toolbar on both Firefox and IE. I don't use or want the 'notifier' or the 'updater' and yet every time I check my startups, both are back on. I don't like this. While I do enjoy a few of the Google Toolbar features (only 3 + Search) I am considering removing the toolbar altogether and just using the search box.

    I suggest you have HijackThis remove all 5 of these entries. Uninstall in Add/Remove Programs if there, delete program folder using Windows Explorer> Local Drive> Programs. Then if you want to reinstall the Toolbar, reload and install, using only the minimum features.

    AdWatch is still running. Please disable. Go ahead and run Combofix after you handle the Google entries, then new scan with HJT. Include reports and new logs.
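    The two O23 services loading from the Temp folder and the two Run values pointing at one GoogleToolbarNotifier.exe are exactly the kind of entries a reviewer scans a HijackThis log for by hand. Below is an added example (not Bobbye's, HijackThis's or any project's own code) of the same two checks automated in Python; the log text is constructed from the entries quoted in this thread with the user name replaced, and the `parse_hjt` and `audit_hjt` function names are the example's own.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the O4/O23 entries quoted in this thread (user name replaced).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Power2GoExpress] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: GAH - Sysinternals - - C:\DOCUME~1\USER~1\LOCALS~1\Temp\GAH.exe
O23 - Service: XONXFET - Sysinternals - - C:\DOCUME~1\USER~1\LOCALS~1\Temp\XONXFET.exe
O23 - Service: avast! Antivirus (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")          # section code, then the entry body
NAME_RE = re.compile(r"\[([^\]]+)\]")              # O4 value name in [...]
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.exe)', re.IGNORECASE)  # first .exe path, 8.3 names included
TEMP_RE = re.compile(r"\\(Temp|TEMPOR~1|Temporary Internet Files)\\", re.IGNORECASE)  # temp locations

def parse_hjt(log_text):
    """Return (section, name, path) for every O4/O23 line that carries an .exe path."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) not in ("O4", "O23"):
            continue
        section, rest = m.groups()
        path_m = PATH_RE.search(rest)
        if not path_m:
            continue
        name_m = NAME_RE.search(rest)
        # O23 lines read "Service: <name> - <company> - <path>", so the name is the first dash-separated field
        name = name_m.group(1) if name_m else rest.split(" - ")[0].replace("Service: ", "", 1)
        entries.append((section, name, path_m.group(1)))
    return entries

def audit_hjt(log_text):
    """Flag autostarts or services launched from a temp folder, and Run values sharing one target."""
    findings, by_target = [], defaultdict(list)
    for section, name, path in parse_hjt(log_text):
        if TEMP_RE.search(path):
            findings.append(("temp-folder launch", section, name, path))
        if section == "O4":
            by_target[path.lower()].append(name)
    for path, names in by_target.items():
        if len(names) > 1:
            findings.append(("duplicate run target", "O4", "/".join(names), path))
    return findings

if __name__ == "__main__":
    for finding in audit_hjt(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

    A temp-folder hit only says the entry deserves a look (here they turned out to be leftovers of a rootkit scanner), so the output is a review list, not a removal list.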
  7. gamc
    I removed Google Toolbar and Google Update (had to disable this in Services Console, HijackThis did not stop it)

    Checked all real time protection was disabled (HijackThis still reported some were running but they were really disabled).

    ComboFix removed several items. What are they?

    I enclose the ComboFix log and 3 HijackThis logs one before, one after ComboFix and one after ComboFix and after reboot.

  8. Bobbye

    Why do you think you need to keep adding these programs? There is so much overkill with security programs that conflict will be constant, the system is more- not less vulnerable and the system will be slower.

    Do you know what HitmanPro is? Hitman Pro automatically downloads, installs and runs third party anti-spyware and anti-adware programs that are freely available on the Internet- most without permission from the author of the programs. It currently has the following:
    The new version of Hitman Pro, version 3, uses:
    The scan time was very long, the program used many system resources and errors in the used third party programs could cause system instability. Hitman Pro 3 uses a white list that includes Windows system files and other (safe) files that are present on most PCs. Hitman Pro 3 also requires a license key to remove malware found on a user's computer, however it does offer a free 30-day trial.

    None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.

    So why is it that you think you need all of these programs running?
    Threat Expert
    Dr. Web
    RegCompact Pro
    Spybot - Search & Destroy
    Enigma Software Group> Spyhunter
    TweakNow RegCleaner
    Lavasoft Boot Cleaner.
    Spyware Doctor
    Virus Removal Tool(?)
    Browser Defender
    Sophos Rootkit processes: XONXFET.exe and GAH.exe

    All of the above along with the more reasonable Avast AV and ZoneAlarm Firewall
    Plus you have Application Data for each!

    Unless you're willing to let go of some of this, your system continues to be more vulnerable and cleaning it would be a full time job.

    No matter how much security you have on a system, if you do foolish things on the internet, you will get malware. If you do not practice safe handling of email and attachments, you will get malware. And to continue with the abundance of security programs you have running would be a waste of time.

    So think about it.
  9. gamc

    I have previously uninstalled the following
    Hitman Pro
    Dr Web
    Sophos Rootkit processes XONXFET and GAH
    but most likely there are registry keys with information about these items

    Recently uninstalled and cleaned
    Deleted all registry keys for XONXFET and GAH as well as google update
    Virus Removal Tool from Kaspersky

    I will uninstall Spyware Doctor today

    I have not used RegCompactPro
    nor TweakNow RegCleaner to remove anything; I have only used the second to confirm what CCleaner was doing. I have only used CCleaner to delete Internet files and cookies.
    Currently Lavasoft is not active. I only have active Zone Alarm, Avast and UnhackMe, but the real time monitor and Partizan anti-rootkit are disabled. Also TeaTimer (SpyBot) is disabled.

    Any other suggestions to clean further the system?

    By the way I have also found some of the trojan infection detected by avast 4.8 in the
    registry key

    Class Name: <NO CLASS>
    Last Write Time: 11/02/2010 - 10:06

    with three subkeys containing Binary data

    After deleting this key (and subkeys), exporting
    the MACHINE\SOFTWARE key as a hive file and scanning the hive file
    with avast no trojan was detected. Previously a trojan was detected
    by avast.
    After re-booting the key has not been re-generated.
    However a trojan is still detected by avast in the
    System Volume Information folder (even after flushing the previous restore points).
    The software hive in the system32\config folder is still
    infected. Why?

    Thanks for your help
  10. Bobbye

    I do not recall telling you to go to or do anything in the Registry. Since you have done so, I will end my support now. Combofix removed files from RegCompact Pro. My only suggestion to you now is twofold: stay out of the Registry and make sure you have a Recovery console installed.

    As for malware in the restore points, it's not active in the system.

    This thread is being closed.