Trojan in System Volume Information

Status
Not open for further replies.

gamc

Hi, I have some problems with a trojan in the System Volume Information folder.

The Operating system is Windows XP SP2

Avast 4.8 detects Signs of "Win32:Tiny-ADU [Trj]"
in "C:\System Volume Information\_restore{481DFA92-F681-4AB6-AAED-E378EE5F009D}\RP15\snapshot\_REGISTRY_MACHINE_SOFTWARE" file.

However when the C drive is scanned during boot there is no trojan detected.

I have turned off system restore, rebooted and enabled system restore but avast
keeps on detecting this trojan.

A couple of weeks ago the PC was infected by rogue Internet Security 2010 software
and google searches were also redirected to other websites.
The infection was cleaned using Malwarebytes, CCleaner and Spybot Search & Destroy.
All user installations were also cleaned (all of them in safe mode).

Malwarebytes and Spybot do not detect any problem regarding the System Volume Information trojan detected by avast. I have also tested SuperAntiSpyware, Spyware Doctor and a Virus Removal Tool from Kaspersky.
These tools also fail to detect the trojan in System Volume Information.

Perhaps there is a residual infection in the PC, maybe in the file system folder
system32\config, in the relevant SOFTWARE file.

I would appreciate your help to solve this problem.

I enclose the relevant logs. The Superantispyware log detects a threat that is due to the
Kaspersky Virus removal tool that I installed, but neither avast nor Malwarebytes detect a problem
for the corresponding file.
 

Attachments
  • mbam-log-2010-02-27 (13-26-02).txt
  • hijackthis 28-02-2010.log
  • SUPERAntiSpyware Scan Log - 02-27-2010 - 19-59-50.log

FYI: System Volume Information is where restore points are stored. If malware is only in the restore points, it is not active on the system. But if you should choose to do a System Restore and the date you choose has an infected restore point, then you can reinfect the system. When the cleaning is completed, we have you drop the old restore points and set a new clean one. So if Avast continues to list only "System Volume", that's what it is.

SAS found a Trojan agent in some files. That program, like Mbam, has a line to check for removal of the entries it finds. So if you checked that, they should have been removed.

You need to consider two things:
First, you have an extraordinary number of processes running. If all of them started on boot, they will continue to run in the background. And no matter how much RAM you have, it will slow the system down.

Second, you need to make sure that the scans are as accurate as possible. But you have two Real Time Protection programs running. You were asked to temporarily disable these in the removal thread. So I'd like you to do that now:
AdWatch: Ad-Aware AE Ad-Watch Live!
  • Right click on the Ad-Aware icon in the system tray.
  • Click on Disable Ad-Watch Live!
  • (Once you are clean, you can re-enable Ad-Watch Live! by clicking on Enable Ad-Watch Live!.)
Tea Timer (in Spybot S&D):
  • Right click the TeaTimer icon in the system tray.
  • Then click Exit Spybot-S&D Resident.
  • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy and double clicking on TeaTimer.exe.)

I'd like you to run this program which will list all of the security processes you're running:
SecurityCheck

You have a large number of these processes and it is possible there are too many running at the same time. This makes it a bit easier on me instead of having to chase down every entry. Results are copied to checkup.txt. Please include that with your next reply.

I'm not sure you have any malware problem, but I will have you run 2 other programs after I get this information.
 
Thanks

I have disabled Ad-Watch and Spybot S&D resident.
The only security left active were Avast and Zone Alarm.

I enclose the checkup2.txt file and a fresh HijackThis log.
 

Attachments
  • checkup2.txt
  • hijackthis6.log

Okay, you have some overkill:

Antivirus/Firewall Check:
Windows Firewall Disabled! > keep disabled when using Zone Alarm.
avast! Antivirus
ZoneAlarm

This program did not pick up this Kaspersky Virus Removal Tool 7.0.0.180:
O4 - Startup: setup_9.0.0.722_25.02.2010_22-07.lnk = C:\Documents and Settings\Gustavo Andres\Desktop\Virus Removal Tool\setup_9.0.0.722_25.02.2010_22-07\startup.exe

This does not run in Real Time> it's for scans on Demand> I recommend you remove it as it is not necessary but is using system resources.

Anti-malware/Other Utilities Check:
Ad-Aware
Spyware Doctor 7.0 > okay, but I'm not big on the PC Tools
SpywareBlaster 4.2 > Very good!
SpyHunter> Advise uninstall
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition > this will go when we remove the cleaning tools
HijackThis 2.0.2

CCleaner> use this sparingly. You might find this better> TFC

4 Registry Cleaners! Advise uninstalling them all!
Eusing Free Registry Cleaner
TweakNow RegCleaner
AML Free Registry Cleaner 4.19
COMODO Registry Cleaner 1.0.17.23


Adobe Flash Player 10 > okay. Keep current
Adobe Reader 7.0.8 > please update this to v9.xx >
Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.

Adobe Reader Japanese Fonts > remove if you aren't using.

In the firewall section, be sure not to use any other software firewall since you have Zone Alarm running. You can, however, use a router, which will give added protection from a hardware firewall.

You have 2 entries loading from temp files, sysinternals.com. I can't identify either of them; can you?
O23 - Service: GAH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\GAH.exe
O23 - Service: XONXFET - Sysinternals - www.sysinternals.com - C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\XONXFET.exe

You can find Sysinternals info here: http://technet.microsoft.com/en-us/sysinternals/default.aspx

Please run the following after you've gone through the above:
Then please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Microsoft Windows Recovery Console, please allow.
  • If prompted to update, allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Follow with rescan from HijackThis, leave new log.
 
Preparing to Run ComboFix
UnHackMe (Reanimator) loads a bootwatch anti-rootkit protection called Partizan (Greatis software)
Do I also need to disable this?

Do I need to install the XP Recovery Console? (When I need this I always run it from the Windows XP CD)


The services GAH.exe and XONXFET.exe were installed after running RootkitRevealer
The RootkitRevealer log did not show existence of Rootkit

O23 - Service: GAH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\GAH.exe
O23 - Service: XONXFET - Sysinternals - www.sysinternals.com - C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\XONXFET.exe

The services have been disabled and the files (as well as relevant registry keys) will be deleted
when I clean the Temp folder


In the HijackThis log, why are there two entries for GoogleToolbarNotifier?

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Power2GoExpress] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

I know that Power2GoExpress is a Cyberlink program.
The path is wrong; should I change the path to the correct one or delete the key?

Using Zone Alarm I have not allowed GoogleToolbarNotifier or Updater to connect to the internet.

I have uninstalled SpyHunter.
I will carry out your advice later during the clean up

Thanks
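The two things the thread flags in the HijackThis log, services running from a Temp directory (the O23 GAH/XONXFET lines) and one executable registered under two Run value names (the Power2GoExpress entry pointing at GoogleToolbarNotifier), can be checked mechanically. The script below is an added example, not a tool from this thread; the sample lines are copied from the posts above except the avast service line, which is constructed for contrast, and the rule names are my own.

```python
"""Triage HijackThis O4/O23 entries for two patterns discussed in the thread:
(1) a service or autorun executable living under a Temp directory, and
(2) the same executable registered under more than one autorun value name."""
import ntpath
import re

# Constructed sample: the O4/O23 lines quoted in the thread, plus one benign
# avast service line added here for contrast (assumed, not from the real log).
HJT_SAMPLE = r"""
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Power2GoExpress] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O23 - Service: GAH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\GAH.exe
O23 - Service: XONXFET - Sysinternals - www.sysinternals.com - C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\XONXFET.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.IGNORECASE)


def exe_from_command(cmd):
    """Return the executable path from a Run command line (quoted or not)."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)).strip() if m else cmd.strip()


def parse_entries(text):
    """Yield (section, name, exe_path) for every O4 and O23 line."""
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            yield "O4", m["name"], exe_from_command(m["cmd"])
        elif line.startswith("O23 - Service: "):
            rest = line[len("O23 - Service: "):]
            name, _, remainder = rest.partition(" - ")
            # the vendor field may itself contain " - ", so split the path off the right
            _vendor, _, path = remainder.rpartition(" - ")
            yield "O23", name, path.strip()


def triage(text):
    """Return a sorted list of (rule, name, detail) findings."""
    findings = []
    seen = {}  # normalised exe path -> first autorun value name that used it
    for section, name, exe in parse_entries(text):
        norm = ntpath.normcase(exe)  # lower-case, backslashes; works on any OS
        if "\\temp\\" in norm or "\\tmp\\" in norm:
            findings.append(("temp-path", name, exe))
        if section == "O4":
            if norm in seen:
                findings.append(("duplicate-target", name, f"same exe as [{seen[norm]}]"))
            else:
                seen[norm] = name
    return sorted(findings)


if __name__ == "__main__":
    for rule, name, detail in triage(HJT_SAMPLE):
        print(f"{rule:17} {name:16} {detail}")
```

Running it on the sample reports the Power2GoExpress duplicate and the two Temp-resident services, and stays silent on the avast line.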
 
UnHackMe (Reanimator) loads a bootwatch anti-rootkit protection called Partizan (Greatis software). Do I also need to disable this?
Yes.
Do I need to install the XP Recovery Console? (When I need this I always run it from the Windows XP CD)
I would encourage you to get it. It would be nice to have if you lose or misplace that CD.

Go ahead and uninstall RKR. We can remove the Services if they remain.

Re: the Google entries> Good for you! I missed some- we both did:
A recheck of the log actually showed 5 entries related to Google:


O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Power2GoExpress] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe>> Related to Power2GoExpress All-Media Disc Burning Software. Note: located in C:\Program Files\CyberLink\Power2Go\


According to Google, the Google Toolbar Notifier is in the Search Settings. If this is enabled, it's supposed to 'notify' you if other software attempts to change the default search engine without your permission. If you like, the Search Settings Notifier can block these changes, keeping Google as your default search engine. In your case however, AdWatch, which runs in Real Time, is going to do the same thing. So I would disable this feature:

1. Click the Google Toolbar's wrench icon.

2. On the Search tab, select (or deselect) the 'Set and keep Google as the default search engine' checkbox.
3. Click Save.

And you are correct about this entry: I don't know how it even got on the Google string. It should be removed.
O4 - HKCU\..\Run: [Power2GoExpress] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe>> Related to Power2GoExpress All-Media Disc Burning Software. Note: located in C:\Program Files\CyberLink\Power2Go\

About Google- an aside since most of us use this search engine:
I find that Google is getting very pushy. I have the toolbar on both Firefox and IE. I don't use or want the 'notifier' or the 'updater' and yet every time I check my startups, both are back on. I don't like this. While I do enjoy a few of the Google Toolbar features (only 3 + Search) I am considering removing the toolbar altogether and just using the search box.

I suggest you have HijackThis remove all 5 of these entries. Uninstall in Add/Remove Programs if there, delete the program folder using Windows Explorer> Local Drive> Programs. Then if you want to reinstall the Toolbar, reload and install, using only the minimum features.

AdWatch is still running. Please disable. Go ahead and run Combofix after you handle the Google entries, then new scan with HJT. Include reports and new logs.
 
Hi

I removed Google Toolbar and Google Update (had to disable this in Services Console, HijackThis did not stop it)

Checked all real time protection was disabled (HijackThis still reported some were running but they were really disabled).

ComboFix removed several items. What are they?

I enclose the ComboFix log and 3 HijackThis logs: one before ComboFix, one after ComboFix and one after ComboFix and reboot.

Thanks
 

Attachments
  • ComboFix.txt
  • hijackthis after ComboFix after reboot.log
  • hijackthis after ComboFix before reboot.log
  • hijackthis before ComboFix.log

Why do you think you need to keep adding these programs? There is so much overkill with security programs that conflict will be constant, the system is more- not less vulnerable and the system will be slower.

Do you know what HitmanPro is? Hitman Pro automatically downloads, installs and runs third party anti-spyware and anti-adware programs that are freely available on the Internet- most without permission from the author of the programs. It currently has the following:
The new version of Hitman Pro, version 3, uses:
  • NOD32 Antivirus
  • Avira AntiVir
  • Prevx
  • G DATA Anti-Virus
  • a-squared Anti-Malware
Virus scanners are not installed on the local computer, but in the scan cloud on Internet
Unlimited free scanning and free 30-day version to remove detected malware

While the scans with Hitman are free, removal of the malware can only be done within the 30-day trial. So it costs to remove anything after the 30-day trial is over. But you can run any of the included 5 programs and scan and remove for free!

Earlier versions had the following:

  • Eset NOD32 antivirus system (trial, expires in 30 days)
  • Webroot Spy Sweeper (trial, expires in 7 days)
  • PC tools Spyware doctor (demo, will not clean anything)
  • Lavasoft AdAware SE (freeware)
  • Safer Networking Spybot - Search & Destroy (freeware)
  • TrendMicro CWShredder (freeware)
  • JavaCool Software SpywareBlaster (freeware)
  • McAfee VirusScan SuperDAT (virus signature definition updates, McAfee PrimeSupport license required for qualifying product)
  • Ewido Micro Scanner (freeware)(AVG)

The scan time was very long, the program used many system resources and errors in the used third party programs could cause system instability. Hitman Pro 3 uses a white list that includes Windows system files and other (safe) files that are present on most PCs. Hitman Pro 3 also requires a license key to remove malware found on a user's computer; however, it does offer a free 30-day trial.

None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.

So why is it that you think you need all of these programs running?
Threat Expert
AdAware/AdWatch
HitManPro
Dr. Web
RegCompact Pro
Spybot - Search & Destroy
Enigma Software Group> Spyhunter
TweakNow RegCleaner
Lavasoft Boot Cleaner.
UnHackMe
Spyware Doctor
Virus Removal Tool(?)
Browser Defender
Sophos Rootkit processes: XONXFET.exe and GAH.exe


All of the above along with the more reasonable Avast AV and ZoneAlarm Firewall
Plus you have Application Data for each!

Unless you're willing to let go of some of this, your system continues to be more vulnerable and cleaning it would be a full time job.

No matter how much security you have on a system, if you do foolish things on the internet, you will get malware. IF you do not practice safe handling of email and attachments, you will get malware. And to continue with the abundance of security programs you have running would be a waste of time.

So think about it.
 
I have previously uninstalled the following
Hitman Pro
Dr Web
SpyHunter
Sophos Rootkit processes XONXFET and GAH
but most likely there are registry keys with information about these items



Recently uninstalled and cleaned
Deleted all registry keys for XONXFET and GAH as well as google update
Virus Removal Tool from Kaspersky

I will uninstall Spyware Doctor today

I have not used RegCompactPro
nor TweakNow RegCleaner to remove anything. I have only used the second to confirm what CCleaner was doing. I have only used CCleaner to delete Internet files and cookies.
Currently Lavasoft is not active. I only have active Zone Alarm, Avast and UnhackMe, but the real time monitor and Partizan anti-rootkit are disabled. Also TeaTimer (SpyBot) is disabled.

Any other suggestions to clean further the system?

By the way I have also found some of the trojan infection detected by avast 4.8 in the
registry key

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Y5IQNZ80Y
Class Name: <NO CLASS>
Last Write Time: 11/02/2010 - 10:06

with three subkeys containing Binary data
PJ1
8UPJ1
Y5IQNZ80Y

After deleting this key (and subkeys), exporting
the MACHINE\SOFTWARE key as a hive file and scanning the hive file
with avast no trojan was detected. Previously a trojan was detected
by avast.
After re-booting the key has not been re-generated.
However a trojan is still detected by avast in the
System Volume Information folder (even after flushing the previous restore points).
The software hive in the system32\config folder is still
infected. Why?

Thanks for your help
 
I do not recall telling you to go to or do anything in the Registry. Since you have done so, I will end my support now. Combofix removed files from RegCompact Pro. My only suggestion to you now is twofold: stay out of the Registry and make sure you have a Recovery console installed.

As for malware in the restore points, it's not active in the system.

This thread is being closed.
 