Author Topic: Yet another Win32 Trojan-gen, cannot move to chest problem

HeartyHar

  • Guest
Yet another Win32 Trojan-gen, cannot move to chest problem
« on: February 02, 2009, 09:27:25 PM »
Hello David (or other admin.),

I'm having the same problem as some of the others here, it seems. The files in question are:

(C)G:\SystemVolumeInformation\...\binary.ToolbarInstallerEXE

and

(C)G:\WINDOWS\Installer\4eb8a4c.msi\Binary.ToolbarInstallerEXE

- I am following you up to the point of "navigate to the location of the file", as I can't find the path G:\WINDOWS\Installer or the file name 4eb8a4c.msi by looking in the G:\WINDOWS folder or doing a search on local drives. Also, I believe the SystemVolumeInformation folder is locked, but I can't find that anyway.

I'm going to run the boot time scan now, and hopefully that will fix the problem. Deleting all the restore points seems like a drastic and slightly crazy thing to do. If I were writing viruses, that would be exactly what I wanted people to do. 

Thanks for any help.
Stephen

P.S. Is this a relatively new virus, hence all the recent posts?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89258
  • No support PMs thanks
Re: Yet another Win32 Trojan-gen, cannot move to chest problem
« Reply #1 on: February 02, 2009, 10:24:27 PM »
I'm not entirely confident that the boot-time scan would be able to extract the suspect file from within the .msi file.

Not so much a relatively new 'virus' (wrong term, this isn't a virus) but a trojan detected using a generic signature. The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and it is a fine balance between detecting a new variant and detecting something valid as infected.

Personally I'm unsure of this one, considering some of these are supposedly from Google, but there is no easy way to extract the suspect file from within the :\WINDOWS\Installer\4eb8a4c.msi file. I do also get the shivers when I see these really meaningful names (NOT), as malware commonly uses randomly generated file names.

You could try to upload the :\WINDOWS\Installer\4eb8a4c.msi file to VirusTotal for scanning if it isn't too big (how big is it?), as there is a 10MB limit.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
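DavidR's remark that there is no easy way to pull the suspect file out of the cached .msi deserves a worked answer. The script below is an added example, not code from the thread, from avast or from VirusTotal: it uses the Windows Installer automation object (WindowsInstaller.Installer, present on any Windows with the Installer service) to read every row of the package's Binary table, which is where streams avast reports as <package>.msi\Binary.<Name> live, writes each blob into the exclusion folder from the post above and prints its SHA-256 so the hash can be searched on VirusTotal before deciding whether to upload the whole package. The .msi path and output folder are parameters chosen by the caller; C:\Suspect is assumed to be the same folder already excluded from the Standard Shield, otherwise the on-access scanner will alert on the write.

```powershell
# Added example (not from the thread): export the Binary table of an MSI package
# and hash each blob, so a file avast flags as <pkg>.msi\Binary.<Name> can be
# checked on VirusTotal. Assumes $OutDir is already excluded from on-access
# scanning (the thread's C:\Suspect); both parameters are the caller's choice.
param(
    [Parameter(Mandatory = $true)][string]$MsiPath,
    [string]$OutDir = 'C:\Suspect'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The Installer object exposes no type library to PowerShell's COM adapter, so
# every call is late-bound through Reflection.InvokeMember.
function Invoke-MsiMember($Object, [string]$Name, [string]$Kind, $ArgList) {
    return $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $ArgList)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
# 0 = msiOpenDatabaseModeReadOnly: inspect the suspect package without touching it
$db   = Invoke-MsiMember $installer 'OpenDatabase' 'InvokeMethod' @((Resolve-Path $MsiPath).Path, 0)
$view = Invoke-MsiMember $db 'OpenView' 'InvokeMethod' @('SELECT `Name`, `Data` FROM `Binary`')
Invoke-MsiMember $view 'Execute' 'InvokeMethod' $null | Out-Null

# 1 = msiReadStreamBytes: each byte comes back in the low byte of a WCHAR, and a
# Latin-1 (code page 28591) re-encode maps U+0000..U+00FF to 0x00..0xFF losslessly.
$latin1 = [System.Text.Encoding]::GetEncoding(28591)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$results = @()
while ($true) {
    $rec = Invoke-MsiMember $view 'Fetch' 'InvokeMethod' $null
    if ($null -eq $rec) { break }                      # Fetch returns Nothing after the last row
    $name  = Invoke-MsiMember $rec 'StringData' 'GetProperty' @(1)
    $size  = Invoke-MsiMember $rec 'DataSize'   'GetProperty' @(2)
    $raw   = Invoke-MsiMember $rec 'ReadStream' 'InvokeMethod' @(2, [int]$size, 1)
    $bytes = $latin1.GetBytes($raw)

    # Keep the package's own name for the blob, but neutralise path separators and
    # give it a .bin extension so an accidental double-click does not run it.
    $safe = $name -replace '[^A-Za-z0-9._-]', '_'
    $dest = Join-Path $OutDir ("Binary.{0}.bin" -f $safe)
    [System.IO.File]::WriteAllBytes($dest, $bytes)

    $hash = ([System.BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
    $results += New-Object PSObject -Property @{
        Name = $name; Size = $bytes.Length; SHA256 = $hash; Exported = $dest
    }
}
Invoke-MsiMember $view 'Close' 'InvokeMethod' $null | Out-Null
$results | Select-Object Name, Size, SHA256, Exported | Format-Table -AutoSize
```

Save it under a name of your choosing (Export-MsiBinary.ps1 is a hypothetical one) and run it from a PowerShell prompt as `.\Export-MsiBinary.ps1 -MsiPath G:\WINDOWS\Installer\4eb8a4c.msi`. Two things explain why the file was hard to find by hand: %WINDIR%\Installer is a hidden system folder, so Explorer and an ordinary search skip it unless hidden and protected operating-system files are shown (`Get-ChildItem -Force G:\WINDOWS\Installer -Filter *.msi` lists it), and the copy under System Volume Information is a restore point's snapshot of that same cached package, so extracting from the live one is enough. Searching VirusTotal for the printed hash shows whether the blob is already known before anything is uploaded, which also sidesteps the 10MB limit on the whole package.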

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU

HeartyHar

  • Guest
Re: Yet another Win32 Trojan-gen, cannot move to chest problem
« Reply #3 on: February 03, 2009, 12:25:56 AM »
Hi David,
Thanks very much for your reply. I ran the boot-time scan and, as you guessed, the suspect file could not be removed at the end of that process. It did give me the full file extension, though. You were also right that it was (apparently) from Google. I'm going to wait for the next AVS update and, if that doesn't fix the possible false positive, I'll upload the file to VirusTotal as per your instructions. I will post any results I find here.
Cheers,
Stephen

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89258
  • No support PMs thanks
Re: Yet another Win32 Trojan-gen, cannot move to chest problem
« Reply #4 on: February 03, 2009, 01:12:20 AM »
No problem, glad I could help.

No need to wait: ensure you have the latest VPS version (right click the avast 'a' icon, select Updating, iAVS Update) and scan the Windows folder again.

Welcome to the forums.