Author Topic: Virus & decompression bomb  (Read 6696 times)

g105b

  • Guest
Virus & decompression bomb
« on: January 30, 2007, 01:08:26 PM »
Hi there, my other computer in the house received a lot of virus warnings the other day.

I had a trojan and some other things, so I scheduled a boot time scan. The boot time scan didn't find all the viruses however, because after it booted up, I was receiving warnings again.

I booted into safe mode to perform a scan. Avast found the viruses and deleted them. There was also an archive that it was unable to scan - I knew what it was, and didn't need it, so I deleted it.

However, the last item in the list was called a "decompression bomb" and it was located in a place on my hard drive that I am unfamiliar with.

Here is the path of the file (note that the E drive does not contain the folder mentioned):
E:\System Volume Information\_restore{A2DF8360-4853-45B9-B89A-51D7E4D4A1BE}\RP162\S0044977.Acl\EXCEL.EXE

What is this mysterious folder on my E drive, and what's with excel being there as a "bomb"? I'm leaving my computer in safe mode, not touching it, until someone replies to this post and I can get rid of the file if necessary.

Thanks in advance,
 - Greg.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Virus & decompression bomb
« Reply #1 on: January 30, 2007, 01:29:12 PM »
> I was receiving warnings again.

If a virus keeps replicating (coming back again and again), you should:

1) Enable/Disable System restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k.

2) Clean your temporary files. You can use the Windows Advanced Care features for that.

3) Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).

4) It will be good if you download, install, update and run other trojan remover tools: a-squared and/or Free AVG Antispyware (trojan removers). Some users recommend SUPERantispyware or Spyware Terminator.

5) Use the immunization of Windows Advanced Care features of spyware/adware cleaning and removal.

> However, the last item in the list was called a "decompression bomb" and it was located in a place on my hard drive that I am unfamiliar with.

A decompression bomb is a file that may be rather small, but decompresses to an enormous amount of data (when processed as a packed archive). Such files are not malicious per se, but they may block an antivirus program when it tries to scan them.
This kind of file is rather hard to detect (and avoid) precisely - so, it is possible that there are some false alarms. It's not a big problem in this case, however - the "decompression bomb" announcement actually means something like "The file has a very high, maybe even suspicious, compression ratio and the AV is not going to scan the archive content".

I'd suggest ignoring these files.
But you can change values in the avast4.ini file to configure how avast should work with these files.
Click 'Settings' in my signature for more info  ;)

> Here is the path of the file (note that the E drive does not contain the folder mentioned):
> E:\System Volume Information\_restore{A2DF8360-4853-45B9-B89A-51D7E4D4A1BE}\RP162\S0044977.Acl\EXCEL.EXE

Maybe it's just hidden...
Follow the rule number 1 as I've posted above.
The best things in life are free.
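
The ratio check described in the reply above, as an added example that is not part of the original posts and is not avast's code: it judges a ZIP archive from its directory metadata alone, then enforces a hard cap while actually decompressing, since declared sizes can be forged. The thresholds, function names and sample archives are assumptions constructed for this illustration.

```python
import io
import zipfile

# Assumed thresholds for illustration only; they are not avast's values.
MAX_RATIO = 100            # uncompressed/compressed ratio treated as suspicious
MAX_TOTAL_BYTES = 1 << 20  # refuse archives that claim to expand past 1 MiB
CHUNK = 64 * 1024


def inspect_archive(data: bytes) -> dict:
    """Judge an archive from its directory metadata, without decompressing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        total = sum(i.file_size for i in infos)
        packed = sum(i.compress_size for i in infos) or 1
    ratio = total / packed
    return {"declared_bytes": total, "ratio": ratio,
            "suspicious": ratio > MAX_RATIO or total > MAX_TOTAL_BYTES}


def bounded_read(data: bytes, name: str, limit: int = MAX_TOTAL_BYTES) -> bytes:
    """Decompress one member in chunks; the cap applies to real output."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        while chunk := member.read(CHUNK):
            out += chunk
            if len(out) > limit:
                raise ValueError(f"{name}: output exceeds {limit} bytes, aborting")
    return bytes(out)


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: ordinary text, and 4 MiB of zero bytes.
NORMAL = make_zip("notes.txt", b"quarterly figures, row by row\n" * 20)
DENSE = make_zip("zeros.bin", b"\x00" * (4 << 20))

if __name__ == "__main__":
    for label, blob in (("normal", NORMAL), ("dense", DENSE)):
        print(label, len(blob), inspect_archive(blob))
```

A legitimate file with long runs of identical bytes trips the same ratio test, which is the false-alarm case the reply mentions.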