Author Topic: Win32:Trojan-gen {Other} in System Volume Information folder


Offline mallomar

  • Jr. Member
  • **
  • Posts: 23
I'm using avast! 4.8 home edition. XP, SP2. AFAIK, it's up to date -- I always run the updates when the update alert pops up.

Today I received the warning that Win32:Trojan-gen {Other} was found in:

K:\System Volume Information\_restore{5B6D38E2-8C2E-4D3A-958E-0837C45A63FD}\RP1356\A0272267.exe

FWIW, my K drive is an external drive used for backups only. I use DriveImage to back up my data files to the K drive.

I didn't take any action when the warning popped up. Normally, I'd just delete the file, but although I am not a technical person, I know better than to fool with the System Volume Information folder!

What should I do?

TIA!


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:Trojan-gen {Other} in System Volume Information folder
« Reply #1 on: July 28, 2008, 09:20:05 AM »
Send the file to VirusTotal and then to avast! if it turns out to be a false positive.

http://forum.avast.com/index.php?board=2;action=display;threadid=7779

If it's a real detection, bear in mind the infected file could be restored if you ever use that restore point.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Waarluaken

  • Guest
Re: Win32:Trojan-gen {Other} in System Volume Information folder
« Reply #2 on: July 28, 2008, 08:12:59 PM »
I had pretty much the same problem. You could try disabling system restore, then re-enabling it afterward.

Offline mallomar

  • Jr. Member
  • **
  • Posts: 23
Re: Win32:Trojan-gen {Other} in System Volume Information folder
« Reply #3 on: July 28, 2008, 10:37:46 PM »
How would I send the file to Virus Total? It's in the System Volume Information folder, so I get "access is denied" if I click on it. How can I get at the specific file?

If I disable system restore, isn't that going to turn it off for my entire system, not just the K: drive? And will it wipe out my restore points on my other drives? Although to be honest, I don't know what restore points are. I'm assuming they restore my system to an earlier state and would be used only in catastrophic circumstances. Since I do regular DriveImages, I'm not sure I'd use restore points, but I don't know enough about it (well, I don't know ANYTHING about it) to determine if restore points would be more useful.

What if I reformat my K drive? Since the files are just backups, I can move the backup files to another drive and reformat K. It's a Seagate and there are some Seagate files on it (warranty, EULA, etc.), but I don't think there's anything special about the drive that would preclude my reformatting it.


wyrmrider

  • Guest

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!

Offline mallomar

  • Jr. Member
  • **
  • Posts: 23
Re: Win32:Trojan-gen {Other} in System Volume Information folder
« Reply #6 on: July 28, 2008, 11:35:32 PM »
I already have enabled:

"display contents of system folders"

"show hidden files and folders"

and I UNchecked

"hide protected operating system files"

I can see the System Volume Information folder, but the icon is dimmed, and I cannot open the folder, copy it, or attach it to an e-mail.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!

Offline mallomar

  • Jr. Member
  • **
  • Posts: 23
Re: Win32:Trojan-gen {Other} in System Volume Information folder
« Reply #8 on: July 29, 2008, 05:29:53 AM »
Thanks for the MSKB link. That worked.

I submitted the file to Virus Total, but I'm not sure I understand what the analysis report means. Apparently 20 out of 32 virus scanners found some sort of cooties in the file -- there were several different names (of malware) listed. But Avast! was blank. (I've saved the report.)

So what does this mean, and what should I do next?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:Trojan-gen {Other} in System Volume Information folder
« Reply #9 on: July 29, 2008, 08:28:01 AM »
It means the file probably really was a malware file.

Your options are: let avast! delete the file and break that restore point.

Ignore the detections and wait for that restore point to get destroyed as new ones are created. Bear in mind that if you ever use that restore point, you will possibly restore live malware.

Create a new, clean restore point and get rid of all the old ones, including the infected one. Here's how:

Create a clean restore point then delete all previous infected restore points
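As an added example (not from this thread, avast! or VirusTotal), a small Python triage helper that pulls apart a detection path of the shape quoted in the first post and combines it with a detections-out-of-engines ratio like the 20/32 reported above, returning the verdict and the restore-point-aware action described in this reply. The function and class names, and the 50% threshold, are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Path shape reported in this thread (Windows XP System Restore layout):
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\A<digits>.<ext>
# Everything under RP<n> is System Restore's saved copy of a changed file,
# not the live file, so a hit there means "snapshot n still holds it".
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{"
    r"(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\\"
    r"RP(?P<rp>\d+)\\(?P<file>A\d+\.[A-Za-z0-9]+)$"
)

@dataclass(frozen=True)
class RestoreHit:  # assumed name for this example
    drive: str
    guid: str
    restore_point: int
    file: str

def parse_restore_path(path: str) -> Optional[RestoreHit]:
    """Split a detection path into its restore-point parts, or return None
    when the path is not inside a System Restore snapshot."""
    m = RESTORE_RE.match(path)
    if m is None:
        return None
    return RestoreHit(m["drive"].upper(), m["guid"].upper(), int(m["rp"]), m["file"])

def triage(path: str, detections: int, engines: int) -> dict:
    """Combine the path with a multi-engine detection ratio and say what the
    hit is and which action keeps it from being restored later. The 0.5
    threshold is an assumption chosen for this example, not a vendor rule."""
    hit = parse_restore_path(path)
    ratio = detections / engines if engines else 0.0
    if ratio >= 0.5:
        verdict = "likely malware"
    elif detections == 0:
        verdict = "clean by all engines"
    else:
        verdict = "ambiguous, treat as suspect"  # a few hits may be heuristics only
    if hit is None:
        action = "live file: quarantine with the scanner and check where it came from"
    else:
        action = (f"snapshot copy in RP{hit.restore_point} on {hit.drive}: "
                  "letting the scanner delete it breaks only that restore point; "
                  "to flush every old snapshot, make a fresh restore point and remove the rest")
    return {"verdict": verdict, "ratio": ratio, "restore_hit": hit, "action": action}
```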

Offline mallomar

  • Jr. Member
  • **
  • Posts: 23
Re: Win32:Trojan-gen {Other} in System Volume Information folder
« Reply #10 on: July 29, 2008, 09:02:06 AM »
Letting Avast! delete the file and break the restore point sounds fine to me. The file date is October 2007. It's in a folder with hundreds of font files and more .exe files (some as large as 50 MB). No idea what they are. But since this disk has been used only for backups, I'd never bother to restore it. If anything went haywire with the drive, I'd just reformat it (or replace it).

How did the file get infected in the first place? Did I back up an infected file (which would have since been deleted) that in turn caused an infected restore point to be created?

Avast! didn't find any other infected files, just that restore point.

I still don't quite understand how restore points work. I have two folders in System Volume Information, one dated Oct 07 and the other dated July 08. Each has several subfolders, all of which contain just a couple of files, except for the subfolder that contains the infected file and hundreds of other files.

Anyway, if letting Avast! make that restore point walk the plank solves the problem, I'll be happy.

Offline mallomar

  • Jr. Member
  • **
  • Posts: 23
Re: Win32:Trojan-gen {Other} in System Volume Information folder
« Reply #11 on: August 04, 2008, 07:02:49 AM »
I let Avast! delete the infected restore point file, and nothing bad happened, so I'm happy.

Thanks to everyone for the help.