Topic: what to do if a trojan is found in system restore?

DavidR
Re: what to do if a trojan is found in system restore?
« Reply #30 on: October 08, 2009, 04:30:27 PM »
Based on the fact that it is detecting a .log file alone, which is an inert text file format, I would say it was a false positive by MBAM (which is supported by the VT results). Now that the FP has been corrected, it is no longer detected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

samnetx (Guest)
Re: what to do if a trojan is found in system restore?
« Reply #31 on: October 10, 2009, 12:51:23 PM »
Trojan.Downloader was found again while scanning all files with SuperAntispyware.
I scanned with SAS, with MBAM protection and the avast resident shields all turned on, and it was detected this time (with three scanners running at the same time).

Earlier it was not detected by scanning all files with avast and MBAM protection turned on (not detected using two scanners at the same time).

View the images of detection.

I have quarantined this; what should I do next about it?

samnetx
« Last Edit: October 10, 2009, 12:56:31 PM by samnetx »

DavidR
Re: what to do if a trojan is found in system restore?
« Reply #32 on: October 10, 2009, 05:31:44 PM »
Well, you have to start doing the analysis of what is going on on 'your' system, as only you know how it might have got there:

So, do you have HijackThis installed?
Is C:\logs the folder you chose to store your HijackThis logs in, and did you call the file hijackthis.log?
If these are true then there should be no problem.

If any of them aren't true then you should delete the file and be done with it. This is especially true if this file is regenerated after previously having been removed in the MBAM scan and you haven't run HijackThis since that scan.

However, I'm still highly suspicious of the detection as a .log file is a text file and as such not a process attempting to start (as the first image states).

All of the above however, is a moot point as this really should be reported on the MBAM forums as we can't do anything about possible false positive detections. So if the false positive isn't corrected then you will continually get this detection.

samnetx (Guest)
Re: what to do if a trojan is found in system restore?
« Reply #33 on: October 11, 2009, 04:58:17 PM »
Yes, I have HijackThis installed.
Yes, C:\logs is the folder I chose to store HijackThis logs in, and I called the file hijackthis.log.

The file HijackThis.log was present in this folder before Quarantine and it was uploaded to avast forum.

edit:
Previously, the log file in which Trojan.Downloader was found was restored to the folder C:\Program Files\Trend Micro\HijackThis (in which HijackThis is installed) and deleted afterwards. This is a new log file, in C:\logs, in which Trojan.Downloader is found; this file was not detected earlier with three scanners running at the same time.

I have deleted the recently quarantined file.

samnetx
« Last Edit: October 11, 2009, 10:03:23 PM by samnetx »

DavidR
Re: what to do if a trojan is found in system restore?
« Reply #34 on: October 11, 2009, 05:15:05 PM »
Then you need to report this as a probable false positive on the MBAM forums, so they can correct the detection.

What is strange is that this only seems to affect the resident version (paid or trial) of MBAM, as I retain a number of my HJT log files and they aren't detected when I do on-demand scans with the free version of MBAM (no resident).

I don't know if the detection happens when you actually run HJT and then save the log, as there is little information in your post as to exactly when this detection/alert happens.

YoKenny (Guest)
Re: what to do if a trojan is found in system restore?
« Reply #35 on: October 11, 2009, 06:44:19 PM »
@samnetx

The default path for HijackThis is:
C:\Program Files\Trend Micro\HijackThis

MBAM is suspicious of things stored in the root Folder that should not be there:
http://pcsupport.about.com/od/termsr/g/rootfolder.htm

DavidR
Re: what to do if a trojan is found in system restore?
« Reply #36 on: October 11, 2009, 07:38:14 PM »
That may be the default location for HJT, but it isn't for the .log, which you can place anywhere. The problem is not that simple, as MBAM seems to think that the .log file is attempting to start and has blocked all execution attempts from this process, which is plainly rubbish as a .log file is a text file and can't start/execute anything; expand the first image in Reply #31 above.

Check again and you will see nothing is stored in the root folder but the C:\Logs\ folder.

MBAM I fear has got it wrong in this case and they need to investigate it.

samnetx (Guest)
Re: what to do if a trojan is found in system restore?
« Reply #37 on: October 11, 2009, 08:36:37 PM »
Quote
I don't know if the detection happens when you actually run HJT and then save the log, as there is little information in your post as to exactly when this detection/alert happens.

This detection does not happen when I actually run HJT and then save the log.
This detection by MBAM only happened on previously saved logs from the last three months (detected only when running three scanners: SAS scanning all files, MBAM Protection and avast shields turned on; that is when this alert happens). It was not detected by scanning with avast and MBAM Protection turned on (not detected using two scanners at the same time).

The first time it was detected in the HijackThis folder in Program Files; that log was saved a month ago. Then I restored it and posted the result shown by VirusTotal, which was clean, and then deleted that log file.

The second time it was detected in the C:\logs folder; that log was saved three months ago. This file was not detected as infected in the first scan using three scanners at the same time (scanning with SAS, MBAM Protection and avast at the same time).

Both files were from the same HijackThis Software installed four months ago.

samnetx
« Last Edit: October 11, 2009, 10:13:05 PM by samnetx »

Shubham (Guest)
Re: what to do if a trojan is found in system restore?
« Reply #38 on: October 11, 2009, 08:57:44 PM »
Quote
there are trojans found in my system restore when i scanned my drive from avast home edition
the name of trojans are

win32: Swizzor [trj]
win32: Trojan-gen {other}
win32: Agent-EID [trj]
win32: Spyware-gen [trj]

what to do next?

Move them to chest

samnetx (Guest)
Re: what to do if a trojan is found in system restore?
« Reply #39 on: October 16, 2009, 08:52:22 PM »
Another detection of Trojan.Downloader was found on my office computer (detected only when running three scanners: SAS scanning all files, with MBAM Protection and avast shields turned on). I take files from my home computer to my office computer regularly. I think it was transferred from my home computer to the office computer during a file transfer. This time it was detected in the DOS version of FOXPRO, which I never used. The detected file was something like 12345678.tmp; the extension of the file was .tmp (a temporary file of the DOS version of FOXPRO) on Windows XP SP2. I use this computer only for work, and it has no internet connection or screen capture software, unlike my home computer.

samnetx

« Last Edit: October 16, 2009, 08:56:58 PM by samnetx »

samnetx (Guest)

Re: what to do if a trojan is found?
« Reply #40 on: October 18, 2009, 03:56:49 PM »
Trojan and other malware were detected by Microsoft Security Essentials (full scan with archive scanning turned on). These Trojans and other malware are not detected by avast, MBAM and SAS. All of these were active in my computer when detected by MSE. All these detections are found in .exe, .rar and .zip files (in the system restore folder and download folder); all have active status as shown by MSE.

View the image of detections

I have quarantined all of them by not selecting the recommended option by MSE.

samnetx
« Last Edit: October 18, 2009, 04:00:13 PM by samnetx »

DavidR
Re: what to do if a trojan is found in system restore?
« Reply #41 on: October 18, 2009, 05:56:22 PM »
I'm afraid the image is not very useful as it doesn't give the file names or locations, so we're having to take MSE's word for it and I never do that.

So as always I would suggest confirmation of the detections at virustotal.

samnetx (Guest)
Re: what to do if a trojan is found in system restore?
« Reply #42 on: October 18, 2009, 09:51:47 PM »
1. PWS:Win32/Fignotok.A
Category: Password Stealer

Description: This program is dangerous and captures user passwords.

Recommendation: Remove this software immediately.

Items:
containerfile:C:\System Volume Information\_restore{C2C689FC-6E64-4B37-BADC-F42CE2090FC5}\RP3\A0007367.exe
file:C:\System Volume Information\_restore{C2C689FC-6E64-4B37-BADC-F42CE2090FC5}\RP3\A0007367.exe->(WExtract)->NEO0~1.EXE

http://www.virustotal.com/analisis/208312dc739116cd01e8a54a792129122e6d1bdd172d54b024c3986768c8f39b-1255883644

2. TrojanClicker:Win32/Yabector.gen
Category: Trojan Notifier

Description: This program connects to the Internet in the background.

Recommendation: Remove this software immediately.

Items:
containerfile:C:\Download\Sound\dxplayer_setup.exe
file:C:\Download\Sound\dxplayer_setup.exe->(inno#000007)->(nsis-1-eBayShortcuts.exe)
(file was downloaded over a year ago but never detected by avast boot-time scan with archive scan turned on)

3. VirTool:Win32/VBInject.gen!BG
Category: Tool

Description: This program is used to create viruses, worms or other malware.

Recommendation: Remove this software immediately.

Items:
containerfile:C:\Download\kaspersky\Ka_IS2010_900459_-_Final.rar
file:C:\Download\kaspersky\Ka_IS2010_900459_-_Final.rar->kis 9.0.0.459EN.exe
(downloaded from pirated website – not detected by Avast boot time scan with archive scan turned on in 3 months)


4. Trojan:Win32/Bumat!rts
Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommendation: Permit this detected item only if you trust the program or the software publisher.

Items:
containerfile:C:\Download\hacks\Hotmail hack\mbhttpbf.zip
file:C:\Download\hacks\Hotmail hack\mbhttpbf.zip->mbhttpbf.exe
(downloaded from pirated website; not detected by Avast boot-time scan with archive scan turned on; the file has been with me for over 3 years and was never detected by avast scan)

samnetx
« Last Edit: October 25, 2009, 01:36:07 PM by samnetx »
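A small triage helper, added here as an example and not part of any post in this thread: it parses the nested "containerfile:" / "file:...->...->..." layout of the MSE report in Reply #42, recovers the outermost on-disk file (the one that can actually be hashed and submitted to VirusTotal, as DavidR suggests) and flags detections that sit in a System Restore copy. The sample report is constructed from two entries of that post; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the MSE report quoted in Reply #42
# (two of its entries, trimmed to the lines the parser needs).
SAMPLE_REPORT = r"""1.PWS:Win32/Fignotok.A
Category: Password Stealer
Items:
containerfile:C:\System Volume Information\_restore{C2C689FC-6E64-4B37-BADC-F42CE2090FC5}\RP3\A0007367.exe
file:C:\System Volume Information\_restore{C2C689FC-6E64-4B37-BADC-F42CE2090FC5}\RP3\A0007367.exe->(WExtract)->NEO0~1.EXE

2. TrojanClicker:Win32/Yabector.gen
Category: Trojan Notifier
Items:
containerfile:C:\Download\Sound\dxplayer_setup.exe
file:C:\Download\Sound\dxplayer_setup.exe->(inno#000007)->(nsis-1-eBayShortcuts.exe)
"""

NAME_RE = re.compile(r"^\d+\.\s*(\S+)$")   # "1.PWS:Win32/..." or "2. Trojan..."

@dataclass
class Detection:
    name: str
    category: str = ""
    container: str = ""                        # outermost file as it exists on disk
    chain: list = field(default_factory=list)  # container -> extractor -> member

    def on_disk_file(self):
        # Only the outermost container is a real file you can hash or upload;
        # the "->" members live inside it and only exist once extracted.
        return self.container or (self.chain[0] if self.chain else "")

    def in_restore_point(self):
        # System Restore copies live under System Volume Information\_restore...
        return "system volume information\\_restore" in self.on_disk_file().lower()

def parse_report(text):
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            detections.append(Detection(name=m.group(1)))
        elif detections and line.startswith("Category:"):
            detections[-1].category = line.split(":", 1)[1].strip()
        elif detections and line.startswith("containerfile:"):
            detections[-1].container = line.split(":", 1)[1]
        elif detections and line.startswith("file:"):
            detections[-1].chain = line.split(":", 1)[1].split("->")
    return detections
```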

DavidR
Re: what to do if a trojan is found in system restore?
« Reply #43 on: October 18, 2009, 10:07:10 PM »
1. The suspect _restore points are also inert, unless you happened to use system restore to take your system back to a point where they were in system folders. Effectively these were previously deleted files saved by system restore.

That said - Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
 
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
 
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

2. Archive files (.rar, .zip) aren't scanned by default as they are inert; you have to open them, extract the files and run any executable before they present an immediate risk. Before that happens the on-access scanner would scan them. Though if you have been scanning archives, they should have at least been scanned by avast, MBAM and SAS.

3. The only true way to investigate further, given the lack of detection by the other three applications is by uploading to virustotal as I mentioned.

Lisandro (Avast team)
Re: what to do if a trojan is found in system restore?
« Reply #44 on: October 18, 2009, 11:56:07 PM »
Quote
The suspect _restore points are also inert, unless you happened to use system restore to take your system back to a point where there were in system folders. Effectively these were previously deleted files saved by system restore.
What I can't believe is why Windows allows changing that folder... If they have made an antimalware tool (MSE), why don't they pay more attention to this? And solve it (period).
The best things in life are free.