External Hard Drive Infected - SystemVolumeInformation\System.exe

[digitalxni]

I recently reinstalled Windows and managed to get a worm (julychina) within hours and now believe I got the infection from my external hard drive. Whilst using Filezilla, I noticed two very similar folders: 'SystemVolumeInformation' and 'System Volume Information'. I clicked on the former and got an "Access Denied Error" and then my anti-virus alerted me to a Trojan called Delf.ELK. So I'm guessing this Trojan is causing the julychina worm (not sure exactly what it is) to be downloaded.

I've tried running OTL but it only seems to look at the system drive and folders and I don't know how to use it properly so I couldn't enter a search string!

Anyone got any ideas on how to remove this Trojan?

Oh and I just noticed an Autorun.inf file on the external drive and inside it has the following lines:

[Autorun]
Shellexecute=\SystemVolumeInformation\system.exe

Not sure if that helps. Any advice would be much appreciated!

Thanks!

[!Donovan]

Maybe this is what you got. Read about it here:
http://archives.cnn.com/2001/BUSINESS/asia/07/20/hk.codered/index.html
"2001 ... A new Internet virus of allegedly Chinese origins has launched a worldwide assault on Microsoft."

I have no clue. Maybe you could tell us the direct location of the file.

Do you have Microsoft updated or did you have internet access while it was updating?

Was the firewall functioning properly and what firewall were you using (if any)?

[Tarq57]

Why did you reinstall Windows?
Was it a full re-install with a format, or a repair install?

Could it be related to this (fairly old) thread?

Not using the same old infected flash drives, are you?

[digitalxni]

The file that is flagged as a trojan is located at J:\SystemVolumeInformation\System.exe

I did a full format of the computer before installing Windows and I only had the internet on whilst updating Windows. A reboot seems to have gotten rid of this Julychina thing which I got rid of on another computer thanks to essexboy in a previous thread. I'm just assuming that I'm getting julychina on the other pc because of the Trojan on my external hard drive although it's been connected to my pc without it being noticed for possibly a few weeks and I've not noticed anything untoward.

[DavidR]

Well that should be J:\System Volume Information\, is that what it actually is ?

If so that is strange as the file naming in system restore controls this area and the file names are changed from the original but keeping the file type, e.g. A1234567.exe.
They also normally have _restore (and another reference) after the J:\System Volume Information\ folder and before the file name, so in this folder/file format there is something strange.

What is your J: drive/partition ?

[digitalxni]

There is both a 'System Volume Information' and 'SystemVolumeInformation'. When I clicked on the second one I my anti-virus flagged up a Trojan in the System.exe file inside that folder. The J:\ Drive is an external hard drive.

[DavidR]

I think that the second one is no more than a fake trying to look the part, the real system volume information folder is normally a hidden folder.

This is what is the problem

Code: [Select]

[Autorun]
Shellexecute=\SystemVolumeInformation\system.exe
So it looks like you at some time have an infected USB stick that creates autorun.inf files in hard disk partitions (including external ones if hooked up at the time). That is setting the execute process you use the system.exe file in place of the normal shell execute command.

So I would suggest that you remove this J:\System Volume Information\ folder and its contents. Look for an autorun.inf file (most likely hidden) and remove that also, they shouldn't be on hard disks.

 Flash Drive Disinfector
Information and Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Mirror download site, http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

[digitalxni]

So I should just manually delete SystemVolumeInformation and NOT 'System Volume Information'? Will running that Flash Drive Disinfector be an issue as in Windows this external hard drive appears as a normal hard drive rather ran removable storage?

[DavidR]

Well I don't believe windows doesn't differentiate between a flash stick and an external USB hard disk, they are just external storage. So I don't believe it would be any different for flash disinfector would treat it any different. At worst I would think you may have to save the file to the external drive and run it from there rather than running it from the fixed hard disk.

The real system volume information folder is most likely a protected folder as it is under the control of system restore, but no you shouldn't try to remove it.

[digitalxni]

Sorry about the late reply. Tried running Flash Drive Disinfector from the desktop and also from the external hard drive and no luck as far as I can tell. Here is a screenshot of Filezilla which alerted me to the problem in the first place:



As you can see, the folder is still there but currently showing as empty.

[DavidR]

I don't know what you mean by no luck so far, it isn't an active tool, more one of inoculation, read the information I posted and that on the page where you got the tool, it outlines what it does.

I don't know what it is that you hope it was going to do ?
The fake systemvolumeinformation folder was created by malware and that won't have changed and it isn't something covered by flash disenfector as the information in the link you got the too from, that is why I said you will have to remove it.

So I would suggest that you remove this J:\System Volume Information\ folder and its contents. Look for an autorun.inf file (most likely hidden) and remove that also, they shouldn't be on hard disks.

Did you check for a hidden autorun.inf file before and after running flash disinfector on your external drive ?
The file should be gone and a folder called autorun.inf created and that prevents the future creation of an autorun.inf 'file'