"TROJAN" in System Volume Information folder

From: lazaruslong (lazaruslong_at_discussions.microsoft.com)
Date: 10/29/05


Date: Sat, 29 Oct 2005 11:50:03 -0700

We sent the following tech support request, and system information, to our
Anti Virus Software provider, Grisoft (AVG). We got the reply (immediately
below). We have followed the instructions in the reply to our request, (the
SAME procedure outlined by BRUCE CHAMBERS and DOUG KNOX in an 11/15/04 post
re the NETSKY virus in the same folder, i.e. System Volume Information), and
we have performed ALL the procedures outlined by DAVID H. LIPMAN, i.e.
loading/running McAfee’s STINGER and Trend Micro’s SYSCLEAN (in the same
11/15/04 post) to the letter, but Earthlink’s SPYAUDIT program CONTINUES to
find a “Trojan Horse” virus, reporting it as a “DP Trojan” and indicates its
IMMEDIATE REMOVAL is CRITICAL.

Contact with Earthlink produces NO usable information (surprise, surprise).
AVG’s “Virus Vault” lists the program as a “Generic Downloader BXP” Trojan
Horse, but the reply to the tech support request mentioned above tells us it
is “IMPOSSIBLE” to access the file directly for deletion. AVG no longer
locates the file since we deleted it from the Virus Vault, but Earthlink’s
SPYAUDIT STILL reports the “DP TROJAN”.

In addition, the Windows Security Center continually tells me my AVG 7.1
reports it is OFF. I have configured and RE-configured the program, and RUN
it several times but Security Center CONTINUES to report the Anti Virus
software that it IDENTIFIES is OFF.

Can anybody help?

AVG’s TECH SUPPORT REPLY:

Dear Sir/Madam,

Thank you for your email.
According to your information the file is stored in System Volume
information folder. Also according to the file name it really is a virus
itself and not a correct file that has been infected.
Files placed in the System_volume_information folder are source files for
the system restore function that is available in Windows XP operating system.
Files that were healed were moved in their original INFECTED state into this
folder and it is necessary to DELETE them by following these steps:

1) Close all open programs. Then right-click My Computer on the Windows
desktop
2) Click on Properties
3) Click on the System Restore tab
4) Check Turn off System Restore on all drives
5) Restart the system
6) Go through the first four steps again and uncheck the item mentioned in
step 4.

Also please note that if the file is stored in this location it is not
possible for you to manipulate it. It is denied by your operating system. The
only way to remove the virus is described in the procedure above.

OUR ORIGINAL REQUEST FOR AVG TECH SUPPORT:

>The last AVG scan reported a "Trojan Horse Downloader" with a path of:
>"C:\System Volume Information\_restore{60C4F85F-FA27-457A-A148-4E83D6FC2482}\RP346\A0045023.exe"
>This is the SAME Trojan that had previously been identified by Earthlink's
>"SPYAUDIT", and that we tried to get help from AVG to eradicate back on
>5/11/05 (Ref: G#05213308)
>The "Trojan" is now in the virus vault. We wanted to send it to AVG for
>analysis, but are unable to figure out how to save it to an encrypted ZIP
>file
>
>System Report generated by AVG Report System
>---------------------------------------------
>
>Operating System
>OS Type: Microsoft Windows XP Home Edition
>Version: 5.1
>Build No.: 2600
>Service Pack: Service Pack 2
>
>System Date and Time
>Date: 28.10.2005
>Time: 16:14:26
>Zone: GMT-8 (480 minutes westward from UTC)
>Name: Pacific Standard Time
>DLST: YES
>
>System Locale and Country Code
>System Country: United States (USA)
>System Locale: English
>User Country: United States (USA)
>User Locale: English (United States)
>
>AVG Anti-Virus
>Language: English
>App Version: 7.1.362
>AVI Version: 267.12.5/150
>
>License Information
>License No.: *****************************
>License Type: Full
>Product Type: AVG 7.1 Professional
>
> ALL FURTHER SYSTEM INFORMATION INTENTIONALLY OMITTED
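The System Restore on/off cycle from the AVG reply, scripted, together with a look at which anti-virus products Security Center has actually registered (the likely reason it reports a running AVG as "off"). This is an added example, not code from the original post or from AVG; it assumes Windows PowerShell 5.1 on a Windows client, run from an elevated prompt, and uses only the built-in cmdlets named below.

```powershell
# Added example (not from the original post or from AVG). Assumes Windows
# PowerShell 5.1 on a Windows client, elevated; cmdlet names are built-in ones.
#Requires -RunAsAdministrator

function Get-RegisteredAntivirus {
    # Security Center keeps its own registration list; when that list is stale
    # it reports a product as "off" even though the product is installed and
    # running. Windows XP SP2 kept it in root\SecurityCenter (properties such as
    # onAccessScanningEnabled); Vista and later use root\SecurityCenter2 (productState).
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        try {
            Get-CimInstance -Namespace $ns -ClassName AntiVirusProduct -ErrorAction Stop |
                Select-Object @{ n = 'Namespace'; e = { $ns } },
                              displayName, productState, onAccessScanningEnabled
        } catch { }   # namespace absent on this Windows version; try the next one
    }
}

function Get-RestorePointSummary {
    # Each restore point is an RPnnn directory under
    # \System Volume Information\_restore{...}; files a scanner "healed" elsewhere
    # may survive there in their original infected form, as the AVG reply says.
    Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = $_.ConvertToDateTime($_.CreationTime)
            Description = $_.Description
        }
    }
}

function Clear-AllRestorePoints {
    param([string[]]$Drives = @('C:\'))
    # Steps 1-6 of the AVG reply: turning System Restore off discards every
    # restore point on the drive, including the RPnnn copy the scanner flagged.
    # Nothing is recoverable afterwards, so the caller must want all of them gone.
    # Before/After counts let the operator confirm the purge actually happened.
    $before = @(Get-ComputerRestorePoint).Count
    Disable-ComputerRestore -Drive $Drives
    Enable-ComputerRestore  -Drive $Drives
    $after = @(Get-ComputerRestorePoint).Count
    [pscustomobject]@{ Before = $before; After = $after }
}

Get-RegisteredAntivirus | Format-Table -AutoSize
Get-RestorePointSummary | Format-Table -AutoSize
# Clear-AllRestorePoints -Drives 'C:\'   # uncomment to run the purge
```

If `Get-RegisteredAntivirus` lists no entry for the installed product, or a stale one, Security Center's "off" report reflects its registration table rather than the scanner's real state.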