Tech Support Team
#1
27th August 2008, 01:02 AM
BTDCU422, TST Member
Join Date: Jul 2008, 129 posts.
Location: Michigan
[SOLVED] TR/Trash.Gen - Trojan

Avira Anti-Virus alerted me that it found TR/Trash.Gen - Trojan in the system volume directory. I Googled this trojan and I couldn't find much info on it. Before I do the usual scans, is this a high-risk trojan or something minor?
__________________
CompTIA Network+ Certified
There's no place like 127.0.0.1

#2
27th August 2008, 02:04 AM
evilfantasy, Security Team
Join Date: Dec 2007, 2,533 posts.
Quote:
Trojan in the system volume directory.
What OS are you using?
__________________
This forum is now nothing but a spam trap. I will not return ever. I suggest you do the same.

#3
27th August 2008, 02:06 AM
BTDCU422, TST Member
Windows XP Media Center Edition 2005.

#4
27th August 2008, 02:08 AM
evilfantasy, Security Team
C:\System Volume Information

These are your System Restore points. Clearing the old ones and creating a new fresh one will take care of it.

Set a New Restore Point to prevent possible reinfection from an old one
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

#5
27th August 2008, 02:30 AM
BTDCU422, TST Member
OK took care of that. Anything else I need to do?

#6
27th August 2008, 02:34 AM
evilfantasy, Security Team
It definitely would not hurt to run an online scan to make sure everything is OK. Have you had a malware problem recently? I ask because it seems odd for a threat to just appear in system restore. It had to come from somewhere.

This scan will take a while but it's very thorough and will let us know if anything is lurking.

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.


When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save


Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

#7
27th August 2008, 04:14 PM
BTDCU422, TST Member
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 27, 2008 02:43:45
Records in database: 1149792
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\

Scan statistics:
Files scanned: 252861
Threat name: 2
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 04:36:17


File name / Threat name / Threats count
C:\Documents and Settings\Compaq_Administrator\Local Settings\temp\DRDld\AVSVideoEditorTrial.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g 1
D:\I386\APPS\APP18921\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\APPS\APP18921\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.

#8
27th August 2008, 04:26 PM
evilfantasy, Security Team
We won't do anything with these:
D:\I386\APPS\APP18921\src\CompaqPresario_Spring06.exe
D:\I386\APPS\APP18921\src\HPPavillion_Spring06.exe

Those deal with your recovery console and Weather Bug is not malware, spyware or anything else bad. It is adware but that isn't malicious.

Quote:
Is WeatherBug Spyware?

According to their website, Weatherbug is not spyware, however it is adware. It does not monitor, collect data or 'spy' on its user base, however the program is considered adware since the free version is ad-supported. You can read more about why Weatherbug is not considered spyware by clicking here.

http://www.pchell.com/support/weatherbug.shtml

Download OTMoveIt2 by OldTimer
  • Save it to your desktop.


Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code:
[kill explorer]
C:\Documents and Settings\Compaq_Administrator\Local Settings\temp\DRDld\AVSVideoEditorTrial.exe
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) and paste it in your next reply.
  • Close OTMoveIt2
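
Added example (not part of the original thread, and not code from any tool it mentions): a Python sketch of the triage applied in posts #4 and #8, reading the detection lines of a Kaspersky Online Scanner text report and mapping each hit to a follow-up by path. The line layout is inferred from the report pasted in post #7; the action labels and the restore-point sample line with its verdict name are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample: the three detection lines from the report in this thread,
# plus one made-up restore-point hit (its path and verdict are hypothetical).
REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Compaq_Administrator\Local Settings\temp\DRDld\AVSVideoEditorTrial.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g 1
D:\I386\APPS\APP18921\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\APPS\APP18921\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
C:\System Volume Information\_restore{EXAMPLE}\RP1\A0000001.exe Infected: Trojan.Win32.Example.a 1
"""

# Paths contain spaces, so match lazily up to the "Infected:" keyword.
LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<verdict>\S+)\s+(?P<count>\d+)$"
)

class Hit(NamedTuple):
    path: str
    verdict: str
    count: int
    action: str  # hypothetical label, not a scanner field

def triage(path: str, verdict: str) -> str:
    """Map one detection to the follow-up the helper chose in this thread."""
    p = path.lower()
    if "\\system volume information\\" in p:
        # Post #4: copies inside restore points are cleared by creating a
        # fresh restore point and removing the old ones.
        return "flush-restore-points"
    if re.match(r"^[a-z]:\\i386\\", p) and verdict.startswith("not-a-virus:AdWare"):
        # Post #8: bundled adware installers in the recovery area are left alone.
        return "leave"
    if "\\temp\\" in p:
        # Post #8: the flagged installer in the user's temp folder is removed.
        return "remove-file"
    return "review"

def parse_report(text: str) -> list[Hit]:
    """Return one Hit per detection line; header and blank lines are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            path, verdict = m["path"], m["verdict"]
            hits.append(Hit(path, verdict, int(m["count"]), triage(path, verdict)))
    return hits

if __name__ == "__main__":
    for hit in parse_report(REPORT):
        print(f"{hit.action:22} {hit.verdict:42} {hit.path}")
```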

#9
27th August 2008, 04:59 PM
BTDCU422, TST Member
Explorer killed successfully
File/Folder C:\Documents and Settings\Compaq_Administrator\Local Settings\temp\DRDld\AVSVideoEditorTrial.exe not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\etilqs_0yd7b3KjF788K8Sj4k2k scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_71c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT05311.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT06220.TMP scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08242008_004215

Files moved on Reboot...
File C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\etilqs_0yd7b3KjF788K8Sj4k2k not found!
File C:\WINDOWS\temp\Perflib_Perfdata_71c.dat not found!
File C:\WINDOWS\temp\ZLT05311.TMP not found!
File C:\WINDOWS\temp\ZLT06220.TMP not found!

I think the reason that some of these files weren't found was because my computer froze during the first run of OTMoveIt so after I re-started it I ran OTMoveIt again.

Last edited by BTDCU422; 27th August 2008 at 05:11 PM.

#10
27th August 2008, 05:44 PM
evilfantasy, Security Team
Looks good.



Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator
  • Under Main: Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • Click Exit on the Main menu to close the program.


Note that your system will run slower for a reboot or two after having used this tool so don't panic.

Important: Restart the computer before continuing.

----------

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet. If your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Set a New Restore Point to prevent possible reinfection from an old one

  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.


----------

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

----------

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out So how did I get infected in the first place? By Tony Klein for tips and free tools to help keep you safe in the future.

Also see this Maintenance Guide for free cleaning and maintenance tools to help keep your computer running smooth.

#11
27th August 2008, 06:20 PM
BTDCU422, TST Member
Thanks again for all your help

#12
27th August 2008, 06:39 PM
evilfantasy, Security Team
No problem.

Safe surfing.....

#13
26th October 2010, 03:52 PM
arjean90, Newcomer
Join Date: Oct 2010, 1 posts.
hi

Quote:
Originally Posted by evilfantasy
What OS are you using?
Ummm, if I do that does it delete all my files on drive C?
I'm sorry, I just want to be safe
and I don't know much with these stuffs

#14
21st June 2011, 05:41 PM
Jovica, Newcomer
Join Date: Jun 2011, 2 posts.
TR/Trash.Gen

Can you help me out with this too? I have the TR/Trash.Gen but another one appears. I was recently infected with this rogue, Fake XP Internet Security 2012. It was blocking my Malwarebytes. I tried to run it from safe mode, but no good. Then I did a system restore, and it worked; I was able to use Malwarebytes. I ran a scan, deleted the virus and all was good until my Avira started catching these malware in System Restore. Should I do the same thing as he did?

#15
21st June 2011, 06:52 PM
Jovica, Newcomer
Help me please, it seems I have the same problem, but I'm not 100% sure if it's the same.

#16
17th November 2011, 07:45 AM
Albert Lionheart, TST Oracle
Join Date: Dec 2007, 8,194 posts.
Location: Meerkat Haemorrhoids, Middle England
not here you steaming great pillock
__________________
Confuse and Prosper.