
Author Topic: Trojans in External Drive System Volume Information  (Read 9659 times)


Tatterdemalion

    Topic Starter


    Intermediate

    Trojans in External Drive System Volume Information
    « on: June 24, 2014, 08:57:42 AM »
    If an anti-virus software such as Avira tells you that it has detected Trojans in the System Volume Information of an external USB hard drive and gives you the opportunity to quarantine them - if you agree to do that will you still be able to open the drive and access your data properly ? I don't want to take a rash decision and lose access to my information.

    Please advise.

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Experience: Expert
    • OS: Windows 10
    Re: Trojans in External Drive System Volume Information
    « Reply #1 on: June 24, 2014, 01:17:40 PM »
    Quarantining the infections shouldn't affect your ability to access the drive. Why is there a System Volume on that drive?
    Windows 8 and Windows 10 dual boot with two SSD's

    Tatterdemalion

      Topic Starter


      Intermediate

      Re: Trojans in External Drive System Volume Information
      « Reply #2 on: June 24, 2014, 03:00:06 PM »
      I don't know why there is a System Volume on the drive.  I have read that Windows will put them on all drives if you haven't instructed it not to. The drive that has shown this is connected to the XP machine that you were helping me with recently.

      I had some initial trouble with that computer yesterday when I couldn't get Control Panel to display anything when I wanted to install a program. A second try let me and I thought it was a temporary glitch and that everything was OK.

      Later on, when the Firefox browser was getting unresponsive and complaining about Silverlight, I decided I would try to uninstall that plug-in. Control Panel was very slow and then I couldn't get the list of installed programs to display. I wanted to select the Silverlight plug-in from there to get rid of it.

      I then tried to turn off the machine but couldn't get it to switch off even when I asked via Task Manager.

      In the end I had to long-press the physical computer power button.

      I re-booted and it got to the log-in screen but my cursor was inoperative (this happens a LOT with both of my Lenovo T61s so I don't know if it is just a Lenovo quirk). I plugged a mouse in to request that the machine shut down again.

      It said something about br_funcs.exe (0XC000142) function failed something and then closed.

      I re-booted and decided to log in as a different user to see if Control Panel and program removal would be functional under another profile. They were. I removed Silverlight from that profile and deleted some media files that I don't need. Then I took the dog for a walk and thought the machine had settled.

      When I got home Avira was reporting that it had blocked access to a file in G:\SystemVolumeInformation

      the file is A0068235.exe containing the virus or unwanted program TR/Drop.TDss.aeag

      I am not familiar with what A0068235.exe is but the named Trojan is the same one that was identified as being linked to HoldemIndicatorSetup.exe

      This is the Windows XP machine you were helping me with in an earlier thread. Avira's Real Time Protection is offering the Action "Move to quarantine". My choices are "Apply now" or "Cancel".

      What do you recommend ?

      Could I have been infected by a Trojan last week that got in via my mail program on drive F and then changed itself into a fake Dr Watson that is trying to regenerate itself via the System Volume Information on the G drive?

      Googling System Volume Information made it look as though it is something that Windows places on all drives by default and that it is to do with Restore Points. I don't know why anyone would want restore points or unemptied trash cans on EXTERNAL drives.

      Some of the random forum posts I have found regarding the topic of System Volume Information on external drives make it look like they are a route for lurgies and that they are hard to eliminate. Some people were talking about using Linux CDs to access the System Volume Information Folders in order to delete them and to stop them constantly regenerating with the same virus.

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Experience: Expert
      • OS: Windows 10
      Re: Trojans in External Drive System Volume Information
      « Reply #3 on: June 25, 2014, 01:12:59 PM »
      Quote
      Avira's Real Time Protection is offering the Action "Move to quarantine". My choices are "Apply now" or "Cancel".

      What do you recommend ?
      Apply now.
      Quote
      Some of the random forum posts I have found regarding the topic of System Volume Information on external drives make it look like they are a route for lurgies and that they are hard to eliminate. Some people were talking about using Linux CDs to access the System Volume Information Folders in order to delete them and to stop them constantly regenerating with the same virus.
      Infections are usually placed in the System Volume so that when someone runs System Restore they get infected again. You can delete all your Restore Points by going to My Computer, right-click Disk Cleanup and click other options. You can also scan the external drive with your AV, MBAM and AdwCleaner.
      Windows 8 and Windows 10 dual boot with two SSD's
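The reply above explains why an infection turns up inside System Volume Information: on Windows XP, System Restore copies files it monitors into `_restore{GUID}\RPnnn\` folders under that directory and renames them to `A00xxxxx.ext`, so a name like `A0068235.exe` is a restore-point copy, and restoring that point puts the file back. The script below is an added example, not something posted in this thread or shipped by Avira or any other tool; it lists those copies on a chosen drive and hashes the executable ones so they can be checked against your AV vendor before you decide what to delete. The script name `Get-SviExecutables.ps1` and the `-Drive` parameter are my own; `G:` is the external drive letter from the thread.

```powershell
# Added example (not from the thread): list the files System Restore has stashed under a
# drive's System Volume Information folder and hash anything executable for AV triage.
# Usage, from an elevated prompt:   .\Get-SviExecutables.ps1 -Drive G:
# Written against PowerShell 2.0 so it also runs on Windows XP and Vista.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$Drive                       # drive letter with colon, e.g. G:
)

$sviPath = Join-Path ($Drive + '\') 'System Volume Information'

# Extensions that have no business inside the restore points of a data-only external drive.
$riskyExt = @('.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')

function Get-Sha256Hex([string]$Path) {
    # .NET hashing rather than Get-FileHash, which only exists from PowerShell 4 onwards.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close(); $sha.Clear() }
}

if (-not (Test-Path -LiteralPath $sviPath)) {
    Write-Host "No System Volume Information folder on $Drive; System Restore has nothing to bring back from it."
    return
}

try {
    # -Force is needed because the folder is hidden+system. Its ACL normally admits only SYSTEM,
    # so an access-denied error here means 'run elevated, or take ownership of the folder first'.
    $items = Get-ChildItem -LiteralPath $sviPath -Recurse -Force -ErrorAction Stop |
             Where-Object { -not $_.PSIsContainer }
}
catch {
    Write-Warning ("Cannot read {0}: {1}" -f $sviPath, $_.Exception.Message)
    return
}

$report = foreach ($f in $items) {
    $isRisky = $riskyExt -contains $f.Extension.ToLower()
    $hash = ''
    if ($isRisky) { $hash = Get-Sha256Hex $f.FullName }
    New-Object PSObject -Property @{
        RestorePoint = $f.Directory.Name     # RPnnn folder under _restore{GUID}
        Name         = $f.Name               # e.g. A0068235.exe, System Restore's renamed copy
        SizeKB       = [math]::Round($f.Length / 1KB, 1)
        LastWrite    = $f.LastWriteTime
        Risky        = $isRisky
        SHA256       = $hash
    }
}

# Risky entries first; the hashes are what you hand to your AV vendor or a multi-engine scanner.
$report | Sort-Object Risky -Descending |
    Format-Table RestorePoint, Name, SizeKB, LastWrite, Risky, SHA256 -AutoSize
```

The folder is readable only from an elevated session, and on a FAT-formatted external drive there is no ACL at all, which is one reason malware likes it there. Once the offending copies are identified, removing the drive's restore points (the Disk Cleanup route in the reply above, or disabling System Restore monitoring for that drive) stops the reinfection loop.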

      Tatterdemalion

        Topic Starter


        Intermediate

        Re: Trojans in External Drive System Volume Information
        « Reply #4 on: June 26, 2014, 09:43:13 AM »
        Why did Avira see the rogue file in the System Volume Information of an external drive when I wasn't doing anything ?

        Is it normal for external drives to be accessed from time to time?

        I have a USB key where the initial infection was spotted by Avira and "Denied Access" before the Dr Watson files were "Allowed Access" by the same AV software.
        It has a light on it so I can see when it is communicating with the computer. Since the problem, I have stopped actively using it but, from time to time, its light flashes so SOMETHING is going on.

        Is that normal ?

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Experience: Expert
        • OS: Windows 10
        Re: Trojans in External Drive System Volume Information
        « Reply #5 on: June 26, 2014, 04:22:00 PM »
        Quote
        Why did Avira see the rogue file in the System Volume Information of an external drive when I wasn't doing anything ?
        The infection doesn't have to be active in order for it to be detected.
        Quote
        Is it normal for external drives to be accessed from time to time?
        It will scan any drive that is connected.
        Quote
        It has a light on it so I can see when it is communicating with the computer. Since the problem, I have stopped actively using it but, from time to time, its light flashes so SOMETHING is going on.
        Is that normal ?
        Download Panda USB and AutoRun Vaccine and save it to your desktop.

        * Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
        * Open that folder and double-click on USBVaccine.exe to start the program.
        * Click Run
        * Click the button to Vaccinate computer.
        * Insert your USB flash drive.
        * When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
        * Exit Panda USB and AutoRun Vaccine when done.

        Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
        Windows 8 and Windows 10 dual boot with two SSD's
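The vaccination procedure above works on two fronts: the computer-side part tells Windows not to honour AutoRun, and the drive-side part leaves an `autorun.inf` that cannot be read or replaced. Both can be checked without a third-party tool. The script below is an added example, not from the thread or from Panda; it reads the `NoDriveTypeAutoRun` policy value (a real registry value in which each bit disables AutoRun for one drive type, 0x04 for removable media and 0xFF for everything) and, for each removable drive, reports whether an `autorun.inf` is absent, present and readable (listing the keys that would launch a program or disguise the drive), or present but unreadable, which is what a vaccinated drive looks like. The script name `Audit-AutoRun.ps1` and its `-Drives` parameter are my own.

```powershell
# Added example (not from the thread): audit removable drives for autorun.inf and report
# whether Windows is still willing to honour AutoRun on them.
# Usage, from an elevated prompt:   .\Audit-AutoRun.ps1             (all removable drives)
#                                   .\Audit-AutoRun.ps1 -Drives G:  (a specific drive)
# Written against PowerShell 2.0 so it also runs on Windows XP and Vista.
param(
    [string[]]$Drives = @()              # drive letters with colon; empty = every DriveType 2 volume
)

# Bit flags of the NoDriveTypeAutoRun policy value, one bit per drive type.
$DRIVE_REMOVABLE = 0x04
$DRIVE_ALL       = 0xFF                  # the value Microsoft recommends for disabling AutoRun everywhere

function Get-AutoRunPolicy {
    # One line per hive; a machine policy (HKLM) takes precedence over a user policy (HKCU).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($item -eq $null) {
            Write-Host ("{0}: NoDriveTypeAutoRun not set, Windows default applies" -f $hive)
            continue
        }
        $v   = [int]$item.NoDriveTypeAutoRun
        $rem = (($v -band $DRIVE_REMOVABLE) -ne 0)
        $all = (($v -band $DRIVE_ALL) -eq $DRIVE_ALL)
        Write-Host ("{0}: NoDriveTypeAutoRun = 0x{1:X2}  removable blocked: {2}  all types blocked: {3}" -f $hive, $v, $rem, $all)
    }
}

function Get-AutorunDirectives([string]$InfPath) {
    # Return the [autorun] keys that make Explorer launch something or disguise the drive.
    $inSection = $false
    $found = @()
    foreach ($line in (Get-Content -LiteralPath $InfPath -ErrorAction Stop)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^([^=]+)=(.*)$') {
            $key = $matches[1].Trim()
            # open= and shellexecute= run a program; shell\<verb>\command= replaces the
            # double-click or context-menu action; icon=, label= and action= dress it up.
            if ($key -imatch '^(open|shellexecute|shell\\.+\\command|shell|icon|label|action)$') {
                $found += ('{0} = {1}' -f $key, $matches[2].Trim())
            }
        }
    }
    return $found
}

Get-AutoRunPolicy

if ($Drives.Count -eq 0) {
    # DriveType 2 = removable (USB sticks, card readers). USB hard disks usually report as
    # DriveType 3 (fixed), so pass those explicitly with -Drives.
    $Drives = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object { $_.DeviceID })
}

foreach ($d in $Drives) {
    $inf = Join-Path ($d + '\') 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { Write-Host "$d  no autorun.inf"; continue }
    try {
        $directives = @(Get-AutorunDirectives $inf)
        if ($directives.Count -eq 0) {
            Write-Host "$d  autorun.inf present, no launch or disguise directives"
        } else {
            Write-Host "$d  autorun.inf with launch or disguise directives:"
            $directives | ForEach-Object { Write-Host "      $_" }
        }
    }
    catch {
        # An autorun.inf that exists but cannot be opened is what the vaccination described
        # above leaves behind: nothing can read, change or replace it.
        Write-Host "$d  autorun.inf present but unreadable ($($_.Exception.Message)); consistent with a vaccinated drive"
    }
}
```

If the policy line reports that removable media are not blocked, the machine-side fix is a DWORD `NoDriveTypeAutoRun` of `0xFF` under the HKLM `Policies\Explorer` key above (what the "Vaccinate computer" button achieves), after which no `autorun.inf` on any drive type is acted on. The drive-side report is the part to re-run whenever the USB key in question has been plugged into another computer.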

        Tatterdemalion

          Topic Starter


          Intermediate

          Re: Trojans in External Drive System Volume Information
          « Reply #6 on: June 27, 2014, 06:09:55 AM »
          Thank you so much for all of your help.

          I wonder if I may have been hit by a browser hijacking of some kind when the peculiarities with this Windows XP machine began with the file detected on drive F and then the alteration (?) of the Dr Windows file(s).

          What do you think ?

          I noticed that when I was re-starting Firefox periodically when it got very slow as RAM allocations became extremely high and/or the Silverlight plug-in stopped working - I would be brought back to a screen that lets you "Restore" your last session.

          At the top right of the Firefox browser screen there is a downward pointing arrow that indicates downloads - it would animate turning green and descending.

          This was happening with no TABS open except the one inviting you to restore your tabs from last time - where it lets you select from a list of pages that might have crashed.

          I observed this occur repeatedly after the infection.

          I have since managed to uninstall Silverlight.

          I ran CCleaner and opened Firefox again. The arrow came down again.

          I uninstalled Firefox, ran CCleaner and installed a fresh copy of Firefox but kept all my settings.

          The arrow came down again.

          I uninstalled Firefox - told it to FORGET ALL MY SETTINGS AND PREFERENCES, ran CCleaner and then reinstalled Firefox.

          It opened with no peculiar download animations.

          How foolish is it to continue to connect to the internet with Windows XP at all ?

          I have read some reports that say you really shouldn't do it. This would mean an old machine couldn't even be used to watch YouTube videos or stream from Spotify - and that's a real shame.


          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 1020
          • Experience: Expert
          • OS: Windows 10
          Re: Trojans in External Drive System Volume Information
          « Reply #7 on: June 28, 2014, 01:09:37 PM »
          Quote
          I wonder if I may have been hit by a browser hijacking of some kind when the peculiarities with this Windows XP machine began with the file detected on drive F and then the alteration (?) of the Dr Windows file(s).

          What do you think ?
          I seriously doubt it but it's impossible for me to say for sure.
          Quote
          How foolish is it to continue to connect to the internet with Windows XP at all ?
          MS and a lot of other experts say it's a bad idea but I'm using it myself and I haven't seen any uptakes in infections in XP. One thing I would recommend is that you don't use MSE as your AV. I'm using Avira at the moment.
          Windows 8 and Windows 10 dual boot with two SSD's

          Tatterdemalion

            Topic Starter


            Intermediate

            Re: Trojans in External Drive System Volume Information
            « Reply #8 on: June 29, 2014, 11:44:59 AM »
            As MSE is no longer updated for XP, do you mean you recommend against choosing MSE on more modern OSes like Windows 7 ?

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Experience: Expert
            • OS: Windows 10
            Re: Trojans in External Drive System Volume Information
            « Reply #9 on: June 29, 2014, 01:02:07 PM »
            Quote
            As MSE is no longer updated for XP, do you mean you recommend against choosing MSE on more modern OSes like Windows 7 ?
            MSE is perfectly ok on any OS above XP such as Vista, Windows 7, Windows 8 and 8.1
            Windows 8 and Windows 10 dual boot with two SSD's

            az_shyguy



              Beginner

              Thanked: 1
              Re: Trojans in External Drive System Volume Information
              « Reply #10 on: July 08, 2014, 10:44:31 AM »
              And how experienced are you, Efodagin? You said "we". I do not see you as a malware specialist. Not much, I would say. Just let the malware specialist deal with his problem. Thank you!