Hi.

I have a BAAD case of Trojan.Dropper.VB.Q

I'm currently using BitDefender Pro (up to date) that says that it found Trojan.Dropper.VB.Q in C:\System Volume Information\... (whole path can't fit the message window) and that my system has NOT been infected (Yeah...right....System Volume Information...Hell, even I am not allowed there!)

Tried scanning via Windows Explorer right-click menu...nothing
Tried scanning via BD scan (whole disk)...shutdown (software type)
Tried again...shutdown
Tried again, but only the dir in question....you guessed right..shutdown.
Tried safe mode but BD won't work in safe mode (at least, mine won't)

Anyway, I'm open to suggestions of which scanner I should use to get rid of this little bugger. (Bear in mind the location.)

Hi, well sounds like a nasty lil guy ;). Give ewido a whirl (www.ewido.net). It is a pretty good scanner.

Also

Download HijackThis (current version is v1.99.1)

Make a new folder to put your HijackThis.exe into.

(Anywhere on your hard drive is fine other than your Desktop or the Temp folder. Suitable examples are:

* C:\HijackThis\
* C:\Programs\hijackthis\
* C:\Windows\My Documents\HJT\

but feel free to use any name.)

Extract and save the HijackThis download to the new folder you made. Then navigate to it and run HijackThis from there. (This is to ensure it makes the necessary backups for recovery if fixes are made.) Then, double-click HijackThis.exe, and click Scan.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents in your reply. Most of what it lists will be harmless or even essential; don't try to fix anything yourself.

Make sure to post your ewido log too :).

thx

By the way, my BD almost died. All of a sudden I wasn't able to turn on the firewall (!) nor update.
I looked in Event Viewer and found this:

The BitDefender Scan Server service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Rebooted a couple of times and updated. BD is back to normal.

:surprised
Freaky.

Wasn't able to scan system volume information. I'll try safe mode.

Posting a HJT log may shed some light on some more infections, making the cleaning process easier, as we would know exactly how to "attack" it.

My system is pretty much clean. By BD and ewido - nothing in reg. nor mem. nor system files. Except for that one in SVI dir.

What I need is a tool that will work in repair mode (the closest thing to DOS mode). I can access SVI dir by a certain procedure. (rather, strange set of circumstances). I doubt that any AV software can access SVI while XP is fully running.

If you know of such a tool, post it pls.

P.S. I'll do the hijack thing later. I'm kind of in the middle of something right now.


Good, that's what I was about to ask for :)

But ya, if it's in the System Volume Information (a.k.a. System Restore)...the easiest way to clean it is to flush out the System Restore points.

For directions with this, simply post back.

Thanks.


Please do.

Is it, maybe, System Properties / System Restore / Turn off System Restore on all drives? (kind of answers itself, doesn't it)

I'm not doing anything 'till you post your answer, jhay.

This will flush restore points...

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.
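The same flush can be scripted on a newer Windows client, where the System Restore cmdlets exist. This is an added example, not part of the thread above, and it assumes Windows PowerShell 5.1 (the cmdlets are not in PowerShell 7), an elevated prompt, and that the system drive is `C:\`. It records the restore points before and after so you have evidence that the old, possibly infected points are really gone.

```powershell
# Added example: script equivalent of "turn System Restore off, reboot, turn it on".
# Assumes Windows PowerShell 5.1 on a Windows client, run as Administrator.
# Disable-ComputerRestore / Enable-ComputerRestore / Checkpoint-Computer are
# built-in cmdlets of the Microsoft.PowerShell.Management module.

$Drive = "C:\"   # assumption: the system drive that holds System Volume Information

# 1. Record what is there now, so the cleanup can be verified afterwards.
$before = Get-ComputerRestorePoint
Write-Host ("Restore points before flush: {0}" -f @($before).Count)
$before | Format-Table SequenceNumber, Description, RestorePointType -AutoSize

# 2. Turn System Restore off for the drive. Windows discards the existing
#    restore points (the files an on-line scanner could not touch) when it
#    is disabled.
Disable-ComputerRestore -Drive $Drive

# 3. Turn it back on so new, clean restore points can be created.
Enable-ComputerRestore -Drive $Drive

# 4. Create a fresh baseline point right away, so there is a known-good
#    point to return to. Description is our own label.
Checkpoint-Computer -Description "Clean baseline after malware removal" `
                    -RestorePointType "MODIFY_SETTINGS"

# 5. Verify: only the new baseline should remain.
$after = Get-ComputerRestorePoint
Write-Host ("Restore points after flush: {0}" -f @($after).Count)
$after | Format-Table SequenceNumber, Description, RestorePointType -AutoSize

if (@($after).Count -ne 1) {
    Write-Warning "Expected exactly one restore point (the new baseline); check manually."
}
```

The forum steps put a reboot between the off and on; the script does not need one, but the thread's GUI procedure stays the safe choice on the XP machine the poster actually has, where these cmdlets are not available.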

I'm not doing anything 'till you post your answer, jhay.

Will my answer suffice :)

Problem solved.

Ya, what he said :)

And ya, after doing that, a new HJT would be incredible.

Thanks.
