Large Number of Infections Detected!!!!! LARGE!

I have a dual boot system, XP and 7. Scanning in 7 takes about 6 hours and produced some 66,000 infections; all the same (I forgot to make a note of the file but it was a JS exploit). The number of infections doubles for each subsequent scan. It began with a small number of infections and has now grown to an unmanageable number. It took 12 1/2 hours to delete all the infections today. The interesting thing is that this does not happen in XP. If they are detected in XP they are deleted and not detected again until I boot into 7.

Yes, everything in 7 is up to date. Any help would be greatly appreciated.

Try running Malwarebytes Free and HitmanPro. See what they find/remove.

Report back with the results.

Malwarebytes found nothing, HitmanPro found tracking cookies only.

Can you post your CIS antivirus logs?

File is much too large - 30Mb

Here is a representation of the log:

G:\System Volume Information\_restore{F37E73DC-70A6-42FA-944D-C7D71F5FDCE5}\RP1346\A0387150.data|G:\System Volume Information\_restore{F37E73DC-70A6-42FA-944D-C7D71F5FDCE5}\RP1346\A0387150.data Exploit.JS.Blacole.BB[at]289339066 Detect Success

I could email it to you perhaps.

Are the infections only in system restore?

Yes.

Did you use to have an infection on your computer in the past, which is now cleaned?

If so, then what you’re seeing is older malware which was backed up during system restores. You can safely remove the older restore points to get rid of the malware.

Honestly I can’t remember having an infection but CIS must have thought it found something at some point.

I thought that was probably the case but I wanted to check with someone here before I deleted them. I’ll give it a try and check back in.

Thanks

So, I deleted the older restore points, ran a scan and no infections. Then my scheduled scan completed this morning and the same infections appeared: more than 66,000. This renders Win 7 useless to me.

None of my personal data have been compromised so I’m wondering if this could be a false positive. I’m stumped. How do I get rid of this?

Thanks for the help.

I guess those 66,000 all have the same name. Is that correct? What is the name of the infection? In what folders does it occur? Are there files in Windows system folders infected?

Could you please post one or more screenshots of the AV results screen or AV logs to give us an impression about what your problem is.

We need to know more information about the infection; be it name(s) and a gross understanding of which folders are reported as being infected. It is not clear whether we are looking at an infection or a possible false positive.

Given the large number of alleged infections, it is likely that Windows System Files are also being reported as infected. I want you to run System File Checker to let Windows check the integrity of its system files: Use the System File Checker tool to repair missing or corrupted system files - Microsoft Support. Please let us know whether it reported that any system files were not legit.
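An added example, not part of the original thread and not Comodo's code: a short Python summary of a large AV log by detection name and folder, which also lists any hit outside System Volume Information. The line layout is assumed from the single log line quoted earlier in the thread; `summarize`, `SAMPLE` and every path except the quoted one are constructed for illustration.

```python
import re
from collections import Counter
from ntpath import dirname  # Windows path rules, works on any OS

# Assumed layout, inferred from the one line quoted in the thread:
#   <path>|<path> <detection>[at]<id> <action> <status>
LINE_RE = re.compile(
    r"^(?P<path>[^|]+)\|.*\s(?P<name>\S+?)(?:\[at\]|@)(?P<sig>\d+)"
    r"\s+(?P<action>\S+)\s+(?P<status>\S+)\s*$"
)
SVI = "system volume information"

def summarize(lines):
    """Count detections by name and folder; list any path outside SVI."""
    names, folders, outside, skipped = Counter(), Counter(), [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1          # header, blank or unknown format
            continue
        path = m["path"]
        names[m["name"]] += 1
        folders[dirname(path)] += 1
        parts = path.split("\\")  # parts[0] is the drive, e.g. "G:"
        if len(parts) < 2 or parts[1].lower() != SVI:
            outside.append(path)
    return {"names": names, "folders": folders,
            "outside_svi": outside, "skipped": skipped}

def _line(path, name="Exploit.JS.Blacole.BB", sig="289339066"):
    return f"{path}|{path} {name}[at]{sig} Detect Success"

RP = r"G:\System Volume Information\_restore{F37E73DC-70A6-42FA-944D-C7D71F5FDCE5}"
SAMPLE = [
    _line(RP + r"\RP1346\A0387150.data"),          # the line from the thread
    _line(RP + r"\RP1346\A0387151.data"),          # constructed
    _line(RP + r"\RP1347\A0387200.data"),          # constructed
    _line(r"C:\Users\example\Downloads\page.js"),  # constructed, outside SVI
    "Scan started",                                # constructed noise line
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for name, n in report["names"].most_common():
        print(f"{n:6d}  {name}")
    for folder, n in report["folders"].most_common():
        print(f"{n:6d}  {folder}")
    print("outside System Volume Information:", report["outside_svi"] or "none")
    print("unparsed lines:", report["skipped"])
```

To run it on a real export, pass the open log file to `summarize` in place of `SAMPLE`; the file is read line by line, so a 30 MB log is not a problem.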

They all have the same name and are detected in the system restore folder. If you look at post 6, you’ll see a copy & paste I did from the log file. They are all the same. Tonight I will boot into 7 and run the system file checker and report back.

Thanks

Could you upload the offending file to Virus Total, Valkyrie and post the links to the report?

When on Virus Total, ask to rescan instead of having it show the result of the last time they scanned (that is the default option).

How are your settings for Heuristics?

Keep us posted.

Going to be difficult to upload the file. I cannot gain access to the restore folder; keeps telling me access is denied. I turned off restore points which deletes all restore points. I could turn it back on and do another scan but I still can’t get to the folder.

sfc reported no problems. Heuristics is set to Low.

Thanks

You can open the system restore folders in XP following this MS knowledgebase article.

Once opened, AV programs can then also remove viruses caught in system restore.

I am very interested to see the Virus Total and Valkyrie analysis of the offending file.

I’m using Win 7. I’ll run a new scan tonight and upload the offending file as soon as I can gain access to the SVI folder.

First thing is I discovered I was using ver 5.8 of CIS (it used to update automatically) so I upgraded to the current version and did a scan. Same results so I uploaded only one file (all 66000 are the same) using the CIS upload feature. I don’t know where it went and I was not notified of any analysis of the file.

This new version of CIS is VERY slow. That first scan was well into 14 hrs when I interrupted it just to use my system. Updating database files takes more than an hour and the old ver was WAY faster than this one. I did not do a clean install in 7 but did in XP and the XP install is much faster, much.

Apparently one cannot access the SVI folder in 7 as easily as it is done in XP. I have read about a few utilities that allow users access to this folder. So, I will further research these with the ultimate goal of uploading a copy of the infection.

Thanks again.

The slowness you are experiencing on Win 7 is not normal.

Please try a clean install of CIS. When reinstalling CIS please follow Most Effective Way to Reinstall CIS to Avoid/Fix Problems by my colleague Chiron. It will provide a reliable and clean starting point.

Don’t forget to export your active configuration to a folder that is not part of the CIS installation folders if you are considering using it again. However, don’t start with the previous config. First run with the default configuration and when that works try the previous one.

As long as you can send a copy to Virus Total and Valkyrie I would be happy for the moment. You can then use the Virus Total or Valkyrie link for submitting the file here at the forums and have it analysed whether it is malicious or not.

Thanks EricJH, I’ll take your suggestion and do a clean install following Chiron’s guide.

About this infection thing. I guess I don’t completely understand the Valkyrie thing. What is it? I understand Virus Total but still have not gained access to the SVI folder yet. Where did the file I uploaded to CIS go? Is that enough or should I pursue the Virus Total method?

Thanks again…always receive great assistance here.