Detected Trojan:HTML/Phish!pz

johnwhelan

Well-known member
Windows backup halts saying a virus has been found.

file: \Device\HarddiskVolumeShadowCopy32\Users\c\AppData\Local\Mozilla\Firefox\Profiles\qb4jiill.default-release\cache2\entries\004CA419A9D82B945F497CF7C9BB7D5559710F0A

A full scan detects nothing.

I re-imaged the c:\ drive from an image file written in October, so well before this.

Any suggestions?

Thanks John
 
take the computer to a shop and have it looked at... Microsoft's Defender can't clean up that kind of virus, but the ones that the PC repair place has will clean it up...
 
Unfortunately that isn't a practical solution. I don't have a car and it's too big to fit in the pannier on the bike.

Any other suggestions?

What puzzles me is I reimaged the c:\ drive, which would have cleaned off anything on the C: drive, so where is

Device\HarddiskVolumeShadowCopy32\Users\c\AppData

Thanks John
 
Hi John:

This thread should be helpful > Infection on HarddiskVolumeShadowCopy

This one as well > Windows Backup

Explaining shadowcopy > Sophos Endpoint Security and Control: Resolve malware detection on pagefile.sys or hiberfil.sys

This one for purging the shadowcopy > Purge the Volume Shadow Copies after a malware infection

There are more sites with other info on the issue > This is the Google search link > Device\HarddiskVolumeShadowCopy32\ Search results

Rico
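A way to work out which VSS snapshot a detection path like the one John posted lives in, when that snapshot was taken, and how to purge only that snapshot rather than every restore point, as an added PowerShell example that is not code from any post or linked article in this thread. It assumes the standard Win32_ShadowCopy / Win32_Volume CIM classes and vssadmin.exe, a script file name of your choosing, and an elevated prompt.

```powershell
# Added example (not from the thread): map a Defender/Backup detection path such as
#   \Device\HarddiskVolumeShadowCopy32\Users\c\AppData\...\cache2\entries\<hash>
# to the VSS snapshot it sits in, report when that snapshot was taken, and
# optionally delete only that snapshot. Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory)] [string] $DetectionPath,   # path exactly as the alert shows it
    [switch] $Delete                                  # actually remove the snapshot
)

# 1. Pull the snapshot number and the path inside it out of the detection string.
#    -notmatch still fills $Matches when the pattern does match.
if ($DetectionPath -notmatch '^\\Device\\HarddiskVolumeShadowCopy(\d+)(\\.*)$') {
    throw "Not a shadow-copy path: $DetectionPath"
}
$copyNumber   = [int] $Matches[1]
$relativePath = $Matches[2]

# 2. Find the snapshot whose device object carries that number.
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.DeviceObject -match "HarddiskVolumeShadowCopy$copyNumber$" }

if (-not $shadow) {
    Write-Host "Shadow copy $copyNumber no longer exists; nothing to clean."
    return
}

# 3. Report. The snapshot date shows how old the flagged file really is, and the
#    live path is the one worth rescanning now; the snapshot itself is read-only,
#    which is why a normal scan of C: finds nothing.
$volume   = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DeviceID -eq $shadow.VolumeName }
$livePath = "$($volume.DriveLetter)$relativePath"
[PSCustomObject]@{
    ShadowId       = $shadow.ID
    Volume         = $volume.DriveLetter
    SnapshotTaken  = $shadow.InstallDate
    LivePath       = $livePath
    LiveFileExists = Test-Path -LiteralPath $livePath
} | Format-List

# 4. Remove only this snapshot; other restore points on the volume stay intact.
if ($Delete) {
    & vssadmin.exe delete shadows /Shadow="$($shadow.ID)" /Quiet
}
```

Run it first without -Delete to confirm the snapshot date predates the last clean reimage before removing anything.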
 
Hi John,
try the Trend Micro website - ok the main idea is to get you to buy their anti-virus - they have a free on-line virus checker (includes trojans etc). We use their product on our PCs, Android and iPad with a multi user subscription.
edited to give full name of company for searching!
 
Malwarebytes has a very good free version (for scanning, not full-time monitoring), but it can be tricky to get the free version and not the trial version that wants payment after a month. I am not sure about the shadow copy stuff though.
 
I found it on both win 10 and win 11.

Currently I'm reinstalling Windows. That seems to work on win 11. Reimaging did not. It only shows on a backup which is interesting.

It's also a pain in the neck moving things over to the new win 11 machine but it's been sitting gathering dust for a month or two and I'd been putting it off for weeks now.

Once the software and data have moved, then it's transfer the GPU and we should be there.

Cheerio John
 
Hi John,
try the Trend Micro website - ok the main idea is to get you to buy their anti-virus - they have a free on-line virus checker (includes trojans etc). We use their product on our PCs, Android and iPad with a multi user subscription.
edited to give full name of company for searching!
I used their product for years and it works very well. When I ran the IT department at an old company, now closed since 2009, we used their NeatSuite antivirus package, which also had real-time server scanning and MS Exchange scanning as well.
 
I've never run into this in the past, but that doesn't say it's not going to happen. This is something we all need to be aware of and there has to be an easier way to remove the infection other than by reinstalling the OS.
 
Here's an article about the Shadow Copy with a link to a utility that allows you to restore files from it if you need to. The built-in previous-versions function in Windows is awkward and this utility is easier to use.

 
I think the annoying thing is it only shows when trying to do a back up and a restore from an image didn't clear it. I do a weekly backup and the system image file was from a couple of months ago.

I had to move everything to the new machine sometime so it's not too much extra work.

Cheerio John
 
Yeah, that is annoying. The scary part is somehow that file got placed there hopefully not through some kind of malware script. Setting up a new machine isn't too bad but it's time-consuming.

You need to be aware of Windows 11 putting the Documents folder and relations up on the One-Drive. I'll email you a document I found on how to solve that.
 
Could you send me that as well please? Microsoft seem to have lost their way in recent years and think we all need a Surface gadget with all our stuff in/on the "cloud". Those with real PCs are getting ignored.
 
Seriously, my move to Linux is looking better and better all the time.
It sure does. If I didn't have other software that requires Windows, I'd be gone as well. The sad part is some of the scripted malware can attack across platforms, making them really nasty critters.
 
Could you send me that as well please? Microsoft seem to have lost their way in recent years and think we all need a Surface gadget with all our stuff in/on the "cloud". Those with real PCs are getting ignored.
Will do, Paul. I'll put it up on my One-Drive, HA! and PM you the link.
I agree, using cloud storage is fine for devices with a 256 GB SSD, but for us, it's a mess. Imagine if we put our Trainz content in our documents folder.
 