Removing trojans from "System Volume Information" folder

Goi

Diamond Member
Oct 10, 1999
Hi,
I just upgraded from Ad-Aware SE 1.05 to 1.06 and did a full system scan. When it was scanning my F:\System Volume Information\_restore{.... folder, my BitDefender 8 Anti-virus flagged the folder as containing a trojan and blocked access to it immediately. Ad-Aware would then hang at that point, and the only way out was to cancel the scan. After googling a while, I found out that the indicated folder was a system restore point, and that disabling System Restore would automatically delete the folder.

So anyway, I tried disabling System Restore and running the Ad-Aware scan again. I get the exact same result. I thought maybe I needed a reboot, so I did that and also got the same result. So, I decided to reboot, enable System Restore, reboot, disable it, reboot again, disable my anti-virus, and run Ad-Aware again. The same thing happens again!! (without the anti-virus warning, of course). Ad-Aware is still detecting that folder and scanning it and hanging there.

What's the deal with that? Doesn't disabling System Restore also delete all system restore points and relevant folders?

How can I get rid of this trojan?
 

joinT

Lifer
Jan 19, 2001
Damn, I was going to say "disable System Restore"; that always worked for me..

Did you try just deleting the folder with System Restore disabled?
Can your AV app not remove the bug with System Restore disabled? Don't use Ad-Aware to remove it; try using your AV app if you haven't.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Also, scan and/or do the manual removal in Safe Mode perhaps. If you have a second computer, another option is to put the hard drive into the second computer as a slave and then it should be at your mercy :evil:
 

Goi

Diamond Member
Oct 10, 1999
I can't access the "System Volume Information" folder regardless of the System Restore status. I get an access denied message whether I try to access it in Explorer or the command prompt, so I can't delete the folder in question. I don't think my AV app can remove the trojan, since all it did was detect it and block all access to it. From my Google finds, I read that AV software cannot access the System Volume Information folder, which is why trojans like to hide there. I'm not sure how true that is, but perhaps it explains something.

mechBgon, the hard drive in question isn't my main boot drive. It's F:, which is another hard drive, so essentially it's already a "slave" (although I have it connected as secondary master). I guess I'll try Safe Mode, and heck, maybe even a boot disk. Thanks for the link biostud, I'll read it.
 

Goi

Diamond Member
Oct 10, 1999
Thanks biostud, that worked. I was able to gain access to the folder as well as the related subfolders. I deleted all my system restore points except for one - the offending one. It turns out one of the files in the subfolder (_restore{.....\RP225\A0068484.exe) cannot be deleted. I got a "Cannot delete A0068484.exe: Cannot read from the source file or disk." error message when I tried to do so. I then ran my AV on that subfolder and it picked up that file as the trojan and moved it to quarantine. I immediately deleted all my quarantined files. Hope that solved the problem.

Thanks again to all that helped!
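The two problems in this thread, the "access denied" on System Volume Information and finding which restore point actually holds the flagged file, as an added PowerShell example. This is not code posted by anyone in the thread and not necessarily what biostud's link described; it uses the cacls /E /G approach Microsoft documents for XP to grant the current account access to the folder, then walks every _restore{GUID}\RPnnn subfolder and MD5-hashes each file so a name like A0068484.exe can be located and checked before anything is deleted. It assumes an Administrator account, cacls.exe on the PATH, PowerShell 2 or later, and a drive letter passed as -Drive; the script name Find-RestorePointFile.ps1 and the -Suspect parameter are hypothetical.

```powershell
# Find-RestorePointFile.ps1 (hypothetical name) - added example, not from the thread.
# Usage: .\Find-RestorePointFile.ps1 -Drive F: -Suspect A0068484.exe
param(
    [string]$Drive   = "F:",
    [string]$Suspect = ""          # optional file name to look for inside the restore points
)

$svi = Join-Path $Drive "System Volume Information"

# Step 1: by default only SYSTEM has rights on this folder, which is why both
# Explorer and cmd report "access denied" no matter what System Restore is set to.
# cacls /E edits the existing ACL instead of replacing it; /G grants Full control.
$me = "$env:USERDOMAIN\$env:USERNAME"
& cacls.exe $svi /E /G "${me}:F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cacls failed on $svi (run from an Administrator account)" }

# Step 2: walk every restore point and record each file with its hash.
# -Force is needed because the folders and files are hidden + system.
$hasher = [System.Security.Cryptography.MD5]::Create()
$report = @()
foreach ($rs in (Get-ChildItem -Path $svi -Filter "_restore*" -Force)) {
    foreach ($rp in (Get-ChildItem -Path $rs.FullName -Filter "RP*" -Force)) {
        foreach ($f in (Get-ChildItem -Path $rp.FullName -Force | Where-Object { -not $_.PSIsContainer })) {
            $hash = "unreadable"
            try {
                $stream = [System.IO.File]::OpenRead($f.FullName)
                try   { $hash = ([BitConverter]::ToString($hasher.ComputeHash($stream))).Replace("-", "") }
                finally { $stream.Close() }
            } catch {
                # A file that cannot be opened matches the "Cannot read from the
                # source file or disk" case in the thread; it is reported as
                # unreadable rather than forced, so an AV engine can quarantine it.
            }
            $report += New-Object PSObject -Property @{
                RestorePoint = $rp.Name
                File         = $f.Name
                Size         = $f.Length
                MD5          = $hash
            }
        }
    }
}

# Step 3: print the inventory and, if asked, say where the suspect file lives.
$report | Sort-Object RestorePoint, File | Format-Table RestorePoint, File, Size, MD5 -AutoSize
if ($Suspect) {
    $hits = @($report | Where-Object { $_.File -ieq $Suspect })
    if ($hits.Count -gt 0) {
        "Found $Suspect in: " + (($hits | ForEach-Object { $_.RestorePoint }) -join ", ")
    } else {
        "$Suspect is not present in any restore point on $Drive"
    }
}
```

Once the file has been quarantined or the restore point removed, take the granted entry off again so the folder goes back to SYSTEM-only: `cacls "F:\System Volume Information" /E /R DOMAIN\user` (the account name is whatever the script granted). Hashing before deleting is deliberate: the hash, not the A00nnnnn.exe name that System Restore assigns, is what you can compare against the AV vendor's detection or submit for a second opinion.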