Virus in my 'System Volume Information' folder

rpc64

I'm using AVG anti virus and it comes up with a message box saying I have a virus and it's located within my System Volume Information. However, when I run a virus scan it finds nothing and I can't get into the System Volume Information folder even in safe mode as Administrator. Sneaky little ah heck. Anyone know how I can get rid of this thing? Thanks.
 

shadowfaX

Silly question of me to ask... but are you able to turn off system restore? Usually that deletes the stuff in the System Volume Information folder. But I could be wrong, of course.
 

OZEE

Yup, you're going to have to turn off the system restore... It's been infected. Most of the active viruses right now attack the sys-restore files, so you keep reinfecting yourself.
 

rpc64

Oooohhhhhh, so that's what that damn folder is for! System restore! Thanks. If I turn off system restore and it deletes all that stuff, will I be able to turn it back on again and not be infected?
 

mechBgon

Do you actually need System Restore for anything? I de-virused someone's Dell a while back, and of the 43GB of data on the 60GB hard drive, guess what 37GB of it was...? Yes. If it were me, I'd leave it turned off :D but it's your rig so think it over.
 

rpc64

I actually have used system restore before. I thought it was a pretty neat little gizmo. But then again, I don't know how much space it was taking up. And I don't anticipate FUBARing my computer enough to need it any time soon. Meh, I guess I'll leave it off for now.
 

imported_Phil

Actually, you can get into System Volume Information with XP Home like this:

cacls <folder> /e /g <user>:<permission>

E.g.

cacls "c:\system volume information" /e /g dopefiend:r
Grants Read (r) access to the user "dopefiend" and edits (/e) the Access Control Lists rather than replacing them.

That'll let you into the folder. Use permission "f" for Full Control if you need it.
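
The cacls grant described in the post above, wrapped so the access is taken away again once you have looked; this batch file is an added example, not part of the original post. It assumes an NTFS system drive, an administrator command prompt, and that the account had no earlier entry on the folder.

```bat
@echo off
rem Added example, not from the thread: grant read access, look, then revoke.
rem Assumes an NTFS system drive and an administrator command prompt.
setlocal
set "SVI=%SystemDrive%\System Volume Information"
set "ACCT=%USERNAME%"

rem /e edits the existing ACL instead of replacing it; /g grants Read (r).
cacls "%SVI%" /e /g "%ACCT%":r

rem Confirm the grant worked before going any further.
dir /a "%SVI%" >nul 2>&1
if errorlevel 1 (
    echo Could not read "%SVI%".
    goto revoke
)

rem Read-only listing of the folder contents; nothing is modified here.
dir /a "%SVI%"

:revoke
rem /r (valid only with /e) removes this account's entries again, so the
rem folder is left with the access it had before the grant.
cacls "%SVI%" /e /r "%ACCT%"
endlocal
```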
 

imported_Phil

I don't know about processes, but you can stop a service by issuing the "net stop <service name>" command.
The Knowledge Base @ Microsoft should provide some clues :)
 

Mem

Issue
There is a virus in the folder System Volume Information.


--------------------------------------------------------------------------------

You'll have to manually delete the infected files found in the c:\System Volume Information\_Restore folder; they are part of the Win XP backup (those backup files were created when the system was infected).
The System Volume Information folder is a hidden, system folder that the System Restore service uses to store its information and restore points.
There is a System Volume Information folder on every partition on your computer. No application except the System Restore service is allowed to access this folder.
In order to delete the infected content of _restore please follow the steps:
1. Right click the My Computer icon on the Desktop and click on Properties;
2. Click on the System Restore tab;
3. Select each drive and:
a) click Settings;
b) Move the ruler to minimum;
c) Press OK and confirm the eventual confirmation;
4. Put a check mark next to 'Turn off System Restore on All Drives';
5. Click the 'OK' button;
6. You will be prompted to restart the computer. Click Yes.
When System Restore is disabled the content of the folder is deleted, the infected files included.
Afterwards you can re-enable the System Restore service should you want to use it.