Re: Accessing "sys vol info" on NTFS

From: Peter Rossiter (not_me_at_mail.com)
Date: 04/07/04

• Next message: Stephen K. Gielda: "Re: Can my ISP see my NNTP traffic?"
• Previous message: Gabriele Neukam: "Re: Is RTF in Word still prone to viruses?"
• In reply to: Gregg Cattanach: "Re: Accessing "sys vol info" on NTFS"
• Next in thread: FromTheRafters: "Re: Accessing "sys vol info" on NTFS"
• Reply: FromTheRafters: "Re: Accessing "sys vol info" on NTFS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 07 Apr 2004 17:56:23 +0100

"Gregg Cattanach" <gcattanach-SKIP-@prodigy.net> wrote:

>> Thanks for the info about ownership. I had thought that as
>> administrator that I would not need to enter my name in the
>> security tab.
>>
>> I need to gain access because my AV software (AVG) says there
>> is a trojan program there.
>>
>> Do you or anyone else know about the sort of virus or trojan
>> that can hide in the System Volume Information folder?
>>
>> Peter
>>
>
> What happens is 1) you are infected with a virus, 2) Windows
> creates a restore point and stores the infected files in the
> system volume information folder, 3) your anti-virus software
> sees the virus in SysVolInfo. The best solution is to turn
> off system restore, reboot, and turn system restore back on.
> This will delete all the restore points along with the one
> that is infected. You don't want to risk using any of those
> restore points anyway, because at least one of them contains
> the virus and you really don't know which one it is.

Thanks for the info.

I probably got the virus from downloading binaries from the
newgroups.

Would that virus program have been installed or executed (if you
see what I mean) for it to get picked up by XP's restore point in
the way you describe?

I am wondering if I was somehow so careless as to run the virus
program.

---

• Next message: Stephen K. Gielda: "Re: Can my ISP see my NNTP traffic?"
• Previous message: Gabriele Neukam: "Re: Is RTF in Word still prone to viruses?"
• In reply to: Gregg Cattanach: "Re: Accessing "sys vol info" on NTFS"
• Next in thread: FromTheRafters: "Re: Accessing "sys vol info" on NTFS"
• Reply: FromTheRafters: "Re: Accessing "sys vol info" on NTFS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: !URGENT, Computer Internet problems!:-( ... Switch off System Restore ... Run a complete virus check. ... Turn System restore back on and create a Restore Point ... (microsoft.public.windowsxp.general) Re: Disabling System Restore Points after a successful restore. ... System Restore and malware removal - what is best practice? ... computer's restore points contain a copy of the virus is greater than ... Disabling System Restore should be done only ... (microsoft.public.windowsxp.perform_maintain) Re: Disabling System Restore Points after a successful restore. ... System Restore and malware removal - what is best practice? ... Therefore, if you are fairly certain that you have a virus, you ... after all infection cleanup is completed. ... (microsoft.public.windowsxp.perform_maintain) Re: XP Cleaner virus ... | I have since learned that this is itself a virus. ... | Someone told me to restore to an earlier date which I did. ... Temporarily disable System Restore ... Logs. ... (microsoft.public.windowsxp.general) Re: Accessing "sys vol info" on NTFS ... > sees the virus in SysVolInfo. ... > off system restore, reboot, and turn system restore back on. ... (microsoft.public.windowsxp.general)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > alt.computer.security  > 2004-04