Re: System Volume Information...WTF



Max Wachtel wrote:
Nope@xxxxxxx AKA Catamount on 12/15/2005 in
<uuTvBkXAGHA.220@xxxxxxxxxxxxxxxxxxxx> after much thought, came up with
this jewel:

Catamount wrote:
David H. Lipman wrote:
From: "Catamount" <Nope@xxxxxxx>

Ok, so I got this machine that HAD a virus. I am not sure which one,
as I only found parts of a virus that seem to be parts of several
viruses. One of my users did something right and noticed something
strange and disconnected from the Internet right away. So anyway, I
have this re.exe that Symantec Corp Edition keeps finding as a
"Hacktool.HideWindow" in the System Volume Information folder and
leaves it alone. Why does it leave it alone? Who knows, it's set to
delete such things. I do know that the folder is set so only the
system can access it, but I can change that. I am concerned, however,
that this might break something if I go into that folder and mess
with it. Anyone know if it's safe for me to go in and just delete it?
You are using WinXP -- Right?

Hacktool.HideWindow --
http://securityresponse.symantec.com/avcenter/venc/data/hacktool.hidewindow.html

Under the folder System Volume Information is _restore
c:\System Volume Information\_restore

This is the WinXP System Restore cache. Malware can't be removed from
this location as it is protected by the OS. If you don't want to get
re-infected by restoring it, you need to flush the System Restore
cache by disabling System Restore, rebooting the PC and then
re-enabling System Restore. It would be a good idea to create a new
restore point after the System Restore cache has been re-enabled.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

That's what I thought, and so I turned off System Restore, but didn't
re-enable. I will re-enable it and see if that clears it up. I will
let you know. Thanks, David!
Nope. Still there. Any other suggestions?

when you turned off system restore did you reboot?

max

Yes. I even went through the steps again just to make sure.
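The flush-and-verify procedure David describes, as an added example that is not part of the thread: it assumes Windows 7 or later with the built-in *-ComputerRestore cmdlets (they did not exist on WinXP, where the same steps are done through System Properties > System Restore) and an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Flushes the System Restore cache on the
# system drive (System Restore off, back on, fresh restore point) and checks
# that the old snapshots, which may hold the file the scanner keeps flagging
# but cannot delete, are really gone. $drive is an assumption: normally C:\.

$drive = "$env:SystemDrive\"

# 1. Record what the cache currently holds, so the result can be compared.
$before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
Write-Host "Restore points before flush: $($before.Count)"
$before | Format-Table SequenceNumber, Description, CreationTime -AutoSize

# 2. Turning System Restore off for a drive discards every restore point on
#    it. David's procedure reboots at this step; the cmdlet does not require
#    one, but reboot if the scanner still reports the file afterwards.
Disable-ComputerRestore -Drive $drive

# 3. Turn it back on and create a known-clean baseline, as David recommends.
#    Windows 8 and later allow only one checkpoint per 24 hours by default,
#    so Checkpoint-Computer may warn and skip if one was made recently.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description "Clean baseline after malware cleanup" `
                    -RestorePointType "MODIFY_SETTINGS"

# 4. Verify: nothing older than the new baseline should remain.
$after = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
Write-Host "Restore points after flush: $($after.Count)"
$after | Format-Table SequenceNumber, Description, CreationTime -AutoSize

$stale = $after | Where-Object { $before.SequenceNumber -contains $_.SequenceNumber }
if ($stale) {
    Write-Warning "Old restore points survived the flush on $drive; reboot and repeat."
} elseif ($after.Count -eq 0) {
    Write-Warning "No restore point exists; create one once the checkpoint limit allows."
} else {
    Write-Host "Cache flushed; only post-cleanup restore points remain."
}
```

Run the on-demand scan again after step 4; if the detection persists, the file is outside the restore cache and the System Restore flush is not the fix.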


