Viri hiding in 'System Volume Information' on WinXP

MikeHunt79

MikeHunt79

MikeHunt79

Soldato
Joined
4 Jan 2004
Posts
20,802
Location
¯\_(ツ)_/¯
Here's my AV log:
1/20/2010 4:32:26 PMDetect
C:\System Volume Information\_restore{E1CA8956-809D-4D15-89D3-F19FAEC00308}(2)\RP1\A0000034.exeApplication.Win32.Nircmd.~@16774100
Success1/20/2010 4:32:26 PMDetect
C:\System Volume Information\_restore{E1CA8956-809D-4D15-89D3-F19FAEC00308}(2)\RP1\A0000047.pifApplication.Win32.Nircmd.~@16774100Success1/20/2010 4:32:26 PMDetect
C:\System Volume Information\_restore{E1CA8956-809D-4D15-89D3-F19FAEC00308}(2)\RP1\A0000049.exeApplication.Win32.Nircmd.~@16774100Success1/20/2010 4:32:28 PMDetect
C:\System Volume Information\_restore{E1CA8956-809D-4D15-89D3-F19FAEC00308}(2)\RP1\A0000138.exeApplication.Win32.Nircmd.~@16774100Success1/20/2010 4:32:28 PMDetect
C:\System Volume Information\_restore{E1CA8956-809D-4D15-89D3-F19FAEC00308}(2)\RP1\A0000136.exeApplicUnsaf.Win32.Hide.~AB@5325787Success1/20/2010 4:32:28 PMDetect
C:\System Volume Information\_restore{E1CA8956-809D-4D15-89D3-F19FAEC00308}(2)\RP1\A0000145.pifApplication.Win32.Nircmd.~@16774100Success1/20/2010 4:32:28 PMDetect
C:\System Volume Information\_restore{E1CA8956-809D-4D15-89D3-F19FAEC00308}(2)\RP1\A0000147.exeApplication.Win32.Nircmd.~@16774100Success1/20/2010 4:32:32 PMDetectC:\System Volume Information\_restore{E1CA8956-809D-4D15-89D3-F19FAEC00308}(2)\RP9\A0003724.exeApplication.Win32.Nircmd.~@16774100Success
Click to expand...
Now, I cannot delete this folder, and I have System Restore turned off, so how can I delete it?
 
Last edited:
Just tried safe mode, said the same thing, access denied. Cannot even open the folder!

ohnoessssss.jpg
 
Someone will say it so I might as well get it out of the way: a format and reinstall is the best option.

However, you could try downloading a Linux live CD. Stick that in the drive and boot from it and you should be able to mount the filesystem on the hard drive and delete the files and folders that way.
 
Do you have restore disks enabled? I think I remember something about having to disable that for each drive otherwise you won't have access. Not sure if my terminology is right but its in system properties somewhere from memory.

Edit: Make sure you have SYSTEM RESTORE turned off for all drives. Knew it had something to do with restore it in somewhere.
 
Last edited:
Trun system restore back on, create a new restore point, delete old ones using disk cleanup, turn it back off again.

You cannot delete the system volume information folder.
 
theheyes said:
Someone will say it so I might as well get it out of the way: a format and reinstall is the best option.

However, you could try downloading a Linux live CD. Stick that in the drive and boot from it and you should be able to mount the filesystem on the hard drive and delete the files and folders that way.
Click to expand...
Most Linux Live CD's I've used do not allow NTFS write access, but I'll try the latest Ubuntu disk once I've downloaded it.
ringo747 said:
Do you have restore disks enabled? I think I remember something about having to disable that for each drive otherwise you won't have access. Not sure if my terminology is right but its in system properties somewhere from memory.

Edit: Make sure you have SYSTEM RESTORE turned off for all drives. Knew it had something to do with restore it in somewhere.
Click to expand...
System restore is disabled, as has been disabled since I installed XP.
Dano said:
Trun system restore back on, create a new restore point, delete old ones using disk cleanup, turn it back off again.

You cannot delete the system volume information folder.
Click to expand...
I just want to delete the contents of the folder, not the folder itself.

I'm surprised a Virus managed to write things into this folder when I cannot however.

I'll try the system restore thing, I think it's my best bet right now. :)

My head has gone blank, where abouts is the disk cleanup thingy?
 
MikeHunt79 said:
Most Linux Live CD's I've used do not allow NTFS write access, but I'll try the latest Ubuntu disk once I've downloaded it.

System restore is disabled, as has been disabled since I installed XP.

I just want to delete the contents of the folder, not the folder itself.

I'm surprised a Virus managed to write things into this folder when I cannot however.

I'll try the system restore thing, I think it's my best bet right now. :)

My head has gone blank, where abouts is the disk cleanup thingy?
Click to expand...


My computer - right click c drive - properties - disk cleanup - more options - system restore cleanup
 
Dano said:
That would probably be because the virus was running as a system process which has access, unlike you as a user.
Click to expand...
Gotcha, I am logged on as admin, which is why I was surprised.
SimonC said:
My computer - right click c drive - properties - disk cleanup - more options - system restore cleanup
Click to expand...
I cannot see it in Properties anywhere, I seem to remember it being in the blank space on this screen:
ohnoessssss2.jpg

If anyone else is still on XP like me, could you post a screenie of where disk cleanup is?

I'm going to hunt for my original XP cd, I think there are a few files missing as I slimmed down my XP cd before installing.
 
Dano said:
It's under the general tab on that window :)
Click to expand...
No disk cleanup icon there, I think I must have not installed it when installing XP. :)
bledd. said:
start, run, cleanmgr (I tihnk, for system restore points)
Click to expand...
Cheers, I managed to expand cleanmgr.ex_ from my original XP disk and ran it - it works now. :)
bledd. said:
this is why I always disable it!
Click to expand...
I actually made nLite choose the option on disabling System Restore when I install XP, so to find stuff in the SVI dir was a little strange. I never ever use system restore, I'm not a fan of it at all! :)
subbass said:
I think SLAX and Linux Mint allow NTFS write access by default.
Click to expand...
Cheers, Ubuntu 9.10 has downloaded now, which Mint is based on, so I'll keep the disk handy for things like this. :)

ringo747 said:
http://support.microsoft.com/default.aspx?scid=kb;en-us;309531

Does that help?
Click to expand...
Yes! yes it does, I ended up using the cacls command, and I wiped everthing in the SVI folder.

Now my virus scanner shows no threats found... Thanks! :)
 
I had a similar cant access this folder issue in the past
Right click folder -> properties -> security
Add either full access to either everyone or just your current user account
Go inside the folder and delete what ever you want

Currently I can go inside any System Volume Information folders on my PC
and delete what ever I want
 
derkaderka said:
I had a similar cant access this folder issue in the past
Right click folder -> properties -> security
Add either full access to either everyone or just your current user account
Go inside the folder and delete what ever you want

Currently I can go inside any System Volume Information folders on my PC
and delete what ever I want
Click to expand...

I was gonna suggest either this or just take owership of the folder. As far as I know you shouldnt have any issues deleting the contents of it then
 
You must log in or register to reply here.
Back
Top Bottom