I Have A Virus In "system Volume Information", How to clean it... Options

[Cris]

The System Volume Information is a system folder, where Windows keeps track of the changes that took place on a partition. This folder exists on every partition on your HDD (it is hidden, but you can see it by showing the hidden files and folders).
The information stored in these folders is used by Windows to revert to an earlier state, when you use the System Restore tool.
What is stored in these folders?
- important registry changes
- information about installed applications (and the changes that were made by installing them)
- important files that were deleted (mainly executables or DLL files)

There are times when some malware files get in the System Volume Information folder. This happenes either because the malware wants to get there (so it is in a safe place where the user doesn't have access to delete it and from where it can restore itself in case it is deleted from somewhere else), either because some malware file gets deleted and Windows decides that the file was important and it automatically stores it there, in case you ever want it back.

When a malware gets in this special folder, it will be detected by BitDefender (or other AV scanner) as having the path similar to:

CODE

C:\System Volume Information\_restore{E9DF52E4-6601-4F09-BFD7-04F6D3CB8194}\RP206\A0016149.exe

Usually, BitDefender 2008 can remove the infected files in System Restore Points (previous BD versions didn't have this possibility). But, in case the infection is archived, cleaning will fail:

CODE

D:\System Volume Information\_restore{E9DF52E4-6601-4F09-BFD7-04F6D3CB8194}\RP206\A0016149.exe=](NSIS o)=]lzma_solid_nsis0005 <virus name> Delete Failed (file was in an archive)

In this case, you have to make a manual clean of the infection.


For Windows XP
The easiest method:
First method is the easiest, and should solve the problem in most of the cases.
First of all, disable BitDefender's Realtime Protection, so that it won't block the access to the infected files, preventing you from deleting them. Warning! Be careful not to open any infected file(s) while BD's protection is disabled, because you'll get infected.
Right click on My Computer, then go to Properties -> System Restore. In that tab, enable the option Disable System Restore on all drives and click Apply. This should erase all System Restore Points, including the infected file(s).
After this, disable that option and press Apply again, so that you'll re-enable System Restore. Also, remember to re-enable BD Realtime Protection.

Don't worry about loosing the system's restore points, because new ones will be created whenever needed. (IMG:style_emoticons/default/wink.gif)

Now make another scan, to make sure the infection is gone.

This post has been edited by Cris: Jan 13 2010, 08:51 AM

[Cris]

Second method

Sometimes, from whatever reasons, the first method (disabling System Restore) doesn't do the trick. In this case, you have to take a more aggressive approach.

In short, you have to:

1. Disable BD's Realtime Protection (the warning in the previous post still applies!)
2. Open the System Volume Information folder
3. Find the infected file(s)
4. Delete it/them (be sure to delete them also from Recycle Bin, or use the SHIFT+Delete key combination, which will delete the file(s) directly, without sending them to Recycle Bin)
5. Re-enable BD Realtime Protection

This sounds easy, right? Well, in case that the partition is formatted as FAT32, it is (you just have to go to that folder, open it, delete the files, and you're done).
But the hard part comes if the partition is formatted as NTFS. And most probably, it is formatted as NTFS, because this is the default file system for Windows operating systems, starting from Windows NT, to Windows Vista (of course, Windows XP is included here). In this case, that folder is protected by the operating system against any access and/or modifications made by the user or other programs. In other words, only the system has access to those files... in theory, anyway (IMG:style_emoticons/default/tongue.gif)


The following method cannot be applied on Windows XP Home Edition, because it doesn't support all the necessary options.

So...to be able to delete the infected files, you have to give yourself permission to access/modify this folder. This is done quite easily:

1. Be sure you are the administrator of the computer you are working on! You need full administrative rights to complete the operations below. If you are not the administrator of your computer, please contact the person who is in charge of maintenance of the infected computer.
2. After the previous condition is fulfilled, open Windows Explorer
3. Click on Tools -> Folder options... -> View
4. Find the option Use simple file sharing (Recommended) and un-check that option.
5. Click Apply and OK.
6. Now browse to the folder that contains the infected file(s)
7. Right click on it, and select Properties -> Security
8. In the list you'll see (named Group or usernames), there should be only one entry: SYSTEM. Be careful not to change any permissions related to the user SYSTEM, otherwise you'll have problems! The permissions for this user should be Full Control (so all checkboxes are set to Allow).
9. Now you have to add your user in that list. Click on Add -> Advanced -> Find now
10. In the list below, you'll see listed all the users/groups from your computer. Don't worry if there are many entries in that list, because it's normal. Even if you only have one user that you can log on with, the system creates many user groups, groups which have different privileges over the system's resources. But this is not the place to explain them (IMG:style_emoticons/default/wink.gif)
11. Find your user in that list, select it, and click OK twice.
12. You'll get back in the System Volume Information Properties. Besides the SYSTEM user, your user appeared in that list.
13. Select your user, and give it full control over the folder.
14. Now click OK, disable BD's Realtime Protection, enter the folder (now nothing will stop you from browsing it), find the infected files and delete them.
15. After that, re-enable BD's Realtime Protection.

It is highly recommended that you undo the previous changes after you're done!

1. Open the folder's Properties, go to Security
2. Select your user from that list and click Remove
3. Be careful not to remove the SYSTEM user!
4. Click OK

And now, you're done. Make another system scan to assure you're clean. (IMG:style_emoticons/default/smile.gif)


If you need any clarifications or help about the steps presented above, don't hesitate to contact me through PM. Also, if you have some suggestions/remarks about the above steps, contact me through PM. (IMG:style_emoticons/default/smile.gif)

This post has been edited by Cris: Aug 10 2008, 05:45 AM

Reason for edit: Added "WinXP Home" info

[Cris]

For Windows Vista/Seven

1. temporarily disable BitDefender Realtime protection, so it won't interfere with the steps below
2. Right click on My Computer and select Properties
3. on the left side of the window, click on System protection
4. select the drive on which BitDefender detected threats in System Volume Information, click Configure and then click Delete
    System_protection.png ( 97K ) Number of downloads: 12
   
5. This is will delete all system restore points from that drive. Any necessary files will be recreated again by the system, if/when needed.
6. repeat the steps 2-5 for all drives with threats detected in the System Volume Information.
7. Re-enable BitDefender Realtime Protection, and rescan your system to make sure the threats were removed.

Cris.