Infection on HarddiskVolumeShadowCopy

Discussion in 'ESET NOD32 Antivirus' started by regg00, Mar 13, 2012.

Thread Status:
Not open for further replies.
  1. regg00

    regg00 Registered Member

    Joined:
    Mar 13, 2012
    Posts:
    2
    Location:
    Canada
    Hi,
    For a week or so I have been receiving a threat alert from NOD32 saying that the following file is infected: \Device\HarddiskVolumeShadowCopy172\Public\LT_2011_EFIGSB_WI

    Even if I delete the folder and all its files, the same message appears the next morning.
    NOD32 can't solve the problem by itself, and there's no way to exclude \Device since it's a kernel path (I think :doubt:).

    Anyone here can help?
    Thanks
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
  3. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    That's usually from some malicious files being caught in a system state snapshot. Open the Disk Cleanup utility, choose the option to clean up system files, then under the More Options tab choose the option to clean up System Restore and shadow copies.

    I would only do this after you are sure there is no active infection on your system. Some malware will inject itself into old system restore snapshots, and what you are seeing could be a symptom of that.
     
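Added example (my own PowerShell, not code from the thread or from ESET): before wiping every snapshot with Disk Cleanup, map the `\Device\HarddiskVolumeShadowCopyNNN` path from the alert back to the snapshot that owns it, so you can see which volume it came from, when it was taken and whether a backup product still needs it, and then remove only that one. It assumes an elevated PowerShell session on the machine that raised the alert; the path and the index 172 are the ones quoted above.

```powershell
# Path exactly as reported by the AV alert in the thread.
$alertPath = '\Device\HarddiskVolumeShadowCopy172\Public\LT_2011_EFIGSB_WI'

# Pull the shadow-copy device name out of the alert path.
if (-not ($alertPath -match '^\\Device\\(HarddiskVolumeShadowCopy\d+)\\')) {
    throw "Not a shadow copy path: $alertPath"
}
$deviceName = $Matches[1]

# Win32_ShadowCopy.DeviceObject looks like
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy172, so match on the tail.
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.DeviceObject -like "*\$deviceName" }

if (-not $shadow) {
    # Snapshots rotate; the one in the alert may already be gone.
    Write-Output "No current shadow copy named $deviceName (it may have been deleted)."
    return
}

# Shadow copies record their source as a \\?\Volume{GUID}\ name; resolve it to a
# drive letter so you know which live volume (the file server share here) to scan.
$volume = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DeviceID -eq $shadow.VolumeName }

[PSCustomObject]@{
    ShadowId         = $shadow.ID
    Device           = $shadow.DeviceObject
    SourceVolume     = $volume.DriveLetter
    Created          = $shadow.InstallDate
    # Backup software (BackupExec in the thread) creates its own snapshots;
    # provider and accessibility help tell those from System Restore points.
    Provider         = $shadow.ProviderID
    ClientAccessible = $shadow.ClientAccessible
}

# Only after the live file system has been scanned clean and no backup job still
# depends on this snapshot, delete just this one instead of all of them.
# Uncomment to act (equivalent to: vssadmin delete shadows /Shadow={ID}):
# $shadow | Remove-CimInstance -Confirm
```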
  4. regg00

    regg00 Registered Member

    Joined:
    Mar 13, 2012
    Posts:
    2
    Location:
    Canada
    Thanks guys, problem solved.
    The volume shadow copy folder was created by BackupExec, which uses this service.
    The infection was a keygen someone put on the file server.
     