Infections restored to System Volume Information?

Discussion in 'other anti-virus software' started by Firefighter, Nov 5, 2003.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Hi everyone! I downloaded some trojan from another discussion forum to restore that in "My Infections" CD.

    I had my resident scanner off when I downloaded that trojan (123...xyz.exe) to my WinXP Home system and D:\My Downloads folder and archived that immediately with WinRAR zipper. After that I restored that trojan to "My infections" CD and deleted the original infected file from my PC. After that, I scanned that CD to check if my scanner was able to detect that trojan, which it did.

    Some hours later, when my resident scanner was on, I noticed that my scanner had detected the same trojan from my D:\System Volume Information's folder and I had to open my Nero Burning ROM to find that infected file in D:\System Volume Information, and after that I deleted that file inside the NERO program's interface.

    How did I get infected without executing that trojan file?


    Best regards,
    Firefighter!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Firefighter,

    You most likely did not get infected. System Restore makes backups of everything you delete. It needs to do that to be able to restore the system to a previous point and stores them in that folder.
    Using the method you did you probably damaged the Restore Point(s).

    Turn off system restore, then reboot and turn System Restore back on, and create a manual Restore Point.
    If you don't know how:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

    Regards,

    Pieter
     
  3. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Pieter_Arntz from Firefighter!

    Thanks very much. If I scanned that "my infections" CD with my eXtendia AVK Pro and deleted those quarantined files that eXtendia made, were they also gone to System Volume Information's folder?


    Best regards,
    Firefighter!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Firefighter,

    I'm afraid I have to pass on that one. It depends on how that scanner handles its quarantined files. I don't think they would, since the AV should prevent that from happening.

    I think the normal procedure would be that the files do not get deleted, but are stored out of Windows' sight.

    Regards,

    Pieter
     