Malware & System Volume Information Restores

Discussion in 'malware problems & news' started by TheKid7, Jul 25, 2009.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    If you want to clean out System Volume Information Restore points on a backup hard drive, how do you go about doing it?

    The reason I ask is that I think that I am getting Malware false positive(s) on one of my two backup hard drives on one of my PCs. Whether or not it is a false positive is still under investigation. A few days ago NOD32 4.x said that it identified a "possible" Trojan in a System Volume Information Restore exe file. I quarantined it and sent it for analysis. This happened again about an hour later on a different System Volume Information Restore exe on the same hard drive. Each time NOD32 said that svchost had modified this file. No action was taken on the second alert.

    Today, I did a full scan with the AVIRA Rescue CD (latest virus definitions) and got the same problem (same hard drive) but I have taken no action. The Trojan was stated by AVIRA to be TR/FLUX.CF. How can you make these System Volume Information Restore exe's visible so that you can upload them to VirusTotal? What other action would you recommend? The AVIRA did not report any Malware on the System Partition.

    Thanks in Advance.
     
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I am pretty sure that the problem is coming from a very old version of some software that I have (Total Recorder). About one third of the VirusTotal scanners either said that it was a Trojan or labeled it Suspicious. I have a tendency to save older versions of software. I decided to consider it a false positive and I deleted all of the older versions.

    Again, what is the best way to make sure that any traces of this older version are eliminated from the System Volume Restore exe? Do I just remove all but the most recent restore point today and repeat this in a couple of days?

    Thanks in Advance.
     
  3. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,936
    Location:
    U.S.A.
    TheKid7, perhaps the best way to delete all but the most recent restore point is to use Disk Cleanup (Start > Accessories > System Tools > Disk Cleanup > Select Drive > More Options tab) and under the System Restore section, click the Clean Up button.

    The System Volume Information folder is normally hidden from view and you should not delete the restore points manually because I read somewhere that some restore points will contain pointers to earlier restore points and the contents of each are not complete. Deleting at will can yield useless data. However, if you want to see what you have, prior to using Disk Cleanup, read this: How to gain access to the System Volume Information folder.

    If you want to decrease the amount of disk space that System Restore uses (12% default) on a drive, go to Control Panel > System > System Restore tab. Select the appropriate drive and click the Settings button. I have my backup drive set at 1%. Hope the info helps.
     
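The "keep only the most recent restore point" clean-up described in the post above, as an added example that is not from the thread or from any of its participants: on Windows Vista and later, restore points are VSS shadow copies, so an administrator can list the copies backing a given drive (with creation times, which is useful when deciding whether a detection in a restore point is stale) and remove all but the newest one. It assumes an elevated Windows PowerShell 5.x session (Get-WmiObject is not in PowerShell 7) and is a dry run unless -Delete is given; -WhatIf is also honoured.

```powershell
# Added example: inspect and prune the shadow copies (restore points) of one volume.
# Assumes Windows Vista+ and an elevated Windows PowerShell 5.x session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]:$')][string]$Drive,
    [switch]$Delete
)

# Win32_ShadowCopy names volumes by their \\?\Volume{GUID}\ path, so map the letter first.
$volume = Get-WmiObject Win32_Volume -Filter "DriveLetter='$Drive'"
if (-not $volume) { throw "No volume is mounted at $Drive" }

$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    ForEach-Object {
        [PSCustomObject]@{
            Id      = $_.ID
            # InstallDate is a DMTF timestamp string; convert it to a real DateTime.
            Created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            Device  = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            Raw     = $_
        }
    } | Sort-Object Created

if (-not $shadows) { Write-Host "No shadow copies (restore points) found on $Drive"; return }

Write-Host "Shadow copies on $Drive, oldest first:"
$shadows | Format-Table Id, Created, Device -AutoSize | Out-Host

if ($Delete) {
    # Keep the newest copy, matching Disk Cleanup's "all but the most recent" behaviour.
    $toRemove = $shadows | Select-Object -SkipLast 1
    foreach ($s in $toRemove) {
        if ($PSCmdlet.ShouldProcess("$($s.Id) created $($s.Created)", "Delete shadow copy")) {
            $s.Raw.Delete()   # deleting the WMI instance removes the shadow copy
        }
    }
}
```

To examine a flagged file before deleting anything (the question raised in the first post), the Device path of a copy can be exposed with `mklink /d C:\shadow "<DeviceObject>\"` from an elevated command prompt, after which its contents can be copied out for submission to a scanner.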
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Thanks.

    I restored the Quarantined System Volume exe file. Then I cleared out all but the latest Restore Point and performed scans of that hard drive with NOD32, a-squared Free & SuperAntiSpyware Free and there were no reports of any Malware. I am assuming that the hard drive is clean.
     
  5. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,936
    Location:
    U.S.A.
    TheKid7, you're welcome! Good work. Take care.
     