unable to detect virus, or how to search inside my "c:\system volume information" fol

Discussion in 'malware problems & news' started by earnest, Dec 14, 2006.

Thread Status:
Not open for further replies.
  1. earnest

    earnest Registered Member

    Joined:
    Dec 14, 2006
    Posts:
    2
    hello,

    I ran a scan using Kaspersky Antivirus to search through the "c:\system volume information" folder, which is also called "system backup storage", and it found a virus: "c:\system volume information\_restore{775e3619-1f84-4c9c-bc6a-1a387f32765b}\rp727\a0176656.dll". The virus is: "detected: Trojan program Trojan-Downloader.Win32.Busky.gen File: C:\System Volume Information\_restore{775E3619-1F84-4C9C-BC6A-1A387F32765B}\RP727\A0176656.dll"
    Is there a way to set NOD32 to check and clean these areas as well?

    thanks very much
     
  2. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
  3. earnest

    earnest Registered Member

    Joined:
    Dec 14, 2006
    Posts:
    2
    Re: unable to detect virus, or how to search inside my "c:\system volume information"

    Thanks GF for the kind and valuable help.
    I now want to ask a different question:
    Suppose I hadn't used the Kaspersky scan at all; I wouldn't have known I have a virus enjoying the comforts of the "system volume information" folder. I mean, my NAV32 configuration, as it seems, will not check these areas at all.
    I was wondering if there is a way to set NOD to check these areas?
    I understand now that if I cancel the "System Restore" option I would have access to the "system volume information" folder and also would be able to scan or clean the infected files contained there. Did I understand it correctly?
    And a last question from a mere layman: I wanted to know if there is another way out of it as well. How come some antivirus programs do have access to the "system volume information" areas while others do not?
    Thanks for the precious help!
     
  4. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Concerning NAV32, the System Volume Information folder is excluded by default in Norton. HOWEVER, all you need to do is go into the scanning options and remove this exclusion. Personally I remove ALL exclusions that show up in Norton's default settings so that everything is always scanned...all files, folders, and extensions.

    This does not mean that Norton will be able to clean infections in the System Volume Information folder after it detects them. The standard way to clean out this folder is to temporarily turn off System Restore. That is why if you look at the Symantec web pages concerning cleaning infections, they almost invariably state to turn off System Restore and then turn it back on. I feel it is best to turn it off, reboot the computer, and then turn it back on.
     
  5. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Re: unable to detect virus, or how to search inside my "c:\system volume information"

    This new NAV32 will be tested in the next AV comparative test ;) :eek:
     
    Last edited: Dec 15, 2006
  6. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Not quite, earnest .... disabling sys restore *deletes* ALL previous snapshots, thereby *flushing* any holdouts (sm01's final comments sum it up correctly). Now I've no experience with the scanning options of either nod or kis, but I do know (if it's XP you're on) you would need to make an access adjustment on the folder itself, safe mode being the easiest if it's Home. This should allow scanning (with any av) individual restore folders in an effort to determine which is infected. When you finally reach that point it becomes a bit of trial and error on your part as to what nod can or cannot clean; this I am unsure of.

    FYI .... all but the latest restore point may be removed.


    GF
     
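The "access adjustment on the folder itself" that GlobalForce describes, as an added example that is not part of any post in this thread: a cmd.exe batch script for Windows XP on NTFS that temporarily grants the current administrator account access to C:\System Volume Information with the stock cacls.exe, lists the _restore{GUID}\RPnnn restore-point folders so an on-demand scanner can be pointed at them, and then removes the grant again. It assumes an administrator account (on XP Home, run it from safe mode, as GlobalForce notes), the drive letter C:, and that the antivirus on-demand scan is started separately against the listed paths; no AV command line is assumed.

```batch
@echo off
rem Added example (not from this thread): temporarily open up
rem C:\System Volume Information on Windows XP (NTFS) so restore
rem points can be scanned, then lock it down again.
rem Assumes: cmd.exe run by an administrator account, stock cacls.exe.
rem On XP Home this must be run from safe mode.

set "SVI=C:\System Volume Information"

rem 1. Add a full-control grant for the current user.
rem    /E edits the existing ACL instead of replacing it (leaving the
rem    SYSTEM entry intact), /G adds a grant, F = full control.
cacls "%SVI%" /E /G %USERNAME%:F
if errorlevel 1 (
    echo Could not change the ACL on "%SVI%" - run from an administrator account.
    exit /b 1
)

rem 2. Each _restore{GUID} folder belongs to one volume; each RPnnn
rem    subfolder inside it is one restore point. List them so the
rem    on-demand scanner can be pointed at individual restore points
rem    (or at "%SVI%" as a whole) to find which one holds the detection.
echo Restore-point folders under "%SVI%":
for /d %%S in ("%SVI%\_restore*") do (
    for /d %%R in ("%%S\RP*") do echo   %%R
)

rem 3. Run the antivirus on-demand scan against those paths now, then
rem    remove the temporary grant so the folder is restricted again.
rem    /R revokes every ACE for the named user.
cacls "%SVI%" /E /R %USERNAME%
```

If the scanner reports that it cannot open files inside the RPnnn folders even after the grant, add /T to the first cacls line so the grant is applied to the subfolders and files as well, and use /T on the revoke line too. Note that this only makes the restore points readable for a scan; as siliconman01 says, cleaning what is found there still normally means turning System Restore off and back on, which discards every restore point.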