Tricky Problem....


23 replies to this topic

#1 Trellion

Posted 04 May 2009 - 03:35 AM

Hey guys, I'm hoping I can get this bit resolved. I've been working on this problem for the past week or so and haven't found many solutions, so here's to hoping that help can still be found!

My anti-virus is the NOD32 system. I do an in-depth analysis every now and then just to keep tabs on my system, make sure no viruses and such have cropped up, etc. Now normally, nothing comes up, but just the other day, I was scanning and NOD32 alerts me to an "infected file" in my System Volume Information folder on one of my two drives. I utilize two hard-drives, C and D. C has all program files and my OS installation, and D is only used for storage of pictures, music, and the like. I've managed to take a look in this folder after granting myself admin. rights, and found the exact file that is supposedly infected - it is apparently some form of Nero installation. I do not have Nero installed, but apparently this is the .exe launcher for an installation, possibly left in a restore point. NOD32 states that it is infected with a toolbar.asksbar application of some sort - some form of malware?

Now then, perhaps this is nothing to worry about, but for ease of mind I would rather the matter be taken care of while it's not much of a problem. I've tried shutting down System Restore on both drives to clear the restore points and in turn the suspected file, but it still appears in my scans and, lo and behold, the files are all still there when I take a look in the directory itself. The strange thing is, I've been doing scans of my computer since installing Vista x64 in January, and this file never cropped up, yet according to the Nero launcher, it was created in late January, very confusing indeed. If the problem can't be taken care of, I'm quite tempted to wipe the whole drive and start over, recovering as much of my information before doing so as I can.

Anywho, sorry this turned into such a long post. As you can imagine, this problem has been driving me mad for the past week and I certainly do not want to cause a fuss. Any help on the matter is truly appreciated in advance, and thank you for taking the time to read my post!

#2 garmanma

Posted 04 May 2009 - 08:50 AM

System Volume Information folder is for System Restore
You have an infected restore point. Delete it and create a new one

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.



If you have any more trouble we'll move you to Am I Infected?

Edited by garmanma, 04 May 2009 - 08:58 AM.

Mark

#3 Trellion

Posted 04 May 2009 - 07:15 PM

Alright, I tried Disk Cleanup, as well as turning System Restore on and off again, yet both times the files - I'm assuming they are restore points or shadow copies - remain in my System Volume Information folder. In fact, I can actually go into the folder and find the exact file that is supposedly the culprit, but for reasons unknown to me, I cannot delete the little blighter. I have given myself admin. rights as well as full privileges to the file and all its subfolders, just to get rid of that one Nero .exe that is supposedly infected, but to no avail. Thank you for the quick reply of course, but it appears I am still at square one for the time being.

#4 Trellion

Posted 05 May 2009 - 12:45 AM

I think it might be best if this post were moved to the Am I Infected? forum. I am not sure what else I can do here, but I am thinking that getting rid of those shadow copies/restore points is merely a problem with Vista, not a virus.

#5 tg1911

Posted 05 May 2009 - 01:14 AM

Moved to AII, as requested.

#6 quietman7

Posted 05 May 2009 - 07:59 AM

NOD32 alerts me to an "infected file" in my System Volume Information folder on one of my two drives

Exactly where? Provide the full path (location) and file name.

Restore points in the SVI folder are identified as _restore{GUID}\RP***\A00*****.xxx file(s) where the *** after RP represents a sequential number. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension.

In addition to System Restore points, the SVI folder is where the operating system stores other important information such as:
  • Registry configuration information for application, user, and operating system settings.
  • Windows File Protection files in the dllscache folder.
  • COM+ Database; Windows Management Instrumentation Database.
  • IIS Metabase configuration.
  • Distributed Link Tracking Service databases used to automatically repair and maintain links, such as Shell Shortcuts and OLE links, to files on NTFS volumes.
  • Content Indexing Service databases for fast file searches.
  • Information used by the Volume Shadow Copy Service (also known as "Volume Snapshot") so you can back up files on a live system.
  • Files with extensions listed in the Monitored File Extensions list and Local Profiles.
Inside the SVI folder there is a sub-folder named "_restore{75FEF8DD-9121-4963-A5E8-46DB4BB6F162}" (the GUID will vary) and usually two files:
MountPointManagerRemoteDatabase <- 0 byte system file associated with Dynamic Disks/Volumes
tracking.log <- maintenance information stored by the DLT Client service

Inside the sub-folder _restore, there will be another directory called snapshot where you will find a complete registry dump, including a file called _REGISTRY_MACHINE_SAM, which is the SAM file for the machine.

The SVI folder also stores other important information such as:
  • Tracking.log files created by the Distributed Link Tracking Service to store maintenance information.
  • Efs0.log files created by the Encrypting File System (EFS) generated during the encryption and decryption process.
  • Drivetable.txt which holds the System Restore drive letters list, and stores other configuration information such as System Restore space allocation information for each drive.
  • Sr-reg.txt which contains the System Restore registry settings.
  • Rstrlog.txt which contains the restore log file for the last completed restore.
  • Fifo.log which contains the FIFO (first in first out) restore points if there are any.
  • Rp.log or SP-RP.log which contains the list of restore points (name/type/time).
  • SR-chglog.log which contains the change log of file operations on each drive for all restore points.
  • SR-filelist.log which contains a list of all the files that were collected by Srdiag.exe.
The reason the SVI folder is protected is to prevent programs from using or manipulating the files that are inside. These files are inactive while in the data store and are not used by any utility other than System Restore.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 Trellion

Posted 05 May 2009 - 06:26 PM

Alright then, the full path is as follows:

D:\System Volume Information\_restore{7BE20986-B006-48E1-8BEC-0BCDC21F013F}\RP164\A0052645.exe

The file was created some time ago, before Christmas. I had been doing scans of my system routinely though, even then. Could this be an infection from recently? I never had a virus crop up though, at least as far as I know. The file is obviously some kind of Nero installation judging from its icon. It is infected with an application known as toolbar.asksbar - any thoughts as to what exactly that is? Is it a form of spyware, malware, or some mistake by NOD32? Thank you for all the help so far, of course.

#8 Trellion

Posted 05 May 2009 - 06:34 PM

Okay, an idea came upon me just a moment ago - considering the virus definitions are always updating for NOD32, could it classify this old program as a virus when technically it isn't? I will admit, a while back I needed a program to burn DVDs with (family movies, long story, hah) and my brother lent me that CD. I ended up installing it, but removing it, I believe. I think I used the Windows DVD Maker when I found there was one, hmph. Anywho, could that be the problem? And if so, how can I remove the file, or should I just leave it be and tell NOD32 to ignore it? If that is the case, I am going to be shocked that I essentially ripped apart my computer and lost a week's worth of work over a silly little thing like this, hah!

#9 Trellion

Posted 06 May 2009 - 12:41 AM

Bumping to keep this visible, in hopes of a reply from quietman7. Sorry for any inconvenience.

#10 quietman7

Posted 06 May 2009 - 08:41 AM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI), which is a part of System Restore. As I said before, the *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume, including most external drives and some USB flash drives.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a malicious file was detected in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove these file(s), as garmanma already indicated, the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.

considering the virus definitions are always updating for NOD32, could it classify this old program as a virus when technically it isn't?

Yes, it could be a "false positive" and it may not show in future scans when the database is updated. If it does, then I would report the detection to NOD32 Technical Support so they can investigate.
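Posts #6 and #10 above describe the _restore{GUID}\RP***\A00*****.xxx layout of a System Restore data store. The Python parser below is an added example, not code from this thread, from ESET or from any tool mentioned here; it assumes that XP/Vista-era naming convention and uses the path Trellion reported as its sample input, so a scanner hit can be classified as a restore-point backup (purge via Disk Cleanup / a new restore point) rather than a live file.

```python
import re
from dataclasses import dataclass
from typing import Optional

# System Restore data-store layout described in the thread (XP/Vista era):
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\A00<nnnnn>.<ext>
# RP<n> is the sequential restore-point number; A00<nnnnn> is the sequential
# backup number the original file was renamed to, keeping only its extension.
_SVI_BACKUP = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\"
    r"_restore\{(?P<guid>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}\\"
    r"RP(?P<rp>\d+)\\"
    r"A00(?P<seq>\d+)(?P<ext>\.[^\\.]+)?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RestorePointBackup:
    drive: str          # volume whose SVI folder holds the restore point
    guid: str           # _restore{GUID} data-store id (varies per volume)
    restore_point: int  # number after "RP"
    backup_seq: int     # number after "A00"
    extension: str      # the only part of the original file name that survives


def parse_svi_path(path: str) -> Optional[RestorePointBackup]:
    """Parse a scanner-reported path; None if it is not a restore-point backup."""
    m = _SVI_BACKUP.match(path.strip())
    if m is None:
        return None
    return RestorePointBackup(
        drive=m.group("drive").upper(),
        guid=m.group("guid").upper(),
        restore_point=int(m.group("rp")),
        backup_seq=int(m.group("seq")),
        extension=(m.group("ext") or "").lower(),
    )


def describe_hit(path: str) -> str:
    """One-line triage verdict for an anti-virus detection at `path`."""
    hit = parse_svi_path(path)
    if hit is None:
        return "not a System Restore backup: treat as a live file on the volume"
    return (
        f"System Restore backup on {hit.drive}: (restore point RP{hit.restore_point}, "
        f"backup #{hit.backup_seq}, original extension '{hit.extension or 'none'}'); "
        "remove by purging restore points, not by deleting the file directly; "
        "the original file name is not recoverable from this path"
    )


if __name__ == "__main__":
    # Sample input: the path NOD32 reported in this thread.
    sample = (r"D:\System Volume Information"
              r"\_restore{7BE20986-B006-48E1-8BEC-0BCDC21F013F}\RP164\A0052645.exe")
    print(describe_hit(sample))
```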

#11 Trellion

Posted 06 May 2009 - 10:37 PM

Well, when I found that the System Volume Information folder was the home for System Restore, I assumed I had an infected restore point, so I disengaged System Restore, wiping all previous points, and re-enabled it. The infection still pops up. I have cleared all previous restore points. So wouldn't creating a new restore point with this supposedly infected file still there only put me back at square one anyway? All I am trying to do is get rid of this one file. It may not even truly be a threat, but for ease of mind, I would like to keep clean scan results with routine diagnostics.

#12 quietman7

Posted 07 May 2009 - 08:25 AM

If the Nero program (and responsible file) is still on your system, then it's probably being backed up in System Restore when the new restore points are created. If that's the case, then it will continue to be re-created and detected until the program is removed from your system or you contact NOD32 Support so they can investigate and correct the detection.

#13 Trellion

Posted 07 May 2009 - 08:02 PM

Ah, okay. Well, that's all good and well then, but how do I delete the files? I've scoured ESET's forums and it doesn't look like anyone else has had this type of problem thus far. How exactly can I delete these files? I have admin. access and privileges to the folder itself, but I am not able to delete anything. I have cleared all of my restore points in the past and it was still there anyway, so something tells me it might not be a restore point that is the problem. The full location path is as follows:

D:\System Volume Information\_restore{7BE20986-B006-48E1-8BEC-0BCDC21F013F}\RP164\A0052645.exe

Now, do those numbers appear to mark any other sub-system besides system restore? If not, then how can I delete the bloody thing and move on? Thank you very much for your help thus far, of course.

#14 Trellion

Posted 08 May 2009 - 10:18 AM

Hello again, bumping for a reply from quietman7, sorry for any inconvenience, of course.

Also, I've tried the disk clean-up method, the vssadmin method (as much as I could figure), and the "uncheck drives in system protection" method of deleting restore points. Granted, some files do indeed disappear, but the infected file is always there. I'm assuming that those folders, the RP### are restore points, no? Those are what I need to clean, so what exactly are they? I assumed RP stood for restore point, and they are indeed numbered in a convincing fashion so as to be restore points from various dates.

#15 quietman7

Posted 08 May 2009 - 01:47 PM

Reread post #6 and post #10 where I explained what RP and the numbers after them represent. The links I provided for Restore Point Forensics and Forensic Analysis of System Restore Points in Microsoft Windows XP provide detailed information.

So yes, you are dealing with a restore point in the SVI folder. And as I already explained, if the Nero program (and responsible file) is still on your system, then it's getting backed up in System Restore when the new restore points are created, even after purging the old ones. It will continue to be re-created and detected until the program is removed from your system so it is no longer backed up in System Restore, you turn System Restore off (which I do not recommend), or you contact NOD32 Support so they can investigate and correct the detection.

Since you know the responsible Nero file that is creating the backup in SR, have you submitted that file to Jotti's virusscan or VirusTotal for a second opinion? In the "File to upload & scan" box, browse to its location and submit (upload) it for scanning/analysis.

Keep in mind that I am going on the information that you have provided about the detection being related to a legitimate Nero file. I have used NOD32 for a long time and in every case I had to contact support, they responded in a timely manner with an answer. You can also contact and advise Nero Support, who may be able to push things along in order to find out why that file is being detected after it's backed up in SR.



