Weird files in SVI/_restore after reformatting


5 replies to this topic

#1 drool

Posted 05 August 2009 - 12:14 AM

Hello!

I am coming here with a virus problem that I have been battling for the last couple of very frustrating weeks.

It all started as usual with a double click on a wrong exe... :thumbsup:

After some research, I have found the files german.exe, winupgro.exe, and a lot of others, commonly associated with the Bagle rootkits.
And after 1 week of trying to get rid of it, I've decided to reformat, since my OS was getting heavy anyway (I run WIN XP 64x PRO), and the rootkits kept coming back.

Since the format, all has been going ok, till yesterday, when I started seeing my PC completely freeze for 30secs-1min with no apparent cause, every 5-10 mins or so. The freeze would be total, no mouse, no keys, no CTRL-ALT-DEL working.

After a bit of looking around, I have found very weird files in the folder:

F:\System Volume Information\_restore{0E95DAF6-B540-486E-9E20-2AD5075484A2}

There are some RPXX folders created when I restart, and they contain weird files, like change.log.1, A0007524.ini, and lots of A000xxxx.exe files, which, weirdly enough, display icons of the programs running in my taskbar.

I have tried to delete the files, disable system restore, scan with Malwarebytes, but with no luck, the files keep coming back after each restart, safe mode just crashes, and the thing still freezes every 5 mins or so. There is no trace of the old Bagle files tho, no winupgro.exe running, nothing in the Run registries, no /down folder in system32, etc.

I've got HijackThis installed, and I am waiting for your instructions on what to do.

Until then, the PC will stay offline...

Thank you a lot in advance for the help!

Drool


#2 quietman7

Posted 05 August 2009 - 10:23 AM

_restore{GUID}\RP***\A00*****.xxx file(s) in the System Volume Information Folder (SVI) are a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating system's configuration to an earlier date.

The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume including most external drives, and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

In addition to System Restore points, the SVI folder is where the operating system stores other important information such as:
  • Registry configuration information for application, user, and operating system settings.
  • Windows File Protection files in the dllscache folder.
  • COM+ Database; Windows Management Instrumentation Database.
  • IIS Metabase configuration.
  • Distributed Link Tracking Service databases used to automatically repair and maintain links, such as Shell Shortcuts and OLE links, to files on NTFS volumes.
  • Content Indexing Service databases for fast file searches.
  • Information used by the Volume Shadow Copy Service (also known as "Volume Snapshot") so you can back up files on a live system.
  • Files with extensions listed in the Monitored File Extensions list and Local Profiles.
Inside the SVI folder there is a sub-folder named "_restore{75FEF8DD-9121-4963-A5E8-46DB4BB6F162}" (the CLSID will vary) and usually two files:
MountPointManagerRemoteDatabase <- 0 byte system file associated with Dynamic Disks/Volumes
tracking.log <- maintenance information stored by the DLT Client service

Inside the sub-folder _restore, there will be another directory called snapshot where you will find a complete registry dumping including a file called _REGISTRY_MACHINE_SAM which is the SAM file for the machine.

The SVI folder also stores other important information such as:
  • Tracking.log files created by the Distributed Link Tracking Service to store maintenance information.
  • Efs0.log files created by the Encrypting File System (EFS) generated during the encryption and decryption process.
  • Drivetable.txt which holds the System Restore drive letters list, and stores other configuration information such as System Restore space allocation information for each drive.
  • Sr-reg.txt which contains the System Restore registry settings.
  • Rstrlog.txt which contains the restore log file for the last completed restore.
  • Fifo.log which contains the FIFO (first in first out) restore points if there are any.
  • Rp.log or SP-RP.log which contains the list of restore points (name/type/time).
  • SR-chglog.log which contains the change log of file operations on each drive for all restore points.
  • SR-filelist.log which contains a list of all the files that were collected by Srdiag.exe.
The reason the SVI folder is protected is to prevent programs from using or manipulating the files that are inside. These files are inactive while in the data store and are not used by any utility other than System Restore. You should not be tampering with this folder. Doing so could cause problems with proper system functioning.

By design System Restore runs in the background and will automatically create a new restore point every 24 hours (system checkpoints). Restore points can also be manually created by the user at any time.

In order to remove these file(s), the easiest thing to do is this:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a New Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
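As an added example (not code from this thread or from any BleepingComputer tool), here is a small Python triage script that checks file paths against the naming conventions described in the post above (RP*** folders, A00*****.xxx renamed copies, change.log.N, the snapshot registry dump and the known bookkeeping logs) and flags anything under _restore{GUID} that fits none of them. The sample listing is constructed to resemble the folder named in the thread; the RestoreEntry, classify and triage names are my own.

```python
import re
from typing import List, NamedTuple, Optional

class RestoreEntry(NamedTuple):
    drive: str
    guid: str
    rp: Optional[int]   # RP*** number; None for files outside an RP folder
    name: str           # final path component
    kind: str           # backup | change_log | snapshot | known_log | folder | unexpected

GUID_RE = re.compile(r"^_restore\{([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}$", re.I)
RP_RE = re.compile(r"^RP(\d+)$", re.I)
BACKUP_RE = re.compile(r"^A00\d{5}\.[^.]+$", re.I)  # A00*****.xxx: renamed copy, extension kept
CHANGE_LOG_RE = re.compile(r"^change\.log(?:\.\d+)?$", re.I)
KNOWN_LOGS = {"drivetable.txt", "sr-reg.txt", "rstrlog.txt", "fifo.log",
              "rp.log", "sp-rp.log", "sr-chglog.log", "sr-filelist.log"}

def classify(path: str) -> Optional[RestoreEntry]:
    parts = path.split("\\")
    if (len(parts) < 4 or not re.fullmatch(r"[A-Z]:", parts[0], re.I)
            or parts[1].lower() != "system volume information"):
        return None                      # not under a System Volume Information folder
    if not (m := GUID_RE.match(parts[2])):
        return None                      # not a _restore{GUID} data store
    rest, rp = parts[3:], None
    if rpm := RP_RE.match(rest[0]):
        rp, rest = int(rpm.group(1)), rest[1:]
    name = rest[-1] if rest else parts[-1]
    if rp is not None and len(rest) == 1 and BACKUP_RE.match(name):
        kind = "backup"
    elif rp is not None and CHANGE_LOG_RE.match(name):
        kind = "change_log"
    elif rest and rest[0].lower() == "snapshot":
        kind = "snapshot"      # registry hive dump, e.g. _REGISTRY_MACHINE_SAM
    elif name.lower() in KNOWN_LOGS:
        kind = "known_log"
    elif not rest:
        kind = "folder"        # the _restore{GUID} or RP*** directory itself
    else:
        kind = "unexpected"    # fits none of the conventions described in the post
    return RestoreEntry(parts[0][0].upper(), m.group(1).upper(), rp, name, kind)

def triage(paths: List[str]) -> List[str]:
    # Paths inside a _restore folder whose names fit no System Restore convention
    return [p for p in paths if (e := classify(p)) and e.kind == "unexpected"]

# Constructed sample listing, modelled on the folder named in the thread
BASE = r"F:\System Volume Information\_restore{0E95DAF6-B540-486E-9E20-2AD5075484A2}"
SAMPLE_PATHS = [BASE + r"\RP12\A0007524.ini", BASE + r"\RP12\A0007525.exe",
                BASE + r"\RP12\change.log.1", BASE + r"\RP12\snapshot\_REGISTRY_MACHINE_SAM",
                BASE + r"\drivetable.txt", BASE + r"\RP12\winupgro.exe"]
```

A name that is flagged as unexpected is only a triage lead: confirm it with a scanner or by hash before acting on it, since the SVI folder should otherwise be left alone as the post says.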

#3 drool

Posted 05 August 2009 - 10:37 AM

I have done the procedure you indicated, but the files are still there. XP created a new _restore folder right next to the old one, but cleanmgr didn't clean up the one with the files I thought were looking suspicious.

I have done full scans with BitDefender, and other online scans, plus Malwarebytes, and they found nothing, so I will consider that those files were normal. I will keep an eye on everything, but for now I think everything is OK.

Thank you again for the help!

Drool

#4 quietman7

Posted 05 August 2009 - 11:03 AM

Disk Clean up cleans the junk from your primary (C:\) drive only.

The path in those restore points you are concerned about is F:\

The System Restore tab in System Properties will show the status of drives it is monitoring or that are turned off. Since you need to remove files from a different drive, you can simply turn off that drive, then turn it on again as follows:
  • Right click on the My Computer icon on your desktop and select Properties.
  • Click on the System Restore tab.
  • Click on the drive you want to disable to highlight it and choose Settings.
  • Check the box that says "Turn off System Restore on this drive" and click OK.
  • Click Yes when prompted with "Do you want to turn off System Restore on this drive?".
  • Click Ok twice and Reboot.
  • To re-enable System Restore on that drive, follow steps 1-4, but in step 4, uncheck the "Turn off System Restore" check box and click Ok twice.


#5 drool

Posted 05 August 2009 - 01:22 PM

Yes, that is what I thought too. But enabling or disabling System Restore, on any or all hard disks doesn't seem to affect the folder in question, it's just always there.

Once I get home, I will try what you suggested, see if the folder disappears, and post what I find.

Thank you again for your suggestions, hopefully it is truly just a Restore point and nothing else.

Drool

#6 jedmitter

Posted 26 July 2010 - 12:34 AM

Hi,
I had the same problem: 3.5 GB of stuff in the SVI folder on my C drive.
I searched for a long time and found this program that got rid of the file for me. It also got rid of 1.5 GB of some hidden cache files of Windows Update and totally cleared 5.885 GB worth of junk.
After cleaning, I restarted and ran defrag, and the PC seems to be working just fine. I am not a PC savvy chap but I was totally confused on why my C drive was filling up when I was not saving anything there and many other cleaner programs were just not doing it.
Amazing nifty little program:
http://software.addpcs.com/tfc/index.php