Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AVG, forced removal.


  • Please log in to reply
3 replies to this topic

#1 LauraCah

LauraCah

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 20 March 2010 - 12:32 AM

Hi,
I have Spyware Terminator, AVG Free, and Malwarebytes dled. Spyware Terminator scans are clean, but when I run AVG I'm getting two results for 'Spyware'. One is "C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP346\A0112493.exe";"Adware Toolbar.CJ";"Potentially dangerous object"
and the other is "C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP346\A0112493.exe:\ns_00567";"Adware Toolbar.CJ";"Potentially dangerous object"

Both are Adware Toolbar.CJ
Typically I would remove these by clicking 'remove all unhealed infections'. But when I do, a warning pops up saying that forced removal could cause system instability or crash, and it gives me an option to remove anyway. Is it safe to forcably remove these infections?
And what kind of infection is that anyway? Thanks!

Edited by LauraCah, 20 March 2010 - 12:33 AM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,959 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:05 PM

Posted 20 March 2010 - 07:05 AM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. See What's Restored when using System Restore and What's Not.

The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume including most external drives, and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most anti-virus and scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

Note: A Potentially Unwanted Program (PUP) is a very broad threat category that can include any number of different programs to include those which are benign as well as malicious. They may also be defined somehwat differently by various security vendors.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 LauraCah

LauraCah
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 20 March 2010 - 05:22 PM

Ran the scan again after emptying the virus vault and it didn't detect any infections. If the problems happens again I'll try what you said. Thanks!

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,959 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:05 PM

Posted 21 March 2010 - 06:37 AM

You're welcome.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users