system volume information

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I have a backdoor prorat.16 in C:\system volume information, it is
quarantine by ad-aware. Now i wan't to have a look at it... like where that
rat send all the information. My problem is I can't find my system volume
information folder. It should be in C:\ , but it isn't. Does anyone have an
answare?

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

heikki wrote:
> I have a backdoor prorat.16 in C:\system volume information, it is
> quarantine by ad-aware. Now i wan't to have a look at it... like where that
> rat send all the information. My problem is I can't find my system volume
> information folder. It should be in C:\ , but it isn't. Does anyone have an
> answare?



The System Volume Information is the hidden, protected operating
system folder in which WinXP's System Restore feature stores
information used to recover from errors. It's really not a good idea
for you, or an antivirus application, to directly access the contents
of that folder, unless you expect to have no future use for the
restore points, in which case it would be simpler just to turn off the
System Restore feature.

To clear viruses or other malware from the "System Volume
Information," simply turn off the System Restore feature (Start > All
Programs > Accessories > System Tools > System Restore, System Restore
Settings), reboot, then re-enable System Restore, and reboot one last
time. This will delete all of your Restore Points, including the
corrupted one(s), and allow you start with a clean slate.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

You'll need to turn-off System Restore, reboot, then turn it back on.
The virus has infected your System Restore folder (system volume information).

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405&Product=winxp

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Get Windows XP Service Pack 2 with Advanced Security Technologies:
http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

-------------------------------------------------------------------------------------------

"heikki" wrote:

| I have a backdoor prorat.16 in C:\system volume information, it is
| quarantine by ad-aware. Now i wan't to have a look at it... like where that
| rat send all the information. My problem is I can't find my system volume
| information folder. It should be in C:\ , but it isn't. Does anyone have an
| answare?

 

[GTS]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

To answer the question you actually asked - See How to gain access to the
System Volume Information folder
http://support.microsoft.com/default.aspx?scid=kb;en-us;309531

It is generally best to leave this folder, which is used by System Restore,
alone but I understood your purpose of doing some forensic analyses. I
would strongly recommend that after you do what you need to do you change
rights back to the original status and disable/re-enable system restore to
clear the contents.
--

"heikki" <heikki@discussions.microsoft.com> wrote in message
news:71EA241C-55F7-4F08-95A0-CE262BEC1AD9@microsoft.com...
>I have a backdoor prorat.16 in C:\system volume information, it is
> quarantine by ad-aware. Now i wan't to have a look at it... like where
> that
> rat send all the information. My problem is I can't find my system volume
> information folder. It should be in C:\ , but it isn't. Does anyone have
> an
> answare?

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On Sat, 18 Jun 2005 08:11:27 -0600, Bruce Chambers
>heikki wrote:

>> I have a backdoor prorat.16 in C:\system volume information, it is
>> quarantine by ad-aware. Now i wan't to have a look at it... like where that
>> rat send all the information. My problem is I can't find my system volume
>> information folder. It should be in C:\ , but it isn't. Does anyone have an
>> answare?

From Bart's PE, copy the file out and rename the .EXE to something
else so that it doesn't run. Then follow the advice about how to
purge SR. If you disabled SR on some volumes and/or reduced the
duhfault huge space allocation it grabs, then remember to check these
settings and re-apply them when enabling SR again.

> The System Volume Information is the hidden, protected operating
>system folder in which WinXP's System Restore feature stores
>information used to recover from errors. It's really not a good idea
>for you, or an antivirus application, to directly access the contents
>of that folder, unless you expect to have no future use for the
>restore points, in which case it would be simpler just to turn off the
>System Restore feature.

Hence Copy and Rename, not Move, or Rename and Copy.



>------------------------ ---- --- -- - - - -
Forget http://cquirke.blogspot.com and check out a
better one at http://topicdrift.blogspot.com instead!
>------------------------ ---- --- -- - - - -