system volume information

Archived from groups: microsoft.public.windowsxp.security_admin

I have a backdoor prorat.16 in C:\system volume information, it is
quarantined by Ad-Aware. Now I want to have a look at it... like where that
RAT sends all the information. My problem is I can't find my System Volume
Information folder. It should be in C:\, but it isn't. Does anyone have an
answer?
  1.

    heikki wrote:
    > I have a backdoor prorat.16 in C:\system volume information, it is
    > quarantined by Ad-Aware. Now I want to have a look at it... like where that
    > RAT sends all the information. My problem is I can't find my System Volume
    > Information folder. It should be in C:\, but it isn't. Does anyone have an
    > answer?


    The System Volume Information is the hidden, protected operating
    system folder in which WinXP's System Restore feature stores
    information used to recover from errors. It's really not a good idea
    for you, or an antivirus application, to directly access the contents
    of that folder, unless you expect to have no future use for the
    restore points, in which case it would be simpler just to turn off the
    System Restore feature.

    To clear viruses or other malware from the "System Volume
    Information," simply turn off the System Restore feature (Start > All
    Programs > Accessories > System Tools > System Restore, System Restore
    Settings), reboot, then re-enable System Restore, and reboot one last
    time. This will delete all of your Restore Points, including the
    corrupted one(s), and allow you to start with a clean slate.


    --

    Bruce Chambers

    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    You can have peace. Or you can have freedom. Don't ever count on having
    both at once. - RAH
  2.

    You'll need to turn off System Restore, reboot, then turn it back on.
    The virus has infected your System Restore folder (system volume information).

    How to Turn On and Turn Off System Restore in Windows XP
    http://support.microsoft.com/default.aspx?scid=kb;en-us;310405&Product=winxp

    --
    Carey Frisch
    Microsoft MVP
    Windows XP - Shell/User
    Microsoft Newsgroups

    Get Windows XP Service Pack 2 with Advanced Security Technologies:
    http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

    -------------------------------------------------------------------------------------------

    "heikki" wrote:

    | I have a backdoor prorat.16 in C:\system volume information, it is
    | quarantined by Ad-Aware. Now I want to have a look at it... like where that
    | RAT sends all the information. My problem is I can't find my System Volume
    | Information folder. It should be in C:\, but it isn't. Does anyone have an
    | answer?
  3.

    To answer the question you actually asked - See How to gain access to the
    System Volume Information folder
    http://support.microsoft.com/default.aspx?scid=kb;en-us;309531

    It is generally best to leave this folder, which is used by System Restore,
    alone, but I understood your purpose of doing some forensic analysis. I
    would strongly recommend that after you do what you need to do you change
    rights back to the original status and disable/re-enable system restore to
    clear the contents.
    --

    "heikki" <heikki@discussions.microsoft.com> wrote in message
    news:71EA241C-55F7-4F08-95A0-CE262BEC1AD9@microsoft.com...
    > I have a backdoor prorat.16 in C:\system volume information, it is
    > quarantined by Ad-Aware. Now I want to have a look at it... like where
    > that
    > RAT sends all the information. My problem is I can't find my System Volume
    > Information folder. It should be in C:\, but it isn't. Does anyone have
    > an
    > answer?
  4.

    On Sat, 18 Jun 2005 08:11:27 -0600, Bruce Chambers
    >heikki wrote:

    >> I have a backdoor prorat.16 in C:\system volume information, it is
    >> quarantined by Ad-Aware. Now I want to have a look at it... like where that
    >> RAT sends all the information. My problem is I can't find my System Volume
    >> Information folder. It should be in C:\, but it isn't. Does anyone have an
    >> answer?

    From Bart's PE, copy the file out and rename the .EXE to something
    else so that it doesn't run. Then follow the advice about how to
    purge SR. If you disabled SR on some volumes and/or reduced the
    duhfault huge space allocation it grabs, then remember to check these
    settings and re-apply them when enabling SR again.

    > The System Volume Information is the hidden, protected operating
    >system folder in which WinXP's System Restore feature stores
    >information used to recover from errors. It's really not a good idea
    >for you, or an antivirus application, to directly access the contents
    >of that folder, unless you expect to have no future use for the
    >restore points, in which case it would be simpler just to turn off the
    >System Restore feature.

    Hence Copy and Rename, not Move, or Rename and Copy.


    >------------------------ ---- --- -- - - - -
    Forget http://cquirke.blogspot.com and check out a
    better one at http://topicdrift.blogspot.com instead!
    >------------------------ ---- --- -- - - - -
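The grant, copy-and-rename, then revoke sequence that answers 3 and 4 describe, written out as an added example for a Windows XP command prompt (it is not code from the thread, from Microsoft, or from KB 309531). It assumes an administrator account, NTFS on %SystemDrive%, and a placeholder path for the file Ad-Aware reported; the restore-point folder name and file name under SAMPLE_PATH are placeholders you must replace.

```batch
@echo off
REM Added example: preserve a quarantined sample from System Volume Information
REM for offline analysis without running it, then put the folder ACL back.
REM Assumptions: Windows XP, administrator account, NTFS system drive.
setlocal
set SVI=%SystemDrive%\System Volume Information
REM Placeholder path: replace with the exact path reported by Ad-Aware.
set SAMPLE_PATH=%SVI%\_restore{GUID-PLACEHOLDER}\RP00\PLACEHOLDER.exe
set EVIDENCE=%SystemDrive%\evidence

REM 1. Grant the current account read access. /E edits the existing ACL
REM    instead of replacing it; /T applies the change to subfolders too.
cacls "%SVI%" /E /T /G "%USERNAME%":R
if errorlevel 1 goto :fail

REM 2. COPY, never MOVE, so the restore point itself is left intact, and give
REM    the copy a non-executable extension so it cannot be run by accident.
if not exist "%EVIDENCE%" mkdir "%EVIDENCE%"
copy "%SAMPLE_PATH%" "%EVIDENCE%\prorat_sample.bin"
if errorlevel 1 goto :fail
echo Sample preserved as %EVIDENCE%\prorat_sample.bin

REM 3. Revoke the entry added in step 1 so rights return to their original state.
REM    Caveat: /R removes every ACE for that account on these objects, so only
REM    use it for an account that had no entry on the folder before step 1.
cacls "%SVI%" /E /T /R "%USERNAME%"
if errorlevel 1 goto :fail

echo Done. Now disable and re-enable System Restore (KB 310405) to purge
echo the infected restore points, as the earlier replies describe.
endlocal
exit /b 0

:fail
echo A step failed; check the ACL on "%SVI%" before continuing.
endlocal
exit /b 1
```

Run it from an elevated (administrator) command prompt; if the account already appears in the folder's ACL, replace step 3 with a manual review of the permissions rather than the blanket revoke.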