Archived from groups: microsoft.public.windowsxp.security_admin (More info?)
I have a backdoor prorat.16 in C:\system volume information, it is
quarantined by Ad-Aware. Now I want to have a look at it... like where that
rat sends all the information. My problem is I can't find my System Volume
Information folder. It should be in C:\, but it isn't. Does anyone have an
answer?
heikki wrote:
> I have a backdoor prorat.16 in C:\system volume information, it is
> quarantined by Ad-Aware. Now I want to have a look at it... like where that
> rat sends all the information. My problem is I can't find my System Volume
> Information folder. It should be in C:\, but it isn't. Does anyone have an
> answer?
The System Volume Information is the hidden, protected operating
system folder in which WinXP's System Restore feature stores
information used to recover from errors. It's really not a good idea
for you, or an antivirus application, to directly access the contents
of that folder, unless you expect to have no future use for the
restore points, in which case it would be simpler just to turn off the
System Restore feature.
To clear viruses or other malware from the "System Volume
Information," simply turn off the System Restore feature (Start > All
Programs > Accessories > System Tools > System Restore, System Restore
Settings), reboot, then re-enable System Restore, and reboot one last
time. This will delete all of your Restore Points, including the
corrupted one(s), and allow you to start with a clean slate.
It is generally best to leave this folder, which is used by System Restore,
alone, but I understand your purpose of doing some forensic analysis. I
would strongly recommend that after you do what you need to do, you change
the rights back to their original status and disable/re-enable System Restore to
clear the contents.
--
"heikki" <heikki@discussions.microsoft.com> wrote in message
news:71EA241C-55F7-4F08-95A0-CE262BEC1AD9@microsoft.com...
> I have a backdoor prorat.16 in C:\system volume information, it is
> quarantined by Ad-Aware. Now I want to have a look at it... like where that
> rat sends all the information. My problem is I can't find my System Volume
> Information folder. It should be in C:\, but it isn't. Does anyone have an
> answer?
On Sat, 18 Jun 2005 08:11:27 -0600, Bruce Chambers wrote:
>heikki wrote:
>> I have a backdoor prorat.16 in C:\system volume information, it is
>> quarantined by Ad-Aware. Now I want to have a look at it... like where that
>> rat sends all the information. My problem is I can't find my System Volume
>> Information folder. It should be in C:\, but it isn't. Does anyone have an
>> answer?
From Bart's PE, copy the file out and rename the .EXE to something
else so that it doesn't run. Then follow the advice about how to
purge SR. If you disabled SR on some volumes and/or reduced the
duhfault huge space allocation it grabs, then remember to check these
settings and re-apply them when enabling SR again.
> The System Volume Information is the hidden, protected operating
>system folder in which WinXP's System Restore feature stores
>information used to recover from errors. It's really not a good idea
>for you, or an antivirus application, to directly access the contents
>of that folder, unless you expect to have no future use for the
>restore points, in which case it would be simpler just to turn off the
>System Restore feature.
Hence Copy and Rename, not Move, or Rename and Copy.
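A worked version of the find, grant-access, copy-and-rename, revoke procedure described in the replies above, added here as an example rather than anything posted in the thread. It assumes an NTFS C: volume, an Administrator account, and a hypothetical sample path and output folder (on FAT32 there is no ACL, so the cacls steps are not needed; the folder is still hidden+system):

```batch
@echo off
REM Added example (not from the thread): copy a file that Ad-Aware flagged inside
REM a System Restore point out of System Volume Information for offline analysis,
REM then put the folder's ACL back the way it was.
REM Assumptions (hypothetical): NTFS volume C:, run as an Administrator,
REM SAMPLE is the flagged file; the restore-point GUID and file name are placeholders.
setlocal
set "SVI=C:\System Volume Information"
set "SAMPLE=%SVI%\_restore{PLACEHOLDER-GUID}\RP1\A0000001.exe"
set "OUTDIR=C:\forensics"

REM 1. The folder is hidden+system, so a plain DIR does not list it; /a:sh does.
dir /a:sh "C:\" | find /i "System Volume Information" >nul || (
    echo System Volume Information not found on C:. Is System Restore enabled for C:? & exit /b 1
)

REM 2. By default only SYSTEM has access. Grant the current user read access;
REM    cacls /E edits the existing ACL instead of replacing it.
cacls "%SVI%" /E /G "%USERNAME%:R" >nul || (
    echo Could not change the ACL. NTFS volume? Administrator account? & exit /b 1
)

REM 3. COPY, never MOVE, and rename away the .exe extension so the copy cannot be
REM    launched by accident. The original stays in the restore point until SR is purged.
if not exist "%OUTDIR%" mkdir "%OUTDIR%"
copy /b "%SAMPLE%" "%OUTDIR%\A0000001.exe.bin" >nul || (
    echo Copy failed: check the SAMPLE path. & goto :cleanup
)
echo Sample copied to "%OUTDIR%\A0000001.exe.bin" for offline analysis.

:cleanup
REM 4. Revoke the read grant so the folder is SYSTEM-only again, then purge SR
REM    (disable, reboot, re-enable, reboot) as described above.
cacls "%SVI%" /E /R "%USERNAME%" >nul
endlocal
```

The revoke step runs whether or not the copy succeeded, so the folder is not left readable after the script ends.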