[pchelpers] Re: Protected infection in system volume folder

  • From: "Ekhart GEORGI (last name last)" <Ekhart.GEORGI@xxxxxxxxxxx>
  • To: pchelpers@xxxxxxxxxxxxx
  • Date: Sun, 25 Oct 2009 22:42:07 +0200

>>> Did you know that the System Volume folder is where your system's
>>> Restore Points are stored? I apologize for not realizing this before
>>> now. The simplest way to handle this would have been to turn off System
>>> Restore temporarily, turn it back on, and then create a new Restore
>>> Point of your freshly cleaned system.
>>
>> You mean the System Volume Information folder, whereas John was talking
>> about a folder called simply "system" located in d:\system.
>>
>> On the other hand, I just now noticed that John wrote in the subject of
>> the thread a different name, "system volume folder"
>>
>> I also just remembered that the folder called "system" is in the Windows
>> folder and not the root folder in XP (which I seem to remember John is
>> using though he didn't say).
>>
>> Just what folder are you talking about, John?
>>
>>
> D:/System volume information
> C:/System volume information
> (the folder on C: claims to be empty)

OK, then besides the (still) erroneous forward slashes instead of 
backslashes, we now found another reason why you got error messages when 
running the attrib command, John: You also need to put double quotation 
marks (i.e. " ") around the path name in DOS commands when using names 
longer than 8 characters or with spaces.

George, you're indeed right that the fastest and simplest way to get rid 
of malware in that folder is to temporarily turn off System Restore. 
However, many malware experts advise against removing all restore points 
in the situation that most computers are in when attacked by malware for 
the following reason:

Even a malware-infected restore point is better than none at all, at 
least for most users. Instead of deleting all restore points, it's best 
to simply ignore malware found by antivirus scans in System Volume 
Information (because malware in there is completely harmless unless you 
use an old restore point) and to simply not use the restore points 
(unless you don't have any choice - and then you can get rid of the 
"resurrected" malware the normal way). The infected restore points are 
automatically removed when enough new ones have been made automatically 
or manually.

As Scott has pointed out before, antivirus programs that do not know how 
to access and clean restore points are simply badly written. They should 
either use the method Scott described to automatically access System 
Volume Information or shut up and not blurt out their incompetence and 
not simultaneously worry users unnecessarily :-) The very least they 
could do is explain to users that their computer has been cleaned of and 
is in no danger from the malware whose copy is in some restore point, 
but that they should not use restore points unless absolutely necessary. 
They should then advise users to make a new restore point and then use 
Disk Cleanup to remove all but the most recent restore point once the 
computer has run well for a few days.


-- 
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at //www.freelists.org/cgi-bin/lsg2.cgi
List archives at //www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.
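The quoting point and the restore-point sequence discussed above, as an added example that is not part of the original thread or the list's own material. It assumes an elevated Windows PowerShell session (2.0 or later) on a machine with System Restore enabled; the drive letter C: is the one John named, and the restore-point description is a made-up placeholder.

```powershell
# Added example (not from the original thread). Assumes an elevated Windows
# PowerShell session with System Restore enabled; "C:" is the drive John named.

# 1. Quoting: a path containing spaces must be wrapped in double quotes and
#    written with backslashes. Unquoted, attrib receives "C:\System", "Volume"
#    and "Information" as three separate arguments and reports an error.
$svi = 'C:\System Volume Information'
attrib /s /d "$svi\*"                        # quoted: attrib sees one path
# attrib /s /d C:/System Volume Information/*   # the failing form: slashes, no quotes
# NTFS grants only SYSTEM access to this folder by default, so "Access denied"
# (or a folder that appears empty) is normal and says nothing about whether a
# flagged restore point still holds a copy of the malware.

# 2. The advice in the post: leave the flagged restore point alone, make a
#    fresh one of the cleaned system, and let the old ones age out.
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, Description, CreationTime -AutoSize
Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                    -RestorePointType MODIFY_SETTINGS   # description is a placeholder

# 3. Once the machine has run well for a few days, the "remove all but the
#    most recent restore point" step is done in Disk Cleanup (More Options tab).
#    Listing the shadow copies first shows which ones back the restore points.
vssadmin list shadows /for=C:
cleanmgr.exe                                 # opens Disk Cleanup for the manual step
```

Only the attrib line is needed to reproduce the error message John saw; the rest documents the order (new restore point first, old ones removed later) so that the machine is never left without a restore point while it is being cleaned.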