Can't Delete Viruses in C:\System Volume Information

Hello. I have two viruses and they're located in C:\System Volume Information\_restore and I can't get rid of'em. I've tried turnin off System Restore on all drives and then turnin it back on, but they're still there. The odd thing is no other scanners are pickin'em up except for Kaspersky Online Scanner and Panda Activescan. Here's my HijackThis log, Kaspersky Online Scanner and Panda Activescan reports:

 

Hi Wham!
Welcome to Major Geeks!

We use a standard set of tools to help people. Please follow the set of instructions and links in the box and post the logs we request back to us. Please make sure to look at the add/remove programs list and also to rename HijackThis as per the instructions. Also, the order of the instructions in the READ ME is important.

​

abri

 

I did everythin as outlined in the "READ & RUN ME FIRST Before Asking for Support" Sticky thread as well as installin and runnin HijackThis per instructions. Afterwards, I did another scan with Kaspersky Online scanner and got the same two viruses and seven infected files. I've attached all the necessary logs for further support, thanx.

 

Here are the other 3 reports/logs.

 

Hi Wham!

Please go to add/remove programs and uninstall Viewpoint Media Player.

Can you post a log of what you're getting from the Kaspersky online scan?

Are you running your computer only with online scans, but without your own antivirus and firewall?

abri

 

Yea, while runnin the online scans I disabled my firewall and antivirus program. If you look at the Panda Activescan you'll see that it's detectin the same two viruses as Kaspersky, which I mentioned in my initial post. Hope you can help.

 

Hi Wham!
Please make sure System Restore is disabled on all drives according to these instructions and do NOT turn it back on.

While system restore is turned off, please run Panda and Kaspersky online scans. With the restore points turned off while you are running the scans, those antivirus programs should be able to get rid of the viruses. Whether they are able to remove them or not, do NOT turn back on system restore. I will need to see the logs of these two scans. If this does not take them out, we will delete them manually. We will not have you reenable system restore until we're sure they're gone.

abri

 

It won't let me attach the Panda Activescan despite changin the name several times, but the results are the same as the previous one. Kaspersky also rendered the same results even with System Restore turned off.

 

Hi Wham!

Your thread is taking time than I would like, because the problem you're having is unusual. Normally, when you turn off your system restore, reboot and turn it back on, it flushes all previous restore points and sets a clean one. This doesn't seem to be working for you. I don't know if you can do this in Safe Mode, but you could try it.

A second thing you can try is to go to start and then run and type in cleanmgr. See if you get a tab which says "other options". If so, click on that and choose the option to clean all restore points. I started to recommend this to you, but when I tried it on my own computer, I don't get this tab with other options. Please try this and tell me if it works for you.

The restore points are stored in C:\System Volume Information\_restore as you mentioned in your first post. Getting into this folder at all is not easy, and even if you do, I don't know if you can simply delete the restore points.

The final possibility of removing restore points involves a change in the registry and if we end up having to go that far, I want some backup.

Thanks for your patience.

Thanks!
abri

 

wham,

First, we need to set permissions for this directory.

1. Click Start > Run > Type control folders
   
2. Go to the View Tab and uncheck "Use simple file sharing (Recommended)"
   
3. Click OK and exit Folder Options.
   
4. Now navigate to C:\ and locate System Volume Information. Right click on this folder and select properties.
   
5. Click on the Security Tab and click the button "Add". In the box type "Everyone" and click OK.
   
6. Once complete, click on Everyone and at the bottom check the box at the top next to "Full Control".
   
7. Click Apply and OK.

Next, we need to kill the Service.

1. Click Start > Run > type services.msc
   
2. Locate "System Restore Service" and double click to open it.
   
3. Click the STOP button, set it to disabled for now and click OK.

Finally, we will attempt to delete the bad SR points.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt
• Once complete please attach this log to your next post.

 

There was an error on the initial attempt to produce a log upon reboot. However, it was successful in producin one the second time around. I was just curious as to why it wasn't able to do so on the first try. Also, should this procedure have been done in Safe Mode? Awaitin further instructions...

 

It seems they were successfully removed, now before doing anything else run another Kaspersky scan and attach the fresh log.

 

The same files were detected but NOT in System Volume. Rather, they were detected in the archived backup files in C:\avenger. I assume that folder should be deleted, but I'll wait for your response.

 

Yes! you can now delete the C:\avenger folder and you should be clear.

Now we need to re-enable SR. Click Start > Run > type services.msc

1. Locate "System Restore Service" and double click to open it.
   
2. Once opened click on "Start" and set it to Automatic. Click OK and exit.
   
3. Next, Click Start > Run > type sysdm.cpl ,4 and press ENTER.
   
4. Check the box to enable SR and then restart.

Once complete, run ATF-Cleaner below to cleanup any junk/temp files.

 

I ran every online scan imaginable, includin Kaspersky of course, and they all came up clean. A big thanx to abri for stickin with me and bjgarrick for finishin it off. Just a few more things, though. Can I re-enable "Use simple file sharing (Recommended)" and should I delete "Everyone" under "Group or user names:" in C:\System Vol...? Or would it be good enough to just uncheck "Allow"? Thanx again, y'all.

 

You can just uncheck "Allow" under full control or remove Everyone, your choice. Be sure you leave "SYSTEM" as is.

You can also re-enable "Use simple file sharing", this is the default setting.

 

Hi wham!
I know your thread is long finished, but I had been looking for information at another forum to try and find out why you weren't able to disable and re-enable your restore points. What was suggested there was the following:

I'm not sure now that your system restore was reset manually if it would be possible to check this anymore, as it may be changed now, but if you would like, you could see if the Dword value at this registry key is set to 0000001. To do this, click on Start/Run and type in regedit. Scroll down (carefully) to the above key and highlight the word SystemRestore, which will open a list on the right side. See if DisableSR is set to 0000000 or 0000001.

Thanks!
abri