Virus in no access, hidden file


Guest

The virus W32.SillyP2P has made a home in my System Volume Information
folder. The anti-virus program (Norton) stops it when it tries to come out,
but can't kill or delete it because access is denied. Windows won't allow me
to gain access and I don't remember enough DOS commands even if I could get
to it that way. Any ideas?
 
tmehl said:
The virus W32.SillyP2P has made a home in my System Volume Information
folder. The anti-virus program (Norton) stops it when it tries to come out,
but can't kill or delete it because access is denied. Windows won't allow me
to gain access and I don't remember enough DOS commands even if I could get
to it that way. Any ideas?

You need to disable system restore, reboot, and then re-enable system restore.
Your restore points will be erased though, so hopefully your system is in
a stable condition.

start > control panel > system > system restore > choose disable > apply
then reboot
re-enable system restore
 
|>The virus W32.SillyP2P has made a home in my System Volume Information
|>folder. The anti-virus program (Norton) stops it when it tries to come out,
|>but can't kill or delete it because access is denied. Windows won't allow me
|>to gain access and I don't remember enough DOS commands even if I could get
|>to it that way. Any ideas?

Killbox
http://www.bleepingcomputer.com/files/killbox.php
--
 
From: "tmehl" <[email protected]>

| The virus W32.SillyP2P has made a home in my System Volume Information
| folder. The anti-virus program (Norton) stops it when it tries to come out,
| but can't kill or delete it because access is denied. Windows won't allow me
| to gain access and I don't remember enough DOS commands even if I could get
| to it that way. Any ideas?

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

What you describe is a virus found in c:\System Volume Information\_restore folder which is
the WinXP System Restore Cache.
To remove it, dump the cache, reboot the computer, then re-enable the cache. The suggested
size of the cache is ~600MB.
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

To make sure the rest of the system is clean, you can use the following tool which provides
scanners for; McAfee, Trend Micro and Sophos.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 
tmehl said:
The virus W32.SillyP2P has made a home in my System Volume Information
folder. The anti-virus program (Norton) stops it when it tries to
come out, but can't kill or delete it because access is denied.
Windows won't allow me to gain access and I don't remember enough DOS
commands even if I could get to it that way. Any ideas?


You have a virus in a restore point. First of all, note that any virus (or
any other kind of malware) in a restore point is completely innocuous and
can't hurt you in any way *unless* you do a System Restore from that restore
point.

If the virus is only in the restore point, presumably you recently removed a
virus from your system. The virus remains in restore points made before the
virus removal, but isn't present in restore points made afterwards.

Unfortunately, you can't selectively delete restore points. Your only
choices are to delete them all, all but the most recent, or none.

One choice is to delete them all (turn off System Restore, then turn it back
on again), but that choice throws out the clean restore points too. Another
choice is to do nothing (keep the infected restore points), but make sure
that you keep track of when you did the virus removal and be sure never to
restore from any restore point before then. If you choose that option,
within the next several weeks, the infected restore points will disappear by
themselves, because older restore points are automatically removed to make
room for newer ones.
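
The "keep the restore points, but never restore from one made before the virus removal" option above can be checked mechanically. This is an added PowerShell example, not part of the original posts; the function name, the cleanup date and the sample restore points are constructed, and only the object shape follows what Get-ComputerRestorePoint returns.

```powershell
# Added example, not from the thread. Flags restore points created before
# the date the malware was removed, so they are never chosen for a restore.
# On a live system, replace $sample with the output of Get-ComputerRestorePoint.

function Get-RestorePointRisk {
    param(
        [Parameter(Mandatory = $true)] [object[]] $RestorePoint,
        [Parameter(Mandatory = $true)] [datetime] $CleanupDate
    )
    foreach ($rp in $RestorePoint) {
        # CreationTime is a WMI DMTF string, e.g. 20240302101500.000000+000;
        # the converter returns it as local time.
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($rp.CreationTime)
        if ($created -lt $CleanupDate) {
            $status = 'DO NOT RESTORE (predates cleanup)'
        } else {
            $status = 'OK (created after cleanup)'
        }
        New-Object PSObject -Property @{
            SequenceNumber = $rp.SequenceNumber
            Created        = $created
            Description    = $rp.Description
            Status         = $status
        }
    }
}

# Constructed sample data (hypothetical sequence numbers and dates).
$sample = @(
    New-Object PSObject -Property @{ SequenceNumber = 41; CreationTime = '20240301090000.000000+000'; Description = 'System Checkpoint' }
    New-Object PSObject -Property @{ SequenceNumber = 42; CreationTime = '20240304181500.000000+000'; Description = 'Installed application' }
    New-Object PSObject -Property @{ SequenceNumber = 43; CreationTime = '20240307090000.000000+000'; Description = 'System Checkpoint' }
)

# Constructed cleanup date: when the antivirus removed the infection (local time).
$cleanup = [datetime]'2024-03-05T12:00:00'

Get-RestorePointRisk -RestorePoint $sample -CleanupDate $cleanup |
    Sort-Object Created |
    Format-Table SequenceNumber, Created, Status, Description -AutoSize
```

With the sample data, points 41 and 42 are flagged as predating the cleanup and point 43 is reported as safe to use.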
 
The previous email led me to the same thing, but I appreciate the
explanation. Appreciate It, thanks.
 
Thanks for the explanation and multiple options. I greatly appreciate it.
--
tmehl


 
tmehl said:
The virus W32.SillyP2P has made a home in my System Volume Information
folder. The anti-virus program (Norton) stops it when it tries to come out,
but can't kill or delete it because access is denied. Windows won't allow me
to gain access and I don't remember enough DOS commands even if I could get
to it that way. Any ideas?


The System Volume Information is the hidden, protected operating
system folder in which WinXP's System Restore feature stores
information used to recover from errors. It's really not a good idea
for you, or an antivirus application, to directly access the contents
of that folder, unless you expect to have no future use for the
restore points, in which case it would be simpler just to turn off the
System Restore feature.

To clear viruses or other malware from the "System Volume
Information," simply turn off the System Restore feature (Start > All
Programs > Accessories > System Tools > System Restore, System Restore
Settings), reboot, then re-enable System Restore, and reboot one last
time. This will delete all of your Restore Points, including the
corrupted one(s), and allow you to start with a clean slate.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
