System Volume Information file suspect

[dmcc313]

Hi

I have had a file on my computer for awhile now that has been causing problems. It was first identified by my av, saying it was a backdoor program, but gave me no option to remove it. When it is operating, my internet activity is contsant, even when I have no internet programs active. It seems to be related to my system restore, as when I disable system restore, it is no longer present, and the constant activity stops. When I enable system restore again, the file comes back (I have a process explorer program, where I can see it come and go), and the constant activity begins again. My other problem with system restore is, when I enable it, it never sets a restore point, the restore point is always today.
At the moment, I am also having trouble enabling system restore, I have tried through the control panel, and also the accessories, and they tell me system restore cannot protect my computer at the moment, please reboot and try again, and when I do, I just get the same message.
My question is, is there a way for me to get into the System Volume information folder and delete the problem file (I always get access denied, even though I have changed the file view to show hidden folders etc), and also, do you have any other ideas for me to enable system restore again?
The suspect file is :

C:\SystemVolumeInformation\-restore{4BAE78A9.A03E.4C8A.A330.6A3CC753B032}\RP25 3\change.log

There was also a similar file flagged by my av with a .exe at one stage, although I didn't get to write it down.
Thanks for your help
DM

[vidster]

Make sure system restore is switched off. Now, run any antivirus system you have. Also run www.trendmicro.com/housecall along with http://www.windowsecurity.com/trojanscan/ .
Now download and install 'Ad-aware' and 'Spybot search and destroy'. These are free and can be found at www.majorgeeks.com .
Make sure you update both programs before running them. Let both programs fix all the spyware they find.

Next go to your start up list in msconfig, Start/run/ type: msconfig. Look under startup for anything that looks suspicious in any way and uncheck it. Reboot your pc.

Turn system restore back on again. System restore should create it's own restore point, if it does'nt, create one manually.

Keep us informed as to how you get on!

[Sgood1971]

An alternative (and better IMHO) way than msconfig to check startup programs is Mike Lin's great little app Startup Control Panel It simplifies things, is nice and neat and tidy and best of all doesn't cost anything.

[dmcc313]

Hi
Thanks for the quick reply.
I should have given you a bit more info in my post, I have run every piece of spyware known to man, both in normal and safe mode, and have cleaned all kinds of crap off my computer. When I do the housecall, as well as the windows trojan scanner you recommended, they come up clean, but tell me couldn't scan system volume information, access is denied. I think this is why I originally became suspicious about that file. I have also run hijack this and posted it on spyware forums, which have fixed a couple of things. I have startup inspector for windows, which is also a good way to check your startup processes, and it is all ok.
Ultimately, I have still got the two problems, a. the file which cannot be seen by the scanners because access is denied, and b. I can't enable system restore at the moment, so can't create a system restore point manually. While system restore is disabled, this file is not active anyway, but I would rather have my system restore on. As long as that file is on my computer though, I don't think I will be able to create a restore point, as I tried to do it before with no success.

My questions are still, is there anyway of accessing system volume information, or any other way of enable system restore?

Sorry to be a pain
DM

[vidster]

It may sound silly but have you deactivated the hidden folders?
You should 'show' all folders for any search to find certain files.

[dmcc313]

Yup!
The folder shows up, in that paler yellow colour, but nothing is in it.
Grrrrrr

[Sgood1971]

Can you boot into safe mode and get rid of it? How about a DOS disk or Knoppix?

[dmcc313]

I don't get any further in safe mode than in normal, ie I can't see anything in the system volume information folder, and can,t turn system restore back on. I'm not sure about the DOS idea, not really a DOS person, but my husband is, so will get him to check it out. Out of interest, if you show hidden folders and go to system volume information, can you see anything, or is access denied for you as well (just wondering if this is a normal windows thing, or whether its just me!)?
Cheers

[Stumpy842]

Quote:

Originally Posted by dmcc313

I don't get any further in safe mode than in normal, ie I can't see anything in the system volume information folder, and can,t turn system restore back on. I'm not sure about the DOS idea, not really a DOS person, but my husband is, so will get him to check it out. Out of interest, if you show hidden folders and go to system volume information, can you see anything, or is access denied for you as well (just wondering if this is a normal windows thing, or whether its just me!)?
Cheers

1. Click Start, click Run, type cmd, and then click OK.

2. Make sure that you are in the root folder of the partition for which you want to gain access to the System Volume Information folder. For example, to gain access the C:\System Volume Information folder, make sure that you are in the root folder of drive C (at a "C:\" prompt).

3. Type the following line, and then press ENTER:

cacls "driveletter:\System Volume Information" /E /G username:F

Make sure to type the quotation marks as indicated. This command adds the specified user to the folder with Full Control permissions.

4. Double-click the System Volume Information folder in the root folder to open it.

5. If you need to remove the permissions after troubleshooting, type the following line at a command prompt:

cacls "driveletter:\System Volume Information" /E /R username

This command removes all permissions for the specified user.