Computer Security - Re: Accessing "sys vol info" on NTFS

#1
Thanks for the info about ownership. I had thought that as administrator that I would not need to enter my name in the security tab.

I need to gain access because my AV software (AVG) says there is a trojan program there.

Do you or anyone else know about the sort of virus or trojan that can hide in the System Volume Information folder?

Peter

[groups widened for relevance]

CS <> wrote:
>
> You have to take ownership of the "System Volume Information"
> folder on an NTFS partition before it will allow you to have
> access. Go back to the MSKB and read how to take ownership.
>
> Also, since this folder houses the system restore information
> for that drive (drive c), why do you need to access it? If
> you're having problems with system restore, just turn it off
> and turn it on again. The folder will be cleared along with
> all restore points.
>
> On Wed, 07 Apr 2004 00:57:55 +0100, Peter Rossiter <> wrote:
>
>> How do I access the "System Volume Information" folder on XP
>> PRO?
>>
>> I want to access this folder on one of my other partitions (or
>> "drives"). The partition I want to access is an NTFS
>> partition and so is the C: partition.
>>
>> I have tried what is in
>> http://support.microsoft.com/default.aspx?kbid=309531
>> but it does not work. This is what I did:
>>
>> I log on to XP Pro as administrator. I go to:
>> Windows Explorer > Tools > Folder Options > View tab
>>   select "Show hidden files and folders"
>>   unselect "Hide protected operating system files (Recommended)"
>>   select "Use Simple File Sharing".
>>
>> I double-click the System Volume Information folder in the
>> root folder to open it but it denies me access.
>>
>> I can access the SVI on other partitions which are in FAT32.
>> But I can't access either the C: drive's SVI or the other
>> partition's SVI.
>

Peter Rossiter

#2

"Peter Rossiter" <> wrote in message news:94C44D3A6E6C4471AE@130.133.1.4...
> Thanks for the info about ownership. I had thought that as
> administrator that I would not need to enter my name in the
> security tab.
>
> I need to gain access because my AV software (AVG) says there is a
> trojan program there.
>
> Do you or anyone else know about the sort of virus or trojan that
> can hide in the System Volume Information folder?
>
> Peter
>

What happens is 1) you are infected with a virus, 2) Windows creates a restore point and stores the infected files in the system volume information folder, 3) your anti-virus software sees the virus in SysVolInfo.

The best solution is to turn off system restore, reboot, and turn system restore back on. This will delete all the restore points along with the one that is infected. You don't want to risk using any of those restore points anyway, because at least one of them contains the virus and you really don't know which one it is.

Gregg C.

#3

"Gregg Cattanach" <gcattanach-SKIP-@prodigy.net> wrote:
>> Thanks for the info about ownership. I had thought that as
>> administrator that I would not need to enter my name in the
>> security tab.
>>
>> I need to gain access because my AV software (AVG) says there
>> is a trojan program there.
>>
>> Do you or anyone else know about the sort of virus or trojan
>> that can hide in the System Volume Information folder?
>>
>> Peter
>>
>
> What happens is 1) you are infected with a virus, 2) Windows
> creates a restore point and stores the infected files in the
> system volume information folder, 3) your anti-virus software
> sees the virus in SysVolInfo. The best solution is to turn
> off system restore, reboot, and turn system restore back on.
> This will delete all the restore points along with the one
> that is infected. You don't want to risk using any of those
> restore points anyway, because at least one of them contains
> the virus and you really don't know which one it is.

Thanks for the info.

I probably got the virus from downloading binaries from the newsgroups.

Would that virus program have been installed or executed (if you see what I mean) for it to get picked up by XP's restore point in the way you describe?

I am wondering if I was somehow so careless as to run the virus program.

#4

"Peter Rossiter" <> wrote in message news:94C4B67E4F8D8471AE@130.133.1.4...
> I probably got the virus from downloading binaries from the
> newsgroups.

That is one good way to collect malware. ;o)

> Would that virus program have been installed or executed (if you
> see what I mean) for it to get picked up by XP's restore point in
> the way you describe?

Not necessarily. When your AV program first encountered it, it probably tried to delete it. Before it got deleted, the OS kindly decided that you might want to have it backed up in a restore point just in case you had momentarily lost your mind.

> I am wondering if I was somehow so careless as to run the virus
> program.

If that was the only affected file your AV alerted to, then it is very likely that it never ran on your machine.

#5

> I need to gain access because my AV software (AVG) says there is a
> trojan program there.

Yep, and it is a nasty one too. What you have is an ftp server pushing mp3s to the world. You were not patched, and the Danes got you. I just hope you are not on DSL or faster, because if you are, sooner or later the Music cops are going to hand you a summons !!!!! and that is not funny.

Do a search on *.mp3, or let your AV run on that folder and see if it sees mp3s. If it does, pull off data, etc, and wipe your drive !!!! Get a good disk imaging program, and a big drive. That is the easy way to recover back to a known state ... if the first install was done off line !! I reimage about once a month, and that has worked fine. Generally I can totally crash and be back up in about an hour running clean.

Another thing ... if you do have that "mp3 server", you also have a whole lot of friends out there, and they will come calling. This is the one time that a firewall might help, or you are going to be scanned to pieces.

johns

#6

Hello,

> Yep, and it is a nasty one too. What you have is an ftp
> server pushing mp3s to the world. You were not patched,
> and the Danes got you.

S.T.F.U.!! Your idiotic "contribution" is of no use here.

> scanned
> to pieces.

Is this a technical term?

The best thing you can do is stop posting in this group.

--
Regards,
Ian.

-------------------------------------------------------------------------------------------------------------
English
Adjective
ultracrepidarian
1. Of a critic, giving opinions on something beyond his or her knowledge.