Re: Accessing "sys vol info" on NTFS

Discussion in 'Computer Security' started by Peter Rossiter, Apr 7, 2004.

  1. Thanks for the info about ownership. I had thought that as
    administrator that I would not need to enter my name in the
    security tab.

    I need to gain access because my AV software (AVG) says there is a
    trojan program there.

    Do you or anyone else know about the sort of virus or trojan that
    can hide in the System Volume Information folder?

    Peter



    [groups widened for relevance]

    CS <> wrote:
    >
    > You have to take ownership of the "System Volume Information"
    > folder on an NTFS partition before it will allow you to have
    > access. Go back to the MSKB and read how to take ownership.
    >
    > Also, since this folder houses the system restore information
    > for that drive (drive c), why do you need to access it? If
    > you're having problems with system restore, just turn it off
    > and turn it on again. The folder will be cleared along with
    > all restore points.
    >



    > On Wed, 07 Apr 2004 00:57:55 +0100, Peter Rossiter
    > <> wrote:
    >
    >>How do I access the "System Volume Information" folder on XP
    >>PRO?
    >>
    >>I want to access this folder on one of my other partitions (or
    >>"drives"). The partition I want to access is an NTFS
    >>partition and so is the C: partition.
    >>
    >>I have tried what is in
    >>http://support.microsoft.com/default.aspx?kbid=309531
    >>but it does not work. This is what I did:
    >>
    >>I log on to XP Pro as administrator. I go to:
    >>Windows Explorer > Tools > Folder Options > View tab
    >> select "Show hidden files and folders"
    >> unselect "Hide protected operating system files
    >> (Recommended)" select "Use Simple File Sharing".
    >>
    >>I double-click the System Volume Information folder in the
    >>root folder to open it but it denies me access.
    >>
    >>I can access the SVI on other partitions which are in FAT32.
    >>But I can't access either the C: drive's SVI or the other
    >>partition's SVI.

    >
    Peter Rossiter, Apr 7, 2004
    #1

  2. "Peter Rossiter" <> wrote in message
    news:94C44D3A6E6C4471AE@130.133.1.4...
    > Thanks for the info about ownership. I had thought that as
    > administrator that I would not need to enter my name in the
    > security tab.
    >
    > I need to gain access because my AV software (AVG) says there is a
    > trojan program there.
    >
    > Do you or anyone else know about the sort of virus or trojan that
    > can hide in the System Volume Information folder?
    >
    > Peter
    >


    What happens is 1) you are infected with a virus, 2) Windows creates a
    restore point and stores the infected files in the system volume information
    folder, 3) your anti-virus software sees the virus in SysVolInfo. The best
    solution is to turn off system restore, reboot, and turn system restore back
    on. This will delete all the restore points along with the one that is
    infected. You don't want to risk using any of those restore points anyway,
    because at least one of them contains the virus and you really don't know
    which one it is.

    Gregg C.
    Gregg Cattanach, Apr 7, 2004
    #2

  3. "Gregg Cattanach" <> wrote:

    >> Thanks for the info about ownership. I had thought that as
    >> administrator that I would not need to enter my name in the
    >> security tab.
    >>
    >> I need to gain access because my AV software (AVG) says there
    >> is a trojan program there.
    >>
    >> Do you or anyone else know about the sort of virus or trojan
    >> that can hide in the System Volume Information folder?
    >>
    >> Peter
    >>

    >
    > What happens is 1) you are infected with a virus, 2) Windows
    > creates a restore point and stores the infected files in the
    > system volume information folder, 3) your anti-virus software
    > sees the virus in SysVolInfo. The best solution is to turn
    > off system restore, reboot, and turn system restore back on.
    > This will delete all the restore points along with the one
    > that is infected. You don't want to risk using any of those
    > restore points anyway, because at least one of them contains
    > the virus and you really don't know which one it is.



    Thanks for the info.

    I probably got the virus from downloading binaries from the
    newsgroups.

    Would that virus program have been installed or executed (if you
    see what I mean) for it to get picked up by XP's restore point in
    the way you describe?

    I am wondering if I was somehow so careless as to run the virus
    program.
    Peter Rossiter, Apr 7, 2004
    #3
  4. "Peter Rossiter" <> wrote in message news:94C4B67E4F8D8471AE@130.133.1.4...

    > I probably got the virus from downloading binaries from the
    > newsgroups.


    That is one good way to collect malware. ;o)

    > Would that virus program have been installed or executed (if you
    > see what I mean) for it to get picked up by XP's restore point in
    > the way you describe?


    Not necessarily. When your AV program first encountered it, it
    probably tried to delete it. Before it got deleted, the OS kindly
    decided that you might want to have it backed up in a restore
    point just in case you had momentarily lost your mind.

    > I am wondering if I was somehow so careless as to run the virus
    > program.


    If that was the only affected file your AV alerted to, then it is very
    likely that it never ran on your machine.
    FromTheRafters, Apr 7, 2004
    #4
  5. Peter Rossiter

    johns Guest


    > I need to gain access because my AV software (AVG) says there is a
    > trojan program there.


    Yep, and it is a nasty one too. What you have is an ftp
    server pushing mp3s to the world. You were not patched,
    and the Danes got you. I just hope you are not on DSL
    or faster, because if you are, sooner or later the Music
    cops are going to hand you a summons !!!!! and that
    is not funny. Do a search on *.mp3, or let your AV
    run on that folder and see if it sees mp3s. If it does,
    pull off data, etc, and wipe your drive !!!! Get a good
    disk imaging program, and a big drive. That is the
    easy way to recover back to a known state ... if the
    first install was done off line !! I reimage about once
    a month, and that has worked fine. Generally I can
    totally crash and be back up in about an hour running
    clean. Another thing ... if you do have that "mp3 server",
    you also have a whole lot of friends out there, and
    they will come calling. This is the one time that a
    firewall might help, or you are going to be scanned
    to pieces.

    johns
    johns, Apr 9, 2004
    #5
  6. Hello,


    > Yep, and it is a nasty one too. What you have is an ftp
    > server pushing mp3s to the world. You were not patched,
    > and the Danes got you.


    S.T.F.U.!! Your idiotic "contribution" is of no use here.

    > scanned
    > to pieces.


    Is this a technical term?

    The best thing you can do is stop posting in this group.

    --
    Regards, Ian.

    -------------------------------------------------------------------------------------------------------------

    English
    Adjective
    ultracrepidarian

    1. Of a critic, giving opinions on something beyond his or her
    knowledge.
    Ian JP Kenefick, Apr 20, 2004
    #6
