Author Topic: virus I cannot remove in System Volume Information  (Read 6017 times)

dr

  • Guest
virus I cannot remove in System Volume Information
« on: December 16, 2009, 08:43:32 PM »
First of all, I do not know much English.
I hope I can explain my problem and get help anyway.

It looks like I have a virus on my PC but Avast can't repair it or remove it to the chest.

What I find in the report is:

C:\System Volume Information\_restore{23A631DA-32E2-4B30-94A8-B1F821767DE4}\RP58\A0020607.exe\HD.RES [E] Il file è una bomba a decompressione. (42110)

(I guess bomba a decompressione means logic bomb)

I cannot find this file in System Volume Information,
so I cannot remove it in any other way.
What can I do? Is it dangerous?
Thank you and sorry for my English.

(if it can help in the same scan AVAST found also this file/virus

C:\System Volume Information\_restore{23A631DA-32E2-4B30-94A8-B1F821767DE4}\RP54\A0019341.exe [L] Win32:Malware-gen (0)

and removed it in the chest with no problem)

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: virus I cannot remove in System Volume Information
« Reply #1 on: December 16, 2009, 10:16:42 PM »
Welcome to the forum, dr. Your English is not bad. I suggest you download, install and update MBAM and/or SAS, do a scan and see what they come up with.

http://filehippo.com/download_malwarebytes_anti_malware/
http://filehippo.com/download_superantispyware/

Good luck, and write back if you get any problems.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: virus I cannot remove in System Volume Information
« Reply #2 on: December 16, 2009, 10:27:30 PM »
1. - Decompression Bomb, a file that is highly compressed, which could be very large when decompressed. This used to be a tactic long ago to swamp the system, also see http://forum.avast.com/index.php?topic=15389.msg131213#msg131213.
 
The name really is the most dangerous thing about this and I wish they would change it or simply not report it, a real PITA.

Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

Many programs (usually security based ones) password protect their files for legitimate reasons such as AdAware and Spybot Search & Destroy, there are others (and avast doesn't know the password or have any way of using it even if it did know it).

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected, you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so), this will reduce the numbers of files that can't be scanned.

By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to. You may need to expand the column headings to see all the text.

If you can give some examples of those file names, the locations and the reason given why they can't be scanned, that might help us further.

So no action required.

The second was actually a detection and as such will be moved to the chest successfully, as the first is only being reported as a file that can't be scanned and the reason why.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
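
The reply above describes a scanner that declines to unpack a highly compressed file and reports the reason instead. A sketch of such a guard, as an added example that is not part of the thread and not avast's code; the limits, function names and sample inputs are assumptions constructed for illustration:

```python
import zlib

# Assumed limits for this example; a real scanner would make them configurable.
MAX_OUTPUT = 1024 * 1024   # most bytes we are willing to unpack from one stream
MAX_RATIO = 100            # largest unpacked/packed ratio tolerated
RATIO_FLOOR = 64 * 1024    # ignore the ratio until this much has been unpacked
STEP = 16 * 1024           # bytes inflated per call, so memory use stays bounded


def classify(packed: bytes) -> str:
    """Return 'ok', 'decompression-bomb' or 'unreadable' for a zlib stream."""
    inflater = zlib.decompressobj()
    consumed = produced = 0
    try:
        for start in range(0, len(packed), 4096):
            pending = packed[start:start + 4096]
            consumed += len(pending)
            while True:
                out = inflater.decompress(pending, STEP)
                produced += len(out)
                too_big = produced > MAX_OUTPUT
                too_dense = produced > RATIO_FLOOR and produced > MAX_RATIO * consumed
                if too_big or too_dense:
                    return "decompression-bomb"   # stop unpacking, report why
                pending = inflater.unconsumed_tail
                if inflater.eof or (not pending and len(out) < STEP):
                    break                          # this input chunk is drained
            if inflater.eof:
                break
    except zlib.error:
        return "unreadable"
    return "ok" if inflater.eof else "unreadable"


def demo() -> dict:
    """Classify three constructed samples (not taken from the thread)."""
    text = b"avast report: 1 infected file, 1 file not scanned\n"
    return {
        "small text": classify(zlib.compress(text)),
        "8 MiB of zero bytes": classify(zlib.compress(bytes(8 * 1024 * 1024))),
        "not an archive": classify(b"plain bytes, no zlib header"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "decompression-bomb" verdict here is a statement about size only: the stream was never fully unpacked, so nothing is known about its contents either way.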

dr

  • Guest
Re: virus I cannot remove in System Volume Information
« Reply #3 on: December 16, 2009, 11:00:12 PM »
I'm not sure I understood.
DavidR, do you mean that I should not care about the file

C:\System Volume Information\_restore{23A631DA-32E2-4B30-94A8-B1F821767DE4}\RP58\A0020607.exe\HD.RES [E] Il file è una bomba a decompressione. (42110)   ?

I know that there are some files that AVAST cannot scan because of the password that protects them (like boot files ... I hope I wrote that right in English)

But this time AVAST did not say "cannot open" (or cannot check/access... in Italian "file protetto da password" - "file evitato a causa impostazioni esclusione" - "impossibile accedere file in utilizzo da altro processo") and did not put the file in the chest; instead the alarm sounded, it asked me to cancel or put the file in the chest, and then showed me a message saying that putting it in the chest or removing it was not possible

and this is what worries me
but if you know that this kind of file is not dangerous I will quit trying to find it
(I can find it anywhere on my pc - it is not in the System Volume Information even if AVAST says so - and it is nowhere else from what I can see)

One question also about the programs mikaelrask suggested to me:
if I download them, should I disable AVAST before running them?

Again, sorry for my English, but there is no Italian forum for AVAST so I have to use this one even if I have never studied it ... I write it "play by ear"

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: virus I cannot remove in System Volume Information
« Reply #4 on: December 17, 2009, 12:51:58 AM »
That is exactly what I mean, avast isn't telling you it is infected, just that it can't/hasn't been scanned and gives the reason why it wasn't scanned. It isn't an indication it is infected or suspicious, just a damn stupid name which scares users half to death.

It is a special folder hidden and controlled by system restore.

There really is no need to go and find it; what are you going to do when you do find it?

There shouldn't be any issue with the two programs mentioned, though I used to pause the Standard Shield when scanning with other security programs, this limits the small potential of conflict and reduces the overall scan duration as avast wouldn't be scanning the files that they open to scan.

dr

  • Guest
Re: virus I cannot remove in System Volume Information
« Reply #5 on: December 17, 2009, 03:59:57 PM »
Just to let you know what I did to remove the file (reading "the file is a bomb" made me mad)

I will try to explain it in my poor English

I disabled System Restore to clean the infected file that was in the system restore files.
Rebooted the system.
Re-enabled System Restore
Re-scanned the PC with AVAST
and all the infected files disappeared

thank you all anyway

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: virus I cannot remove in System Volume Information
« Reply #6 on: December 17, 2009, 05:11:13 PM »
Yes, that is a consequence of disabling system restore, it not only removes the infected restore point, but all restore points, clean included.

So it isn't a good option if you are only trying to remove one infected restore point, which it appears to have done, as you say it was sent to the chest.

dr

  • Guest
Re: virus I cannot remove in System Volume Information
« Reply #7 on: December 17, 2009, 09:21:06 PM »
But AVAST was NOT able to put the infected file in the chest... maybe you did not understand it because of my English ... but the problem was this: AVAST indicated to me the presence of a virus but was not able to remove it, put it in the chest or cancel it.
Anyway, now everything works.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: virus I cannot remove in System Volume Information
« Reply #8 on: December 17, 2009, 09:43:17 PM »
OK, I was only repeating what you said in your first post:

Quote from: dr
(if it can help in the same scan AVAST found also this file/virus
C:\System Volume Information\_restore{23A631DA-32E2-4B30-94A8-B1F821767DE4}\RP54\A0019341.exe [L] Win32:Malware-gen (0)
and removed it in the chest with no problem)

Trying to send this file (which isn't reported as infected) would fail:

Quote from: dr
C:\System Volume Information\_restore{23A631DA-32E2-4B30-94A8-B1F821767DE4}\RP58\A0020607.exe\HD.RES [E] Il file è una bomba a decompressione. (42110)

Given that it is a very large file it is likely to exceed the maximum size file to send or the total size for the chest and you would/should get an error like that.

Again there would have been no need to do anything with that file as the message is why it 'hasn't been scanned' not that it is infected.

So unless there is another file that you haven't mentioned there was only:
1 infected file, which you said was sent to the chest with no problem.
1 file reported as a decompression bomb, which isn't an indication that this is infected for certain, just that it is very large and would be even larger if avast were to unpack it to be able to scan the contents.