Author Topic: virus I cannot remove in System Volume Information  (Read 2953 times)

Offline dr

  • Newbie
  • *
  • Posts: 4
    • Personal Message (Offline)
virus I cannot remove in System Volume Information
« on: December 16, 2009, 06:43:32 PM »
First of all,  I do not know much english
Hope I can explane my problem and get help anyway

it looks like I have a virus on my pc but  Avast can't repair or remove it to chest

what i find in the report is

C:\System Volume Information\_restore{23A631DA-32E2-4B30-94A8-B1F821767DE4}\RP58\A0020607.exe\HD.RES [E] Il file è una bomba a decompressione. (42110)

(I guess bomba a decompressione means logic bomb)

I cannot find this file in System Volume Information
so I cannot remove it in any other way
what can I do? is it dangerous?
thank you and sorry fo my english

(if it can help in the same scan AVAST found also this file/virus

C:\System Volume Information\_restore{23A631DA-32E2-4B30-94A8-B1F821767DE4}\RP54\A0019341.exe [L] Win32:Malware-gen (0)

and removed it in the chest with no problem)

Offline mikaelrask

  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1299
  • Gender: Male
    • Personal Message (Offline)
Re: virus I cannot remove in System Volume Information
« Reply #1 on: December 16, 2009, 08:16:42 PM »
welcome dr to the forum. your english is not bad. I suggest you download install and update MBAB and/or SAS and do a scan and see what they come up with.

http://filehippo.com/download_malwarebytes_anti_malware/
http://filehippo.com/download_superantispyware/

good luck and write back if you getting any problems.
new computer
windows 8 Intel core I-3 64 bit
6 gb ram 500 gb hardrive. avast 9 MBAM

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69198
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: virus I cannot remove in System Volume Information
« Reply #2 on: December 16, 2009, 08:27:30 PM »
1. - Decompression Bomb, a file that is highly compressed, which could be very large when decompressed. This used to be a tactic long ago to swamp the system, also see http://forum.avast.com/index.php?topic=15389.msg131213#msg131213.
 
The name really is the most dangerous thing about this and I wish they would change it or simply not report it, a real PITA.

Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

Many programs (usually security based ones) password protect their files for legitimate reasons such as AdAware and Spybot Search & Destroy, there are others (and avast doesn't know the password or have any way of using it even if it did know it).

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected, you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so), this will reduce the numbers of files that can't be scanned.

By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to. You may need to expand the column headings to see all the text.

If you can give some examples of those file names, the locations and reason given why it can't be scanned might help us further ?

So no action required.

The second was actually a detection and as such will be moved to the chest successfully, as the first is only being reported as a file that can't be scanned and the reason why.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline dr

  • Newbie
  • *
  • Posts: 4
    • Personal Message (Offline)
Re: virus I cannot remove in System Volume Information
« Reply #3 on: December 16, 2009, 09:00:12 PM »
I'm not sure I did understand
DavidR do you mean that I should not care about the file

C:\System Volume Information\_restore{23A631DA-32E2-4B30-94A8-B1F821767DE4}\RP58\A0020607.exe\HD.RES [E] Il file è una bomba a decompressione. (42110)   ?

I know that there are some file that AVAST can not scan because of the password that protect them (like boot files ....hope i write it right in english)

but this time AVAST did not says "can not open" (or cannot check/access...in italian "file protetto da password" -  "file evitato a causa impostazioni esclusione" - "impossibile accedere file in utilizzo da altro processo") - and did not put the files in the chest but the alarm sound, ask me to cancel or put the file in the chest and then show me a message saying that put it in the chest or remove it was not possible

and this is what worry me
but if you know that this kind of file is not dangerous I will quit tray to find it
(I can find it anywhere on my pc - he is not in the System volume Information even if AVAST says so - and it is nowhere else for what i can see)

one question also on the program mikaelrask suggest me
if I download them shoul I disable AVAST before run them?

again sorry for my english but there is no italian forum for AVAST so I have to use this even if I have never studied it  ... I write it "play by ear"

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69198
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: virus I cannot remove in System Volume Information
« Reply #4 on: December 16, 2009, 10:51:58 PM »
That is exactly what I mean, avast isn't telling you it is infected, just that it can't/hasn't been scanned and gives the reason why it wasn't scanned. It isn't an indication it is infected or suspicious, just a damn stupid name which scares users half to death.

It is a special folder hidden and controlled by system restore.

There really is no need to go and find it, what are you going to do when you do find it.

There shouldn't be any issue with the two programs mentioned, though I used to pause the Standard Shield when scanning with other security programs, this limits the small potential of conflict and reduces the overall scan duration as avast wouldn't be scanning the files that they open to scan.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline dr

  • Newbie
  • *
  • Posts: 4
    • Personal Message (Offline)
Re: virus I cannot remove in System Volume Information
« Reply #5 on: December 17, 2009, 01:59:57 PM »
just to let you know what I did to remuve the file (read "the file is a bomb" made me mad)

I try to explain it in my poor english

I have disabled System Restore to clean  the infected file that was in the system restore files.
Rebooted the system.
Re-enable System Restore
Re-scanned the pc with AVAST
and all the infected file desappeared

thank you all anyway

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69198
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: virus I cannot remove in System Volume Information
« Reply #6 on: December 17, 2009, 03:11:13 PM »
Yes, that is a consequence of disabling system restore, it not only removes the infected restore point, but all restore points, clean included.

So it isn't a good option if you are only trying to remove one infected restore point, which it appears to have done, as you say it was sent to the chest.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline dr

  • Newbie
  • *
  • Posts: 4
    • Personal Message (Offline)
Re: virus I cannot remove in System Volume Information
« Reply #7 on: December 17, 2009, 07:21:06 PM »
but AVAST was NOT able to put the infected file in the chest...maybe you did not understad it because of my english ... but the problem was that: AVAST indicated me the presence of a virus but was not able to remove, put in the chest or cancel it
anyway now everything works


Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69198
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: virus I cannot remove in System Volume Information
« Reply #8 on: December 17, 2009, 07:43:17 PM »
OK, I was only repeating what you said in your first post:

Quote from: dr
(if it can help in the same scan AVAST found also this file/virus
C:\System Volume Information\_restore{23A631DA-32E2-4B30-94A8-B1F821767DE4}\RP54\A0019341.exe [L] Win32:Malware-gen (0)
and removed it in the chest with no problem)

Trying to send this file (which isn't reported as infected) would fail:

Quote from: dr
C:\System Volume Information\_restore{23A631DA-32E2-4B30-94A8-B1F821767DE4}\RP58\A0020607.exe\HD.RES [E] Il file è una bomba a decompressione. (42110)

Given that it is a very large file it is likely to exceed the maximum size file to send or the total size for the chest and you would/should get an error like that.

Again there would have been no need to do anything with that file as the message is why it 'hasn't been scanned' not that it is infected.

So unless there is another file that you haven't mentioned there was only:
1 infected file, which you said was sent to the chest with no problem.
1 file reported as a decompression bomb, which isn't an indication that this is infected for certain, just that it is very large and would be even larger if avast were to unpack it to be able to scan the contents.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now