Author Topic: "C:/System VOlume Information/_restore" Important??  (Read 18028 times)

Offline bellicose

  • Newbie
  • Posts: 2
"C:/System VOlume Information/_restore" Important??
« on: January 04, 2010, 05:50:44 AM »
Not a clue where to post this, but I hope you guys can help me out.

While running my first ever scan of my system with my brand new Avast system, I was given this warning:

C:/System Volume Information/_restore{C9029514-088E-40a0-B53D-CD2607F4BB94}/RP524/A0131308.exe
Has been infected with:
win32:spyware-gen [Spy]

With options 0 to 9:
Delete
Repair
Repair All
Some others I really don't remember
Ignore
Ignore All

I planned to write it down, investigate it, and then go back and take care of it properly, however....
Me being the dumb Windows user I am, I used my down arrow in an attempt to select an option; this results (as many of you know) in it being deleted.

I have had no ill effects as of yet, however I would like to know if I can put it back if it is an important file (I see "restore" in there, which leads me to believe it has to do with backups, but what do I know...).

I will be investigating this myself, but if any of you can help me out, I would greatly appreciate it.


EDIT: Sorry guys, just realized the title was not helping me at ALL.
« Last Edit: January 04, 2010, 05:57:30 AM by bellicose »

Offline CharleyO

  • avast! Evangelist
  • Starting Graphoman
  • Posts: 7102
  • Gender: Male
  • Be alert for error code - ID 10T
Re: "C:/System VOlume Information/_restore" Important??
« Reply #1 on: January 04, 2010, 10:22:35 AM »
***

Welcome to the forums, bellicose. :)

You are right in that it was a restore point for your computer. If infected, it is not a restore point you want to use nor keep. Do not worry about having deleted it.


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69208
  • Gender: Male
  • No support PMs thanks
Re: "C:/System VOlume Information/_restore" Important??
« Reply #2 on: January 04, 2010, 02:53:32 PM »
Infected Restore Points - There really is little benefit in chasing a detection in the System Volume Information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by System Restore.

- Worst case scenario: it isn't infected and you delete it; you can't use that restore point in the future, not much of a loss, and the older the restore point is the less of an issue it is.

- So if there is any suspicion about a restore point then it is best removed from the System Volume Information folder, or it could bite you in the rear at some point in the future when you use System Restore if it included that restore point.

Welcome to the forums.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline bellicose

  • Newbie
  • Posts: 2
Re: "C:/System VOlume Information/_restore" Important??
« Reply #3 on: January 04, 2010, 09:03:09 PM »
Thank you both for the reply! Just because of the great tech support here, I think I will be staying.

Would it be safe to say that files in System Volume Information are not as important as system folders? Would it be a good idea to delete any infected files right off the bat? Or are there some kinds of files I should keep my eye on?

Is there a way to manually set a restore point, or does MS do it automatically? Is there a possibility for me to see when the latest point was set, just to see?

Thank you guys so much for helping out this newbie!

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69208
  • Gender: Male
  • No support PMs thanks
Re: "C:/System VOlume Information/_restore" Important??
« Reply #4 on: January 04, 2010, 09:21:02 PM »
In a way yes, because the system folders contain the active files, whereas what is in the System Volume Information folder (restore points) was previously in system files, etc. but has been removed or updated.

However, they are there to serve a purpose recovering from problems and for that reason alone they are still important.

Deletion isn't really a good first option (you have none left): 'first do no harm', don't delete; send the virus to the chest and investigate. Infected restore points are somewhat of an exception to the rule: if you sent those to the chest and subsequently tried to restore them, Windows would block this, so to all intents and purposes, having sent them to the chest, they are history, dead.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

It depends on why a restore point is necessary: if a file is deleted from a system folder, Windows System Restore would create one automatically. If you were going to do something which might carry some risk, like installing a large Service Pack, you could set a restore point manually as set out below.

Create a clean System Restore point:
1. Click Start, All Programs, Accessories, System tools, System Restore.
2. In the pop-up that appears fill in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
5. Click CREATE
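The two questions answered above (when the latest restore point was set, and how to create one manually) can also be handled from a Windows PowerShell prompt. This is an added example and not code from the thread or from Avast; it assumes an elevated Windows PowerShell session, and the assumption that the RP<n> folder name under _restore{...} matches the restore point's SequenceNumber is drawn only from the path quoted in the first post.

```powershell
# Added example, not part of the original thread. Assumes Windows PowerShell
# (Get-ComputerRestorePoint / Checkpoint-Computer are Windows-only cmdlets)
# run from an elevated prompt.

# List existing restore points, newest first, so you can see when the
# latest one was set and which RP folder a detection path refers to.
function Get-RestorePointSummary {
    Get-ComputerRestorePoint | ForEach-Object {
        New-Object PSObject -Property @{
            Sequence    = $_.SequenceNumber
            # Assumption: the RP<n> folder under _restore{...} uses the sequence number.
            Folder      = "RP$($_.SequenceNumber)"
            # CreationTime is a DMTF/WMI datetime string; convert it to a real DateTime.
            Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description = $_.Description
        }
    } | Sort-Object Sequence -Descending
}

# Given a detection path like the one in the first post, pull out the RP number
# and report the matching restore point, if it still exists.
function Find-RestorePointForPath {
    param([Parameter(Mandatory=$true)][string]$DetectionPath)
    if ($DetectionPath -match '[\\/]RP(\d+)[\\/]') {
        $seq = [int]$Matches[1]
        $hit = Get-RestorePointSummary | Where-Object { $_.Sequence -eq $seq }
        if ($hit) { return $hit }
        Write-Host "No restore point with sequence $seq remains; it was probably already removed."
    } else {
        Write-Host "Path does not contain an RP<number> segment."
    }
}

# Steps 1-5 of the manual procedure above, done from the prompt instead of the GUI.
function New-CleanRestorePoint {
    param([string]$Name = "Clean Restore Point")
    Checkpoint-Computer -Description $Name -RestorePointType MODIFY_SETTINGS
    Get-RestorePointSummary | Select-Object -First 1
}

Get-RestorePointSummary | Format-Table Sequence, Folder, Created, Description -AutoSize
Find-RestorePointForPath 'C:\System Volume Information\_restore{C9029514-088E-40a0-B53D-CD2607F4BB94}\RP524\A0131308.exe'
```

Checkpoint-Computer refuses to create more than one restore point per 24 hours on Windows 8 and later, so on those systems the last function may return the existing newest point rather than a new one.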

Offline gieyah27

  • Newbie
  • Posts: 1
Re: "C:/System VOlume Information/_restore" Important??
« Reply #5 on: August 14, 2010, 04:47:25 AM »
I think this is the exact same problem I am having.

After a nasty attack and a day spent reformatting, I installed Avast and ran a thorough scan. It, too, detected the Sality.y virus inside the System Volume Information/_restore folder. Although I know this is just a restore point and will not affect my computer much if I opt to delete it, I found myself a little bit hesitant to do it. I moved it to the chest--just what Avast suggested. I also hit the repair button; however, the report came back as "an error occurred.." but it was successfully moved to the chest.

Now I am seriously considering deleting it, as I need to do some online payment activities soon. I need to be very sure if this spyware is completely out of the picture or still lurking somewhere.

Please advise me of what to do.. thanks. :-\

Offline Tech

  • avast! team
  • Certainly Bot
  • Posts: 64880
  • Gender: Male
Re: "C:/System VOlume Information/_restore" Important??
« Reply #6 on: August 14, 2010, 11:50:37 AM »
Sality is a very dangerous virus.
I suggest you scan your system with avast (boot scan) and with the Dr. Web or Avira Rescue CDs.
gieyah27, if you're not secure, I'd back up documents and data and, sorry, think about reformatting...
The best things in life are free.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69208
  • Gender: Male
  • No support PMs thanks
Re: "C:/System VOlume Information/_restore" Important??
« Reply #7 on: August 14, 2010, 11:55:57 AM »
What to do - start by reading my previous comments in Reply #2 & #4.

Offline assist please

  • Newbie
  • Posts: 2
Re: "C:/System VOlume Information/_restore" Important??
« Reply #8 on: June 26, 2013, 07:23:49 PM »
You are wonderful!! I searched the following message on Google and got to your website. In fact, I am using Avast and was about to place this in the Virus Chest when I noticed the word "restore."

The message is: "file C:\system volume information\_restore{12920FA-BOAC-49B3-96B2-DEB8B91E727B}\RP235\AOO64249.msi|>Data.cab|>E┐showSpyAbout.exe|>[UPX] si infected by Win32: Malware-gen"

I feared deleting it might DISABLE my ability to USE the restore program. I was afraid I would no longer be able to create a new restore point or go back to an earlier date.

Since reading your postings I believe that this may be just one specific point that will no longer be able to be used, and the rest will remain as they are within a functioning restore program. IS THIS CORRECT?

I've never done this before, so I hope I sent this correctly by clicking reply on the topic.

And... how do you know so much? Do you work with computers or work with Avast? I'm impressed.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69208
  • Gender: Male
  • No support PMs thanks
Re: "C:/System VOlume Information/_restore" Important??
« Reply #9 on: June 26, 2013, 07:29:29 PM »
You're welcome.

Yes, removing that infected restore point means that only that restore point will be unavailable for use.

I'm just an avast user like yourself, but I have been using it and helping out where I can in the forums for nine years.