Author Topic: Windows Defender  (Read 5365 times)

kalexeff

  • Guest
Windows Defender
« on: September 16, 2006, 07:46:53 PM »
Windows Defender found what it calls a Trojan, listed as CmdLineCM.  The location is C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP164\A0014551.dll

I think it is the restore file created by avast!  Should I tell Windows Defender to ignore it?  I couldn't find anything about this online.
« Last Edit: September 16, 2006, 08:08:21 PM by kalexeff »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89034
  • No support PMs thanks
Re: Windows Defender
« Reply #1 on: September 16, 2006, 08:08:21 PM »
I'm unaware of any restore file created by avast, what makes you think that?

The c:\System Volume Information folder is a part of the system restore function and as such is protected by windows, so avast can't create restore points, that is a function of system restore. Even if it were to create a restore point it shouldn't be infected with anything. This looks like it is a dll file that may have been deleted from one of the system folders, these are also protected by system restore, so deletions are saved to _restore points and the file name is usually changed to what you see but the file type (.dll) usually remains the same.

The only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and if clear enable system restore.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

kalexeff

  • Guest
Re: Windows Defender
« Reply #2 on: September 16, 2006, 08:13:46 PM »
I thought this may be part of the Virus Recovery Database (VRDB) feature in avast!  Doesn't it use some sort of "restore" type process to recover files from a virus it can't fix?  I thought I remembered the installation set-up asking me something about creating a restore point for this feature.

Do you use Windows Defender?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89034
  • No support PMs thanks
Re: Windows Defender
« Reply #3 on: September 16, 2006, 08:34:34 PM »
The VRDB is totally unrelated to the system restore _restore points, the VRDB data is kept in the C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int file.

If the installation asks if you want to create a restore point, it is so that in theory you can go back to before avast was installed; no good for files that can't be fixed. However, I have so much confidence in the System Restore function that mine is permanently disabled and I use my own means of recovery, in the form of weekly partition/drive images and daily back-ups.

I don't use windows defender, didn't want to be an unpaid beta tester for MS and now it doesn't do so well in comparative tests with other anti-spyware/malware, I think it came last in PC World's tests. Other paid-for options to consider: SpySweeper and CounterSpy, which regularly come in the top few in various tests.

If you haven't already got this software (freeware), download, install, update and run it.
1. Ewido anti-spyware if using winXP, or a-Squared free if using win98/ME.
2. Ad-Aware
3. Spybot Search and Destroy
4. Spywareblaster Don't install this until you are clean.

kalexeff

  • Guest
Re: Windows Defender
« Reply #4 on: September 16, 2006, 08:55:16 PM »
Thanks for your input.  I already use Spybot Search and Destroy.  I just use Windows Defender Beta as a second spyware tool.  (I guess I thought that the MS guys might find a few things that the Open Source guys don't)

I guess I'll let Windows Defender remove the file and see what happens.  I don't use Windows' system restore either.

By the way, I recently removed Norton Internet Security to install avast!  In my opinion, Norton IS is very slow and klunky.  Live Update, which I paid a 1-year subscription for, stopped working after 6 months.  I tried four different fixes supplied by Norton.  After corresponding with Bangalore, India service center for a month, their solution was to BUY an upgrade to my 18 month old software.  WHAT A RIP-OFF!

Now, I recommend to anyone who'll listen not to buy Norton products.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Windows Defender
« Reply #5 on: September 16, 2006, 09:24:08 PM »
Quote from: kalexeff
By the way, I recently removed Norton Internet Security to install avast!  In my opinion, Norton IS is very slow and klunky.  Live Update, which I paid a 1-year subscription for, stopped working after 6 months.  I tried four different fixes supplied by Norton.  After corresponding with Bangalore, India service center for a month, their solution was to BUY an upgrade to my 18 month old software.  WHAT A RIP-OFF!
Now, I recommend to anyone who'll listen not to buy Norton products.

Eh eh... We're more or less the same... after being a Symantec user, now, never more  ;D
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89034
  • No support PMs thanks
Re: Windows Defender
« Reply #6 on: September 16, 2006, 10:17:33 PM »
Quote from: kalexeff
Thanks for your input.  I already use Spybot Search and Destroy.  I just use Windows Defender Beta as a second spyware tool.  (I guess I thought that the MS guys might find a few things that the Open Source guys don't)
I guess I'll let Windows Defender remove the file and see what happens.  I don't use Windows' system restore either.
By the way, I recently removed Norton Internet Security to install avast!  In my opinion, Norton IS is very slow and klunky.  <snip>
Now, I recommend to anyone who'll listen not to buy Norton products.

Well I'm not sure windows defender will be able to remove it from that location as it is a windows protected storage area, if it can remove it, then MS have been holding out on this information from other AVs.

If you have disabled system restore and done a reboot, the C:\System Volume Information folder should be empty (see image) as in the info in my first post.
Quote from: DavidR
The only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points.

So I would confirm that system restore is in fact disabled, if you have more than one partition/drive you have to disable all.