help me please

[mauserme]

This is something of a guess but the 2 files listed appear to me to be legitimately pre-installed "junk-ware" that comes with HP/Compaq computers (yeah, I know "legitimately pre-installed "junk-ware"" is an oxymoron).

These files are part of a single application (APP17392 in the path) and you have a single program, Weatherbug, listed in the pre-installed programs that is often considered adware.

With no backups of any kind and no symptoms of true infection I'll reiterate my concerns about breaking the recovery option and advise against removing these files.

[ryan445]

I always delete weatherbug, it sucks anyway. However, what do I do about the virus in the system volume information/restore? I just noticed that every time I reformat avast finds this virus, and then when I delete it and later try a system restore, none of them work regardless of if they were made before or after deleting.

[mauserme]

When you reformat/reinstall Weatherbug will be in 2 places - on the C: drive as an installed program and on the D: drive as a recoverable program.  When you uninstall it, you remove it from C: but it remains on D: and will eventually show up in the D: restore points as well.  Its not a virus - its just an adware program from the computer manufacturer.  It cannot reinstall from C: to D: unless you tell it to do so.

If you uninstall it and then reset your restore points as I outlined earlier you should get rid of the C: drive detections.  And I'm not sure there's a real need to scan D: on a regular basis.  Its well protected.

If you want to make very sure you're OK scan with the free version of SuperAntispyware

http://www.superantispyware.com/

Doing this weekly along will keep your computer very clean and is a good supplement to your antivirus scans (AVG Antispyware is also very good).

[Lisandro]

A0003359.exe C:\\System Volume Information\_restore[bunch of numbers]
A0013978.exe D:\\System Volume Information\_restore[bunch of numbers]
A0013979.exe D:\\System Volume Information\_restore[more numbers]

For sure these ones are not needed and can be moved to Quarantine.

CompaqPresario_Spring06.exe D:\\I386\Apps\APP17392\src
HPPavillion_Spring06.exe D:\\I386\Apps\APP17392\src

Can you check this files in VirusTotal?
I respect the opinion of mauserme but I see no reason to 'restore' an adware application each time you restore your computer from D. Is there any way to be sure that removing this files will affect the recovery capabilities?

[mauserme]

... I see no reason to 'restore' an adware application each time you restore your computer from D. Is there any way to be sure that removing this files will affect the recovery capabilities?

I would recommend removal too if a copy of the recovery partition or some sort of back up could be made.  But with out backup and no guarantee of a functional recovery option that I know of ...

I'm not saying recovery won't work - I just don't know that it will.

Well, its just my conservative nature showing 

[ryan445]

I seriously doubt it will affect anything, because it isn't a core windows system file, but then I am not totally sure. I didn't even think a virus could get in D in the first place. My computer won't even let ME in there.

[Lisandro]

I'm not saying recovery won't work - I just don't know that it will.

You're right to be prudent... I don't know either.
What I know is that I won't trust in a backup partition application that won't work if you remove one file from it: neither if it makes a single archive file nor if they copy file-by-file... It won't be a backup solution for me for sure

[Lisandro]

My computer won't even let ME in there.

Are you an user with administration rights?
Even though, there are access rights that the system can reach/do and you, the Administrator, can't. I won't be surprised if a virus uses this situation.

[ryan445]

No, i mean there is a program which prevents you from going into the D drive. This is a compaq failsafe to make sure curious users don't go in there and delete things.

[Lisandro]

No, i mean there is a program which prevents you from going into the D drive. This is a compaq failsafe to make sure curious users don't go in there and delete things.

Is it encrypted? I don't think so, as avast can scan the partition.
If it is not encrypted, low level programs could access the partition. It's only hidden to 'common' users and applications. Maybe not to a virus or advanced users...

I won't trust in the Compac tool... really.

[ryan445]

I can disable the program with msconfig anyway. Should I just delete the viruses?

[Lisandro]

It's better and safer send them to Chest instead of just deleting.
Maybe you could save the files to and USB drive and then try to restore to see if it works without that files...

[ryan445]

is it possible these are just false positives?

[DavidR]

There is one way to check.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.

However from what you have said if this partition is protected t mightn't allow you access, if you happened to send any of the ones from that partition to the chest, you could Extract them to a temporary location so they can be uploaded for checking. You may need to pause the standard shield when you extract and upload them to avoid an alert by the standard shield (enable immediately you upload though).

[Lisandro]

is it possible these are just false positives?

I don't think so... but you should follow David's advices to be sure.