Beagle found in System Volume Information

[Deb]

Hi,

I'm new to Avast and I'm afraid I really may have just messed up my computer.  I did a boot scan which found about 9 viruses - win32:Beagle-AS and Beagle-AH all in my System Volume Information folder.  (I'm on XP Home).  I did not see the information on the site about disabling the System Restore before doing the scan (don't know if that's related or not).  The Avast could not clean the first virus and because this looked like a very important file I did not want to just delete it so I chose to MOVE it which I assumed would be to the folder Avast stores moved files to.  But these moved files are not there and now I'm afraid to reboot my computer because some very important files could now be missing from it.  I don't know where they went to.  All the infected files were like this:

C:\System Volume Information\restore_{47E7117B-18F3-4A10-B47C-105BED1BFF98}\RP444\A0075657.cpl

The last part of the file name changes to things like this:

\A0075658.com
\A00755659.scr

etc.

Instead of these moved files in the Avast Virus Chest, I have:

kernel32.dll
winsock.dll
wsock.32.dll

all in the System Files folder in Avast.  The other folders are empty so I cannot even returned the files I thought I moved to the Chest.  Also, the fact that the above 3 files are very important I'm at a loss as to what to do.  I'm afraid if I reboot my computer will not boot up with these files missing.  

Anyone have any ideas how I can go about fixing what might be a major problem?

Thank you,
Deb

[DukeNukem]

The 3 files

kernel32.dll
winsock.dll
wsock.32.dll

are put in the chest by default by avast and were not virus infected.

You need to disable system restore in order to remove the viruses. By disabling system restore windows will delete the entire contents of the folder called system volume information.

Once you have disabled system restore do a full system scan.

If everything is clean you can enable system restore again.

[Lisandro]

To disable System Restore:

Start > Control Panel > System > System restore > Disable
Click Apply
Enable it again
Click Ok

[Deb]

By disabling system restore windows will delete the entire contents of the folder called system volume information.

Are these System Volume Information files actually the Restore Points from System Restore?  Does Windows actually delete these files or just "hide" them?

Either way there seems to me to be some issues.

1) If Windows truly deletes the System Volume Information when one disables it and these files are directly related to being able to do a System Restore - seems one would loose the ability to restore to all points previously available to restore to.

2) If in fact Windows just hides these files when disabling in order to protect previous restore points and there are viruses in mine ... they then will not be found when doing a scan.  Once I re-enable the System Restore feature will not these (if only hidden) files be returned to their location able to cause trouble for me again?

3) Where did the files that I *moved* go to if not to the Chest?  If they have just been moved, then are they not still somewhere on my computer and need to be moved back so that I can disable System Restore to do a proper scan?

Thank you,
Deb

[neal62]

Deb, The way I understand it is this: If and when you disable System Restore, and then restart the pc that purges the files that were in system restore out of the restore system. When you restart the system restore, the infected files in the restore system are forever gone. You can then turn on System restore which then will create a set of new restore dates. This sometimes is the only way to get rid of malware that has been in the restore system files.

[Deb]

Thank you, Neal.  I guess since right now my computer is acting fine, this would be a good time to do this since it appears I'm going to lose all previous restore points.  I very much appreciate your explanation, it helps me to understand.

Deb

[CharleyO]

*

By the way, Deb ... welcome to the forums!      

*

[Deb]

Thank you, Charley!  

Deb

[DukeNukem]

Are these System Volume Information files actually the Restore Points from System Restore?

Yes

Does Windows actually delete these files or just "hide" them?

Deletes them

Either way there seems to me to be some issues.

1) If Windows truly deletes the System Volume Information when one disables it and these files are directly related to being able to do a System Restore - seems one would loose the ability to restore to all points previously available to restore to.

Correct. You will need to create new restore points.

3) Where did the files that I *moved* go to if not to the Chest?  If they have just been moved, then are they not still somewhere on my computer and need to be moved back so that I can disable System Restore to do a proper scan?

You didnt move any files. Files in the system volume information folder are protected by windows. All programs will be denied access to any files in the the system volume information folder. This is why the only way to remove viruses in this folder is to disable system restore.

[Eddy]

All programs will be denied access to any files in the the system volume information folder. This is why the only way to remove viruses in this folder is to disable system restore.

Not exactly correct. You can gain access to the system restore folder and move/delete files. If the user who is using Avast has this access, Avast can delete/move individual files from there. If you do so and Avast deletes/moves a file from there, one or even multiple restore points won't work anymore.

Note: I do not recommend to obtain access to that folder, unless there is really a need for it.

[Deb]

Just for info - I followed the instructions and all worked ok.  When I did the full scan through Windows (not the boot scan) the moved files did get found.  I don't remember the exact folder now, but it had "Avast" and "Data" in the folder name.  I don't have time to hunt this down now but it looks like they have been deleted.

Thought ya'all might like to know.

Deb

[Eddy]

It could be x:\program files\alwil software\avast4\data\chest
If that is the place, they are in the chest and you can see them if you start Avast > Menu > Virus Chest

[jhiker]

No - it's not that path. If you schedule a boot scan from the Avast menu and choose (via the advanced option) for any infected files to be moved automatically they go to:
Program Files/Alwil Software/Avast4/data/moved

This puzzled me too for a short while - I expected them to be moved automatically to the chest - seemed logical!

[Lisandro]

No - it's not that path. If you schedule a boot scan from the Avast menu and choose (via the advanced option) for any infected files to be moved automatically they go to:
Program Files/Alwil Software/Avast4/data/moved

This puzzled me too for a short while - I expected them to be moved automatically to the chest - seemed logical!

Move and Move to Chest are different possibilities of handling a file. It's seems logical use two different folders  

[jhiker]

That seems reasonable - except you don't have the'Move to Chest' option in the Home Edition....