Virus in no access, hidden file

Guest

Archived from groups: microsoft.public.windowsxp.general

The virus W32.SillyP2P has made a home in my System Volume Information
folder. The anti-virus program (Norton) stops it when it tries to come out,
but can't kill or delete it because access is denied. Windows won't allow me
to gain access and I don't remember enough DOS commands even if I could get
to it that way. Any ideas?
 
Guest

"tmehl" <tmehl@discussions.microsoft.com> wrote:

|>The virus W32.SillyP2P has made a home in my System Volume Information
|>folder. The anti-virus program (Norton) stops it when it tries to come out,
|>but can't kill or delete it because access is denied. Windows won't allow me
|>to gain access and I don't remember enough DOS commands even if I could get
|>to it that way. Any ideas?

Killbox
http://www.bleepingcomputer.com/files/killbox.php
--
 
Guest

tmehl wrote:

> The virus W32.SillyP2P has made a home in my System Volume Information
> folder. The anti-virus program (Norton) stops it when it tries to
> come out, but can't kill or delete it because access is denied.
> Windows won't allow me to gain access and I don't remember enough DOS
> commands even if I could get to it that way. Any ideas?


You have a virus in a restore point. First of all, note that any virus (or
any other kind of malware) in a restore point is completely innocuous and
can't hurt you in any way *unless* you do a System Restore from that restore
point.

If the virus is only in the restore point, presumably you recently removed a
virus from your system. The virus remains in restore points made before the
virus removal, but isn't present in restore points made afterwards.

Unfortunately, you can't selectively delete restore points. Your only
choices are to delete them all, all but the most recent, or none.

One choice is to delete them all (turn off System Restore, then turn it back
on again), but that choice throws out the clean restore points too. Another
choice is to do nothing (keep the infected restore points), but make sure
that you keep track of when you did the virus removal and be sure never to
restore from any restore point before then. If you choose that option,
within the next several weeks, the infected restore points will disappear by
themselves, because older restore points are automatically removed to make
room for newer ones.

--
Ken Blake
Please Reply to the Newsgroup
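The two options Ken describes, as an added PowerShell example that is not part of his post or of the thread. It assumes a Windows client with PowerShell 2.0 or later and the System Restore cmdlets (Windows XP shipped without PowerShell), run from an elevated session; the cleanup date in it is a constructed placeholder. The first function lists every restore point with its creation time and marks the ones made before the cleanup date as off-limits, which is the bookkeeping Ken's "do nothing" option requires; the second is the "delete them all" option.

```powershell
# Added example, not from the thread: apply Ken Blake's two options from PowerShell.
# Assumes PowerShell 2.0+ with Get-ComputerRestorePoint / Disable-ComputerRestore /
# Enable-ComputerRestore available (Windows client OS) and an elevated session.

function Get-RestorePointReport {
    param(
        # Date and time you removed the virus. Restore points created before it
        # may still carry a copy of the malware and must never be restored from.
        [Parameter(Mandatory = $true)][datetime]$CleanupTime
    )
    Get-ComputerRestorePoint | ForEach-Object {
        # CreationTime is a WMI DMTF string such as 20050301093000.000000-000.
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        $verdict = if ($created -lt $CleanupTime) { 'DO NOT RESTORE (pre-cleanup)' } else { 'ok' }
        New-Object PSObject -Property @{
            SequenceNumber = $_.SequenceNumber
            Created        = $created
            Description    = $_.Description
            Verdict        = $verdict
        }
    } | Sort-Object SequenceNumber
}

# Ken's second option: keep every restore point but record which ones are
# tainted. The cleanup date below is a constructed placeholder; use your own.
$cleanup = Get-Date '2005-03-01 09:30'
Get-RestorePointReport -CleanupTime $cleanup |
    Format-Table SequenceNumber, Created, Verdict, Description -AutoSize

# Ken's first option: throw every restore point away, clean ones included, by
# turning System Restore off and back on for the system drive. Reboot afterwards.
function Reset-SystemRestore {
    param([string]$Drive = $env:SystemDrive + '\')
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    Write-Host "System Restore was reset on $Drive; reboot, then create a fresh restore point."
}
# Uncomment to run the destructive option:
# Reset-SystemRestore
```

Run the report first; if every tainted point is older than the ones you might actually need, Ken's "do nothing" option costs you nothing, and the tainted points age out on their own as he says.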
 
Guest

The previous email led me to the same thing, but I appreciate the
explanation. Appreciate It, thanks.
--
tmehl


"Ken Blake" wrote:

> tmehl wrote:
>
> > The virus W32.SillyP2P has made a home in my System Volume Information
> > folder. The anti-virus program (Norton) stops it when it tries to
> > come out, but can't kill or delete it because access is denied.
> > Windows won't allow me to gain access and I don't remember enough DOS
> > commands even if I could get to it that way. Any ideas?
>
>
> You have a virus in a restore point. First of all, note that any virus (or
> any other kind of malware) in a restore point is completely innocuous and
> can't hurt you in any way *unless* you do a System Restore from that restore
> point.
>
> If the virus is only in the restore point, presumably you recently removed a
> virus from your system. The virus remains in restore points made before the
> virus removal, but isn't present in restore points made afterwards.
>
> Unfortunately, you can't selectively delete restore points. Your only
> choices are to delete them all, all but the most recent, or none.
>
> One choice is to delete them all (turn off System Restore, then turn it back
> on again), but that choice throws out the clean restore points too. Another
> choice is to do nothing (keep the infected restore points), but make sure
> that you keep track of when you did the virus removal and be sure never to
> restore from any restore point before then. If you choose that option,
> within the next several weeks, the infected restore points will disappear by
> themselves, because older restore points are automatically removed to make
> room for newer ones.
>
> --
> Ken Blake
> Please Reply to the Newsgroup
>
>
>
 
Guest

From: "tmehl" <tmehl@discussions.microsoft.com>

| The virus W32.SillyP2P has made a home in my System Volume Information
| folder. The anti-virus program (Norton) stops it when it tries to come out,
| but can't kill or delete it because access is denied. Windows won't allow me
| to gain access and I don't remember enough DOS commands even if I could get
| to it that way. Any ideas?

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

What you describe is a virus found in c:\System Volume Information\_restore folder which is
the WinXP System Restore Cache.
To remove it, dump the cache, reboot the computer, then re-enable the cache. The suggested
size of the cache is ~600MB.
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

To make sure the rest of the system is clean, you can use the following tool which provides
scanners for; McAfee, Trend Micro and Sophos.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest

Thanks for the explanation and multiple options. I greatly appreciate it.
--
tmehl


"David H. Lipman" wrote:

> From: "tmehl" <tmehl@discussions.microsoft.com>
>
> | The virus W32.SillyP2P has made a home in my System Volume Information
> | folder. The anti-virus program (Norton) stops it when it tries to come out,
> | but can't kill or delete it because access is denied. Windows won't allow me
> | to gain access and I don't remember enough DOS commands even if I could get
> | to it that way. Any ideas?
>
> There are anti virus News Groups specifically for this type of discussion.
>
> microsoft.public.security.virus
> alt.comp.virus
> alt.comp.anti-virus
>
> What you describe is a virus found in c:\System Volume Information\_restore folder which is
> the WinXP System Restore Cache.
> To remove it, dump the cache, reboot the computer, then re-enable the cache. The suggested
> size of the cache is ~600MB.
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
>
> To make sure the rest of the system is clean, you can use the following tool which provides
> scanners for; McAfee, Trend Micro and Sophos.
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
> http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
> (.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
> simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
> remove viruses, Trojans and various other malware.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode. This
> way all the components can be downloaded from each AV vendor’s web site.
> The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file.
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
 
Guest

"tmehl" <tmehl@discussions.microsoft.com> wrote in message
news:63280D8E-51C9-4109-9855-B61F14781156@microsoft.com...
> The virus W32.SillyP2P has made a home in my System Volume Information
> folder. The anti-virus program (Norton) stops it when it tries to come
> out,
> but can't kill or delete it because access is denied. Windows won't allow
> me
> to gain access and I don't remember enough DOS commands even if I could
> get
> to it that way. Any ideas?

You need to disable system restore, reboot and then re-enable system restore.
Your restore points will be erased though, so hopefully your system is in
a stable condition.

start > control panel > system > system restore > choose disable > apply
then reboot
re-enable system restore
 
Guest

tmehl wrote:
> The virus W32.SillyP2P has made a home in my System Volume Information
> folder. The anti-virus program (Norton) stops it when it tries to come out,
> but can't kill or delete it because access is denied. Windows won't allow me
> to gain access and I don't remember enough DOS commands even if I could get
> to it that way. Any ideas?


The System Volume Information is the hidden, protected operating
system folder in which WinXP's System Restore feature stores
information used to recover from errors. It's really not a good idea
for you, or an antivirus application, to directly access the contents
of that folder, unless you expect to have no future use for the
restore points, in which case it would be simpler just to turn off the
System Restore feature.

To clear viruses or other malware from the "System Volume
Information," simply turn off the System Restore feature (Start > All
Programs > Accessories > System Tools > System Restore, System Restore
Settings), reboot, then re-enable System Restore, and reboot one last
time. This will delete all of your Restore Points, including the
corrupted one(s), and allow you to start with a clean slate.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 

chips_81
Aug 20, 2008
I am assuming that you already have a virus-clean OS and that a previous copy of the virus is just being detected in your System Restore folders.

When this happened to me, I only did the following:

a. Logged on as user "administrator" to the workstation.
b. Followed the procedure set in http://support.microsoft.com/default.aspx?scid=KB;en-us;q309531
c. I gave full control to the user "administrator" on the System Volume Information folders.
d. I ran my virus scanner again, but only on the System Volume Information folder of ALL drives.
e. This allowed the virus cleaner to clean and delete the virus from System Volume Information.
f. I then removed all rights of the user "administrator" from the System Volume Information folders.
 

gomerpile
Feb 21, 2005
1. Click Start, and then click My Computer.
2. On the Tools menu, click Folder Options.
3. On the View tab, click Show hidden files and folders.
4. Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change.
5. Clear the Use simple file sharing (Recommended) check box.
6. Click OK.
7. Right-click the System Volume Information folder in the root folder, and then click Properties.
8. Click the Security tab.
9. Click Add, and then type the name of the user to whom you want to give access to the folder. Typically, this is the account with which you are logged on. Click OK, and then click OK again.
10. Double-click the System Volume Information folder in the root folder to open it.
You can now delete the file if you know its name.
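The procedure chips_81 and gomerpile describe, as an added PowerShell example that is not part of either post: grant the current account temporary access to the System Volume Information folder on every fixed drive, list what is inside (hidden and system entries included, with hashes so the scanner or an analyst can review them), then revoke the grant again. It assumes PowerShell 2.0 or later (Windows XP shipped without it) and an Administrators session that the folder's ACL lets you edit; on some systems Get-Acl on this folder fails until you take ownership first, which the script does not do. `-Force` on Get-ChildItem plays the role of gomerpile's steps 3 and 4 (show hidden files, stop hiding protected operating system files).

```powershell
# Added example, not from the thread: chips_81's steps a-f / gomerpile's steps 7-10
# from an elevated PowerShell session. Assumes PowerShell 2.0+ and that the session
# is allowed to read and write the folder's ACL.

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Get-SviPath([string]$Drive) { Join-Path $Drive 'System Volume Information' }

# Step c / step 9: add a Full Control entry for the current user (temporary).
function Grant-SviAccess([string]$Drive) {
    $svi  = Get-SviPath $Drive
    $acl  = Get-Acl -LiteralPath $svi
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $svi -AclObject $acl
}

# Step f: take every entry for the current user away again, so the folder is
# back to SYSTEM-only access once the scan is done.
function Revoke-SviAccess([string]$Drive) {
    $svi = Get-SviPath $Drive
    $acl = Get-Acl -LiteralPath $svi
    $acl.RemoveAccessRuleAll(
        (New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -LiteralPath $svi -AclObject $acl
}

# Step d: inventory the folder so the scanner (or you) can review what is there.
# SHA-256 is computed with .NET directly, so this also works where Get-FileHash
# does not exist (PowerShell before 4.0).
function Get-SviInventory([string]$Drive) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -LiteralPath (Get-SviPath $Drive) -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $stream = $_.OpenRead()
            try   { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
            finally { $stream.Close() }
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Attributes = $_.Attributes   # shows Hidden/System, the "ghosted" icon look
                Length     = $_.Length
                SHA256     = $hash
            }
        }
}

# Steps a-f across ALL fixed drives, as chips_81 did; the grant is revoked even
# if the inventory or the scan fails part-way.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $drive = $_.DeviceID          # e.g. C:
    Grant-SviAccess $drive
    try {
        Get-SviInventory $drive | Format-Table Path, Attributes, Length, SHA256 -AutoSize
        # Point your antivirus command-line scanner at (Get-SviPath $drive) here.
    } finally {
        Revoke-SviAccess $drive
    }
}
```

The `try`/`finally` is the point of scripting this rather than clicking through the Security tab: step f is the one people forget, and leaving an extra Full Control entry on the System Restore store is a permanent widening of who can tamper with restore points.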
 

LGM extreme
Aug 27, 2010
OK, to anyone who comes across this issue where on start-up a run box pops up asking you to run an application, which for me was located in c:users/george/appdata/roaming/hidserv.exe:
Most of you will not be able to find this file no matter how much you look.
I followed what one of the previous posts said about opening Folder Options, un-ticking the option that hides system hidden files, and saving.
Now go to the location where the file was supposed to be and hopefully you will see the file with the ghosted hidden-file look on the icon. DELETE THE MOFO!!
As long as you never ran the app it should have done no damage to the system files or mirrored itself.
Just for safe keeping, make a new system restore point after removing it from your bin and clean the system with whatever you please.

Hope this helps anyone in the future.

LGM

http://www.youtube.com/user/lordgeorgemaster?feature=mhum
 