
Please add C:\System Volume Information\_restore to quick scan



  • Staff

When I did IT for a living, these were the steps I took whenever a system was infected:

Clear malware

Confirm system stability

Clear System Restore and set a new restore point

IMO, doing anything malware-cleanup related in System Restore is at best pointless and at worst dangerous (as screen317 has mentioned). To be honest, unless you are using it to restore, or clearing it to set a new clean start point, there is no reason to ever touch it.

Keep in mind that malware is not alive and won't run on its own. Once you relocate the infected files to a location where they can't run (like System Restore or quarantine), they are effectively crippled, as there is no longer anything telling them to execute.


So these files:

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP694\A0112216.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP714\A0115159.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP714\A0115329.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP714\A0115493.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP714\A0115656.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP722\A0118938.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

cannot execute from the _restore directory?

I also noticed that MBAM identified about 8 of my VB6 test projects (all executables named Project1.exe) as (Trojan.Downloader). I assume this was flagged strictly by filename and not by file contents... but as a VB6 programmer, cleaning up all selected would have deleted all of these files even though they aren't malware.



About those restore points...

If you decide to take the risk, you can erase all your restore points by doing this:

Start -> Control Panel -> System -> System Restore tab -> Uncheck the first little box about disabling System Restore. Those restore points will be erased when you do that. Then just check the box again and save.

(I recommend you do a full scan of your computer just to make sure that your first restore point won't be infected.)

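The staff poster's third step (clear System Restore, then set a new restore point) and the Control Panel sequence in the post above, written out as an added PowerShell example. This is not code from the thread or from Malwarebytes. It assumes Windows Vista or later with Windows PowerShell (the thread's machine is XP, where the same reset is done through the Control Panel checkbox; XP keeps restore points as the `_restore{GUID}\RPnnn` folders seen in the log, while Vista and later keep them as VSS shadow copies), an elevated session, and that the system drive is C:. The cmdlets used (`Get-ComputerRestorePoint`, `Disable-ComputerRestore`, `Enable-ComputerRestore`, `Checkpoint-Computer`) ship with Windows PowerShell; the `SystemRestorePointCreationFrequency` registry value is the documented way to lift the once-per-24-hours limit on point creation, and leaving it at 0 afterwards is an assumption you may not want. Run it only after the live infection has been cleaned and the machine confirmed stable, as the post recommends.

```powershell
# Added example (not from the thread). Discards all restore points on a drive,
# re-enables System Restore and creates a single clean baseline point.
# Assumes: Windows Vista+ with Windows PowerShell, elevated session, drive C:.

$SystemRestoreKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'

function Get-RestorePointSummary {
    # Lists the restore points Windows currently holds. Get-ComputerRestorePoint
    # returns SystemRestore WMI objects; ConvertToDateTime turns the WMI timestamp
    # into a readable DateTime.
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = $_.ConvertToDateTime($_.CreationTime)
            Type        = $_.RestorePointType
            Description = $_.Description
        }
    }
}

function Reset-SystemRestoreBaseline {
    param(
        [string]$Drive = 'C:\',
        [string]$Description = 'Clean baseline after malware removal'
    )

    $before = @(Get-RestorePointSummary)
    Write-Host ("Discarding {0} existing restore point(s) on {1}" -f $before.Count, $Drive)

    # Turning System Restore off for a drive deletes every restore point on it,
    # which is exactly what the Control Panel checkbox in the thread does.
    # Re-enabling it starts from an empty set, so no infected copy from an old
    # restore point can be rolled back in later.
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive

    # Windows 8 and later silently skip restore point creation if one was made
    # in the last 24 hours unless this value is 0. Assumption: leaving it at 0
    # is acceptable on this machine; restore it afterwards if not.
    Set-ItemProperty -Path $SystemRestoreKey -Name 'SystemRestorePointCreationFrequency' `
        -Value 0 -Type DWord

    # The new clean start point.
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

    # Verify: after a reset there should be exactly one point, the one just created.
    $after = @(Get-RestorePointSummary)
    if ($after.Count -ne 1) {
        Write-Warning ("Expected exactly one restore point after reset, found {0}; check Event Viewer for System Restore errors" -f $after.Count)
    }
    $after
}

Reset-SystemRestoreBaseline -Drive 'C:\' | Format-Table -AutoSize
```

On Vista and later, `vssadmin list shadows` (run elevated) is the equivalent of looking in `System Volume Information`: before the reset it lists one shadow copy per restore point, afterwards only the new baseline should remain. Nothing in this script touches the infected files themselves; as the staff post says, copies sitting in an old restore point are not executed by anything, and discarding the points is only about making sure a future rollback cannot bring them back.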

  • 1 year later...

So these files:

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP694\A0112216.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP714\A0115159.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP714\A0115329.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP714\A0115493.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP714\A0115656.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP722\A0118938.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

cannot execute from the _restore directory?

I also noticed that MBAM identified about 8 of my VB6 test projects (all executables named Project1.exe) as (Trojan.Downloader). I assume this was flagged strictly by filename and not by file contents... but as a VB6 programmer, cleaning up all selected would have deleted all of these files even though they aren't malware.

No, they cannot. It's best to just clear them and make a new one. :)

I'm a developer myself and see these all the time. The MD5 hash was probably similar to something it detects. False positives are common for project files.

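The two questions in this thread, whether the `_restore` hits need any attention and whether the Project1.exe hits are false positives, come down to sorting a scan log into restore-point copies and live files, and then checking the live ones before deleting anything. The following is an added PowerShell example, not code from the thread or from Malwarebytes. It parses lines in the shape of the log excerpt above (`<path> (<threat>) -> <action>.`; the regex is my own reading of that excerpt, not a published log specification), separates hits under `System Volume Information\_restore{GUID}\RPnnn` from everything else, and for live files that still exist prints a SHA-256 hash and Authenticode status so a suspected false positive can be compared against a known-good build or submitted to the vendor. The sample log is constructed: the `_restore` lines are copied from the post, the `C:\Dev\VB6\...\Project1.exe` paths and the `No action taken` result are assumed. `Get-FileHash` needs PowerShell 4 or later.

```powershell
# Added example (not from the thread). Sorts scan-log hits into restore-point
# copies and live files, and hashes the live ones before any cleanup decision.

# Constructed sample log. The first two lines are from the post; the
# Project1.exe paths and the "No action taken" result are assumed.
$SampleLog = @'
C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP694\A0112216.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{035ECB19-E361-4A02-9D2B-6067518989F7}\RP714\A0115159.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dev\VB6\Test1\Project1.exe (Trojan.Downloader) -> No action taken.
C:\Dev\VB6\Test2\Project1.exe (Trojan.Downloader) -> No action taken.
'@

# XP keeps restore-point copies under _restore{GUID}\RPnnn. Nothing executes
# files from there; they only matter if the point is rolled back.
$RestorePointPattern = '\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\'

function ConvertFrom-ScanLogLine {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        # Assumed line shape: "<path> (<threat>) -> <action>."  Paths may contain
        # parentheses (e.g. "Program Files (x86)"); the lazy path group backtracks
        # until ") -> " follows, so those still parse.
        if ($Line -match '^(?<Path>.+?) \((?<Threat>[^()]+)\) -> (?<Action>.+?)\.?$') {
            $path = $Matches['Path']; $threat = $Matches['Threat']; $action = $Matches['Action']
            [pscustomobject]@{
                Path           = $path
                Threat         = $threat
                Action         = $action
                InRestorePoint = [bool]($path -match $RestorePointPattern)
            }
        }
    }
}

function Get-LiveHitReport {
    param([string[]]$Lines)

    $hits    = @($Lines | Where-Object { $_.Trim() } | ConvertFrom-ScanLogLine)
    $restore = @($hits | Where-Object { $_.InRestorePoint })
    $live    = @($hits | Where-Object { -not $_.InRestorePoint })

    Write-Host ("{0} hit(s) inside restore points (inert; handle by clearing System Restore), {1} live hit(s) to check" -f $restore.Count, $live.Count)

    foreach ($h in $live) {
        $exists = Test-Path -LiteralPath $h.Path
        # Hash and signature let you compare a flagged build against a known-good
        # copy and give the vendor something concrete for a false-positive report.
        # If several Project1.exe builds all hash differently yet carry the same
        # detection, the match is not an exact-hash one.
        $hash = if ($exists) { (Get-FileHash -LiteralPath $h.Path -Algorithm SHA256).Hash } else { '<file not present>' }
        $sig  = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $h.Path).Status } else { 'n/a' }
        [pscustomobject]@{
            Path      = $h.Path
            Threat    = $h.Threat
            Action    = $h.Action
            SHA256    = $hash
            Signature = $sig
        }
    }
}

Get-LiveHitReport -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

To run it against a real log, replace the constructed `$SampleLog` with `Get-Content -LiteralPath <logfile>`. On a machine that does not have the assumed paths, the live rows show `<file not present>`, which is the expected result of the sample; the point of the split is that only the live rows need a decision, while the restore-point rows are dealt with by the reset in the earlier posts.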