topic Re: Found a kuang2 file in pc off internet for the past 3 years. in Tech Outpost

Found a kuang2 file in pc off internet for the past 3 years.

desperatando — Thu, 19 Jan 2012 11:35:15 GMT

Hello, I always had strong intrusion problems with all my systems surfing in the net, mainly with trojans. Always used firewall, antivirus, anti-malware, non-signature anti-malware and they found nothing but I was finding and erasing trojans with online downloaded scanners such as Adaware, Spyware doctor etc. In 2009 I disconnected my desktop with lots of problems, remote shut down, calendar date and time randomly changing, vertical bars of browsers, notepad and wordpad dancing up and down stopping me from writing and reading etc. I kept it off-line since then and incidentally, the calendar stopped to change randomly immediately and up to now works all right. Now I scanned with a 2010 antivirus, and found among other things I erased, a kuang2 file in system volume information folder. I hesitated to erase cause the antivirus instruction manual says if something erased destabilizes windows maybe 'll have to reinstall them. Did not know if system volume information folder is part of the operating system of windows and searched a little in the net where I found https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080421114858EN&lg=english&ct=united+states&product=home&version=1&pvid=f-home&entsrc=redirect_pubweb. I believe I read before that, IF YOU CANNOT DELETE A VIRUS , FROM SYSTEM VOLUME INFORMATION FOLDER then follow instructions as follows. So my question is should I first take the option "delete" of my antivirus (it proposes only two, erase and locate) and see what happens, or go straight to shutting down and reopening system restore? Is it possible to destabilize windows or corrupt whole system volume information folder if I erase infected file with antivirus? I asked the antivirus support but they never answered to me. I consider that shutting down and reopening the system restore will result to not being able to undo this, if anything goes wrong... Tks for any answer asap

Re: Found a kuang2 file in pc off internet for the past 3 years.

SUBASH_PRABU — Thu, 19 Jan 2012 14:04:02 GMT

Removing a file in the System Volume information will only affect your computer from restoring to a previous date and it will not destabilize the system. After a viral infection recommended is to turn off the system restore then turn it back on to delete the volume information data then scan your computer with a latest version of the AV.

Re: Found a kuang2 file in pc off internet for the past 3 years.

SendOfJive — Thu, 19 Jan 2012 19:03:52 GMT

Hi desperatando,

Any threat that has been backed up into a System Restore point is harmless unless you perform a System Restore operation using that restore point. Windows does not allow files in System Volume Information to be modified, so attempting to remove anything will be either unsuccessful, or will possibly corrupt the restore point. Your options are:

1. Ignore it. If you do ever restore to that point Norton Auto-Protect will detect any restored threats and remove them.

2. Turn off System Restore and turn it back on to remove all restore points.

3. Remove all but the most recent restore point as explained here:

http://support.microsoft.com/kb/555367

Re: Found a kuang2 file in pc off internet for the past 3 years.

huwyngr — Thu, 19 Jan 2012 22:46:07 GMT

SoJ,

As a matter of interest, when one says:

2. Turn off System Restore and turn it back on to remove all restore points.

is it like other deletes where the reference to the file or its location is removed but the file itself can still be on the disk?

So that although one could no longer find an entry to go back to that condition in the control for System Restore the infected file would still be present ..... and does it matter from a security point of view?

Re: Found a kuang2 file in pc off internet for the past 3 years.

SUBASH_PRABU — Thu, 19 Jan 2012 23:07:02 GMT

Hi Hugh

System Restore is a snapshot of the status of the Computer at a particular instance. So if the Computer is infected at that instance, then when you are doing the restore the Computer will restore all the files irrespective of good/bad files. Which might make the situation worse. So that's why people suggest to turn off system restore and turn it back on when the computer is infected, Because you might not know since when the infection is there. Thought of adding some info.

EDIT: once the files in sys volume info gets deleted you will lose your restore points as the files will get purged once you turn off the system Restore

Re: Found a kuang2 file in pc off internet for the past 3 years.

huwyngr — Thu, 19 Jan 2012 23:54:07 GMT

Subash,

I understand the background and so on but my question related to physical files that would be called up with a given System Restore in order to recreate the snapshot.

System Restore is as I see it like a script that will issue a series of commands. Delete the System Restore entries and you delete the instructions but does it not still leave infected files?

Like deleting a library catalog still leaves the books on the shelf!

Re: Found a kuang2 file in pc off internet for the past 3 years.

SendOfJive — Fri, 20 Jan 2012 02:20:01 GMT

If a restore point containing a virus is deleted, the virus will be gone. If it were lurking in other areas, the scan that spotted it in SVI would have detected it in the other folders, as well.

Also, it is best not to turn off System Restore prior to removal of an active infection. Once the system is cleaned up, then the restore points should be cleared. Things can go horribly wrong during malware removal and you are better off having a restore point you can use if necessary - even if it is infected - than no restore points at all.

Re: Found a kuang2 file in pc off internet for the past 3 years.

huwyngr — Fri, 20 Jan 2012 02:35:19 GMT

SoJ

Thanks -- so the Restore Point actually contains files and not just pointers to them?

Good point about "better than nonw".

Re: Found a kuang2 file in pc off internet for the past 3 years.

SUBASH_PRABU — Fri, 20 Jan 2012 03:31:52 GMT

Hi Hugh

Sorry for the late reply. The files in the volume info are protected by Windows File protection and once the restore points gets deleted by turning the sys restore OFF, the files associated with the older restore points will get deleted automatically once the allocated size for the system restore exceeds. Other Programs cannot play with the system restore files when they are under the protection of WFP and once their Restore points get deleted they can be modified by other programs, So that the AV Program can remove the nasties in that folder. By default the system will make a snapshot of the Computer randomly for the Last Known Good Configuration at those times these orphaned files will get removed and cleaned up by the Windows itself.

You can recover those files without the restore point entry using the recovery console in the command mode. But it should be done within a less interval before the Windows cleans-up those files.

Re: Found a kuang2 file in pc off internet for the past 3 years.

huwyngr — Fri, 20 Jan 2012 16:18:04 GMT

Subash,

So if I understand correctly, my analogy with deleting a library catalog is valid and deleting Restore Points leaves files that might be infected; it is not a remedy for the infection but would stop one from using the Restore Point system and still having an infected system, just like the books are still on the shelves in the library.

In other words -- if you do delete the Restore Points you need to run a full system scan .....

Re: Found a kuang2 file in pc off internet for the past 3 years.

desperatando — Fri, 20 Jan 2012 20:16:49 GMT

It is as I said a pc I kept off line since 2009. Restore points available are from now and back to 4 months only. But it 's impossible that the infection occurred during the last 4 months off the net and not 3 years ago, besides kuang2 is an old trojan comparatively.

So it's rather sure that the infected restore point is prior to the 4 months available to restore now, and thus I can never return there.

The problem that arises it's I want to install a new AV and before that I scanned for infections, given that I know there were such.

Do not want to install AV on infected system.

As for the rest, I see that everybody that argued before, afterwards accepted the first answer, that is delete infected file through AV, shut down and reopen system restore and rescan.

I only do not understand why AV did not detect the infected file itself but the address of it so to speak in system volume information folder.

Re: Found a kuang2 file in pc off internet for the past 3 years.

SUBASH_PRABU — Fri, 20 Jan 2012 21:03:15 GMT

Hi Hugh

You got it correctly.

Hi desperatando

The windows will create System Restore points automatically by taking snapshot of the windows files, disregard of good/bad or virus files. And those files were protected by WFP (Windows File Protection) , which will not allow other softwares or AV's to modify or remove them. That's why they are pointing their hands towards sys volume info if a threat has been detected.

Re: Found a kuang2 file in pc off internet for the past 3 years.

huwyngr — Fri, 20 Jan 2012 23:53:21 GMT

Phew!