Visitor
desperatando
Posts: 4
Registered: 10-15-2009

Found a kuang2 file in pc off internet for the past 3 years.

Hello, I have always had strong intrusion problems with all my systems surfing the net, mainly with trojans. I always used a firewall, antivirus, anti-malware and non-signature anti-malware, and they found nothing, but I was finding and erasing trojans with online downloaded scanners such as Ad-Aware, Spyware Doctor etc. In 2009 I disconnected my desktop, which had lots of problems: remote shutdown, calendar date and time randomly changing, the vertical bars of browsers, Notepad and WordPad dancing up and down and stopping me from writing and reading, etc. I have kept it offline since then and, incidentally, the calendar stopped changing randomly immediately and up to now works all right. Now I scanned with a 2010 antivirus and found, among other things I erased, a kuang2 file in the System Volume Information folder. I hesitated to erase it because the antivirus instruction manual says that if something erased destabilizes Windows, I may have to reinstall it. I did not know if the System Volume Information folder is part of the Windows operating system and searched a little on the net, where I found https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080421114858EN&lg=engl... I believe I read before that, IF YOU CANNOT DELETE A VIRUS FROM THE SYSTEM VOLUME INFORMATION FOLDER, then follow the instructions as given there. So my question is: should I first take the "delete" option of my antivirus (it proposes only two, erase and locate) and see what happens, or go straight to shutting down and reopening System Restore? Is it possible to destabilize Windows or corrupt the whole System Volume Information folder if I erase the infected file with the antivirus? I asked the antivirus support but they never answered me. I consider that shutting down and reopening System Restore will result in not being able to undo this, if anything goes wrong... Thanks for any answer ASAP.
SUBASH_PRABU
Posts: 2,076
Kudos: 252
Solutions: 90
Registered: 05-31-2011

Re: Found a kuang2 file in pc off internet for the past 3 years.

Hi

   Removing a file from the System Volume Information folder will only prevent your computer from restoring to a previous date; it will not destabilize the system. After a viral infection, the recommendation is to turn off System Restore, then turn it back on to delete the volume information data, then scan your computer with the latest version of the AV.

SendOfJive
Posts: 9,972
Kudos: 4,219
Solutions: 709
Registered: 02-07-2009

Re: Found a kuang2 file in pc off internet for the past 3 years.


Hi desperatando,


Any threat that has been backed up into a System Restore point is harmless unless you perform a System Restore operation using that restore point.  Windows does not allow files in System Volume Information to be modified, so attempting to remove anything will be either unsuccessful, or will possibly corrupt the restore point.  Your options are:


1.  Ignore it.  If you do ever restore to that point Norton Auto-Protect will detect any restored threats and remove them.

2.  Turn off System Restore and turn it back on to remove all restore points.

3.  Remove all but the most recent restore point as explained here:

     http://support.microsoft.com/kb/555367
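One way to carry out option 2 from a PowerShell prompt, as an added example that is not from this thread. It assumes an elevated PowerShell on a Windows version that ships the Microsoft.PowerShell.Management restore cmdlets, System Restore enabled on C:\, and that the AV scan and cleanup have already finished, so the fresh checkpoint taken at the end is a clean one.

```powershell
# Added example: inventory the current restore points, clear them all by
# toggling System Restore off and on for the system drive, then create a
# fresh post-cleanup checkpoint.
# Assumptions: elevated PowerShell, System Restore enabled on C:\.
$drive = "C:\"

# 1. Inventory the existing restore points before touching anything, so the
#    one flagged by the AV (and its age) is on record.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
        @{ Name = "Created"; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 2. Option 2 from the post: turning System Restore off discards every
#    restore point on the drive, including any that backed up an infected file.
Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore  -Drive $drive

# 3. Take a known-good checkpoint right away, so there is something to fall
#    back on if a later cleanup step goes wrong.
Checkpoint-Computer -Description "Post-cleanup baseline" -RestorePointType MODIFY_SETTINGS

# 4. Confirm that only the new point remains.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description
```

On Windows 8 and later, Checkpoint-Computer will not create a second restore point within 24 hours of the previous one unless that frequency limit is changed, so step 3 can be skipped with a warning if a point was taken recently.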

huwyngr
Posts: 19,149
Topics: 911
Kudos: 2,360
Solutions: 338
Registered: 04-13-2008

Re: Found a kuang2 file in pc off internet for the past 3 years.

SoJ,


As a matter of interest, when one says:


     2.  Turn off System Restore and turn it back on to remove all restore points.


is it like other deletes where the reference to the file or its location is removed but the file itself can still be on the disk?


So that although one could no longer find an entry to go back to that condition in the control for System Restore the infected file would still be present ..... and does it matter from a security point of view?



Hugh
SUBASH_PRABU
Posts: 2,076
Kudos: 252
Solutions: 90
Registered: 05-31-2011

Re: Found a kuang2 file in pc off internet for the past 3 years.


Hi Hugh

      System Restore is a snapshot of the status of the computer at a particular instant. So if the computer is infected at that instant, then when you do the restore the computer will restore all the files, irrespective of good/bad files, which might make the situation worse. That's why people suggest turning off System Restore and turning it back on when the computer is infected, because you might not know since when the infection has been there. Thought of adding some info.


EDIT: once the files in System Volume Information get deleted you will lose your restore points, as the files will get purged once you turn off System Restore.

huwyngr
Posts: 19,149
Topics: 911
Kudos: 2,360
Solutions: 338
Registered: 04-13-2008

Re: Found a kuang2 file in pc off internet for the past 3 years.

Subash,


I understand the background and so on but my question related to physical files that would be called up with a given System Restore in order to recreate the snapshot.


System Restore is as I see it like a script that will issue a series of commands. Delete the System Restore entries and you delete the instructions but does it not still leave infected files?


Like deleting a library catalog still leaves the books on the shelf!



Hugh
SendOfJive
Posts: 9,972
Kudos: 4,219
Solutions: 709
Registered: 02-07-2009

Re: Found a kuang2 file in pc off internet for the past 3 years.

If a restore point containing a virus is deleted, the virus will be gone.  If it were lurking in other areas, the scan that spotted it in SVI would have detected it in the other folders, as well.


Also, it is best not to turn off System Restore prior to removal of an active infection.  Once the system is cleaned up, then the restore points should be cleared.  Things can go horribly wrong during malware removal and you are better off having a restore point you can use if necessary - even if it is infected - than no restore points at all.

huwyngr
Posts: 19,149
Topics: 911
Kudos: 2,360
Solutions: 338
Registered: 04-13-2008

Re: Found a kuang2 file in pc off internet for the past 3 years.

SoJ


Thanks -- so the Restore Point actually contains files and not just pointers to them?


Good point about "better than none".



Hugh
SUBASH_PRABU
Posts: 2,076
Kudos: 252
Solutions: 90
Registered: 05-31-2011

Re: Found a kuang2 file in pc off internet for the past 3 years.


Hi Hugh

     Sorry for the late reply. The files in the volume info are protected by Windows File Protection, and once the restore points get deleted by turning System Restore OFF, the files associated with the older restore points will get deleted automatically once the allocated size for System Restore is exceeded. Other programs cannot play with the System Restore files while they are under the protection of WFP; once their restore points get deleted they can be modified by other programs, so that the AV program can remove the nasties in that folder. By default the system will randomly make a snapshot of the computer for the Last Known Good Configuration, and at those times these orphaned files will get removed and cleaned up by Windows itself.

    You can recover those files without the restore point entry using the Recovery Console in command mode. But it should be done within a short interval, before Windows cleans up those files.

huwyngr
Posts: 19,149
Topics: 911
Kudos: 2,360
Solutions: 338
Registered: 04-13-2008

Re: Found a kuang2 file in pc off internet for the past 3 years.

Subash,


So if I understand correctly, my analogy with deleting a library catalog is valid and deleting Restore Points leaves files that might be infected; it is not a remedy for the infection but would stop one from using the Restore Point system and still having an infected system, just like the books are still on the shelves in the library.


In other words -- if you do delete the Restore Points you need to run a full system scan .....



Hugh