Arrrgh! Spybot Worm!


  #1  
Old 10-26-03, 08:23 AM
E
Member
Thread Starter
Join Date: Mar 2002
Location: Ontario, Canada
Posts: 587
Received 0 Votes on 0 Posts
Arrrgh! Spybot Worm!

After recently upgrading from ME to XP, installing a new hard drive and cleaning up everything (I thought), I apparently have, what is described by my AVG Virus Checker, a Worm/Spybot.

I know where it is -- C:\System Volume Information -- but I and AVG are denied access to that directory.

I tried opening a DOS window but the directory does not display.

Do I need to boot to DOS from a floppy? If so, what is the syntax for changing the attributes of that directory so that it becomes accessible?
 
  #2  
Old 10-26-03, 08:32 AM
C
Member
Join Date: Nov 2001
Location: Taylors, SC
Posts: 9,483
Received 0 Votes on 0 Posts
In XP, select start, type run, type 'command', press enter, to generate a dos window.

In the file path 'attrib -h -a <filename>' will turn off the hidden and archive bits on a file so that you can see them and manipulate them.

Hope this helps.
 
  #3  
Old 10-26-03, 08:44 AM
E
Member
Thread Starter
Join Date: Mar 2002
Location: Ontario, Canada
Posts: 587
Received 0 Votes on 0 Posts
Thanks Chris but as I said, I can't see the directory 'System Volume Information' in the DOS window so I can't change the attributes -- if I could I would, since you told me how :-)
 

Last edited by SafeWatch; 10-26-03 at 02:24 PM.
  #4  
Old 10-26-03, 10:07 AM
C
Member
Join Date: Nov 2001
Location: Taylors, SC
Posts: 9,483
Received 0 Votes on 0 Posts
C:\>attrib -h -a \System Volume Information
will turn off the hidden and archive bits for the directory in question.

Hope this helps.
 
  #5  
Old 10-26-03, 10:39 AM
E
Member
Thread Starter
Join Date: Mar 2002
Location: Ontario, Canada
Posts: 587
Received 0 Votes on 0 Posts
Ok Chris, I tried what you suggested but I keep getting Parameter Format Not Correct.

(I tried a bunch of other combinations too but no go)

Chris
 
  #6  
Old 10-26-03, 05:06 PM
C
Member
Join Date: Nov 2001
Location: Taylors, SC
Posts: 9,483
Received 0 Votes on 0 Posts
Editor,

I forgot to remind you about the 8.3 naming convention that applies to DOS. DOS names are limited to a file name of eight characters with an extension of three characters. Long File Names do not work under DOS. Under 8.3, the name of the file is c:\System~1
Here is the exercise again:

Start, Run 'Command'
(DOS box opens)
c:\whatever> cd\
c:\>
C:\>attrib c:\System~1
SH C:\System Volume Information
(This is a System file and is Hidden)
C:\>attrib -s -h c:\System~1

(this will remove the System File attribute and the Hidden File attribute)

Be sure to reset the attributes, when you finish.
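
How the `System~1` alias used in post #6 comes about, as an added example that is not part of the thread: a simplified Python model of 8.3 short-name generation. The function name `short_name` and the sample names are constructed for illustration; the hash-based aliases Windows uses after four collisions are not modelled.

```python
def short_name(long_name, existing=()):
    """Return the 8.3 alias a long name would get (simplified model).

    Assumptions of this sketch: spaces are dropped, only the last dot
    separates the extension, and the ~5-and-later hash form is not modelled.
    `existing` holds short names already used in the same directory.
    """
    taken = {n.upper() for n in existing}
    name = long_name.replace(" ", "").lstrip(".").upper()
    base, dot, ext = name.rpartition(".")
    if not dot:                      # no extension present
        base, ext = name, ""

    def join(b, e):
        return b + "." + e if e else b

    # A name that already obeys 8.3 is used unchanged (upper-cased).
    if (" " not in long_name and "." not in base
            and 1 <= len(base) <= 8 and len(ext) <= 3):
        return join(base, ext)

    base = base.replace(".", "")[:6]  # keep the first six characters
    ext = ext[:3]                     # extension is cut to three
    for n in range(1, 5):             # ~1 .. ~4, first free one wins
        candidate = join(base + "~" + str(n), ext)
        if candidate not in taken:
            return candidate
    raise ValueError("more than four collisions: hash-based alias not modelled")


if __name__ == "__main__":
    # Constructed sample names, not taken from a real volume listing.
    for sample in ("System Volume Information", "Documents and Settings",
                   "restore point.backup", "command.com"):
        print(sample, "->", short_name(sample))
```

The alias actually assigned on a given volume is shown by `dir /x /a C:\`; short-name creation can be disabled on a volume, in which case no alias exists.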
 
  #7  
Old 10-29-03, 08:05 AM
Forums Admin
Visiting Guest
Posts: n/a
On Win2K, WinXP, & Win2003 each drive contains the System Volume Information directory; the directory is used for various OS functions. By default, nobody but the OS (this includes the administrator) has access to the System Volume Information directory.

It would be in your best interest not to change directory permissions or remove the directory. Altering or modifying the directory could lead to loss of data and could lead to corrupting the OS.

The System Volume Information directory contains NTFS metadata & the Encrypted File System, to name a few, and is used by the Index Server service. On WinXP & Win2003 the directory is also used by the System Restore service.

The virus is most likely in the System Restore files, which can be removed by turning off System Restore.

Go to Control Panel > System > System Restore Tab - click on 'Turn off System Restore on all drives', reboot, then re-enable SR and re-boot again.

This will delete all of your Restore Points, including any corrupted or virus infected one(s), and allow you to start with a clean slate.
 

Last edited by Forums; 10-29-03 at 01:26 PM.
  #8  
Old 10-29-03, 02:42 PM
E
Member
Thread Starter
Join Date: Mar 2002
Location: Ontario, Canada
Posts: 587
Received 0 Votes on 0 Posts
I turned off System Restore a little while ago, following advice from a worm removal site I came across. I didn't know about the NTFS thing until I tried to boot to a DOS disk--no C: drive! A co-worker explained that my drive was still there but it couldn't be recognised by the DOS boot. In any case, I never got around to changing the attributes of the directory. If I did, I was only going to allow my virus checker access to it.

The virus warning hasn't been showing up since then but I wasn't sure if it was gone. So you are saying that just turning System Restore back on will eliminate the bad file? (I hope so :-)

Chris
 
  #9  
Old 10-30-03, 12:11 PM
Forums Admin
Visiting Guest
Posts: n/a
When you turn off System Restore and reboot the computer, all of your restore points are deleted when the system restarts.

When you restart the System Restore service the next time Windows is started, new restore points are created.

Turning the System Restore service back on is not an absolute requirement to fix the problem.
 
  #10  
Old 10-30-03, 03:13 PM
E
Member
Thread Starter
Join Date: Mar 2002
Location: Ontario, Canada
Posts: 587
Received 0 Votes on 0 Posts
Thanks Robert :-)

Chris
 
 
