Solved

C:\System Volume Information\_restore

Posted on 2006-06-12
Last Modified: 2012-05-05
Anytime I run a scan (ewido, AVG, ad-ware, really any scanner) I notice a TON of files in C:\System Volume Information\_restore followed by a lot of letters and numbers... I d/l the new Windows Defender and ran a scan and it found some threats that none of my other scanners found, like, for example, MarketScoreRevlanevent, something like that, and some others. The alert level on some of these was Severe, and some were High...

What are these files...? I've looked and looked for this folder where these files are and I can't find 'em. I did the "show hidden files thing" and all that, still no luck...

Also one more thing, while I wuz' runnin' Windows Defender, my AVG virus program popped up a few times saying it detected trojans, so I cleaned them...

So what's the deal?
0
Question by:Monkeyrod
14 Comments
 
LVL 27

Expert Comment

by:Tolomir
Please take a look at:

http://www.theeldergeek.com/system_volume_information_folder1.htm

In short:

If you've done much wandering around in Windows Explorer you might have noticed a folder called System Volume Information and wondered what purpose it serves. It's actually a part of System Restore; the tool that allows you to set points in time to roll back your computer. The System Volume Information folder is where XP stores these points and associated information that makes them accessible. If you have System Restore enabled but don't see this folder, go into [Tools] [Folder Options] [View] and click the radio button next to [Show Hidden Files and Folders] and it will be visible.

All the information can be found there; I don't want to copy & paste it completely.

Tolomir
0
 
LVL 27

Expert Comment

by:Tolomir
This is some more information about viruses residing in that folder:

http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000092513515106

Norton AntiVirus detected a virus in the _RESTORE or the System volume information folder, but it cannot repair, quarantine, or delete the infected file.

Solution:
About System Restore
Windows uses System Restore to restore files on your computer in case they become damaged. System Restore is enabled by default. Windows Me keeps the restore information in the _RESTORE folder. Windows XP stores this information in the System volume information folder. These folders are updated when the computer restarts. If the computer is infected with a virus, the virus could be backed up in these folders.

Repairing System Restore
By default, Windows prevents System Restore from being modified by outside programs. Because of this, any repair attempts made by Norton AntiVirus will fail. To work around this, you must disable System Restore, and restart the computer. This will purge the contents of the _RESTORE or System volume information folder. You must then run a full system scan. To do this, find your operating system in the list below and follow the steps.

Tolomir
0
 

Author Comment

by:Monkeyrod
Ok I understand system restore (it's saved me a hundred times!), but it seems like I should delete the really old ones...is this safe??
0
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 100 total points
Yes, of course, all you lose is the ability to restore back to those old "backups".

0
 

Author Comment

by:Monkeyrod
I cannot find the folder that system volume info. is in, I have XP Home Edition SP2...I looked at the first link you gave me and it says if you have NTFS file system you have to use msconfig and all that crap, or use safe mode...

Before I do that, where should this folder be located?
0
 
LVL 10

Assisted Solution

by:GuruGary
GuruGary earned 200 total points
I don't know of a way to selectively delete restore points.  I think you have 2 choices: Delete ALL the restore points, or delete all restore points except for the most current restore point.  Here are instructions:

To delete all restore points except the latest one, use the Disk Cleanup utility. Click Start, All Programs, Accessories, System Tools, and then Disk Cleanup. Click on the more options tab and then select Clean up in the System Restore dialog box.

To delete all the restore points on your computer, disable and re-enable system restore on the system. Click Start, Control Panel, and then the System icon. Click on the System Restore tab in the dialog box, select the Turn off System Restore check box, and click Apply. Clear the check box again to re-enable System Restore and then click OK.
0
 
LVL 6

Assisted Solution

by:DCreature
DCreature earned 100 total points
These folders are usually hidden. You probably had viruses / adware in the past, which System Restore saved together with the restore data in case your computer ever needs to be restored to a previous state.

However, because your restore data has those nasties, you wouldn't want to keep the previous restore data.

Basically what you have to do is to turn off System Restore following these steps:

1) Go to System Properties, click on the System Restore tab, click on the Turn off System Restore (or it may appear as Turn off System Restore on All drives) checkbox. Click Apply, click OK.

2) If it asks you to restart the computer, save all your work and restart your computer.

3) Once you log on to Windows again, the restore data will have been deleted together with those nasties.

4) You now want to go back into System Properties and uncheck the checkbox in order to turn System Restore back on again, then restart your computer.

5) To be safe, once you log on to Windows, go to the System Restore (Start > All Programs > Accessories > System Tools > System Restore) tool. Then save restore data if possible to keep yourself safeguarded from future failures.

Though System Restore has saved you many times in the past, I would recommend taking a Ghost image of your drive every two weeks or so, as a secondary measure; it's well worth it.
0

 
LVL 6

Assisted Solution

by:Booda2us
Booda2us earned 100 total points
Here is a link to help you gain access to the 'C:/system volume information' folder:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q309531
Here is a workaround to view SVI for Win XP Professional using NTFS File System on a Standalone Computer:
 1. Click Start, and then click My Computer.
 2. On the Tools menu, click Folder Options.
 3. On the View tab, click Show hidden files and folders.
 4. Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change.
 5. Clear the Use simple file sharing (Recommended) check box.
 6. Click OK.
 7. Right-click the System Volume Information folder in the root folder, and then click Properties.
 8. Click the Security tab.
 9. Click Add, and then type the name of the user to whom you want to give access to the folder. Typically, this is the account with which you are logged on. Click OK, and then click OK.
 10. Double-click the System Volume Information folder in the root folder to open it.

There is an SVI file on every partition on the HDD....Hope this helps ya out.....Booda2us
0
 

Author Comment

by:Monkeyrod
I tried GuruGary's idea of using disk cleanup (because it looked the most simple), and I think that took care of it
0
 
LVL 25

Expert Comment

by:Ron M
When running any kind of antivirus/spyware on a Windows XP machine...it is recommended to turn off system restore.  Otherwise your system restore will make backup copies of deleted files, even if they are viruses.  Then every time you run a scan, you will get notified of these files in the _restore directory.

If you plan on restoring to a previous point anytime soon...you should not disable system restore...but rather....boot into safe mode, by pressing F8 on startup....then run your antivirus/spyware scan.
0
 

Author Comment

by:Monkeyrod
OK now I'm confused, when I run my antivirus program (AVG), Ewido, or ad-ware, does it put these backup copies in the same place that I would create my own restore point manually, or when Windows makes a restore point when I uninstall some programs... I would like to know this so when I delete old restore points using disk cleanup, it will delete all these files...
0
 
LVL 10

Expert Comment

by:GuruGary
From the Disk Cleanup utility, click on the "more options" tab and then select Clean up in the System Restore dialog box.
0
 
LVL 10

Accepted Solution

by:
GuruGary earned 200 total points
Or if you are trying to make sure all the bad files from all the programs get deleted, then clear your AntiVirus vault from AVG, then clear your Ewido quarantine, then clear your Ad-Aware quarantine, then clean up your old restore points.
0
 
LVL 10

Expert Comment

by:bbrunning
Disable systems restore:
Right-Click my computer/Properties/System Restore

Click the check box to disable system restore.

Reboot in safe mode and run all your scans.

Reboot in normal mode and enable system restore

Right-Click my computer/Properties/System Restore

Uncheck the box to re-enable restore.

Create a restore point from the current point. If the scan found all the spyware then you should be okay and not find anymore spyware in that directory.

Search Google for these for scanning
Spybot
adaware
scanspyware - not free but finds a ton the other 2 don't
and of course windows defender
0
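
Whether a scan's detections are only the System Restore backup copies discussed in this thread, or also files on the live system, can be read off the scanner report. The following is an added example, not part of any post above: it assumes a report exported as `path|threat name` lines (a hypothetical format) and the XP restore layout `_restore{GUID}\RP<n>\`; the GUID, paths and threat names are constructed.

```python
import re
from collections import defaultdict

# XP System Restore keeps backed-up files as
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<digits>.<ext>
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\",
    re.IGNORECASE,
)

# Constructed sample report (assumed "path|threat name" format, made-up values).
GUID = "{11111111-2222-3333-4444-555555555555}"
SVI = r"C:\System Volume Information\_restore" + GUID
SAMPLE_REPORT = [
    SVI + r"\RP12\A0004321.exe|Trojan.Constructed.A",
    SVI + r"\RP12\A0004322.dll|Adware.Constructed.B",
    SVI.lower() + r"\rp57\A0009876.exe|Trojan.Constructed.A",
    r"C:\WINDOWS\system32\constructed_sample.dll|Adware.Constructed.B",
]

def triage(lines):
    """Split detections into restore-point copies (grouped by RP<n>) and live files."""
    restore, live = defaultdict(list), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        path, _, threat = line.partition("|")
        match = RESTORE_RE.match(path)
        if match:
            restore[match.group(1).upper()].append((path, threat))
        else:
            live.append((path, threat))
    return dict(restore), live

def verdict(restore, live):
    """'live': clean the running system first, then purge restore points.
    'restore-only': purging restore points removes every detection.
    'clean': nothing was reported."""
    if live:
        return "live"
    return "restore-only" if restore else "clean"

if __name__ == "__main__":
    restore, live = triage(SAMPLE_REPORT)
    for rp, hits in sorted(restore.items()):
        print(f"{rp}: {len(hits)} backed-up detection(s)")
    print(f"live detections: {len(live)} -> verdict: {verdict(restore, live)}")
```

A "restore-only" verdict corresponds to the Disk Cleanup or disable/re-enable route described in the thread; a "live" verdict means the scan-and-clean steps come first, followed by purging the restore points.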
