Strange problem with System Volume Information folder

So NAV, all of a sudden, keeps detecting (and fixing) a trojan in
there. And everytime I try to access that folder to look in it I get
the old: "access denied" message.

Even though I have said SHOW hidden files, DO NOT Hide protected
operating system files (Recommended) ... still the system won't let me
in.

Anyone have any clues what's up?

THanks

SergioQ wrote:
So NAV, all of a sudden, keeps detecting (and fixing) a trojan in
there. And everytime I try to access that folder to look in it I
get the old: "access denied" message.

Even though I have said SHOW hidden files, DO NOT Hide protected
operating system files (Recommended) ... still the system won't let
me in.

Anyone have any clues what's up?

Turn off System Restore.
Reboot.
Turn on System Restore.

Scan with MalwareBytes (Full Scan.)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

On Nov 25, 2:32*am, "Shenan Stanley" wrote:

Turn off System Restore.
Reboot.
Turn on System Restore.

Scan with MalwareBytes (Full Scan.)

As we speak MalwareBytes is running, will take awhile. But after
turning off Sys Rest, rebooting (and confirming that the File View
options are set correctly) windows still won't let me look in that
folder.

That can't be right.

Also as a side note, I use Nortan Ghost...should I even bother turning
back on Windows Sys Rest? Anything it covers that Ghost doesn't?

THanks for your help so far.

SergioQ wrote:
On Nov 25, 2:32 am, "Shenan Stanley" wrote:

Turn off System Restore.
Reboot.
Turn on System Restore.

Scan with MalwareBytes (Full Scan.)

As we speak MalwareBytes is running, will take awhile. But after
turning off Sys Rest, rebooting (and confirming that the File View
options are set correctly) windows still won't let me look in that
folder.

That can't be right.

Yes, that is right, by default only the System account has access to
this folder. Use the CACLS command to grant yourself access to the folder:

cacls "c:\System Volume Information" /E /G "User Name":F

http://support.microsoft.com/kb/309531
How to gain access to the System Volume Information folder

John

On Nov 25, 6:51*am, SergioQ wrote:
On Nov 25, 2:32*am, "Shenan Stanley" wrote:

Turn off System Restore.
Reboot.
Turn on System Restore.

Scan with MalwareBytes (Full Scan.)

As we speak MalwareBytes is running, will take awhile. *But after
turning off Sys Rest, rebooting (and confirming that the File View
options are set correctly) windows still won't let me look in that
folder.

That can't be right.

Also as a side note, I use Nortan Ghost...should I even bother turning
back on Windows Sys Rest? * Anything it covers that Ghost doesn't?

THanks for your help so far.

If you don't already know, turning off/on SR will delete all your RPs,
and you will still not be able to access the SVI folder when you are
done with that (as you can see) and running MBAM will not grant you
access either.

If you have had a malicious software attach, it may be best to delete
all your RPs anyway since they may contain the affliction.

You are not "supposed" to access the SVI folder so there is nothing
wrong and it is right.

That is the way is is supposed to work. You will not access it using
the conventional methods in Explorer unless you circumvent recommended
settings, so it would be prudent to put things back when are done.
The settings are the way they are for a reason.

You can access the folder with cacls if you are compelled to do so (as
indicated) but once you get there, what will you do? You would
probably want to be sure to uncacls your system when you are done so
some mistake doesn't happen later.

Since you have NAV installed, trying to use SR to restore to a
previous point is likely to fail anyway (try it), so you might also
want to read this:

http://service1.symantec.com/SUPPORT...05113009323013

If you think you might ever want to use SR, make yourself a RP, reboot
and then restore to that last RP just to make sure the mechanism works
and you understand the process (aka practice).

On Nov 25, 6:03*am, Jose wrote:

If you think you might ever want to use SR, make yourself a RP, reboot
and then restore to that last RP just to make sure the mechanism works
and you understand the process (aka practice).- Hide quoted text -

- Show quoted text -

Sorry if am confused, but using Norton GHOST, does it matter if I turn
off SR? I mean they're independent of each other, yes or no?

Thanks

On Nov 25, 1:53*pm, SergioQ wrote:
On Nov 25, 6:03*am, Jose wrote:



If you think you might ever want to use SR, make yourself a RP, reboot
and then restore to that last RP just to make sure the mechanism works
and you understand the process (aka practice).- Hide quoted text -

- Show quoted text -

Sorry if am confused, but using Norton GHOST, does it matter if I turn
off SR? *I mean they're independent of each other, yes or no?

Thanks

They are independent but do two different things.

You also said you have NAV which to me means Norton Anti Virus. A
typical installation of NAV will usually (by design) thwart attempts
to restore your system to an earlier date using the Windows System
Restore function. None of your RPs will work - infected or not.

NAV will not let you restore your system to an earlier date using even
a clean RP until you follow their directions in the provided link.

Folks will sometimes report "Help! SR is broken!", so the next
question (sometimes much later) is "Do you have NAV installed?" If
yes, the read this link:

http://service1.symantec.com/SUPPORT...05113009323013

That will probably not give relief to their probably infected system
though but it is something they can try, and SR might work now.

If NAV (or any other malicious software tool) says even one of your
RPs is infected, I would consider them all compromised, clean up your
system, whack all the old RPs, make a new (clean one), then attempt to
restore your system using the new RP just for the fun of it to test
the entire System Restore function from end to end and fix it if it
doesn't work.

If you want to use Ghost, that is fine. I would use both. However,
if you are going to put some faith in Ghost (or SR), you should really
test it to restore your system at least once to see if it really
works. It may appear to be Ghosting just fine, but have you ever
tried to use it? Could be surprising.

If SR or Ghost doesn't work the way you expect, it would be better to
find out before you really need it.

On Nov 25, 1:53*pm, SergioQ wrote:
On Nov 25, 6:03*am, Jose wrote:



If you think you might ever want to use SR, make yourself a RP, reboot
and then restore to that last RP just to make sure the mechanism works
and you understand the process (aka practice).- Hide quoted text -

- Show quoted text -

Sorry if am confused, but using Norton GHOST, does it matter if I turn
off SR? *I mean they're independent of each other, yes or no?

Thanks

....the day you need it is not the day to find out it doesn't work

On Nov 25, 3:55*pm, Jose wrote:

...the day you need it is not the day to find out it doesn't work

The day I bought Ghost, I also bought an identical HD and made sure
that it worked.

But this infected SRP is still buggin me. Came out of the blue, I ran
the MalwareBytes advice above, it found no threat, etc.

If I have SR OFF...why can't I get into that volume?

On Nov 25, 4:38*am, John John - MVP wrote:

Yes, that is right, by default only the System account has access to
this folder. *Use the CACLS command to grant yourself access to the folder:

cacls "c:\System Volume Information" /E /G "User Name":F

I tried it and got:

No mapping between account names and security IDs was done.

And yes, used the right drive letter and the current user name.. tried
with the username in quotes and without.

Any thoughts?

SergioQ wrote:

If I have SR OFF...why can't I get into that volume?

You do not have the necessary permission for your account (ACL) to gain
access to the folder.

I believe John John has already given you this information.

How to gain access to the System Volume Information folder
http://support.microsoft.com/kb/309531/en-us


--
William Crawford

SergioQ wrote:
On Nov 25, 4:38 am, John John - MVP wrote:

Yes, that is right, by default only the System account has access to
this folder. Use the CACLS command to grant yourself access to the folder:

cacls "c:\System Volume Information" /E /G "User Name":F

I tried it and got:

No mapping between account names and security IDs was done.

And yes, used the right drive letter and the current user name.. tried
with the username in quotes and without.

Any thoughts?

Try the other methods he

http://support.microsoft.com/kb/309531
How to gain access to the System Volume Information folder

John

John John - MVP wrote:
SergioQ wrote:
On Nov 25, 4:38 am, John John - MVP wrote:

Yes, that is right, by default only the System account has access to
this folder. Use the CACLS command to grant yourself access to the
folder:

cacls "c:\System Volume Information" /E /G "User Name":F

I tried it and got:

No mapping between account names and security IDs was done.

And yes, used the right drive letter and the current user name.. tried
with the username in quotes and without.

Any thoughts?

Try the other methods he

http://support.microsoft.com/kb/309531
How to gain access to the System Volume Information folder

John

And he still can't resolve the trojan issue by gaing access, another
solution is to simply to turn OFF (and then later back on) System Restore,
to start afresh. THAT will, of course, delete the prior System Restore
points, and start clean from there.

SergioQ wrote:
So NAV, all of a sudden, keeps detecting (and fixing) a trojan in
there. And everytime I try to access that folder to look in it I
get the old: "access denied" message.

Even though I have said SHOW hidden files, DO NOT Hide protected
operating system files (Recommended) ... still the system won't let
me in.

Anyone have any clues what's up?

Shenan Stanley wrote:
Turn off System Restore.
Reboot.
Turn on System Restore.

Scan with MalwareBytes (Full Scan.)

SergioQ wrote:
As we speak MalwareBytes is running, will take awhile. But after
turning off Sys Rest, rebooting (and confirming that the File View
options are set correctly) windows still won't let me look in that
folder.

That can't be right.

Also as a side note, I use Nortan Ghost...should I even bother
turning back on Windows Sys Rest? Anything it covers that Ghost
doesn't?

THanks for your help so far.

That *is* right. The System Volume folder is for holding system restore
points. You have no need to gain access to these files and even if you had
full access (which is possible just by taking ownership/changing
permissions) - your AV software will be unable to actually clean the files
inside the system restore points.

By having you turn off System Restore and reboot - you lost all the restore
points and thus the corrupted/infested/infected files you were finding
inside the images. The bad side effect is that you cannot use those to
restore the system files to an earlier point - but since some of the earlier
points were infested/infected - my contention is you would not have wanted
to use those anyway. ;-)

The MalwareBytes scan I suggested was to better ensure you were clean of
malware infestations.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

I believe John John has already given you this information.

How to gain access to the System Volume Information folderhttp://support.microsoft.com/kb/309531/en-us

I could be wrong but thought I mentioned that this did not work for
me. it's the simplest method, and went no where