OldOzzi51

What do I need to do to enable SAS to delete a trojan from System Volume Information Folder?


SAS detects Trojan.Agent/Gen-FakeAlert in the System Volume Information Folder but it is unable to delete it. The OS is Windows 7 Home Premium. The SAS program says that the infected file is quarantined but even if I delete this from quarantine the Trojan is still detected if the folder is scanned again. I have turned off system protection for the drive but SAS is still unable to delete this Trojan from this folder. I have tried to access the folder so that I can manually delete this .dll file but I have been unable to open the folder. I have searched the net and I have tried all the suggested methods for opening this folder, including the C:\>cacls “c:\system volume information” /E /G username:F command in cmd.exe. However I still receive the message “access denied”. Can someone advise me either how to open the System Volume Information Folder or what to do so that SAS can access this folder?


When you turned off System Protection for the drive in question, did you also click on 'Configure' and then on 'Delete'? Apparently, if you do that it deletes all restore points, which includes system settings and previous versions of files. This should get rid of everything currently in the SVI folder. You should then reboot, turn System Protection back on and create a new restore point. I'm not sure that SAS could get into the SVI folder anyway.


Thank you Madeline for your suggestion but yes I have done this. My understanding of Windows 7 though is that it deletes all but the last restore point so doing this will always leave one. Thus the trojan remains. This is why I wanted to try and manually delete all restore points but I am still unable to open the folder. Is the only solution to reformat and re-install windows?


OldOzzi51,

You will not be able to delete all restore points, as Windows will always keep at least one (sometimes hidden from view and usually the most recent) for security reasons.

Is this on an external drive?

What tips other than cacls have you tried?


Sorry to disagree with both of you, but what I said in post #2 should delete all restore points. Have a look at the following 2 links, which both say much the same thing:

From Microsoft:

http://windows.microsoft.com/en-GB/windows7/Delete-a-restore-point

The above site shows you

1. How to delete all restore points

2. How to delete all but the most recent restore point

From Windows 7 Forums:

http://www.sevenforums.com/tutorials/336-system-protection-restore-points-delete.html

This site gives the same details as the 1st link.


I forgot to say that the 2nd link gives a couple more possibilities - CCleaner and System Restore Explorer. There are links to both on the site.


Thank you for your interest GuiltySpark. No, this is not an external drive that is infected. I'm sorry but I can't remember all of the methods that I have tried to open the SVI folder. All I know is that after Googling "how to open System Volume Information folder in Windows 7" I have tried every suggested method that I could find. However none were successful.


Thank you for your continued help, Madeline. Whether the methods discussed remove all of the restore points or not, I have tried ALL the methods offered, including using CCleaner and System Restore Explorer, and none of them remove the infected restore.dll file. Every time I run SAS it detects a restore.dll file infected with Trojan.Agent/Gen-FakeAlert.


I'm sorry that I couldn't be more helpful - this certainly seems to be an intractable problem at the moment. I don't know what else to suggest other than going to SAS Customer Service and Product Support:

https://www.superantispyware.com/support.html

You can also get there by clicking the link in the SAS program.

I hope that you find a solution soon.


@OldOzzi51,

What AV do you use?

Does it pick up the same file/issue?

If not, it could just be a FP.


Thank you for your continued help, GuiltySpark. I use MS Security Essentials and neither this nor Malwarebytes detects any infection. I suspected it may be a false positive and so I used the SAS link to report it as a suspected FP. That was 5 days ago and I have received no feedback from them, and the SAS program continues to detect it, and so I assume it wasn’t a FP.


You could always send SASCS a private message, maybe they can pass it on to the right people and you'll get your answer.


Thank you Madeline and GuiltySpark for your assistance and concern. After talking to Michael at customer service I discovered that the SAS program that was installed was a version that was no longer supported. Uninstalling this and installing the latest version confirmed that the problem was indeed a false positive. What surprised me was that I had never received advice from SAS that either there was a newer version of the program available or that the version I was using was no longer supported. I would always click the update button before scanning but I never received a message other than one confirming that my database was up to date, which, as it turned out, was actually incorrect. I'm still none the wiser as to how to open the SVI folder but now this is immaterial.

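The two practical problems in this thread, getting read access to the System Volume Information folder (the cacls attempt in the first post) and establishing whether a file flagged there is a false positive (the resolution above), can both be handled from an elevated PowerShell prompt without deleting any restore points. The script below is an added example, not code from the thread or from SuperAntiSpyware; it assumes the system drive is C:, that it is run "as administrator" on Windows 7 (PowerShell 2.0, so Get-FileHash is not available and .NET is used instead), and it uses icacls, the supported successor of cacls.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell on Windows 7+.
# Assumption: system drive is C:. Nothing here deletes restore points or files.

$svi = 'C:\System Volume Information'

# 1. List the restore points so you can see which one Windows keeps after a
#    "delete all" operation (the built-in cmdlet is available on Windows 7).
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, CreationTime, RestorePointType |
    Format-Table -AutoSize

# 2. Grant the local Administrators group read/list access to the SVI folder.
#    By default only SYSTEM has access, which is why cacls from a normal prompt
#    returns "access denied". (OI)(CI) make the grant inherit to files/subfolders;
#    /t recurses. Errors on in-use shadow-copy files are expected and harmless.
icacls $svi /grant 'BUILTIN\Administrators:(OI)(CI)R' /t

# 3. Hash every DLL now visible so a flagged sample (e.g. the restore.dll named
#    above) can be compared across scanners or submitted to the vendor as a
#    suspected false positive. SHA-256 via .NET works on PowerShell 2.0.
$sha = New-Object System.Security.Cryptography.SHA256Managed
Get-ChildItem -Path $svi -Recurse -Filter *.dll -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $bytes  = [System.IO.File]::ReadAllBytes($_.FullName)
        $digest = [System.BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
        New-Object PSObject -Property @{
            Path   = $_.FullName
            Size   = $_.Length
            SHA256 = $digest
        }
    } | Format-Table Path, Size, SHA256 -AutoSize

# 4. When finished, remove the extra ACL entry so the folder is SYSTEM-only again.
icacls $svi /remove:g 'BUILTIN\Administrators' /t
```

Run step 3 with and without the current scanner's definition update applied; an unchanged hash that stops being detected after the update is the same false-positive pattern the thread ends with.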

When you turned off System Protection for the drive in question, did you also click on 'Configure' and then on 'Delete'? Apparently, if you do that it deletes all restore points, which includes system settings and previous versions of files. This should get rid of everything currently in the SVI folder. You should then reboot, turn System Protection back on and create a new restore point. I'm not sure that SAS could get into the SVI folder anyway.

Madeline,

In your post that I quoted above, you said, "I'm not sure that SAS could get into the SVI folder anyway."

I'm not sure why you would say that, but SAS is set by default to scan the System Restore/Volume Information folders, so obviously it can get into those folders.
