Cannot Remove Trojan Win32:Trojan-gen from "System Volume Information"

Hi! Can anyone help me? Avast has picked up the Win32:Adware-gen virus in the “System Volume Information” folder. However, regardless of whether I scan in safe mode, in a boot-time scan or just within normal Windows XP, AVAST reports that it cannot delete, move or rename the file.

The file location is

C:\System Volume Information\restore{07AAAC-1E84-4982-B148-C6D063D1AA98\A0003837.msi\icon.icon.exe

The error message is
The Operation is not supported for this type of Archive
Cannt process "C:\System Volume Information\restore{07AAAC-1E84-4982-B148-C6D063D1AA98\A0003837.msi\icon.icon.exe "

I have tried turning off “system restore” and again, the file seems to be protected from deletion or moving to the chest. I have also scanned with Malware Bytes and SUPERAntispyware. Neither was successful in picking up the icon.icon.exe file.
Guys, I would be grateful for your help… but unfortunately now… I must sleep. It’s 12.30 am. I’ll pick it up tomorrow.

hi… try a complete scan with dr.web cureit …

To clean System Restore:

Create a clean restore point then delete all previous infected restore points

The problem comes from avast can’t extract the suspect icon.icon.exe from within the .msi installation archive that is the actual restore point. The only thing you could do would be to remove the complete restore point, but avast doesn’t take that action.

So your best bet is to do as FWF suggests: create a clean restore point, deleting previous restore points.

Dear DavidR, FreewheelinFrank and Thathagat
Many thanks for your help. Unfortunately I work as an engineer in the mining industry and get called away for days at a time.
If you stick with me I will try your suggestions over the next couple of days and post the outcome.

FWF & DavidR: I previously tried to create a clean restore point by switching restore on and off, but it seems as if the virus continues to establish itself in
C:\System Volume Information\restore{07AAAC-1E84-4982-B148-C6D063D1AA98\A0003837.msi\icon.icon.exe

However I will try again and follow the instructions closely. A couple of questions

  1. I presume I should try to create the clean restore points in Safe Mode? Yes / No?
  2. I see in your info on “Create a clean restore point” that I can change my access permission to “System Volume Information” and thereby delete stuff. Do you know if it’s safe to delete "C:\System Volume Information\restore{07AAAC-1E84-4982-B148-C6D063D1AA98\A0003837.msi\icon.icon.exe " ?

Cheers, Shorty08

It might be worth checking out this link and trying the removal tool:

Though avast is normally able to remove infected restore points, and the only reason it can’t is, as I said before, it can’t extract a file from within an installation archive (the A0003837.msi which is the actual restore point file).

The virus isn’t continuing to establish itself in the System Volume Information folder (it is a protected area), and the restore point has the same identity number, as does the file that comprises the restore point, A0003837.msi; if this was recreated, both of these would be different. I believe it is simply because you didn’t clear the restore points or the action failed.

You don’t have to be in safe mode to create a clean restore point.

I don’t know the steps you took or if you followed the info on FWF’s links so I will reproduce the steps again.

Create Clean Restore Point - Clear old Restore Points.

To create a clean System Restore point:

  1. Click Start, All Programs, Accessories, System tools, System Restore.
  2. In the pop-up that appears fill in the radio button to Create a Restore Point
  3. Click NEXT
  4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
  5. Click CREATE

You now have a clean restore point, you should clear the old ones:

  1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
  2. Click OK on the C: drive
  3. Click the More Options tab
  4. In the System Restore section click the Clean Up button

Hi DavidR
I followed your instructions but Avast still detects this file
“C:\System Volume Information_restore{075FAAAC-1E84-4982-B148-C6D063D1AA98}\RP34\A0003861.msi\Icon.Icon.exe”

Does this make any sense to you? - SHORTY08

So let’s get this right, you have previously disabled system restore (on all drives) and enabled it again, and that didn’t clear ALL restore points?

I don’t know if you threw in a reboot between disabling system restore and re-enabling it, but that is what I usually recommend, though some say a reboot isn’t required, personally I feel it is better to do this as I haven’t seen that fail to clear ALL restore points.

So basically there is something wrong with system restore if both methods failed to remove either ALL or Old restore points, unfortunately outside of these options I’m not sure what else to suggest.

Were you logged on to an account with administrator privileges when you were trying these options ?

It is possible to manually go into System Volume Information and delete the {075FAAAC-1E84-4982-B148-C6D063D1AA98}\RP34\A0003861.msi restore point.

I never was any good at cryptic crosswords, so I haven’t got a clue what your question relates to, the contents of the post or your SHORTY08.

Hi DavidR
Finally cracked it. Thanks so much for your help…although the final answer was a bit unexpected. I am sure you would like to know the outcome.

After reading your last remarks I checked my user status : Yes I’m the Administrator.

Next : As you say, it appeared that the restore points containing virus remained. So I finally decided to alter my access permission and look on the inside of the system volume information folder. I did this with the help of the Microsoft support page
“How to gain access to the System Volume Information folder”;en-us;q309531

I had to use the DOS based cacls command (see MS page) as I operate under Windows XP-Home edition.

At that point the problem became clear. There were 2 system restore folders with a date of 30/5/08 that seemed to be unaffected when “System Restore” was switched off. So you were correct. There was something wrong. System Restore should have been able to remove all old restore points but for some reason didn’t seem to recognise the ones dated 30/5/08.

The virus files were obviously dormant and not normally scanned when the SVI (System Volume Information) folder was hidden. I only picked them up when I had a Trojan infection (easily removed) and then wrongly thought that these old restore points were part of the same problem. I run a RAID 0 system which failed in May and was rebuilt by a friend. I suspect the “invisibility” of those restore points dated 30/5/08 had something to do with that rebuild.

In any case , I was able to delete the restore points manually in explorer and then change permissions back with the DOS command

cacls "driveletter:\System Volume Information" /E /R username

I am now completely free of the virus and have learnt something about system restore.

So once again, thank you for your help. I would not have been able to do it without you. Also many thanks to others who have contributed.

Best Regards JeffB (aka SHORTY08) Australia
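An added example, not from any poster in this thread, that scripts the inspection JeffB did by hand: it grants the current account access to System Volume Information with the cacls edit-ACL flags from the Microsoft KB he cites, lists every restore-point folder with its date so the stale ones that survived the System Restore reset stand out, and then revokes the access again exactly as in his closing command. It assumes an Administrator account on Windows XP Home with an NTFS drive; DRIVE is a placeholder and nothing is deleted.

```batch
@echo off
rem Added example (not the thread's own commands). Assumes Windows XP Home,
rem an Administrator account, and an NTFS system drive; DRIVE is a placeholder.
setlocal
set DRIVE=C:
set SVI=%DRIVE%\System Volume Information

rem 1. Grant this account full control, editing the ACL (/E) rather than
rem    replacing it, as in the KB "How to gain access to the System Volume
rem    Information folder" the poster followed.
cacls "%SVI%" /E /G %USERNAME%:F
if errorlevel 1 (
  echo Could not change permissions on "%SVI%" - run from an Administrator account.
  goto :cleanup
)

rem 2. Walk each _restore{GUID} directory and print every RP folder with
rem    its timestamp (%%~tP), so restore points older than the last
rem    "disable / re-enable System Restore" reset are easy to spot.
for /d %%R in ("%SVI%\_restore*") do (
  echo Restore directory: %%~nxR
  for /d %%P in ("%%R\RP*") do (
    echo   %%~tP   %%~nxP
  )
)

rem 3. A stale RP folder would be deleted by hand from here (the poster used
rem    Explorer); a scripted "rd /s /q" is deliberately left out of this example.

:cleanup
rem 4. Revoke the access again, exactly the command quoted in the thread.
cacls "%SVI%" /E /R %USERNAME%
endlocal
```

Restore point folders are numbered RP1, RP2, ... and their timestamps, not their numbers, are what reveal the ones that should have been cleared; compare the listed dates with the date of the clean restore point you created.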

You’re welcome, I’m glad that you finally cracked it and thanks for the feedback, hopefully it might help others.

I have system restore completely disabled on my system as I don’t have confidence that it will work as expected when the chips are down. But you can’t just disable it and not take action to replace it with something more reliable/predictable, so if need be you can recover (roll back) from a problem. For that I use a hard disk imaging tool, Drive Image 7.1 (no longer available), but there are other tools: Acronis True Image, Ghost, etc.

Whilst certain RAID configurations give redundancy protection, they do have a slight flaw in that it is an exact copy that potentially would have the same problem on the 2nd RAID drive.