Hybris worm in "System volume information..."

New user of trial Pro version running XP Pro SP1 with critical patches applied.

I have received 8 (so far) warnings about the Win32:Hybris worm being in files that are all C:\System Volume Information_restore{…

This really doesn’t make a lot of sense to me.
So far I’ve taken comfort that they seem to be in RESTORE-related data, giving me hope that as long as I don’t need to restore I shouldn’t have any problem.

The question is: Does this make any sense and what am I supposed to do for these cases?

Just disable the System Restore feature (Control Panel > System > System Restore), click Apply and afterwards enable it again.

This will delete the restore points (and with one of them, the infection) and enable it again. You don’t even have to reboot between the disable/enable operations 8)

Thanks, and I will do that.

But does it make sense that these would even be “infected”, especially given that no other file has been reported (one would assume that something ELSE would have to have messed with these), nor have I knowingly had any infections ever on my system?
The full scan done first time only reported these and no others.

I’m not an expert on virus infection… Maybe you should ask whocares, raman or anybody from the Alwil team. You can be lucky to have just one file infected… Maybe the virus, knowing that, infects only files in that folder :stuck_out_tongue:

Other possibility, automatic actions took place while you were running the antivirus (Silent Mode?)

It is just the way some files are encoded in that folder that is causing this. And you do need to reboot after disabling System Restore before all changes take effect.

Hi Eddy,

If I understand you correctly you are saying that most likely these files are NOT “infected”, but the information they are storing and how they store it causes them to look like they are infected. Is that correct?

I just had another such warning 5 minutes ago, even though my VRDB went through all files overnight last night. AND I haven’t had any cause for a new restore point to have been written (though possibly Avast! has, since it auto-downloaded a new file today).
NOTE: I have not yet deleted the restore points because I want to observe more first.

The system restore alarms are generally not false positives. They mean that historically, your computer hit the worm (doesn’t really mean the computer was ever infected, it can e.g. mean that you have received an email with an attachment infected by this worm).

The reason the System Restore files are hard to access is that by default, Windows sets quite strict access rights to the folder. Namely, even the Administrator cannot read the data in the folder. This may sound strange but that’s the fact. The reason avast on-access scanner can access the folder is that it uses low-level APIs and system process context for file access.

What you can also do is right click the System Volume Information folder in Explorer, and edit its ACL (Access Control List) - ie. the thing on the Security tab. Simply grant access to the folder to your account. You will then be able to see the contents of the folder (and so the avast on-demand scanner will).

Hope this clears it a bit,
Vlk
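The two pieces of advice above (purge the restore points by disabling and re-enabling System Restore, and widen the ACL on System Volume Information so an on-demand scanner can read it) can be scripted. The following is an added example and not from this thread or from Alwil; it assumes a current Windows 10/11 machine with Windows PowerShell 5.1 run from an elevated prompt, since PowerShell and these cmdlets did not exist on XP SP1. The drive letter, the read-only grant, and the decision to remove the grant again afterwards are choices made here, not anything the thread prescribes.

```powershell
# Added example (not from the thread). Assumes Windows 10/11, Windows PowerShell 5.1,
# elevated session. Drive letter and the access level granted are assumptions.
$svi   = 'C:\System Volume Information'
$drive = 'C:\'
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# 1. Show the default ACL. Only NT AUTHORITY\SYSTEM is listed, which is why a scan
#    running in the Administrator's own context cannot enumerate the folder while an
#    on-access driver working in system context can.
icacls $svi

# 2. Grant this account read/execute on the folder and everything below it
#    ((OI)(CI) = inherit to files and subfolders), mirroring the Security-tab edit.
icacls $svi /grant "${me}:(OI)(CI)RX"

# 3. Now the restore data is visible to user-context tools, including an on-demand scan.
Get-ChildItem -LiteralPath $svi -Force -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# 4. Purge the restore points. Disabling System Restore on the volume deletes every
#    restore point on it (including any that hold a detected file); re-enabling it
#    starts from a clean slate. Taking a fresh checkpoint is optional.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore  -Drive $drive
Checkpoint-Computer -Description 'Clean baseline after purging old restore points'

# 5. Put the tight default back. Leaving the folder readable to an ordinary account
#    exposes volume shadow copy data to anything running as that account.
icacls $svi /remove:g $me
icacls $svi
```

Step 4 is the part that actually removes the detections; step 2 only makes the folder visible so a scan can confirm what the on-access scanner reported. Step 5 matters because the shadow copy data under this folder contains old copies of user files, which is exactly the kind of material an attacker with a foothold in the user's context would like to read.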

Namely, even the Administrator cannot read the data in the folder.
A little correction/addition. You can access the folder if you want. HERE (http://www.tweakxp.com/tweak2086.aspx) is how to do it.

Correction/addition? This is exactly the procedure that I posted, right? :slight_smile:

even the Administrator cannot read the data in the folder
Was just correcting that part. It is possible to read/view the data. But we are on the same line here Vlk ;)

I blame it on the fact that neither of our natural language is English. ;D

Thank you BOTH, Eddy and Vlk!

I have lots of trouble with English myself and it’s my native language!

I think virtually everyone here does a fantastic job with the English language, all things considered.

cheers

PS to Technical: The author of MONTAGE will soon, I anticipate, supply some information HERE about the program.

I just went to the System Restore dialog to delete the entries.
But, to my great surprise, I found that there were NO “restore points” recorded for today.
This has me perplexed to the extreme because the reason I went there was because I had just received ANOTHER ALARM about a virus and again it was a restore file!?

I’d like to understand what is going on here… there was no restore point created today yet 20 minutes ago I got another warning. What would have made Avast! even look at that file?? ESPECIALLY since I let the system run overnight to create a VRDB (which I assume looks at EVERYTHING and which did in fact wake me 3 times with alarms).

I’m delighted to protect my system but this situation really has me asking what is going on???

Is there somewhere that documents WHEN the system does its determinations? Is there somewhere that might explain why I am seeing this?
I know there are explanations above, but these relate to the virus and not to what is GOING ON.
I simply do not believe that what are being reported are viruses/worms given the actions that have occurred on my system vis-a-vis Avast!

Any help appreciated

Thanks… I’m anxious for that :wink:

Jimn, I suggest to browse and search on Microsoft webpages…
Anyway, neither Windows nor System Restore is deterministic software 8)
Welcome to Windowsland ;D

If you want a real System Restore, try Symantec GoBack Deluxe :wink:

Hi Technical,

Searching MS will not tell me what Avast! is doing with these files and when it is doing it.

I just got another alarm. This time, when I looked at the log, I expanded it so that I could see the full file name. Turns out the more recent warnings were all for PREVIOUSLY WARNED ABOUT files where I had told Avast! to rename the file (seemed the safest alternative at the time).

The last warning in fact, after I told it to rename, has a name ending in .vir.vir! I assume you know that Avast!, when “Rename” is specified as the action on an alarm, adds the suffix “.vir” to the end.

Given that Avast! has a log it might be VERY HELPFUL if it checked the log first before issuing SOME alarms. Specifically in the case of a file name ending in “.vir” it seems logical that it could forego warning again. And certainly renaming “.vir” to “.vir.vir” seems a bit odd.

Windowsland is almost Wonderland except that a whole lot of people are getting very wealthy because of Windows < s >

As regards System Restore, it’s not that I want/need a better one, but that Avast! is looking at its files when it seems there is no real need to be doing so. I’d like to understand the timing of these warnings as well as their cause.

I’m NOT “blaming” Avast! for anything, just wanting to understand it AND avoid unnecessary alarms.

Well… this is not a bug, it’s a feature. :slight_smile:

Rename is just rename. If you want to move it from the system but still keep the file, that’s what Move To Chest is for. It removes the file with the possibility to put it back later.

Cheers,
Vlk

Fair enough about rename.

Do you know why Avast! is looking at those files AGAIN when they are not even “active” and have not been all day?

Because the System Restore service is touching them. Unless you disable system restore, the service will access them (you can use FileMon http://www.sysinternals.com/ntw2k/source/filemon.shtml to find out which process when accesses which file(s)).

Thanks
Vlk
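Vlk's suggestion to use FileMon to see which process is touching the renamed files can be reproduced with its successor, Sysinternals Process Monitor, driven from its command line and filtered in PowerShell. This is an added example, not from the thread or from Alwil; it assumes a current Windows machine, an elevated Windows PowerShell 5.1 session, procmon.exe present in the current directory, and a two-minute capture window. The file names and the capture length are assumptions.

```powershell
# Added example (not from the thread). Assumes Sysinternals Process Monitor (procmon.exe,
# the successor to FileMon) in the current directory and an elevated PowerShell 5.1
# session. Trace paths and the 120-second window are assumptions.
$svi   = 'C:\System Volume Information'
$trace = Join-Path $env:TEMP 'svi-trace.pml'
$csv   = Join-Path $env:TEMP 'svi-trace.csv'

# 1. Capture unattended for two minutes, then stop the tracing instance.
#    /Quiet suppresses the filter dialog, /BackingFile writes the log to disk.
Start-Process .\procmon.exe -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$trace`""
Start-Sleep -Seconds 120
Start-Process .\procmon.exe -ArgumentList '/Terminate' -Wait

# 2. Convert the native log to CSV so it can be queried without the GUI.
Start-Process .\procmon.exe -ArgumentList '/OpenLog', "`"$trace`"", '/SaveAs', "`"$csv`"" -Wait

# 3. Which processes touched the restore data, with which operations, how often?
#    This answers the question above: a scanner that hooks file access only sees the
#    file when something (here, typically the System Restore service) opens it.
$hits = Import-Csv $csv | Where-Object { $_.Path -like "$svi*" }

$hits |
    Group-Object 'Process Name', Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. Per-file view: the last process to open each file under the folder, so a
#    repeated alarm on one specific (already renamed) file can be tied to a process.
$hits |
    Group-Object Path |
    ForEach-Object {
        $last = $_.Group | Select-Object -Last 1
        [pscustomobject]@{
            Path        = $_.Name
            Accesses    = $_.Count
            LastProcess = $last.'Process Name'
            LastPID     = $last.PID
            LastOp      = $last.Operation
        }
    } |
    Sort-Object Accesses -Descending |
    Format-Table -AutoSize
```

If the only process in the output is the System Restore service itself, the repeated alarms are the on-access scanner reacting to that service re-reading the stored copies, not to anything executing them; the remedy is then the restore-point purge discussed earlier, not further renaming.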

Amazing what Windows will do when you aren’t looking!

I caught Windows doing something else that is very aggravating. Since Win2000 apparently it will do an auto-defrag every 3 days or so if there is idle time observed! Since the applications I write benefit from fragmentation, this is a real PITA. There is no notification of this at all and worse there is no way to turn it off!

Thanks