Deleting System Volume Information (or files inside the folder)?

Discussion in 'Windows 7' started by Ra1d, Aug 22, 2011.

  1. Ra1d

    Ra1d MDL Novice

    Aug 26, 2009
    31
    0
    0
    #1 Ra1d, Aug 22, 2011
    Last edited: Aug 22, 2011
    Hello,

    Today, I foolishly downloaded a program that contained infected files, and when I ran it, it spread lots of infected files in my System Volume Information folder. I did a full scan with my Kaspersky, which detected around 47 of them and deleted them.

    But after the scan I entered the folder and still found some random .exe files that start with A004. It's on my disk "D", which contains only games, music and videos, so I won't die if something happens to my files on that partition.

    I searched a lot. I found a way to enter the folder, but I couldn't find a way to delete it or the files inside. System Restore is disabled for that partition.

    I tried some commands that I found, but still no use.

    Even tried that program which unlocks/forcibly deletes files,but no luck.

    Any help would be appreciated.

    Thanks.

     
  2. evlad

    evlad MDL Member

    May 23, 2011
    225
    175
    10
    System Volume Information is a system folder. It contains all system backups and restore points. Don't worry, you lose only the backup of the previous state of your system (because it contains the virus).

    You can empty this folder with a live distribution of Linux/WinPE ...
     
  3. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    846
    215
    30
    you can delete anything in this folder at any time providing you have the necessary permissions.

    right click the folder, go to security and click add, then type your user name and check full control, then apply. this should give you full control--not ownership which is absolutely never necessary and hardly ever works as intended regardless of all the useless tutorials on how to do so. the problem is system will always re-take ownership because it has the permission to change owner and permissions...

    after you have full control you should be able to delete any file in the folder. if not do the same thing for each file and then delete it. if that doesn't work because the exe is in use, then make sure and terminate the process that's using it or it itself and then delete.

    peace
     
  4. Ra1d

    Ra1d MDL Novice

    Aug 26, 2009
    31
    0
    0
    I have full control over the folder, and I tried taking full control of the files inside separately, and still when I press "Delete" nothing happens... ;/
     
  5. 60cent

    60cent MDL Senior Member

    May 31, 2011
    437
    514
    10
    #5 60cent, Aug 22, 2011
    Last edited: Aug 22, 2011
    Have you tried restarting your pc and then deleting this folder?
    Normally when you enter safe mode it can be deleted
     
  6. Ra1d

    Ra1d MDL Novice

    Aug 26, 2009
    31
    0
    0
    Tried in safe mode, doesn't work ;o
     
  7. 60cent

    60cent MDL Senior Member

    May 31, 2011
    437
    514
    10
    #7 60cent, Aug 22, 2011
    Last edited: Aug 22, 2011
  8. evlad

    evlad MDL Member

    May 23, 2011
    225
    175
    10
    #8 evlad, Aug 22, 2011
    Last edited: Aug 22, 2011
    if you boot your computer from local hdd:
    you can delete system volume information only if your file system is fat32, if it is ntfs you can't do this !!!
    you must boot system from different location (cd/dvd/usb) and then you can delete those files.

    or
    1. disable system restore (monitoring drive)
    2. restart
    3. check status of system restore (monitoring drive off)
    4. take ownership and full access
    5. delete
     
  9. Ra1d

    Ra1d MDL Novice

    Aug 26, 2009
    31
    0
    0
    I have NTFS :/

    @nero100, I don't want to reformat, although I will probably do that as my last option.

    Tried a few tools to get rid of the files, like ComboFix, and still nothing...
     
  10. evlad

    evlad MDL Member

    May 23, 2011
    225
    175
    10
  11. 60cent

    60cent MDL Senior Member

    May 31, 2011
    437
    514
    10
    Sorry to hear that, but if you don't find any program you will have to format.
    Look for some more programs, but I doubt they will help.
     
  12. Ra1d

    Ra1d MDL Novice

    Aug 26, 2009
    31
    0
    0
  13. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    846
    215
    30
    well, sounds to me like you should go back to the first response and delete the folder from a live cd. the system will re-create it next boot.

    i would run a scan with Malwarebytes' and maybe another spyware program just to be sure you are really "disinfected"
     
  14. Ra1d

    Ra1d MDL Novice

    Aug 26, 2009
    31
    0
    0
    Yeah, I did a scan with Spybot S&D (found 317 threat level 1 and 5 infected files) and Malwarebytes (found 3 trusted objects), and downloaded WinPatrol and SpywareBlaster to increase security, as they are highly suggested.
     
  15. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    846
    215
    30
    and let me guess the files are now gone and/or can be deleted?

    i wouldn't install any of those programs honestly. i've used them and they are worthless compared to spybot and malwarebytes' and any good AV such as Avira or Avast. i have spybot installed and rarely use it. and by rarely i mean i only use it to "immunize" my browsers and host file. Avira will not let you download anything that has any type of questionable content (whether good or bad) if you have heuristics set on high (that is unless the file/archive is password protected, in which case it can't be scanned of course).

    no need for those programs you mentioned eating up resources. best policy is to stay away from questionable sites and "unknown" uploaders. though i know it's hard, it's the best way to stay clean. use malwarebytes' and spybot in emergencies and let your free (or paid if you feel necessary which i don't ever think it is) AV program do the realtime and snoop work unless you suspect it missed something, ie. high cpu usage at idle...
     
  16. Ra1d

    Ra1d MDL Novice

    Aug 26, 2009
    31
    0
    0
    I'm usually careful, this s**t happened accidentally, you can say ;o

    And the files that were in the System Volume Information are still there and still can't be deleted xD, so I assume they're supposed to be there.
    I dunno, some people suggested and said that WinPatrol and SpywareBlaster sometimes managed to detect something their other security programs couldn't detect...
     
  17. urie

    urie Moderator
    Staff Member

    May 21, 2007
    9,039
    3,388
    300
    #17 urie, Aug 23, 2011
    Last edited by a moderator: Apr 20, 2017
    you can try takeownership

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\*\shell\runas]
    @="Take Ownership"
    "NoWorkingDirectory"=""
    
    [HKEY_CLASSES_ROOT\*\shell\runas\command]
    @="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
    "IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
    
    [HKEY_CLASSES_ROOT\Directory\shell\runas]
    @="Take Ownership"
    "NoWorkingDirectory"=""
    
    [HKEY_CLASSES_ROOT\Directory\shell\runas\command]
    @="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
    "IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
    Save as: InstallTakeOwnership.reg

    Code:
    Windows Registry Editor Version 5.00
    
    
    [-HKEY_CLASSES_ROOT\*\shell\runas]
    
    [-HKEY_CLASSES_ROOT\Directory\shell\runas]
    Save as: RemoveTakeOwnership.reg

    Personally I would boot from a live CD to delete those files, as already stated.
     
  18. Ra1d

    Ra1d MDL Novice

    Aug 26, 2009
    31
    0
    0
    I took ownership already, it still won't let me delete. I even took ownership of the files inside it separately, and it still won't let me.
    And I don't know how to delete them using the Live CD... xD
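
The live-CD route recommended several times in the thread, as an added example that is not part of any post: a script for a Linux live system that records SHA-256 hashes of the leftover executables and then empties the folder. It assumes the NTFS partition is already mounted read-write with ntfs-3g; the device name, mount point, script name and function names are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Run from a Linux live system after
# mounting the NTFS data partition read-write, for instance:
#   sudo mount -t ntfs-3g /dev/sdXN /mnt/d     # sdXN and /mnt/d are placeholders
#   sudo ./purge_svi.sh /mnt/d ~/svi-manifest.txt

SVI_NAME="System Volume Information"

# Print "sha256  path" for every .exe under the folder (case-insensitive),
# so there is a record of what was removed for later lookup or reporting.
list_svi_executables() {
    local root="$1/$SVI_NAME"
    [ -d "$root" ] || return 1
    find "$root" -type f -iname '*.exe' -exec sha256sum {} +
}

# Usage: purge_svi <mountpoint> <manifest-file>
# Writes the hash manifest, then empties the folder but keeps the folder itself.
purge_svi() {
    local mnt="$1" manifest="$2" root="$1/$SVI_NAME"
    # Guard against pointing at the live system's own root by mistake.
    case "$mnt" in
        ""|"/") echo "refusing mount point '$mnt'" >&2; return 2 ;;
    esac
    [ -d "$root" ] || { echo "no '$SVI_NAME' under $mnt" >&2; return 1; }
    list_svi_executables "$mnt" > "$manifest" || return 3
    # The offline Windows install holds no locks on these files, and a default
    # ntfs-3g mount does not enforce NTFS ACLs, so the delete goes through.
    find "$root" -mindepth 1 -delete
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    purge_svi "$1" "$2"
fi
```

Keep the manifest outside the mounted partition's System Volume Information folder so the hashes survive the cleanup.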