
Author Topic: Why Windows developers make it easy for Trojans?  (Read 3972 times)


Geek-9pm, Topic Starter
Why Windows developers make it easy for Trojans?
« on: November 12, 2013, 11:40:02 AM »
Really, that is not my question. Somebody else said it and it has been echoed on many other sites.

Key phrase: "Can not delete System Volume Information"
Articles apply to Windows XP, 7 and 8.
Just one of many such...

System Volume Information can be write protected in such a way that even Linux has a hard time. It is almost impossible to destroy it. Why did they do that? Simple answer is that the thing is part of system restore.

Granted, users should not be deleting important files or folders. Yet they often can. However, the "System Volume Information" is some kind of sacred thing that can only be destroyed by a partition format. Or so it seems.

Some have said you have to destroy it with Linux. I read that on a forum run by Microsoft. Otherwise, you have to edit the registry, they said.

Well, I found out how to destroy it. Format the partition.
Still, I would like to know more about this --
if it can be explained in 200 words or less.

patio, Moderator
Re: Why Windows developers make it easy for Trojans?
« Reply #1 on: November 12, 2013, 12:06:30 PM »
And how does this make it easy for Trojans... ? ?
" Anyone who goes to a psychiatrist should have his head examined. "

Geek-9pm, Topic Starter
Re: Why Windows developers make it easy for Trojans?
« Reply #2 on: November 12, 2013, 12:22:59 PM »
Quote
And how does this make it easy for Trojans... ? ?
Using Avast I got some items in 'System Volume Information' and could not be deleted. It seems others have had this kind of issue also.
Quote
....Avast has picked up the Win32:Adware-gen virus in the "System Volume Information" folder. However regardless of whether I scan in safe mode, in a boot-time scan or just within normal windows-XP AVAST reports that it cannot delete, move or rename the file
The file location is
C:\System Volume Information\restore{07AAAC-1E84-4982-B148-C6D063D1AA98\A0003837.msi\icon.icon.exe
The error message is
The Operation is not supported for this type of Archive
Cannt process "C:\System Volume Information\restore{07AAAC-1E84-4982-B148-C6D063D1AA98\A0003837.msi\icon.icon.exe "  ...
Cannot Remove Trojan Win32
The Avast forum did not, IMO, give a quick and easy answer to the problem. It would seem the Trojan creators have got Windows by the tail. Just put it into the 'System Volume Information' and nobody can get rid of it.
What do you think?


BC_Programmer
Re: Why Windows developers make it easy for Trojans?
« Reply #3 on: November 12, 2013, 02:32:02 PM »
Quote
Using Avast I got some items in 'System Volume Information' and could not be deleted. It seems others have had this kind of issue
You already answered the question of how it got there. The Trojan did not put it into the System Volume Information folder; the System Restore service did.

System Restore checkpointed and a Trojan was in one of the monitored locations, so it got saved as part of the checkpoint.

Avast can view the contents of the folder, just as you can; run a command prompt as administrator and you can easily view the contents of the folder. You can even change or delete the contents of the folder. I don't know why Avast would have issues deleting the files.

Quote
Cannot Remove Trojan Win32

The Error message makes it pretty clear. It has NOTHING to do with the file being in System Volume Information at all:

Code:
The Operation is not supported for this type of Archive
Cannt process "C:\System Volume Information\restore{07AAAC-1E84-4982-B148-C6D063D1AA98\A0003837.msi\icon.icon.exe "

The error is because Avast does not support deleting files from .MSI installers. It has nothing to do with System Volume Information.

The .msi is probably an installer for a piece of software that installs adware in addition to its typical complement. Why they decided to mention anything about a Trojan I haven't a clue, considering they quite mention it is a Win32:Adware-gen that is causing the issue.

Quote
The Avast forum did not, IMO, give a quick and easy answer to the problem.

Uh, actually, it gives several.
Quote
It would seem  the Trojan creators have got Windows by the tail. Just put it into the 'System Volume Information' and nobody can get rid of it.
It failed to delete the file because it's inside an MSI file and Avast's MSI support does not include removing files, only reading them.

I was trying to dereference Null Pointers before it was cool.

Geek-9pm, Topic Starter
Re: Why Windows developers make it easy for Trojans?
« Reply #4 on: November 12, 2013, 04:59:15 PM »
Thanks, BC.
That Avast thread was hard for me to follow. It seems others had the same problem. The solution is to remove the virus, make a new checkpoint, delete all older checkpoints. Avast does not delete checkpoints, you have to do it.

After checkpoints are gone you  may remove the infected file. All this means you must have another way of doing a restore of something further back in time.

But if there is a better way, I would like to know.
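The sequence described in this reply (clean the machine, create a fresh checkpoint, then discard every older checkpoint) scripted as an added example; this is not code from the thread or from Avast, and it assumes an elevated Windows 10 PowerShell 5.1 session and that the malware itself has already been removed. Restore points are VSS shadow copies, so Win32_ShadowCopy is what gets enumerated and deleted.

```powershell
# Added example (not from the thread): "checkpoint, then purge older checkpoints".
# Assumes an elevated Windows 10 PowerShell 5.1 session and that cleanup is already done.
# A single file inside an old restore{...}\*.msi cannot be deleted on its own; the whole
# shadow copy that holds it has to go, which is what this script does for all but the newest.

# 1. Create the fresh checkpoint that will survive the purge.
Checkpoint-Computer -Description "Post-cleanup baseline" -RestorePointType MODIFY_SETTINGS

# 2. Enumerate shadow copies, oldest first, and show what is about to be touched.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
$shadows | Format-Table ID, InstallDate, VolumeName -AutoSize

# 3. Keep only the newest shadow copy; remove every older one.
$older = $shadows | Select-Object -SkipLast 1
foreach ($s in $older) {
    Write-Host "Removing shadow copy $($s.ID) created $($s.InstallDate)"
    Remove-CimInstance -InputObject $s
}

# 4. Confirm what System Restore still offers afterwards.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

On Windows 8 and later, Checkpoint-Computer silently skips creating a restore point if one was made in the previous 24 hours, so check step 4 shows the new baseline before trusting the result.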

BC_Programmer
Re: Why Windows developers make it easy for Trojans?
« Reply #5 on: November 12, 2013, 06:06:56 PM »
Quote
After checkpoints are gone you may remove the infected file. All this means you must have another way of doing a restore of something further back in time.
Fact is the infected file is something that would be recovered and used only if System Restore is activated and used. Random executables inside msi files saved by System Restore don't run themselves; they will pose no danger unless System Restore is used. These MSI files are also only activated and 'restored' for the actual System Restore; they are basically the installer scripts and data for restoring an Application.

Which Brings to bear another point:

Since the infected file is inside an MSI, and since these MSI files are checkpointed data for reinstalling an Application that is installed at the time of the checkpoint, this means that an infected Application was installed. That infected Application will only "run" if that Restore point is restored. Otherwise, nothing happens. In the same scenario I wouldn't even bother to try to clean it. Eventually it will be deleted as new Checkpoints are created.