SillyDog701

[Fulvio]

This may be a glitch with my Anti-Virus, Avast 6, but I am a bit puzzled. Starting yesterday, the daily scan indicated that I had no viruses, but that a number of files could not be scanned as they were password protected.
All of them belonged to some Adobe programs, and were reported to be located in C://System Volume Information/_restore/several letters and numbers.exe.
As far as I know I don't have any password-protected folder, and I can't find any System Volume Information folder.
A Search came up with nothing. I have had nothing like this on Friday, and days before, for years. I don't scan on Saturday. I may have update Adobe Reader, on Friday, but there is nothing strange in the Adobe Folder.
Before going to the Avast forum, does this ring any bell?

UserAgent: Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20100101 Firefox/7.0

[Don_HH2K]

System Volume Information is a protected system folder, where Windows keeps things like System Restore points and file indexes for Windows Search. It looks like Avast is picking up some infected files that got backed up via System Restore.

If you really want to see the directory, go to Control Panel -> Folder Options -> View, then uncheck the box for "Hide protected operating system files (Recommended)". Despite being able to see it, I don't think you'll be able to delete anything from there manually though.

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0) Gecko/20110820 Firefox/6.0-x64 PaleMoon/6.0-x64

[Fulvio]

Avast lists a number of files which cannot be scanned. It does not say that they are infected.
When I unchecked the box which you mentioned, I was able to see a System Volume Information folder. Right clicking on it, told me that it was empty, but left clicking said that SVI is not accessible, access denied.
Something fishy may be going on, but it is impossible to tell anything. The unscannable files are mostly of Adobe something (over 80 of them), and I detected, at least, half a dozen _host files.
I had updated a few adobe files, since the issue appeared.
This is bizarre, because none of files appear to be system files.

UserAgent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20110820 Firefox/6.0 SeaMonkey/2.3.1

[PaulD]

You also will need to select 'Show hidden files, folders, and drives'.

As Don says, you cannot do anything with it via Explorer.

XP only - don't know about Vista -
But if you are comfortable in the Command environment, you can use commands to access and manipulate the files and folders. I recommend against it, however; each Restore Point is spread across multiple objects.
(Experimenting just now in Windows 7, I find that the SVI is protected against this method of access.)

If the 'bad' files are not in the latest Restore then one can use Ccleaner to remove all older Restore Points.

The easiest way to remove ALL Restore Points is to turn off System Restore for the drive(s).
Reboot (optional). Then turn System Restore back on again.
(Windows 7 has a native capability to clear all RPs.)

Caveats:
- I don't know if / what AV conflict may have.
- The (alleged?) password-protection is curious and may indicate some other corruption. (What Adobe products and versions may be involved?)
- It is conceivable that cleverly written malicious software could hide in a RP. I would cautiously suggest that this might have to implicate a root-kit of some kind - but I'm way out of my depth here.

If the files are password protected then Avast program cannot get into them to inspect.
Do check with Avast to see if they have other reports.

Suggestions - possibly overkill
Disconnect from network. AV off. Hibernation off. Uninstall Adobe. System Restore off.
Reboot. Defrag. AV on, and full scan. System Restore on. Hibernation on (if used). Create a Restore Point. Network reconnect.
Operate as long as feasible. When required, re-install Adobes.

IF there is malicious material, it could have infected any USB/thumb drives too.

Be alert for ANY unusual/unexpected presentations or interactions with the system.

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

[Fulvio]

You also will need to select 'Show hidden files, folders, and drives'.

I have had that setting from Day 1. Anyway, I right clicked SVI folder to which access was denied, and Avast scanned over 10 GB of files. However, the same files which were "password protected" could not be scanned. So, Avast can do more than I can, but, somehow some files are "password protected".
By the way, I did a search and there is a ton of hits, for the same which I have reported, and with several AV programs. I did a Trend Micro Housecall scan, and it reported no malware. I had removed Adobe Reader.

UserAgent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0

[PaulD]

Yes, Access Denied is for us users, even Administrators. The AV programs run under other credentials and can get in. I believe that some Registry change(s) would allow us also to go there, but I'm not that interested in possibly breaking my system. A hand slap is one thing; a dart in the temple is more serious.
From the research you have done it sounds like Avast is throwing a false alert.

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

[Fulvio]

Yes, Access Denied is for us users, even Administrators. The AV programs run under other credentials and can get in. I believe that some Registry change(s) would allow us also to go there, but I'm not that interested in possibly breaking my system. A hand slap is one thing; a dart in the temple is more serious.

Agreed 100%

From the research you have done it sounds like Avast is throwing a false alert.

My Searches went as far back as 2007, and they involve other AV, like BitDefender and Kaspersky. I am not sure if the interpretations that there is malware are correct. I could roll back to an earlier Restore Point, like on Friday. when the scan had no issue. I did no scan on Saturday, but Sunday through today failed to scan several files.
Maybe I will leave things as they are, and see if the removal of Adobe Reader makes any difference. I have had Foxit for quite a while, as default, and the installation of the new Adobe Reader took back default, no question asked.

UserAgent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1

[powerwalk]

Deleting all but last restore point may help:

Start/Accessories/System Tools/ Disk Cleanup

When Cleanup is finished Scanning and presents you with another dialog window,
click on the More Options tab and choose the third (last option) "removing all but the most recent restore point." Click OK. Now you're left with only the last restore point which, hopefully, doesn't contain the culprit, if one does exist.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.21) Gecko/20110830 Firefox/3.6.21 (.NET CLR 3.5.30729)

[Fulvio]

Avast scanned with no problem, yesterday. Today it scanned zero files, and I had to create a new custom scan and tried a Quick Scan. In both cases the scan gave me the same problem as before. I will let you know if I care to figure out the issue. At this point, nothing makes sense. But, thank you for your suggestions.

UserAgent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20110820 Firefox/6.0 SeaMonkey/2.3.1

[Fulvio]

I removed all restore points, but unchecking the box in Computer|System Restore. Then, I did a registry cleanup which concludes with creation of one restore point. This morning the virus scan went normally. If everything will continue working properly, I will not add to this thread.

UserAgent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.1) Gecko/20110830 Firefox/6.0.1 SeaMonkey/2.3.1

[Ghostman 1]

After you removed the check mark in system restore, Did you reboot your computer, then put back in the check mark ?

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.20) Gecko/20110806 Firefox/3.6.20 (Palemoon/3.6.20)

[Fulvio]

I did, and got back several GB of hard drive.
Interestingly, yesterday's scan went well, while today's one file in All Users gave me the same response as the system restore files. It was the Cache file of a gadget, which I have had for several months, to store and play music. I don't know what's going on.

UserAgent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.1) Gecko/20110830 Firefox/6.0.1 SeaMonkey/2.3.1

[PaulD]

Send that music file to Avast for analysis. If they are raising a false positive they would want to fix that problem.

Unless your gadget is spying on you!

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

[Fulvio]

The music file is gone, in today's scan. I reported the issue to Logitech, but I got several more files showing up.
At this point, I am very puzzled. I may send the files to Avast, or give up on Avast.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.21) Gecko/20110830 Firefox/3.6.21