DMR 152 Wombat At Large Team Colleague

Recently we've had a number of questions regarding Anti-Virus programs finding infected files in the C:\System Volume Information\_restore folder, but not being able to delete or fix those files.

One of our members (thanks dlh6213!) suggested that we post instructions for removing those files someplace permanent rather than having to retype or cut-n-paste the instructions into each individual thread on the matter, so here you have it:


The problem:

Windows XP and ME have a tool called System Restore, which works by making automatic backups ("restore points") of critical Windows components, including the registry: one on a schedule (by default roughly every 24 hours of uptime) and one before events such as program installs and Windows updates. That way, if your system becomes corrupted you can ideally "roll back" to a previous, working configuration. On XP the backup files for these restore points are kept in a _restore{GUID} subfolder of the System Volume Information folder on each monitored drive, usually C:\System Volume Information\_restore..., which is a hidden system folder; Windows ME keeps them in C:\_RESTORE instead.

Unfortunately, if your system is already infected at the time when Windows takes a given restore "snapshot", the infected files get backed up along with everything else. Obviously, this also means that the infections will be reinstalled with everything else if you choose to restore from that snapshot point.

Because the Restore folder is a protected system folder (on an NTFS drive its permissions grant access only to the SYSTEM account; even Administrators are denied), most anti-virus and anti-spyware programs can detect the infected files stored there but don't have permission to delete or clean them. To erase the contents of the _restore folder, you need to turn off the System Restore function. When you turn off System Restore, Windows automatically deletes every restore point, and with it the contents of the _restore folder.

Note that because disabling System Restore deletes all data in the restore folder (the clean restore points along with the infected one), you lose the ability to roll back to anything earlier. Re-enable System Restore once you're sure that your system is clean, so that new, clean restore points are taken from that point on.


The Fix

For Windows XP:

Disable System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option (on a machine with more than one drive it reads "Turn off System Restore on all drives") and hit the "OK" button.

4. Click "Yes" in the resulting confirmation box. You may experience a slight delay as your change is applied; the Properties window will close automatically when the operation is complete.

5. Run another full scan with your anti-virus/anti-spyware programs to verify that the infected files have been deleted.


Once your system is clean: reactivate System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab, uncheck the box next to the "Turn off System Restore" option, and hit the "OK" button. There will be a slight delay as Restore reactivates; the Properties window will automatically close when the operation is complete.
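The same XP procedure as a script, for anyone who would rather do it from a command prompt or confirm that the restore points really went away. This is an added example, not part of DMR's original post: it uses the SystemRestore WMI class (namespace root\default) that ships with Windows XP, and the DisableSR registry value that the System Restore tab sets. It assumes Windows PowerShell is installed (an optional download for XP SP2/SP3) and that you are logged in with Administrator privileges; the function and variable names are my own.

```powershell
# Added example, not from the original post. Scripted equivalent of the
# "Disable System Restore" / "reactivate System Restore" steps above.
# Assumes Windows PowerShell on XP SP2/SP3, run as an Administrator.

function Get-RestorePoints {
    # Every instance of the SystemRestore WMI class is one stored restore point.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Select-Object SequenceNumber, Description, CreationTime
}

function Get-SystemRestoreState {
    # The System Restore tab writes DisableSR = 1 when the feature is turned off.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableSR
    if ($v -eq 1) { 'Disabled' } else { 'Enabled' }
}

Write-Host "Before: System Restore is $(Get-SystemRestoreState)"
Write-Host "Restore points currently stored:"
Get-RestorePoints | Format-Table -AutoSize

# Step 3: turn System Restore off. The Drive argument must end with a
# backslash; disabling it on the system drive turns it off for every
# monitored drive and purges all restore points, like the GUI check box.
$sysDrive = $env:SystemDrive + '\'
$sr = [wmiclass]'\\.\root\default:SystemRestore'
$rc = $sr.Disable($sysDrive).ReturnValue
if ($rc -ne 0) { throw "SystemRestore.Disable() failed, return code $rc" }

# Step 5: confirm nothing is left, then run the full anti-virus scan.
$remaining = @(Get-RestorePoints).Count
Write-Host "After disable: $(Get-SystemRestoreState), restore points left: $remaining"

# ... run your full anti-virus / anti-spyware scan here and confirm it is clean ...

# "Once your system is clean": reactivate System Restore on the system drive.
# WaitTillEnabled = $true blocks until the service is actually running again.
# Repeat the call with another drive letter for each extra drive to monitor.
$rc = $sr.Enable($sysDrive, $true).ReturnValue
if ($rc -ne 0) { throw "SystemRestore.Enable() failed, return code $rc" }
Write-Host "Re-enabled: System Restore is $(Get-SystemRestoreState)"
```

The script checks the result through WMI rather than by listing the folder, because on NTFS even an Administrator cannot open System Volume Information without first granting access (for example with `cacls "C:\System Volume Information" /E /G Administrators:F`). If `Get-RestorePoints` still returns entries after `Disable()`, System Restore was not turned off and the scanner will keep finding the same files.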


For Windows ME:

1. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

2. On the Performance tab, click File System.

3. On the Troubleshooting tab, put a check in the "Disable System Restore" check box.

4. Click "OK" twice, and then click "Yes" when you are prompted to restart the computer. Windows ME deletes the contents of its restore folder (C:\_RESTORE) during this restart.

5. Run another full scan with your anti-virus/anti-spyware programs to verify that the infected files have been deleted.

6. Once your system is clean, re-enable System Restore: follow steps 1-4 again, but in step 3 click to clear the "Disable System Restore" check box, and restart when prompted.