How to delete a virus within _restore folder?

by Melati Hitam / July 28, 2004 10:56 PM PDT

I have two HDs, 1 Master (NTFS) and 1 Slave (FAT32).

During an online scan (Bitdefender), it found a virus on my SLAVE drive >> D:\System Volume Information\_restore{string of numbers}

Bitdefender is unable to remove it (it's only reporting that there is a virus on my HD).

How do I remove the virus? -- (I'm unable to find the folder, even though I chose to show all files and folders.)

Thank You

I believe once you have a virus, system restore is useless
by LarryD / July 28, 2004 11:11 PM PDT

and should be disabled and then re-enabled (thus wiping out all your restore points). Please don't do that until one of the experts here concurs, as I don't want to be the cause of you deleting anything of potential value, although I am 99.5% sure of my answer.

Virus?
by A-kash / December 29, 2008 11:08 AM PST

I keep getting a bunch of pop-ups I never got before, and I noticed two files I never saw in my C drive that I can't delete. I rebooted my computer twice and the 2 files are still there and I keep getting all these pop-ups. Any suggestions?

Re: How to delete a virus within _restore folder?
by R. Proffitt Forum moderator / July 29, 2004 12:01 AM PDT

"I wouldn't advise anyone to turn off system restore. It can save your system when a problem arises.

When a file in the System Volume Information folder is infected, Windows does not allow any software, including an antivirus program, to delete the file. This is why all antivirus programs typically recommend turning off "System Restore" when a virus is found.

By turning it off, all infected files in the System Volume Information folder will be automatically deleted.

Turn system restore on after your system is clean and create a restore point.
Ron"

- http://www.wilderssecurity.com/showthread.php?t=37850&goto=nextnewest

Selective Restore Points deletion in Windows XP …
by Cetin Denislam / July 29, 2004 1:29 AM PDT

Perform the following steps:

1. Gain access to the System Volume Information folder. For details read the following MS KB article:

Q309531 - "How to Gain Access to the System Volume Information Folder"

Note

The System Volume Information folder is a hidden folder. In order to see it, open Windows Explorer, go to Tools, Options, View tab. Set the "Show hidden files and folders" option.


2. From Windows Explorer, expand the System Volume Information folder. You'll find a _restore{CLSID} subfolder. Example:

_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}

Under it, there are subfolders with names starting with RPxxx. These folders are the restore points. Search for the offending file(s) inside the RPxxx folders. After you find it, just delete the corresponding RPxxx folder.


Good Luck,

Cetin
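
Cetin's two steps above, written out as a script (an added example for this thread, not code from any poster or from the Microsoft KB article): it grants access to System Volume Information with the cacls command KB 309531 describes for NTFS volumes, walks the _restore{CLSID} folder, reports which RPxxx restore points hold a file with the name the scanner flagged, and deletes only those restore points when asked to. The script name, the drive letter and the file name in the usage line are assumptions; the scanner's report supplies the real file name.

```powershell
# Added example for this thread (not code from any poster or from Microsoft).
# Walks the XP restore-point store on one drive, lists the RPnnn folders that
# contain a file matching the name the scanner flagged and, only with -Delete,
# removes those restore points and nothing else.
#
# Assumptions (not stated in the thread): run from an administrator account;
# $Drive and $FileName are supplied by the caller; on NTFS the cacls syntax
# from MS KB 309531 is used to add the current user to the folder's ACL.
param(
    [Parameter(Mandatory=$true)][string]$Drive,     # e.g. 'D:'
    [Parameter(Mandatory=$true)][string]$FileName,  # name (or wildcard) from the scanner's report
    [switch]$Delete
)

$svi = Join-Path ($Drive + '\') 'System Volume Information'

# Step 1 (Cetin's step 1 / KB 309531): make sure the folder can be read.
# On FAT32 there is no ACL and the folder is merely hidden, so -Force suffices.
# On NTFS the default DACL grants only SYSTEM; cacls /E edits the ACL in place
# and /G grants the named user Full control.
try {
    $null = Get-ChildItem -LiteralPath $svi -Force -ErrorAction Stop
} catch {
    $user = "$env:USERDOMAIN\$env:USERNAME"
    Write-Host "Access denied to $svi; granting $user Full control via cacls"
    & cacls.exe $svi /E /G "${user}:F" | Out-Null
}

# Step 2: locate _restore{CLSID}. Each restore point is an RPnnn subfolder.
$restoreRoot = Get-ChildItem -LiteralPath $svi -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -like '_restore{*}' } |
    Select-Object -First 1
if (-not $restoreRoot) { Write-Host "No _restore folder on $Drive"; exit 0 }

$hits = @()
Get-ChildItem -LiteralPath $restoreRoot.FullName -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^RP\d+$' } |
    ForEach-Object {
        $rp = $_
        # System Restore stores renamed copies inside each RPnnn folder;
        # match on the file name exactly as the scanner printed it.
        $found = Get-ChildItem -LiteralPath $rp.FullName -Force -Recurse |
            Where-Object { -not $_.PSIsContainer -and $_.Name -like $FileName }
        if ($found) {
            $hits += $rp
            foreach ($f in $found) { Write-Host ("{0}\{1}" -f $rp.Name, $f.Name) }
        }
    }

if (-not $hits) { Write-Host "No restore point on $Drive contains $FileName"; exit 0 }

# Step 3: delete only the restore points that hold the flagged file.
# Without -Delete this is a dry run, so the list can be checked against the
# scanner's report before anything is removed.
foreach ($rp in $hits) {
    if ($Delete) {
        Remove-Item -LiteralPath $rp.FullName -Recurse -Force
        Write-Host "Deleted restore point $($rp.Name)"
    } else {
        Write-Host "Would delete $($rp.FullName) (re-run with -Delete)"
    }
}
```

Usage (assumed names): `.\Find-InfectedRestorePoint.ps1 -Drive D: -FileName A0001234.exe` first as a dry run, then again with `-Delete` once the listed RPxxx folder matches the path in the scanner's report, and re-scan the drive afterwards to confirm the detection is gone. The cacls line is the same one you would type into cmd.exe by hand; on a FAT32 slave drive like the one in the original post it is never reached, because that folder is only hidden, not protected by an ACL. Unlike turning System Restore off for the drive, which discards every restore point on it, this removes just the restore points that carry the flagged file.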


I can afford to turn off the restore point, but
by Melati Hitam / July 29, 2004 4:21 AM PDT

As Cetin Denislam said about viewing the folder… I'm curious how to do it.

I already set it to show all files, but still I can't see it.

And also, since the virus is on the SLAVE drive, does turning off System Restore also affect the slave drive?

By the way, my OS is Windows XP Pro.

Thank you very much for all the help and information.

I guess I have found the answer for my own question
by Melati Hitam / July 29, 2004 5:01 AM PDT

I found out that I can turn off the system restore for any drive.

And I also found out that I have to uncheck hide system files .... in the tools, option, view ....

Thank you for all the help.

All right, since you managed it …
by Cetin Denislam / July 29, 2004 8:49 PM PDT

… and were able to see your Restore Points, Melati. Did you find the offending RPxxx, delete it and later check that the AV doesn't complain any more?


You are welcome and "Good Luck",

Cetin


Re: Selective Restore Points deletion in Winodws XP …
by Harv / July 29, 2004 9:36 AM PDT

Just out of curiosity, in case I need to use this procedure in the future, I tried to gain access to the System Volume Information folder and was denied access. My OS is WinXP Home Edition.

Harv, look at the MSKB, provided by Cetin
by Melati Hitam / July 29, 2004 2:13 PM PDT

I copied below,

"Gain access to the System Volume Information folder. For details read the following MS KB article:

Q309531 -"How to Gain Access to the System Volume Information Folder"

In short, you have to create or ADD permission for your username (even if you are the admin) for the folder.

Re: Selective Restore Points deletion in Windows XP …
by Cetin Denislam / July 29, 2004 8:49 PM PDT

The article from my previous post shows how to gain access for all cases: Windows XP Home (FAT32, NTFS) and XP Pro (FAT32 or NTFS; local, workgroup or domain).
In your situation, it's Home Edition with NTFS. The procedure is described in the "Using CACLS with Windows XP Home Edition Using the NTFS File System" section and below it.

I'd suggest at least reaching the System Volume Information folder access. That should satisfy your curiosity ;-).

However, the procedure shown is more than selectively deleting some Restore Points. It reveals the underlying structure of this feature in Windows XP.


Good Luck,

Cetin


Re: Selective Restore Points deletion in Windows XP …
by Harv / July 30, 2004 6:32 AM PDT

Thanks Melati and Cetin for your help. I hope that curiosity doesn't kill this cat.

