Saturday, April 5, 2008

How to remove System Restore infections in Windows XP

1. Disable the on-access protection of your antivirus solution.
2. Disable System Restore. If you don't know how to do that, please click here.
3. Enable the viewing of hidden and system files and folders:
- Click the Start button, then go to Settings > Control Panel
- Go to Folder Options
- In the View tab, check the "Show hidden files and folders" option
- Uncheck the "Hide protected operating system files" option
- Click Apply and OK

4. Change permissions to access System Restore files:
- Click the Start button, then choose Run
- Type cmd and click OK to confirm
- In the Command Prompt window that opens next, type in:
  cacls "C:\System Volume Information" /P Administrators:F
- Confirm by pressing the Y key.

You are now able to open the folders used by System Restore in Explorer and browse through the path C:\System Volume Information.

- Locate the infected files and delete them by selecting them and pressing Shift+Delete on the keyboard.

- Open the Command Prompt window again (the first three steps of item 4 above) and type in:
  cacls "C:\System Volume Information" /P System:F
- Confirm again with Y to restore the original permissions. Without /E, cacls /P replaces the folder's whole access control list rather than adding an entry, so the first command left only Administrators with access and this one puts back the SYSTEM-only access that System Restore expects.

5. Re-enable the on-access protection of your antivirus solution.
6. Turn System Restore back on.
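As an added example (not part of the original post), the following batch script wraps steps 3 and 4 for Windows XP: it records the folder's current permissions, grants Administrators access, lists the restore point contents so the infected files can be located, and puts SYSTEM-only access back afterwards. The registry values are the ones behind the two Folder Options check boxes; the backup file name and the script's messages are my own choices.

```batch
@echo off
rem Added example, not part of the original post: wraps steps 3 and 4 of the
rem procedure above for Windows XP. Run it from an Administrator account after
rem disabling on-access scanning and System Restore (steps 1 and 2).
rem SVI is the System Restore folder named in the post; ACL_BACKUP is a file
rem name chosen here (assumption) to keep a copy of the permissions before
rem they are replaced.
setlocal
set "SVI=C:\System Volume Information"
set "ACL_BACKUP=%TEMP%\svi-acl-before.txt"

rem Step 3: show hidden files and protected operating system files in Explorer.
rem These are the registry values behind the two Folder Options check boxes.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f >nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f >nul

rem Record the ACL as it is now. cacls with no switches only prints it.
cacls "%SVI%" > "%ACL_BACKUP%"
echo Saved current permissions to "%ACL_BACKUP%"

rem Step 4: cacls /P without /E replaces the whole ACL, which is why the post
rem later has to put SYSTEM back. Piping Y answers the "Are you sure" prompt.
echo Y | cacls "%SVI%" /P Administrators:F >nul
if errorlevel 1 (
    echo Could not change permissions on "%SVI%"; are you an Administrator?
    exit /b 1
)

rem List what the restore points contain so the infected files can be located.
rem Restore points live under _restore{GUID}\RP<n>; /a includes hidden and
rem system files that a plain dir would skip.
dir /s /a "%SVI%"

echo.
echo Delete the infected files now in Explorer with Shift+Delete, then press a
echo key to restore the original SYSTEM-only permissions.
pause >nul

rem Put the ACL back to SYSTEM:F only, as in the last cacls step of the post.
echo Y | cacls "%SVI%" /P System:F >nul
if errorlevel 1 (
    echo Could not restore permissions; run: cacls "%SVI%" /P System:F
    exit /b 1
)
rem Print the final ACL so it can be compared with the saved copy.
cacls "%SVI%"
endlocal
```

Compare the final cacls output with the saved copy before turning System Restore back on; if they differ, the permissions were not restored and the second cacls command should be run again by hand.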