DADDY BOB'S COMPUTER Q & A
December 17, 2006
Q.
Sometimes, when I run a virus scan I get a
hit on a file in a folder called _restore
that cannot be cleaned, deleted or
quarantined. What's this all about?
A. There
is a folder on each drive called _restore.
This folder is hidden by default, so you may
not be able to see it. This folder
contains the files saved when a System
Restore Point is created. System Restore is
part of the operating system that allows
you to restore your system files, registry
keys, installed programs, etc., to a
previous condition should you encounter a
serious problem.
The
System Restore feature is accessed from the
Start menu. Click Start/All
Programs/Accessories/System Tools/System
Restore. (You can also access it by clicking
Start, Run, and entering restore/rstrui.exe)
From there, the user may either create a new
restore point manually, roll back to an
existing restore point, or change the System
Restore configuration. A System Restore
Point can be created under any of the
following conditions:
1. when a piece of software
is installed (if it is well
behaved)
2. when Windows Updates are
installed
3. when the user installs a
driver that is not digitally
signed
4. every 24 hours of
computer use, or
5. every 24 hours of
calendar time, whichever
happens first
6. when the computer boots
after being turned off for
more than 24 hours
7. when the user manually
creates one
If there was some malware (virus, spyware,
adware, etc.) on your computer when a System
Restore Point was created, there is a good
probability that it was included with some
of the other files. Your antivirus program
is detecting a form of malware in one of
these incremental restore point files. Since
these restore point files are protected by
the operating system, your anti-virus
program cannot remove it.
Any malware in a restore point file is not
likely to do you harm as is, where is, but
if you do a System Restore to return your
computer to a previous state, it is very
likely that you would re-activate the
malware. So, when an anti-virus or
anti-spyware program detects a problem in a
Restore Point file, it should be
removed.
However, the best, and probably the only way
to get rid of malware in a System
Restore Point file is to delete the System
Restore Point files. Since the Restore Point
files cannot be deleted in the normal way as
they are locked out by Windows, we have to
use Windows to delete them for us. Here's
how to easily do this.
Open the System Properties dialog by
pressing the Windows/Pause key combination,
or by right clicking My Computer, selecting
Properties and then clicking the System
Restore tab. This dialog will open.

Check the box in front of "Turn off System
Restore on all drives" and click the Apply
button (NOT the OK button), and you will get
a warning similar to this:

NOTE: Of course, since
deleting all Restore Points will prevent you
from restoring your computer to a previous
state, this is not something you should do
if your computer is not currently in a stable
condition and you are anticipating
performing a system restore in an attempt to
correct the unstable condition.
When you click Yes, there will be a pause
while all the System Restore Points are
deleted. As soon as the deletion has
completed, go back and uncheck the box in
front of "Turn off System Restore on all
drives", and click the Apply button again.
There will be another delay as a new System
Restore Point is created. When this process
has completed, click OK.
Now, the only System Restore Point that will
be available is the one just created, and
any previous restore point files that may
have contained malware are gone.
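
An added example, not part of the original column: a short Python script that sorts a scanner's detections into copies sitting inside a _restore folder (the ones the steps above remove) and hits on live files. The sample paths, folder layouts and detection names are constructed for illustration and are assumptions, not real scanner output.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample detections (path, detection name); not real scanner output.
SAMPLE_HITS = [
    (r"C:\System Volume Information\_restore{EXAMPLE-GUID}\RP12\A0001234.exe", "Sample.Trojan.A"),
    (r"C:\_RESTORE\ARCHIVE\FS5.CAB", "Sample.Worm.B"),
    (r"D:\System Volume Information\_restore{EXAMPLE-GUID}\RP3\A0000042.dll", "Sample.Trojan.A"),
    (r"C:\Documents and Settings\bob\_restore_backup\setup.exe", "Sample.Adware.C"),
    (r"C:\WINDOWS\system32\example.dll", "Sample.Trojan.A"),
]

def restore_location(path):
    """Return (drive, folder) if path lies inside a _restore folder, else None."""
    p = PureWindowsPath(path)
    # Skip the drive root and the file name: only directory components count.
    for part in p.parts[1:-1]:
        name = part.lower()
        # Exact "_restore" or "_restore{...}"; a look-alike such as
        # "_restore_backup" is an ordinary folder holding live files.
        if name == "_restore" or name.startswith("_restore{"):
            return (p.drive.upper(), part)
    return None

def triage(hits):
    """Split detections into restore-point copies (grouped by drive) and live files."""
    in_restore, live = defaultdict(list), []
    for path, name in hits:
        loc = restore_location(path)
        if loc:
            in_restore[loc[0]].append((path, name))
        else:
            live.append((path, name))
    return dict(in_restore), live

def plan(hits):
    """Order the work: live files first, because the fresh restore point made
    after the purge includes whatever is on the computer at that moment."""
    in_restore, live = triage(hits)
    steps = []
    if live:
        steps.append("clean live files: " + ", ".join(p for p, _ in live))
    if in_restore:
        steps.append("purge restore points (hits on " + ", ".join(sorted(in_restore)) + ")")
    return steps

if __name__ == "__main__":
    for number, step in enumerate(plan(SAMPLE_HITS), 1):
        print(number, step)
```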