Can't Clear System Restore Files. System Check Virus the Cause?

earthwormjim

About a month ago I managed to get the infamous System Check virus on my computer. I was shocked that it happened; I was at the time doing a Google image search.

Anyway I managed to remove the virus, unhide my files, and restore all my start menu shortcuts. During the removal process, I cleared all of my previous system restores as an extra precaution.

Lately I've been noticing that I have been running quite low on disk space for no known reason. After investigating I saw that my System Volume Information folder is quite large (15GB). Further investigating shows specifically the System Restore folder inside the System Volume Information folder is taking up most of the space. System restore is disabled, there shouldn't be anything in that folder.

It appears the virus attempted to copy the entire contents of my C drive and hide it in the system restore folder. Obviously there isn't enough space on my drive to have everything duplicated, but it did duplicate 15GB of data. I desperately need to reclaim this drive space but no matter what I do, I cannot clear the contents of this folder.

I've tried toggling system restore on and off (it's currently off).

I've tried running an elevated command prompt resizing shadowstorage.

I've tried taking ownership of the folder then simply deleting the files and folders, nothing happens. The files and folders remain where they were.

I've tried disk cleanup, it is unable to find any System Restores and thinks all the data is cleaned up.

I've tried CCleaner, it also thinks there's currently no System Restores.

I've also tried sticking the drive into another Windows 7 computer and deleting them from there, that didn't work either.

Basically I've tried every step listed here, to no avail: http://www.sevenforums.com/tutorials/336-system-protection-restore-points-delete.html

Any help would be greatly appreciated.
 

Try rebooting after each enabling and disabling of system restore. See if they get deleted. Is 15 GB within the top limit for your hard drive?
 

Try rebooting after each enabling and disabling of system restore. See if they get deleted. Is 15 GB within the top limit for your hard drive?

No, I have it set to 1% when I do enable system restore, so that's around 1GB.

It's a ~120GB SSD, so space is pretty valuable.
 

Well, I actually meant if it had been set to the max size the dialog box would allow.

Have you tried rebooting between the toggle of the enable/disable checkbox, to see if that deletes the files?

If you can't get rid of them through normal means, there are relatively easy ways to do whatever you want with those files if you boot off of various bootable CD's.
 

A couple of follow-up questions, if I may.

1. How did you remove the initial virus?
2. Are you sure all of the virus was removed? (No anti-malware product is 100% effective 100% of the time. If there was such a thing we'd all be using it.)
3. Did you do supplemental scanning with any of the free on-demand scanners like Malwarebytes, Superantispyware, Hitman Pro, Eset, Comodo Cleaning Essentials, Windows Defender Offline, etc?

The virus may have damaged or corrupted your system files. If you scan your system with a few supplemental scanners and your computer comes back clean, you could try running a System File Checker scan from an elevated command prompt (option two, this tutorial.) If any problems are found run the scan 3 times rebooting in between each scan.

http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html
 

A couple of follow-up questions, if I may.

1. How did you remove the initial virus?
2. Are you sure all of the virus was removed? (No anti-malware product is 100% effective 100% of the time. If there was such a thing we'd all be using it.)
3. Did you do supplemental scanning with any of the free on-demand scanners like Malwarebytes, Superantispyware, Hitman Pro, Eset, Comodo Cleaning Essentials, Windows Defender Offline, etc?

The virus may have damaged or corrupted your system files. If you scan your system with a few supplemental scanners and your computer comes back clean, you could try running a System File Checker scan from an elevated command prompt (option two, this tutorial.) If any problems are found run the scan 3 times rebooting in between each scan.

http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

I used Malwarebytes in safe mode, with the mbam.exe renamed to something gibberish. It seems to have cleaned the system.

I then went through and manually deleted the files the virus had created and the registry entries.

After that I again ran Malwarebytes.

Lastly I used the TDSSKiller from Kaspersky.

I also did a scan of system files using sfc like you had suggested.

I'm pretty positive the virus is completely gone. The computer doesn't run slow at all, CPU usage idling is 1% or under and boots up in about 10 seconds total.

Well, I actually meant if it had been set to the max size the dialog box would allow.

Have you tried rebooting between the toggle of the enable/disable checkbox, to see if that deletes the files?

If you can't get rid of them through normal means, there are relatively easy ways to do whatever you want with those files if you boot off of various bootable CD's.

I've rebooted after toggling. I'm guessing maybe since these files aren't really valid system restore files, they're literally just straight copies of the contents of my C drive, Windows probably doesn't even recognize that they're there.

I'll try booting up using a portable linux distro.
 

I'm pretty positive the virus is completely gone. The computer doesn't run slow at all, CPU usage idling is 1% or under and boots up in about 10 seconds total.

That sounds real good. :thumbsup:
 

Enable system restore in the registry:

1 Click "Start," type "regedit" into the search bar, press "Enter" and click "OK."
2 Navigate to the "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT" registry key.
3 Click "Edit," "New," "Key" and then type "SystemRestore" as the key name.
4 Click "Edit," "New," "DWORD Value" and then type "DisableConfig" as the key name.
5 Double-click on the "DisableConfig" value and set the value to "0" to ensure that the System Restore application is not disabled. Click "OK" to save your settings.


You could also run an online scan with ESET.

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png]
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png]
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png]
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png]
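
The registry steps in the post above, as an added example that is not part of the original thread: a PowerShell script (run elevated) that reports the System Restore policy values and, with the hypothetical `-Fix` switch, sets DisableConfig to 0 as the steps describe. Checking the sibling DisableSR value and listing shadow storage with vssadmin are additions made here, not taken from the post.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# -Fix is a hypothetical switch name chosen for this script.
param([switch]$Fix)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'

# DisableConfig is the value named in the steps; DisableSR is the sibling
# policy value that turns System Restore off entirely (checked here as an addition).
foreach ($name in 'DisableConfig', 'DisableSR') {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "$name : not set (no policy applied)"
    } elseif ($item.$name -ne 0) {
        Write-Output "$name : $($item.$name)  <-- System Restore restricted by policy"
    } else {
        Write-Output "$name : 0"
    }
}

if ($Fix) {
    # Steps 3-5: create the key if it is missing, then set DisableConfig to DWORD 0.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DisableConfig' -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Output 'DisableConfig set to 0'
}

# What the Volume Shadow Copy service itself reports for the system drive.
# Space used under "System Volume Information" that does not show up here
# is not accounted for by shadow copies.
vssadmin list shadowstorage "/for=$env:SystemDrive"
vssadmin list shadows "/for=$env:SystemDrive"
```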
 