Thread: WindowsME restore problem

  1. #1

    WindowsME restore problem

    Hi there,

    I thought I'd make a thread about this in here as it seems to be a pretty big security problem with the WindowsMe OS. It's the folder C:\_RESTORE\TEMP

    I've even followed the instructions for removal of this from a Microsoft site and have still not solved it. Even the official guide on how to delete this doesn't work.

    I'm pretty sure that some of you people know how to do this though. I've had this problem for months now and I can't delete the files at all that include: Bonzibuddy, eAccelorator, eZula, Cydoor, Backweblite, easysearch, you name it. It's a nice convenient place where all of the junk can gather, infect my PC, slow it down AND probably add numerous spyware trackers at the same time.

    I made this thread in the hope that some of you know the solution, because I've yet to see one.


    Information taken from : http://support.microsoft.com/default...NoWebContent=1


    WARNING: Using the following steps will completely remove all restore points from the data store. Do not use this method if this will cause problems. When you enable the System Restore feature again, the System Restore feature will create a new restore point and then resume monitoring your computer.

    1. Click Start, point to Settings, and then click Control Panel.
    2. Double-click System, and then click the Performance tab.
    3. Click File System, and then click the Troubleshooting tab.
    4. Click to select the Disable System Restore check box, click Apply, click to clear the Disable System Restore check box, click Apply, and then click OK.
    5. Restart the computer when you are prompted to do so. When the computer restarts, the data store is purged and the System Restore feature begins monitoring the system again.

    - - - - -


    This doesn't work. Also this: Click to select the Disable System Restore check box, click Apply, click to clear the Disable System Restore check box, click Apply, and then click OK.

    Just sounds like it's asking me to do the same thing twice. I followed the instructions anyway and the problem was still there, then I left it on disabled (it's left on disabled now) and still nothing cleared out of the system.

    Actually I can even imagine a good few of you people getting wound up with it, unless you know a way of ripping the damn restore files out with some type of homemade shredding program?!? Over to you people anyway in the hope that some of you are smiling at this post because you already know the answer.

    However, and with no offence intended, please only reply if you have actually done this yourselves or have seen it done, because despite the guides and advice, the restore\temp files seem to evade many written solutions.


    eonfire
    "What is is not, what is not is - - if this is not yet clear to you, you're still far from the truth."

  2. #2
    Senior Member nihil
    OK mate, let's try this:

    1. Leave system restore "off"
    2. Boot into safe mode
    3. Run AdAware, SpyBot S&D and your AV

    The _Restore folder should not be object locked, so they should be able to kill the bad guys?

    Let me know what happens.

    Cheers

  3. #3
    Senior Member Falcon21
    I am also using WinME and this is what I always do when I find viruses and spyware in the Restore folder:

    1) Right click on "My Computer" and select "Properties"
    2) Go to the "Performance" tab and click on the "File System..." button.
    3) Now go to the "Hard Disk" tab and set the "System Restore disk space use" to the minimum (200 MB)
    4) Go to the "Troubleshooting" tab to disable system restore.
    5) Wait for some time and reboot. (The data in the Restore folder is being removed)

    I am not sure if it works for you :P

  4. #4
    Nah, I tried them both and no success.

    System restore was turned off when I went onto safe mode, I scanned with Spybot and AVG 6.0 and still got nothing. (Frustrated because Spybot shows the things at the bottom as it runs through them!)

    Also I tried to change the hard disk tab, Falcon, but it's disabled, I can't click on it.

    I really don't know if I'm being hacked or not because my Sygate firewall blocked 24 incoming at severity 15 within a minute, is that someone hacking or just people all over scanning IPs?

    + I sometimes hear things running in my comp and the Sygate tab in the system tray is always flashing on red. It's doing it right now. Is this maybe all of those things from the restore tray operating and sending out stuff to different companies etc. which are then trying to get back to all of the junk?

    Thanks for trying anyway, it's good to know I'm still going through different options, maybe I'll get there soon.

    (If the firewall blocking sounds bad, I can give you the IP addresses.)

  5. #5
    Senior Member nihil
    Hang on,

    "I've had this problem for months now and I can't delete the files at all that include: Bonzibuddy, eAccelorator, eZula, Cydoor, Backweblite, easysearch,"

    If you actually have those things, then SpyBot and AdAware will find them. Problem is that they cannot delete them if Restore is switched on. Also, they don't run from the restore files.............you actually have to do a restore. How do you know that they are really there?

    Have you checked your restore? Can you actually see any restore points? Try deleting them?

    Get CWShredder and HijackThis. Run CWShredder with NO browser windows open. Then run HijackThis and post the log here.

    Cheers,

  6. #6

    It's ok, problem solved, I got some updates from Microsoft and the hard disk option was enabled.

    I think it's clear now anyway.

    I feel like the stupid n00b i was when i first got here all over again...............

    (shouts to himself : "come on eonfire, wake up!")

  7. #7
    Senior Member nihil
    OK...............I have suggested this tool to you...............be careful!!!

    Winfile (just type it in at the "run" prompt)

    Go into the _restore folder and select all sub-folders then hit the delete key..........answer "all" or "OK" to any prompts.

    I have just done this on one of my ME machines and it still seems to work

    I would not recommend deleting the main folder though

    Good luck

    Just had a thought.........go into SpyBot and AdAware and make sure that you delete the "restore/quarantine" files...............that is where they might really be, complete with restore path? wot a pillock......should have spotted that earlier

  8. #8
    Well, I think I'm ok for now, it seems to be ok, but thanks for taking the time to check that out for me and if I get any more problems I'll look forward to following those instructions.

    Oh well, back to reading the tutorials...............
