
How do I disable system restore, or delete the restore points after the computer has been infected ?

Anonymous
2009-11-09T15:08:37+00:00

Hello, I've recently run into an issue with a virus. This one disabled all removal programs; I tried 9 or so. The System Restore tab was missing from the System Protection menu. After a quick search on Google, I found this from Microsoft:

   1. Click Start, click Run, type regedit, and then click OK.

   2. In Registry Editor, locate the following registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT

   3. Under Windows NT, create a new key:

         1. On the Edit menu, click New, and then click Key.

         2. For the name of the new key, type SystemRestore.

   4. Create a new DWORD value:

         1. On the Edit menu, click New, and then click DWORD Value.

         2. Double-click the new key to open the Edit DWORD Value dialog box.

         3. Under Value name, type DisableConfig, under Value data, type 1, and then click OK

I backed up the key, and added the data. It did not seem to do anything, as I was still able to open System Restore. Is there a service I can turn off or disable? Or perhaps a different registry key I can add or modify? If this is not possible, is there a way that I can delete the restore points? As far as I can tell, the virus would disable any and all anti-virus/anti-malware software I tried. I could not prevent Pev.exe from starting. I could delete the files; however, upon restart or any attempt to run a scanner the screen would flash (if I was quick I could watch the files come back) and the files would return. pev.exe would start up and kill the scanner. That is why I believe it was utilizing the System Restore feature to protect itself. Also, would repairing the Windows installation replace/remove the System Restore points? Any suggestions would be greatly appreciated.

And as a bonus, I'll give a cookie to the person that tells me how to view BSOD error codes in Vista (I don't really want to use the debugger if possible).

Thanks in advance

-Mike

Windows for home | Other | Security and privacy

Locked question, migrated from the Microsoft Support Community.

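Worked example added here by the editor (not code from the thread, and not Microsoft's): a PowerShell script that audits and, on request, changes the two policy values under the registry key quoted in the question, and lists or purges the volume shadow copies that hold the restore points (the vssadmin/ShadowStorage route the accepted answer links to). It assumes Windows Vista or later with PowerShell 2.0 or newer and an elevated prompt; the script name, parameter names and function names are this example's own. The point it makes: `DisableConfig=1` only hides the System Protection configuration UI, which is why setting it left System Restore usable, while `DisableSR=1` is the policy value that actually turns the feature off. For incident response the audit half is the useful part: a System Protection tab that disappears after an infection is a reason to read these values and compare them with what an administrator actually set.

```powershell
# Added example (editor's own, not from the thread or from Microsoft). Assumes Windows Vista
# or later, PowerShell 2.0+, and an elevated ("Run as Admin") prompt. Save as, for instance,
# Restore-Audit.ps1 (hypothetical name) and run it with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DisableRestore,     # write DisableSR=1: the value that actually turns System Restore off
    [switch]$HideConfigUI,       # write DisableConfig=1: only hides the System Protection configuration UI
    [switch]$PurgeRestorePoints  # delete every existing shadow copy (restore points are stored in them)
)

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$policyNames = @('DisableSR', 'DisableConfig')

function Get-RestorePolicy {
    # Returns the two policy DWORDs; a missing value reads as 0 ("not configured", feature on).
    $result = @{ DisableSR = 0; DisableConfig = 0 }
    if (Test-Path -Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        foreach ($name in $policyNames) {
            if ($props.PSObject.Properties[$name]) { $result[$name] = [int]$props.$name }
        }
    }
    return $result
}

function Set-RestorePolicyValue {
    param([string]$Name, [int]$Value)
    if (-not (Test-Path -Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # -Force overwrites a value of the same name if it already exists.
    New-ItemProperty -Path $policyKey -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-ShadowCopies {
    # Win32_ShadowCopy is the WMI view of what "vssadmin list shadows" prints.
    Get-WmiObject -Class Win32_ShadowCopy
}

# --- 1. Audit the policy values ---------------------------------------------------------
$policy = Get-RestorePolicy
Write-Host ("Policy key present : {0}" -f (Test-Path -Path $policyKey))
Write-Host ("DisableSR          : {0}   (1 = System Restore turned off by policy)" -f $policy.DisableSR)
Write-Host ("DisableConfig      : {0}   (1 = configuration UI hidden; restore still runs)" -f $policy.DisableConfig)
if ($policy.DisableConfig -eq 1 -and $policy.DisableSR -eq 0) {
    Write-Warning 'DisableConfig is set without DisableSR: the UI is hidden but restore points are still created and usable.'
}

# VSS starts on demand, so its state alone says nothing durable about System Restore.
$vss = Get-WmiObject -Class Win32_Service -Filter "Name='VSS'"
Write-Host ("Volume Shadow Copy service: State={0} StartMode={1}" -f $vss.State, $vss.StartMode)

# --- 2. Audit existing shadow copies / restore points ----------------------------------
$shadows = @(Get-ShadowCopies)
Write-Host ("Shadow copies on this machine: {0}" -f $shadows.Count)
$shadows |
    Format-Table ID, VolumeName, @{ n = 'Created'; e = { $_.ConvertToDateTime($_.InstallDate) } } -AutoSize |
    Out-String | Write-Host
if (Get-Command Get-ComputerRestorePoint -ErrorAction SilentlyContinue) {
    # Writes an error (suppressed here) when System Restore is already disabled.
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
        Format-Table SequenceNumber, Description, RestorePointType -AutoSize | Out-String | Write-Host
}

# --- 3. Changes, each gated by -WhatIf / -Confirm --------------------------------------
if ($DisableRestore -and $PSCmdlet.ShouldProcess("$policyKey\DisableSR", 'set to 1')) {
    Set-RestorePolicyValue -Name 'DisableSR' -Value 1
}
if ($HideConfigUI -and $PSCmdlet.ShouldProcess("$policyKey\DisableConfig", 'set to 1')) {
    Set-RestorePolicyValue -Name 'DisableConfig' -Value 1
}
if ($PurgeRestorePoints) {
    foreach ($s in $shadows) {
        if ($PSCmdlet.ShouldProcess("shadow copy $($s.ID) on $($s.VolumeName)", 'delete')) {
            $s.Delete() | Out-Null   # same effect as "vssadmin delete shadows /shadow=<ID>"
        }
    }
}
```

Run it without switches to audit only; `.\Restore-Audit.ps1 -DisableRestore -PurgeRestorePoints -WhatIf` shows what would change, and dropping `-WhatIf` applies it. Purging the shadow copies is the answer to "delete the restore points": once they are gone nothing can be restored from them, which is what you want after cleaning a machine whose restore points were taken while it was infected. Once the cleanup is finished, remove the `DisableSR` value again (`Remove-ItemProperty`) so that fresh restore points are created.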
Answer accepted by question author
  1. Anonymous
    2009-11-10T00:18:00+00:00

    Hi,

    As best I know you have to use a Rootkit remover to stop it.

    No, UnHackMe is a trial, use the others if needed.

    The event viewer does not list the codes, it might list the event by time, and associated drivers or programs.

    The Nirsoft tool lists the BCCodes as you saw.

    Adjusting the amount of disk space System Restore uses to hold restore points

    http://bertk.mvps.org/html/diskspacev.html

    How To Change How Much Space System Restore Can Use

    http://www.vistax64.com/tutorials/76227-system-restore-disk-space.html

    http://www.petri.co.il/change_amount_of_disk_space_used_by_system_restore_in_vista.htm

    Vssadmin ShadowStorage Commands

    http://technet.microsoft.com/en-us/library/cc755866(WS.10).aspx

    http://technet2.microsoft.com/windowsserver/en/library/89d2e411-6977-4808-9ad5-476c9eaecaa51033.mspx?mfr=true

    Windows Vista System Restore Guide

    http://www.bleepingcomputer.com/tutorials/tutorial143.html

    Hope this helps.


    Rob - Bicycle - Mark Twain said it right.


8 additional answers

  1. Anonymous
    2009-11-09T18:17:09+00:00
  2. Anonymous
    2009-11-09T18:15:51+00:00

    Hi,

    Look in the Event Viewer to see if anything is reported about those reboots.

    http://www.computerperformance.co.uk/vista/vista_event_viewer.htm


    Also do this so you can see the likely bluescreens.

    Windows Vista automatically restarts if your PC encounters an error that causes it to crash.

    http://www.winvistatips.com/disable-automatic-restart-t84.html


    Here are some methods to possibly fix the blue screen issue. If you could give the Blue Screen info that would help, such as the BCC and the other 4 entries on the lower left, and any other error information such as STOP codes and info such as IRQL_NOT_LESS_OR_EQUAL or PAGE_FAULT_IN_NONPAGED_AREA and similar messages.

    As examples :

    BCCode: 116

    BCP1: 87BC9510

    BCP2: 8C013D80

    BCP3: 00000000

    BCP4: 00000002

    or in this format :

    Stop: 0x00000000 (oxoooooooo oxoooooooo oxooooooooo oxoooooooo)

    tcpip.sys - Address 0x00000000 base at 0x000000000 DateStamp 0x000000000

    This is an excellent tool for posting Blue Screen Error Information

    BlueScreenView scans all your minidump files created during 'blue screen of death' crashes, and displays the information about all crashes in one table - Free

    http://www.nirsoft.net/utils/blue_screen_view.html

    Many BlueScreens are caused by old or corrupted drivers, especially video drivers however there are other causes.

    You can do these in Safe Mode if needed or from Command Prompt from Vista DVD or Recovery Options if your system has that installed by the maker.

    This tells you how to access the System Recovery Options and/or from a Vista DVD

    http://windowshelp.microsoft.com/Windows/en-US/Help/326b756b-1601-435e-99d0-1585439470351033.mspx

    You can try a System Restore back to a point before the problem started if there is one.

    How to Do a System Restore in Vista

    http://www.vistax64.com/tutorials/76905-system-restore-how.html


    Start - type this in Search Box ->  COMMAND   find at top and RIGHT CLICK  -  RUN AS ADMIN

    Enter this at the prompt - sfc /scannow

    How to analyze the log file entries that the Microsoft Windows Resource Checker (SFC.exe) program generates in Windows Vista cbs.log

    http://support.microsoft.com/kb/928228

    The log might give you the answer if there was a corrupted driver. (Does not tell all the possible driver issues).

    Also run CheckDisk so we can rule out corruption as much as possible.

    How to Run Check Disk at Startup in Vista

    http://www.vistax64.com/tutorials/67612-check-disk-chkdsk.html


    Often updating drivers will help, usually Video, Sound, Network Card (NIC), WiFi, 3rd party keyboard and mouse, as well as other major device drivers.

    Manually look at manufacturer's sites for drivers - and Device Maker's sites.

    http://pcsupport.about.com/od/driverssupport/ht/driverdlmfgr.htm

    How to Install a Device Driver in Vista Device Manager

    http://www.vistax64.com/tutorials/193584-device-manager-install-driver.html

    How To Disable Automatic Driver Installation In Windows Vista - Drivers

    http://www.addictivetips.com/windows-tips/how-to-disable-automatic-driver-installation-in-windows-vista/

    http://technet.microsoft.com/en-us/library/cc730606(WS.10).aspx


    How to fix BlueScreen (STOP) errors that cause Windows Vista to shut down or restart unexpectedly

    http://support.microsoft.com/kb/958233

    Troubleshooting Vista Blue Screen, STOP Errors

    http://www.chicagotech.net/vista/vistabluescreen.htm

    Understanding and Decoding BSOD (blue screen of death) Messages

    http://www.taranfx.com/blog/?p=692

    Windows - Troubleshooting Blue Screen Errors

    http://kb.wisc.edu/page.php?id=7033


    In some cases this might be required.

    StartUp Repair from Recovery Options or Vista disk

    How to do a Startup Repair

    http://www.vistax64.com/tutorials/91467-startup-repair.html

    This tells you how to access the System Recovery Options and/or from a Vista DVD

    http://windowshelp.microsoft.com/Windows/en-US/Help/326b756b-1601-435e-99d0-1585439470351033.mspx

    Hope this helps.


    Rob - Bicycle - Mark Twain said it right.

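An added example for the bonus question (editor's code, not from the thread, NirSoft or Microsoft): after a reboot from a crash, Windows writes the STOP code and its four parameters to the System event log as the event ID 1001 "The computer has rebooted from a bugcheck" entry, so the same numbers BlueScreenView shows can be read with PowerShell and no debugger. It assumes Vista or later with PowerShell 2.0 or newer (for Get-WinEvent). The function names, the partial bug-check name table and the sample message are this example's own; a code that is not in the table is printed as a raw number.

```powershell
# Added example (editor's own). Assumes Windows Vista or later with PowerShell 2.0+.
# Function names, the code table and the sample message below are this example's own.

# Partial table of bug-check codes (hypothetical subset; anything else prints as UNKNOWN).
$BugCheckNames = @{
    0x0000000A = 'IRQL_NOT_LESS_OR_EQUAL'
    0x0000001E = 'KMODE_EXCEPTION_NOT_HANDLED'
    0x00000024 = 'NTFS_FILE_SYSTEM'
    0x00000050 = 'PAGE_FAULT_IN_NONPAGED_AREA'
    0x0000007E = 'SYSTEM_THREAD_EXCEPTION_NOT_HANDLED'
    0x0000007F = 'UNEXPECTED_KERNEL_MODE_TRAP'
    0x0000009F = 'DRIVER_POWER_STATE_FAILURE'
    0x000000D1 = 'DRIVER_IRQL_NOT_LESS_OR_EQUAL'
    0x000000F4 = 'CRITICAL_OBJECT_TERMINATION'
    0x00000116 = 'VIDEO_TDR_FAILURE'
}

function ConvertFrom-BugCheckMessage {
    # Pulls the STOP code, its four parameters and the dump path out of an event 1001 message.
    param([Parameter(Mandatory = $true)][string]$Message)
    $m = [regex]::Match($Message, 'bugcheck was:\s*(0x[0-9A-Fa-f]+)\s*\(([^)]*)\)', 'IgnoreCase')
    if (-not $m.Success) { return $null }          # some other source's event 1001
    $code   = [int]$m.Groups[1].Value                # PowerShell parses "0x7e" style strings
    $params = @($m.Groups[2].Value -split ',' | ForEach-Object { $_.Trim() })
    $name   = $BugCheckNames[$code]
    if (-not $name) { $name = 'UNKNOWN (look the code up in the Bug Check Code Reference)' }
    $dump = [regex]::Match($Message, 'saved in:\s*(\S+)', 'IgnoreCase')
    New-Object PSObject -Property @{
        Code       = ('0x{0:X8}' -f $code)
        Name       = $name
        Parameters = $params
        DumpFile   = $(if ($dump.Success) { $dump.Groups[1].Value.TrimEnd('.') } else { $null })
    }
}

function Get-RecentBugChecks {
    # Reads event 1001 entries from the System log and decodes the ones that are bug checks.
    param([int]$MaxEvents = 10)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $info = ConvertFrom-BugCheckMessage -Message $e.Message
        if ($info) { $info | Add-Member -MemberType NoteProperty -Name When -Value $e.TimeCreated -PassThru }
    }
}

function Get-MinidumpFiles {
    # The files BlueScreenView reads, newest first.
    $dir = Join-Path $env:SystemRoot 'Minidump'
    if (Test-Path -Path $dir) { Get-ChildItem -Path $dir -Filter *.dmp | Sort-Object LastWriteTime -Descending }
}

# Constructed sample message in the shape Windows writes, so the parser can be tried offline.
$sample = 'The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 ' +
          '(0xfffff88003b2a000, 0x0000000000000000, 0xfffff80002c5e6f1, 0x0000000000000005). ' +
          'A dump was saved in: C:\Windows\Minidump\110909-12345-01.dmp. Report Id: 110909-12345-01.'
ConvertFrom-BugCheckMessage -Message $sample | Format-List Code, Name, Parameters, DumpFile

# Then the real thing from this machine's System log and Minidump folder.
Get-RecentBugChecks | Format-Table When, Code, Name, DumpFile -AutoSize
Get-MinidumpFiles   | Format-Table Name, LastWriteTime, Length -AutoSize
```

The sample decodes to code `0x00000050`, name `PAGE_FAULT_IN_NONPAGED_AREA` and the four parameters in order, which is the same "BCCode / BCP1..BCP4" set the answer above asks for. Event ID 1001 is also used by other sources, so the parser returns nothing for entries that are not bug checks rather than misreading them.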
  3. Anonymous
    2009-11-09T18:14:58+00:00

    Hi,

    Disable System Restore in Windows 7 or Vista

    http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/


    Cookie? I should get a whole cake!

    BlueScreenView scans all your minidump files created during 'blue screen of death' crashes, and displays the information about all crashes in one table - Free

    http://www.nirsoft.net/utils/blue_screen_view.html

    Look in the Event Viewer.

    http://www.computerperformance.co.uk/vista/vista_event_viewer.htm


    Boot into Safe Mode - repeatedly tap F8

    PEV.exe is a Root-kit so use Root-Kit Revealer and UnHackMe (see below). (Be sure to check thoroughly as PEV.exe often has other malware in its infection package.)

    Download malwarebytes and scan with it, run MRT, and add Prevx to be sure it is gone. (If Rootkits run UnHackMe)

    Download - SAVE - go to where you put it - Right Click on it - RUN AS ADMIN

    Malwarebytes - free

    http://www.malwarebytes.org/

    Run the Microsoft Malicious Removal Tool

    Start - type in Search box -> MRT  find at top of list - Right Click on it - RUN AS ADMIN.

    You should be getting this tool and its updates via Windows Updates - if needed you can download it here.

    Download - SAVE - go to where you put it - Right Click on it - RUN AS ADMIN

    (Then run MRT as above.)

    Microsoft Malicious Removal Tool - 32 bit

    http://www.microsoft.com/downloads/details.aspx?FamilyID=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

    Microsoft Malicious Removal Tool - 64 bit

    http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

    also install Prevx to be sure it is all gone.

    Download - SAVE - go to where you put it - Right Click on it - RUN AS ADMIN

    Prevx - Home - Free - small, fast, exceptional CLOUD protection, works with other security programs. This is a scanner only, VERY EFFECTIVE, if it finds something come back here or use Google to see how to remove.

    http://www.prevx.com/   <-- information

    http://info.prevx.com/downloadcsi.asp  <-- download

    PCmag - Prevx - Editor's Choice

    http://www.pcmag.com/article2/0,2817,2346862,00.asp


    If needed here are some online free scanners to help

    http://www.eset.com/onlinescan/

    http://www.kaspersky.com/virusscanner

    Other Free online scans

    http://www.google.com/search?hl=en&source=hp&q=antivirus+free+online+scan&aq=f&oq=&aqi=g1


    Also do these to cleanup general corruption and repair/replace damaged/missing system files.

    Run DiskCleanup - Start - All Programs - Accessories - System Tools - Disk Cleanup

    Start - type this in Search Box ->  COMMAND   find at top and RIGHT CLICK  -  RUN AS ADMIN

    Enter this at the prompt - sfc /scannow

    How to analyze the log file entries that the Microsoft Windows Resource Checker (SFC.exe) program generates in Windows Vista cbs.log

    http://support.microsoft.com/kb/928228

    Run checkdisk - schedule it to run at next start and then Apply OK your way out then restart.

    How to Run Check Disk at Startup in Vista

    http://www.vistax64.com/tutorials/67612-check-disk-chkdsk.html

    ==========================================

    For Root-kits :

    SpyDLL Remover - Free

    http://securityxploded.com/spydllremover.php

    Advanced Windows Service Manager

    http://securityxploded.com/winservicemanager.php

    Run Rootkit Revealer - Free

    http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

    UnHackme - trial

    http://www.greatis.com/unhackme/

    This tells you how to use UnHackme and has a link to version 2.5 - use it as a guideline; the current version available as above is 5.5

    http://safecomputing.umn.edu/guides/scan_unhackme.html

    IceSword - Free

    http://www.antirootkit.com/software/IceSword.htm

    Instructions and Pictorial

    http://securityxploded.com/icesword.php

    Tutorial for using IceSword

    http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://soft.zol.com.cn/2004/0803/145163.shtml&prev=/search%3Fq%3Dicesword%26hl%3Den%26lr%3D

    Hope this helps.


    Rob - Bicycle - Mark Twain said it right.

  4. Anonymous
    2009-11-09T15:13:32+00:00
