
How to Remove Malware from System Volume Information Folders.

Every internet-connected computer gets infected by malware at some point, and I’ve yet to find a single Windows user who has spent a year or more on the same computer and can honestly say that they’ve never had a malware infection. Windows is targeted by most malware: That’s the simple fact.

Fortunately there are a number of programs, some paid-for and some free, that disinfect malware infections, remove spyware and viruses, root out rootkits, and generally clean up an infected system. Although you can never be 100 percent sure after a malware infection that your system has been fully restored to its original, infection-free, pristine state, there’s always a good chance that it’s fairly close to being so.

There is one place, though, where malware likes to lurk on a Windows system in the hope of re-activation at a later date, and it’s a place where many programs find it hard to capture the malware and eradicate it: the System Volume Information folders.

The System Volume Information folders record a snapshot of the system state and the registry whenever a System Restore Point is created, either automatically by the system or manually by the user. If there’s malware on your system at the time a System Restore Point is created, its registry key will be recorded, along with details of the process, and stored in the System Volume Information folder for possible future reactivation.

System Restore is a process rather than an intelligence: It doesn’t discern between programs, it doesn’t have a preference, and it has no ability to think “That’s malware: I won’t include that in the restore point.” It just does what it’s programmed to do: take a snapshot of your system at a given time and record it. Therefore any malware that’s resident on your disk will be recorded along with everything else, and its registry key will be recorded along with every other registry key.

At times an anti-virus or anti-malware program might notice that a registry key of a malware process that is known to it and that it recognises is residing in a System Volume Information folder. It might also see the same key in your actual registry too. It deletes the key in your registry; but has trouble accessing the copy of the key stored in your System Volume Information folder. It reports that it can’t eliminate that entry, and may ask you to reboot the computer so that it can get to the entry before Windows locks it again. This may or may not be effective: Your anti-malware program may report that it was unable to delete the infection in C:\System Volume Information…

Well naturally the last thing you want is a malware infection hanging around waiting to reactivate itself in the case that you ever need to do a system restore. Your regular anti-malware program won’t clear it. You might try an online scan; but that might not clear it either; and so you’re left with a potential malware-infection on your system – triggered and reactivated whenever you do your next system restore. Fan-bloody-tastic!

But there’s good news and bad news: There is a way to get rid of it, and it’s pretty simple. The bad news is that you’ll lose all the restore points that you or your system have generated along the way up until then. Unfortunately, that’s the price you’ll have to pay.

How to do it:

The following was done in Windows XP.

Right-click on the My Computer icon and click Properties in the drop-down box that appears.

Click on the System Restore tab. Check which drive the anti-malware program found the malware on inside the System Volume Information folder and single-click on the appropriate drive letter in the Available drives window inside the dialog box. Click the Settings button to the right. Put a check in “Turn off System Restore on this drive”.

Before you do anything else you’ll notice that the slider below is set by default to use 12% of your drive. That’s a ridiculous amount of space to store restore points if you ask me. 6% is probably quite enough, so set the slider to 6%.

(Screenshot: the System Restore tab.)

Click OK. Windows will instantly warn you: “You have chosen to turn off System Restore on this drive. If you continue, you will not be able to track or undo harmful changes on this drive. Do you want to turn off System Restore on this drive?”

You have no choice under the circumstances: Click Yes.

Now highlight the same drive in the Available drives window in the dialog box and click the Settings button. Remove the check from the Turn off System Restore on this drive checkbox and click OK.

(Screenshot: the slider set to 6% from 12%.)

Click OK again at the bottom of the dialog box. Windows should immediately create a Restore Point for the contents of that drive, but without the malware in it, provided that you or your anti-malware program removed the malware infection from your system and the malware infection’s key from the registry.
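The same disable, re-enable and re-snapshot sequence can be scripted, which is handy when the infection was found on several drives or on several machines. The script below is an added example, not the author’s own code or a Microsoft tool: it assumes Windows XP SP3 with Windows PowerShell 2.0 installed, an administrator session, and the SystemRestore WMI class that XP exposes in the root\default namespace. The drive letter, the restore point description and the helper name Reset-RestorePoints are placeholders I chose for the example.

```powershell
# Added example (not from the original post): scripted version of the
# "turn System Restore off, turn it back on, take a clean snapshot" steps.
# Assumes Windows XP SP3, PowerShell 2.0, an administrator session, and the
# SystemRestore WMI class in root\default. Run it only AFTER the anti-malware
# program has removed the infection and its registry key, otherwise the new
# snapshot records the malware again.

function Show-RestorePoints {
    param([string]$Label)
    # Each instance of the SystemRestore class is one restore point.
    $points = @(Get-WmiObject -Namespace root\default -Class SystemRestore)
    "{0}: {1} restore point(s)" -f $Label, $points.Count
    $points | ForEach-Object { "  #{0}  {1}" -f $_.SequenceNumber, $_.Description }
}

function Reset-RestorePoints {
    param(
        [string]$Drive = "C:\"   # placeholder: the drive whose System Volume Information folder was infected
    )
    $sr = [wmiclass]"root\default:SystemRestore"

    # Show what is about to be discarded so the loss is a conscious choice.
    Show-RestorePoints -Label "Before reset"

    # Step 1: disabling System Restore on the drive deletes every restore point
    # stored in its System Volume Information folder, infected snapshots included.
    $r = $sr.Disable($Drive)
    if ($r.ReturnValue -ne 0) { throw "Disable failed on $Drive (code $($r.ReturnValue))" }

    # Step 2: re-enable it and wait until the service reports it is back on.
    $r = $sr.Enable($Drive, $true)
    if ($r.ReturnValue -ne 0) { throw "Enable failed on $Drive (code $($r.ReturnValue))" }

    # Step 3: take a fresh snapshot of the now-clean system.
    # 0 = APPLICATION_INSTALL restore point type, 100 = BEGIN_SYSTEM_CHANGE event.
    $r = $sr.CreateRestorePoint("Clean restore point after malware removal", 0, 100)
    if ($r.ReturnValue -ne 0) { throw "CreateRestorePoint failed (code $($r.ReturnValue))" }

    # Only the new restore point should remain for this drive.
    Show-RestorePoints -Label "After reset"
}

# Usage: Reset-RestorePoints -Drive "D:\"
Reset-RestorePoints -Drive "C:\"
```

The drive string needs the trailing backslash, which is the form the SystemRestore class expects. PowerShell 2.0 also ships the Disable-ComputerRestore, Enable-ComputerRestore and Checkpoint-Computer cmdlets, which wrap the same WMI class; the script calls the class directly so the return codes of each step can be checked before moving on.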

Target neutralised: The malware is no more. You have only one very recent Restore Point for that drive, or for those drives if you had to do it on more than one drive; but the malware is dead, eradicated, exterminated, removed totally.

Any comment(s)?


  • Dave Woodbridge
    Hi. I read your article with interest and this is exactly what has happened to me. I have had unsolicited dealings with Platte International which appears to have left malware on my System Volume Information which McAfee cannot remove. I started to follow your steps but have Windows XP home which is different to the steps you showed for XP Professional. I am afraid my IT skills are limited - can you advise me of the process for XP Home?

    Dave
  • Sarah Palin
    If you get malware, at all, you cannot claim to be advanced with computers in any way at all. You think *everybody* gets malware? That just shows how clueless you are.
  • Anyone who claims that they are immune from malware, as it appears that you do, Sarah Synapse Syndrome, are deluded and probably infested with it. I suggest that you try running AdAware as a first step.

    Incidentally, I preserved your online biography that was written a number of years ago by the Kadaitcha Man.

    http://www.kustomkomputa.co.uk/Synapse_Syndrome...

    What was that you were saying about "clueless"?