Unable to remove Win32/Toolbar from system restore.

[fry hole]

 Hi, another forum has been helping me remove Win32/Toolbar with the use of ComboFix, AdwCleaner, RogueKiller, Malwarebytes, HijackThis!, ESET online, and of course I used Avast. As far as I can tell they've helped me remove most of it, but seem to be unable to remove it from system restore.

 Avast continually picks this up on a boot time scan.

File C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0001480.rbf|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen, Delete: Error 42111 {The operation is not supported for this type of archive.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0001480.rbf|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 0xC0000034 {Object Name not found.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
Number of searched folders: 33326
Number of tested files: 757317
Number of infected files: 2


 The uninstallation of Combofix doesn't seemed to have gotten rid of it when the new restore point was created. Deleting the old system restore points, and then running the boot time scan again also didn't help, nor did turning off system restore, and trying again.

 I would appreciate any help you can offer me. Thanks.

[DavidR]

Why can't it be removed, e.g. what error is given ?

The boot-time scan isn't something to be used for routine scans.

There is nothing stopping you from doing a manual clear out of the system restore restore points, this however, would clear all restore points.

- The C:\System Volume Information folder is a part of the system restore function and as such is protected by windows, the only really effective way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and if clear enable system restore.
Windows XP - How to disable http://www.howtogeek.com/forum/topic/how-to-disable-the-system-restore
Windows Vista, win7 Disable System Restore http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/.

[fry hole]

 Hi David,

 I used the normal scan initially, but afterwards, Avast prompts me to do a boot time scan, which I did. The normal scan picks up nothing, but the boot time scan picks up what I posted earlier.

 The errors given are: Delete: Error 42111 {The operation is not supported for this type of archive.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.} for both files, from within the boot time scan.

 I've tried to disable system restore, and reboot, this clears the old restore points out, but when I run Avast again, it recommends a boot time scan, after the initial scan, and the boot time scan finds those two infected files in system restore each time. In other words, even when I disable system restore and reboot, a new scan still finds those files.

[DavidR]

The problem is that avast can't extract the infected file from within the archive and put it back together without the likelihood of corrupting the whole archive. System Restore being disabled should have removed those two files, I don't know why it hasn't, something else you can try, see #### below.

You can change the settings in your scan so if avast can't extract from the archive it does nothing, move to the second option, 'Try to remove the packed file; if it fails, remove the whole containing archive' see image.

Only true viruses can be repaired, e.g. the small part injected into an executable file, trojans and non-virus infections can't be repaired as the whole content is considered malicious.

What is avast recommending a boot time scan for (after you have disabled system restore and rebooted), e.g that must mean you have had a detection, what was that ?

####
Create a clean System Restore point (System Restore has to be enabled obviously):
1. Click Start, All Programs, Accessories, System tools, System Restore.
2. In the pop-up that appears fill in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
5. Click CREATE

You now have a clean restore point, you should clear the old ones:
1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button

[fry hole]

 Avast did pick up an infection during a normal scan called a0000022.exe, and labeled as Win32:Malware-gen. It deleted that, and then recommended a boot time scan. It found the two files I mentioned earlier on the boot time scan. I then tried to clear out the old system restore points by turning off system restore, and rebooting. I then ran another boot time scan, and Avast picked up the two files again. I then tried to clear out the old system restore points by making a new system restore point, and using disk cleanup to remove the old ones, as mentioned in your last post. After that, I ran another boot time scan, but Avast still finds those same two files. It appears as if the old system restore points are not being removed?

[DavidR]

That looks like a restore point, system restore renames files in that way and retains the original file type (.exe in this case).

There is certainly something wrong on your system as restore points shouldn't survive either of the methods suggested.

What operating system do you have ?
I don't know if this might be a permissions thing not allowing you to do it, so you could try clearing them from an account that has administrator privileges.

Edit: Check out this search and see if anything relating to your operating system helps, uk.search.yahoo.com/search?p=system+restore+points+not+cleared+when+system+restore+disabled

[fry hole]

 I've actually been doing all of this them from the Administrator account, and always get the same results. Operating system is Vista. I don't see anything in that search that stands out for me. This is starting be become very frustrating. It makes me not want to use my computer until this is fixed. It's been about a week now.

[DavidR]

You didn't answer the question on your OS ?

I don't understand why it 'clearly' isn't working, now I know there is a system restore 'system volume information' folder for each drive, I don't know if that also extends to for each user (but I rather think not).

Have you done as suggested before and change the avast settings so that it will remove the archive if it can't extract the file (reply #3 above and see attached image) ?

I don't know where you were getting help for the Win32/Toolbar from system restore. So I don't know if these tools may have messed up the system restore function.

[fry hole]

 OS is Windows Vista.

 I changed the settings in the scan to remove the archive if it can't extract the file, but this setting appears to only be available for a normal scan, not a boot time scan?

 Avast no longer finds any infection during a regular scan, whether I tell it to remove the archive or not. It DOES however, find the same infected files in system restore when I run a boot time scan.

 The infected files are found each time I run a boot time scan.

[fry hole]

 Here is the link to the thread on the other forum that helped me. I followed these instructions exactly.

http://www.bleepingcomputer.com/forums/topic482598.html

[DavidR]

OS is Windows Vista.

 I changed the settings in the scan to remove the archive if it can't extract the file, but this setting appears to only be available for a normal scan, not a boot time scan?

 Avast no longer finds any infection during a regular scan, whether I tell it to remove the archive or not. It DOES however, find the same infected files in system restore when I run a boot time scan.

 The infected files are found each time I run a boot time scan.

But didn't you run a normal scan and this is where they were first found, weird that they aren't detected now ?

Still my biggest concern is why system restore fails to clear all restore points when disabled or clear old restore points when told to do so. I don't know why that is and I have never used Vista.

Here is the link to the thread on the other forum that helped me. I followed these instructions exactly.

http://www.bleepingcomputer.com/forums/topic482598.html

Sorry I'm not a malware removal specialist, so I can't say one way or another and the malware removal specialists that help on this forum wouldn't want to be crossing sites to gather information.

[DavidR]

I have asked a malware removal specialist to have a look at this topic and see if he can get to the bottom of the inability to remove these restore points.

[essexboy]

Hi could you run an OTL scan for me please

Download OTL  to your Desktop
Secondary link

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Post  both logs

[fry hole]

 Hi, here are the logs you've requested.

[essexboy]

OK when this run has completed disable system restore on all drives.
Reboot and then reset system restore

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
[2013/01/21 20:35:34 | 000,365,568 | ---- | M] () -- C:\Users\2GuNz4U\Desktop\pekt1lzv.exe
[2011/06/05 19:36:46 | 000,000,160 | ---- | C] () -- C:\ProgramData\~32366328r
[2011/06/05 19:36:45 | 000,000,136 | ---- | C] () -- C:\ProgramData\~32366328
[2011/04/24 03:40:24 | 000,014,198 | -HS- | C] () -- C:\Users\2GuNz4U\AppData\Local\257dc5kfcah0k7mbio37

:Reg
[HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-3904332279-1765060928-1334948763-1000\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.