Once the system is clean you're still infected I'll tell you why!!

Oh NO!!!

XP's system restore appears to restore these files after
it has swept the system and "removed" baddies.

If the files are within System directories, if they are
removed by AntiSpyware programs of ANY type, next time you
restart your machine they will come back.

MAKE SURE - You either turn system restore off > right
click my computer properties, system restore or restart
your machine in safe mode before running the program.

Your machine will never be clean if you don't do this!

Hope this is helpful!
 
Bill Sanderson

NO--DO NOT do this.

I can imagine the evidence that is leading you to this conclusion, but it is
absolutely not true.

Files in the System Restore data store are not executable unless you choose
to restore them via the System Restore user interface on your machine.
Virus, spyware, etc, are absolutely no threat whatsoever in that storage
area, unless you choose to restore an infected store point.

If your machine crashes in a way requiring the use of System Restore to
regain control, wouldn't you prefer a restore point, spyware and all, to a
complete reinstall, perhaps involving a format and loss of all user data, as
would be the case with the recovery CDs available to many OEM customers?

If you are seeing persistent reinfection, please restart in safe mode, and
do full scans until one comes through clean.
 
OhNo...

Obviously Bill I meant turn it back on when you have
finished. ;0) but from the things that I have done
certainly do seem to lead me to this conclusion...... I
have used MS Anti Beta, Adaware Pro and Hijackthis along
with manual viewing of the registry and killing processes
off using sysinternals process explorer and even though my
system is clean (and clean of viruses) they still come
back even when I have restarted the machine unconnected to
the internet.... sorry if my conclusion is incorrect but
it seemed to resolve my problem turning the system restore
off for the purposes of the scan then turn it back on
again... works for me... but as we have both mentioned
Safe Mode is definitely the best bet.

Cheers Bill,

Rich
 
Bill Sanderson

Yes--I do understand how you might think that, but turning SR off deletes
all restore points, leaving you without a safety net.

The best course of action I think is to get the machine clean and stable,
and THEN delete the old (probably infected) restore points and create a new
one.

Infections coming back after what looks like a successful cleaning are
definitely a problem--both in terms of the program giving a confusing message
(it said it was clean, but.....) and in terms of the user knowing what to do
to get clean. Safe mode is the next step--something has been left uncleaned
because it was "in use" which should have been cleaned, and safe mode makes
it easier to get at that stuff in many, but not all cases.
 
