sytem restore infected - cleaned, but have a question

[niteowl]

Hi all,

My anti virus program detected an virus on my system, in my Program Files,
and in the System Restore Information folder.

I manually deleted the infected files and associated program, and when I
tried to access the System Restore Information folder, got an error message
saying it was accessible.

I went into the folder properties, added "Everyone" temporarily, and gained
access, deleted the offending files, but now have a couple of questions.

All other "RP**" folders appear in blue font color, except for the one that
had the infected files. What does that signify?

Is it safe to, and/or should I just delete the entire folder that I removed
these files from? (RP43) the previous folder is RP38. Up to that point all
folders are numbered sequentially.. how come it skipped from RP38 to RP 43??

thanks,
niteowl

 

[Malke]

Hi all,

My anti virus program detected an virus on my system, in my Program
Files, and in the System Restore Information folder.

I manually deleted the infected files and associated program, and when
I tried to access the System Restore Information folder, got an error
message saying it was accessible.

I went into the folder properties, added "Everyone" temporarily, and
gained access, deleted the offending files, but now have a couple of
questions.

All other "RP**" folders appear in blue font color, except for the one
that
had the infected files. What does that signify?

Is it safe to, and/or should I just delete the entire folder that I
removed
these files from? (RP43) the previous folder is RP38. Up to that
point all folders are numbered sequentially.. how come it skipped from
RP38 to RP 43??

See the "After the machine is clean" section here for how to deal with
System Restore after removing malware:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

Malke

 

[Bert Kinney]

Hi all,

My anti virus program detected an virus on my system, in my Program Files, and
in the System Restore Information folder.

I am assuming you are refering to the (SVI) System Volume Information folder
where the restore points are stored.

I manually deleted the infected files and associated program, and when I tried
to access the System Restore Information folder, got an error message saying
it was accessible.

Yes, this is a super hidden folder, for good reason.

I went into the folder properties, added "Everyone" temporarily, and gained
access, deleted the offending files, but now have a couple of questions.

This is not a good idea because is will most likely cause restore point
corruption.

All other "RP**" folders appear in blue font color, except for the one that
had the infected files. What does that signify?

The blue color folders are compressed. The most recent restore point folder(s)
may not normally be compressed right away.

Is it safe to, and/or should I just delete the entire folder that I removed
these files from? (RP43) the previous folder is RP38. Up to that point all
folders are numbered sequentially.. how come it skipped from RP38 to RP 43??

Once the system is clean of infection it is time to purge the restore points. A
good way to do this is to create one new restore point then use Disk Clean-up
with the System Restore option. This will purge all existing except the most
recent restore point, the one you just created.

How to using Disk Clean-up to remove restore points:
http://bertk.mvps.org/html/diskclean.html

 

[Niteowl]

Thanks,

will let you know how it goes..

niteowl

 

[Niteowl]

thanks,

I do most of the things suggested from this link, but did learn a few new
things.. will try them out and let you know how it goes.

niteowl