Virus in system restore

Guest

How do I remove a file infected by a virus from within the system restore
directory?

I received an email the other day that was a .zip file. I downloaded it to
my PC and virus scanned it using Sophos. It said that it had scanned 3 items
and they were OK. So I unzipped the file. It unzipped 5 files and immediately
told me that one of the files was a .exe that was infected with a virus. I
immediately deleted all the files, without running any of them and cleared my
wastebasket. It can't have been on my disk for more than a minute. I thought
I had sorted the problem.

The next day, the scheduled disk scan kicked in, and said I had a copy of
this virus in the directory that stores my restore points. I tried to go to
the directory, but even though I am an administrator on that PC, it wouldn't
let me go into the directory.

I was unsure what to do, but was determined to get rid of this thing.
Therefore, I switched off system restore, so it deleted all the files in the
directory. I scanned the directory and it said it was OK. I then switched
system restore back on, and when it had done that, I scanned the whole disk,
and it said I was OK.

But system restore is there for precisely this sort of situation - where
your PC is damaged and you want to go back to an undamaged state.

What should I have done, that would have got rid of this file, without
getting rid of all my restore points?

Cheers

Eric
 
Alias

Eric said:
How do I remove a file infected by a virus from within the system restore
directory?

I received an email the other day that was a .zip file. I downloaded it to
my PC and virus scanned it using Sophos. It said that it had scanned 3 items
and they were OK. So I unzipped the file. It unzipped 5 files and immediately
told me that one of the files was a .exe that was infected with a virus. I
immediately deleted all the files, without running any of them and cleared my
wastebasket. It can't have been on my disk for more than a minute. I thought
I had sorted the problem.

The next day, the scheduled disk scan kicked in, and said I had a copy of
this virus in the directory that stores my restore points. I tried to go to
the directory, but even though I am an administrator on that PC, it wouldn't
let me go into the directory.

I was unsure what to do, but was determined to get rid of this thing.
Therefore, I switched off system restore, so it deleted all the files in the
directory. I scanned the directory and it said it was OK. I then switched
system restore back on, and when it had done that, I scanned the whole disk,
and it said I was OK.

But system restore is there for precisely this sort of situation - where
your PC is damaged and you want to go back to an undamaged state.

What should I have done, that would have got rid of this file, without
getting rid of all my restore points?

Cheers

Eric

You should have used your AV program to delete it and you should have
done it in Safe Mode.

Alias

Use the Reply to Sender feature of your news reader program to email me.
Use Reply to Sender to send me an email.
 
Malke

Eric said:
How do I remove a file infected by a virus from within the system
restore directory?

I received an email the other day that was a .zip file. I downloaded
it to my PC and virus scanned it using Sophos. It said that it had
scanned 3 items and they were OK. So I unzipped the file. It unzipped
5 files and immediately told me that one of the files was a .exe that
was infected with a virus. I immediately deleted all the files,
without running any of them and cleared my wastebasket. It can't have
been on my disk for more than a minute. I thought I had sorted the
problem.

The next day, the scheduled disk scan kicked in, and said I had a copy
of this virus in the directory that stores my restore points. I tried
to go to the directory, but even though I am an administrator on that
PC, it wouldn't let me go into the directory.

I was unsure what to do, but was determined to get rid of this thing.
Therefore, I switched off system restore, so it deleted all the files
in the directory. I scanned the directory and it said it was OK. I
then switched system restore back on, and when it had done that, I
scanned the whole disk, and it said I was OK.

But system restore is there for precisely this sort of situation -
where your PC is damaged and you want to go back to an undamaged
state.

What should I have done, that would have got rid of this file, without
getting rid of all my restore points?

You did the right thing, although you could have made a new clean
Restore Point and then just deleted all the previous Restore Points
from Disk Cleanup's More Options tab.
Start>Run>cleanmgr [enter]

Malke
 
Steve N.

Alias said:
You should have used your AV program to delete it and you should have
done it in Safe Mode.

Alias

Use the Reply to Sender feature of your news reader program to email me.
Use Reply to Sender to send me an email.

A/V scans are unable to delete/disinfect viruses from restore points,
even in Safe Mode.

Steve N.
 
Alias

Steve said:
A/V scans are unable to delete/disinfect viruses from restore points,
even in Safe Mode.

Steve N.

Avast! does it.

Alias

Use the Reply to Sender feature of your news reader program to email me.
Use Reply to Sender to send me an email.
 
Guest

Thanks - the disk cleanup thing was the thing I was missing.

I really wanted to list all the restore points that I had, and just delete
the one(s) that had been created subsequent to this happening. Does disk
cleanup let me do this? Also, is it not listed on the 'programs' option?

Malke said:
Eric said:
How do I remove a file infected by a virus from within the system
restore directory?

I received an email the other day that was a .zip file. I downloaded
it to my PC and virus scanned it using Sophos. It said that it had
scanned 3 items and they were OK. So I unzipped the file. It unzipped
5 files and immediately told me that one of the files was a .exe that
was infected with a virus. I immediately deleted all the files,
without running any of them and cleared my wastebasket. It can't have
been on my disk for more than a minute. I thought I had sorted the
problem.

The next day, the scheduled disk scan kicked in, and said I had a copy
of this virus in the directory that stores my restore points. I tried
to go to the directory, but even though I am an administrator on that
PC, it wouldn't let me go into the directory.

I was unsure what to do, but was determined to get rid of this thing.
Therefore, I switched off system restore, so it deleted all the files
in the directory. I scanned the directory and it said it was OK. I
then switched system restore back on, and when it had done that, I
scanned the whole disk, and it said I was OK.

But system restore is there for precisely this sort of situation -
where your PC is damaged and you want to go back to an undamaged
state.

What should I have done, that would have got rid of this file, without
getting rid of all my restore points?

You did the right thing, although you could have made a new clean
Restore Point and then just deleted all the previous Restore Points
from Disk Cleanup's More Options tab.
Start>Run>cleanmgr [enter]

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
Malke

Eric said:
Thanks - the disk cleanup thing was the thing I was missing.

I really wanted to list all the restore points that I had, and just
delete the one(s) that had been created subsequent to this happening.
Does disk cleanup let me do this? Also, is it not listed on the
'programs' option?

No, you can't be selective about removing Restore Points. You can delete
them all by disabling System Restore (System applet in Control Panel,
System Restore tab), rebooting, enabling again. Or you can delete all
but the most recent Restore Point with Disk Cleanup. System Restore is
really best for fixing little immediate glitches. I wouldn't go back
longer than a week anyway. System Restore is no substitute for good
backups.

See MVP Bert Kinney's site about System Restore for more information:
http://bertk.mvps.org/index.html

Malke
 
Stuart

Have you deleted the original email? If you haven't deleted its contents
then you may find that your virus checker can only see the infected items
but not delete them.
 
Bert Kinney

Eric said:
How do I remove a file infected by a virus from within the system
restore directory?

Disabling System Restore on all partitions/drives should remove all
stored files, including the files containing infection. Using Disk
Cleanup to remove all but the latest restore point may not be the best
approach. The latest restore point is most likely where the infected
file will be located.

I received an email the other day that was a .zip file. I downloaded
it to my PC and virus scanned it using Sophos. It said that it had
scanned 3 items and they were OK. So I unzipped the file. It unzipped
5 files and immediately told me that one of the files was a .exe that
was infected with a virus. I immediately deleted all the files,
without running any of them and cleared my wastebasket. It can't have
been on my disk for more than a minute. I thought I had sorted the
problem.

The next day, the scheduled disk scan kicked in, and said I had a
copy of this virus in the directory that stores my restore points. I
tried to go to the directory, but even though I am an administrator
on that PC, it wouldn't let me go into the directory.

I was unsure what to do, but was determined to get rid of this thing.
Therefore, I switched off system restore, so it deleted all the files
in the directory. I scanned the directory and it said it was OK. I
then switched system restore back on, and when it had done that, I
scanned the whole disk, and it said I was OK.

But system restore is there for precisely this sort of situation -
where your PC is damaged and you want to go back to an undamaged
state.

System Restore was not designed to be an antivirus or malware removal
tool and should not be depended on to do so. A good up to date antivirus
application should have caught the virus before the email was opened. A
good antivirus application should have the ability to scan within zip
files.

What should I have done, that would have got rid of this file, without
getting rid of all my restore points?

I would suggest getting another antivirus application that has a
real-time scanner as discussed above, and set it to update daily.
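The flush that Malke and Bert describe (disable System Restore on every drive to discard all stored points, enable it again, then take a fresh clean point) scripted in Windows PowerShell. This is an added example, not from anyone in the thread; it assumes Windows Vista or later with the System Restore cmdlets (they are not available on the Windows XP systems discussed here) and an elevated session, and the restore point description is a constructed label.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Assumes Windows Vista+ and Windows PowerShell,
# where Get-ComputerRestorePoint, Disable-/Enable-ComputerRestore and
# Checkpoint-Computer exist; none of these are available on Windows XP.

# 1. List existing restore points, newest first, so the ones created after the
#    detection are visible. CreationTime is a WMI datetime string, so convert it.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Sequence = $_.SequenceNumber
            Created  = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Type     = $_.RestorePointType
            Name     = $_.Description
        }
    } | Format-Table -AutoSize

# 2. Restore points cannot be removed one at a time with these cmdlets, so the
#    thread's advice applies: disabling System Restore discards every stored point
#    (and the file copies inside them). Do it on every local fixed disk (DriveType 3).
$fixedDrives = Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 3" |
    ForEach-Object { "$($_.DeviceID)\" }

Disable-ComputerRestore -Drive $fixedDrives

# 3. Turn protection back on and create a known-clean baseline to roll back to later.
#    Run this only after a full scan of the live file system comes back clean.
Enable-ComputerRestore -Drive $fixedDrives
Checkpoint-Computer -Description "Clean baseline after malware cleanup" `
                    -RestorePointType MODIFY_SETTINGS
```

On Windows 8 and later, Checkpoint-Computer silently refuses to create a second point within 24 hours of the previous one unless that frequency limit has been changed, so the listing in step 1 is the way to confirm the baseline was actually written.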
 
Guest

I thought I had a decent virus checker. I use Sophos, which has a real time
scanner and is updated daily. It told me that it had scanned the three items
in the zip file and they were OK. But when I unzipped it, out popped five
items and Sophos immediately popped up saying that there was a virus in one
of them.

What I really can't understand is how the file got into a restore point so
fast. As soon as I got the warning, I deleted all the files, emptied all
wastebaskets etc. It was almost as if the restore point was operating as a
secondary wastebasket - that isn't how it works is it?

Thanks for the point about not relying on restore points older than a week -
it is a good reminder. In fact, the only time I wanted to use a restore point
it didn't work. It seems like they might be a nice idea, but need a bit more
development to become reliable?

Cheers

Eric
 
Steve N.

Alias said:
Avast! does it.

Alias

Ok, I'll take your word for it. Never used it. As a general rule though
the OS prevents any program from touching restore points.

Steve N.
 
Bert Kinney

Eric said:
I thought I had a decent virus checker. I use Sophos, which has a real
time scanner and is updated daily. It told me that it had scanned the
three items in the zip file and they were OK. But when I unzipped it,
out popped five items and Sophos immediately popped up saying that
there was a virus in one of them.

Some infection within zip files can be hard to detect. You may want to
send Sophos an email and see what they have to say.
Sophos - Technical support
http://www.sophos.com/support/

What I really can't understand is how the file got into a restore
point so fast. As soon as I got the warning, I deleted all the files,
emptied all wastebaskets etc. It was almost as if the restore point
was operating as a secondary wastebasket - that isn't how it works is
it?

Here's how it works. System Restore constantly monitors key system and
application file changes. Tracking these file changes is necessary to
fully restore the system to a particular state. This aspect of the
feature works to record and, if necessary, preserve a previous file
state, which enables the user to restore to a previous system state.
This change tracking will not interfere with the user's performance
experience.

To track and copy files before changes, System Restore uses a file
system filter driver that is at the kernel level (called Kernel Mode).
This kernel level filter driver monitors file system operations, and,
for select file types and operations, quickly interrupts an operation
(for example, DELETE FILE) and copies or moves the original file before
the operation is complete. The file changes are entered into a log, and
the file copies and logs are stored in an archive on the drive or
partition where the original file resided. Change-based file copying
happens once per specific file per system session or for any given
restore point.

I just did an experiment while monitoring the current restore point
folder (#96) in the System Volume Information folder to see when a file
is actually copied and written to disk in the restore point folder.

Test #1
1. Moved an exe file to the desktop: It did not show up in the restore
point (RP) folder.
2. Moved the exe file to the recycle bin: It did not show up in the RP
folder.
3. Emptied the Recycle Bin: The exe file was written to the RP folder.
4. Created a new restore point and checked the RP folder (#96): the
file was still there, and a new restore point folder was created (#97).

Test #2
1. Moved an exe file to the desktop: It did not show up in the most
current (RP) folder #97.
2. Held the Shift key down (to bypass the recycle bin) and clicked
Delete: The exe file did not show up in the RP folder #97.

So you see, when the file in question was deleted, and the recycle bin
emptied, the file is copied and written to restore point folder.
Bypassing the recycle bin prevents the file from being copied and
written.

Thanks for the point about not relying on restore points older than a
week - it is a good reminder. In fact, the only time I wanted to use
a restore point it didn't work. It seems like they might be a nice
idea, but need a bit more development to become reliable?

It's not likely we will see changes to the design of System Restore in
WindowsXP. : - (
 
Alias

Steve said:
Ok, I'll take your word for it. Never used it. As a general rule though
the OS prevents any program from touching restore points.

Steve N.

On your advice, I flushed system restore out anyway. What happened is
that Avast found it in system32. Booted into Windows and it found it
again in restore, apparently trying to run. Quarantined it, rebooted,
deleted it, went into Safe Mode and did a complete scan and Avast came
up with nothing.

Alias

Use the Reply to Sender feature of your news reader program to email me.
Use Reply to Sender to send me an email.
 