Virus in System Restore ??

Yesterday I switch from Norton's AV to the free edition of AVG.... today AVG is reporting a Virus (Trojan Horse) in, and I assume, all my System Restore files. There are a whole bunch similiar to :
C:\SystemVolumeInformation\-restore{040A663B-5496-4864
for now I put them in the AVG Virus Vault.

In a way I'm not surprised as several times over the past 6 months I've tried System Restore on to be told that the System was "unable to restore to that date "

Obviously Nortorn's AV didn't consider it a Virus and AVG does..... So, where do I go from here guys - any ideas ??? Is there a way to delete the System Restore files and Re-load from the XP disk ? Help would be appreciated

 

Hello reknaw,

After shutting SR down, which cleans out the current RP's, reboot, and then re-enable it, it'll create an initial point.

Regards - Charles

 

Thanks Charles & Christer..... I'll give that a try when I get back home....and advise

 

Just an "idle" observation.

(especially is System Restore is active, although it may be corrupted if restores don't work)

It is interesting to note that AVG actually quaratines viruses found in system restore.

The reason that Norton (and other AVs) does not do this, is because Restore is sacrosanct. It is a picture in time (viruses and all), and to arbitrarily delete files will change that "picture in time" and could result in a corrupted restore point.

When a virus is discovered there, the only way to correct the issue, is as pointed out above, disable and reenable restore.

 

This post deals with a possible Virus being contained in a Restore Point.

The suggestion to shut down and make new is good. I agree.

But I do have to ask. Wouldn't we need to do the same with Ghost Images ? Unless we could be 100% sure when the Nasty got in ?

I also ask because I get the feeling that Ghost backsup (makes an image of ) more ( a lot more ) than System restore.

My vote goes to YES.

BillyBob

 

Hello WhitPhil,

I agree, malware sitting in SR does nothing until a restore is done from the SR point forward of the infection. Any RP prior to that point is good to use provided that the user knows or can make a judgment of where that is. So if someone has a bigger problem with the system, and has no other means for recovery, SR, even a infected one, is better than nothing. Of course, all this is a matter of judgment. Whenever this question comes, I advise taking care of the infection and making sure that the cure isn't worse than the disease, then to wipe the RP's.

Regards - Charles

 

Well, I've taken the advise offered here. I disabled System Restore then used Ad-Aware, Spybot , Pest Patrol and re-run AVG Scan and all is "Clean "

I then re-set System Restore Starting Point. Hopefully, that should solve my problem. Out of curosity, tommorow I may try using the System Restore to see if it has cured that problem also.

Thanks to all you guys - you're great - don't know what I'd do without you.

 

We could be ghosting viruses. That's why I keep older images around that I know are virus free. These are usually on CD.

 

Good morning.

First off. I like the answers ( INFO ) I am getting and it makes me think about adding one of my " Sittin thar doin nuttin " 40 gig HDs and purchasing Ghost.

And seing as how I have three machines on a LAN could I or could I not in some way use ghost to back them up also ?

I can almost hear a comment. " NAME THEM properly " if Ghost gives us that choice.

That brings up another thought/question.

Would it or would it not be bad to use one of those images if you had changed HARDWARE ?

Also the question comes from MISTAKES that I have made. I installed a new Video Card and drivers for it. Got it all working nicely. ( made a HUGH difference in Links Golf ) But I had a problem with another game. So WITHOUT THINKING I did a SR. ( MADE BEFORE the new card )

I do not think I need to say any more. I said enough at that time.

I better do some THINKING here. My CDROM is lettered right after my last HD partition on this machine. HD partition H: then CDROM I:

Thought process complete. SCRAP that Idea. I do not think it would be worth the problems it would cause.

Coffee time.
BillyBob

 

I like very much this exchanging of ideas.

I was not really thinking of Ghost itself at the time BUT;

EXAMPLE ONLY. Cause I do not have Ghost but the same basic ideas apply to System Restore.

If I was using Ghost and had an Image made a Month ago.

Two weeks ago I added a 2nd Printer. A 2nd HD and partitioned it. The original was C: thru H: CDROM I. The new HD added I: & J: Which now makes the CDROM K:

I have several programs that are backed up to the CD. I have several program that do use the CD to work. More than likely evry one ( or most ) of them is going to require modifing.

I added a 2nd Printer and a USB Scanner. ( I would lose the 2nd one only )

Somwhere inbetween Windows itself was updated.

Images were made at various steps. I will defintely go along with that idea. I do that with System Restore. But once I am done the old ones get removed.

After all bugs are worked out I make a new image.

Now do you still wish to tell me that the Image made a Month ago is worth keeping ?

I say NO. For one thing it is sometimes hard enough to get things to work the FIRST time without having to do it again.

In my case I would realy have nothing to gain by adding another HD anyway cause I still have lots of room on the existing HD. ( at least 20gig left out of 80gig ) So it would not be really worth any possible hassle.

BillyBob

 

BUT. What if I was only unhappy with one piece of the new hardware ( say the scanner ) and I used the old image ? I think I would be very UNHAPPY about losing the printer too. Even though they are not that much work.

Plus I believe I would also lose any and all other changes and added software etc. that I may have done it the meantime.

( A LOT can change in the course of a Month )

As you say, Windows updates are nothing to replace.

However I get your very valid point about a 2nd HD and using it for backups, Ghost images or what ever.

On the two 98SE machines I would have no problem with adding a 2nd HD. The CDROMS are set to S: and T: Even on the 98 SUD. Why I did not do that with XP I have no Idea. ( poor planning maybe ? )

I am being called to lunch. Catch you later.

BillyBob.

 

It is when you have stuff that goes WAY back to at least 95. They would install in 95 or 98 but I doubt very much that they would install in XP.

And some of the stuff I do not even have ( or can't find ) the disks for.

But. Just like most anything else there are Pros & Cons.

BillyBob