A Windows XP help forum. PCbanter


system restore & virus



 
 
  #16  
Old April 7th 05, 01:11 AM
Husky

On Wed, 6 Apr 2005 15:41:02 -0700, MAP wrote:


Another thing to remember, and I see it all of the time in this newsgroup, is that on occasion the folder that keeps these checkpoints gets corrupted and none of the restore points work. Oh ya, they are listed, but a restore is a no go.
It is best when you are doing your regular system maintenance (and have no problems) to shut off system restore and reboot, then turn it back on and create a new checkpoint. This will delete all restore points as well as any corruption.


That's worth keeping in mind, but so far whenever I've had to restore, I've had
no trouble. Maybe luck, or maybe just learned to avoid the majority of
troubles.

Like this restore stuff. Lots of what I've heard in this thread is worth
keeping.
--
more pix @ http://members.toast.net/cbminfo/index.html
  #17  
Old April 7th 05, 01:15 AM
Husky

On Wed, 6 Apr 2005 16:27:03 -0700, MAP wrote:



It is best when you are doing your regular system maintenance (and have no problems) to shut off system restore and reboot, then turn it back on and create a new checkpoint. This will delete all restore points as well as any corruption.

But I wouldn't do this unless there's a problem. Corruption does happen occasionally, but not often.

But Ken, how do you know there is a problem unless you try to use SR and it doesn't work, but then it is too late.


If you have as many points [system managed] as I do, you can do like I did when
I 1st started with XP and keep restoring all the way back to the 1st one until
you hit one that isn't corrupted.
Course once you've gone all the way back to the last restore point accessible,
you could have saved time by just reinstalling the OS.
--
more pix @ http://members.toast.net/cbminfo/index.html
  #18  
Old April 7th 05, 01:16 AM
Bert Kinney

Unfortunately you don't know when the corruption occurs, unless of
course a virus scan shows an infection within the System Volume
Information folder. One could also suspect restore point corruption on
a system found to contain malware/spyware. To test system restore,
create a restore point and immediately restore to it.

--
Regards,
Bert Kinney MS-MVP Shell/User
http://dts-l.org/


MAP wrote:
It is best when you are doing your regular system maintenance (and have no problems) to shut off system restore and reboot, then turn it back on and create a new checkpoint. This will delete all restore points as well as any corruption.

But I wouldn't do this unless there's a problem. Corruption does happen occasionally, but not often.

But Ken, how do you know there is a problem unless you try to use SR and it doesn't work, but then it is too late.



  #19  
Old April 7th 05, 01:17 AM
Husky

On Wed, 6 Apr 2005 18:48:37 -0400, "Bert Kinney" wrote:


Restoring to a point prior to the virus probably will not work. All
restore points are linked together and rely on each other. When a
restore point is used all the restore points newer than it are
required to perform the restore. So a date prior to the virus would
have to use the restore point containing the virus to perform the
restore. Two things could happen: the virus would be reactivated, or
the restore point would fail due to corruption of the restore point by
the virus.


See a prior reply about this.

--
more pix @ http://members.toast.net/cbminfo/index.html
  #20  
Old April 7th 05, 01:55 AM
MAP



"Bert Kinney" wrote:

Hi Husky,

By default System Restore stores 90 days' worth of restore points.
Download the XPSystemRestoreLife.vbs script and run it. It will show
how many days it is set to (at the top of the dialog box) and allow it
to be changed.
System Restore Scripts
http://home.earthlink.net/~mvp_bert/...srscripts.html

If in fact the virus is hiding in one of the restore point folders it
can be removed by purging all the restore points. This can be done by
disabling SR or by running Disk Cleanup.
How to Disable and Enable System Restore
http://home.earthlink.net/~mvp_bert/html/disablesr.html

Restoring to a point prior to the virus probably will not work. All
restore points are linked together and rely on each other. When a
restore point is used all the restore points newer than it are
required to perform the restore. So a date prior to the virus would
have to use the restore point containing the virus to perform the
restore. Two things could happen: the virus would be reactivated, or
the restore point would fail due to corruption of the restore point by
the virus.

Hope this helps explain it.
--
Regards,
Bert Kinney MS-MVP Shell/User
http://dts-l.org/



Hi Bert, I learned something new today :-)
I didn't know that the restore points were linked together with the newer ones.
Thanks
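
The chaining described in the quoted reply above can be pictured with a simplified model. This is an added example, not part of the original thread and not System Restore's own code or on-disk format: the `RestoreChain` class, the file names, the `INFECTED` marker and the `damaged` flag are all assumptions made for illustration. It shows a restore to an older point passing through every newer point, and a hand-edited point blocking itself and everything older.

```python
# Simplified, constructed model of chained restore points. Assumption: each
# point keeps the previous copy of every file changed after it was created.
class RestoreChain:
    def __init__(self, files):
        self.files = dict(files)   # live files: name -> content
        self.points = []           # oldest first

    def create_point(self, label):
        self.points.append({"label": label, "undo": [], "damaged": False})

    def write(self, name, content):
        """Change a file (content=None deletes it), saving the old state first."""
        if self.points:
            self.points[-1]["undo"].append((name, self.files.get(name)))
        if content is None:
            self.files.pop(name, None)
        else:
            self.files[name] = content

    def points_holding(self, marker):
        """Labels a scanner would flag: points whose saved copies match marker."""
        return [p["label"] for p in self.points
                if any(old == marker for _, old in p["undo"])]

    def remove_saved_copy(self, label, marker):
        """Delete a saved copy by hand; that point's undo log is now incomplete."""
        for p in self.points:
            if p["label"] == label:
                p["undo"] = [(n, old) for n, old in p["undo"] if old != marker]
                p["damaged"] = True

    def restore(self, label):
        """Files after restoring to label; None if a needed point is damaged."""
        labels = [p["label"] for p in self.points]
        needed = self.points[labels.index(label):]   # target and all newer points
        if any(p["damaged"] for p in needed):
            return None
        state = dict(self.files)
        for p in reversed(needed):                   # newest point first
            for name, old in reversed(p["undo"]):
                if old is None:
                    state.pop(name, None)            # file did not exist back then
                else:
                    state[name] = old
        return state


def scenario():
    """Constructed timeline: infection after RP2, live file cleaned after RP3."""
    chain = RestoreChain({"app.exe": "clean"})
    chain.create_point("RP1")
    chain.write("notes.txt", "v1")
    chain.create_point("RP2")
    chain.write("bad.exe", "INFECTED")
    chain.create_point("RP3")
    chain.write("bad.exe", None)   # scanner removes the live file; copy stays in RP3
    chain.create_point("RP4")
    chain.write("notes.txt", "v2")
    return chain


if __name__ == "__main__":
    c = scenario()
    print({rp: c.restore(rp) for rp in ("RP4", "RP3", "RP2", "RP1")})
```

In this model, restoring to RP3 brings the flagged file back, restoring to RP2 or RP1 ends without it but still has to read RP3, and after `remove_saved_copy("RP3", "INFECTED")` only RP4 remains usable.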
  #21  
Old April 7th 05, 02:28 AM
Ken Blake

MAP typed:

It is best when you are doing your regular system maintenance (and have no problems) to shut off system restore and reboot, then turn it back on and create a new checkpoint. This will delete all restore points as well as any corruption.

But I wouldn't do this unless there's a problem. Corruption does happen occasionally, but not often.

But Ken, how do you know there is a problem unless you try to use SR and it doesn't work, but then it is too late.



Yes, but on the other hand if you do it preemptively when you
don't need to, you may delete a restore point that it later turns
out you needed.

Since corruption is relatively rare (although it *does* occur too
often) I'd much rather keep the restore points that exist, so
they are there *if* you need them. If you do it your way, you're
substantially increasing the risk that you won't have the restore
point you need.

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup


  #22  
Old April 7th 05, 02:31 AM
Ken Blake

Husky typed:

On Wed, 6 Apr 2005 14:23:31 -0700, "Ken Blake" wrote:

The program designed to use the virus is the virus itself. If it's inside a restore point it can't execute, and can't do any harm unless, as I said, you restore that Restore Point.

I hate to tell you this, but viruses are much more sophisticated than you want to believe. ie: One I cleaned weeks ago was nothing more than a html link to a web site. The payload was at the website. The worst offenders now don't do any damage or even let you know they're there. You're thinking kiddie scripts that screw with your OS and annoy at a minimum.

It hasn't happened to me yet, but it has to others. Virus, Trojans, I'm not going to debate the semantics. Are now opening up your drive space as download space for pirate software, and spam relays to divert the trail from the one using those virus/backdoors. And who knows what's in their bag of tricks now.

Being dial up has its options. Not on long enough or with a fast enough connection to make the backdoor worthwhile.

The opinion I've seen on this says dump all the restore points if you get a virus in one of them.

Not necessary, as I said, as long as you don't restore that restore point.

Makes no sense. If the scan shows a new virus and it's in one of the restore point folders, restoring the system at that point should bring the virus out in the open where it can be deleted or cleaned, thus retaining all previous restore points.

No, you're mistaken. There's no need to restore the Restore Point containing the Virus. Even if you subsequently clean it, you accomplish nothing by doing this. If you have a Restore Point which includes a virus, you can at any time restore to an earlier Restore Point that doesn't include it. The only difficulty is knowing which Restore Points are infected and which are not.

Again you miss my point. Restoring the point that includes the virus would only be done for the purpose of cleaning of the virus. If you restore to a prior point, that'd be a different issue altogether. I'm just talking about points inside restore points.
Maybe I'm different, I scan at a minimum weekly. If I were to find one and have it reported as included in a hidden restore point, the next step to me would be to restore that point. It couldn't be much older than a week. And it would seem that it might have actually been created by the virus to hide itself.



I'm not going to argue with you any further. I've made my points
and you may believe me or not, as you choose. But you have a very
mistaken view of what a restore point is.

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup


  #23  
Old April 7th 05, 02:33 AM
Ken Blake

MAP typed:

Hi Bert, I learned something new today :-)
I didn't know that the restore points were linked together with the newer ones,




Just as an addition to Bert's excellent advice, that's precisely
the reason why you can't selectively delete Restore Points.

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup


  #24  
Old April 7th 05, 01:16 PM
Jim Donovan


"Husky" wrote in message
...
Just a question in case it does happen. I have maybe 6-7 months of restore points currently and perfectly happy with all of them.

But something I've been reading here. If you get a virus there seems to be some sort of opinion to delete all previous restore points if the virus is found inside a protected restore point folder.

Wouldn't it make more sense that when you find a virus, if there's any doubt to whether it was cleaned or not, to restore the system one restore point prior to the virus?

--
more pix @ http://members.toast.net/cbminfo/index.html


If you are curious as to what the restore points actually have in them, then go to the System Volume Information folder, which stores the restore points. I once had to go in and open a restore point to get rid of ALTNET and a few other executables that were garbage. The best way to do this is in safe mode. I got this info from
http://www.theeldergeek.com/system_v...on_folder1.htm

Good Luck



Jim



  #25  
Old April 7th 05, 02:04 PM
Bert Kinney

Hi Jim,

I suspect messing with the files within folders in the System Volume
Information folder would cause that restore point to become corrupt,
which in turn would cause any prior restore points to become corrupt
also. Did you experience different results after making modifications
within these folders?

--
Regards,
Bert Kinney MS-MVP Shell/User
http://dts-l.org/

Jim Donovan wrote:
"Husky" wrote
Just a question in case it does happen. I have maybe 6-7 months of restore points currently and perfectly happy with all of them.

But something I've been reading here. If you get a virus there seems to be some sort of opinion to delete all previous restore points if the virus is found inside a protected restore point folder.

Wouldn't it make more sense that when you find a virus, if there's any doubt to whether it was cleaned or not, to restore the system one restore point prior to the virus?

--
more pix @ http://members.toast.net/cbminfo/index.html


If you are curious as to what the restore points actually have in them, then go to the System Volume Information folder, which stores the restore points. I once had to go in and open a restore point to get rid of ALTNET and a few other executables that were garbage. The best way to do this is in safe mode. I got this info from
http://www.theeldergeek.com/system_v...on_folder1.htm

Good Luck



Jim



  #26  
Old April 7th 05, 02:26 PM
Jim Donovan


"Bert Kinney" wrote in message
...
Hi Jim,

I suspect messing with the files within folders in the System Volume
Information folder would cause that restore point to become corrupt, which
in turn would cause any prior restore points to become corrupt also. Did
you experience different results after making modifications within these
folders?

--
Regards,
Bert Kinney MS-MVP Shell/User
http://dts-l.org/

Jim Donovan wrote:
"Husky" wrote
Just a question in case it does happen. I have maybe 6-7 months of restore points currently and perfectly happy with all of them.

But something I've been reading here. If you get a virus there seems to be some sort of opinion to delete all previous restore points if the virus is found inside a protected restore point folder.

Wouldn't it make more sense that when you find a virus, if there's any doubt to whether it was cleaned or not, to restore the system one restore point prior to the virus?

--
more pix @ http://members.toast.net/cbminfo/index.html


If you are curious as to what the restore points actually have in them, then go to the System Volume Information folder, which stores the restore points. I once had to go in and open a restore point to get rid of ALTNET and a few other executables that were garbage. The best way to do this is in safe mode. I got this info from
http://www.theeldergeek.com/system_v...on_folder1.htm

Good Luck



Jim



Hello Bert

This all started out because SpyBot S & D and Microsoft Beta could not remove the ALTNET registry key, and each time I tried an earlier restore point I would still get this problem, because it was resident in the restore points. So to clean this I had to delete the restore points (through the System Restore function), go into safe mode, reclaim the permissions for the registry and manually delete the keys. But to answer your question, I am not sure if deleting an .exe file in the restore point would corrupt the file. I am not familiar with restore points being linked with each other, so to me a simple deletion of the .exe should be okay, or so I think. It would be an interesting experiment, though, to actively delete files in the restore point and then do a restore to that point; you can always reverse the restore, I guess, if some of the files deleted interfered with the operation of an application.



Jim


  #27  
Old April 7th 05, 02:31 PM
Husky

On Wed, 6 Apr 2005 20:16:32 -0400, "Bert Kinney" wrote:

Unfortunately you don't know when the corruption occurs, unless of
course a virus scan shows an infection within the System Volume
Information folder. One could also suspect restore point corruption on
a system found to contain malware/spyware. To test system restore,
create a restore point and immediately restore to it.


That wouldn't tell you a thing. I'm under the impression corruption being
referred to here is data corruption on the HD. That's happened several times
with instant power failures while writing to the HD.
Stuff like that can't be planned for or avoided without a battery power supply.
And then it might corrupt the restore points, only if that were the process
being written.

--
more pix @ http://members.toast.net/cbminfo/index.html
  #28  
Old April 8th 05, 01:16 AM
Miss Perspicacia Tick

Ken Blake wrote:
Husky typed:

On Wed, 6 Apr 2005 14:23:31 -0700, "Ken Blake" wrote:

The program designed to use the virus is the virus itself. If it's inside a restore point it can't execute, and can't do any harm unless, as I said, you restore that Restore Point.

I hate to tell you this, but viruses are much more sophisticated than you want to believe. ie: One I cleaned weeks ago was nothing more than a html link to a web site. The payload was at the website. The worst offenders now don't do any damage or even let you know they're there. You're thinking kiddie scripts that screw with your OS and annoy at a minimum.

It hasn't happened to me yet, but it has to others. Virus, Trojans, I'm not going to debate the semantics. Are now opening up your drive space as download space for pirate software, and spam relays to divert the trail from the one using those virus/backdoors. And who knows what's in their bag of tricks now.

Being dial up has its options. Not on long enough or with a fast enough connection to make the backdoor worthwhile.

The opinion I've seen on this says dump all the restore points if you get a virus in one of them.

Not necessary, as I said, as long as you don't restore that restore point.

Makes no sense. If the scan shows a new virus and it's in one of the restore point folders, restoring the system at that point should bring the virus out in the open where it can be deleted or cleaned, thus retaining all previous restore points.

No, you're mistaken. There's no need to restore the Restore Point containing the Virus. Even if you subsequently clean it, you accomplish nothing by doing this. If you have a Restore Point which includes a virus, you can at any time restore to an earlier Restore Point that doesn't include it. The only difficulty is knowing which Restore Points are infected and which are not.

Again you miss my point. Restoring the point that includes the virus would only be done for the purpose of cleaning of the virus. If you restore to a prior point, that'd be a different issue altogether. I'm just talking about points inside restore points.
Maybe I'm different, I scan at a minimum weekly. If I were to find one and have it reported as included in a hidden restore point, the next step to me would be to restore that point. It couldn't be much older than a week. And it would seem that it might have actually been created by the virus to hide itself.



I'm not going to argue with you any further. I've made my points
and you may believe me or not, as you choose. But you have a very
mistaken view of what a restore point is.


Ken,

Never argue with an idiot. They bring you down to their level then beat you
with experience... ;o) eg


--
In memory of MS MVP Alex Nichol: http://www.dts-l.org/


  #29  
Old April 9th 05, 10:14 PM
Bert Kinney

Thanks for the information Jim.


--
Regards,
Bert Kinney MS-MVP Shell/User
http://dts-l.org/


Jim Donovan wrote:
"Bert Kinney" wrote
Hi Jim,

I suspect messing with the files within folders in the System Volume Information folder would cause that restore point to become corrupt, which in turn would cause any prior restore points to become corrupt also. Did you experience different results after making modifications within these folders?

--
Regards,
Bert Kinney MS-MVP Shell/User
http://dts-l.org/

Jim Donovan wrote:
"Husky" wrote
Just a question in case it does happen. I have maybe 6-7 months of restore points currently and perfectly happy with all of them.

But something I've been reading here. If you get a virus there seems to be some sort of opinion to delete all previous restore points if the virus is found inside a protected restore point folder.

Wouldn't it make more sense that when you find a virus, if there's any doubt to whether it was cleaned or not, to restore the system one restore point prior to the virus?

--
more pix @ http://members.toast.net/cbminfo/index.html

If you are curious as to what the restore points actually have in them, then go to the System Volume Information folder, which stores the restore points. I once had to go in and open a restore point to get rid of ALTNET and a few other executables that were garbage. The best way to do this is in safe mode. I got this info from
http://www.theeldergeek.com/system_v...on_folder1.htm

Good Luck



Jim



Hello Bert

This all started out because SpyBot S & D and Microsoft Beta could not remove the ALTNET registry key, and each time I tried an earlier restore point I would still get this problem, because it was resident in the restore points. So to clean this I had to delete the restore points (through the System Restore function), go into safe mode, reclaim the permissions for the registry and manually delete the keys. But to answer your question, I am not sure if deleting an .exe file in the restore point would corrupt the file. I am not familiar with restore points being linked with each other, so to me a simple deletion of the .exe should be okay, or so I think. It would be an interesting experiment, though, to actively delete files in the restore point and then do a restore to that point; you can always reverse the restore, I guess, if some of the files deleted interfered with the operation of an application.


Jim



 



