
system restore & virus

Anonymous
April 6, 2005 3:17:21 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

Just a question in case it does happen. I have maybe 6-7 months of restore
points currently and perfectly happy with all of them.

But something I've been reading here. If you get a virus there seems to be some
sort of opinion to delete all previous restore points if the virus is found
inside a protected restore point folder.

Wouldn't it make more sense that when you find a virus, if there's any doubt to
whether it was cleaned or not, to restore the system one restore point prior to
the virus ?

--
more pix @ http://members.toast.net/cbminfo/index.html


Anonymous
April 6, 2005 3:17:22 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

In news:m2v751pjsci0ht2rqdf8i2okga4dcr74kl@4ax.com,
Husky <cbminfo@toast.net> typed:

> Just a question in case it does happen. I have maybe 6-7 months
> of
> restore points currently and perfectly happy with all of them.


You're mistaken. Restore points can not go back further than 90
days. Where are you seeing these 6-7 months of Restore Points?



> But something I've been reading here. If you get a virus there
> seems
> to be some sort of opinion to delete all previous restore
> points if
> the virus is found inside a protected restore point folder.


No, whether you have a virus or not, there's no option to
selectively delete Restore Points. You can delete them all or you
can delete them all but the last one. Those are your only
choices.


> Wouldn't it make more sense that when you find a virus, if
> there's
> any doubt to whether it was cleaned or not, to restore the
> system one
> restore point prior to the virus ?


As I said, that's not an option. Also realize that a virus inside
a restore point is completely harmless. It can do no harm unless
you restore that Restore Point.

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup
Anonymous
April 6, 2005 3:24:48 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

XP does not keep restore points older than 90 days (and for good reason.)

Modem Ani

"Husky" <cbminfo@toast.net> wrote in message
news:m2v751pjsci0ht2rqdf8i2okga4dcr74kl@4ax.com...
> Just a question in case it does happen. I have maybe 6-7 months of restore
> points currently and perfectly happy with all of them.
>
> But something I've been reading here. If you get a virus there seems to be
some
> sort of opinion to delete all previous restore points if the virus is
found
> inside a protected restore point folder.
>
> Wouldn't it make more sense that when you find a virus, if there's any
doubt to
> whether it was cleaned or not, to restore the system one restore point
prior to
> the virus ?
>
> --
> more pix @ http://members.toast.net/cbminfo/index.html
Anonymous
April 6, 2005 4:03:23 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

On Wed, 6 Apr 2005 11:24:48 -0400, "Modem Ani" <notquinoas@notmyrealbox.com>
wrote:

>XP does not keep restore points older than 90 days (and for good reason.)

You'll have to take that up with M$. I have restore points all the way back to
6 November.

6 months back. Maybe it has more to do with available disc space, than dates.

>
>Modem Ani
>
>"Husky" <cbminfo@toast.net> wrote in message
>news:m2v751pjsci0ht2rqdf8i2okga4dcr74kl@4ax.com...
>> Just a question in case it does happen. I have maybe 6-7 months of restore
>> points currently and perfectly happy with all of them.
>>
>> But something I've been reading here. If you get a virus there seems to be
>some
>> sort of opinion to delete all previous restore points if the virus is
>found
>> inside a protected restore point folder.
>>
>> Wouldn't it make more sense that when you find a virus, if there's any
>doubt to
>> whether it was cleaned or not, to restore the system one restore point
>prior to
>> the virus ?
>>
>> --
>> more pix @ http://members.toast.net/cbminfo/index.html
>

--
more pix @ http://members.toast.net/cbminfo/index.html
Anonymous
April 6, 2005 5:30:35 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

By default, System Restore purges restore points older than 90 days.
Depending on how much your system has changed, it would be unwise to restore
a restore point as recent as one day. Could you be confusing System Restore
with backing up?

Modem Ani

"Husky" <cbminfo@toast.net> wrote in message
news:7t18515p0k3cmjbuannfb7a3coe4lrl1t4@4ax.com...
> On Wed, 6 Apr 2005 11:24:48 -0400, "Modem Ani"
<notquinoas@notmyrealbox.com>
> wrote:
>
> >XP does not keep restore points older than 90 days (and for good reason.)
>
> You'll have to take that up with M$. I have restore points all the way
back to
> 6 November.
>
> 6 months back. Maybe it has more to do with available disc space, than
dates.
>
> >
> >Modem Ani
> >
> >"Husky" <cbminfo@toast.net> wrote in message
> >news:m2v751pjsci0ht2rqdf8i2okga4dcr74kl@4ax.com...
> >> Just a question in case it does happen. I have maybe 6-7 months of
restore
> >> points currently and perfectly happy with all of them.
> >>
> >> But something I've been reading here. If you get a virus there seems to
be
> >some
> >> sort of opinion to delete all previous restore points if the virus is
> >found
> >> inside a protected restore point folder.
> >>
> >> Wouldn't it make more sense that when you find a virus, if there's any
> >doubt to
> >> whether it was cleaned or not, to restore the system one restore point
> >prior to
> >> the virus ?
> >>
> >> --
> >> more pix @ http://members.toast.net/cbminfo/index.html
> >
>
> --
> more pix @ http://members.toast.net/cbminfo/index.html
Anonymous
April 6, 2005 7:56:10 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

On Wed, 6 Apr 2005 10:52:28 -0700, "Ken Blake"
<kblake@this.is.an.invalid.domain> wrote:

start/accessories/system tools/system restore
welcome to system restore, would you like to
create a restore point, restore to a previous date. etc..
Maybe it doesn't do that with XP home.

>In news:m2v751pjsci0ht2rqdf8i2okga4dcr74kl@4ax.com,
>Husky <cbminfo@toast.net> typed:
>
>> Just a question in case it does happen. I have maybe 6-7 months
>> of
>> restore points currently and perfectly happy with all of them.
>
>
>You're mistaken. Restore points can not go back further than 90
>days. Where are you seeing these 6-7 months of Restore Points?
>
>
>
>> But something I've been reading here. If you get a virus there
>> seems
>> to be some sort of opinion to delete all previous restore
>> points if
>> the virus is found inside a protected restore point folder.
>
>
>No, whether you have a virus or not, there's no option to
>selectively delete Restore Points. You can delete them all or you
>can delete them all but the last one. Those are your only
>choices.
>
>
>> Wouldn't it make more sense that when you find a virus, if
>> there's
>> any doubt to whether it was cleaned or not, to restore the
>> system one
>> restore point prior to the virus ?
>
>
>As I said, that's not an option. Also realize that a virus inside
>a restore point is completely harmless. It can do no harm unless
>you restore that Restore Point.

--
more pix @ http://members.toast.net/cbminfo/index.html
Anonymous
April 6, 2005 8:22:07 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

On Wed, 06 Apr 2005 12:03:23 -0400, Husky <cbminfo@toast.net> wrote:

> help : The actual number of saved restore points depends on how much activity there has been on your computer, the size of your hard disk
> help : (or the partition that contains your Windows XP Professional folder), and how much disk space has been allocated on your computer to
> help : store System Restore information. See To change System Restore settings.
> help :

When it says one to three weeks of restore points, that might mean up to 90
restore points not 90 days.
Actually I don't even see how you get 90 out of three weeks. That's 21 at best.
then again it could also be based on drive space as I said earlier. I allowed
it to use as much space as it wanted.

If you aren't installing new software every single day, there's little need for
the OS to create a restore point. Thus the 6 months back on my restore points.

Now back to the subject. Is there any reason to dump all the restore points if
you get a virus inside one of the protected folders ?

And why does my virus program work and others don't ?

>On Wed, 6 Apr 2005 11:24:48 -0400, "Modem Ani" <notquinoas@notmyrealbox.com>
>wrote:
>
>>XP does not keep restore points older than 90 days (and for good reason.)
>
>You'll have to take that up with M$. I have restore points all the way back to
>6 November.
>
>6 months back. Maybe it has more to do with available disc space, than dates.
>
>>
>>Modem Ani
>>
>>"Husky" <cbminfo@toast.net> wrote in message
>>news:m2v751pjsci0ht2rqdf8i2okga4dcr74kl@4ax.com...
>>> Just a question in case it does happen. I have maybe 6-7 months of restore
>>> points currently and perfectly happy with all of them.
>>>
>>> But something I've been reading here. If you get a virus there seems to be
>>some
>>> sort of opinion to delete all previous restore points if the virus is
>>found
>>> inside a protected restore point folder.
>>>
>>> Wouldn't it make more sense that when you find a virus, if there's any
>>doubt to
>>> whether it was cleaned or not, to restore the system one restore point
>>prior to
>>> the virus ?
>>>
>>> --
>>> more pix @ http://members.toast.net/cbminfo/index.html
>>

--
more pix @ http://members.toast.net/cbminfo/index.html
Anonymous
April 6, 2005 8:30:00 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

On Wed, 6 Apr 2005 10:52:28 -0700, "Ken Blake"
<kblake@this.is.an.invalid.domain> wrote:


>> Wouldn't it make more sense that when you find a virus, if
>> there's
>> any doubt to whether it was cleaned or not, to restore the
>> system one
>> restore point prior to the virus ?
>
>
>As I said, that's not an option.

Of course it is. That's the reason it makes so many restore points. You can
pick any restore point listed, and restore the machine to that point. It can be
the 1st point ever made, or the one made last, or any one in between.

>Also realize that a virus inside a restore point is completely harmless. It can do no harm unless
>you restore that Restore Point.

I would guess if a virus program can find it inside a restore point, that the
program designed to use the virus can also find it to use it.

The opinion I've seen on this says dump all the restore points if you get a
virus in one of them. Makes no sense. If the scan shows a new virus and it's in
one of the restore point folders, restoring the system at that point, should
bring the virus out in the open where it can be deleted or cleaned, thus
retaining all previous restore points.
--
more pix @ http://members.toast.net/cbminfo/index.html
Anonymous
April 6, 2005 8:30:01 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

In news:r8h8515d8l8iltfqpvsjt0a0stgpnjbgku@4ax.com,
Husky <cbminfo@toast.net> typed:

> On Wed, 6 Apr 2005 10:52:28 -0700, "Ken Blake"
> <kblake@this.is.an.invalid.domain> wrote:
>
>
>>> Wouldn't it make more sense that when you find a virus, if
>>> there's
>>> any doubt to whether it was cleaned or not, to restore the
>>> system one
>>> restore point prior to the virus ?
>>
>>
>> As I said, that's not an option.
>
> Of course it is. That's the reason it makes so many restore
> points.
> You can pick any restore point listed, and restore the machine
> to
> that point.


Yes, you're right of course. Sorry, I somehow managed to misread
that as thinking you wanted to selectively *delete* a Restore
Point, not restore one.


> It can be the 1st point ever made, or the one made last,
> or any one in between.


No, it can only be one of the restore points that still exist. If
you've been using the system for a while, it's highly unlikely
that the first Restore Point ever made still exists. Restore
Points are kept subject to two limitations:

1. The amount of disk space allocated to them. When that space is
used, older Restore Points are deleted to make room for newer
ones.

2. By default, there's a maximum of 90 days for keeping any
Restore Point. That default can be changed by modifying the
registry entry RPLifeInterval


>> Also realize that a virus inside a restore point is completely
>> harmless. It can do no harm unless you restore that Restore
>> Point.
>
> I would guess if a virus program can find it inside a restore
> point,
> that the program designed to use the virus can also find it to
> use it.


The program designed to use the virus is the virus itself. If
it's inside a restore point it can't execute, and can't do any
harm unless, as I said, you restore that Restore Point.


> The opinion I've seen on this says dump all the restore points
> if you
> get a virus in one of them.


Not necessary, as I said, as long as you don't restore that
restore point.


> Makes no sense. If the scan shows a new
> virus and it's in one of the restore point folders, restoring
> the
> system at that point, should bring the virus out in the open
> where it
> can be deleted or cleaned. thus retaining all previous restore
> points.


No, you're mistaken. There's no need to restore the Restore Point
containing the Virus. Even if you subsequently clean it, you
accomplish nothing by doing this. If you have a Restore Point
which includes a virus, you can at any time restore to an earlier
Restore Point that doesn't include it. The only difficulty is
knowing which Restore Points are infected and which are not.

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup
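
Added illustration (not part of any poster's message): one way to sort scanner detections into files on the live system and files held in the System Restore store, grouped by restore-point folder, which is the "knowing which Restore Points are infected" problem raised above. The log layout (`path | detection`), sample paths and detection names are constructed; the `_restore{GUID}\RPnnn` layout is the folder structure XP uses under System Volume Information.

```python
import re
from collections import defaultdict

# Constructed scanner output. The "path | detection name" layout is an assumption;
# adapt the split in triage() to whatever your scanner actually writes.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\example.dll | Constructed.Sample.A
C:\System Volume Information\_restore{11111111-2222-3333-4444-555555555555}\RP212\A0031337.exe | Constructed.Sample.A
C:\System Volume Information\_restore{11111111-2222-3333-4444-555555555555}\RP214\A0031502.dll | Constructed.Sample.B
c:\system volume information\_restore{11111111-2222-3333-4444-555555555555}\rp214\a0031503.exe | Constructed.Sample.A
D:\Downloads\setup.exe | Constructed.Sample.C
"""

# <drive>:\System Volume Information\_restore{GUID}\RP<number>\<item>
RP_PATH = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}"
    r"\\RP(?P<rp>\d+)\\(?P<item>.+)$",
    re.IGNORECASE,
)


def triage(log_text):
    """Split detections into (live, in_store).

    live     -> list of (path, detection) outside the System Restore store
    in_store -> {restore point number: [(item inside RP folder, detection), ...]}
    """
    live, in_store = [], defaultdict(list)
    for raw in log_text.splitlines():
        path, sep, name = raw.strip().rpartition(" | ")
        if not sep:  # blank or malformed line
            continue
        match = RP_PATH.match(path.strip())
        if match:
            rp_number = int(match.group("rp"))
            in_store[rp_number].append((match.group("item"), name.strip()))
        else:
            live.append((path.strip(), name.strip()))
    return live, dict(in_store)


def summarize(log_text):
    """Condense the triage into the facts needed before choosing a restore point."""
    live, in_store = triage(log_text)
    flagged = sorted(in_store)
    return {
        "live_detections": len(live),
        "flagged_restore_points": flagged,
        "lowest_flagged": flagged[0] if flagged else None,
        # True when every detection sits inside the store and nothing is live.
        "store_only": not live and bool(flagged),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
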
Anonymous
April 6, 2005 9:01:07 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

_________In response to________
"Husky" <cbminfo@toast.net> wrote in message news:cpg851hao26k6mk283kc3f25nn8tmbtmit@4ax.com...
|
| And why does my virus program work and others don't ?
|

How the 'ell is anyone supposed to answer that?

What virus program do (did) you write?

--
Just my 2¢ worth,
Jeff
Anonymous
April 6, 2005 10:48:37 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

Hi Husky,

By default System Restore stores 90 days' worth of restore points.
Download the XPSystemRestoreLife.vbs script and run it. It will show
how many days it is set to (at the top of the dialog box) and allow it
to be changed.
System Restore Scripts
http://home.earthlink.net/~mvp_bert/html/body_srscripts...

If in fact the virus is hiding in one of the restore point folders it
can be removed by purging all the restore points. This can be done by
disabling SR or by running Disk Cleanup.
How to Disable and Enable System Restore
http://home.earthlink.net/~mvp_bert/html/disablesr.html

Restoring to a point prior to the virus probably will not work. All
restore points are linked together and rely on each other. When a
restore point is used all the restore points newer than it are
required to perform the restore. So a date prior to the virus would
have to use the restore point containing the virus to perform the
restore. Two things could happen: the virus would be reactivated, or
the restore point would fail due to corruption of the restore point by
the virus.

Hope this helps explain it.
--
Regards,
Bert Kinney MS-MVP Shell/User
http://dts-l.org/


Husky wrote:
> Just a question in case it does happen. I have maybe 6-7
> months of restore points currently and perfectly happy
> with all of them.
>
> But something I've been reading here. If you get a virus
> there seems to be some sort of opinion to delete all
> previous restore points if the virus is found inside a
> protected restore point folder.
>
> Wouldn't it make more sense that when you find a virus,
> if there's any doubt to whether it was cleaned or not, to
> restore the system one restore point prior to the virus ?
April 6, 2005 10:48:38 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

"Bert Kinney" wrote:

> Hi Husky,
>
> By default System Restore stores 90 days' worth of restore points.
> Download the XPSystemRestoreLife.vbs script and run it. It will show
> how many days it is set to (at the top of the dialog box) and allow it
> to be changed.
> System Restore Scripts
> http://home.earthlink.net/~mvp_bert/html/body_srscripts...
>
> If in fact the virus is hiding in one of the restore point folders it
> can be removed by purging all the restore points. This can be done by
> disabling SR or by running Disk Cleanup.
> How to Disable and Enable System Restore
> http://home.earthlink.net/~mvp_bert/html/disablesr.html
>
> Restoring to a point prior to the virus probably will not work. All
> restore points are linked together and rely on each other. When a
> restore point is used all the restore points newer than it are
> required to perform the restore. So a date prior to the virus would
> have to use the restore point containing the virus to perform the
> restore. Two things could happen: the virus would be reactivated, or
> the restore point would fail due to corruption of the restore point by
> the virus.
>
> Hope this helps explain it.
> --
> Regards,
> Bert Kinney MS-MVP Shell/User
> http://dts-l.org/


Hi Bert, I learned something new today :-)
I didn't know that the restore points were linked together with the newer
ones,
Thanks
Anonymous
April 6, 2005 10:48:39 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

In news:6B923493-222C-4DF5-A452-C586B66B6B8E@microsoft.com,
MAP <MAP@discussions.microsoft.com> typed:

> Hi Bert, I learned something new today :-)
> I didn't know that the restore points were linked together with
> the
> newer ones,



Just as an addition to Bert's excellent advice, that's precisely
the reason why you can't selectively delete Restore Points.

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup
Anonymous
April 7, 2005 12:07:09 AM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

On Wed, 6 Apr 2005 14:23:31 -0700, "Ken Blake"
<kblake@this.is.an.invalid.domain> wrote:


>The program designed to use the virus is the virus itself. If
>it's inside a restore point it can't execute, and can't do any
>harm unless, as I said, you restore that Restore Point.

I hate to tell you this, but viruses are much more sophisticated than you want to
believe. ie: One I cleaned weeks ago was nothing more than a html link to a web
site. The payload was at the website.
The worst offenders now don't do any damage or even let you know they're there.
You're thinking kiddie scripts that screw with your OS and annoy at a minimum.

It hasn't happened to me yet, but it has to others. Virus, Trojans I'm not
going to debate the semantics. Are now opening up your drive space as download
space for pirate software, and spam relays to divert the trail from the one
using those virus/backdoors. And who knows what's in their bag of tricks now.

Being dial up has its options. Not on long enough or with a fast enough
connection to make the backdoor worthwhile.

>> The opinion I've seen on this says dump all the restore points
>> if you get a virus in one of them.
>
>
>Not necessary, as I said, as long as you don't restore that
>restore point.
>
>
>> Makes no sense. If the scan shows a new
>> virus and it's in one of the restore point folders, restoring
>> the system at that point, should bring the virus out in the open
>> where it can be deleted or cleaned. thus retaining all previous restore
>> points.
>
>
>No, you're mistaken. There's no need to restore the Restore Point
>containing the Virus. Even if you subsequently clean it, you
>accomplish nothing by doing this. If you have a Restore Point
>which includes a virus, you can at any time restore to an earlier
>Restore Point that doesn't include it. The only difficulty is
>knowing which Restore Points are infected and which are not.

Again you miss my point. Restoring the point that includes the virus would
only be done for the purpose of cleaning of the virus. If you restore to a
prior point, that'd be a different issue altogether. I'm just talking about
points inside restore points.
Maybe I'm different, I scan at a minimum weekly. If I were to find one and have
it reported as included in a hidden restore point, the next step to me would be
to restore that point, It couldn't be much older than a week. And it would seem
that it might have actually been created by the virus to hide itself.

Then with it accessible I'd run the scan again and delete it. Preserving any
previous restore points and making sure any future restore points are clean.
But as long as that virus lives inside a point, restoring to any point prior to
it, would release it, and compromise the machine.

I've restored all the way back to square one at one time. All points after it
disappeared when I did that. Telling me that the points only update changed
stuff.
--
more pix @ http://members.toast.net/cbminfo/index.html
Anonymous
April 7, 2005 12:07:10 AM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

In news:09t8511r7db654jj9tpo2n5btqvpng8lfm@4ax.com,
Husky <cbminfo@toast.net> typed:

> On Wed, 6 Apr 2005 14:23:31 -0700, "Ken Blake"
> <kblake@this.is.an.invalid.domain> wrote:
>
>
>> The program designed to use the virus is the virus itself. If
>> it's inside a restore point it can't execute, and can't do any
>> harm unless, as I said, you restore that Restore Point.

> I hate to tell you this, but virus are much more sophisticated
> than
> you want to believe. ie: One I cleaned weeks ago was nothing
> more
> than a html link to a web site. The payload was at the website.
> The worst offenders now don't do any damage or even let you
> know
> they're there. You're thinking kiddie scripts that screw with
> your OS
> and annoy at a minimum.
>
> It hasn't happened to me yet, but it has to others. Virus,
> Trojans
> I'm not going to debate the semantics. Are now opening up your
> drive
> space as download space for pirate software, and spam relays to
> divert the trail from the one using those virus/backdoors. And
> who
> knows what's in their bag of tricks now.
>
> Being dial up has its options. Not on long enough or with a
> fast
> enough connection to make the backdoor worthwhile.
>
>>> The opinion I've seen on this says dump all the restore
>>> points
>>> if you get a virus in one of them.
>>
>>
>> Not necessary, as I said, as long as you don't restore that
>> restore point.
>>
>>
>>> Makes no sense. If the scan shows a new
>>> virus and it's in one of the restore point folders, restoring
>>> the system at that point, should bring the virus out in the
>>> open
>>> where it can be deleted or cleaned. thus retaining all
>>> previous
>>> restore points.
>>
>>
>> No, you're mistaken. There's no need to restore the Restore
>> Point
>> containing the Virus. Even if you subsequently clean it, you
>> accomplish nothing by doing this. If you have a Restore Point
>> which includes a virus, you can at any time restore to an
>> earlier
>> Restore Point that doesn't include it. The only difficulty is
>> knowing which Restore Points are infected and which are not.
>
> Again you miss my point. Restoring the point that includes
> the
> virus would only be done for the purpose of cleaning of the
> virus. If
> you restore to a prior point, that'd be a different issue
> altogether.
> I'm just talking about points inside restore points.
> Maybe I'm different, I scan at a minimum weekly. If I were to
> find
> one and have it reported as included in a hidden restore point,
> the
> next step to me would be to restore that point, It couldn't be
> much
> older than a week. And it would seem that it might have
> actually been
> created by the virus to hide itself.


I'm not going to argue with you any further. I've made my points
and you may believe me or not, as you choose. But you have a very
mistaken view of what a restore point is.

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup
Anonymous
April 7, 2005 12:17:53 AM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

On Wed, 6 Apr 2005 18:48:37 -0400, "Bert Kinney" <bert@NSmvps.org> wrote:


>Restoring to a point prior to the virus probably will not work. All
>restore points are linked together and rely on each other. When a
>restore point is used all the restore points newer than it are
>required to perform the restore. So a date prior to the virus would
>have to use the restore point containing the virus to perform the
>restore. Two things could happen: the virus would be reactivated, or
>the restore point would fail due to corruption of the restore point by
>the virus.

See a prior reply about this.

--
more pix @ http://members.toast.net/cbminfo/index.html
Anonymous
April 7, 2005 1:16:41 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

"Husky" <cbminfo@toast.net> wrote in message
news:m2v751pjsci0ht2rqdf8i2okga4dcr74kl@4ax.com...
> Just a question in case it does happen. I have maybe 6-7 months of restore
> points currently and perfectly happy with all of them.
>
> But something I've been reading here. If you get a virus there seems to be
> some
> sort of opinion to delete all previous restore points if the virus is
> found
> inside a protected restore point folder.
>
> Wouldn't it make more sense that when you find a virus, if there's any
> doubt to
> whether it was cleaned or not, to restore the system one restore point
> prior to
> the virus ?
>
> --
> more pix @ http://members.toast.net/cbminfo/index.html

If you are curious as to what the restore points actually have in them then
go to the System Volume Information folder which stores the restore points, I
once had to go in and open a restore point to get rid of ALTNET, and a few
other executables that were garbage. The best way to do this is in safe
mode. I got this info from
http://www.theeldergeek.com/system_volume_information_f...

Good Luck



Jim
Anonymous
April 7, 2005 1:16:42 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

Hi Jim,

I suspect messing with the files within folders in the System Volume
Information folder would cause that restore point to become corrupt,
which in turn would cause any prior restore points to become corrupt
also. Did you experience different results after making modifications
within these folders?

--
Regards,
Bert Kinney MS-MVP Shell/User
http://dts-l.org/

Jim Donovan wrote:
> "Husky" wrote
>> Just a question in case it does happen. I have maybe 6-7
>> months of restore points currently and perfectly happy
>> with all of them. But something I've been reading here. If you get
>> a virus
>> there seems to be some
>> sort of opinion to delete all previous restore points if
>> the virus is found
>> inside a protected restore point folder.
>>
>> Wouldn't it make more sense that when you find a virus,
>> if there's any doubt to
>> whether it was cleaned or not, to restore the system one
>> restore point prior to
>> the virus ?
>>
>> --
>> more pix @ http://members.toast.net/cbminfo/index.html
>
> If you are curious as to what the restore points actually
> have in them then go to the System Volume Information
> folder which stores the restore points, I once had to go
> in and open a restore point to get rid of ALTNET, and a
> few other executables that were garbage. The best way to
> do this is in safe mode. I got this info from
> http://www.theeldergeek.com/system_volume_information_f...
>
> Good Luck
>
>
>
> Jim
Anonymous
April 7, 2005 1:31:35 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

On Wed, 6 Apr 2005 20:16:32 -0400, "Bert Kinney" <bert@NSmvps.org> wrote:

>Unfortunately you don't know when the corruption occurs, unless of
>course a virus scan shows an infection within the System Volume
>Information folder. One could also suspect restore point corruption on
>a system found to contain malware/spyware. To test system restore,
>create a restore point and immediately restore to it.

That wouldn't tell you a thing. I'm under the impression corruption being
referred to here is data corruption on the HD. That's happened several times
with instant power failures while writing to the HD.
Stuff like that can't be planned for or avoided without a battery power supply.
And then it might corrupt the restore points, only if that were the process
being written.

--
more pix @ http://members.toast.net/cbminfo/index.html
Anonymous
April 7, 2005 2:26:40 PM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

"Bert Kinney" <bert@NSmvps.org> wrote in message
news:eAcKVJ3OFHA.3072@TK2MSFTNGP09.phx.gbl...
> Hi Jim,
>
> I suspect messing with the files within folders in the System Volume
> Information folder would cause that restore point to become corrupt, which
> in turn would cause any prior restore points to become corrupt also. Did
> you experience different results after making modifications within these
> folders?
>
> --
> Regards,
> Bert Kinney MS-MVP Shell/User
> http://dts-l.org/
>
> Jim Donovan wrote:
>> "Husky" wrote
>>> Just a question in case it does happen. I have maybe 6-7
>>> months of restore points currently and perfectly happy
>>> with all of them. But something I've been reading here. If you get a
>>> virus
>>> there seems to be some
>>> sort of opinion to delete all previous restore points if
>>> the virus is found
>>> inside a protected restore point folder.
>>>
>>> Wouldn't it make more sense that when you find a virus,
>>> if there's any doubt to
>>> whether it was cleaned or not, to restore the system one
>>> restore point prior to
>>> the virus ?
>>>
>>> --
>>> more pix @ http://members.toast.net/cbminfo/index.html
>>
>> If you are curious as to what the restore points actually
>> have in them then go to the System Volume Information
>> folder which stores the restore points, I once had to go
>> in and open a restore point to get rid of ALTNET, and a
>> few other executables that were garbage. The best way to
>> do this is in safe mode. I got this info from
>> http://www.theeldergeek.com/system_volume_information_f...
>>
>> Good Luck
>>
>>
>>
>> Jim
>
>
Hello Bert

This all started out because SpyBot S & D and Microsoft Beta could not
remove the ALTNET registry key, and each time I tried an earlier restore
point I would still get this problem, because it was resident in the restore
points, so to clean this I had to delete the restore points(through the
System Restore function) go into safe mode and reclaim the permissions for
the registry and manually delete the keys, but to answer your question I am
not sure if deleting an .exe file in the restore point would corrupt the
file, I am not familiar with restore points being linked with each other, so
to me a simple deletion of the .exe should be okay or so I think, it would
be an interesting experiment though to actively delete files in the restore
point and then do a restore to that point, you can always reverse the
restore I guess if some of the files deleted interfered with the operation
of an application.



Jim
Anonymous
April 8, 2005 5:16:59 AM

Archived from groups: microsoft.public.windowsxp.newusers (More info?)

Ken Blake wrote:
> In news:09t8511r7db654jj9tpo2n5btqvpng8lfm@4ax.com,
> Husky <cbminfo@toast.net> typed:
>
>> On Wed, 6 Apr 2005 14:23:31 -0700, "Ken Blake"
>> <kblake@this.is.an.invalid.domain> wrote:
>>
>>
>>> The program designed to use the virus is the virus itself. If
>>> it's inside a restore point it can't execute, and can't do any
>>> harm unless, as I said, you restore that Restore Point.
>
>> I hate to tell you this, but virus are much more sophisticated
>> than
>> you want to believe. ie: One I cleaned weeks ago was nothing
>> more
>> than a html link to a web site. The payload was at the website.
>> The worst offenders now don't do any damage or even let you
>> know
>> they're there. You're thinking kiddie scripts that screw with
>> your OS
>> and annoy at a minimum.
>>
>> It hasn't happened to me yet, but it has to others. Virus,
>> Trojans
>> I'm not going to debate the semantics. Are now opening up your
>> drive
>> space as download space for pirate software, and spam relays to
>> divert the trail from the one using those virus/backdoors. And
>> who
>> knows what's in their bag of tricks now.
>>
>> Being dial up has its options. Not on long enough or with a
>> fast
>> enough connection to make the backdoor worthwhile.
>>
>>>> The opinion I've seen on this says dump all the restore
>>>> points
>>>> if you get a virus in one of them.
>>>
>>>
>>> Not necessary, as I said, as long as you don't restore that
>>> restore point.
>>>
>>>
>>>> Makes no sense. If the scan shows a new
>>>> virus and it's in one of the restore point folders, restoring
>>>> the system at that point, should bring the virus out in the
>>>> open
>>>> where it can be deleted or cleaned. thus retaining all
>>>> previous
>>>> restore points.
>>>
>>>
>>> No, you're mistaken. There's no need to restore the Restore
>>> Point
>>> containing the Virus. Even if you subsequently clean it, you
>>> accomplish nothing by doing this. If you have a Restore Point
>>> which includes a virus, you can at any time restore to an
>>> earlier
>>> Restore Point that doesn't include it. The only difficulty is
>>> knowing which Restore Points are infected and which are not.
>>
>> Again you miss my point. Restoring the point that includes in
>> the
>> virus would only be done for the purpose of cleaning of the
>> virus. If
>> you restore to a prior point, that'd be a different issue
>> altogether.
>> I'm just talking about points inside restore points.
>> Maybe I'm different, I scan at a minimum weekly. If I were to
>> find
>> one and have it reported as included in a hidden restore point,
>> the
>> next step to me would be to restore that point, It couldn't be
>> much
>> older than a week. And it would seem that it might have
>> actually been
>> created by the virus to hide itself.
>
>
> I'm not going to argue with you any further. I've made my points
> and you may believe me or not, as you choose. But you have a very
> mistaken view of what a restore point is.

Ken,

Never argue with an idiot. They bring you down to their level then beat you
with experience... ;o) <eg>


--
In memory of MS MVP Alex Nichol: http://www.dts-l.org/
Anonymous
April 9, 2005 9:14:23 PM

Archived from groups: microsoft.public.windowsxp.newusers

Thanks for the information Jim.


--
Regards,
Bert Kinney MS-MVP Shell/User
http://dts-l.org/


Jim Donovan wrote:
> "Bert Kinney" wrote
>> Hi Jim,
>>
>> I suspect messing with the files within folders in the
>> System Volume Information folder would cause that
>> restore point to become corrupt, which in turn would
>> cause any prior restore points to become corrupt also.
>> Did you experience different results after making
>> modifications within these folders? --
>> Regards,
>> Bert Kinney MS-MVP Shell/User
>> http://dts-l.org/
>>
>> Jim Donovan wrote:
>>> "Husky" wrote
>>>> Just a question in case it does happen. I have maybe
>>>> 6-7 months of restore points currently and perfectly happy
>>>> with all of them. But something I've been reading
>>>> here. If you get a virus
>>>> there seems to be some
>>>> sort of opinion to delete all previous restore points
>>>> if the virus is found
>>>> inside a protected restore point folder.
>>>>
>>>> Wouldn't it make more sense that when you find a virus,
>>>> if there's any doubt to
>>>> whether it was cleaned or not, to restore the system
>>>> one restore point prior to
>>>> the virus ?
>>>>
>>>> --
>>>> more pix @ http://members.toast.net/cbminfo/index.html
>>>
>>> If you are curious as to what the restore points
>>> actually have in them then go to the System Volume
>>> Information folder which stores the restore points, I
>>> once had to go in and open a restore point to get rid
>>> of ALTNET, and a few other executables that were
>>> garbage. The best way to do this is in safe mode. I got
>>> this info from
>>> http://www.theeldergeek.com/system_volume_information_f...
>>>
>>> Good Luck
>>>
>>>
>>>
>>> Jim
>>
>>
> Hello Bert
>
> This all started out because SpyBot S & D and Microsoft
> Beta could not remove the ALTNET registry key, and each
> time I tried an earlier restore point I would still get
> this problem, because it was resident in the restore
> points, so to clean this I had to delete the restore
> points (through the System Restore function) go into safe
> mode and reclaim the permissions for the registry and
> manually delete the keys, but to answer your question I
> am not sure if deleting an .exe file in the restore point
> would corrupt the file, I am not familiar with restore
> points being linked with each other, so to me a simple
> deletion of the .exe should be okay or so I think, it
> would be an interesting experiment though to actively
> delete files in the restore point and then do a restore
> to that point, you can always reverse the restore I guess
> if some of the files deleted interfered with the
> operation of an application.
>
>
> Jim