Virus in System Restore Point(s)

NerdUprising (joined 23 May 2003, 736 messages)
Each time I log in (after the computer has been sitting idle at the log in screen for any random amount of time) I receive three or so alerts (from AVG) that I have a virus at (insert path of System Volume Information\_restore\{some numbers and letters})... I run a full system scan, and it finds nothing. My guess is that I had a virus when I (or the system) created a restore point, which has since been removed. Now the virus sits in quarantine inside of a restore point that I will never use... how should I go about removing it?
 
Create a new restore point

now...
Open My Computer
Right click on your main windows system hard drive, select Properties
Click on the button Disk Cleanup
Click on the Advanced tab, and click the button to remove all but your last system restore point
Click OK

you now have only one restore point, but the remains of the virus should be gone
 
here is the solution

Microsoft Knowledge Base Article - 263455

Antivirus Tools Cannot Clean Infected Files in the _Restore Folder
This article was previously published under Q263455
SYMPTOMS
When you run an antivirus program, you may receive a report that indicates that one or more files in the _Restore\Temp or the _Restore\Archive folders contain a virus or are infected with a virus. Also, your antivirus program may indicate an inability to remove the virus from the file or files.
CAUSE
This behavior occurs because the System Restore feature in Windows Millennium Edition (Me) protects all folders and files in the _Restore folder on the Windows Me system partition. This folder and all of its subfolders are the data store that the System Restore feature uses to restore your computer's operating system to a previous state from a previous point in time.

Although some antivirus programs may have the ability to work with files that have been compressed or stored in .zip or .cab file format, the System Restore feature does not permit these utilities to manipulate these files within the data store. The data store is protected for data integrity purposes, and the System Restore feature is the only method you can use to obtain access to the data store. Because of this, the antivirus program is unable to remove the virus from the file or files in the data store. The files in the data store are inactive and can be used only by the System Restore feature.
RESOLUTION
To work around this behavior, use the appropriate method.
Use the First In First Out (FIFO) Feature
The FIFO routine purges the oldest restore points so that newer, more current restore points can be added to the data store. FIFO starts automatically when the files in the data store reach 90 percent of the maximum size of the data store. System Restore purges the oldest files first until the files in the data store occupy no more than 50 percent of the maximum size of the data store.

For example, if the maximum size of the data store is 400 megabytes (MB), 90 percent of this is 360 MB and 50 percent is 200 MB. If the data store is 200 MB when you view the properties of the _Restore folder, it is 50 percent of the maximum size. If you adjust the size of the data store to the minimum size of 200 MB, FIFO occurs when you click Apply.

NOTE: If the data store is less than 90 percent (180 MB) of the minimum (200 MB) value, adjusting the size does not have any effect in purging restore points. In this scenario, you must carefully consider the use of the methods that are described in this article.

Over a period of time, the data store purges restore points on a FIFO basis as the maximum size of the data store is reached. There are a few scenarios in which FIFO can be used to purge older restore points to retain more recent restore points on the computer.
FIFO Method 1
No action is required if the system has been cleaned and only the data store is reported by the antivirus tool to have suspicious files. Until all infected files are processed out on a FIFO basis, the antivirus tool may still report that there are infected files that it cannot obtain access to within the data store.
FIFO Method 2
You can trigger the FIFO feature to remove older restore points from the data store by resizing the data store. To use the System Restore feature to adjust the size of the data store:
View the properties of the _Restore folder to determine how much data is actually in the data store. You do this to determine if this step will have any effect on the data store. If the data store uses less than 90 percent (less than 180 MB) of the minimum value (200 MB), this method may have no effect on purging the restore points. If less than 90 percent of the data store is used, even at the minimum settings you should consider using FIFO method 1 or using the "Manually Purge the Data Store" method that is listed later in this article.
Click Start, point to Settings, and then click Control Panel.
Double-click System, and then click the Performance tab.
Click File System.
Adjust the System Restore disk space use slider to the approximate lower amount, and then click Apply.

Note that you can use the System Restore disk space use slider to select the minimum amount of space to allocate for the data store, the maximum amount, or a size in between. Adjusting the slider to a lower value changes the values that trigger FIFO. You may need to restart your computer for any changes to take effect.
Click OK, and then click OK to close System properties.
Use the antivirus tool to scan the computer to verify that the virus-infected files have been purged from the data store. If there are still infected files in the data store, repeat the previous steps and lower the data store size until the data store is clear of infected files.

Note that you can also use the calendar page in the System Restore tool to view how far back the restore points were purged.
After the infected files have been cleared from the data store by using this method, return the slider to the original or appropriate size, click OK to close any open windows, and then restart your computer.
If there still is an infected file in the data store after you resize the data store to the minimum size, you can either wait for it to be processed out on a FIFO basis (FIFO method 1), or you may want to consider using the "Manually Purge the Data Store" method that is described later in this article to remove all restore points on your computer.
Manually Purge the Data Store
To completely and immediately remove the infected file or files in the data store, disable and re-enable the System Restore feature.

WARNING: Using the following steps will completely remove all restore points from the data store. Do not use this method if this will cause problems. When you enable the System Restore feature again, the System Restore feature will create a new restore point and then resume monitoring your computer.
Click Start, point to Settings, and then click Control Panel.
Double-click System, and then click the Performance tab.
Click File System, and then click the Troubleshooting tab.
Click to select the Disable System Restore check box, click Apply, click to clear the Disable System Restore check box, click Apply, and then click OK.
Restart the computer when you are prompted to do so. When the computer restarts, the data store is purged and the System Restore feature begins monitoring the system again.
STATUS
This behavior is by design.
MORE INFORMATION
The _Restore folder is protected by default and prevents programs from using or manipulating the files that are within this folder. These files are inactive while in the data store and are not used by any utility other than System Restore.

The System Restore feature is not designed to detect or scan for virus infections or virus activity. Most computer virus infections seek or attack files with extensions such as .exe or .com. These are file types that the System Restore feature is designed to monitor.

NOTE: If you restore your computer to a previous state when you did not have an installed antivirus tool, you must install an antivirus tool and clean any files that were restored and are infected.
 
Many thanks Geffy - that fixed everything quite beautifully

and thank you tdinc for that bit of research, even though I'm rockin' the XP, but it's all good and groovy now, so thanks peoples

:)
 
Or do it the easy way like I do:

Turn off system volume backups under System Restore Settings, reboot, turn the restore points back on. Voilà, old points deleted, new ones created.
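Both purge procedures in this thread (Geffy's "create a new point, then remove all but the last" and the disable-then-re-enable trick, which is also the KB article's "Manually Purge the Data Store") are GUI steps for XP and Me. The following is an added example, not something posted in the thread, showing the same two procedures on Windows Vista and later from an elevated Windows PowerShell 5.1 prompt. The drive letter, restore-point descriptions and function names are assumptions; the cmdlets (Checkpoint-Computer, Get-ComputerRestorePoint, Enable/Disable-ComputerRestore) are Windows PowerShell only, so they are not available in PowerShell 7 or on XP/Me.

```powershell
# Added example (not from the thread): Windows Vista+ / Windows PowerShell 5.1
# equivalents of "remove all but the most recent restore point" and of
# "turn System Restore off, then back on". Run from an elevated prompt.
#Requires -RunAsAdministrator

$DriveLetter = 'C:'               # assumed: the drive whose restore points are flagged
$Drive       = "$DriveLetter\"

function Show-RestorePoints {
    # Restore points are stored inside VSS shadow copies of the volume.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description,
            @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
}

# Procedure 1: take a fresh, clean restore point first, then delete every
# older shadow copy on the volume (Disk Cleanup -> "all but the most recent").
function Remove-OldRestorePoints {
    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description 'Clean point before purge' -RestorePointType 'MODIFY_SETTINGS'

    # Win32_ShadowCopy.VolumeName uses the \\?\Volume{GUID}\ form, so map the letter first.
    $volumeId = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = '$DriveLetter'").DeviceID
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeId } |
        Sort-Object InstallDate |
        Select-Object -SkipLast 1 |             # keep only the newest (the one just created)
        ForEach-Object {
            Write-Host "Deleting shadow copy $($_.ID) from $($_.InstallDate)"
            Remove-CimInstance -InputObject $_
        }
}

# Procedure 2: disabling protection on a drive deletes all of its restore
# points; re-enable it and seed a new point so there is something to roll back to.
function Reset-RestorePoints {
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    Checkpoint-Computer -Description 'First point after purge' -RestorePointType 'MODIFY_SETTINGS'
}

Show-RestorePoints
Remove-OldRestorePoints        # or: Reset-RestorePoints
Show-RestorePoints             # only the freshly created point should be listed
```

Two caveats: on Windows 8 and later Checkpoint-Computer silently skips creating a point if one was made in the previous 24 hours (the SystemRestorePointCreationFrequency value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore controls this), so check Show-RestorePoints before trusting that a clean point exists; and deleting the shadow copies is what actually removes the infected files, so re-run the antivirus scan afterwards to confirm the alerts on System Volume Information are gone.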
 
Hmm...I have Sophos, and it penetrates right through the System Restore folders. In fact, the few worms / viruses I've had, they've inevitably been in those folders and I had no problem eliminating them. I wonder why the other antivirus progs can't do that too?

Melon
 
I installed avast and it found and cleaned a virus in my restore points. Norton and McAfee both missed it. Maybe it was just luck that Avast found it but it made a believer out of me. By the way I also use AVG on other computers I own and it has worked very well also.
 
iowaboy said:
I installed avast and it found and cleaned a virus in my restore points. Norton and McAfee both missed it.
Always a good idea to run a backup AV. No anti-virus is going to catch everything 100% of the time ... just too many virus/trojans/malware for one company to have definitions for. I like to use housecall as it's a good free online scanner. :)
 
The reason NAV missed it is because the System Volume Information folder (where the restore points are stored) is excluded from the virus scan by default. You can go to NAV, Options, Manual scan, exclusions and remove the SVI from there and the SVI will be included in the scan and the virus should be detected!


BTW - as I understand it, a virus in a restore point (even if undetected by NAV because of the exclusion) will not cause any harm - as if you should happen to use that restore point - the virus will be immediately detected (provided auto detect is on)!
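The post above describes the check (is System Volume Information on the scanner's exclusion list?) and the fix (remove the exclusion and rescan) as NAV GUI steps. As an added example that is not from the thread, the same check and targeted rescan for Microsoft Defender Antivirus on Windows 10/11, which exposes its exclusion list and scanner to PowerShell; the drive letter is an assumption, and whether any exclusion covers the folder depends on the machine's own configuration, which is exactly what the script reports.

```powershell
# Added example (not from the thread): find out whether the restore-point store
# is excluded from scanning, remove only the exclusion(s) that hide it, then scan
# the folder directly. Microsoft Defender Antivirus, elevated prompt.
#Requires -RunAsAdministrator

$SviPath = 'C:\System Volume Information'   # assumed system drive

# 1. Does any configured path exclusion cover the store (the folder itself or
#    a parent such as the whole drive)?
$exclusions = (Get-MpPreference).ExclusionPath
$covering   = $exclusions | Where-Object { $SviPath -like "$($_.TrimEnd('\'))*" }
if ($covering) {
    Write-Host "Excluded by: $($covering -join ', ')"
    Remove-MpPreference -ExclusionPath $covering   # leave unrelated exclusions alone
} else {
    Write-Host 'System Volume Information is not excluded'
}

# 2. Scan just that folder. It is ACL'd to SYSTEM, so let the engine (which
#    runs as SYSTEM) read it instead of trying to open the files yourself.
Start-MpScan -ScanType CustomScan -ScanPath $SviPath

# 3. List detections whose resource path is inside the store; the path shows
#    which restore point holds the file.
Get-MpThreatDetection |
    Where-Object { $_.Resources -like '*System Volume Information*' } |
    Select-Object InitialDetectionTime, ThreatID, Resources |
    Format-Table -AutoSize
```

If the scan does report a file inside the store, the scanner still cannot clean it in place (the point of the KB article quoted earlier), so the purge procedures in the thread remain the way to get rid of it.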
 
Xie said:
Always a good idea to run a backup AV. No anti-virus is going to catch everything 100% of the time ... just to many virus/trojans/malware for one company to have definitions for.


I take it you never looked at www.nod32.com :rolleyes:

about time you should ;)
 