A Windows 98 & ME forum. Win98banter


System Restore



 
 
  #1  
Old March 15th 05, 08:25 PM
Sean

Seem to notice that a lot of spyware seems to attach themselves in this list
.... C:\_restore\temp.

Is there a way to write protect this item and then complete a system restore
manually? Would this reduce this type of behavior?

  #2  
Old March 15th 05, 08:56 PM
Jack E Martinelli

"You mention the problem of archived infected files. SR has no knowledge as
to the purpose of any archived file or whether it is "malware" (copyright
CQuirke) or not and treats all files the same. This means that it is
possible to restore to an infected state if the system was infected when the
checkpoint was being created. If however the system became infected or malware
arrived after the last checkpoint was created and this infection was
immediately deleted, the infected files will not be restored on rolling back
to the checkpoint even though copies of the infected files may be in the
_restore\temp folder. If however the system was infected at the time the
checkpoint was created, then yes, any subsequently deleted infected file
will be restored. See MS KB Q263455 - "Anti-Virus Tools Cannot Clean
Infected Files in the _Restore Folder"
(http://support.microsoft.com/support.../Q263/4/55.ASP).

Mike Maltby MS MVP
-----

--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
In Memoriam: Alex Nichol
http://www.microsoft.com/windowsxp/e...ts/nichol.mspx
Your cooperation is very appreciated.
------
"Sean" wrote in message
...
Seem to notice that a lot of spyware seems to attach themselves in this list
... C:\_restore\temp.

Is there a way to write protect this item and then complete a system restore
manually? Would this reduce this type of behavior?



  #3  
Old March 15th 05, 09:09 PM
Sean

So... rather than having this System Restore complete automatically.

Is there a procedure I can complete manually to ensure that this does not
happen?
  #4  
Old March 15th 05, 10:00 PM
Mike M

Sean,

A good place to start would be by reading and learning a bit about system
restore. What you are talking about isn't a problem, doesn't cause
problems and cannot be prevented. The solution is to flush the restore
archive but this should only be done once the system is clean and after
all traces of the malware have been removed other than for the restore
archive.
--
http://www.microsoft.com/windowsxp/e...ts/nichol.mspx
In memory of a very dear friend, Windows MVP Alex Nichol

Mike Maltby MS-MVP



Sean wrote:

So... rather than having this System Restore complete automatically.

Is there a procedure I can complete manually to ensure that this does
not happen?


  #5  
Old March 15th 05, 10:51 PM
Sean

Well, here's my dilemma.

When I purchase McAfee Virus Scan. I'm told that I have to run this in safe
mode.

Then it identifies and cleans two files that it located, however, the issue
persists as now they have been located in _restore\temp.

When the scan located them there it couldn't delete, quarantine, or clean
files.

Be easier to flush the system if the system could be better protected, no?

  #6  
Old March 15th 05, 11:05 PM
Mike M

Dilemma? What don't you understand in both Jack's and my posts and the KB
article to which Jack referred you?

May I repeat: "The solution is to flush the restore archive but this
should only be done once the system is clean and after all traces of the
malware have been removed other than for the restore archive." to which I
should have added "and the system is working correctly including being
able to connect to the net".

Be easier to flush the system if the system could be better
protected, no?


I'm sorry but I do have to ask, did you read the previous posts?
--
http://www.microsoft.com/windowsxp/e...ts/nichol.mspx
In memory of a very dear friend, Windows MVP Alex Nichol

Mike Maltby MS-MVP



Sean wrote:

Well, here's my dilemma.

When I purchase McAfee Virus Scan. I'm told that I have to run this in
safe mode.

Then it identifies and cleans two files that it located, however, the
issue persists as now they have been located in _restore\temp.

When the scan located them there it couldn't delete, quarantine, or
clean files.

Be easier to flush the system if the system could be better
protected, no?


  #7  
Old March 16th 05, 12:25 AM
Sean

This is what I'm saying, Mike, you shouldn't have to flush this archive if it
was better protected!

  #8  
Old March 16th 05, 01:13 AM
Mike M

Once again may I suggest you read a little about system restore as it
should help you understand how it works. What exactly is it that you
think should be protected and from what? That system restore should
protect itself from accessing its own archive? The system restore archive
structure is well protected and the entire contents harmless whilst in
that location.
--
http://www.microsoft.com/windowsxp/e...ts/nichol.mspx
In memory of a very dear friend, Windows MVP Alex Nichol

Mike Maltby MS-MVP



Sean wrote:

This is what I'm saying, Mike, you shouldn't have to flush this archive
if it was better protected!


  #9  
Old March 16th 05, 06:37 AM
Sean

Mike, here's my position.

I complete a virus scan in safe mode with system restore disabled and no
hidden files.

The first attempt indicates that it cleaned the files, however, the problem
still persisted and completed another scan.

This time the path showed the two viruses in C:\_restore\temp.....cpy.

Now, I've scanned using McAfee, Panda, Ad-aware, Spybot, CWShredder,
Stinger, HijackThis, Symantec's online scan ......I've gone through the
registry.

Having a little difficulty understanding how these files got into this area.
I like System Restore, although, what I originally asked was if the restore
can be write protected, "For Example, Mike", and manually complete a restore
point.

Then at a particular time complete scans and create a restore point.

  #10  
Old March 16th 05, 07:08 AM
Noel Paton

If you've disabled System Restore and there are still .CPY files present, then
you disabled it in an incorrect manner.

Note that you MUST reboot IMMEDIATELY after disabling System Restore if this
is to work properly.

You will now have to manually clear the Restore archive....
Boot to DOS, using your Startup Disk (if you don't have one and can't make
one from Start | Add/Remove Programs, then download a diskmaker from
www.bootdisk.com, and create the floppy by running the file)

At the A:\ prompt, type the following commands (followed by [return])


ATTRIB -S -R -H C:\_RESTORE

REN C:\_RESTORE OLDREST


When the A:\ prompt returns, remove the floppy, and reboot the PC. The
Control Files will be rebuilt, and a Restore point should be created.

Then delete the C:\OLDREST folder, and reboot again.

Finally, adjust the space allocated to the restore folder.

--
Noel Paton (MS-MVP 2002-2005, Windows)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

In fond memory of one of life's Gentlemen - Alex Nichol
http://www.aumha.org/alex.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's

"Sean" wrote in message
...
Mike, here's my position.

I complete a virus scan in safe mode with system restore disabled and no
hidden files.

The first attempt indicates that it cleaned the files, however, the problem
still persisted and completed another scan.

This time the path showed the two viruses in C:\_restore\temp.....cpy.

Now, I've scanned using McAfee, Panda, Ad-aware, Spybot, CWShredder,
Stinger, HijackThis, Symantec's online scan ......I've gone through the
registry.

Having a little difficulty understanding how these files got into this area.
I like System Restore, although, what I originally asked was if the restore
can be write protected, "For Example, Mike", and manually complete a restore
point.

Then at a particular time complete scans and create a restore point.



 



