sysrestore trojan

Discussion in 'NOD32 version 2 Forum' started by bigc73542, Oct 29, 2004.

Thread Status:
Not open for further replies.
  1. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    And all these years I was under the impression that you couldn't clean or delete any malware from restore?
     

    Last edited: Oct 29, 2004
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Re: sysrestore trojan

    That's interesting. Was that a safe mode removal?
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Re: sysrestore trojan

    No, it was in real time.
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Re: sysrestore trojan

    The restore on this version of XP Pro is a little custom, and it does not show the restore folder anywhere; it cannot be found. But it is there and works like a dream.
     

  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Re: sysrestore trojan

    I know an antivirus can scan sys restore and find viruses.

    So you have modified the restore folder?
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Re: sysrestore trojan

    I didn't, but the programmer that customized my XP could have. I might have to ask. I like the ability to clean baddies out of restore.
     
  7. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Was that a scheduled scan or something?

    The scheduled scan is performed as the local system account, which has more access to the System Volume Information folder than normal users.

    Best regards,
    Anders
    nod32 antivirus
     
  8. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I was reading email and it popped up.
     
  9. Emniman

    Emniman Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    12
    Hmmm, I thought it looked interesting, so I took a peek in my quarantine and I've got 2 removals from the restore folder. :)
     
  10. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Yep... NOD32 found 4 viruses in my System Restore and cleaned them... and no, I have not modified System Restore... I don't think you can?

    Anyway, I've heard that you can only view them... but that's not true... it can delete them too!... I also had it find a virus in a zip file and successfully delete that one too!
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Nod or any other antivirus shouldn't be able to delete anything from inside the system restore folder.

    Where they do, they then make the entire system restore useless, as the log will not match the restore point(s), and consequently when you try to use it to get you out of trouble you will most likely get a message that system restore could not restore due to corrupted/damaged restore points.

    M$ made it so that only the system can insert into that folder, and it is supposed to be that only a complete restore can take place, not selective; if it finds one missing file or extra file that doesn't correspond to the log, it aborts the restore operation.

    I think that nod really should do what other antiviruses do and just warn of infections in system restore, as the only proper way to remove them is to completely purge the system restore as described by M$:

    that is, turn it off, reboot and turn it back on again.
     
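The two technical points in this thread, Anders' note that a scan running as LOCAL SYSTEM can reach the System Volume Information folder while an interactive user cannot, and dvk01's point that the supported way to clear infected restore points is to disable and re-enable System Restore, put together as an added PowerShell example. This is not code from the thread or from ESET; it assumes an elevated PowerShell on Windows Vista or later (the `*-ComputerRestore` cmdlets did not exist on XP), and the purge step only runs when `$PerformPurge` is set to `$true`.

```powershell
# Added example, not from the original thread. Run from an elevated prompt.
$PerformPurge = $false                      # set to $true to actually flush restore points
$svi   = Join-Path $env:SystemDrive 'System Volume Information'
$drive = "$env:SystemDrive\"

# Which account is this session running as? Scheduled AV scans run as
# NT AUTHORITY\SYSTEM, interactive sessions as the logged-on user.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as: $who"

# 1. Inspect the ACL on System Volume Information. By default only SYSTEM
#    holds Full Control; even an elevated administrator is usually refused
#    when merely reading the security descriptor, which is the restriction
#    Anders describes and the reason a SYSTEM-context scan sees more.
try {
    (Get-Acl -Path $svi -ErrorAction Stop).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
} catch {
    Write-Host "Cannot read ACL on '$svi' as $who : $($_.Exception.Message)"
    Write-Host "Only the SYSTEM account has access to this folder by default."
}

# 2. List the restore points currently held on the system drive so the
#    state before and after a purge can be compared.
Write-Host "Restore points before:"
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, CreationTime, Description | Format-Table -AutoSize

# 3. The Microsoft-documented purge dvk01 refers to: disabling System Restore
#    on a drive deletes every restore point on it (infected files included);
#    re-enabling it and creating a fresh checkpoint leaves a clean baseline.
#    Deleting single files from inside a point, by contrast, risks a point
#    that no longer matches its log.
if ($PerformPurge) {
    Disable-ComputerRestore -Drive $drive
    Enable-ComputerRestore  -Drive $drive
    Checkpoint-Computer -Description 'Clean baseline after System Restore purge' `
                        -RestorePointType MODIFY_SETTINGS
    Write-Host "Restore points after:"
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, CreationTime, Description | Format-Table -AutoSize
} else {
    Write-Host 'Purge skipped; set $PerformPurge = $true to disable/re-enable System Restore.'
}
```

The same effect is what the Windows XP System Restore settings dialog produces when System Restore is turned off and back on, as dvk01 describes; the cmdlets simply make the before/after comparison visible.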
  12. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Could one of you guys that have removed a virus from System Restore try and see if it will restore from that point? It would be a good experiment.
     
  13. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Also, could any of the folks that had NOD find a virus in System Restore and clean it make a new restore point and then try it to see if it works?
     
  14. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I restored to a point before and after it deleted the file, and restore still worked. I believe the reason it does what it does is that restore is integrated into the C drive partition. Restore does not have a separate partition like my other Win XP comp does. I finally found where it is located when I did a defrag with Diskeeper. But it is not labeled and does not have a folder listed for it, but it does work very well.

    bigc
     
    Last edited: Nov 2, 2004
  15. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    I haven't tried it... but I would think as long as it is just "extracting" funky files that aren't supposed to be there anyway and are not system critical... it should work just fine... kinda like deleting a file out of a zip file and still being able to open the zip file to get the rest of the files therein.
     
  16. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    It must be something along those lines.
     
  17. ?jram

    ?jram Guest

    I have done this before fooling around with restore. I had a virus in the system restore folder, I tried to do a system restore, it said it couldn't go to that date... I turned off my AV, tried the date again, it restored to the date, turned on my AV and caught the virus when I scanned... This is a good way to restore your system if it's really messed up... I haven't had a virus with NOD32, so I haven't tried it...
     