System Restore

Sean - 15 Mar 2005 21:25 GMT
Seem to notice that a lot of spyware seems to attach themselves in this list
... C:\_restore\temp.

Is there a way to write protect this item and then complete a system restore
manually? Would this reduce this type of behavior?
Jack E Martinelli - 15 Mar 2005 21:56 GMT
"You mention the problem of archived infected files.  SR has no knowledge as
to the purpose of any archived file or whether it is "malware" (copyright
CQuirke) or not and treats all files the same.  This means that it is
possible to restore to an infected state if the system was infected when the
checkpoint was being created.  If however the system became infected or malware
arrived after the last checkpoint was created and this infection was
immediately deleted the infected files will not be restored on rolling back
to the checkpoint even though copies of the infected files may be in the
_restore\temp folder.  If however the system was infected at the time the
checkpoint was created, then yes, any subsequently deleted infected file
will be restored.  See MS KB Q263455 - "Anti-Virus Tools Cannot Clean
Infected Files in the _Restore Folder"
(http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP)."

Mike Maltby  MS MVP
-----

Signature

Jack E. Martinelli    2002-05 MS MVP for Shell/User      / DTS
Help us help you:  http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/security/protect/default.aspx
In Memoriam:  Alex Nichol
http://www.microsoft.com/windowsxp/expertzone/meetexperts/nichol.mspx
Your cooperation is very appreciated.
------

> Seem to notice that a lot of spyware seems to attach themselves in this list
> ... C:\_restore\temp.
>
> Is there a way to write protect this item and then complete a system restore
> manually? Would this reduce this type of behavior?
Sean - 15 Mar 2005 22:09 GMT
So... rather than having this System Restore complete automatically.

Is there a procedure I can complete manually to ensure that this does not
happen?
Mike M - 15 Mar 2005 23:00 GMT
Sean,

A good place to start would be by reading and learning a bit about system
restore.  What you are talking about isn't a problem, doesn't cause
problems and cannot be prevented.  The solution is to flush the restore
archive but this should only be done once the system is clean and after
all traces of the malware have been removed other than for the restore
archive.
Signature

http://www.microsoft.com/windowsxp/expertzone/meetexperts/nichol.mspx
In memory of a very dear friend, Windows MVP Alex Nichol

Mike Maltby MS-MVP
mike.maltby@gmail.com

> So... rather than having this System Restore complete automatically.
>
> Is there a procedure I can complete manually to ensure that this does
> not happen?
Sean - 15 Mar 2005 23:51 GMT
Well, here's my dilemma.

When I purchase McAfee Virus Scan, I'm told that I have to run this in safe
mode.

Then it identifies and cleans two files that it located, however, the issue
persists as now they have been located in _restore\temp.

When the scan located them there it couldn't delete, quarantine, or clean
files.

Be easier to flush the system if the system could be better protected, no?
Mike M - 16 Mar 2005 00:05 GMT
Dilemma?  What don't you understand in both Jack and my posts and the KB
article to which Jack referred you?

May I repeat: "The solution is to flush the restore archive but this
should only be done once the system is clean and after all traces of the
malware have been removed other than for the restore archive." to which I
should have added "and the system is working correctly including being
able to connect to the net"

> Be easier to flush the system if the system could be better
> protected, no?

I'm sorry but I do have to ask, did you read the previous posts?
Signature

http://www.microsoft.com/windowsxp/expertzone/meetexperts/nichol.mspx
In memory of a very dear friend, Windows MVP Alex Nichol

Mike Maltby MS-MVP
mike.maltby@gmail.com

> Well, here's my dilemma.
>
[quoted text clipped - 9 lines]
> Be easier to flush the system if the system could be better
> protected, no?
Sean - 16 Mar 2005 01:25 GMT
This is what I'm saying Mike, you shouldn't have to flush this archive if it
was better protected!
Mike M - 16 Mar 2005 02:13 GMT
Once again may I suggest you read a little about system restore as it
should help you understand how it works.  What exactly is it that you
think should be protected and from what?  That system restore should
protect itself from accessing its own archive?  The system restore archive
structure is well protected and the entire contents harmless whilst in
that location.
Signature

http://www.microsoft.com/windowsxp/expertzone/meetexperts/nichol.mspx
In memory of a very dear friend, Windows MVP Alex Nichol

Mike Maltby MS-MVP
mike.maltby@gmail.com

> This is what I'm saying Mike, you shouldn't have to flush this archive
> if it was better protected!
Sean - 16 Mar 2005 07:37 GMT
Mike, here's my position.

I complete a virus scan in safe mode with system restore disabled and no
hidden files.

The first attempt indicates that it cleaned the files, however, the problem
still persisted and completed another scan.

This time the path showed the two viruses in C:\_restore\temp.....cpy.

Now, I've scanned using McAfee, Panda, Ad-aware, Spybot, CW Shredder,
Stinger, HiJack this, Symantec's online scan ......I've gone through the
registry.

Having a little difficulty understanding how these files got into this area.
I like System Restore, although, what I originally asked was if the restore
can be write protected, "For Example, Mike", and manually complete a restore
point.

Then at a particular time complete scans and create a restore point.
Noel Paton - 16 Mar 2005 08:08 GMT
If you've disabled System Restore and there's still .CPY files present, then
you disabled it in an incorrect manner.

Note that you MUST reboot IMMEDIATELY after disabling System Restore if this
is to work properly.

You will now have to manually clear the Restore archive....
Boot to DOS, using your Startup Disk (if you don't have one and can't make
one from Start | Add/Remove Programs, then download a diskmaker from
www.bootdisk.com, and create the floppy by running the file)

At the A:\> prompt, type the following commands (followed by [return])

ATTRIB -S -R -H C:\_RESTORE

REN C:\_RESTORE OLDREST

When the A:\> prompt returns, remove the floppy, and reboot the PC. The
Control Files will be rebuilt, and a Restore point should be created.

Then delete the C:\OLDREST folder, and reboot again.

Finally adjust the space allocated to the restore folder

Signature

Noel Paton (MS-MVP 2002-2005, Windows)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

In fond memory of one of life's Gentlemen - Alex Nichol
http://www.aumha.org/alex.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's

> Mike, here's my position.
>
[quoted text clipped - 20 lines]
>
> Then at a particular time complete scans and create a restore point.
Sean - 29 Mar 2005 00:57 GMT
The problem that I have is I cannot create a boot disk.

The external CD drive I have doesn't read my bootable CDs either.

Is there an option to complete this running dos under accessories?

and for the "dummies" maybe they could assist in creating a boot disk using
a flash drive or memory stick slot rather than cds; would be helpful
Noel Paton - 29 Mar 2005 01:02 GMT
You'll have to ask Sony how to do it - they should have supplied a means to
do so

Signature

Noel Paton (MS-MVP 2002-2005, Windows)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

In fond memory of one of life's Gentlemen - Alex Nichol
http://www.aumha.org/alex.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's

> The problem that I have is I cannot create a boot disk.
>
[quoted text clipped - 5 lines]
> using
> a flash drive or memory stick slot rather than cds; would be helpful
Mike M - 16 Mar 2005 16:22 GMT
> I complete a virus scan in safe mode with system restore disabled and
> no hidden files.

Why disable system restore rather than simply resetting it?  Have you read
up yet on system restore?

Resetting system restore clears the archive.  If it doesn't then clear the
archive manually from DOS.  Then immediately re-enable when back in
Windows.  To leave system restore disabled is like sky diving without a
parachute, a sport which from your many posts in these newsgroups over the
past weeks you could be fond of - either that or like scuba diving without
a breathing set <g>.  Perhaps you make hourly backups of your system, in
which case well done, but if not then you, possibly more than most during
this time of experimentation, need system restore running and fully
working.

I see that Noel has kindly posted details of how to correctly reset system
restore and also how to clear the archive from DOS.

Regards,
Signature

http://www.microsoft.com/windowsxp/expertzone/meetexperts/nichol.mspx
In memory of a very dear friend, Windows MVP Alex Nichol

Mike Maltby MS-MVP
mike.maltby@gmail.com

> Mike, here's my position.
>
[quoted text clipped - 16 lines]
>
> Then at a particular time complete scans and create a restore point.
Sean - 16 Mar 2005 17:31 GMT
When System restore was disabled a reboot automatically is requested and was
completed at that time.

The Virus Scan indicated that two files were in C:\_restore\temp  .. cpy.

Could not clean, quarantine, or delete at this point.
Mike M - 16 Mar 2005 17:41 GMT
> Could not clean, quarantine, or delete at this point.

I'm sorry but I have to ask once again have you read anything about system
restore yet or even my last reply?
Signature

http://www.microsoft.com/windowsxp/expertzone/meetexperts/nichol.mspx
In memory of a very dear friend, Windows MVP Alex Nichol

Mike Maltby MS-MVP
mike.maltby@gmail.com

> When System restore was disabled a reboot automatically is requested
> and was completed at that time.
[quoted text clipped - 3 lines]
>
> Could not clean, quarantine, or delete at this point.
BJ Honeycut - 16 Mar 2005 19:00 GMT
On Wed, 16 Mar 2005 16:41:13 GMT,"Mike M" <No_Spam@Corned_Beef.Only>
penned this whopper in microsoft.public.windowsme.software

>> Could not clean, quarantine, or delete at this point.
>
> I'm sorry but I have to ask once again have you read anything about
> system restore yet or even my last reply?

Cleaning infections of System Restore files for Dummies:
Download the latest "F-Prot" and make a floppy.
Boot the floppy and run the program.
Done.

Signature

             "Time will bring to light whatever is hidden;
  it will cover up and conceal what is now shining in splendor."
               Horace (65 - 8 BC); Roman poet.

Mike

Mike M - 16 Mar 2005 19:19 GMT
Mike,

Somewhat overkill but hopefully simple enough for Sean to manage to do.
Noel has already explained how to delete the entire _RESTORE folder from
DOS but Sean for some reason doesn't seem to have done this as otherwise he
wouldn't be seeing any infected CPY files in that location.

What concerns me about an application like F-Prot removing individual
infected files from the archive is that this might then leave the user
under the impression that the checkpoints can still be used.  However that
is not the case and the restore will fail if one of the files has been
removed so personally I feel it better to get the system running as
intended and then boot to DOS and wipe the _RESTORE archive entirely, good
files and bad.

Regards,
Signature

http://www.microsoft.com/windowsxp/expertzone/meetexperts/nichol.mspx
In memory of a very dear friend, Windows MVP Alex Nichol

Mike Maltby MS-MVP
mike.maltby@gmail.com

> Cleaning infections of System Restore files for Dummies::
> Download the latest "F-Prot" and make a floppy.
> Boot the floppy and run the program.
> Done.
BJ Honeycut - 16 Mar 2005 19:49 GMT
On Wed, 16 Mar 2005 18:19:56 GMT,"Mike M" <No_Spam@Corned_Beef.Only>
penned this whopper in microsoft.public.windowsme.software

> Mike,
>
[quoted text clipped - 13 lines]
>
> Regards,

you're right, and I usually go through the more involved process of
disabling SR, removing the bad guys, then killing those restore points, but
I did say it was for "dummies" right?

Signature

             "Time will bring to light whatever is hidden;
  it will cover up and conceal what is now shining in splendor."
               Horace (65 - 8 BC); Roman poet.

Mike

Mike M - 16 Mar 2005 20:06 GMT
> you're right, and I usually go through the more involved process of
> disabling SR, removing the bad guys, then killing those restore
> points, but I did say it was for "dummies" right?

Indeed you did Mike and hopefully will now fix the problem.

Thanks for a most helpful post that could well help Sean resolve his
problems in clearing the archive.

Regards and best wishes,
Signature

Mike M

 