Topic: Virus in System Restore

FreewheelinFrank
Virus in System Restore
« on: June 20, 2005, 10:19:22 PM »
Hi,

Can somebody help me out here?

I've seen a lot of people say in threads that if a virus 'keeps coming back' the solution is to delete the system restore files.

For example:

Quote
If you find a virus keeps coming back after you delete it, it's most probably infected the System Restore folder.

Quote
...you may have to turn off the system restore as an infection can hide in it and will always return when you reboot.

Is it possible for a virus to be active in the system restore files: i.e. to infect the computer upon reboot without any action by the user? I had thought previously that virus files might exist in the system restore files, protected by the OS but not a threat unless the user were to run system restore and restore the computer to a time when the virus was active.

If viruses can be active in system restore, can somebody point me to a link for information.

Any help greatly appreciated.

Ta! Merci! Sukur! Grazie! Dank! muchly.

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

polonus
Re: Virus in System Restore
« Reply #1 on: June 20, 2005, 10:27:44 PM »
Hi FreewheelinFrank,

Go to this link, there you will get the basic info.
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleansystemrestore.shtml
It describes exactly what you are looking for.

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

FreewheelinFrank
Re: Virus in System Restore
« Reply #2 on: June 20, 2005, 10:34:27 PM »
Cheers Polonus, but this link only seems to confirm what I thought before:

Quote
System Restore is a feature of Windows XP and Windows ME and if the virus infects the computer, it is possible that the virus could be backed up in the system restore folder. To scan and clean System Restore, you need to disable it.

I.e. that viruses will be in the system restore folder but not active.

I want somebody to tell me if viruses can really 'keep coming back' and 'return when you reboot' without the user first using system restore, and if so, where can I read up on this?

DavidR
Re: Virus in System Restore
« Reply #3 on: June 20, 2005, 10:41:38 PM »
Personally I don't believe that just because the virus is in a restore point it can become active/restored on boot. Something else, another element or file, would have to initiate a restore of the missing file (virus).

As far as I'm aware system restore is inert, a little like a giant zip file I suppose, it must first be opened and the file (restore point) extracted. In the same way you normally have to initiate system restore and select a restore point to restore (this may also need a reboot?).
In order for something to automatically restore a virus it would have to know the _restore point allocated by windows to the deletion of the virus, which I think is unlikely.

When a virus supposedly comes back, we don't know it is the same exact one restored; the fact that it may be in a restore point, just confirms avast deleted it but windows saved it, it hasn't come back.
It is more likely that it is back because of other elements still being on the system and downloading it again, so HijackThis should be run also if things supposedly just come back.
It is also likely that it is back because of an unpatched vulnerability or revisiting those same web sites where they first got infected.

But I don't believe deleting the system restore points is of any help in the virus not coming back, a coincidence perhaps. Many people report a virus 'coming back' when avast detects it in a restore point.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

FreewheelinFrank
Re: Virus in System Restore
« Reply #4 on: June 20, 2005, 10:55:44 PM »
Thanks!

That was pretty much my understanding of the situation.

I wonder if it is also possible for clever viruses in memory to delete their own file, only rewriting it just before shutdown, and if this sort of situation would explain the sort of posting which says:

'avast! found a virus and I did what the program suggested but the virus just came back when I rebooted'?

I've paraphrased this posting

http://forum.avast.com/index.php?topic=14458.0

I think if avast! finds a virus in memory, it prompts to do a boot-time scan. I wonder if something about the option presented is confusing some users. Just a thought. Any comments appreciated...
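The triage DavidR describes (look for the other element that keeps re-dropping the file, rather than blaming the restore point) and the self-deleting, memory-resident case FreewheelinFrank raises can both be checked from a PowerShell prompt. The script below is an added example and not from any post in this thread; it is written for Windows PowerShell 5.1 on a current Windows build (Get-ScheduledTask needs Windows 8 or later), uses only built-in cmdlets, and only lists, never deletes. Run it elevated so that services and all processes are visible.

```powershell
# Added example (not from the forum thread): enumerate the usual autostart
# locations and any running process whose image file is missing from disk.
# Run in an elevated Windows PowerShell 5.1 prompt. Nothing here removes
# anything; it only lists what should be reviewed.

function Get-AutostartEntries {
    # Registry Run/RunOnce keys for the machine and the current user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/... note properties; skip them.
        $names = ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name
        foreach ($name in $names) {
            [pscustomobject]@{
                Source  = $key
                Name    = $name
                Command = $props.$name
            }
        }
    }

    # Services whose binary lives outside the Windows directory.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Service'
                Name    = $_.Name
                Command = $_.PathName
            }
        }

    # Scheduled tasks that execute a program (ComHandler actions have no Execute).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = $task.TaskName
                    Command = "$($action.Execute) $($action.Arguments)".Trim()
                }
            }
        }
    }
}

function Get-ProcessesWithMissingImage {
    # A running process whose on-disk image has been deleted is worth a look:
    # the code is live in memory even though a file scan finds nothing.
    Get-Process | Where-Object {
        $_.Path -and -not (Test-Path -LiteralPath $_.Path)
    } | Select-Object Id, ProcessName, Path
}

Get-AutostartEntries          | Format-Table -AutoSize
Get-ProcessesWithMissingImage | Format-Table -AutoSize
```

Read the Command column against the software you expect on the box; an entry pointing into a temp or profile directory is the "other element" DavidR means, and it is what re-downloads or re-drops the file after avast! deletes it. A process listed by the second function is exactly the in-memory case: killing it and then running a boot-time scan is the sensible order, since a file scan alone will not see it.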

polonus
Re: Virus in System Restore
« Reply #5 on: June 20, 2005, 11:22:23 PM »
Hi FreewheelinFrank,

One reason behind disabling of system restore is that Windows will not allow any third-party application access to the system restore folders (and virus authors know this), thus if you have a virus residing in the system restore folders your AV program will be denied access to it and subsequently it will be unable to remove the virus to quarantine.

Disabling system restore is not for the faint-hearted or inexperienced users, because on disabling system restore you will delete all of your previous restore points (checkpoints; but it will make a new one when you re-enable it), meaning you will not be able to restore to a point prior to that.

Windows by default will not allow the deletion of an application that is running; that is why we have to start up in Safe Mode. In XP you can choose the Safe Mode with Networking option or the Safe Mode with Command option (there you use no graphical interface). NUM lock must be off before the arrow keys on the numeric keypad will function, otherwise you can only operate the RESTORE CONSOLE.

Maybe this answered a few points,

polonus

DavidR
Re: Virus in System Restore
« Reply #6 on: June 21, 2005, 12:44:55 AM »
Unfortunately polonus, it doesn't answer the question posed by freewheelinfrank, "Is it possible for a virus to be active in the system restore files: i.e. to infect the computer upon reboot without any action by the user?"

I think the answer is no. I base this assumption on what would be required to achieve that task as explained in my previous post.

@ freewheelinfrank
I believe there are already viruses that do delete their carrier file once established and reside in memory. If avast was to detect one of these I would hope that it wouldn't get established.

I'm not sure whether avast scans memory as a normal part of the startup scanning process, but if it does it may detect it early enough to either delete it from memory or suggest a boot scan.

Lisandro
Re: Virus in System Restore
« Reply #7 on: June 21, 2005, 03:13:30 AM »
Quote
Is it possible for a virus to be active in the system restore files: i.e. to infect the computer upon reboot without any action by the user?

Oh, I think yes and no.
I mean, some actions of the user, knowingly or not, could bring back the system restore feature, activating files and, perhaps, the infected ones.
For instance: protected system files of Windows, driver restoration, etc.
The System Restore folder can only be 'opened' by System (but the Administrator could get rights for it).
In theory, any process logged on as System could use the files inside System Restore.
Definitively, for me, system restore is not the avast! Chest  8)
The best things in life are free.
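polonus's point that the restore store is off-limits to ordinary processes, and Lisandro's that only System can open it unless an Administrator takes rights, both come down to the ACL on the System Volume Information directory. The following is an added example, not code from either post or from avast!: it reads that ACL with icacls, lists the restore points Windows is holding, and shows the disable/enable cycle that discards them, the cost polonus warns about. The cmdlets are the built-in Windows PowerShell 5.1 ones (client SKUs only); the 'Post-cleanup baseline' description is my own choice.

```powershell
# Added example (not from the forum thread). Shows the three things discussed:
# 1. the ACL on System Volume Information, which is why a normal process, or a
#    file scan that is not running as SYSTEM, is refused access;
# 2. the restore points currently held;
# 3. turning System Restore off and back on, which discards every restore
#    point and so belongs after the active infection has been cleaned.
# Requires an elevated Windows PowerShell 5.1 prompt.

function Get-RestoreStoreAcl {
    param([string]$Drive = 'C:')
    $store = Join-Path $Drive 'System Volume Information'
    # icacls prints the DACL; on a default install the only ACE is
    # NT AUTHORITY\SYSTEM:(OI)(CI)(F). From a non-elevated session it reports
    # "Access is denied", which is the point polonus is making.
    & icacls.exe $store 2>&1
}

function Get-RestorePointSummary {
    # Get-ComputerRestorePoint returns WMI SystemRestore instances; CreationTime
    # is a DMTF string, so convert it for readability.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'
               Expression = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
}

function Reset-SystemRestore {
    param([string]$Drive = 'C:\')
    # Disabling deletes all existing restore points on the drive (polonus's warning).
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    # Take a fresh, clean checkpoint so there is something to roll back to.
    # Windows 8 and later silently skip this if a restore point was created in
    # the previous 24 hours.
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
}

Get-RestoreStoreAcl
Get-RestorePointSummary | Format-Table -AutoSize
# Reset-SystemRestore   # uncomment only after the active infection has been removed
```

The ordering matters: clear the live infection first (DavidR's autostart check, then a boot-time scan), confirm it stays gone across a reboot, and only then call Reset-SystemRestore. Doing it the other way round throws away your only rollback while the thing that re-drops the file is still present.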

FreewheelinFrank
Re: Virus in System Restore
« Reply #8 on: June 21, 2005, 09:42:29 AM »
Cheers Tech!

As of now, are there any viruses which can acquire system rights for themselves?

Lisandro
Re: Virus in System Restore
« Reply #9 on: June 21, 2005, 01:56:20 PM »
Quote
As of now, are there any viruses which can acquire system rights for themselves?

Any virus maker round to answer?  ::) ;D

polonus
Re: Virus in System Restore
« Reply #10 on: June 21, 2005, 02:09:32 PM »
Hi Tech,

I am not a virus maker, far from it, but FunLove for instance has system rights on the computer in a second stage of infection, where the Ntoskrnl.exe file is checked only during the startup process and a blue screen and error message are prevented by a patch of Ntldr, even if the checksum does not match. The workings of FunLove and Bolzano are quite similar; the same virus author is suspected. Here is a link:
http://www.securiteam.com/securitynews/3C5PRSAPPM.html
Hope this helps,

polonus
« Last Edit: June 21, 2005, 02:15:33 PM by polonus »

Lisandro
Re: Virus in System Restore
« Reply #11 on: June 21, 2005, 02:26:17 PM »
Quote
I am not a virus maker

Sure...

Quote
Hope this helps

Sure again... I was just trying to say that I'm not an expert - far from it - on virus behavior or technical stuff about how they run, infect, etc.
So, as we can see again, System Restore is not a Chest (Quarantine)  :P

DavidR
Re: Virus in System Restore
« Reply #12 on: June 21, 2005, 03:49:30 PM »
Quote
"Is it possible for a virus to be active in the system restore files: i.e. to infect the computer upon reboot without any action by the user?"
Oh, I think yes and no.
I mean, some actions of the user, knowingly or not, could bring back the system restore feature, activating files and, perhaps, the infected ones.
For instance: protected system files of Windows, driver restoration, etc.

But the question is to infect the computer upon reboot without any action by the user, so I think not.

Quote
The System Restore folder can only be 'opened' by System (but the Administrator could get rights for it).
In theory, any process logged on as System could use the files inside System Restore.
Definitively, for me, system restore is not the avast! Chest 8)

I agree, System restore is not the avast chest, but it is a windows protected storage area, so aside from all the other programming requirements to restore a deleted _restore point the virus would also have to circumvent the windows protection (which is probably the easiest part). Any form of automated recovery of a deleted virus (by another virus element), would need to know the _recovery point ID generated by Windows and then restore the virus to the previous location.

This requires a complex series of actions (especially after reboot) so I still believe the answer is no.

DavidR
Re: Virus in System Restore
« Reply #13 on: June 21, 2005, 03:56:13 PM »
Quote
As of now, are there any viruses which can acquire system rights for themselves?
Any virus maker round to answer? ::) ;D

If you are logged on as a user with administrator rights and you are browsing (downloading email, etc.) with those same rights, then if you are infected that virus also has administrator rights. It doesn't even have to allocate those rights to itself, so technically they would all be allocated administrator rights by default. This is one of the reasons they can put files in the system folders, I believe.

DropMyRights - Browsing the Web and Reading E-mail Safely as an Administrator
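DavidR's last point, that malware inherits whatever rights the logged-on user has, is easy to verify and to act on from PowerShell. The block below is an added example, not from the post or from DropMyRights itself: Test-IsElevated reports whether the current token actually carries Administrators, and Start-AsBasicUser launches a program through the built-in runas.exe /trustlevel switch, which applies the same SAFER "Basic User" level (0x20000) that DropMyRights requests through the API. The browser path is an assumption; substitute your own.

```powershell
# Added example (not from the forum thread). Two parts:
# 1. Test-IsElevated: is the Administrators group enabled in this session's
#    token? If so, anything launched from here inherits admin rights, which is
#    DavidR's point.
# 2. Start-AsBasicUser: launch a program under a restricted (Basic User) token
#    using runas.exe /trustlevel, the command-line equivalent of what
#    DropMyRights does via SaferComputeTokenFromLevel.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # Under UAC a non-elevated admin session has Administrators disabled in
    # its token, so this returns False there and True only when elevated.
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-AsBasicUser {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$Arguments = ''
    )
    # 0x20000 is the SAFER "Basic User" level (SAFER_LEVELID_NORMALUSER);
    # "runas /showtrustlevels" lists the levels available on the machine.
    $program = if ($Arguments) { "`"$Path`" $Arguments" } else { "`"$Path`"" }
    Start-Process -FilePath 'runas.exe' -ArgumentList "/trustlevel:0x20000 $program"
}

if (Test-IsElevated) {
    Write-Warning 'This session is elevated: anything started from it runs as Administrator.'
}

# Assumed browser path for illustration; change to the program you want to confine.
Start-AsBasicUser -Path 'C:\Program Files\Mozilla Firefox\firefox.exe'
```

A process started this way cannot write to Program Files or the system folders even when the parent session could, so an exploit in the browser lands with the rights of a limited user rather than those of the Administrator account. It is a mitigation for the "browsing as admin" habit, not a substitute for a separate limited account, which is still the cleaner setup polonus recommends in his signature.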