• Can a virus create or delete System Restore points?

    #490887

    My machine began acting oddly starting last Friday. I was initially unable to get the System Restore application to run. After taking several other steps over the weekend to locate and remove any possible viruses, I am now able to run System Restore. However, it is only showing me one Restore point which is from a point in time prior to when I believe the infection took place. And that Restore point has a timestamp of just after midnight on the day before the beginning of the infection… even though I am certain the machine was turned off at that time. So I have two questions:

    – Is it possible for a virus to delete system restore points which were created prior to when the machine was infected?
    – Is it possible for a virus to infect a machine, and then create its own restore point with a phony date and time?

    My machine has more than enough space for restore points, so there is no reason why it should have lost all of those which were created prior to last Friday. I’m probably being paranoid here, but I suspect that this virus may have deleted all the other old restore points, and then saved itself in a restore point which only looks like it was created prior to the infection. Has anyone heard of that happening, or if that is even possible?

    Thanks,
    Ted

    • #1410918

      Welcome to the Lounge!

      “locate and remove any possible viruses” <- resulting details would be useful 😉

      Almost anything is possible with malware, Ted. Best advice would be to take it to a specialist malware forum like Majorgeeks, BleepingComputer, TechSupportForum, Sysnative.com, etc.

      If you can access the logs from your anti-malware programs for the current problems, zip and attach them here, it should be possible to gain some clues from them.

    • #1410953

      I also would not trust that restore point. If the virus somehow did something, this restore point could re-install the virus and start your problems over again.

      This is one of those times when a System Image created recently would have saved your bacon so to speak.

      • #1411559

        Hi,

        I just wanted to mention that you are probably not being paranoid in this case. Viruses often do turn off system restore entirely or remove older restore points. I assume it is done since it makes it harder to easily get around the viruses. I have seen this multiple times in my computer repair business.

        I would not trust the one restore point that is available and, as others have mentioned, go to some other web sites for more detailed help in removing the possible virus.

        Good Luck

        • #1411616

          Totally agree. The “bad guys” who unleash this stuff are continuously getting better at preventing us from using tools to beat their malware. Lately I’ve seen some that prevents booting into safe mode. My last resort (before removing the HD and scanning it as an attached drive) has been to use the Windows 7 Repair Disk that I was wise enough to create. I use it to do a system restore.

    • #1411672

      I had one recently which prevented safe mode restart, but I was able to start in command mode and run Malwarebytes from DOS without internet, then log onto MBAM updates and run it again. It was the “Extortion Virus.” It did delete my restore points and disable “Task Manager”.
      It pays to know how to get to A-Virus SW in DOS.

      • #1411743

        Suppose some malware has somehow gotten into your Windows system but it has not yet shown any obvious symptoms to make you suspect a problem exists. Then Windows creates a new Restore Point (for example, you told Windows to create one before you install some new software, or a Windows Update causes a new Restore Point to be created, etc.). Now, your Restore Point includes the malware, so when you use System Restore you are bringing back the malware again. To fix this, delete all Restore Points, then run anti-virus or whatever to remove the malware, then re-boot. With the Restore Points gone the malware should also be gone.

    • #1414944

      There are several AV and AS programs that you can set to scan inside of Restore Points.
      They can find and remove viruses stored there.

      Another way to eliminate those is to shut off system restore and reboot. That erases all Restore points.
      Then turn System Restore back on and manually make a new restore point.

      I run a script, in my Startup folder, that forces a new Restore Point every time I boot up my PC. That’s at least once a day. It’s always good to have a fresh Restore Point when you need it. Eh?

      Cheers Mates!
      The Doctor 😎

      PS: If you’d like a copy of that script to Force an Instant Restore Point. Here it is:
      https://app.box.com/s/v0s7fhxx7yah6wgynik2
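
An added example, not the script linked in the post above and not from any poster in this thread: before trusting or replacing restore points, list them and compare each timestamp with the boot and shutdown records in the System event log, then create a fresh checkpoint. It assumes Windows PowerShell 5.1 in an elevated prompt, `C:\` as the system drive, and a made-up description string.

```powershell
# Added example. Assumptions: elevated Windows PowerShell 5.1, system drive C:\.
$drive = 'C:\'

# Event log service start (6005, written at boot) and stop (6006, written at a
# clean shutdown) from the System log, oldest first.
$power = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'EventLog'; Id = 6005, 6006
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# One row per restore point: readable local timestamp plus the last power
# record logged before it.
$report = foreach ($rp in (Get-ComputerRestorePoint -ErrorAction SilentlyContinue)) {
    $created = [Management.ManagementDateTimeConverter]::ToDateTime($rp.CreationTime)
    $last    = $power | Where-Object { $_.TimeCreated -le $created } |
               Select-Object -Last 1
    [pscustomobject]@{
        Sequence    = $rp.SequenceNumber
        Created     = $created
        Description = $rp.Description
        # A 6006 as the latest record means the log shows the PC shut down
        # before this restore point's timestamp and not yet booted again.
        PowerState  = if (-not $last)           { 'no record' }
                      elseif ($last.Id -eq 6006) { 'logged as OFF' }
                      else                       { 'on' }
    }
}
$report | Sort-Object Created | Format-Table -AutoSize

# Limits of the check: a hard power-off writes no 6006, and a cleared or
# rolled-over System log yields 'no record', so treat the result as a hint.

# Once the machine is clean, make sure protection is on and take a new point.
# On Windows 8 and later, Checkpoint-Computer does not create a second restore
# point within 24 hours of the previous one.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
```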

      • #1415527

        Most malware and viruses nowadays are able to delete the system restore points and create their own. Rather than depending on Windows for restoring the system, I would recommend you go for a third-party solution like Faronics Deep Freeze, etc. This type of system software restores the original configuration on every restart. I faced the same issue several months ago and lost most of my data. At that time, I repaired my Windows 7 OS but was not able to get the data back. That’s why, rather than depending on Windows restore, I installed Deep Freeze, which works well for me.
