Cadillakin
I ask this question because I don't know.
Recently, my wife and daughters computer was infected with malware.
Although different scanners gave different readings, the infection was
probably Vundo and others associated with that system intrusion.
When I figured out that the computer was infected, I attempted system
restore. There were restore points extending back about two weeks; I
chose one a few days back. But when I restored from a couple of days
back, I was perplexed when the restore finished, it seemed to indicate
that I chose a restore point from that present moment... with a date of
Dec 14. I had chosen Dec 11, or thereabouts.
I couldn't go back and choose another one and try again. When I had
rebooted after attempting to clean and fix things, then use the system
restore... there was a nearly 5-10 minute pause before the login screen
appeared... AND system restore was disabled. Seemingly, when I got to the
desktop, ALL the progress I made in cleaning entries was undone. Back to
square zero.
Was the disabled and infected system restore somehow reinfecting the
system? And why such a long pause before the login screen? During that
time, there was indeed some writing to disk, as indicated by the sounds
and hard drive light on the computer case.
I eventually cleaned it all up... but it was a struggle as the malware had
disabled many of the system processes... i.e., copying was not allowed,
anti-malware and antivirus apps wouldn't run. MSI files were disabled... so
almost nothing would install. HijackThis did in fact run and was a huge
help in diagnostics. System help had also been removed... as well as the
run box. System passwords were changed, and many other common tasks were
disabled. I was able to use the run box on task manager... but none of it
really helped, because a reboot put me back to the pausing login screen
and the system was again totally reinfected.
A boot disk got me on the right track. I eventually deleted the infected
files in system32, cleared the trojan's registry entries with HijackThis,
and also deleted the restore points while using the boot disk. I finished
it up with a Windows repair. A long process indeed.
What happened when I attempted system restore? Am I mistaken or is it
possible for the trojan to subvert my chosen restore point date, instead,
backup the current state - then disable? And finally, can that infected
restore point be used by the malware to reinfect the system each and
every time the system reboots? Was that occurring when the system paused
at the login screen?