Will Defender really delete the bad files that I have set in optio

Thread starter: Guest

page?

Because I just downloaded the beta 2 and did a 1st full scan of it and it
came up with no offending files. Then I downloaded the latest Defender
updates and did a 2nd full scan and it showed a few offending files. When I
looked over the files that it said it deleted I saw that the 1st session
scan had bad files that were deleted in the HKLM location, and then in the
2nd session scan a few of those same files showed up and were deleted but
this time it was in the C:\System Volume
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP495\A[some
numbers].exe

I couldn't find where that directory was so I couldn't verify it was indeed
deleted. I did check those in the HKLM registry and they are not there so I
am guessing they were deleted in the HKLM registry. Does the "restore" in the
C:\System Volume Information\_restore.... mean that it will restore those
deleted files or has Defender really deleted them for good?
Thanks for any help.
 
I doubt if Defender removed anything from your system restore area, because
it does not remove anything from system restore, or from archive (zipped)
files, or from quarantined files. The standard procedure following
cleaning of the registry however is to clean up system restore manually so
as not to risk accidentally restoring infected bits to your registry in the
future.

First create a new Restore Checkpoint: Start > Programs > Accessories >
System Tools > System Restore > Create a Restore Point.

Then: Start > Programs > Accessories > System Tools > Disk Cleanup > tab to
More Options > System Restore > Clean up.

This will remove all but the most recently created restore checkpoint, then
try another Windows Defender full scan, which should be completely clean.
Some people have complained of an excess of System Restore Checkpoints
created by WD (many per day), so be sure you really want to clean off the
older checkpoints before you do this. They will all roll off your system
eventually even if you do nothing, but I wouldn't use those older restore
points unless you were really desperate, since they will restore the HKLM
bits.
 
Thanks for that reply, but I am still a little confused about what you wrote
to what I was asking. I do not want to restore my computer to a previous
point.

To make it clearer, so you are saying that Defender will not/doesn't really
delete the files in the directory, C:\System Volume
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP495\A[some
numbers].exe, even though it said so in its History section that it has
deleted the offending files in that directory? And that at some later point
my computer will restore those offending files in C:\System Volume
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP495\..., that
Defender has said it deleted?

Like I said, I couldn't find the directory, C:\System Volume
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP495\..., to see
if those offending files are really gone. I even tried to use the Show All
Hidden files and folders option in Windows Explorer, but got no such
folder/directory. I do have a partitioned section on my C drive that it said
is used to do a "System Restore" procedure, but it is labeled as D drive
instead of C even though it is inside the C drive. So is this where the C:\System
Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP495\...,
is located?

Thanks.

 
Yes, I understand that you don't want to do any restore right now, but what
if you do a restore next week? It's an all or nothing situation, and you
might not want to bring back the registry entries that are backed up in
those older restore points. You're correct, WD does not attempt to clean
restore checkpoints, because the checkpoints are archive files, but it can
detect the signatures. So when you ask if at some later point your
computer will restore those offending files to your real registry, it's
more like you might ask for a restore of those older checkpoints
unintentionally, and that could be a problem. However it should not
happen automatically, and while they're just restore checkpoints they're safe.
Restored registry entries are often seen as a way more sophisticated
spyware re-establishes itself on a cleaned system. See this post and the
reply from Mike Treit [msft] for more information.

From: George
Subject: WD cannot delete files error 0x80501001
Date: Mon, 6 Mar 2006 04:46:27 -0800
Newsgroups: microsoft.private.security.spyware.general

My System Volume Information folder is located on C: which is the only
partition on my system. What's unique about it is that it's owned by
SYSTEM with full permissions, and no other user is shown with any
permissions in properties > security. Here's some more information on
accessing that folder using XP by changing user permissions:

http://support.microsoft.com/kb/309531
--

Regards, Dave

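Added example, not part of this thread and not Windows Defender's or Microsoft's code: a read-only Windows PowerShell script that checks the points the replies above turn on. It reports whether Explorer is set to show protected operating system folders (the "Show hidden files and folders" option alone does not reveal C:\System Volume Information, which is a folder at the root of the C: drive, not a separate partition), who holds permissions on that folder (SYSTEM only by default, as KB309531 describes), and which _restore{GUID}\RPnnn folders exist, matched against the restore points System Restore reports through WMI. It assumes the Windows XP System Restore layout the thread describes, Windows PowerShell 2.0 or later, and an Administrator account; the A<number>.exe file naming and the snapshot subfolder are XP System Restore conventions, while the variable names and messages are this example's own. Nothing is deleted or changed.

```powershell
# Added example (not from the original thread): read-only check of where XP-era
# System Restore keeps its copies of files, and why Explorer may not show the folder.
# Assumptions: the _restore{GUID}\RPnnn layout described in the thread, Windows
# PowerShell 2.0+, run from an Administrator account. Nothing is modified.

$drive = 'C:'
$svi   = Join-Path $drive 'System Volume Information'

# 1. Explorer treats SVI as a *protected operating system* folder. "Show hidden
#    files" (Hidden = 1) is not enough; "Hide protected operating system files"
#    must also be off (ShowSuperHidden = 1).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$p = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
$showHidden      = ($p.Hidden -eq 1)            # 1 = show hidden, 2 = do not show
$showSuperHidden = ($p.ShowSuperHidden -eq 1)   # 1 = show protected OS files
"Explorer: show hidden files = $showHidden, show protected OS files = $showSuperHidden"

# 2. By default the folder is owned by SYSTEM and SYSTEM is the only entry in
#    its ACL (KB309531 explains how to add your own account on NTFS).
try {
    $acl = Get-Acl -Path $svi
    "Owner of '$svi': $($acl.Owner)"
    $acl.Access | ForEach-Object { "  {0,-30} {1}" -f $_.IdentityReference, $_.FileSystemRights }
} catch {
    "Cannot read the ACL on '$svi': $($_.Exception.Message)"
}

# 3. Restore points known to System Restore (WMI class SystemRestore in
#    root\default on XP). SequenceNumber N corresponds to folder RP<N>.
$points = Get-WmiObject -Namespace 'root\default' -Class SystemRestore -ErrorAction SilentlyContinue |
          Sort-Object SequenceNumber
foreach ($rp in $points) {
    $t = [System.Management.ManagementDateTimeConverter]::ToDateTime($rp.CreationTime)
    "RP{0,-5} {1:yyyy-MM-dd HH:mm}  {2}" -f $rp.SequenceNumber, $t, $rp.Description
}

# 4. Look inside the RP folders. With the default ACL this fails with
#    "Access denied" until your account is added to the folder's permissions
#    (KB309531); the script reports that instead of changing anything.
#    An XP restore point stores copied files as A<number>.<ext> and copies of
#    the registry hives under snapshot\.
try {
    $rpDirs = Get-ChildItem -Path $svi -Force -ErrorAction Stop |
              Where-Object { $_.PSIsContainer -and $_.Name -like '_restore{*}' } |
              ForEach-Object {
                  Get-ChildItem -Path $_.FullName -Force |
                      Where-Object { $_.PSIsContainer -and $_.Name -like 'RP*' }
              }
    foreach ($d in $rpDirs) {
        $files = Get-ChildItem -Path $d.FullName -Force -Filter 'A*.exe' -ErrorAction SilentlyContinue
        $hives = Get-ChildItem -Path (Join-Path $d.FullName 'snapshot') -Force -ErrorAction SilentlyContinue
        "{0}: {1} copied .exe file(s), {2} snapshot file(s)" -f $d.Name, @($files).Count, @($hives).Count
    }
} catch {
    "Cannot list '$svi': $($_.Exception.Message) (expected with the default ACL; see KB309531)"
}
```

Run it from an elevated Windows PowerShell prompt. If step 4 reports "Access denied", the folder is present and intact; it is the default permissions, not a missing directory, that hide it from Explorer and from this script. On Vista and later, restore points are kept as volume shadow copies rather than RP folders, so step 4 finds nothing there even with permission.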
 