Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Restore Point File Names


  • Please log in to reply
2 replies to this topic

#1 StarGator

StarGator

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Earth
  • Local time:02:50 PM

Posted 13 June 2010 - 05:49 AM

While I was watching a Malwarebytes' Antimalware scan, it was processing files in the System Volume Information directory, which contains restore points. Some files were being displayed as having names such as ... A000180.exe, A000181.dll, A000182.com, A000183.exe, A000184.sys .... and incrementing each filename by the digit 1 in the rightmost character, and increasing the digit to its left when the rightmost digit reached 9 and became 0 for the next filename. In other words, the names of the files were serial numbers with typical executable filename extensions.

Is that how the files are named by Windows XP for Restore Points?? I always thought that they would have the actual, original filename and extention, at least, even if not the entire pathname for each file. From time-to-time, MBAM drops to a longer line and appears to flash a longer pathname which seems normal, but it is too quick for me to really read before it resumes the series that I described above.

This is important because that filename format is used by a certain program, and the developer's tech support will only say that they have received and read my message, but they do not offer any actual information, advice or aid.

Thank-you for your assistance.
--- StarGator

Have you fallen into a wormhole today?

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:50 PM

Posted 14 June 2010 - 04:07 PM

Hello and welcome
I borrowed this reply from our quietman7

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan were in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malevolent files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point.



TO prevent this you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 StarGator

StarGator
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Earth
  • Local time:02:50 PM

Posted 23 June 2010 - 09:25 PM

Thank-you for your reply. That is what Malwarebytes Antimalware tech support told me, too.
--- StarGator

Have you fallen into a wormhole today?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users