Is This Possible?

1 reply to this topic

#1 Glaring_Foil
Posted 03 October 2011 - 11:30 AM

The other day I cleaned up a computer which was infected with the OpenCloud rogue anti-virus. I used ComboFix to initially remove it, then ran MalwareBytes, SuperAntiSpyware, and Spybot Search and Destroy afterwards which didn't really find anything other than cookies. The one thing I forgot to do was to remove all the previous system restore points.

Here's my issue: the computer was brought back to me two days later with the same exact problem again. I initially thought that maybe they just accidentally downloaded it again, but this didn't look like the case after looking at the history in Internet Explorer.

I looked at the Windows system log which showed that after the machine was powered on for an hour, Microsoft Security Essentials started finding and blocking viruses from the Windows system restore points. Shortly after, Microsoft Security Essentials was logging that settings within the program were being changed (the person who had the machine wouldn't have done this) and then there were a bunch of TCP/IP and DHCP errors after this (the machine wasn't able to get online anymore because the TCP/IP stack was infected).

Like I said, when I checked the Internet history, I really didn't see anything that would indicate that the person re-infected it. They also said they weren't able to get back online with it since they got it back (was working fine before I shut it down and gave it back to the person I repaired it for). My question is, is it really possible for Windows to become re-infected with a virus that was stored in the system restore points, even if system restore wasn't run?


#2 boopme
Posted 03 October 2011 - 03:47 PM

Yes. If you had a virus on the system when it made the restore point, that restore point will store the virus. The anti-virus software will clean the system and report that the virus has been removed, but then the restore point will re-infect the system. This is because the anti-virus software has no access to the restore point and therefore cannot detect the virus that is stored in it. You do not have to open the restore point for the restore point to re-infect the system. The virus in the restore point will infect the system on its own.
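The step the original poster says he forgot, purging the old restore points after a cleanup so nothing quarantined from the restore store can be brought back, can be scripted. The following is an added example written for this thread, not code from either poster; it assumes Windows PowerShell 5.x on a client edition of Windows (the thread's 2011-era machine may predate this), an elevated session, and that the system drive is C:.

```powershell
# Added example (not from either poster): list and purge System Restore points
# after a malware cleanup, then create a fresh known-clean baseline.
# Assumptions: Windows PowerShell 5.x on a client edition of Windows
# (Get-ComputerRestorePoint is not available on Server SKUs), elevated session,
# system drive is C:.

#Requires -RunAsAdministrator

$Drive     = 'C:\'   # assumption: system drive (Enable/Disable-ComputerRestore want the trailing backslash)
$VssVolume = 'C:'    # same volume in the form vssadmin expects

# 1. Show what is currently stored, with creation times, so the operator can
#    see which restore points predate the cleanup and may still hold infected files.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 2. Delete every shadow copy on the volume. Restore points live in Volume Shadow
#    Copies under System Volume Information, which is why a scanner that skips
#    that folder never sees the stored copy of the malware. /quiet skips the prompt.
vssadmin delete shadows /for=$VssVolume /all /quiet

# 3. Cycle System Restore off and on for the drive. Disabling it discards the
#    remaining restore-point cache; re-enabling starts from a clean slate.
Disable-ComputerRestore -Drive $Drive
Enable-ComputerRestore  -Drive $Drive

# 4. Record a fresh restore point taken from the now-clean system, so later
#    remediation steps have a safe point to roll back to.
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'

# 5. Verify: only the new baseline should be listed.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, RestorePointType
```

Run this only after the scanners have finished and the system is believed clean; deleting the shadow copies also removes any legitimate earlier restore points, which is the point of the exercise. On Windows 8 and later, Checkpoint-Computer refuses to create a second restore point within 24 hours of the previous one unless the SystemRestorePointCreationFrequency registry value has been lowered, so step 4 may report that it was skipped if a restore point was created earlier the same day.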
