Posted 03 October 2011 - 11:30 AM
The other day I cleaned up a computer that was infected with the OpenCloud rogue anti-virus. I used ComboFix to remove it initially, then ran Malwarebytes, SUPERAntiSpyware, and Spybot Search & Destroy afterwards, which didn't really find anything other than cookies. The one thing I forgot to do was remove all the previous System Restore points.
Here's my issue: the computer was brought back to me two days later with the exact same problem. I initially thought that maybe they had just accidentally downloaded it again, but this didn't look like the case after looking at the history in Internet Explorer.
I looked at the Windows System log, which showed that after the machine had been powered on for an hour, Microsoft Security Essentials started finding and blocking viruses from the Windows System Restore points. Shortly after, Microsoft Security Essentials was logging that settings within the program were being changed (the person who had the machine wouldn't have done this), and then there were a bunch of TCP/IP and DHCP errors after that (the machine wasn't able to get online anymore because the TCP/IP stack was infected).
Like I said, when I checked the Internet history, I really didn't see anything that would indicate that the person re-infected it. They also said they weren't able to get back online with it since they got it back (it was working fine before I shut it down and gave it back to the person I repaired it for). My question is: is it really possible for Windows to become re-infected with a virus that was stored in the System Restore points, even if System Restore wasn't run?
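As an added example that is not part of the original post: a PowerShell script for the cleanup step the poster describes forgetting, written for an elevated Windows PowerShell prompt on a Windows 7-era client. It lists the existing restore points, pulls the Microsoft Security Essentials detection and settings-change events out of the System log so they can be lined up against the TCP/IP and DHCP errors, then purges every restore point and creates a fresh one. The provider name 'Microsoft Antimalware' and the event IDs 1116/1117/5007 are assumptions about how MSE logs, not something the post states, and the function names are this example's own.

```powershell
# Added example, not code from the original post. Run from an elevated Windows PowerShell prompt.
# Assumptions: Windows client with System Restore available on the system drive; Microsoft
# Security Essentials writes to the System log under provider 'Microsoft Antimalware' with
# 1116 = malware detected, 1117 = action taken, 5007 = configuration changed.

$SystemDrive = "$env:SystemDrive\"

function Get-RestorePointSummary {
    # Every restore point is a shadow copy under System Volume Information; an infected
    # file captured there survives the on-disk cleanup and is what MSE later flags.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) }}
}

function Get-AntimalwareTimeline {
    param([int]$Hours = 24)
    # Detections (1116/1117) and configuration changes (5007) in one ordered list, so the
    # "settings were changed" events can be compared against the network failures.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft Antimalware'   # assumed MSE provider name
        Id           = 1116, 1117, 5007          # assumed MSE event IDs
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id,
            @{Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] }}
}

function Get-RestorePointDetections {
    param([int]$Hours = 24)
    # Only the detections whose path points into a shadow copy, i.e. the restore points.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft Antimalware'; Id = 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'System Volume Information' } |
        Select-Object TimeCreated, Id
}

function Remove-AllRestorePoints {
    # Turning System Protection off deletes every restore point on the drive. The vssadmin
    # call clears any remaining shadow copies, then protection is re-enabled and a fresh,
    # post-cleanup restore point is created so the machine still has a known-good point.
    Disable-ComputerRestore -Drive $SystemDrive
    vssadmin delete shadows /For=$env:SystemDrive /All /Quiet | Out-Null
    Enable-ComputerRestore -Drive $SystemDrive
    Checkpoint-Computer -Description 'Clean after rogue AV removal' -RestorePointType 'MODIFY_SETTINGS'
}

'Restore points before cleanup:'
Get-RestorePointSummary | Format-Table -AutoSize
'MSE detections inside restore points (last 24h):'
Get-RestorePointDetections | Format-Table -AutoSize
'MSE detection and settings-change timeline (last 24h):'
Get-AntimalwareTimeline | Format-Table -AutoSize -Wrap

Remove-AllRestorePoints
'Restore points after cleanup:'
Get-RestorePointSummary | Format-Table -AutoSize
```

Run the two reporting functions first and keep their output; once Remove-AllRestorePoints has run, the shadow copies that held the flagged files are gone and there is nothing left to inspect. Get-ComputerRestorePoint and Checkpoint-Computer are client-SKU cmdlets and will not work on Windows Server.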