Is System Restore Being Subverted and Used by Current Malware?

I ask this question because I don't know.

Recently, my wife and daughters' computer was infected with malware.
Although different scanners gave different readings, the infection was
probably Vundo and others associated with that system intrusion.

When I figured out that the computer was infected, I attempted System
Restore. There were restore points extending back about two weeks; I
chose one a few days back. But when I restored from a couple of days
back, I was perplexed when the restore finished: it seemed to indicate
that I chose a restore point from that present moment... with a date of
Dec 14. I had chosen Dec 11, or thereabouts.

I couldn't go back and choose another one and try again. When I had
rebooted after attempting to clean and fix things, then used System
Restore... there was a nearly 5-10 minute pause before the login screen
appeared... AND System Restore was disabled. Seemingly, when I got to the
desktop, ALL the progress I made in cleaning entries was undone. Back to
square zero.

Was the disabled and infected system restore somehow reinfecting the
system? And why such a long pause before the login screen? During that
time, there was indeed some writing to disk, as indicated by the sounds
and hard drive light on the computer case.

I eventually cleaned it all up... but it was a struggle as the malware had
disabled many of the system processes... i.e., copying was not allowed,
anti-malware and antivirus apps wouldn't run. MSI files were disabled... so
almost nothing would install. HijackThis did in fact run and was a huge
help in diagnostics. System help had also been removed... as well as the
Run box. System passwords were changed, and many other common tasks were
disabled. I was able to use the Run box on Task Manager... but none of it
really helped, because a reboot put me back to the pausing login screen
and the system was again totally reinfected.

A boot disk got me on the right track. I eventually deleted the infected
files in system32, cleared the trojan's registry entries with HijackThis,
and also deleted the restore points while using the boot disk. I finished
it up with a Windows repair. A long process indeed.

What happened when I attempted System Restore? Am I mistaken, or is it
possible for the trojan to subvert my chosen restore point date and instead
back up the current state, then disable? And finally, can that infected
restore point be used by the malware to reinfect the system each and
every time the system reboots? Was that occurring when the system paused
at the login screen?

--
Regards,
Cadillakin

Re: Is System Restore Being Subverted and Used by Current Malware?


| I ask this question because I don't know.

| Recently, my wife and daughters' computer was infected with malware.
| Although different scanners gave different readings, the infection was
| probably Vundo and others associated with that system intrusion.

| When I figured out that the computer was infected, I attempted System
| Restore. There were restore points extending back about two weeks; I
| chose one a few days back. But when I restored from a couple of days
| back, I was perplexed when the restore finished: it seemed to indicate
| that I chose a restore point from that present moment... with a date of
| Dec 14. I had chosen Dec 11, or thereabouts.

| I couldn't go back and choose another one and try again. When I had
| rebooted after attempting to clean and fix things, then used System
| Restore... there was a nearly 5-10 minute pause before the login screen
| appeared... AND System Restore was disabled. Seemingly, when I got to the
| desktop, ALL the progress I made in cleaning entries was undone. Back to
| square zero.

| Was the disabled and infected system restore somehow reinfecting the
| system? And why such a long pause before the login screen? During that
| time, there was indeed some writing to disk, as indicated by the sounds
| and hard drive light on the computer case.

| I eventually cleaned it all up... but it was a struggle as the malware had
| disabled many of the system processes... i.e., copying was not allowed,
| anti-malware and antivirus apps wouldn't run. MSI files were disabled... so
| almost nothing would install. HijackThis did in fact run and was a huge
| help in diagnostics. System help had also been removed... as well as the
| Run box. System passwords were changed, and many other common tasks were
| disabled. I was able to use the Run box on Task Manager... but none of it
| really helped, because a reboot put me back to the pausing login screen
| and the system was again totally reinfected.

| A boot disk got me on the right track. I eventually deleted the infected
| files in system32, cleared the trojan's registry entries with HijackThis,
| and also deleted the restore points while using the boot disk. I finished
| it up with a Windows repair. A long process indeed.

| What happened when I attempted System Restore? Am I mistaken, or is it
| possible for the trojan to subvert my chosen restore point date and instead
| back up the current state, then disable? And finally, can that infected
| restore point be used by the malware to reinfect the system each and
| every time the system reboots? Was that occurring when the system paused
| at the login screen?

| --
| Regards,
| Cadillakin

Malware does indeed corrupt and disable the System Restore capability.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
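A defender-side check that follows from this answer, added here as an example and not code from the thread or from either poster: the symptoms the original poster describes (past restore points gone, the System Restore UI greyed out) are what you see when the documented System Restore policy values have been set, so a quick audit of those values, the Volume Shadow Copy service, and the remaining restore points tells you whether the feature has been switched off behind your back. It assumes Windows Vista or later with Windows PowerShell (Get-ComputerRestorePoint needs an elevated session); the XP-era key is checked as well, and the registry paths and value names are the standard ones rather than anything taken from this thread.

```powershell
# Added example: audit whether System Restore has been disabled and whether
# any restore points survive. Not from the thread; the registry locations
# below are the documented System Restore policy and configuration keys.

function Get-SystemRestoreStatus {
    # Group Policy location: DisableSR = 1 turns System Restore off,
    # DisableConfig = 1 hides the configuration UI (the "greyed out" symptom).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    # XP-era configuration key; DisableSR = 1 here also turns the feature off.
    $legacyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'

    $status = [ordered]@{
        PolicyDisableSR     = $null   # $null means the value is simply absent
        PolicyDisableConfig = $null
        LegacyDisableSR     = $null
        VssServiceStatus    = 'not found'
        RestorePointCount   = $null
        Findings            = @()
    }

    if (Test-Path $policyPath) {
        $p = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
        $status.PolicyDisableSR     = $p.DisableSR
        $status.PolicyDisableConfig = $p.DisableConfig
    }
    if (Test-Path $legacyPath) {
        $l = Get-ItemProperty -Path $legacyPath -ErrorAction SilentlyContinue
        $status.LegacyDisableSR = $l.DisableSR
    }

    # Restore points on Vista and later are volume shadow copies, so a stopped
    # or disabled VSS service is worth noting alongside the policy values.
    $svc = Get-Service -Name 'VSS' -ErrorAction SilentlyContinue
    if ($svc) { $status.VssServiceStatus = "$($svc.Status) / $($svc.StartType)" }

    try {
        $points = @(Get-ComputerRestorePoint -ErrorAction Stop)
        $status.RestorePointCount = $points.Count
    } catch {
        $status.RestorePointCount = "unavailable ($($_.Exception.Message))"
    }

    if ($status.PolicyDisableSR -eq 1 -or $status.LegacyDisableSR -eq 1) {
        $status.Findings += 'System Restore is turned off via registry/policy.'
    }
    if ($status.PolicyDisableConfig -eq 1) {
        $status.Findings += 'System Restore configuration UI is hidden by policy.'
    }
    if ($status.RestorePointCount -eq 0) {
        $status.Findings += 'No restore points remain on this machine.'
    }
    if ($status.Findings.Count -eq 0) {
        $status.Findings += 'No System Restore tampering indicators found.'
    }

    [pscustomobject]$status
}

# Usage: run from an elevated PowerShell prompt.
$report = Get-SystemRestoreStatus
$report | Format-List
$report.Findings | ForEach-Object { Write-Warning $_ }
```

A non-zero DisableSR on a home machine that nobody manages with Group Policy is a strong sign that something other than the administrator set it. The check is read-only on purpose: if the values turn out to have been tampered with, the sensible order is the one the original poster ended up following, namely clean the machine from outside the running system, discard the restore points created while it was infected, and only then turn System Restore back on and take a fresh point.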



Re: Is System Restore Being Subverted and Used by Current Malware?

On Tue, 20 Jan 2009 17:22:02 -0500, David H. Lipman wrote:

<snipped>

David,

Is there any published on-line information about this, that you can point
me toward...

JR the postman


Re: Is System Restore Being Subverted and Used by Current Malware?


| On Tue, 20 Jan 2009 17:22:02 -0500, David H. Lipman wrote:

| <snipped>

| David,

| Is there any published on-line information about this, that you can point
| me toward...

| JR the postman


Not that I know of.

I know this by examining malware samples and seeing what they do, prior to their
submission to vendors and anti-malware authors.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Is System Restore Being Subverted and Used by Current Malware?

On Wed, 21 Jan 2009 16:49:53 -0500, David H. Lipman wrote:


That's why I asked the question to start the thread; there is not much
written on this issue.

I was keeping a close eye on what was going on as I analyzed and
attempted to troubleshoot the problems. One moment, I'm in the desktop
and my System Restore is fine, with a few points to choose from... And a
few minutes later, after I chose the restore point, it SEEMINGLY creates
a restore point from the PRESENT MOMENT, and disables the ability to
restore completely. Those past restore points were gone and everything
was greyed out. But before it was disabled... it notified me that the
restore was successful and gave me the date NOT from the past, but from
that present moment.

At every subsequent boot, the computer stalled at the login screen... many
minutes passing before login names came up. My take was that the malware was
reinfecting the computer with the "disabled" restore.


--
Regards,
Cadillakin
