Does NIS scanning in Safe Mode check System Restore folder?

For removal of a Trojan, Symantec's instructions are to disable System Restore so those folders can be scanned.  However, Windows (XP Pro, SP3) warns that this deletes all the restore points.  I would rather not delete all the restore points, since that would reduce my options for repairing my system, so I am looking for another alternative.

Does scanning in Safe Mode allow NIS 2010 to scan the System Restore folder?

BACKGROUND:

NIS SONAR detected and blocked a High Risk threat.

The following is from NIS history:

File Actions
File: c:\documents and settings\scs\local settings\temp\pdfupd.exe
Removed

While NIS indicates the file was removed, Symantec's information indicates that a number of Trojans self-copy and create the file named pdfupd.exe.  I think it would be prudent to do an entire system scan that includes the System Restore folders.  http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=3

A manual scan using Malwarebytes found and deleted a Trojan in another location. Here is part of the log:

Files Infected:
C:\Documents and Settings\SCS\Local Settings\Temporary Internet Files\Content.IE5\EUGBFK0U\dc97ad[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.

A search at Symantec for these Trojans indicates they are low risk, but I'm not sure that I have identified the correct Trojan! See my problems below.

REMAINING PROBLEMS:

1.  I could not enter Safe Mode until I used System Restore to an earlier date.  I ran a NIS scan in safe mode, but nothing was found.

2. Some display issues: some Windows and application icons changed in size. The on-screen volume and LCD brightness setting bars changed color and are solid instead of segmented. Volume and brightness are controlled by the Fn key on my Dell notebook.  I'm thinking a driver might have been corrupted??  I tried changing Display Themes in the Control Panel, but nothing changed.

Thanks in advance,

Scott

Hi Scott-S,

Windows does not allow the restore points contained in System Volume Information to be modified.  This is to protect the integrity of each restore point.  So, even though some anti-malware products will scan SVI, if anything is found they normally will not be able to remove it, and your remedy will still be to remove the restore points manually.  Even if an AV product did attempt to remove an infection from the compressed restore point, there is a good likelihood that doing so would corrupt the file, making it useless for a later restoration.  Also, an infection in a restore point cannot run and so poses no threat to your PC unless you use that restore point in a recovery, at which point Auto-Protect would catch it.  For all of these reasons and the fact that scanning the SVI would be quite time consuming, Norton does not involve itself with scanning the System Volume Information.

Your best course of action would be to clean all infections off of your computer and then manually create a restore point that would be known clean (we hope).  Then you can open the Disk Cleanup feature in XP and select the More Options tab.  Clicking the System Restore button will present you with the option of removing all but the last restore point.

By the way you are correct that you should keep all of your restore points until your system is clean.  While deleting the restore points is the only way to clear out any viruses they may contain, it is still preferable to keep and have a dirty restore point to use if you need to recover your system than to have no restore points available at all.  Once the system is clean, then delete the System Volume Information to prevent reinfection.  I have never understood the advice to discard all of your restore points as a first step in cleaning up an infected system.

System Restore to an earlier time will make enough changes to Windows files that it may appear to help.  It is not like a drive image, where setting it back would make the machine the same as it was prior to the infection.  My guess is that your machine is still infected.  You can try scanning with Norton and/or Malwarebytes in Safe Mode, when some of the drivers may be inactive.  Make certain that both are fully updated first.

Norton will not scan the System Volume Information folder because it is excluded from scans by default.

You would be best to ensure that the machine is clean of all infection, delete everything in the temp folder, clear all browser caches, and then get rid of all of the System Restore information.  You will then be able to manually set a new System Restore point that you know is uninfected.

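Added example, not code from this thread or from Norton or Malwarebytes: a Python script that parses the two log formats Scott quoted (an NIS history entry and a Malwarebytes "Files Infected" line) and labels each hit by where it sits, so that a hit under System Volume Information, which NIS excludes by default and cannot clean in place, is called out separately from temp and browser-cache hits. The restore-point entry and its GUID are constructed placeholders, not from the thread.

```python
import re

# Constructed samples in the two formats quoted in the thread (NIS history, Malwarebytes
# "Files Infected"). The third entry, under System Volume Information, is hypothetical and
# its _restore{...} GUID is a placeholder: it shows how a hit inside a restore point is handled.
NIS_HISTORY = r"""File Actions
File: c:\documents and settings\scs\local settings\temp\pdfupd.exe
Removed
"""
MBAM_LOG = r"""Files Infected:
C:\Documents and Settings\SCS\Local Settings\Temporary Internet Files\Content.IE5\EUGBFK0U\dc97ad[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP71\A0000001.exe (Trojan.Downloader) -> No action taken.
"""

MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+?)\.?$", re.M)

# Path markers (matched case-insensitively) and what the replies above say about each location.
LOCATIONS = [
    ("restore-point", "\\system volume information\\",
     "excluded from NIS scans by default and not cleanable in place; remove old restore points once the system is clean"),
    ("browser-cache", "\\temporary internet files\\", "clear all browser caches"),
    ("temp", "\\local settings\\temp\\", "delete everything in the temp folder"),
]

def parse_nis_history(text):
    """NIS history: a 'File: <path>' line followed by a line naming the action taken."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    hits = []
    for i, line in enumerate(lines):
        if line.startswith("File: "):
            action = lines[i + 1] if i + 1 < len(lines) else "unknown"
            hits.append({"path": line[6:], "threat": "unknown", "action": action, "source": "NIS"})
    return hits

def parse_mbam_log(text):
    """Malwarebytes log: '<path> (<threat>) -> <action>.' lines."""
    return [dict(m.groupdict(), source="Malwarebytes") for m in MBAM_RE.finditer(text)]

def classify(path):
    p = path.lower()
    for name, marker, advice in LOCATIONS:
        if marker in p:
            return name, advice
    return "other", "review manually"

def triage(hits):
    """(path, location, advice, action) per hit, with restore-point hits listed first."""
    rows = [(h["path"], *classify(h["path"]), h["action"]) for h in hits]
    return sorted(rows, key=lambda r: r[1] != "restore-point")
```
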
SendOfJive & delphinium,

Thanks for the informative replies.

It is very difficult to enter Safe Mode.  Of the choices available with F8, "Directory Services Restore Mode (Windows domain controllers only)" is the only way to get into Safe Mode.

I cannot return to an earlier point using System Restore, whether from Safe Mode or Normal Mode.  I tried 8 different Set Point dates of the 71 that I have, which go back to May.

I scanned with NIS from Safe Mode earlier and nothing was found. I will give Malwarebytes a try and scan in Safe Mode overnight.

Any other recommendations?

Thanks in advance,

Scott

Hi Scott,

In Computer Settings > Exclusions > Scan Exclusions > Configure, you could, if you wish, remove the System Volume Information folder from the list if you are curious. A scan should then include this folder, but as SendOfJive said this will cause the scan to take longer, and NIS will not be able to remove an infection there anyway.

If you do this, please make sure to add it back in to the list of exclusions when you are done testing.

As SendOfJive said, it is best to clean your PC of infections, make a restore point, and then remove all but the last restore point from your system. This is the absolute safest way, since it is possible that, even if scanned, NIS could miss something in the System Restore points.

E.g., you would certainly not want to risk a later system restore causing malware to become active again.

Hope this helps.

Best wishes.

Allen

Norton's Product Tamper Protection will prevent you from being able to successfully restore using any restore point.  Turn off Norton Product Tamper Protection in the Norton Miscellaneous settings, do the restore operation, and then re-enable Tamper Protection to keep the Norton program secure.

I would use System Restore only as a last resort.  It reverts your registry to an earlier time, and some programs may not find that to their liking.  It is better to first use methods targeted at removing the infection than to make system-wide changes that may have unintended consequences.


SendOfJive wrote:

Norton's Product Tamper Protection will prevent you from being able to successfully restore using any restore point.  Turn off Norton Product Tamper Protection in the Norton Miscellaneous settings, do the restore operation, and then re-enable Tamper Protection to keep the Norton program secure.

I would use System Restore only as a last resort.  It reverts your registry to an earlier time, and recently updated programs may not find that to their liking.  It is better to use anti-malware tools targeted at the infection than to make system-wide changes that may have unintended consequences.


Thanks SendOfJive! I was keying in on one specific area that I wanted to comment on and missed that the OP had actually tried to use System Restore!

Of course that won't work with Tamper Protection on. :smileywink:

Allen

SendOfJive,

Thanks for the heads-up on Tamper Protection.  I didn't know it disabled System Restore.

"I would use System Restore only as a last resort.  It reverts your registry to an earlier time, and some programs may not find that to their liking.  It is better to use anti-malware tools targeted at the infection than to make system-wide changes that may have unintended consequences."

Okay, that makes sense.  I am rescanning without the exclusion of "\System Volume Information\" (thanks Allen!) to see if any other malware is present that is causing my problems.

If I cannot find any other malware, then I'm hoping that reverting to an earlier restore point will resolve my display problems and the difficulty in starting Safe Mode. If I return to an earlier system date, I will update Windows and my apps before using them.

Thanks again!

Scott


AllenM wrote:

In Computer Settings > Exclusions > Scan Exclusions > Configure, you could if you wish remove the System Volume Information folder from the list if you are curious.


Allen,

thanks for pointing this out.

Scott

Still struggling.  I am wondering what my next step should be.

Subsequent full system scans are clear. Scans in normal and safe mode (with scan exclusions cleared) using both NIS and Malwarebytes have not found any other malware. So I can’t understand an apparent improvement -- I can now enter Safe Mode in the normal manner, i.e., by selecting that start-up option in the F8 menu.  Before, I needed to use other approaches, e.g. msconfig’s safe boot.

Remaining problems: There are still some minor display issues and I cannot return to an earlier point using System Restore (with Tamper Protection turned OFF).

The display issues: (1) the icons in the icon tray appear coarser; (2) the left side of Windows Explorer looks slightly different in color and is missing lines; (3) in Word, the Save dialog box has a different background color on the left side.

So the clean scans suggest the Trojan(s) have been removed, although the Symantec page for the Trojan Norton identified (pdfupd.exe) recommends registry edits for final clean-up, which I'm willing to do. http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=3

Do the display issues suggest the system is still infected or just damaged??

I’d like to return to an earlier point using System Restore (is that a good idea??) to see if that will return the display to its previous appearance and eliminate possible unseen problems. (I previously thought I had returned to the last restore point, but I now question this and wonder if I missed the error message.)

I have been researching at Symantec and Microsoft’s Knowledge Base for hours . . .

What should my next step be?

Thanks in advance,

Scott

I uninstalled NIS and tried System Restore. The restore was incomplete.  Same message as before.