Figured this would be the best place for this discussion. If incorrect please move.
System restore point.... They're used a lot to fix viruses. Its one of the first thing I check when one is brought to me. I'm sure that a virus could find its way into your restore point data but how likely is that to happen?
Has anyone ever experienced restoring a PC and it still be infected?
Yes. It has happened with me. Because the virus was present in a different drive on the HDD. So it did not make a difference restoring system (C Drive).
I didnt even think of that. Was the PC's partitioned out user data or program files?
Some virus target system restore just for this purpose as AV often do not have access to "hidden" files, ensuring the virus can stay after removal
There were 3 drives. The C drive contained the programs. The E drive contained all user media like music, video, etc. which also contained some infected files.
After system restore, the PC looked fine but the viruses would enter in few hours again. Hence we determined that the viruses were hidden in another partition altogether.
Most viruses can infect restore points nowadays, but it's usually the 1st restore point (although I'm sure some are quite capable of infecting all of them). I usually tell people when they are restoring due to a virus, to go the 2nd, or better yet, 3rd restore point.
As Dinish pointed out, if you have a hidden partition somewhere on the system, usuall written by a rootkit, a system restore doesn't do any good.
Why do they target just one? And by first do you me the lasted one created or the first one ever created?
It's usually the last one created, the one most people will roll back to in an attempt to purge the virus. Hence the reason it embeds itself into that point. I have seen systems though where the virus will either delete or disallow access to restore points altogether.
Quote