echo: nthelp
to: Chris Robinson
from: RS
date: 2003-10-17 12:51:38
subject: Re: Totally Strange - Groundhog Day PC

From: "RS" 

That's very odd; where I work we have to deal with a lot of students using
computers.  Most of them are fairly computer illiterate, but there's always
the few who get kicks out of finding a way to get admin access to delete
registry files, install viruses and such.



To fix this problem, the computer center bought a nice little program
called Drive Shield (http://www.centuriontech.com/driveshield.htm).  An
interesting point about Drive Shield is that once it's activated, you can't
find it. The program folder that it's in is not just set to hidden; the OS
just cannot find it.  The process that runs DS will also never be
displayed.  So users will never know that it's there, but it's always
running.  This sucker basically takes a "snapshot" of the
computer when it (the program) is activated.  Once activated even changes
made by administrators on the computer will revert back to the original
settings when it's rebooted.  You might have your friend check to make sure
that the guy never downloaded and ran something like this on his computer.



--RS



Also, if they managed to do this without the program, please let me know.
It'd be nice not to have to pay for a license for Drive Shield if there's a
simple (and free) alternative.




"Chris Robinson"  wrote in
message news:3F8FA704.17AB77C{at}NOSPAMtotalise.co.uk...
> This is the strangest problem I've ever seen on a PC.  The PC belongs to
> my flatmate's brother and runs Windows 2000 service pack 2.  His brother
> called him up yesterday to say he was having a strange problem.  He said
> that whenever he reboots his PC it goes back to how it was before (a
> GREAT description there :oP).
>
> Anyway, my friend went over to have a look at it and here's what
> happens:
>
> - You boot up the PC and it boots into Windows with no problems.  Let's
> call the state it's in after boot (all files/ folders/ settings etc)
> state A.
> - Whatever you now do to the system, like install/ uninstall software/
> apply Windows service packs/ delete files, when you reboot it will
> return to state A with any deleted files returning, any installed
> programs not there anymore etc.
>
> First off, let me tell you that the system has a 30Gb Hard Drive.  5Gb
> is for the Windows partition and the other 25Gb is a separate partition
> for data.  Both are fairly full (the Windows drive only had about 38Mb
> free when my friend went around to look at it).  Here's what he did:
>
> - Booted the system.  Uninstalled AVG6 and installed AVG7, making sure
> all registry entries/files for AVG6 were gone completely.  Ran a full
> VirusScan of the system and found some viruses that he said were
> "non-major" ones.  AVG removed them completely.  He disabled system
> restore/ hibernation features.  He then cleared over 1.5Gb of temp
> files/ crap from the Windows drive and defragged the system (which took
> 1/2hr or so).  He then deleted about 1Gb of data files from the other
> partition as a test (these were backed up onto CD).
> - So, after doing this, he reboots the system.  Guess what?  It returns
> exactly to state A - the viruses are back, AVG6 is back with no trace of
> AVG7, the 2.5Gb of deleted files had returned and the drive was as
> fragmented as before.  Strange huh?  He also mentioned there was no
> major hard disk activity upon reboot (so some app wasn't restoring an
> image each time - and where would it store the data anyways?)...
>
> I mean, you start to think that it's some kind of problem with data
> being written to the disk (i.e. it's not being!) but can this happen on
> this scale?  Is it possible that there's some kind of program lurking
> that makes Windows think it's performing write operations to the disk
> but isn't?
>
> The strangest thing is that he's tried it all in safe mode with the same
> effect.  Also, the defragging bit's odd because he saw it defrag and
> there was hard disk activity when it was defragging (like there should
> be).  I've suggested trying a tool like Eraser to completely wipe some
> files whilst in Windows and see if they return but I think they would by
> the sounds of things because it appears that they're not actually being
> deleted in the first place!
>
> Has anyone ever seen this kind of thing before?  I know there are 3rd
> party devices that can do this (I think NEC make one that restores an
> image on each boot) - but this is a PC that my flatmate built from
> scratch.
>
> Chris....
>
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
