$SysReset and ProgramData (Virus?)

Tiago Eto 0 Reputation points
2025-01-28T05:10:21.55+00:00

Hello guys, I have a doubt. A few days ago I got my PC infected, someone got remote access to my PC so I tried to do a clean reinstall. I tried everything, even deleting both partitions and starting the installation from a USB stick. I tried to install Win 7 and Win 10, but every single time I noticed that Windows set a lot of events about changing permissions and authorizations and made some hidden folders like ProgramData on my C:/. What concerns me is the content of those folders


This $SysReset folder I know is there because I tried to reinstall just by a cloud ISO, but inside the AppxLogs it has a file named "RestoreDownlevelAllUserStore" with some weird lines like

2025/01/28 00:08:05.717 Begin RestoreDownlevelAllUserStore.log.
2025/01/28 00:08:05.717 In RestoreDownlevelAllUserStore C:\Windows.old C:\.
2025/01/28 00:08:05.717 Normailized system roots C:\Windows.old C:.
2025/01/28 00:08:05.717 In RestoreFoldersAndRegistry C:\Windows.old C:.
2025/01/28 00:08:05.717 In RemoveAllAppsFromSystemSis C:.
2025/01/28 00:08:13.592 In LoadSoftwareHiveAndOpenKeyForSystemRoot C:\Windows.old APPX_HIVE_RESTORE_SRC_ALIAS_SOFTWARE.
2025/01/28 00:08:13.983 RegLoadHive C:\Windows.old\Windows\System32\Config\Software, 0x0.
2025/01/28 00:08:13.983 In LoadSoftwareHiveAndOpenKeyForSystemRoot C: APPX_HIVE_RESTORE_DST_ALIAS_SOFTWARE.

It just seems like no matter what I do, it always brings the virus back. What should I do?

Windows 10

2 answers

  1. wwwab 0 Reputation points
    2025-01-28T06:42:13.94+00:00

    Hello,

    "C:\ProgramData" is a common Windows default hidden directory. The system default environment variable %ProgramData% points here. This is a normal directory. Undeniably, there is indeed malicious software that takes advantage of this hidden directory to drop malicious software here. But from the information you have provided so far, there is no evidence that there are signs of malware here.

    There are many documents in Microsoft Learn that mention this directory, which you can refer to:

    https://learn.microsoft.com/en-us/windows/win32/shell/profiles-directory

    https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-folderlocations-programdata

    The "$SysReset" and "Windows.old" folders are usually the directories that appear after a system reset or a system upgrade and installation. Their purpose is to ensure that the system install process will not go wrong, to back up the files of the original system, and to roll back when the installation goes wrong.

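A read-only way to check the point made in the answer above, added here as an example and not part of the original answer: confirm that `%ProgramData%` is the stock hidden folder, then list executable files under it whose Authenticode signature does not validate. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the extension list is an assumption chosen for illustration.

```powershell
# Added example: read-only triage of the ProgramData folder. Nothing is deleted or changed.
$root = $env:ProgramData                      # normally C:\ProgramData

# 1. Confirm the folder is the default one: where the variable points and whether it is hidden.
$dir = Get-Item -LiteralPath $root -Force
[pscustomobject]@{
    Path    = $dir.FullName
    Hidden  = [bool]($dir.Attributes -band [IO.FileAttributes]::Hidden)
    Created = $dir.CreationTime
} | Format-List

# 2. Collect executable content whose signature status is anything other than 'Valid'.
#    The extension list is an assumption for this example.
$extensions = '.exe', '.dll', '.sys', '.ps1'
$unsigned = Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Modified  = $_.LastWriteTime
                SigStatus = $sig.Status
                SHA256    = $hash.Hash          # empty if the file is locked
                Path      = $_.FullName
            }
        }
    }

# 3. Newest first: files written right after a clean install are the ones to look at.
$unsigned | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

An entry in this list is a file to look at, not proof of infection: plenty of legitimate software ships unsigned helper files in ProgramData.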

  2. Ian Xue 39,286 Reputation points Microsoft Vendor
    2025-02-03T08:11:44.2666667+00:00

    Hi Tiago Eto,

    Thanks for your post. Generally speaking, protect your PC from viruses that can screw up your computer, or allow criminals to steal your data, personal information, or money.

    • Use an anti-malware app - Installing an anti-malware app and keeping it up to date can help defend your PC against viruses and other malware (malicious software). Microsoft Defender is free anti-malware software included with Windows, and it's kept updated automatically through Windows Update. There are also anti-malware products made by other companies that you can choose from.
    • Don't open email messages from unfamiliar senders, or email attachments that you don't recognize - Many viruses are attached to email messages and will spread as soon as you open the attachment. It's best not to open any attachment unless it's something you're expecting. For more information see: Protect yourself from phishing.
    • Use a pop-up blocker with your internet browser - Pop-up windows are small browser windows that appear on top of the website you're viewing. Although most are created by advertisers, they can also contain malicious or unsafe code. A pop-up blocker can prevent some or all of these windows from appearing. The pop-up blocker in Microsoft Edge is turned on by default.
    • If you're using Microsoft Edge, make sure SmartScreen is turned on - SmartScreen in Microsoft Edge helps protect you from phishing and malware attacks by warning you if a website or download location has been reported as unsafe. For more info, see How can SmartScreen help protect me in Microsoft Edge?
    • Pay attention to Windows SmartScreen notifications - Be cautious about running unrecognized apps downloaded from the Internet. Unrecognized apps are more likely to be unsafe. When you download and run an app from the internet, SmartScreen uses info about the app's reputation to warn you if the app isn't well-known and might be malicious.
    • Keep Windows updated - Periodically, Microsoft releases special security updates that can help protect your PC. These updates can help prevent viruses and other malware attacks by closing possible security holes. Windows Update helps to make sure that your PC receives these updates automatically, but you may still have to restart your machine occasionally for the updates to install completely.
    • Use your internet browser's privacy settings - Some websites might try to use your personal info for targeted advertising, fraud, and identity theft. All modern browsers have privacy settings that you can enable to control what sites can see or do. For more information about configuring the privacy settings in Microsoft Edge see Configure your privacy settings so they're right for you.
    • Make sure User Account Control (UAC) is turned on - When changes are going to be made to your PC that require administrator-level permission, UAC notifies you and gives you the chance to approve the change. UAC can help keep viruses from making unwanted changes. To open UAC, swipe in from the right edge of the screen, and then tap Search. (If you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search.) Enter uac in the search box, and then tap or click Change User Account Control settings.
    • Make sure that Tamper Protection is turned on - In Windows 10 and 11 we have a feature called Tamper Protection that prevents unauthorized apps from changing your security settings. Many viruses and malware try to disable anti-malware software or other security settings when they're installed in order to evade detection. See Prevent changes to security settings with Tamper Protection for information on how to confirm that it's turned on.

    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.

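Several items in the list above (Microsoft Defender, Tamper Protection, UAC) can be read back from the machine instead of being checked by hand. The following is an added example, not part of the original answer; it assumes an elevated Windows PowerShell 5.1 session on Windows 10 with the built-in Defender module, and the three-day signature-age threshold is an arbitrary value chosen for illustration.

```powershell
# Added example: read-only report of the protection settings named in the answer.
$mp  = Get-MpComputerStatus       # Microsoft Defender status
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$maxSignatureAgeDays = 3          # assumption for this example, not a Microsoft figure

$report = @(
    [pscustomobject]@{
        Setting = 'Defender antivirus enabled'
        Value   = $mp.AntivirusEnabled
        Ok      = [bool]$mp.AntivirusEnabled
    }
    [pscustomobject]@{
        Setting = 'Defender real-time protection'
        Value   = $mp.RealTimeProtectionEnabled
        Ok      = [bool]$mp.RealTimeProtectionEnabled
    }
    [pscustomobject]@{
        Setting = 'Tamper Protection'
        Value   = $mp.IsTamperProtected
        Ok      = [bool]$mp.IsTamperProtected
    }
    [pscustomobject]@{
        Setting = 'Antivirus signature age (days)'
        Value   = $mp.AntivirusSignatureAge
        Ok      = ($mp.AntivirusSignatureAge -le $maxSignatureAgeDays)
    }
    [pscustomobject]@{
        Setting = 'UAC enabled (EnableLUA)'
        Value   = $uac.EnableLUA
        Ok      = ($uac.EnableLUA -eq 1)
    }
)

$report | Format-Table -AutoSize

# Print only the settings that need attention.
$report | Where-Object { -not $_.Ok } | ForEach-Object {
    Write-Warning "$($_.Setting) is not in the expected state (value: $($_.Value))"
}
```

If a third-party anti-malware product is installed, Defender reporting itself as disabled is expected.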
