
Viruses in the System Volume Information (System Restore).

Awarded: Editor's Choice, Community Pick
System Restore is a Windows utility that periodically saves changes made to the system (it backs up monitored files, the registry and drivers) and lets users roll the system back to a previous state in the event of PC instability or program failures. It is a very useful Windows component that can save users the time of repairing or reinstalling the operating system.

However, on an infected system, System Restore might also back up infected files and viruses. The good thing is that viruses in that folder are also very easy to remove: all you have to do is turn System Restore off, and they are deleted along with all of the restore points.

So... with an infected system - when do you purge those restore points? Do you disable it BEFORE or AFTER removing the infections? The timing as to when to turn off System Restore is very important.

There have been so many discussions about this, and I've addressed it many times. The best time to turn it off is AFTER the cleanup, hence this article.

The bad practice that many PC techs have is disabling System Restore before cleaning the system. YOU SHOULD NOT DO THIS. They also believe that viruses in System Restore will creep out of that folder and re-infect the system. Of course that's absolute nonsense... the fact is, viruses in that folder are DORMANT and HARMLESS. They don't do anything while in that folder; the only time those viruses become active and pose a threat to the system is when you use one of the infected restore points.

You might say, "but Symantec suggests turning it off before running a scan?" Well, it's wrong to suggest that!... but let's be fair and look at it from their own perspective. They probably say that for the following reasons:

     1. Antivirus cannot delete viruses in the System Restore folder.
     2. There's a fairly good chance that the scan will hang when scanning that folder.
     3. It dramatically shortens the scanning time.

Now that certainly makes sense... but what about the users? Is it to their advantage if System Restore is disabled before the cleanup? The answer is NO; in fact, for PC users it is a BAD idea to turn off System Restore before cleaning the system. While removing malware/viruses, things can go wrong; there are times when the removal process will not go smoothly, and the user will need those restore points. If the user turns it off, he will have no restore points to go back to. It is better to have possibly infected restore points than none, where the only option left is to reformat.

To quote [MVP] MowGreen's thoughts on SR, "It's better to have a leaky, rodent infested life boat than no life boat at all."

In Conclusion:

The best time to disable System Restore in an infected system is AFTER the cleanup when the system is in a stable condition.
When the PC is clean, and you no longer need those restore points, you can turn it off to flush all the viruses and create a new and clean restore point.

I hope this article will help some users understand the importance of keeping those restore points intact while in the process of removing infections.
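The sequence the article recommends (inventory first, flush only after the cleanup, then create a fresh point) can be scripted so that the order is enforced rather than remembered. The following is an added example, not code from the article or from Microsoft; it assumes Windows PowerShell 5.1 on a Windows client (Vista or later) with the built-in System Restore cmdlets, run from an elevated session. The function name and its `-SystemConfirmedClean` switch are inventions of this example; `Get-ComputerRestorePoint`, `Disable-ComputerRestore`, `Enable-ComputerRestore`, `Checkpoint-Computer` and `vssadmin` are standard Windows tools.

```powershell
<#
  Added example (not from the article): post-cleanup System Restore flush.
  Assumption: Windows PowerShell 5.1, elevated prompt, Windows client edition.
  Invoke-PostCleanupRestoreFlush and -SystemConfirmedClean are hypothetical
  names chosen for this example.
#>
function Invoke-PostCleanupRestoreFlush {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # System drive whose restore points are managed (trailing backslash required by the cmdlets).
        [string]$Drive = "$env:SystemDrive\",
        # The article's rule: flush only AFTER the system is clean and stable.
        # Without this switch the function lists restore points and changes nothing.
        [switch]$SystemConfirmedClean,
        [string]$NewPointDescription = "Clean baseline after malware removal"
    )

    # Step 1: inventory the existing restore points before touching anything.
    $points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
    if ($points) {
        Write-Host "Existing restore points on $Drive"
        $points | Format-Table SequenceNumber, Description,
            @{ Label = "Created"; Expression = { $_.ConvertToDateTime($_.CreationTime) } } -AutoSize
    } else {
        Write-Host "No restore points found (System Restore may already be off)."
    }

    if (-not $SystemConfirmedClean) {
        Write-Warning "System not confirmed clean: keeping every restore point. Re-run with -SystemConfirmedClean once the cleanup is finished and the PC is stable."
        return
    }

    # Step 2: the flush. Turning System Restore off for the drive discards its points;
    # the shadow copies that hold them are also removed explicitly so the result does
    # not depend on the GUI behaviour of a particular Windows version.
    $volume = $Drive.TrimEnd('\')   # "C:\" -> "C:" for vssadmin
    if ($PSCmdlet.ShouldProcess($Drive, "Disable System Restore and delete all restore points")) {
        Disable-ComputerRestore -Drive $Drive
        & vssadmin.exe delete shadows "/for=$volume" /all /quiet | Out-Null
    }

    # Step 3: turn System Restore back on and create one fresh, clean restore point.
    if ($PSCmdlet.ShouldProcess($Drive, "Re-enable System Restore and create a new point")) {
        Enable-ComputerRestore -Drive $Drive
        Checkpoint-Computer -Description $NewPointDescription -RestorePointType "MODIFY_SETTINGS"
    }

    # Step 4: show the result; only the new point should remain.
    Get-ComputerRestorePoint | Format-Table SequenceNumber, Description -AutoSize
}

# Usage (elevated prompt):
#   Invoke-PostCleanupRestoreFlush                                # inventory only, nothing deleted
#   Invoke-PostCleanupRestoreFlush -SystemConfirmedClean -WhatIf  # preview the flush
#   Invoke-PostCleanupRestoreFlush -SystemConfirmedClean          # flush and create the clean point
```

Two caveats for anyone adapting this: deleting all shadow copies on the volume also removes the "Previous Versions" file copies stored there, so check that nothing else relies on them; and on Windows 8 and later, `Checkpoint-Computer` refuses to create a second restore point within 24 hours of the previous one unless the `SystemRestorePointCreationFrequency` registry value is changed, so on those versions the final step may report that a point was not created.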



* If you like, also check out these links and read the comments from Microsoft's Most Valuable Professionals.

CalamityJane (MS-MVP Consumer Security)

"II. Do NOT start your fix by disabling System Restore. This rule applies to any manual fixes and is especially true for spyware removal. That is because disabling System Restore wipes out all restore points. Should a problem arise during the fix you would have NO good working configuration to go back to get the computer up and running. Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off. Clean the restore folder and set a new point AFTER the PC is clean and all programs are working properly."
http://www.dslreports.com/faq/13622


Sandi Hardmeier (MS-MVP, AH-VSOP) , in her webpage "Troubleshooting browser hijackings" and also in an article "Bug busting: Getting Rid of Spyware"
http://inetexplorer.mvps.org/tshoot.html
http://www.microsoft.com/windows/IE/community/columns/bugbusting.mspx

She CLEARLY stated NOT to delete Restore Points before attempting spyware removal because if something goes wrong there's no way to reverse your actions. Yes you would want to delete those restore points but the time to do it is later, not while in the process of cleaning the system.


Bugbatter (MS-MVP Consumer Security), 'pre-cleanup' speech.
"If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly."
http://en.community.dell.com/forums/p/19318659/19645158.aspx#19645158


Jim Eshelman (MS-MVP, AumHa Webmaster/Proprietor), in his article "Purging old System Restore points"
"Leave System Restore in place until your computer is clean and stable."
http://forum.aumha.org/viewtopic.php?f=43&t=13209&view=next


Steve Wechsler- aka Mow Green (MS-MVP, AH-VSOP)
(Msg. 5)
"Sorry, Symantec's advice is just plain wrong. What if the tool you've downloaded prevents the system from rebooting, then what? You'll have *no* restore points to use to regain control of the system."
http://www.eggheadcafe.com/software/aspnet/33972249/help-on-disabling-windows.aspx


tashi - (MS-MVP. Consumer Security)
"Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (not good) and won't remove the malware."
http://forums.spybot.info/showthread.php?t=288


Bert Kinney (MS-MVP, AH-VSOP)
(Msg. 8)
"When removing virus/spyware infection, DO NOT DELETE ALL RESTORE POINTS until the system is confirmed clean and functioning normally."
http://forum.soft32.com/windows/Reinstall-XP-Home-Dell-ftopict277428.html


Happy computing!
48 Comments
LVL 58

Expert Comment

by:tigermatt
Thanks rpg! Voted Yes above.
0
LVL 47

Author Comment

by:rpggamergirl
Hi tigermatt,

Thank you for voting yes! :)

0
LVL 38

Expert Comment

by:younghv
rpg - Thank you a million times!
I am going to link this Article about 15 times a day. So many of our contributing Experts have been taught wrong about this whole idea, and you have set them straight!
(If I could figure the formating on this site, I would bold this whole response.)
Excellent work!
0
LVL 1

Expert Comment

by:Karl Haskins
I disagree. We have disabled System Restore because of its inability to perform as expected, and also because Symantec recommends that System Restore be turned off. It uses valuable resources on the PC and I've never had it fix anything.
0
LVL 38

Expert Comment

by:younghv
CohKarlHaskins:
Please go back and read through the Article again.
The exact recommendation by rpggamergirl is what any System Technician should be doing.
Under no circumstances should any of us rely on one source (your Symantec reference), rather we should do some research and - based on our own practical experience - make a decision.
0
LVL 1

Expert Comment

by:Karl Haskins
I still stand behind what I said. I have no faith in System Restore. I am an MCP with over 15 years' experience. I support a large corporate environment with over 4000 computers. You can do what you want, I can disagree if I want. No one is wrong here.
0
LVL 55

Expert Comment

by:Mark Wills
Hi CohKarlHaskins

I do use System Restore, along with a lot of other people (I would imagine).

Fortunately I have not had to use it because of a virus, but have definitely used it and thought it was a life saver.  At the time, I was wondering what would happen if it already contained some kind of corruption (like a virus) and this Article works for me.

Seeing as you have disabled System Restore and don't use it, this Article is pretty moot for you. Mainly because it isn't about the benefits or otherwise of System Restore, more so what to do in the event of a virus in there...

Interestingly, you have indeed aroused my interests. Maybe System Restore can cause more pain than good, and there are good options or alternatives to help restore systems. While this might not be the right thread to discuss that, it does sound like it would make for a great Article from you.

So putting on my Page Editor hat, and being opportunistic, can we entice / encourage you to write an Article about System restore, the pain it can cause, and any alternatives ?
0
LVL 1

Expert Comment

by:Karl Haskins
System Restore is a bad idea in a corporate environment.
1. System Restore gives a false sense of security.
   - System Restore does not protect the PC from viruses, spyware or malware.
   - The main purpose is to protect against software conflicts and bad device drivers. (A trained PC tech can fix these issues without a canned solution.)
   - System Restore works better if there are no restore points set between the restore point you want to use.
   - System Restore works best if the restore point is used before any other changes are made to the computer.
   - System Restore can use up valuable disk space.
   - Users can change the settings without being a local administrator.
2. System Restore can back up and restore virus infections on the computer.
   - I've experienced this first hand with one of our power users.
3. The System Restore process occupies valuable system resources.
   - I have disabled System Restore on slow systems to speed them up.
   - I have disabled System Restore to recover disk space.
4. There are issues with using System Restore with domain membership.
5. System Restore can cause the dreaded Procedure Entry Point error. (This is the show stopper, as the system will need to be reimaged once this happens.)


Now, I'm not saying that it is worthless. I'm just saying that I can't put any faith in System Restore's ability to recover a system in the environment I work in. We train our new techs to operate as if there is no System Recovery utility and it works for us.

0

Administrative Comment

by:will_see
CohKarlHaskins:

Good points, but this article is not just about "system restore".

Would second mark_wills' suggestion for you to write an Article about system restore elaborating a little bit more on the points above.

It is an important subject and does warrant its own thread / article.

Regards,
will_see
EE Admin
0
 

Administrative Comment

by:younghv
The vast majority of Experts-Exchange Members are going to benefit from the advice in this Article and it is important to raise the visibility.
Therefore, I am selecting it as a "Community Pick".

younghv
Page Editor
0
 

Administrative Comment

by:younghv
AnilKumarSharma,
I am the Page Editor and the designated Subject Matter Expert for the anti-malware Zones.

Your two comments above here have been deleted and I encourage you to submit your own Article about your point of view.

In the future, I encourage you to very carefully read what is actually written in the Article - and the authorities referenced - before posting any comments.

I also encourage you to keep in mind that this is a professional IT Forum and we expect common courtesy to reign in any comment that is posted.

Below is a copy of the comments I posted in the technical question where you were making similar statements.

younghv
Page Editor

http://www.experts-exchange.com/Q_25043163.html

It is very obvious that you have very little experience is this kind of situation, so I encourage you to do what I do ... pay attention to those who know what they're talking about.

The recommendation to run ComboFix is exactly right for two reasons.
First and foremost, it is known to correct this exact problem.
Second, ComboFix will create a new "Restore Point" that will at least allow the Asker to re-boot the system in case something goes wrong.

I have been following the advice of "rpggamergirl" in this and many other Forums for a lot of years and she gives some of the best advice to be found anywhere. As a multiple MS MVP nominee, she has earned the respect and gratitude of thousands of people all over the world.

Looking at your profile, I see that you have only just started trying to answer questions here on EE. Please take my comments in the manner intended and improve upon the advice you are offering.
0
LVL 31

Expert Comment

by:Thomas Zucker-Scharff
I voted yes above.  This is an excellent article and I thank you for writing it.  I wrote an article on how to disable/re-enable System Restore in a more step-by-step (tutorial) method.  I linked to your article in the first paragraph since you explain what System Restore is so well.

My article can be found here:

http://www.experts-exchange.com/articles/OS/Microsoft_Operating_Systems/Windows/XP/Removing-protected-System-Restore-files-if-they-have-been-infected.html
0
LVL 47

Author Comment

by:rpggamergirl
Thanks tzucker, :)

senad,

I think you misunderstand what this article is all about. If you have any questions or need further clarifications let me know and I'll try and explain it to you.
0
LVL 47

Author Comment

by:rpggamergirl
To all:

Please note that this article is not about System Restore versus other System Recovery utilities....it is simply about System Restore in an infected pc and when to purge those restore points.


For Expert senad:
I don't think I can explain it any simpler than I already have...
But here are some links where MS-MVP awardees have posted comments/written tutorials about this subject matter.

Teachers and Malware Experts in anti-spyware forums teach and practise the same method in cleaning an infected system.


Below are some comments/articles that support my point, posted/written by prestigious Microsoft Most Valued Professionals:


CalamityJane (Microsoft MVP Consumer Security)

Top Ten Do's and Dont's of HijackThis for Helpers

"II. Do NOT start your fix by disabling System Restore. This rule applies to any manual fixes and is especially true for spyware removal. That is because disabling System Restore wipes out all restore points. Should a problem arise during the fix you would have NO good working configuration to go back to get the computer up and running. Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off. Clean the restore folder and set a new point AFTER the PC is clean and all programs are working properly."
http://www.dslreports.com/faq/13622



Sandi Hardmeier (MS-MVP, AH-VSOP) , in her webpage "Troubleshooting browser hijackings" and also in an article "Bug busting: Getting Rid of Spyware"
http://inetexplorer.mvps.org/tshoot.html
http://www.microsoft.com/windows/IE/community/columns/bugbusting.mspx

She CLEARLY stated NOT to delete Restore Points before attempting spyware removal because if something goes wrong there's no way to reverse your actions. Yes you would want to delete those restore points but the time to do it is later, not while in the process of cleaning the system.



Bugbatter (MS-MVP Consumer Security), 'pre-cleanup' speech.

"* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly."
http://en.community.dell.com/forums/p/19318659/19645158.aspx#19645158



Jim Eshelman (MS-MVP, AumHa Webmaster/Proprietor), in his article "Purging old System Restore points"
http://forum.aumha.org/viewtopic.php?f=43&t=13209&view=next

"It is a common recommendation, when cleaning for viruses in Windows ME or Windows XP, to advise that System Restore be disabled and all old stores cleared before starting on your cleaning. We do not recommend this approach.
The reason for the recommendation is that many viruses are stored when a System Restore point is created and, should you use System Restore, you will bring these back onto your computer. This is useful to know! But it is also true that, in cleaning highly infected systems, sometimes you make mistakes that cripple Windows and it is better to be able to take a step back to a working version of Windows - even an infected one! - rather than have Windows trashed completely."

And in that guidelines it says to "...Leave System Restore in place until your computer is clean and stable."



Steve Wechsler- aka Mow Green (MS-MVP, AH-VSOP)

"Sorry, Symantec's advice is just plain wrong. What if the tool you've downloaded prevents the system from rebooting, then what? You'll have *no* restore points to use to regain control of the system. It's better to have a leaky, rodent infested life boat than no life boat at all."
http://www.eggheadcafe.com/software/aspnet/33972249/help-on-disabling-windows.aspx



tashi - (MS-MVP. Consumer Security)

"Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (not good) and won't remove the malware. Let your helper advise you as to when a System Restore flush is called for."
http://forums.spybot.info/showthread.php?t=288



Bert Kinney (MS-MVP, AH-VSOP)

"When removing virus/spyware infection, DO NOT DELETE ALL RESTORE POINTS until the system is confirmed clean and functioning normally. Here's why. If something goes wrong in the virus/malware removal process you will have no way to reverse your actions. Sometimes the removal process can be more damaging to the system than the infection. Two examples would be if the system became unbootable, or if the ability to connect to the internet to retrieve additional cleaning utilities is lost. So it is a good practice to leave System Restore restore points intact until the cleaning process is over and the system is otherwise clean of infection. Virus and malware infection residing within restore points are dormant, unless the system is restored to an infected restore point. Just don't forget to purge all existing restore points after the cleaning is complete."
http://forum.soft32.com/windows/Reinstall-XP-Home-Dell-ftopict277428.html


Malware Experts and MS-MVP awardees in Consumer Security who have hands-on experience in malware removal would tell you the same thing as what I've stated in this article.



0
LVL 7

Expert Comment

by:samenglish
A couple of points here...

(1) The position advocated by several MS MVP's is also MS's position, no doubt they have a vested interest here too. I wouldn't like to develop a mechanism that claims to provide system recovery and then have other people trying to discredit it. In my opinion, SR works well and cannot be discredited. It is a valuable part of the Windows operating system. It may not be the *only* mechanism by which you can address system corruption issues, it may not be the *best*, it may not be *perfect*, but it is a great improvement over the Win98 and 95 days, isn't it? I've used it several times and I've come to rely on it as my preferred option if it's viable.

(2) Symantec has a long history of producing products that protect the user and help the user in times of trouble. And they would also understandably react to someone moving in on their turf, but MS isn't the only alternative to Symantec products, are they? I imagine that other products also try to convince the user that they are the be all and end all of system recovery. It's a standard product marketing agenda, that's understandable too.

(3) To be fair to MS, it is their operating system, and they're best placed to recover your corrupt system. Why should they sit by and watch someone else enter their jurisdiction and begin to clean up the streets. Some would argue that MS is unfairly advantaged and that it should be limited in how integrated its operating system is, but I would think that system recovery is something you would like to take for granted from a mature operating system.

My conclusion, if you use MS, and MS work well, and the MS components in question come at no added cost, then why switch to another product unless there is a vested interest, or for research purposes, or personal preference. If it is out of personal preference, then let's not try to imply that "it doesn't work properly" or something like that. Apart from the cost of MS products, they're generally good products that many people can and should safely rely on, and Windows is still the preferred OS even for many "experts" including myself.

rpggamergirl, I voted yes, good article, and thank you for your effort.
0
LVL 54

Expert Comment

by:b0lsc0tt
Thanks for the article and the time to write it.  Especially for stating the issues and your point so well.  It is one I agree with.  I have to admit at times I do completely disable System Restore and have relied on other methods for recovering.  I can understand that point made by one of the others.  To me this article isn't for those cases or that audience though.  It does help me for those machines or cases where I do have System Restore active and that machine gets infected.  Thanks for clearly expressing your recommendation and for the explanation of it.  It makes sense now, although I will admit in the past I have followed the other advice, partially because I was afraid it would make cleaning harder.

bol
0
 

Administrative Comment

by:younghv
senad:
You need to move on.
One of your options is to write and submit an Article of your own.

younghv
Page Editor
0
LVL 51

Expert Comment

by:Keith Alabaster
Voted Yes.

Good article.
- Useful advice on when to clear restore points - irrespective of whether a virus has even been in the equation or not, that is almost a side issue.

Keith
0
LVL 47

Author Comment

by:rpggamergirl
younghv,

Thank you for the EC designation, much appreciated.
Also thanks to the PEs who voted.



samenglish,

I certainly agree with you... thank you for sharing your opinion, positive feedback and the Yes vote.


bol,

I can understand that some users may prefer other methods for recovering and will disable System Restore... Depending on how a PC is set up, System Restore functions extremely well in some systems (I haven't had any problems with it) while not so in others. That's because some programs installed in the system can interfere with System Restore's functionality.

In some circumstances where a user or a scanner (some anti-malware scanners can delete viruses in System Restore) has deleted a file in that folder, the restore points will then become corrupt and restoration will fail, since each restore point is linked together with the previous ones; if one is missing, the link is broken. When this happens, all restore points should be purged straightaway.
I'm glad you found this article helpful, thanks.


Keith,

Thanks for your comment and the Yes vote.

-------------------

If it's needed, here's an MS link that provides steps on how to turn Off and On System Restore.
http://support.microsoft.com/kb/310405
0
LVL 23

Expert Comment

by:Shane Russell
When I do use windows xp in boot camp or in a virtual machine or even on a normal pc I refuse to use system restore as a backup plan / method / route.

I do a clean fresh install - ascertain which drivers the computer needs ( chipset, video / audio etc ) and install all of them doing the chipset first, then latest network card, latest audio etc

Disable and delete and restore points etc

Then I install any software I require whether it be open office, microsoft office, gimp and the likes ie anti virus, anti spyware , possibly a software firewall ie free zone alarm.

Then I would use something like Acronis True Image, Norton Ghost, Bacula or something similar and make an image of the system to either a DVD set or an external hard drive (preferably an ext HDD). From there I store all my data on another hard drive / storage pool, preferably somewhere that has RAID, even if it's an external LaCie RAID 1 HDD or somewhere similar. That way, if I need to reinstall Windows, I can use the DVD set or ext HDD to re-image the computer.

All the data I had is safe, assuming that when you go through the installation process you have the ext HDD disconnected so you don't accidentally format it. Then the computer will be re-imaged and all your data safe, because your data is still on the ext hard drive or other hard drive that has nothing to do with the system drive (C:) or wherever you installed Windows, as you keep it separate.
0
LVL 31

Expert Comment

by:Thomas Zucker-Scharff
gecko,

Your method is one of the best.  Unfortunately, most people don't have the wherewithal (sp?) or technical expertise to do it that way.  I've set up many systems and cleaned many more.  Most of the time users don't have backups and the data, apps and OS are on the same partition.  If they have a default Windows setup then System Restore is enabled and in turn their best backup solution.  Once they leave my office they have a different view of backup and some new software.  I also tell them pretty much the best way to go about configuring their computer is as you have described.  

On the off hand that they have had a malware problem (usually why they come to me), My LAST step is to disable SR, thereby deleting all their restore points and any problems that may be reintroduced later on.  I use the procedure I outlined above to make sure that any malware on the machine doesn't leave my office.  (you'd be surprised how often people reinfect their machines with system restore)

Thanks for your comments.
0
LVL 23

Expert Comment

by:Shane Russell
I'm surprised that the way IT has gone they have not come up with an all in one raid 1 -  256 gig drive that has 2  hard drives ( Laptop hard drives ) so that you could have that installed on the 2nd channel whether SATA OR PATA and re direct my documents to that partition and make it policy to store data on that partition and if they wanted have group policy or volume shadow copy keep a backup of it assuming the network connection is fast enough  and disable system restore completely and have some software as per mentioned above acronis, ghost or what ever software supports it that would on shutdown reboot into dos or its own util that would do an image of the main drive to the other drive so if it did go sunny side up then you could replace the main drive and boot into the util and get it to restore the OS at its last capture point and all the apps / data would still be there and obviously if one of the laptop drives died you just replace it and it would copy the data to the other drive.

That way users data are backed up on each pc locally as well as backed up on the server centrally via tape or nas or w/e
0
LVL 3

Expert Comment

by:DavidLeal
One of the first things I do with my corporate and personal computers is to disable System Restore. As somebody said earlier, it gives a false sense of security. I'm the domain admin, and one of my first domain policies was "System Restore: disabled".

I prefer to format the corrupt or infected computers; almost every time it takes less time compared to the time invested in solving "strange" problems...

I'm a good problem solver, and resolve a lot of issues with PCs and servers, but with PCs, if I pass 30 minutes without any idea of the problem, I give the PC to my support personnel to format it... with servers I always solve the issues, sometimes with ideas taken from here, or with our good friend Google =)
0
LVL 23

Expert Comment

by:Shane Russell
aka re imaging the computer whether it be via WDS, RIS, Sysprep, ghost, acronis true image, FOG , clone zilla or otherwise
0
LVL 23

Expert Comment

by:Shane Russell
Thanks for the clarification of this post just picked up on this comment

"She CLEARLY stated NOT to delete Restore Points before attempting spyware removal because if something goes wrong there's no way to reverse your actions. Yes you would want to delete those restore points but the time to do it is later, not while in the process of cleaning the system."

=============================
I got to the point with viruses / spyware where if the computer is infected and I did delete system restore points and it would not boot up ( depending on the error you get ( BSOD ) then you may be able to replace the relevant items from the recovery folder ) but if it refuses to startup then I use a linux live disc such as knoppix or bart pe or a win pe disc ( there are other discs available ie ultimate boot disc )  to backup any data and format and re install the OS along with drivers and software which is always a good thing because you get

1. A fresh install, so you know you have completely wiped out the problems (viruses / spyware / malware etc.)

2. You get up to date drivers

3. When you install the software all the software will be updated along with the OS updates depending on if you run windows updates or if you already have an up to date installation disc with all updates previously slip streamed.

4. Although this may take a bit longer than just repairing it, there still may be leftovers that have been missed, and although it's stopped the computer from being slow or whatever the signs were, a fresh install is a lot easier and a safer bet for getting rid of a computer riddled with viruses / malware etc.

5. Yes, I never thought of doing it that way around with ref to disabling System Restore last, but I have had a few cases where I have run the virus scan (different anti-virus solutions / apps) and it still stated that the computer was infected (all definitions were up to date at that point in time). In the end the user had copied all their data to an external hard drive which was scanned for viruses / malware and turned out to be clean, so we disabled System Restore and re-ran the scan and that seemed to resolve the issue.
0
LVL 47

Author Comment

by:rpggamergirl
To All:

Please, let us not change the focus of this article from "viruses in System Restore" to being just about System Restore or about system backup methods.

This article is NOT about data backup systems like Acronis or Norton ghost.
It is simply what the title states, "Viruses in the System Volume Information folder (System Restore)", and when to purge those restore points when the system is infected.

If you're not even using System Restore, then this article doesn't apply to you.

Thank you for your comments, :).
0
 

Administrative Comment

by:Mark Wills
Well said rpggamergirl.

@gecko_au2003, maybe you can write an Article of your own ? Seems you have a few ideas to share.

Regards,
Mark Wills
0
LVL 23

Expert Comment

by:Shane Russell
I don't use windows or do any of that now - at least for the time being, would be nice to get back into the IT support realm of work again but currently need to get more qualifications so will be working on that.

Also learning more about the apple mac platform / BSD / *NIX so sort of given up on the windows platform with all the problems and have to x, y and z to keep it running , not to say other operating systems are better as they all have there pros and cons.

Anyway back to the system restore article and enough said about other ways of doing things.

I may consider doing a few articles later on.
0
LVL 38

Expert Comment

by:Rich Rumble
I also disagree, especially since Conficker (downadup) resets the system restore points, it's unreasonable to assume other Viri don't or haven't done this in the past (which they have)
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker (payload section)
System Restore does act silently if vital/critical system files have been altered, and no action from the user is prompted; the files are replaced. Also if one BSODs, or somehow comes to the "use last known good configuration" screen, the restore point is being accessed and used. I've seen this a few times; the viri are not as "dormant" as the article leads people to believe.
I think it's a judgment call to delete the restore points before or after infection, I'm of the opposite opinion of the article on the side of AV vendors, disable before cleaning. Perhaps our Xp and Vista setups are different than yours, but users who have sys restore enabled in our environments get reinfected over and over with the same viri unless there is a patch that directly stops them, or they are not an administrator.
-rich
0
LVL 31

Expert Comment

by:Thomas Zucker-Scharff
It has been my experience that when this particular version of Conficker attacks, the reset of System Restore is merely deleting all your restore points, YMMV. I have yet to have a real problem in which System Restore points have infected a computer without being used. Although I am not familiar with System Restore working in the way you suggest, I could imagine it to be the case. In the end it doesn't really make a difference, since I believe "having an infected restore point is better than having none at all" is a truism. My last step in cleaning a computer is always to disable and then re-enable System Restore, thereby deleting all old restore points anyway.

I agree with rpggamergirl in her very adept analysis of this.
0
LVL 38

Expert Comment

by:Rich Rumble
That's sort of what I was getting at... I think it goes both ways. If you have no restore points (and it's not easy for the average user to tell), then you won't have a restore point to fall back on should the removal mess something up. Downadup/Conficker has been around 2-3 years now; if a user has had the infection long enough and installed their patches/SPs, or even other software that sets a restore point before installing, then Conficker does get "backed up" in the restore point. When a restore is done from a Conficker-infected restore point, upon Conficker execution that restore point is gone again, often leading to even more OS instability than before restoring to the infected RP. It's not limited to Conficker, but it's a fine example.
Our company has had mixed success with System Restore (infected or not), so we probably are more biased against it, as for us it's been more headache than blessing, YMMV etc.
So my point is not to argue whether having an infected restore point is better than none; it's that you might not have one at all, especially if you catch the infection quickly. I think deleting before or after depends on what you have been infected with; it might be better to err on rpg's side, even if there is no restore point to go back to. I'm more of a LUA advocate than anything else.
-rich
0
LVL 31

Expert Comment

by:Thomas Zucker-Scharff
In which case I agree with what you say, as we have many users who (by default) have SR enabled and don't have the slightest idea it's there until they get something for which they need to call me. Generally I don't use restore points and tend to lean toward reimaging a system completely rather than wasting time trying to delouse it and finding out down the road that something was still left and it's infected again. I also use Microsoft's SteadyState on computers (excellent software), which puts the system back in the exact state you left it in when you installed SS after every reboot. This is of course not for those users who save a lot of files to their hard drives or make significant changes to local drives.
0
LVL 38

Expert Comment

by:younghv
I don't pretend to speak for the author of this piece, but one of the reasons for writing it may have been to combat an increased incidence of certain advice here on EE. We had several new experts start telling ALL Members to ALWAYS start their disinfecting procedures by deleting all Restore Points.

Obviously, that is not always the right decision for everyone.

The vast majority of people asking those questions here on EE are one/two computer home users with very limited IT skills. Having a Restore Point to fall back to (infected or not) is a viable way of getting them back up and running again.
0
LVL 23

Expert Comment

by:Shane Russell
>>We had several new experts start telling ALL Members to ALWAYS start their disinfecting procedures >>by deleting all Restore Points.

I think I was guilty of this to start with, and at the time did not realise that they were starter users. Personally, the way I do it is with a boot disc (BartPE, a Linux live disc or the like), recover the data that way, and then just do a fresh install.

Apologies to anyone if I did do that!!
0
LVL 38

Expert Comment

by:younghv
gecko_au2003:
I don't remember seeing you do that and I tend to keep a pretty close eye on the Zones.

Quite honestly, I miss the old days when (by regulation) any infected box had the HDD removed and destroyed, with an image loaded on a new HDD - about a 15 minute job.

Now my customers have no image, no backup, (no common sense - LOL), and they pay me by the hour to grind out their data (MY BABY/WEDDING PICTURES ARE GONE!) and 'repair' their systems.

Oh well, at least it keeps me in beer money.
0
LVL 40

Expert Comment

by:evilrix
Perfect. Voted yes.
0
LVL 23

Expert Comment

by:Shane Russell
In a work environment I think it's a case of all data goes to your network drive (home area, or whatever you want to call it for argument's sake), and if anything like that happens it's a case of a reimage, or swapping hard drives and reimage / reinstall as you mention above.

lol @ beer money, free as in beer I take it.
0
LVL 47

Author Comment

by:rpggamergirl
I see... this article is still getting lots of attention, :).
Thank you tzucker for your positive comments on this thread....much appreciated.

younghv,
You hit the nail... that was the main reason I wrote this article so users will realize that it's a good practice to keep SR intact till after the cleanup.
Thanks for the input, it's nice to think of the 'up-side' of having these nasties, :)

evilrix,
Thanks for the Yes vote!


@ richrumble:
In those cases where viruses have already reset System Restore, so be it, but that shouldn't stop us from practising what proves to be a better method.

<<<"Our company has had mixed success with system restore (infected or not) so we probably are more biased against it, as for us it's been more headache than blessing,...">>>

As I've mentioned before, some factors can affect System Restore's functionality: a buggy BIOS, disk space, dual booting, and installed programs, e.g. if SRP is turned on in Norton, IBM Rescue and Recovery, some versions of ZoneAlarm, etc.
Deletions of restore points can also sometimes be caused by third-party tools, but there's often a workaround without uninstalling the culprit app.
System Restore also shouldn't be monitoring OEM systems with Recovery partitions, as that interferes with SR functionality.

Windows System Restore works wonderfully well in most systems but may not work for some....depending on how the system is setup.

Thank you all for keeping this article active, :)
0
LVL 14

Expert Comment

by:systan
intriguing...I vote yes.
0
LVL 22

Expert Comment

by:senad
It's not a Symantec issue... Microsoft explicitly insisted that these files be left alone (excluded from scanning), and hence the issue. Otherwise they threatened not to give the 'Designed for Windows' label to any AV. Virus writers immediately seized the opportunity before Microsoft realized it was a mistake.
0
LVL 14

Expert Comment

by:systan
hi senad;
Are you saying that my opinion or comment is right? Or wrong? If it is wrong then I'll accept that as a compliment, thank you. If it is right, then I must be a system expert that knows the flow of the virus.
0
LVL 22

Expert Comment

by:senad
See for yourself (pic). This is NIS 2011.
However, you can remove the default scanning option so Norton will scan the System Volume Information folder.
(Attachment: 07.09.png)
0
LVL 23

Expert Comment

by:Shane Russell
I've always been of the opinion to:

Ensure you have all the relevant discs (OS) and all the latest drivers downloaded (preferably from a separate computer that is not infected, or from a library, to a memory stick, so you at least have the network / chipset drivers) so you can, if need be, start over (see bottom).

1. Back up any data.
2. Delete restore points / disable System Restore.
3. Update virus definitions / spyware definitions and run scans to remove malware in Safe Mode.
4. Boot back into Windows (normally) and re-run the scans to double-check it has not missed anything.
5. Run a free online AV scan just to ensure that my local anti-malware has not missed anything.
6. Re-enable System Restore and create a fresh restore point.

Assuming nothing goes wrong in between; if it does, then just do a fresh install from the OS installation discs and the drivers from said storage device (whether memory stick, external HDD, or optical disc, i.e. CD or DVD R or RW).

Either way you are able to get back to a point where you have a malware-free OS.
0
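The disagreement in the comments above is only about step 2: Shane's checklist purges the restore points before scanning, while the article (and younghv's practice of turning System Restore off and back on once the logs are clean) purges them after. The added script below, written for this page rather than taken from the article or any commenter, is one way to run the "purge after cleanup" ordering from an elevated Windows PowerShell 5.1 prompt on Windows 7 or later. It first shows what restore points and shadow copies actually exist (Rich Rumble's point that an infected box may have none left to fall back on), and only with the script's own -AfterCleanup switch does it toggle System Restore off and on for the drive, which deletes every restore point for that drive, and then creates a fresh baseline. The $Drive parameter, the -AfterCleanup switch and the checkpoint description are this example's assumptions; the cmdlets and vssadmin are standard Windows components, though the *-ComputerRestore cmdlets are not shipped in PowerShell 7.

```powershell
#Requires -RunAsAdministrator
<#
  Added example; not code from the article or from any commenter.
  Assumes Windows PowerShell 5.1 on Windows 7 or later, run elevated.
  $Drive and -AfterCleanup are this script's own parameters.
#>
param(
    [string]$Drive = 'C:\',
    [switch]$AfterCleanup   # set only once your scans and logs come back clean
)

function Get-RestorePointSummary {
    # Lists what a purge would throw away. Get-ComputerRestorePoint returns
    # SystemRestore WMI instances whose CreationTime is a DMTF date string.
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Sequence = $_.SequenceNumber
            Created  = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Type     = $_.RestorePointType
            Reason   = $_.Description
        }
    }
}

Write-Host "Restore points present before any action:"
$before = @(Get-RestorePointSummary)
if ($before.Count -eq 0) {
    # Malware such as Conficker can clear restore points itself; in that case a
    # purge gains nothing and there is no fallback either way.
    Write-Warning "No restore points exist on this system."
} else {
    $before | Format-Table -AutoSize
}

# On Vista and later each restore point is a Volume Shadow Copy; on XP the data
# lives as files under "<drive>\System Volume Information\_restore{GUID}".
# The folder is ACLed to SYSTEM only, which is why AV products tend to skip it
# and why its contents are inert until a restore is actually performed.
Write-Host "Shadow copies for $Drive"
vssadmin list shadows /for=$Drive

if (-not $AfterCleanup) {
    Write-Host "Leaving System Restore intact. Clean the system, re-scan, then rerun with -AfterCleanup."
    return
}

# Post-cleanup purge: turning protection off for the drive deletes its restore
# points (the same action the System Protection dialog warns about); turning it
# back on resumes monitoring with an empty history.
Disable-ComputerRestore -Drive $Drive
Enable-ComputerRestore  -Drive $Drive

$after = @(Get-RestorePointSummary)
if ($after.Count -ne 0) {
    # Third-party tools or policy can manage SR behind your back; check before trusting the purge.
    Write-Warning "Restore points survived the toggle; check Group Policy and third-party backup/SR tools."
}

# Fresh baseline of the known-clean state. Windows 8 and later ignore a second
# checkpoint within 24 hours unless SystemRestorePointCreationFrequency under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0.
Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType MODIFY_SETTINGS
Get-RestorePointSummary | Format-Table -AutoSize
```

Run it once without the switch at the start of the cleanup to record what you have to fall back on, and once with -AfterCleanup as the very last step. The warning after the toggle is there because, as the author notes further down, third-party tools and OEM recovery software can interfere with System Restore, so a purge you did not verify is a purge you cannot assume happened.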
LVL 38

Expert Comment

by:younghv
All readers should refer back to the actual Article and read the "In Conclusion: " (last) section and note the multitude of MS MVP's who support the process that rpggamergirl has detailed for us.

Then note the number of MS MVP's who are posting their disagreement (none).
0
 

Administrative Comment

by:younghv
@systan:
Your "Joke" comment has been deleted.
Please only post technical comments that relate to the Article.

younghv
Page Editor
Experts-Exchange
0
LVL 23

Expert Comment

by:Shane Russell
Fair enough younghv, but quoting this sentence (paraphrasing here):

"The best time to disable System Restore in an infected system is AFTER the cleanup when the system is in a stable condition."

How do you, or would you, decide when the computer / Windows is in a stable enough or clean enough state to disable System Restore, assuming there is malware in the System Restore points? I have had it before a number of times on XP where I have done all the scans I can in Safe Mode or booted up normally, and it still detects the viruses / spyware etc. repeatedly (being the same infections), and after removal of said malware (whether viruses / spyware or whatever), after a reboot they reappeared.

I honestly can't remember what the XP machine was infected with now, so I couldn't tell you which ones it may have been, but in the end I was going around in circles, so I disabled System Restore to start with, after a data backup.

0
LVL 38

Expert Comment

by:younghv
Posting as an Expert.

I never disable the System Restore function.
When my logs have been examined and found clean by those I trust (starting with rpg) I will turn off the function, reboot the computer, and then turn it back on.

As I (and many others) have already stated, the advice and recommendations here are targeted at the basic home user. They don't have an IT shop at their beck and call with all of the various devices (and images) sitting there waiting to solve the problem for them.

I spent many years in an environment where 'repair/cleaning' was NEVER an option. Any sign of infection was a "Format/Re-load" - without any discussion. Of course, we had the resources to perform that function on any computer in our inventory in about 15-20 minutes, so it wasn't that big a deal.

We seem to have any number of commenters here who want to impose their personal/professional philosophy on something that is simply a very good set of instructions for the average user.
0
LVL 14

Expert Comment

by:systan
Nice tricks
0