Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.

Viruses in the System Volume Information (System Restore).

rpggamergirl
CERTIFIED EXPERT
Published:
Updated:
System Restore -- is a Windows utility that periodically saves the changes made in the system, e.g., backup monitored files, registry, drivers and allow users to roll back the system to its previous state in the event of PC instability or program failures. It is indeed a very useful windows component that can save users time of repairing or reinstalling the Operating System.

However, in cases where the system is infected, System Restore might also back up infected files and viruses. But the good thing is, it is also very easy to remove viruses in that folder, all you have to do is turn it off and all viruses will be deleted along with all of the restore points.

So... with an infected system - when do you purge those restore points? Do you disable it BEFORE or AFTER removing the infections? The timing as to when to turn off System Restore is very important.

There have been so many discussions about this, and I've addressed it many times. The best time to turn it off is AFTER the cleanup, hence this article.

The bad practice that many PC techs have is the disabling of System Restore before cleaning the system.  YOU SHOULD NOT DO THIS. They also believe that viruses in the System Restore will creep out of that folder and re-infect the system. Of course that's an absolute nonsense...  the fact is, viruses in that folder are DORMANT and HARMLESS. They don't do anything while in that folder, the only time that those viruses become active and pose a threat to the system is when you use those infected restore points.

You might say, "but Symantec suggests to turn it off before running a scan?"  Well it's wrong to suggest that!... but let's be fair and look at it from their own perspective. They say that, possibly for the following reasons:

     1. Antivirus can not delete viruses in the System Restore.
     2. There's a fairly good chance that the scan will hang when scanning that folder.
     3. It dramatically shortens the scanning time.

Now that certainly makes sense... but what about the users? Is it to their advantage if System Restore is disabled before the cleanup? The answer is NO, in fact for the PC users, it is a BAD idea to turn off System Restore before cleaning the system. While removing malware/viruses, things can go wrong, there are times when the removal process will not go smoothly, and the user will need those restore points. If the user turns it off, he will have no restore points to go back to. It is better to have a possibly infected restore points than none where the only option left is to reformat.

To quote [MVP] MowGreen's thoughts on SR, "It's better to have a leaky, rodent infested life boat than no life boat at all."

In Conclusion:

The best time to disable System Restore in an infected system is AFTER the cleanup when the system is in a stable condition.
When the PC is clean, and you no longer need those restore points, you can turn it off to flush all the viruses and create a new and clean restore point.

I hope this article will help some users understand the importance of keeping those restore points intact while in the process of removing infections.



* If you like, also check out these links and read the comments from Microsoft's Most Valuable Professionals.

CalamityJane (MS-MVP Consumer Security)

"II. Do NOT start your fix by disabling System Restore. This rule applies to any manual fixes and is especially true for spyware removal. That is because disabling System Restore wipes out all restore points. Should a problem arise during the fix you would have NO good working configuration to go back to get the computer up and running. Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off. Clean the restore older and set a new point AFTER the PC is clean and all programs are working properly."
http://www.dslreports.com/faq/13622


Sandi Hardmeier (MS-MVP, AH-VSOP) , in her webpage "Troubleshooting browser hijackings" and also in an article "Bug busting: Getting Rid of Spyware"
http://inetexplorer.mvps.org/tshoot.html
http://www.microsoft.com/windows/IE/community/columns/bugbusting.mspx

She CLEARLY stated NOT to delete Restore Points before attempting spyware removal because if something goes wrong there's no way to reverse your actions. Yes you would want to delete those restore points but the time to do it is later, not while in the process of cleaning the system.


Bugbatter (MS-MVP Consumer Security), 'pre-cleanup' speech.
"If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly."
http://en.community.dell.com/forums/p/19318659/19645158.aspx#19645158


Jim Eshelman (MS-MVP, AumHa Webmaster/Proprietor), in his article "Purging old System Restore points"
"Leave System Restore in place until your computer is clean and stable."
http://forum.aumha.org/viewtopic.php?f=43&t=13209&view=next


Steve Wechsler- aka Mow Green (MS-MVP, AH-VSOP)
(Msg. 5)
"Sorry, Symantec's advice is just plain wrong. What if the tool you've
download prevents the system from rebooting, then what ? You'll have *no* restore points to use to regain control of the system."
http://www.eggheadcafe.com/software/aspnet/33972249/help-on-disabling-windows.aspx


tashi - (MS-MVP. Consumer Security)
"Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (not good) and won't remove the malware."
http://forums.spybot.info/showthread.php?t=288


Bert Kinney (MS-MVP, AH-VSOP)
(Msg. 8)
"When removing virus/spyware infection, DO NOT DELETE ALL RESTORE POINTS until the system is confirmed clean and functioning normally."
http://forum.soft32.com/windows/Reinstall-XP-Home-Dell-ftopict277428.html


Happy computing!
42
17,835 Views
rpggamergirl
CERTIFIED EXPERT

Comments (48)

CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
All readers should refer back to the actual Article and read the "In Conclusion: " (last) section and note the multitude of MS MVP's who support the process that rpggamergirl has detailed for us.

Then note the number of MS MVP's who are posting their disagreement (none).
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Administrative

Commented:
@systan:
Your "Joke" comment has been deleted.
Please only post technical comments that relate to the Article.

younghv
Page Editor
Experts-Exchange
Shane Russell2nd Line Desktop Support

Commented:
fair enough younghv but quoting this sentence ( para phrasing here )

"The best time to disable System Restore in an infected system is AFTER the cleanup when the system is in a stable condition."

How do you or would you decipher when the computer / windows is in a stable enough or clean enough state to disable system restore assuming there is malware in the system restore points as I have had it before a number of times on xp where I have done all the scans I can in safe mode or booted up normally and it still detects the viruses / spyware etc repeatedly ( being the same infections ) and after removal of said malware ( whether they are viruses / spyware or whatever ) after a reboot they re appeared.

I honestly can't remember what the xp machine was infected with now so couldn't tell you which ones it may of been but in the end I was going around in circles so disabled system restore to start with after a data backup.

CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
Posting as an Expert.

I never disable the System Restore function.
When my logs have been examined and found clean by those I trust (starting with rpg) I will turn off the function, reboot the computer, and then turn it back on.

As I (and many others) have already stated, the advice and recommendations here are targeted at the basic home user. They don't have an IT shop at their beck and call with all of the various devices (and images) sitting there waiting to solve the problem for them.

I spent many years in an environment where 'repair/cleaning' was NEVER an option. Any sign of infection was a "Format/Re-load" - without any discussion. Of course, we had the resources to perform that function on any computer in our inventory in about 15-20 minutes, so it wasn't that big a deal.

We seem to have any number of commenters here who want to impose their personal/professional philosophy on something that is simply a very good set of instructions for the average user.

Commented:
Nice tricks

View More

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
You Belong in the World's Smartest IT Community