System Restore

Thread starter: RobbieA

RobbieA

Hi All:

I'd like to get a consensus of opinion, or at least the
best pros and cons, regarding the latest reference by
Vanguard to turn off System Restore, "disable System
Restore" for cleaning up the box.

Several times Bill S has questioned that wisdom.....

How about it Bill, Plun, Andre, Ron K, Steve D, Ron C,
Bullwinkle JM, Frank S, Steve W and Randy K? What say
you?

Tks,

RobbieA
 
Yes, it does have its risk, but my recommendation after doing a thorough
scan in safe mode is to restart back immediately in Normal Mode and
immediately reenable system restore and create a new restore point right
away!
 
Disabling sys restore is now current when removing a lot of viruses (they
use sysrestore to restore themselves). Usually, I try a first shot with sys
restore active.
 
But who says the same can't happen with Spyware as they are even more
intelligent than viruses.
 
RobbieA said:
Hi All:

I'd like to get a consensus of opinion, or at least the
best pros and cons, regarding the latest reference by
Vanguard to turn off System Restore, "disable System
Restore" for cleaning up the box.

I don't like that method as a first step, and if it is also a PC with only a
problem with IE and "slowdowns" I first try combinations of other methods.

I ask myself this:

- Can this PC be infested with a virus or spyware?

- Updated virus program? No: Housecall online scanning or Stinger.
  Scan reports about viruses or spyware within certain restore points (RP)?
  I then remove specific restore points within C:\System Volume Information.

- Service packs? Firewall? Update after spyware removal!

- Any backups ? With no backups you must be careful.

Then it's time for safe mode:

- Run CCleaner, in all three tabs, to save scan time and remove all junk.
  This really saves a lot of scan time! I always use default settings and
  remove everything. I know this is against MS policy, but someone must have
  had a bad day when he/she approved this temporary "graveyard" within all
  Windows PCs.

- Run Adaware, sometimes also Spybot.

- Run MSAS again

- Restart; if the problem persists I then check around some well-known forums.

- If this PC really is infested it can be a good idea to clear out SR after
  this and then directly start SR again with a new RP.
 
Hi Robbie,

<What say you?>
IMVHO, there is no set rule for when you kick SR to the curb. I usually
use gut instinct and try my tricks first w/o stopping SR just on the offhand
case that something very bad may happen when I work on the machine.
That said, once I get a feel that the machine has a bundle of woes, the
temp, TIF, and SR get kicked.

Additionally, there is a MSKB Article about it, and I can post that for you
after I get back to the office on Monday.

Ron Chamberlin
MS-MVP
 
My view is: if you have a virus, Trojan or worm identified as being on your
system, then disable System Restore before performing any clean-up. I wouldn't
attempt to clean a PC up with restore left on, as you can be forever going
round in circles cleaning up the same stuff; any trace in the restore files of
the malware will in many cases cause it to regenerate when you reboot your PC.

Sure, if you have only just picked up malware then use the restore first to go
back to a time when you know the system was clean, but if you cannot do this
then the restore points are useless, depending on what the infection is.

If you have some adware/spyware issues then System Restore can be left on and
dealing with the adware manually can be the best option. But once it's clear
there are viruses/worms or Trojans involved I'd always advise disabling the
restore area, or helping people is a waste of their and my time when they
reboot and everything comes back.

I appreciate everyone will have different views on this, so it's a good
question to ask, but I wouldn't personally help someone clean a PC of malware
who wanted to keep the restore switched on, as it's a waste of time. I'd advise
them to use it if they can to clear the scumware and, failing that, I'd advise
disabling it, then only enable it again once everything is clean.

Regards Andy
 
Jacques-what evidence can you cite to show that viruses "use sysrestore to
restore themselves."

Even Symantec, who make this recommendation do not say that. What they do
say does not justify removing this important safety net, in my opinion.

Can someone show me a published technical note from an antivirus vendor
which states that viruses can be in some way automatically restored from
System Restore--Symantec certainly doesn't say anything like that?
 
I have yet to hear an argument from the proponents of turning off SR that
has a clear basis in fact. I've read what Symantec says about doing this,
and it doesn't seem to me to justify the action. It says that 1) viruses
may be detected by their software in the SR store area, and 2) if you use an
infected restore point, the virus will be restored.

I'm going to do some digging at other antivirus vendors sites--but you would
think that if this really was a significant issue in virus removal, that
every antivirus vendor would have a clear statement about doing this as part
of the cleaning operation.

My preference continues to be to clean the machine first, then destroy old
restore points and create a new one.
 
Here's what Trend Micro has to say:
============================
Windows Millennium Edition (ME) and Windows XP have a feature known as
System Restore, which creates backups of certain files in the _Restore
folder. The System Restore feature usually backs up files with EXE or COM
extensions, which may include infected files and malware programs. Files in
the _Restore folder are protected and can only be accessed using System
Restore. This feature must be disabled first before Trend Micro antivirus
can access and clean these files.
========================

Frankly, this statement also appears inaccurate to me. I'm uncertain about
Windows Millennium edition, but when you disable SR on XP, the restore
points are destroyed (i.e. the files are deleted)--so the bit about "Trend
Micro antivirus can access and clean these files" makes no sense!
 
McAfee has a stock paragraph about System Restore on Windows Millennium
which states that turning off SR is necessary to clean the files in the SR
storage area. I wasn't able to find a more general statement which
mentioned this feature in XP, in a quick search.

So--so far, I find no mentions of viruses doing anything automatic from the
SR storage area.
 
Bill said:
So--so far, I find no mentions of viruses doing anything automatic from the
SR storage area.

Well, you can have automatic behavior from SR, but most
antivirus programs now identify specific restore points RPXXX
and these can then be manually removed.

This is from Symantec:

Cannot repair, quarantine, or delete a virus found in the
_RESTORE or System volume information folder

Situation:
Norton AntiVirus detected a virus in the _RESTORE or the
System volume information folder, but it cannot repair,
quarantine, or delete the infected file.

Solution:
About System Restore
Windows uses System Restore to restore files on your
computer in case they become damaged. System Restore is
enabled by default. Windows Me keeps the restore information
in the _RESTORE folder. Windows XP stores this information
in the System volume information folder. These folders are
updated when the computer restarts. If the computer is
infected with a virus, the virus could be backed up in these
folders.

Repairing System Restore
By default, Windows prevents System Restore from being
modified by outside programs. Because of this, any repair
attempts made by Norton AntiVirus will fail. To work around
this, you must disable System Restore, and restart the
computer. This will purge the contents of the _RESTORE or
System volume information folder. You must then run a full
system scan. To do this, find your operating system in the
list below and follow the steps. Click the icon to the left
of your version to either expand ( ) or collapse ( ) that
section. (If you cannot expand a section, then read the
document Cannot expand sections in a Symantec Knowledge Base
document.)

http://service1.symantec.com/SUPPOR...8825696500726d13?OpenDocument&src=bar_sch_nam
 
F-secure:
-----------------
In Windows Millenium there was a new feature introduced called System
Restore. The new Windows XP has this feature. It creates backup copies of
the essential system files so they can be restored if they get corrupted.
Sometimes this makes disinfection difficult as backup files can get infected
and copied to System Restore folder by Windows. Then after disinfection
Windows will copy the infected file back over the clean ones.
----------------
This is none-too-carefully worded. "Windows will copy the infected file
back over the clean ones."

Yes--if the user chooses to use the restore point. Not in any automagic
fashion.
 
IMHO - this is the best write-up of the vendors that I've found so far. It
is neutral in tone, and gives clear information about what is happening, and
how to fix it:

---------------------------------------------------------------------------------
The RealTime Protector displays a message saying that files in
"c:\system volume information\restore" are infected.

The problem is that the system restore component of your Windows ME or
XP has backed up your system while it was infected.

System Restore is a component of Windows that you can use to restore
your computer to a previous state, if a problem occurs, without losing your
personal data files (such as Microsoft Word documents, browsing history,
drawings, favourites, or e-mail). System Restore monitors changes to the
system and some application files, and it automatically creates easily
identified restore points. These restore points allow you to revert the
system to a previous time. They are created daily and at the time of
significant system events (such as when an application or driver is
installed). You can also create and name your own restore points at any
time.

Follow the steps that apply to your operating system:

Windows Me:
1. Close all open programs.
2. Right-click My Computer on the Windows desktop, and then click
Properties.
3. Click the Performance tab.
4. Click File System.
5. Click the Troubleshooting tab.
6. Check Disable System Restore, click OK, and then click Close.
7. Click Yes to restart. This disables the System Restore feature and
will purge the contents of the _RESTORE folder when the system is restarted.
8. Make sure you have up to date virus signature files for F-Prot and
scan to disinfect.
9. Scan all files and all drives.
10. After cleaning the infected files, repeat steps 1 through 7,
except in step 6, uncheck Disable System Restore.

Windows XP:
1. Click Start, and then right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Restart the computer.
7. Make sure you have up to date virus signature files for F-Prot and
scan to disinfect.
8. Scan all files and all drives.
9. After cleaning the infected files, repeat steps 1 through 6, except
in step 4, uncheck Turn Off System Restore.

If you ignore the warning from the RealTime Protector, it will
disappear eventually when new restore points are created.
 
plun said:
Well, you can have automatic behavior from SR, but most antivirus
programs now identify specific restore points RPXXX and these can then be
manually removed.

This is from Symantec:

Cannot repair, quarantine, or delete a virus found in the _RESTORE or
System volume information folder

Situation:
Norton AntiVirus detected a virus in the _RESTORE or the System volume
information folder, but it cannot repair, quarantine, or delete the
infected file.

Solution:
About System Restore
Windows uses System Restore to restore files on your computer in case they
become damaged. System Restore is enabled by default. Windows Me keeps the
restore information in the _RESTORE folder. Windows XP stores this
information in the System volume information folder. These folders are
updated when the computer restarts. If the computer is infected with a
virus, the virus could be backed up in these folders.

Repairing System Restore
By default, Windows prevents System Restore from being modified by outside
programs. Because of this, any repair attempts made by Norton AntiVirus
will fail. To work around this, you must disable System Restore, and
restart the computer. This will purge the contents of the _RESTORE or
System volume information folder. You must then run a full system scan. To
do this, find your operating system in the list below and follow the
steps. Click the icon to the left of your version to either expand ( ) or
collapse ( ) that section. (If you cannot expand a section, then read the
document Cannot expand sections in a Symantec Knowledge Base document.)

http://service1.symantec.com/SUPPOR...8825696500726d13?OpenDocument&src=bar_sch_nam

Removing specific restore points is a step forward--but what I read above
from Symantec still talks about blowing it all away.

I think this step is more justified with regards to a virus or trojan which
may involve risk of data loss or loss of confidentiality, than with the
average piece of spyware.

I also think that maybe they are selling their customers short--or
underestimating their intelligence. Surely the program could differentiate
between viruses found in the SR store and those found in the running system,
and provide better advice?

At any rate--I don't see blowing away all restore points on the theory that
it might make it easier to say that your system is clean of spyware.
 
According to virus descriptions (personally I only faced viruses involving
security leaks which were easy to fix after updating the OS), some put part of
their code in C:\Restore which can't be cleaned by any program but can
easily restore a missing file. I think that Symantec is right to say "IF YOU
can't clean something involving restore, you must stop restore".
As a shortcut, anybody is effectively wrong saying the first thing to do is
to deactivate. It's why I wrote "first try in the normal way (safe mode with
sys restore active)". Perhaps a misunderstanding of my poor English if you
understood something different.
 
Jacques said:
According to virus descriptions (personally I only faced viruses involving
security leaks which were easy to fix after updating the OS), some put part of
their code in C:\Restore which can't be cleaned by any program but can
easily restore a missing file. I think that Symantec is right to say "IF YOU
can't clean something involving restore, you must stop restore".
As a shortcut, anybody is effectively wrong saying the first thing to do is
to deactivate. It's why I wrote "first try in the normal way (safe mode with
sys restore active)". Perhaps a misunderstanding of my poor English if you
understood something different.

Hi Jacques

You can often remove this directly within _specific_ restore
points, RPXXX.

Most antivirus programs detect in which RPXXX there is a
virus, but they can't remove them.

See this screen dump from my C:\System Volume Information:

http://hem.bredband.net/b288305/rp.JPG

It is really "overkill" to cut all restore points...!
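As an added example (not code from this thread or from any antivirus vendor), here is a small Python triage script for the approach plun describes here and earlier in the thread: read the scanner's report, separate detections in the running system from detections inside System Restore backups, and group the latter by restore point (RPxxx) so that only the affected restore points need to be removed rather than the whole store. The report line format, file paths, GUID and threat names are all constructed for illustration; real scanners have their own log formats, so the regular expressions are the part you would adapt.

```python
import re
from collections import defaultdict

# Constructed sample scan-report lines (made up for this example; not real
# scanner output). The GUID is a placeholder and the threat names are invented.
SAMPLE_REPORT = """\
C:\\WINDOWS\\system32\\svchost.exe - OK
C:\\Documents and Settings\\user\\Local Settings\\Temp\\setup1.exe - Infected: Example.Trojan.A
C:\\System Volume Information\\_restore{00000000-1111-2222-3333-444444444444}\\RP47\\A0003321.exe - Infected: Example.Trojan.A
C:\\System Volume Information\\_restore{00000000-1111-2222-3333-444444444444}\\RP47\\A0003322.dll - Infected: Example.Trojan.A
C:\\System Volume Information\\_restore{00000000-1111-2222-3333-444444444444}\\RP52\\A0004100.exe - Infected: Example.Adware.B
C:\\System Volume Information\\_restore{00000000-1111-2222-3333-444444444444}\\RP53\\A0004290.exe - OK
C:\\_RESTORE\\TEMP\\A0000012.CPY - Infected: Example.Worm.C
"""

# One report line (constructed format): "<path> - OK" or "<path> - Infected: <threat>"
LINE_RE = re.compile(r"^(?P<path>.+?) - (?:OK|Infected: (?P<threat>.+))$")

# Windows XP keeps restore points under
#   <drive>:\System Volume Information\_restore{GUID}\RPnnn\
XP_RP_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)

# Windows Me keeps its backups under <drive>:\_RESTORE\ (no RP numbering)
ME_RESTORE_RE = re.compile(r"^[A-Z]:\\_RESTORE\\", re.IGNORECASE)


def triage(report_text):
    """Split infected paths into: live system, XP restore points (keyed by RP
    number), and the Windows Me _RESTORE folder. Clean files are ignored."""
    result = {"live": [], "xp_restore_points": defaultdict(list), "me_restore": []}
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("threat") is None:
            continue  # unparsable or clean: nothing to triage
        path, threat = m.group("path"), m.group("threat")
        rp = XP_RP_RE.search(path)
        if rp:
            result["xp_restore_points"][int(rp.group("rp"))].append((path, threat))
        elif ME_RESTORE_RE.match(path):
            result["me_restore"].append((path, threat))
        else:
            result["live"].append((path, threat))
    result["xp_restore_points"] = dict(result["xp_restore_points"])
    return result


def summarize(result):
    """Turn the triage into plain-language actions, one string per action."""
    actions = []
    if result["live"]:
        actions.append(
            f"{len(result['live'])} detection(s) in the running system: clean these first."
        )
    for rp in sorted(result["xp_restore_points"]):
        hits = result["xp_restore_points"][rp]
        actions.append(
            f"RP{rp}: {len(hits)} infected backup file(s); remove this restore point only."
        )
    if result["me_restore"]:
        actions.append(
            f"{len(result['me_restore'])} detection(s) in the Windows Me _RESTORE folder."
        )
    if result["xp_restore_points"] or result["me_restore"]:
        actions.append("Once the live system is clean, create a fresh restore point.")
    return actions


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_REPORT)):
        print(line)
```

On the constructed sample this reports one live detection, two infected backups in RP47 and one in RP52, and one hit in a Windows Me `_RESTORE` folder; RP53 is clean and is left alone. The split between "live" and "restore point" hits is the distinction Bill asks the vendors for: a backup copy in a restore point only comes back if that restore point is applied, so it can be handled separately from the running infection.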
 
Jacques said:
According to virus descriptions (personally I only faced viruses involving
security leaks which were easy to fix after updating the OS), some put part of
their code in C:\Restore which can't be cleaned by any program but can
easily restore a missing file. I think that Symantec is right to say "IF
YOU can't clean something involving restore, you must stop restore".
As a shortcut, anybody is effectively wrong saying the first thing to do is
to deactivate. It's why I wrote "first try in the normal way (safe mode
with sys restore active)". Perhaps a misunderstanding of my poor English
if you understood something different.

I think I over-reacted to your message. You were clear about cleaning first
with System Restore active.

I just want to lay to rest, if possible, this myth about there being some
automatic mechanism that can cause a virus or spyware to reactivate itself
when stored in a System Restore restore point.

I won't claim exhaustive knowledge in this area, but I'm looking for clear
evidence of such a mechanism--in the form of advice from a vendor or a clear
report about a particular virus, and I haven't seen it.
 