System Restore and Viruses - Spyware

[Mayet]

One of the most important things when using a program like ms anti spy or adaware to clean a system of spyware with WinMe or XP is to turn off the system restore. Otherwise when rebooting the system the malaware will return.

The system restore function is also useful when cleaning off systems that have been completely trashed by spyware by returning the system to a pre infected date. After this is complete use a good program to then completely clean the system, having the system restore function turned off at this point. Then when system is completely clean and purring set a new restore point.

After all spyware is cleaned do an sfc system file checker by going to start - run and typing sfc /scannow

this will replace windows files back to their original form.

Oh and a last minute msconfig doesn't go astray to get tuned performance of startup and memory resources.

[emr]

One of the most important things when using a program like ms anti spy or adaware to clean a system of spyware with win2k or XP is to turn off the system restore. Otherwise when rebooting the system the malaware will return.

The system restore function is also useful when cleaning off systems that have been completely trashed by spyware by returning the system to a pre infected date. After this is complete use a good program to then completely clean the system, having the system restore function turned off at this point. Then when system is completely clean and purring set a new restore point.

After all spyware is cleaned do an sfc system file checker by going to start - run and typing sfc /scannow

this will replace windows files back to their original form.

Oh and a last minute msconfig doesn't go astray to get tuned performance of startup and memory resources.

Not sure I get you on this one Mayet.

If you clean a system using spyware apps then (theoretically) the spyware should be removed. Are you saying on reboot system restore will restore the spyware automatically? That's not the way it works as far as I know; you have to run system restore manually and select a restore point. Agreed you should remove restore points prior to the cleaning of the system to avoid it being restored to an infected state.

Otherwise I don't see how it can reinfect through sytem restore.

Am I being dumb?

2k doesn't have system restore by the way.

emr

[Platypus]

I suspect Mayet meant to say WinME where she typed Win2k.

The recommendation to turn System Restore off is pretty universal, for example here:

http://forums.majorgeeks.com/showthread.php?t=35407

Restore data can't be cleaned by AV/AS software, so if an infected state has been saved, it can be restored. I gather the problem can be that an AV or Anti-spy scan is an activity that triggers an automatic restore point, and upon re-boot, the effect the scan has had on "watched" files will appear to be undesirable (they've been removed or altered) so they will be restored. Remember this is a normal process for System Restore when new software is installed for example, and if "watched" files have been changed by the installation in a way that could affect Windows adversely, the originals will be re-instated. Whether this will successfully re-instate working Spyware is unclear to me, but it could still be detected on a scan, and could certainly re-instate a virus, and unremovable infections have been attributed to this cause.

Microsoft are very conservative about this, and suggest not to turn System Restore off, as if something does really go wrong with the disinfection process, there is no restore point (even an infected one) to go back to and try again. They suggest if the malware returns, go to Safe Mode and repeat the removal process, and when scans show all clear, then delete the potentially infected restore points.

[TechZ]

The problem with System Restore files as I understand it, is that they are locked and cannot be cleaned, unless you turn off System Restore and clean in Safe Mode.

[Ferrit]

Mayet is correct


Thats a fact. Antivirus/spyware programs cannot touch stuff inside the system restore file so
1: It cant be cleaned correctly
2: Using a infected restore point is pretty much useless
Shut off system restore reboot clean the system regular and safemode then reboot then if you must turn it back on

[confus-ed]

Mayet is correct


Thats a fact. Antivirus/spyware programs cannot touch stuff inside the system restore file ..

You think ? .. for sure ? I think they can & do, but aren't always sucessful because it depends on ' however whatever' is putting itself back in (see Platypus's explanation in which he did better than I well might ! ) .. your chances are definately improved if you turn off system restore, but I'd say the most important thing is being in safe mode as even with system restore still on, if your app cleans system restore points (which most do) then without the right services present it can't get 'put back in anyway' which is the problem with using these apps in 'normal mode' ..

.. good gravy !!.. that means I agree with M$ !

[Platypus]

Microsoft's answer (from the System Restore FAQ):

Q. What should I do if my anti-virus scanner cannot access the System Volume Information folder to remove a virus?

A. If the System Volume Information (SVI) folder is on a FAT partition and a virus infected file has been detected or copied to the data store before it was cleaned, the data store needs to be purged to remove the Restore Point with the infected file. To do this, the user should disable and then re-enable System Restore monitoring on that particular drive.

If the System Volume Information Folder is on an NTFS partition, the SVI directory can be accessed by a virus utility to clean an infected file as any other part of the file system.

http://www.microsoft.com/technet/pro.../faqsrwxp.mspx