Author Topic: Why disable System Restore if virus found in Restore area?  (Read 2854 times)


Offline larrymcg

  • Full Member
  • ***
  • Posts: 100
Why disable System Restore if virus found in Restore area?
« on: September 28, 2008, 05:32:27 AM »
Advice on this forum says that if something is found in the system restore area, you should (temporarily) disable System Restore (which will delete all the checkpoints).

Why is that advice given? 
Is it just to keep you from doing a system restore and reinstate the virus?
Can the virus cause a problem while in the system restore area?

I had an issue with a virus that was in the system restore area but I knew when it entered the system.  So I was able to use system restore to go back before the virus appeared and get rid of it.  Isn't that an OK thing to do?

--Larry

Offline wyrmrider

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1298
Re: Why disable System Restore if virus found in Restore area?
« Reply #1 on: September 28, 2008, 05:46:00 AM »
This is a volunteer forum so there is a wide range of opinions
the only advantage to deleting the restore information is that there are then no hits in system restore which cause panic

I prefer to leave system restore alone till clean up is done and put out the fires as they happen
IF the fix goes wrong the ability to roll back even with some bad stuff is preferable to a total reinstall, at least you get a second chance at a fix

after cleanup clean the system, set new restore point, defrag, update software, get safe with some preventive programs and practices

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: Why disable System Restore if virus found in Restore area?
« Reply #2 on: September 29, 2008, 01:32:17 AM »
Why indeed.

I think this stems from a misunderstanding on how system restore works. Some, mistakenly, believe SR is automatic. That is, it will replace files it "sees" are missing without user intervention. Not true. The only automatic thing about SR is it will create new restore points automatically.

To continue along the misconception. When cleaning a computer, sometimes the malware returns. Again the belief is that it is coming from the SR. Again not true, it's most likely a malware process replacing/creating the bad files. So SR gets turned off, all malware finally is removed and everyone gets a pat on the back, not realizing how close to total disaster they were.

With SR turned off and the wrong file is removed, computer doesn't boot. Now what?

At least an infected restore point is better than nothing. The key thing to remember is, the SR points will do nothing until you use them.

Cleaning the SR is a simple task. Once the computer is deemed clean, then turn off SR and turn it on. No need to reboot with XP (Vista too, I think).

Offline Rick F

  • Poster
  • *
  • Posts: 419
Re: Why disable System Restore if virus found in Restore area?
« Reply #3 on: September 29, 2008, 04:26:09 AM »
If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one.  THEN you can delete the older ones.  Here's how, from BleepingComputer:

Quote
Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


This is the safest way because you always have at least one restore point.



Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,
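The quoted BleepingComputer steps are for XP's Cleanmgr. As an added example that is not part of the thread, here is the same "create a known-clean point, verify it exists, only then drop the older ones" procedure scripted for Windows 7 and later in Windows PowerShell 5.1 (Checkpoint-Computer and Get-ComputerRestorePoint are not available in PowerShell 7). It assumes the system drive is C: and that every shadow copy on C: is a restore point, which is the normal state on a client machine.

```powershell
# Added example, not code from the thread: scripted version of the quoted steps.
# Assumptions: Windows 7+ client, Windows PowerShell 5.1, elevated prompt, system drive C:.
#Requires -RunAsAdministrator

$description = "Clean after malware removal $(Get-Date -Format 'yyyy-MM-dd HH:mm')"

# Step 1: make sure System Protection is on for the system drive.
Enable-ComputerRestore -Drive "C:\"

# Step 2: create the new known-clean point. Windows 8 and later silently skip
# creation if a point was made in the last 24 hours, so zero that frequency first.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
Set-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord
Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS

# Step 3: verify the new point really exists before touching anything older.
# This is the thread's main point: never leave yourself with zero restore points.
$points = Get-ComputerRestorePoint | Sort-Object SequenceNumber
$newest = $points | Select-Object -Last 1
if (-not $newest -or $newest.Description -ne $description) {
    throw "New restore point was not created; leaving all older points in place."
}
Write-Host "Clean point #$($newest.SequenceNumber): $($newest.Description)"

# Step 4: log what is about to be removed, as the quote advises keeping a record.
$old = @($points | Where-Object SequenceNumber -lt $newest.SequenceNumber)
foreach ($p in $old) {
    $when = $p.ConvertToDateTime($p.CreationTime)
    Write-Host "Removing older point #$($p.SequenceNumber) from $when : $($p.Description)"
}

# Step 5: on Vista and later each restore point is a VSS shadow copy, so deleting
# the oldest shadow copy once per old point leaves only the newly created one.
foreach ($p in $old) {
    vssadmin delete shadows /for=C: /oldest /quiet | Out-Null
}

# Step 6: show what remains; expect exactly one entry, the clean point.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description -AutoSize
```

If the verification in step 3 throws, nothing is deleted, so the worst case is the same set of restore points you started with.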

Offline larrymcg

  • Full Member
  • ***
  • Posts: 100
Re: Why disable System Restore if virus found in Restore area?
« Reply #4 on: September 29, 2008, 04:46:16 AM »
Rick F quoted a source that said that since the system restore area is a protected directory, your tools cannot delete these files.  So, what does this message from avast mean?

C:\System Volume Information\_restore{83EDAE07-21AD-43D5-9DDB-76266B708F73}\RP803\A0051784.dll [L] Win32:Amitis-M [trj] (0)
File was successfully moved to chest...

Does it mean the file was moved to the virus chest but is still in the system restore area?  (I would call that a copy, not a move.)  Or is the offending file not in the system restore area and a subsequent system restore will be safe?

--Larry

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: Why disable System Restore if virus found in Restore area?
« Reply #5 on: September 29, 2008, 06:07:36 AM »
Rick F

The method you posted is the one I use. I just posted the 2nd best one just to emphasize not to reboot.

It would seem the tools are getting stronger. Check a MBAM or SAS log and you will see files being removed. I would say those files are being removed during bootup.

I wouldn't use a once infected point, who knows what else is in it. Besides, once the computer is clean, create a known clean one.
« Last Edit: September 29, 2008, 06:10:06 AM by oldman »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Why disable System Restore if virus found in Restore area?
« Reply #6 on: September 29, 2008, 07:48:31 AM »
Some anti-malware products will delete System Restore files, but deleting a file in a System Restore point breaks that restore point. With luck there will be a previous uninfected Restore Point. Not deleting infected System Restore files at least gives the option of restoring an infected system and trying again if everything goes pear-shaped.
Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: Why disable System Restore if virus found in Restore area?
« Reply #7 on: September 30, 2008, 12:20:38 AM »
Quote
Some anti-malware products will delete System Restore files, but deleting a file in a System Restore point breaks that restore point.
Good to learn... Will the other points remain?
The best things in life are free.