Why isn't system restore recommended as a first step in the malware removal guide?

Discussion in 'Malware Help (A Specialist Will Reply)' started by lordmaynoth, Feb 19, 2010.

  1. lordmaynoth

    lordmaynoth Private First Class

    Dear MG,

    I do lots of virus/spyware removal, at least 2-3 removal jobs per day. I am really surprised that system restore isn't discussed more as a first step towards malware removal, as usually it will restore the system to a clean or semi-clean state.

    The first thing I do in all virus/spyware cases is boot into safe mode, do a system restore to the earliest system restore point, download the latest Avira and set all options to max, then update and scan with it, then Malwarebytes and SUPERAntiSpyware. If they all come back clean then I do a full Windows update, and install Firefox, Adblock, Java, Flash, Foxit Reader, CCleaner and SmartDefrag and reboot, check for Windows updates again, reboot etc. Then run a full CCleaner and defrag, and remove all system restore points and create a new one.

    Are there any legitimate reasons why a system restore isn't listed as a first step towards malware removal?
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Why isn't system restore recommended as a first step in the malware removal guide

    We actually say not to toggle system restore until after we are sure the user is clean, not before, as it may be an only hope of survival if something happens during the removal procedures! :major

    If you read many of the threads here, you will find that it is quite common for a user to not be able to get into system restore! Some are, and we then must still have scans run to make sure there was no malware in that restore point.
     
  3. lordmaynoth

    lordmaynoth Private First Class

    Re: Why isn't system restore recommended as a first step in the malware removal guide

    So if an infected user boots to safe mode, uses system restore, then scans using Avira, Malwarebytes and SUPERAntiSpyware, what additional risk does this pose?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Why isn't system restore recommended as a first step in the malware removal guide

    It doesn't pose any risk. What I was indicating is that very many viruses will stop the use of system restore.

    So, if one can do that, and then run scans to make sure no malware is in that restore point, they should be in good shape. Read some of our logs and you will see that quite often, the scans find malware in system restore folders. That is why we still need to check logs even when a restore has been done. :major
     
  5. lordmaynoth

    lordmaynoth Private First Class

    Re: Why isn't system restore recommended as a first step in the malware removal guide

    Awesome, thank you.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Why isn't system restore recommended as a first step in the malware removal guide

    You are most welcome. Safe surfing. :)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Why isn't system restore recommended as a first step in the malware removal guide

    As TimW stated, in many modern-day malware infections, System Restore has been disabled and so has safe boot mode; however, your below comment is not a good thing to do.
    The danger in this can be twofold.
    1. You are basically uninstalling every single program, update, and setting that the user has made after the date of this restore point. If you did this on any of my systems, I would not be very happy with you, since so much would be lost and would require reinstallation, updating and retweaking. The oldest system restore point could be bare-bones Win XP and the user could already have XP SP3.
    2. You could be restoring a Restore Point with even more problems than you currently have, and it could potentially even render the PC unbootable.
    Most security companies foolishly want you to actually disable System Restore immediately when there is an infection. We take a different and much better/more secure approach, to keeping restore points until active malware is around. See step 4 of Windows XP Cleaning Procedure for our comments.
     
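    The two concerns raised in the posts above (malware switching System Restore off, and a rollback to the oldest point wiping out everything the user has installed since) are both things a technician can check before touching anything. The following PowerShell script is an added example written for this page; it is not from the thread, the MajorGeeks cleaning procedure, or any of the tools named here. It assumes Windows PowerShell 2.0 or later on a Windows client edition, run as an administrator, and the $SymptomDate parameter (the date the customer first noticed trouble) is an assumed input the technician supplies. It reads the documented DisableSR / DisableConfig registry values and lists restore points so that the newest point before the symptoms can be chosen instead of the oldest one on disk.

    ```powershell
    # Added example (not from the thread): inventory System Restore state before
    # deciding whether a rollback is even possible, and which point is the least
    # destructive candidate. Assumes an elevated PowerShell 2.0+ session on a
    # Windows client edition.
    param(
        # Assumption: the date the customer says the problems started.
        [datetime]$SymptomDate = (Get-Date).AddDays(-7)
    )

    # 1. Has System Restore been switched off? DisableSR=1 turns the feature off,
    #    DisableConfig=1 locks its configuration page. Either value, in the policy
    #    key or the live key, explains a user who "can't get into System Restore".
    $srKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    )
    $disabled = $false
    foreach ($key in $srKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props.DisableSR -eq 1) {
            Write-Warning "DisableSR=1 under $key : System Restore is disabled"
            $disabled = $true
        }
        if ($props.DisableConfig -eq 1) {
            Write-Warning "DisableConfig=1 under $key : System Restore configuration is locked"
        }
    }
    if (-not $disabled) { Write-Output 'System Restore is not disabled by registry setting.' }

    # 2. List restore points, newest first. CreationTime comes back in WMI/DMTF
    #    format (yyyyMMddHHmmss.ffffff+UTC), so convert it to a DateTime.
    $points = Get-ComputerRestorePoint | ForEach-Object {
        New-Object PSObject -Property @{
            Sequence    = $_.SequenceNumber
            Created     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Type        = $_.RestorePointType
            Description = $_.Description
        }
    } | Sort-Object Created -Descending

    if (-not $points) {
        Write-Warning 'No restore points exist; a rollback is not an option on this machine.'
        return
    }
    $points | Format-Table Sequence, Created, Type, Description -AutoSize

    # 3. Pick the NEWEST point that predates the symptoms, not the oldest point.
    #    Every point further back discards more of the user's programs, updates
    #    and settings for no additional benefit.
    $candidate = $points | Where-Object { $_.Created -lt $SymptomDate } | Select-Object -First 1
    if ($candidate) {
        Write-Output ('Newest restore point before {0:yyyy-MM-dd}: #{1} created {2} ({3})' -f `
            $SymptomDate, $candidate.Sequence, $candidate.Created, $candidate.Description)
        Write-Output 'Scan the machine (including the restore point folders) after any rollback; restoring does not clean them.'
    } else {
        Write-Warning 'No restore point predates the symptom date; a rollback would not roll past the infection.'
    }
    ```

    Run it as `.\Check-RestorePoints.ps1 -SymptomDate 2010-01-15` (file name assumed). If the first block reports DisableSR=1, the technician knows in advance that the safe-mode-plus-restore routine is not going to work and can go straight to scanning; if it reports a candidate point, that point is the one to evaluate rather than the earliest on the list.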
  8. lordmaynoth

    lordmaynoth Private First Class

    Re: Why isn't system restore recommended as a first step in the malware removal guide

    Well, usually I ask the customer when they noticed issues with the computer, boot to safe mode and roll back a month+ prior to that if possible. I scan after the system restore using Avira + Malwarebytes + SUPERAntiSpyware, then update Windows and install all the good free software I can think of, run a crap cleaner and a defrag, and remove all other system restore points and create a new one. This process seems to work really well for me in general; I can't see any reason why it isn't recommended, honestly. Just my $0.02.
     
    Last edited: Feb 20, 2010
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Why isn't system restore recommended as a first step in the malware removal guide

    In some ways, what you are doing is only a few steps away from just doing a complete reformat and reinstallation, in that (depending upon how far you roll it back) they are losing possibly irretrievable data and/or files. So unless doing a restore is the absolute only thing you can do (which 99% of the time it isn't), you are better off removing the malware first, doing your program updates and then removing all restore points once you are sure the system is clean. That way, your customer is not risking losing any personal data or files from an old restore point. Just my 2 cents worth. :major


    (Which is just rewording what chaslang already stated.)
     
  10. lordmaynoth

    lordmaynoth Private First Class

    Re: Why isn't system restore recommended as a first step in the malware removal guide

    Well, you guys are the experts in this area, so I guess you have a point, but I've never had an issue yet with losing personal data etc.

    I started using system restore for malware removal when I started seeing infections that blocked downloads of MB/SAP and Avira and blocked them from installing etc. I haven't come across any that have blocked safe mode and system restore yet.

    I guess I am just lazy; it seems an easier battle for me to do it this way and not fight with malware for control of the system.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Why isn't system restore recommended as a first step in the malware removal guide

    Stay at it long enough and you will. :)
     
  12. lordmaynoth

    lordmaynoth Private First Class

    Re: Why isn't system restore recommended as a first step in the malware removal guide

    Well, I saw my first rootkit, so it's interesting seeing new things in the wild.
    I guess if I saw something that blocked system restore I would use my Linux USB drive with Avira and SUPERAntiSpyware to remove it.
     
