System Restore and malware removal - what is best practice?
Back in March of this year I wrote a column entitled "Bug Busting: Getting Rid of Spyware". In it I advise:
"Some people recommend that System Restore be turned off and all Restore Points deleted before attempting spyware removal. DO NOT DO THIS. If something goes wrong (anything is possible) you will have no way to reverse your actions. You'll want to delete your old Restore Points, but the time to do that is later, not now."
Other MVPs are of a like mind. For example, Jim Eshelman, MVP of aumha.net, in his article at http://aumha.net/viewtopic.php?t=15265&sid=f99fc4aceedff192a5242516fe78cd83 says:
"..it is also true that, in cleaning highly infected systems, sometimes you make mistakes that cripple Windows and it is better to be able to take a step back to a working version of Windows - even an infected one! - rather than have Windows trashed completely. To quote Mow Green, "a leaky lifeboat is better than no lifeboat in a storm."
What we recommend is: (1) Understand that using System Restore on an infected system MIGHT [my emphasis] bring back virus-infected files you don't want. (2) Leave System Restore in place until your computer is clean and stable. (3) Then get rid of the old infected restore points."
Donna Buenaventura, MVP of dozleng.com and a member of the Alliance of Security Analysis Professionals says:
"Deleting your restore point prior to cleaning the system is not the first thing to do."
Unfortunately, some companies and advisors advocate disabling system restore *before* attempting a cleanup. This is dangerous advice. First, things can and do go wrong when attempting to remove malware. Second, the Restore Points may not be infected anyway. Third, any malware that may be in a Restore Point is harmless unless and until System Restore is used to restore a system to an earlier state, and that won't happen without direct user intervention.
You say things can and do go wrong when attempting to remove malware.. what could go wrong?
The most common problem caused by the removal of malware is an inability to access the internet. One of the first widespread, and consequently high profile, examples of this problem was the removal of the now infamous new.net back in 2002.
After new.net was removed using what was, at the time, the most popular antispyware product around (AdAware), victims were left unable to access the Internet:
An inability to access the internet is not the only thing that can go wrong. A system may be left unstable after malware removal - Internet Explorer may crash or no longer run - worst case scenario is a system that is unable to load Windows at all.
If System Restore is disabled there is no easy way to recover when things go wrong. We should never leave ourselves, or those we advise, in the position of having no easy way back, but that is what happens when people are told to disable System Restore before attempting a cleanup. For a person who owns more than one computer, or has access to somebody else's machine in an emergency, or who has the support of a friendly IT Department, Helpdesk or resident geek with sufficient knowledge to undo the damage, losing internet access or being left with a damaged machine does not leave them isolated from help. But for the normal home user with only one machine, it can be disastrous.
You say the Restore Points may not be infected.. how is this possible?
System Restore does not monitor all files and folders. The default file and folder inclusions and exclusions in effect on a particular machine are listed in a file called filelist.xml, saved to the directory C:\WINDOWS\system32\Restore\
Microsoft lists the default file type inclusions at this URL:
Of particular interest to us when discussing Web based malware are the Internet Explorer related directories that are *not* monitored by default which include:
..\Downloaded Program Files
..\Offline Web Pages
..\Documents And Settings\All Users\Favorites
..\Documents And Settings\All Users\Documents
..\Documents And Settings\Default User\My Documents
..\Documents And Settings\Default User\Favorites
..\Documents And Settings\Default User\Cookies
..\Documents And Settings\Default User\Cache
..\Documents And Settings\Default User\Local Settings\History
..\Documents And Settings\Default User\Local Settings\Temp
..\Documents And Settings\Default User\Local Settings\Temporary Internet Files
If malware has dumped its wares into the commonly used folders listed above, deleting Restore Points is a waste of time.
It is especially important to note that ..\Downloaded Program Files is excluded from System Restore. This is the folder to which add-ins, BHOs, chat plugins, Java and ActiveX files etc. are saved when downloaded via Internet Explorer.
The inclusion of *:\Documents And Settings\*\Application Data\Microsoft\Internet Explorer\Quick Launch is of no danger. This is simply the shortcuts that appear on the Quick Launch taskbar.
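To make the point above concrete, here is an added example (not part of the original article) that triages a list of file paths against exclusion patterns modelled on the folder list above, telling you which dropped files a Restore Point could even contain. The patterns, the profile-name wildcard, the sample file-type list and the sample paths are all constructed assumptions; the element names of the real filelist.xml are not reproduced.

```python
import fnmatch
import ntpath

# Constructed samples modelled on the page's list of unmonitored IE folders
# and on the idea of a file-type inclusion list (assumption: '*' matches one
# path component such as a drive letter or a profile name).
EXCLUDED_DIRS = [
    r"*:\Downloaded Program Files",
    r"*:\Offline Web Pages",
    r"*:\Documents And Settings\*\Cookies",
    r"*:\Documents And Settings\*\Local Settings\Temp",
    r"*:\Documents And Settings\*\Local Settings\Temporary Internet Files",
]
MONITORED_EXTS = {".exe", ".dll", ".ocx", ".sys", ".scr", ".inf"}  # sample subset

def _parts(path):
    # Normalise separators, drop empty components, compare case-insensitively
    return [p for p in ntpath.normpath(path).lower().split("\\") if p]

def under_excluded_dir(path, pattern):
    """True if path is, or lies inside, the directory that pattern describes."""
    pp, pa = _parts(path), _parts(pattern)
    return len(pp) >= len(pa) and all(
        fnmatch.fnmatchcase(x, y) for x, y in zip(pp, pa))

def classify(path, excluded=EXCLUDED_DIRS, exts=MONITORED_EXTS):
    """Would a System Restore snapshot include this file?
    Returns 'monitored', 'excluded directory' or 'unmonitored file type'."""
    if any(under_excluded_dir(path, pat) for pat in excluded):
        return "excluded directory"
    if ntpath.splitext(path)[1].lower() not in exts:
        return "unmonitored file type"
    return "monitored"

def triage(paths):
    """Map each dropped-file path to its verdict, to decide whether old
    Restore Points could carry the infection at all."""
    return {p: classify(p) for p in paths}

if __name__ == "__main__":
    SAMPLE = [  # constructed paths, not real indicators
        r"C:\WINDOWS\system32\badhook.dll",
        r"C:\Downloaded Program Files\toolbar.ocx",
        r"C:\Documents And Settings\Bob\Local Settings\Temp\setup.exe",
        r"C:\Documents And Settings\Bob\My Documents\notes.txt",
    ]
    for p, verdict in triage(SAMPLE).items():
        print(f"{verdict:22} {p}")
```

Only files that come back as "monitored" could be carried by a Restore Point; everything else lives in places System Restore never captured, so purging old points would not touch it.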
You say any malware that may be in a Restore Point is harmless unless and until System Restore is used .. how is this possible?
It is important to understand that files in the _Restore folder are inactive - think of it as a type of suspended animation. Only the System Restore process itself is able to access files in that folder. Hostile programs and processes cannot, of themselves, use a Restore Point to reinstall or repair themselves.
To be clear, an application can *create* a Restore Point, it can *remove* a Restore Point, but it cannot *use* a Restore Point. (Under debate)
Is there any benefit to disabling System Restore before attempting malware removal?
No. There is no harm in leaving a Restore Point in place as an emergency backup in case things go wrong. Do not leave yourself with no easy way out if malware removal causes problems.
Ok, so what is the right thing to do?
Follow the instructions at the URL below to try to clean your system:
You will see that my article:
- advises you to create a backup of essential data and a Restore Point before doing anything else (because we don't know if/when the last point was created, and we want to be able to undo immediate damage);
- recommends several cleaners and, just as importantly, two programs that should fix LSP problems;
- shows you how to use the helper programs to greatest effect;
- shows you how to create a 'known good' Restore Point after your system has been cleaned;
- shows you how to avoid infection in the future.
A last word
There are articles on the Microsoft site and elsewhere that advise you to disable System Restore before attempting a cleanup - please, do not follow that advice. I and other MVPs who have been dealing with malware for a long time, and have seen what can go wrong even for the experienced, are trying to convince the authors of such articles to correct the error of their ways, but it's an uphill battle.