Should I disable system restore b4 removing spyware/malware/virus?

Shenan
Sun Jun 06 01:05:07 CDT 2004

NeedAspirin wrote:
>

It's not necessary and likely a bad idea to do it before making major
changes like that. Leave it on and if your restore you already had reports
back with something you cannot get rid of, then turn it off and back on.

Turn off System Restore.
http://support.microsoft.com/?kbid=310405
Reboot.
Turn on System Restore.
http://support.microsoft.com/?kbid=310405
Make a Manual Restoration Point.
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpsysrst.mspx

--
<- Shenan ->
--
The information is provided "as is", with no guarantees of completeness,
accuracy or timeliness, and without warranties of any kind, express or
implied. In other words, read up before you take any advice - you are the
one ultimately responsible for your actions.

anonymous
Sun Jun 06 01:26:03 CDT 2004

I'm a bit confused. I thought that if I DON'T disable it, than garbage found by AdAware/SpybotS&D & antivirus may still be lurking on the disk in the "System Restore" area, & may reappear if a restore is actually done. (I've had trouble with reappearing junk from purityscan/clickspring & thought not diasabling the restore before running Spybot & AdAware was causing it. Have just learned of uninstall program that will hopefully do the job.)

Shenan
Sun Jun 06 01:37:36 CDT 2004

"NeedAspirin wrote:
> I'm a bit confused. I thought that if I DON'T disable it,
> than garbage found by AdAware/SpybotS&D & antivirus
> may still be lurking on the disk in the "System Restore" area,
> & may reappear if a restore is actually done. (I've had trouble
> with reappearing junk from purityscan/clickspring & thought
> not diasabling the restore before running Spybot & AdAware
> was causing it. Have just learned of uninstall program that will
> hopefully do the job.)

If you have spyware in the system restore (or viruses, trojans, whatever) it
is just sitting there and unless you use the system restore and restore to a
previous point, it cannot do much. It's like a backup of your registry
entries and system files. Unless you restore that backup, it's safe.

So if it finds something in the system restore area, I would suggest THEN
tunring off, rebooting, turning back on and making the manual point of the
now completely cleaned system.

--
<- Shenan ->
--
The information is provided "as is", with no guarantees of completeness,
accuracy or timeliness, and without warranties of any kind, express or
implied. In other words, read up before you take any advice - you are the
one ultimately responsible for your actions.

PA
Sun Jun 06 21:03:41 CDT 2004

A lot depends on what spyware/malware/virus is present.

Generally one only needs to address System Restore when dealing with a
virus/Trojan. One would first make sure the Trojan has been dispatched
(other than in SysRestore files), create a new restore point, and then use
Disk Cleanup>More Options to delete all but the last restore point.

Also empty Recycle Bin, delete TIF and contents of TEMP.

Check your system for "hijackware":

Dealing with Hijackware
http://mvps.org/winhelp2002/unwanted.htm
http://www.mvps.org/inetexplorer/Darnit.htm#tshoot
http://aumha.org/a/parasite.htm

CoolWebSearch Chronicles & CWShredder
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run in this order:

1. CWShredder (fix all)

2. Ad-Aware (fix all)

3. Spybot (generally, fix all in red)

Important: You *must* seek updates for Ad-Aware, Spybot, etc., before each
and every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://www.merijn.org/files/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

Also update your virus definitions and then run a full system scan. From
now on, do both daily.

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

Protect Your PC
http://www.microsoft.com/security/protect

anonymous
Mon Jun 07 01:46:03 CDT 2004

Thnx PA Bear. OK. The machine in question wasn't mine & was never updated or protected. A few days ago I updated windows, installed & ran an av (etrust), adaware, spybot S&D, spywareblaster, & CWshredder. If memory serves, the av showed (and cleaned) over 300 files infected with virus, worm, &/or trojan, including files in system restore (not certain about this). Adaware, spybot, & cwshredder all turned up stuff---especially the first two--- and my concern was whether what they cleaned up is still sitting in files in system restore. Since the only time a restore is likely to be run is if there are problems with the machine, it would be insane to leave infected files around that could be restored. Am familiar w/Hijackthis but didn't get a chance to install/run it; was preoccupied with figuring out what some of the processes running were (eg.: winttr.exe, which turned out to be purityscan). Wasn't aware of DiskCleanup>more options, so I just turned off restore, rebooted, & turned it on again. Next time I have access to the machine, I'll run Hijackthis & take care of recycle, TIF, & Temp. (I assume it's safe to delete everything in Temp???) Thx again.

PA
Mon Jun 07 12:42:59 CDT 2004

Please, always include previous message in your replies here.

I've been assuming we're dealing with WinXP here. If the machine needed
WinXP-SP1 from Windows Update (WinUp), make certain you've returned to WinUp
for additional patches and criticals not included in the download of
WinXP-SP1. (New updates are scheduled for release tomorrow, 08 Jun-04.)

If a Trojan still resides in Restore Point data, AV apps will usually "see"
this. And it's best, in your situation, to enable Show Hidden Files and
then run the AV scan in Safe Mode.

Why take chances? If you're certain the machine is Trojan- and
malware-free, create a new Restore Point and delete the previous ones, per
my last post. You'll be freeing up quite a bit of memory in the process,
too.
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

What You Should Know About Spyware
http://www.microsoft.com/mscorp/twc/privacy/spyware.mspx

NeedAspirin wrote:
> Thnx PA Bear. OK. The machine in question wasn't mine & was never updated
> or protected. A few days ago I updated windows, installed & ran an av
> (etrust), adaware, spybot S&D, spywareblaster, & CWshredder. If memory
> serves, the av showed (and cleaned) over 300 files infected with virus,
> worm, &/or trojan, including files in system restore (not certain about
> this). Adaware, spybot, & cwshredder all turned up stuff---especially the
> first two--- and my concern was whether what they cleaned up is still
> sitting in files in system restore. Since the only time a restore is
> likely to be run is if there are problems with the machine, it would be
> insane to leave infected files around that could be restored. Am familiar
> w/Hijackthis but didn't get a chance to install/run it; was preoccupied
> with figuring out what some of the processes running were (eg.:
> winttr.exe, which turned out to be purityscan). Wasn't aware of
> DiskCleanup>more options, so I just turned off restore, rebooted, &
> turned it on again. Next time I have access to the machine, I'll run
> Hijackthis & take care of recycle, TIF, & Temp. (I assume it's safe to
> delete everything in Temp???) Thx again.