Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

System Restore and malware removal – what is best practice?

September 17th 2005 in Uncategorized

Back in March of this year I wrote a column entitled “Bug Busting: Getting Rid of Spyware”.  In it I advise:


“Some people recommend that System Restore be turned off and all Restore Points deleted before attempting spyware removal. DO NOT DO THIS. If something goes wrong (anything is possible) you will have no way to reverse your actions. You’ll want to delete your old Restore Points, but the time to do that is later, not now.”
http://www.microsoft.com/windows/IE/community/columns/bugbusting.mspx


Other MVPs are of a like mind.  For example, Jim Eshelman, MVP of aumha.net, in his article at http://aumha.net/viewtopic.php?t=15265&sid=f99fc4aceedff192a5242516fe78cd83 says:


“..it is also true that, in cleaning highly infected systems, sometimes you make mistakes that cripple Windows and it is better to be able to take a step back to a working version of Windows – even an infected one! – rather than have Windows trashed completely. To quote Mow Green, “a leaky lifeboat is better than no lifeboat in a storm.”


What we recommend is: (1) Understand that using System Restore on an infected system MIGHT [my emphasis] bring back virus-infected files you don’t want. (2) Leave System Restore in place until your computer is clean and stable. (3) Then get rid of the old infected restore points.”


Donna Buenaventura, MVP of dozleng.com and a member of the Alliance of Security Analysis Professionals says:


“Deleting your restore point prior cleaning the system is not the first thing to do.”
http://dozleng.com/internetsecurity/?p=72


Unfortunately, some companies and advisors advocate disabling system restore *before* attempting a cleanup.  This is dangerous advice.  First, things can and do go wrong when attempting to remove malware.  Second, the Restore Points may not be infected anyway.  Third, any malware that may be in a Restore Point is harmless unless and until System Restore is used to restore a system to an earlier state, and that won’t happen without direct user intervention.


You say things can and do go wrong when attempting to remove malware.. what could go wrong?
The most common problem caused by the removal of malware is an inability to access the internet. One of the first widespread, and consequently high profile, examples of this problem was the removal of the now infamous new.net back in 2002. 


After new.net was removed using what was, at the time, the most popular antispyware product around (AdAware), victims were left unable to access the Internet:
http://inetexplorer.mvps.org/data/newnet.htm


An inability to access the internet is not the only thing that can go wrong.  A system may be left unstable after malware removal – Internet Explorer may crash or no longer run – worst case scenario is a system that is unable to load Windows at all. 


If System Restore is disabled there is no easy way to recover when things go wrong.  We should never leave ourselves, or those we advise, in the position of having no easy way back, but that is what happens when people are told to disable System Restore before attempting a cleanup.  For a person who owns more than one computer, or has access to somebody else’s machine in an emergency, or who has the support of a friendly IT Department or Helpdesk or resident geek with sufficient knowledge to undo the damage, losing internet access or being left with a damaged machine does not leave them isolated from help. But for the normal home user with only one machine, it can be disastrous.


You say the Restore Points may not be infected.. how is this possible?
System Restore does not monitor all files and folders.  The default file and folder inclusions and exclusions in effect on a particular machine are listed in a file called filelist.xml, saved to the directory C:\WINDOWS\system32\Restore\


Microsoft lists the default file type inclusions at this URL:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sr/sr/monitored_file_extensions.asp


Of particular interest to us when discussing Web based malware are the Internet Explorer related directories that are *not* monitored by default which include:


..\cookies
..\favorites
..\History
..\internetcache
..\Downloaded Program Files
..\Offline Web Pages
..\temp
..\TMP
..\Documents And Settings\All Users\Favorites
..\Documents And Settings\All Users\Documents
..\Documents And Settings\Default User\My Documents
..\Documents And Settings\Default User\Favorites
..\Documents And Settings\Default User\Cookies
..\Documents And Settings\Default User\Cache
..\Documents And Settings\Default User\Local Settings\History
..\Documents And Settings\Default User\Local Settings\Temp
..\Documents And Settings\Default User\Local Settings\Temporary Internet Files


If malware has dumped its wares into the commonly used folders listed above, deleting Restore Points is a waste of time. 


It is especially important to note that ..\Downloaded Program Files is excluded from System Restore.  This is the folder to which add-ins, BHOs, chat plugins, Java and ActiveX files etc. are saved when downloaded via Internet Explorer.


The inclusion of *:\Documents And Settings\*\Application Data\Microsoft\Internet Explorer\Quick Launch is of no danger.  This is simply the shortcuts that appear on the Quick Launch taskbar.
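As an added illustration of why the exclusion list matters (example code written for this post, not from the column or from Microsoft), the Python below decides whether a given file path would be captured in a Restore Point. The filelist.xml layout, the matching rules and the monitored extensions are assumptions; the directory entries are the ones listed above, including the harmless Quick Launch inclusion.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed fragment in the spirit of filelist.xml: the element layout and the
# matching rules below are assumptions for this demo, not Microsoft's schema.
# The directory entries are ones quoted in the post; the extensions are assumed.
FILELIST_XML = r"""<FileList>
  <Directories>
    <Exclude>
      <Rec>..\Downloaded Program Files</Rec>
      <Rec>..\temp</Rec>
      <Rec>..\Documents And Settings\Default User\Local Settings\Temporary Internet Files</Rec>
    </Exclude>
    <Include>
      <Rec>*:\Documents And Settings\*\Application Data\Microsoft\Internet Explorer\Quick Launch</Rec>
    </Include>
  </Directories>
  <Extensions><Include><Rec>EXE</Rec><Rec>DLL</Rec><Rec>OCX</Rec></Include></Extensions>
</FileList>"""

def _split(path):
    # lower-cased components so matching is case-insensitive, as on NTFS
    return [c.lower() for c in path.strip("\\").split("\\") if c]

def _dir_matches(entry, dir_parts):
    """'..\\x\\y' matches components x,y at any depth; '*:\\a\\*\\b' must match from the root."""
    pat = _split(entry)
    floating = pat[0] == ".."
    pat = pat[1:] if floating else pat
    starts = range(len(dir_parts) - len(pat) + 1) if floating else [0]
    return any(len(dir_parts) - i >= len(pat) and
               all(fnmatch.fnmatchcase(d, p) for d, p in zip(dir_parts[i:], pat)) for i in starts)

def _entries(root, section, kind):
    return [r.text for r in root.findall(f"./{section}/{kind}/Rec")]

def restore_status(path, xml=FILELIST_XML):
    """Return (status, reason): 'excluded', 'monitored' or 'untracked' for a file path."""
    root = ET.fromstring(xml)
    *dir_parts, name = _split(path)
    for e in _entries(root, "Directories", "Exclude"):
        if _dir_matches(e, dir_parts):      # anything under an excluded dir is never snapshotted
            return "excluded", e
    for e in _entries(root, "Directories", "Include"):
        if _dir_matches(e, dir_parts):      # included dirs are tracked regardless of extension
            return "monitored", e
    ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
    if ext in _entries(root, "Extensions", "Include"):
        return "monitored", "." + ext.lower()
    return "untracked", "extension not monitored"
```

A dropper saved under Downloaded Program Files or a user's Temp folder comes back as "excluded", which is exactly why wiping Restore Points does nothing about it.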


You say any malware that may be in a Restore Point is harmless unless and until System Restore is used .. how is this possible?
It is important to understand that files in the _Restore folder are inactive – think of it as a type of suspended animation.  Only the System Restore process itself is able to access files in that folder.  Hostile programs and processes cannot, of themselves, use a Restore Point to reinstall or repair themselves. 


To be clear, an application can *create* a Restore Point, and it can *remove* a Restore Point, but it cannot *use* a Restore Point.  (Under debate)


Is there any benefit to disabling System Restore before attempting malware removal?
No. There is no harm in leaving a Restore Point in place as an emergency backup in case things go wrong. Do not leave yourself with no easy way out if malware removal causes problems.


Ok, so what is the right thing to do?
Follow the instructions at the URL below to try to clean your system:
http://www.microsoft.com/windows/IE/community/columns/bugbusting.mspx


You will see that my article:



  1. advises you to create a backup of essential data and a Restore Point before doing anything else (because we don’t know if/when the last point was created, and we want to be able to undo immediate damage);
  2. recommends several cleaners and, just as importantly, two programs that should fix LSP problems;
  3. shows you how to use the helper programs to greatest effect;
  4. shows you how to create a ‘known good’ Restore Point after your system has been cleaned;
  5. shows you how to avoid infection in the future.

A last word
There are articles on the Microsoft site and elsewhere that advise you to disable System Restore before attempting a cleanup – please, do not follow that advice.  I and other MVPs who have been dealing with malware for a long time, and have seen what can go wrong even for the experienced, are trying to convince the authors of such articles to see the error of their ways, but it’s an uphill battle.


3 comments to...
“System Restore and malware removal – what is best practice?”

Colin

I deleted my system restore memory, stupidly, and am now looking to see if this is reversible in any way – if I had just restored to an earlier date my PC would be fine – instead PestTrap is making my life hell! Anyone help?

Sandi says: I'm so sorry but deleting system restore points is not reversible.  I'd recommend you post to the aumha.net forums for help with your infection – we'll see what we can do for you.



jeremy

hi.. your suggestions are very informative and it cleared a lot of things in my head. thank you guys for generously sharing your knowledge to people like me. you are like heroes of the cyberworld…

GOD BLESS !!! AND MORE POWER!!!



Brenda

I tried downloading a few so-called FREE malware programs which some sites recommended ONLY to find out all their program did was scan my system and report the spyware THEN the scare screen came up that said they detected 450-600 spyware programs BUT you are required to BUY their program to rid your system of these problems. THIS IS BAIT & SWITCH and even if I wanted to purchase their program, I would not do so because of their “trap.”

I HATE reading recommendations of free programs only to find they removed ZERO viruses and spyware.

WORSE, I sent to my system to find a few of their reported spyware only to learn the search only came up on their BAIT & SWITCH report. hmmm How is this possible… that the files wouldn’t show up on my file/system search but these files are indicated on their report?

This again gave me cause for concern.

Also, after investing 3 hours trying a myriad of programs that all failed to remove the IE browser hijacking program, something said “do a system restore” from a few days prior. Sure enough, this resolved my problem and I regained control over my IE browser.

Wish I had remembered to try this BEFORE I invested hours trying worthless programs.

My business teaches employees ID theft awareness and prevention so I’m careful NEVER to click on pop-ups but the attackers are getting more clever as they embed malicious code in seemingly safe websites without doing more than accessing the website. I’ll have to remember to pass along the suggestion to do a “system restore” prior to buying bogus software.

