Getting Rid Of Spyware By System Restore?

4 replies to this topic

#1 brad white

brad white

  • Members
  • 1 posts
  • Local time:10:23 AM

Posted 27 July 2007 - 09:42 AM

Hi everyone! My first post here. I have a question. Will I be able to delete spyware and trojans by using System Restore to restore to a date before I picked it all up? Thanks



#2 jwinathome


  • Members
  • 1,360 posts
  • Gender:Male
  • Location:Atlanta, Georgia
  • Local time:11:23 AM

Posted 27 July 2007 - 10:10 AM

Welcome to Bleeping Computer brad white....

System Restore alone will not remove infections. Clearing system restore points is usually reserved for the end of the malware cleaning.

See here:
Items that System Restore does not store in a Restore Point include:

* Windows XP passwords and hints are not restored. This is done so that you do not by accident restore an old password and then lock yourself out of the computer.
* Microsoft Internet Explorer and Content Advisor passwords and hints are not restored.
* Any file types not monitored by System Restore like personal data files e.g. .doc, .jpg, .txt etc.
* Items listed in both Filesnottobackup and KeysnottoRestore (More on that later)
* User-created data stored in the user profile
* Contents of redirected folders

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

#3 Vino Rosso

Vino Rosso

  • Members
  • 88 posts
  • Local time:04:23 PM

Posted 27 July 2007 - 10:18 AM


The quick answer is 'no'. You would be better to download HijackThis, run a scan, and post the log with a description of your problems in the HijackThis forum. See section 9 of this guide.

The longer answer is that system restore monitors only a core set of specified system and application file types (e.g. .exe, .dll etc), archiving the states of these files before system changes are made. System Restore does not monitor any other files such as your documents or malware. Though using system restore *may* remove registry entries associated with the malware, it would not remove the files. In any case, troublesome malware would monitor the registry entries and replace them if removed.

Hope that helps

#4 pascor22234


  • Members
  • 403 posts
  • Local time:11:23 AM

Posted 27 July 2007 - 12:51 PM

The long answer is "Yes - maybe. It's worth a shot." System Restore monitors all the directories and files associated with the OS including installed applications and the Registry files. Most infections put their files somewhere in the OS folders and add Registry settings so that these malware files automatically run at startup.

If a Restore point was made before the infection existed then a successful Restore will eliminate both the malware files and its Registry settings. Keep in mind that many "smart" infections deliberately damage System Restore to prevent this disinfection method. That's why I said that maybe this will work.

Also keep in mind that nasty infections damage the Registry which cannot be repaired without a successful run of System Restore. If Restore can't be run then your only alternative is to reinstall the OS.

You have nothing to lose and a lot to gain in attempting to Restore to a point in time before the infection except, perhaps, applications that you have installed since that time.

#5 baker1


  • Members
  • 34 posts
  • Local time:11:23 AM

Posted 28 July 2007 - 08:20 PM

Using Backups and System Restore

When a virus attacks your computer, one of the first actions it typically takes is to infect other files. If the virus remains undetected for days or weeks, you could find that some of the infected files have been copied as part of your regular backups. The System Restore feature in Windows XP, which takes regular snapshots of system files, can also keep copies of infected files. The risk? After you successfully clean up the infection, you restore your backed-up data files, only to discover that doing so inadvertently reinfects your computer. To avoid this frustrating scenario, follow this advice:

* Always perform a complete virus scan before performing a full backup. If you schedule both tasks weekly, be sure to run the virus scan task before the backup task.
* After cleaning up a virus infection, install your anti-virus software and the latest virus definitions before restoring any backed files. This precaution ensures that the anti-virus program will detect any infected files in your back up set as they're restored.

Because of the design of Windows, it is not possible to repair or replace infected files saved in the System Volume Information folder during a System Restore operation. Anti-virus programs can detect the presence of a virus in this location, but they can't clean it up. The solution is to completely purge all System Restore checkpoints and their accompanying saved files. To do so, follow these steps:

1. Open Control Panel and double-click the System icon (in the Performance and Maintenance category).
2. Click the System Restore tab and select the Turn Off System Restore On All Drives check box. (If your computer has only a single volume, this text will read simply Turn Off System Restore.)
3. Click Apply, and then click OK to close the dialog box.
4. Restart your computer.
5. Update your anti-virus software (the System Restore procedure might have removed recent updates to the scanning engine). Run a complete scan for viruses, using the most current virus definitions.
6. After verifying that the system is free of any infections, repeat steps 1 thru 4, this time clearing the Turn Off System Restore check box.

Pages 488-489, under Protecting Your Personal Computer, Part 3, Microsoft Windows XP Networking And Security Inside/Out, by Ed Bott and Carl Siechert
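The inspect, purge and re-enable sequence from the steps quoted above, as an added PowerShell example that is not part of the original thread or the book. It assumes Windows PowerShell 5.1, run elevated, on a later client edition of Windows (on Windows XP the Control Panel steps apply); the `-Purge` and `-Reenable` switches, the function name and the sample infection date are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes Windows PowerShell 5.1 on a client edition of Windows.
# Phases mirror the quoted steps: inspect (default), purge (-Purge), re-enable (-Reenable).
param(
    [datetime]$InfectionDate = '2007-07-20',   # constructed sample date
    [string]$Drive = "$env:SystemDrive\",
    [switch]$Purge,
    [switch]$Reenable
)

function Get-RestorePointReport {
    param([datetime]$Since)
    # CreationTime is a WMI (DMTF) string; ConvertToDateTime turns it into a DateTime.
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
        $created = $_.ConvertToDateTime($_.CreationTime)
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = $created
            Description = $_.Description
            # Checkpoints taken on or after the infection date may hold infected files.
            Suspect     = $created -ge $Since
        }
    }
}

if ($Purge) {
    # Steps 1-4: per the quoted procedure, turning System Restore off
    # discards the saved checkpoints.
    Disable-ComputerRestore -Drive $Drive
    Write-Host "System Restore is off for $Drive. Restart, update anti-virus definitions,"
    Write-Host "run a full scan, then run this script again with -Reenable once it is clean."
}
elseif ($Reenable) {
    # Step 6, plus the fresh restore point recommended in reply #2.
    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description 'Clean baseline after malware removal' `
        -RestorePointType MODIFY_SETTINGS
    Get-RestorePointReport -Since $InfectionDate | Format-Table -AutoSize
}
else {
    # Inspect only: show which checkpoints fall inside the infection window.
    $report = @(Get-RestorePointReport -Since $InfectionDate)
    $report | Format-Table -AutoSize
    $suspect = @($report | Where-Object Suspect).Count
    Write-Host "$suspect of $($report.Count) restore point(s) date from on or after $($InfectionDate.ToShortDateString())."
}
```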
