Can I Remove a Virus Using System Restore

Written by:  • Edited by: Bill Bunter
Updated May 5, 2010

When System Restore first appeared on the market, computer manufacturers and other companies claimed that it gave users "Peace of Mind" and that it could remove viruses and fix other problems with the computer. In this article, I will explore this concept and shed some light on it.

Removing Viruses with System Restore?

This topic comes up once in a while, especially since a lot of computer manufacturers will try System Restore as part of their tech support for *any* problem that you may contact them with. In most cases, System Restore is one of the best options to use, if not the best. However, in the case of virus removal, System Restore is a false hope.

The Myth

The myth is that with System Restore “a rolling safety net is always kept under the user, enabling the user to recover from recent undesirable changes” (Microsoft, 2001). This was the basis that Microsoft and other companies used when the feature was first introduced. One change listed is the infection of the system by viruses or other malware.

The Reality

In reality, System Restore can create copies of the infected files, and some viruses may be capable of infecting the restore volume as well as the actual system files. When a person cleans their computer using an anti-virus and then uses System Restore, they may inadvertently re-infect the computer. If they use System Restore as a means of removal, either the restore will fail (if the anti-virus cleans the virus out during the restore process) or the restore will replace the file with an infected version.

What to Do

Most sites that deal with virus or malware removal will tell you that the first step is to shut down System Restore completely. This deletes all restore points that have been saved up to this point. Then, they have you go through the removal process for the specific virus/malware that you’re infected with. This could include running a scanner, a cleaning tool, or manually removing the virus. Finally, they will have you re-enable System Restore.
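The sequence described above, sketched as an added example for Windows PowerShell 5.1 (it is not from the original article). It assumes C:\ is the system drive and that Microsoft Defender is the scanner, so the scan step stands in for whatever removal tool applies to the specific infection.

```powershell
#Requires -RunAsAdministrator
# Added example. Run in Windows PowerShell 5.1: the *-ComputerRestore cmdlets
# are not available in PowerShell 7.
# Assumptions: C:\ is the system drive; Microsoft Defender is the scanner.
$drive = 'C:\'

# 1. Record which restore points exist before they are discarded, so there is
#    a note of what was lost (dates help when judging when the infection began).
$before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
$before | Select-Object SequenceNumber, CreationTime, Description |
    Format-Table -AutoSize

# 2. Turn System Restore off for the drive so that no infected copy can be
#    restored over a cleaned file.
Disable-ComputerRestore -Drive $drive

# Verify the saved points are really gone instead of assuming it.
$remaining = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
if ($remaining.Count -gt 0) {
    Write-Warning "$($remaining.Count) restore point(s) still listed; do not restore from them."
}

# 3. Removal step (assumption: Defender). Run a full scan and list detections.
Start-MpScan -ScanType FullScan
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, Resources |
    Format-List

# 4. Re-enable System Restore only after cleanup is confirmed, then create a
#    fresh restore point so the first saved state is a known-clean one.
$answer = Read-Host 'Cleanup finished and a follow-up scan is clean? (y/n)'
if ($answer -eq 'y') {
    Enable-ComputerRestore -Drive $drive
    Checkpoint-Computer -Description 'Post-cleanup baseline' `
        -RestorePointType MODIFY_SETTINGS
} else {
    Write-Warning "System Restore left disabled on $drive until cleanup is complete."
}
```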

Final Thoughts

System Restore is a good safety net, and Microsoft was smart in implementing this feature. However, for virus removal, there are much better options to use. Because of the nature of System Restore, it is not an effective option for virus removal. Its nature is to copy files without making sure they are clean, and it does not allow anti-virus programs to clean them inside of the restore volume. You’re much better off having an effective anti-virus solution installed and disabling System Restore during the virus removal process.

References

http://msdn.microsoft.com/en-us/library/ms997627.aspx Quote about System Restore

http://antivirus.about.com/od/windowsbasics/a/systemrestore.htm Recommendation for disabling System Restore during virus removal.


Comments

Fernando Jul 31, 2011 1:23 PM
Restored and fixed
If I didn't have a system restore point, then I would have a useless computer right now. Restoring to a previous point from when the fixed all as it was, I'm still thinking of one or two files that I have that seemed suspicious because of Avast information but everything is ok now as it was. I now know somehow what was that caused the problem (an infected downloaded file as I disabled Avast because I thought it was a safe installation), then scanned with Avast, deleted suspicious infected files, computer then was still malfunctioning and doing all kinds of things, I even heard some music at times and saw strange things in the screen, I wanted to cry, I saw some error info and took note of the names of files attempting to open, opened them constantly in sandbox just to see if Avast could isolate them, my PC was screwed anyways, I had infected detected files that Avast isolated at the time they were created and then I deleted them, then I cleaned registry and other things, then I saw that restore points were there again! System restore did it for me! Yeha! So I guess this article is not for all viruses. I wouldn't recommend to delete all restore points until you're completely sure that your restore points are infected too, but I don't think that way at all. Restore points are known for restoring to a previous state of the system when the infected files were still not created so I guess it can and will work in most cases just because of that; if the virus can mess with the dates of the created files then I guess it won't. I'm not a PC expert anyway but I have a good PC now because of system restore, thanks

Anonymous Jul 17, 2011 2:29 PM
System Restore is better than NO restore
If a virus *REALLY* messes up your system... which would you rather have:

1. A past point to do a system restore... and only have the 1 original, minor virus.

or

2. *NO* past point of recovery... ever... and you have a totally non-working computer?

#1 at least gives you a "second try at fixing things".

aaron May 3, 2011 5:43 PM
RE: Can I Remove a Virus Using System Restore
System Restore is an option when anti-virus fails, and you're someone who isn't savvy enough to clean out the virus manually in safe mode.

It restores the registry and the system files, so as long as you've got a clean restore point, it should disable the virus. But it depends on how the virus is designed. If it plops a link to itself in the user's "startup" folder for example, it could re-do its damage the next time the computer logs in.

Marielle Apr 10, 2011 7:39 AM
Re: Others' comments
System restore does not work to remove malware.

System restore only monitors and restores specific Windows operating system files. When a restore is done on an infected computer, all that does is make a virus harder to remove because it hides it in the registry. It is still there but now harder to find and eradicate.

Even Microsoft says it's a mistake to use system restore when dealing with malware. Here is a quote by a Microsoft MVP on the subject: http://bertk.mvps.org/html/tips.html#9

jmdeur Jan 23, 2011 5:39 AM
system restore bashing
System restore appears to have worked for me, so I can't complain especially after having wasted two hours while some Microsoft technician in India piddled around inside my machine accomplishing nothing.

Mark Jan 11, 2011 1:21 PM
system restore fixes computers
Here is what is wrong with the reasoning in this article:

When a virus infects a computer it does two main things:
1) It can create files
2) It can modify or delete files

When you attempt to remove a virus with a scanner, say, MBAM, you will usually succeed in removing the virus.

Unfortunately for you:
Almost every single virus scanner will do nothing to fix broken files.

System restore is by far the easiest way to restore files back to how they were before the virus.

Please note that system restore cannot fix everything and that you should ALWAYS FOLLOW UP WITH VIRUS SCANS just in case it missed something, which it often can.

Also please only run system restore from the recovery console (press F8 on startup and hit "Repair my computer").

If you choose this approach I would recommend trying to run system restore first, because restore points can be infected but more commonly there will still be malware left.

In summary, nothing is easier (and possibly better) at restoring files than system restore, BUT it is not a substitute for virus scanners.

dylan hill Oct 14, 2010 3:05 AM
just dodge a blow
Well I just got the same exact virus that you got, S. Bing, and it worked like a charm. As for you, Tanner, you might have had that virus on your comp for a while, so keep going back and further back until you find a clean image.

S. Bing Sep 7, 2010 4:27 PM
System Restore Virus
There is a virus called System Restore that is installed if you try to run certain videos (usually porn). It says that it will scan your computer and you will undoubtedly wind up with it telling you that you have 30 or more trojans, worms, key loggers and other horrible things. It then will prompt you to buy the removal version which costs a minimum of $49 but you will not be able to run it.
And that is because it is a scam. The only virus you have is called System Restore and it will not only tell you that you have horrible viruses, it will also not let you open a lot of other applications including valid anti viral programs. If you can run real antiviral programs, you will see that your computer is probably clean.

Removal is fairly involved and can be found on the internet by just typing System Restore Virus Removal. You may not be able to access the internet from the infected computer however.

The easiest way to remove this has already been discussed and that is to do a real system restore.
To do this on Vista, repeatedly press F8 when you restart the machine until it allows you to choose Start in Safe Mode. Then when it starts up, just look up System Restore in the Help menu and follow the directions. I just did this and it works fine.
Call your credit card company to make sure you weren't charged for the nonexistent software (I wasn't), and if you're really worried about identity theft, ask them to change your account. Apparently lots of people are affected by this virus but the credit card companies don't do anything about them. I spent over $100 having a pro work on my computer until I really looked into this and found this five minute fix. Apparently the credit card companies are too busy to really care because when I complained, they just said they would watch my account. Good luck.

Tanner Wilson Jul 11, 2010 3:25 PM
Even oldest restore point doesn't work.
I restored back to October of 2008 and it wouldn't rid me of viruses. I get a message every few seconds asking "Application cannot be executed. The file <insertfilenamehere>.exe is infected. Do you want to activate your antivirus software." It even does it when I try to open Norton to fix the problem. Any advice?

Oman May 22, 2010 10:11 PM
depends on the virus
I guess a more complicated virus will infect system restore as the article suggests.

However, I've used System Restore a few times to get rid of viruses as a last-ditch hope before doing a fresh OS install and it HAS worked effectively. I'd say include it as a latter option, because it does work in some cases.

PatrickDickey May 21, 2010 5:47 PM
Agreed to a point...
I will agree with you that it's possible to restore a file that was infected with a clean copy. However, unless you catch the infection immediately, or keep restoring back until you find one that's clean (or just choose the earliest possible restore point), there's no guarantee.

Also, one of the latest "USB viruses" actually puts the file inside of the System Restore volume and points to that file in the autorun.inf file. So, when you insert the thumb drive into your computer, it runs the virus automatically.

Ultimately, there are better options than trying System Restore. With System Restore, you may have to try it repeatedly with older points (or use the oldest point and hope that it didn't have the infected version of the file at that time). Plus you have to repair or reinstall any programs that were added to the system after that point. At least with the antivirus, you should still be able to use your programs (unless they are infected).

Thanks for stopping by and for your comment, and have a great day :)
Patrick.

Jon May 21, 2010 5:19 PM
a bit deceiving
I've restored many systems utilizing past clean restore points. If the restore points from the past were created before the infection, you stand a good chance of being able to fully recover your system by stepping back to one of them.