Restoring after a virus

Discussion in 'other software & services' started by Rmus, Nov 22, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    A friend's son got a virus via his AOL buddy list. When he realized what had happened, he just enabled the most recent XP restore point and that was that.

    I don't see this XP feature talked about too much. Are there some drawbacks to using restore points?

    thanks,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I didn't notice any problems in particular with System Restore in XP....but the infected file is still going to remain in the Restore folders for backup purposes :eek: :D

    No need to worry I think.
     
  3. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    It's certainly a handy tool, but not a true 'go back' tool like you would get with a cloned disc. It only backs up system files and not data, so it won't recover files that you delete or lose, and it may not completely delete a prog that messes up your comp.
    On its default settings it is a tremendous disc space hog. You can have several Gb of space tied up in restore points.
    As Firecat said, it's very easy to end up with a tainted restore point. If you've got SR turned on and you get an infection, then you will almost certainly end up with it in one or more of your restore points. Dormant of course, but waiting to be 'restored'.
    I've still got SR turned on, but I don't really need it. I've got a ghosted image on a backup HDD. I've throttled back the amount of space that it is allowed to use....and I clear out all the restore points on a fairly regular basis, either by turning it off/on or using 'disc cleanup'.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm not sure what you mean - if you restore to a previous point, how can anything in the current session be retained?

    How can this happen unless a restore point is created while you are infected? As I understand from my friend, after an internet session he restores to a previous point, which would wipe out any infection caught while online.

    You can choose when to create the restore point:

    "you can create and name your own restore points at any time. If you’ve installed a program that has made your computer unstable, you can open system restore, choose a restore point, and return your computer to its previous stable state."

    http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for mentioning that - I just read more, and it would seem to be a big drawback of the feature:

    ------------------------
    Q. Does System Restore uninstall my program if I restore to a point before the program was installed?

    A. System Restore does not completely uninstall any program if restoring to a point prior to the program installation. As System Restore is based on an inclusionary model, any files added or modified by the installation (which is not monitored by System Restore) or added to or modified in a non-monitored drive will not be tracked. To remove all changes an installation may have made to the system, the user should first use the Add/Remove option in the control panel to remove the application prior to using System Restore.
    ---------------------------

    The question is, would restoring to a previous state remove all files installed by a virus or trojan?


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  6. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    ...if SR made a restore point during that session. If not sure of the frequency, it's something like on boot and every ten hours....and this would depend on the disc space allowed.

    If he's restoring to a known 'good' point, he's probably OK. But that doesn't mean there won't necessarily be some tainted restore points there....
     
  7. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    That's the biggie eh!?
     
    Last edited: Nov 22, 2005
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    "Originally Posted by Rmus
    The question is, would restoring to a previous state remove all files installed by a virus or trojan?"

    I don't have XP to see what happens, so can you try one and post back with your results :D

    Thanks,

    -rich
     
  9. Cochise

    Cochise A missed friend

    Joined:
    Jan 26, 2003
    Posts:
    2,549
    Location:
    North Thoresby Lincs Good Olde England
    Well, in my very limited experience with regard Syst.Restore and deadly infiltration..when I had a Trojan...I used Kav to find and snuff it (From advice from the Good Guys here)..then I did a restore to an earlier time, then disabled SR......then a Restart...then enabled SR and the Trojan was no more...whether that was right or wrong, it worked for me......I then just set a new SR.....:D


    Cochise,:cool: Just trying to keep up....:D
     
  10. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    I hope you're right because that's what I do. :)
     