• Can viruses hide out in System Restore points?


    #490314

    Having received conflicting opinions on this point, I’m hoping you sharpshooters can give me a definitive answer.

    I’m running Windows 7 Pro. A recent system scan with Malwarebytes turned up two bugs, which I’ve removed. The question is, are duplicates of these bugs hiding out in various System Restore Points, and if so, why? Why wouldn’t Malwarebytes (or any antivirus software) also scan System Restore points? The notion that restore points are somehow “exempt” from scanning defies all logic and common sense.

    Yet I’ve had people tell me that if a virus turns up my computer, it’s best to delete all System Restore points lest I reinfect my system.

    Your thoughts on this would be greatly appreciated, and thanks!

    • #1404007

      Antivirus may not have enough permission to remove malware from restore files until system restore is disabled. Malware may also be in a dormant stage in restore files that is not as detectable. Also, once cleaned and operating normally again it’s a moot point to trust or use an old system restore point; make a new one, delete the rest and move on.
      Malware is often placed in the restore point files to keep anyone from so easily removing the malware. However, using a system restore point can often get a system that is almost beyond functional back to a state in which it can be scanned and cleaned more readily so they are not completely useless after a malware infestation.

    • #1404010

      I am no expert, but I would think that System Restore may get contaminated if the system was already contaminated and a restore point taken. This would mean that infected files would be saved in System Restore and restoring those files might then get the infection back.

      Presuming that all infections will have infected System Restore is wrong. Actually, restoring the system to a previous restore point is, sometimes, an effective way of getting rid of easier to clean infections.

      This means that a blanket statement that you should always delete restore points is clearly excessive. Whether you should or not, depends on the infection, the time it occurred and whether system files were clean at the time the restore points were made.

      • #1404022

        I am no expert, but I would think that System Restore may get contaminated if the system was already contaminated and a restore point taken. This would mean that infected files would be saved in System Restore and restoring those files might then get the infection back.

        Yes, that’s certainly the case as well and even more reason why a restore point cannot be trusted but may aid in malware removal if the point of infection cannot be inferred, and the same self-determining logic stands for deleting all restore points after an infection is cleared up. In other words, if a restore point stands up to all malware scans and returns a clean bill of health, that is your new starting point for restore points.

    • #1404011

      I’ve seen antivirus software and antimalware like MBAM and SAS (SuperAntiSpyware) pinpoint infections in the Restore points in the past.

      It’s best to save those Restore points, just in case clean up attempts go badly wrong. Sometimes reinfecting and having to clean up again is better than having a non-bootable computer.

      Once you are completely certain the machine is clean (best to have experts in the specialist malware forums check that, save all your logs for them too), System Restore can be disabled and the machine rebooted before re-enabling SR and creating a fresh Restore point.

      Some software, CCleaner for instance, can selectively remove Restore points (except the most recent usually) if you can detect which RPs are infected.

    • #1404024

      I’ve never read of any instance of malware infecting any existing Restore Point. That doesn’t mean that it can’t happen only I’ve never read about it. If you have an infection when the Restore Point is created then the Restore Point will be infected. Restoring an infected restore point will restore the infection too. Cleaning restore points is usually fruitless. You either have to delete them or let them disappear on their own as they will be automatically deleted at some point.

      --Joe

      • #1404047

        Am grateful to all of you for your input. Let me rephrase my question slightly:

        If (as I believe to be the case) my system was infected a month ago, it seems reasonable to conclude that every restore point created since the date of infection would contain a copy of the infection.

        Today’s malware scan detected malware in ONE folder… and nowhere else. If there are multiple copies of the virus lurking in System Restore points — and logically, there ought to be — why didn’t the scan detect them?

        Antivirus may not have enough permission to remove malware from restore files until system restore is disabled.

        And that may be the answer. But why would Windows withhold permission from a virus scanner for any reason? If I were Windows, I’d roll out the welcome mat to any virus scanner that felt like dropping by. “Glad you could come,” I’d say. “Let the killing begin.”

        Anyway, I’ll go ahead and delete my old System Restore points, and start fresh. Thanks again, everyone.

    • #1404048

      Your computer may have been infected a month ago, perhaps your System wasn’t. Sounds strange, eh?

      System Restore does just that, it restores the System, not all files and folders on the computer. All it does is create copies of vital System files and some Program files and create copies of Registry entries. Exact details will vary according to which Windows OS is in use.

      You only need to look at the size occupied by SR; for many years, I’ve always restricted SR to use only 4-5% of the System drive, that’s still enough for several SR points. On my current 120GB SSD, it’s down to 1%, yet that’s still more than enough for a single SR to be stored (but I do only have 32GB space used).

    • #1404086

      Thank you, Satro.

      I seem to have an overly simplistic understanding of what System Restore does. I’d assumed it created copies of everything except for personal data. The reality is obviously not so cut-and-dried.

      So how’s this for a strategy going forward:

      1. Scan for viruses, and remove any infections.
      2. Confirm that system is functioning normally.
      3. Create a new post-scan System Restore point.
      4. Delete all previous System Restore points, just to be safe.

      Sound okay?
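The restore-point part of that strategy (steps 3 and 4), together with the "how much space does SR actually use" check from the earlier reply, can be done from an elevated PowerShell prompt. This is an added example written for this thread, not code from the original posts or from any of the tools mentioned; it assumes the system drive is C:, that System Restore is enabled on it, and that the malware scan (step 1) and the sanity check (step 2) have already been done by hand. The cmdlets (`Get-ComputerRestorePoint`, `Checkpoint-Computer`) and `vssadmin` are standard on Windows 7 and later.

```powershell
# Added example: post-cleanup restore point routine (not from the thread).
# Run from an ELEVATED PowerShell prompt after scanning and confirming the
# system works. Assumptions: system drive is C:, System Restore is enabled.
#Requires -RunAsAdministrator

# Before touching anything, list what exists. Compare each creation time with
# the suspected infection date: points created after it cannot be trusted.
Write-Host "Existing restore points:"
Get-ComputerRestorePoint |
    Select-Object SequenceNumber,
                  @{Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) }},
                  Description, RestorePointType |
    Format-Table -AutoSize

# Restore points are Volume Shadow Copies, so vssadmin reports the space they
# occupy. This is the figure behind the "1-5 % of the drive" cap mentioned above.
vssadmin list shadowstorage /for=C:

# Step 3: create a fresh restore point on the cleaned system.
# Note: Windows 8 and later skip a new checkpoint if one was made in the last
# 24 hours (Windows 7 has no such throttle); check the listing afterwards.
Checkpoint-Computer -Description "Post-cleanup clean baseline" -RestorePointType MODIFY_SETTINGS

# Step 4: delete every restore point older than the one just created.
# "vssadmin delete shadows /oldest" removes one shadow copy per call, oldest
# first, so loop until a single point remains. The attempt counter guards
# against an endless loop if a deletion keeps failing.
$attempts = 0
$points   = @(Get-ComputerRestorePoint)
while ($points.Count -gt 1 -and $attempts -lt 50) {
    vssadmin delete shadows /for=C: /oldest /quiet | Out-Null
    $points = @(Get-ComputerRestorePoint)
    $attempts++
}

Write-Host "Remaining restore point(s):"
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: the shadow copies also back the "Previous Versions" feature on that volume, so deleting them discards those file versions as well; and if a third-party backup product keeps its own shadow copies on C:, `/oldest` will remove those in the same order, so check the `vssadmin list shadows` output first on such a machine.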

    • #1404088

      If 1. is effective, that means your antimalware apps can deal with whatever infections got to your system. This means that if you restored your system, the same apps would be able to deal with the infection. This said, I don’t see 4. to be a need, especially in case the infection didn’t affect existing restore points.

    • #1404138

      I see your point, Rui, and thanks. Makes sense.

      • #1404143

        I see your point, Rui, and thanks. Makes sense.

        You’re welcome :).

        There is no harm in doing 4. I just don’t believe in applying recipes without thinking about it a bit more. If you want to play safe, yes, 4. is the way to go, but you won’t be infected just because you decided to keep your restore points.

        One thing that we haven’t addressed here is the other layer of your safety net – system backups. If you browse around and if you regularly read our forum, you will know many of us are system imaging “zealots”. An up to date image is your best safeguard against all kinds of threats, may those be hardware malfunctions or software issues, whether they are caused by malware or not. I image my systems once a week, using alternate external hard drives. That has kept me from serious data losses a few times.

    • #1404252

      I hear ya.

      I actually purchased and installed Macrium Reflect Pro on this new laptop, but haven’t backed up my system because the instructions scare the bejesus out of me.

      Plus, after browsing support forums for Macrium and a handful of other system imaging apps, it’s obvious that infallible imaging software doesn’t exist. And lord help me if something goes wrong, because the jargon on those support forums is so arcane it might as well be braille.

      I’ve long admired you “system imaging zealots” and would like to learn how to do system backups, even if it means hiring someone to walk me through it. Times being what they are, I can’t swing that right now, but it’s on my bucket list!

    • #1404253

      Can this be of help?

      There are more where this one came from:

      http://www.youtube.com/user/Macrium?feature=watch

    • #1404254

      yes
      of course they can

      you should totally scrub your pc using every possible program to ensure that there are no virus or other problems lurking before doing a restore point

      you do not need to delete them all

      should one contain a virus
      just keep going back until you get to a clean one

      Having received conflicting opinions on this point, I’m hoping you sharpshooters can give me a definitive answer.

      I’m running Windows 7 Pro. A recent system scan with Malwarebytes turned up two bugs, which I’ve removed. The question is, are duplicates of these bugs hiding out in various System Restore Points, and if so, why? Why wouldn’t Malwarebytes (or any antivirus software) also scan System Restore points? The notion that restore points are somehow “exempt” from scanning defies all logic and common sense.

      Yet I’ve had people tell me that if a virus turns up my computer, it’s best to delete all System Restore points lest I reinfect my system.

      Your thoughts on this would be greatly appreciated, and thanks!

      • #1404358

        Since installing Win7 I haven’t got any infections. However if you back track about a decade ago, WinXP was the new kid on the block. One of the worst infections I saw back then was when a child downloaded what he thought was a new game to try. 30 minutes later, there were some 120 infections detected. How = ???
        We eliminated about 100 of them rather quickly. The remaining 20 were in XP’s system restore folders!!! These were defiant about removal. Eliminating system restore points DID NOT REMOVE those viruses. In fact back in those days deleting system restore points did not remove them from the computer; it just made them unavailable for use. Them with their viruses remained!!!
        We had to boot in safe mode and manually delete the restore folders to eliminate the viruses!!! That was then, this is now. That was the early days of WinXP.
        These days I use disk imaging rather than system restore points. Prior to any disk image, I always check for malware to ensure the image will be clean.
        Michael

    • #1404492

      I’d like to pick up on the backups.
      Since you have Macrium Reflect Pro please go ahead and start a backup procedure
      — I understand it’s a daunting task for someone new at it especially since it’s clumsy and challenging
      — But if you wait until it would be beneficial to recover being clumsy & challenging will be even more so

      I have friends who have lost out big time by not doing backups: system or at least their important data
      — When their system went really bad, it wasn’t only the expense of restoring their computers, it was time & frustration that took over the situation
      — They spent time wondering where in the world is their original or recovery discs (in most cases they didn’t even have one), and then the loss of their data: both personal and naturally pictures along with other family members’ data & pictures
      — When their computers were running good, they used to say they didn’t have to worry about backing up anything because they don’t do “anything” on their computers
      — Oh yes. Should’ve seen their reaction when they wanted whatever “anything” was

      It’s true doing your backups the first time can be daunting. Anyway may I suggest the following?
      — Get a notebook so you can write down questions when a procedure seems
      — Bookmark the youtube video
      — As you start, take the time to absorb what each screen shows
      — Write notes on what you observe
      — Post a question if you get stumped on one of the choices and or procedures
      — Even if it takes you a few days or even a week to complete your first setup at least you’ll be off & running
      — Once you have a backup schedule, keep track of it
      — You might find out you prefer to make some changes on your original selections and now is the time to find that out
      I hope these ideas help

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

    • #1404522

      Those videos look extremely helpful, Rui! Thanks very much for the link. (Wish I had a second computer so I could fiddle with Macrium while watching the vids.)

      Speedball and Michael37713, I appreciate your thoughts and input. (You’re in the system imaging camp too, huh, Michael? A pattern is emerging on this thread.)

      cmptrgy, your tips are excellent. Thanks for taking the time to post them. I need to get over my fear of starting, and just dive in. In my defense, I do a full data backup every week, and make incremental backups in between. So when the computer starts belching molten lava, at least my data is safe.

      But there’s nothing I dread more than having to reinstall / tweak Windows and all my programs. Avoiding that headache is, for me, the number one reason to get up to speed with system imaging.

      Thank you all very much for your help and patience.

      • #1404523

        Those videos look extremely helpful, Rui! Thanks very much for the link. (Wish I had a second computer so I could tag along with Macrium while watching the vids.)
        Thank you all very much for your help and patience.

        That’s what we are here for :).

    • #1404546

      .

    • #1404598

      I would offer a few more suggestions.
      I tend to keep my own notes of programs I use. They are simple reminders and memory jogs of things I discovered when using the app. In this example, I would keep a short file named “My Macrium Notes.doc”. This would be just a short note to myself about things I learned and felt I needed to remember for the future.

      Next I would strongly suggest some form of offline storage of your images. Keeping images stored on the same hard disk as the system is on can be disastrous if the computer crashes. The images could crash with it. In my case I use a 1T Toshiba USB drive for image storage. They tend to be $79 at Walmart.

      Practice looking through the image backups you save. It’s neat to see the files you saved. You know they are safe.

      The initial level of backup images is intended to recover to the equipment it came from. Later you might want to look into saving images that can be recovered to equipment other than where it came from. This is a different ballgame. Defer that till later, when you feel comfortable.

      One neat advantage of saving an image (cleaned of malware) is that any new infections are automatically erased when you recover that saved image. For example if you saved a clean image last week, and got a vicious infection today, recovering the computer to last weeks image just erases today’s infection. Often it is faster to just recover the saved clean image than to troubleshoot the type and kind of removal techniques needed to get rid of it!!!

      It is also interesting to note that system restore will also be reverted to its condition at the time of backup saving!!! So, even if a nasty virus got there, it still is removed by image restoring.

      You have lots to look forward to. Best wishes.
      Michael

      • #1404813

        Thanks for the addenda, Michael!

        I’m a note-keeper myself. Am sure I’ll have reams of notes on Macrium.

        I do store my data offline. Actually, I’m the last man on earth to back up onto CDs. I used to back up onto an external drive until one day the drive died, taking with it three years’ worth of data. Couldn’t afford to have the data professionally salvaged, so that was that. (My own fault for not having several drives, and using them in rotation.)

        When I purchased Macrium, I also bought a new 1T drive for image backups. Am hoping it’s possible to copy those images to DVD, because I’ll feel a lot more secure. (And I know I should store a copy of my data off site in the event of flood, fire, or plague.)

        Later you might want to look into saving images that can be recovered to equipment other than where it came from.

        The ability to do precisely that was one of the major selling points of Macrium Pro. If I can figure that out, I’ll be cookin’ on all four.

        Thanks again for your help and encouragement!

        Brooks

    • #1405126

      Having received conflicting opinions on this point, I’m hoping you sharpshooters can give me a definitive answer.

      I’m running Windows 7 Pro. A recent system scan with Malwarebytes turned up two bugs, which I’ve removed. The question is, are duplicates of these bugs hiding out in various System Restore Points, and if so, why? Why wouldn’t Malwarebytes (or any antivirus software) also scan System Restore points? The notion that restore points are somehow “exempt” from scanning defies all logic and common sense.

      Yet I’ve had people tell me that if a virus turns up my computer, it’s best to delete all System Restore points lest I reinfect my system.

      Your thoughts on this would be greatly appreciated, and thanks!

      Jumping right to the end of the line…
      The answer is YES, restore points can contain copies of viruses, spyware and trojans that have infected your PC.

      Most really good scanners will scan the restore points as well as the hard drive(s) and remove any malware found.
      Don’t rely on Malware Bytes as a do-all, fix-all program. It’s good, but not THAT good.

      If you do ‘whole drive’ backups, you don’t need to backup old restore points and they can be deleted before doing the backup. That can save a lot of space in your Backup Image File.

      A virus can attach itself to almost any type of file. I once scanned my computer with a new AV program (AVG Free) and found a virus on a picture that had been sent to me several years before.

      Good Luck!
      The Doctor 😎

    • #1405291

      Thanks for chiming in, Doc! 🙂

    • #1405522

      Yes. Malware can and does get stored in system restore points. And your registry usually has keys created by malware and those too would also be restored.

      I found this all out years ago when using combofix. I will tell you this. I do use Malwarebytes (pd version) but if something gets by or “I” by accident let something in and didn’t discover till later, I use Combofix. It cleans everything including all those system backups, restore points (without deleting them all), registry entries. I love it, it’s awesome. It just simply removes what at least 99% of those apps you’d pay for cannot do… Combofix is for removal, the author physically updates the program constantly so nothing can stop, bind, or blind it.

      Any worries you have will become a non issue.

      • #1405586

        Thanks very much, hkb.

        Just took a quick glance at ComboFix on the main site, and will check it out later. Looks like a very serious tool.

    • #1405643

      Yes, ComboFix is a very serious tool, most malware forums warn that it is not to be used except under their instruction; it can, and does, cause non-booting computers under certain circumstances.

    • #1405893

      I’ve bookmarked ComboFix, but won’t be running it without a hawk-eyed overseer standing by. Thanks, satrow.
