Disable and Enable Restore in Windows XP after virus/worm infection

Bun Mui

When someone is infected with a worm or virus.

One should scan with an anti-virus checker.
Remove all viruses or worms.

Afterwards it is recommended that you disable restore,
re-start the computer and afterward enable restore
and re-start the computer.

As I understand this will delete all previous
restore points which may contain the virus/worm.

So from my understanding if a person's computer
is infected with a worm or virus your restore points
will become useless even before the infection since
you must delete all the previous restore points
in order to disable and enable restore to get rid of the
worm/virus currently on the computer.
Is that correct?

I just wonder where (what directory) on the hard drive
are the restore points located?

What about the registry? Should I fool around with it?
Or is it not necessary?
Since some websites tell you to delete the stuff on
the registry which was made by virus or worm.
But I don't like fooling around with it.
Since they say if you make a mistake your
system may not start back up again if you do something
wrong or don't back it up.
Which is a scary thought.

I got infected with the Agobot virus before.
Now it is removed by anti-virus software.
Just wondering if it is still necessary to touch
the registry?

Thanks.

Bun Mui
 
TheUnknownSoldier

The System restore points are in a hidden or system folder on the root of
every HD and is called "System Volume Information"
 
Will Denny

Hi

There is no need to touch the Registry for a virus in System Restore. The
SR files are held in the System Volume Information folder - which is hidden.
You will need to unhide it via Windows Explorer. Changing anything in that
folder while SR is running could make SR unusable.

--

Will Denny
MS-MVP Windows - Shell/User


| When someone is infected with a worm or virus.
|
| One should scan with an anti-virus checker.
| Remove all viruses or worms.
|
| Afterwards it is recommended that you disable restore,
| re-start the computer and afterward enable restore
| and re-start the computer.
|
| As I understand this will delete all previous
| restore points which may contain the virus/worm.
|
| So from my understanding if a person's computer
| is infected with a worm or virus your restore points
| will become useless even before the infection since
| you must delete all the previous restore points
| in order to disable and enable restore to get rid of the
| worm/virus currently on the computer.
| Is that correct?
|
| I just wonder where (what directory) on the hard drive
| are the restore points located?
|
| What about the registry? Should I fool around with it?
| Or is it not necessary?
| Since some websites tell you to delete the stuff on
| the registry which was made by virus or worm.
| But I don't like fooling around with it.
| Since they say if you make a mistake your
| system may not start back up again if you do something
| wrong or don't back it up.
| Which is a scary thought.
|
| I got infected with the Agobot virus before.
| Now it is removed by anti-virus software.
| Just wondering if it is still necessary to touch
| the registry?
|
| Thanks.
|
| Bun Mui
 
Guest

I have a similar problem - have been infected with Blaster and others. Can't restore config at any point. Have lost all my profiles and settings and can't copy from backup due to corrupt settings in the registry - not sure how to solve?
 
zag

Bum answer from an MVP - Will.
Explain to him how to get rid of his SRP's which are
pretty much useless now anyhow.
Also, be aware that System Volume Info files show up
differently with NTFS than with FAT32.
Bun -
Go to your Windows Help section and read up on System
Restore Points and how to delete all but the last one,
or how to delete them all.

z --------------------------------------------------
 
Will Denny

Hi

If you can't Restore, have lost profiles and the Registry is corrupt, you
may have to look at a 'Repair' or 'Clean' install of XP:

"How to Perform a Windows XP Repair Install"
http://michaelstevenstech.com/XPrepairinstall.htm

"Clean Install Windows XP"
http://michaelstevenstech.com/cleanxpinstall.html

Courtesy of MVP Michael Stevens.

--

Will Denny
MS-MVP Windows - Shell/User


| I have a similar problem - have been infected with Blaster and others. Can't
restore config at any point. Have lost all my profiles and settings and can't
copy from backup due to corrupt settings in the registry - not sure how to
solve?
 
Plato

Bun said:
When someone is infected with a worm or virus.

One should scan with anti-virus checker.
Remove all viruses or worms.

Afterwards it is recommended that you disable restore
re-start the computer and afterward Enable restore
and re-start the computer.

Incorrect. One should disable System Restore BEFORE you run the
anti-virus.
 
Plato

Philip said:
I have a similar problem - have been infected with Blaster and others. Can't restore config at any point. Have lost all my profiles and settings and can't copy from backup due to corrupt settings in the registry - not sure how to solve?

System restore is NOT designed as a virus removal tool.
 
Alex Nichol

Bun said:
One should scan with anti-virus checker.
Remove all viruses or worms.

Afterwards it is recommended that you disable restore
re-start the computer and afterward Enable restore
and re-start the computer.

As I understand this will delete all previously
restore points which may contain the virus/worm.

So from my understanding if a person's computer
is infected with a worm or virus your restore points
will become useless even before the infection since
you must delete all the previous restore points
in order to disable and enable restore to get rid of the
worm/virus currently on the computer.
Is that correct?

Not entirely. But if you restored to an infected point the virus would
return and you should immediately clean it again, which is rarely going
to be a good idea. Restoring to a point *before* the infection should
be OK, but really it is better to take a clean start. Rather than
disabling/enabling, I would wait for a new, clean, point to be made (or
make one manually) then use the button in Disk Cleanup - More Options to
delete all but that most recent point.

I just wonder where (what directory) on the hard drive
are the restore points located?

In System Volume Information (on each partition if more than one, for
the items related to it). You need to have Folder Options - View set to
show Hidden files, and *not* Hide Protected mode ones to see them. But
leave them alone, unless you *have* disabled restore, when I would
reboot and clear out anything that may have got left there.

You should need to do nothing about the registry direct in this context
(it is included in each point and restored with it). Leave the registry
alone unless you have explicit instruction on just what to do, or have
good knowledge of how it works.
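
Alex's sequence (let a clean restore point be made, or make one, then drop every older point) scripted in PowerShell, as an added example that is not code from the thread or from any of its posters. It assumes an elevated Windows PowerShell 2.0 or later session on a client Windows edition where the Get-ComputerRestorePoint and Checkpoint-Computer cmdlets are available, and that srclient.dll exports SRRemoveRestorePoint (it does on XP and Windows 7; on other builds that is an assumption). The -InfectionTime parameter and the PreInfection/SUSPECT verdicts are this example's own additions, following Alex's point that a point taken after the infection would bring the malware back.

```powershell
# Added example, not from the thread. Reports System Restore points, marks those
# taken at or after a known infection time, optionally makes a fresh clean point
# and then removes every point except the newest (what Disk Cleanup - More Options does).
# Assumptions: elevated Windows PowerShell 2.0+, client Windows with the
# *-ComputerRestore* cmdlets, srclient.dll exporting SRRemoveRestorePoint.
param(
    [datetime]$InfectionTime = (Get-Date),   # earliest time the malware is known to have been present
    [switch]$MakeCleanPoint,                 # create a new checkpoint before reporting
    [switch]$PurgeOlderPoints                # actually delete every point except the newest one
)

# System Restore on/off state, read from the value the Control Panel writes.
# DisableSR = 1 means SR is off and no points exist to enumerate.
function Get-SrState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableSR
    if ($v -eq 1) { 'Disabled' } else { 'Enabled' }
}

# One row per restore point, with a verdict relative to the infection time.
function Get-RestorePointReport {
    param([datetime]$Cutoff)
    foreach ($rp in Get-ComputerRestorePoint) {
        # CreationTime is a WMI (DMTF) string such as 20040318123045.000000-000
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($rp.CreationTime)
        $verdict = 'PreInfection'
        if ($created -ge $Cutoff) { $verdict = 'SUSPECT' }   # restoring it would restore the malware
        New-Object PSObject -Property @{
            SequenceNumber = [uint32]$rp.SequenceNumber
            Created        = $created
            Verdict        = $verdict
            Description    = $rp.Description
        }
    }
}

# P/Invoke the documented srclient.dll export that removes one point by sequence number.
Add-Type -Namespace SrClient -Name Native -MemberDefinition @'
[DllImport("srclient.dll", SetLastError = true)]
public static extern uint SRRemoveRestorePoint(uint dwRPNum);
'@

Write-Host ("System Restore is " + (Get-SrState))

if ($MakeCleanPoint) {
    # The new point becomes the one Alex says to keep.
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
}

$report = @(Get-RestorePointReport -Cutoff $InfectionTime | Sort-Object SequenceNumber)
$report | Format-Table SequenceNumber, Created, Verdict, Description -AutoSize

if ($PurgeOlderPoints -and $report.Count -gt 1) {
    $newest = $report[-1].SequenceNumber
    foreach ($p in $report | Where-Object { $_.SequenceNumber -ne $newest }) {
        $rc = [SrClient.Native]::SRRemoveRestorePoint($p.SequenceNumber)
        if ($rc -eq 0) { Write-Host "Removed point $($p.SequenceNumber) ($($p.Verdict))" }
        else { Write-Warning "SRRemoveRestorePoint($($p.SequenceNumber)) returned $rc" }
    }
}
```

Run it with no switches first to see the report; if Get-SrState says Disabled there is nothing to list, because switching System Restore off is exactly what discards the points. `-MakeCleanPoint -PurgeOlderPoints` performs the Disk Cleanup step: the verdict column is only informational, the purge keeps the newest point and removes all the others, pre-infection ones included, as Alex recommends.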
 
Bun Mui

Plato said:
Incorrect. One should disable System Restore BEFORE you run the
anti-virus.

This is what it says here:

http://www.grisoft.com/faq/us_faqtext.php?id=180&sid=26

It doesn't mention anything about running anti-virus software after you
disable it.

If what you said is the case, shouldn't System Restore always be disabled
by default while using AVG anti-virus software?
That means that no restore points will ever be made if you are running
AVG. Kind of defeats the purpose of System Restore, right?

Thanks.

Bun Mui
 
Troy

If you guys actually read this
http://www.grisoft.com/faq/us_faqtext.php?id=180&sid=26 you would see that
it says to do this if you keep getting a virus warning and you scan and it
doesn't find anything... also if you read it, it says that you are just turning
off System Restore, restarting and turning it back on. I actually had this
problem; the virus warning AVG was giving me said that it was an infected
System Restore file... after doing what this site says I don't get that
message anymore.
 
Plato

In the above case I was addressing "When someone is infected with a worm
or virus."
E.g. I stand by what I said in the context, i.e. if you are infected, disable
System Restore _before_ you run the anti-virus, NOT afterwards.
 
Kelly

Symantec states:

System Restore option in Windows XP

Users of Windows XP should temporarily turn off System Restore. Windows XP
uses this feature, which is enabled by default, to restore the files on your
computer in case they become damaged. If a virus, worm, or Trojan infects a
computer, System Restore may back up the virus, worm, or Trojan on the
computer.

Windows prevents outside programs, including antivirus programs, from
modifying System Restore. Therefore, antivirus programs or tools cannot
remove threats in the System Restore folder. As a result, System Restore has
the potential of restoring an infected file on your computer, even after you
have cleaned the infected files from all the other locations.

Also, in some cases, online scanners may detect a threat in the System
Restore folder even though you scanned your computer with an antivirus
program and did not find any infected files.

For instructions on how to turn off System Restore, read your Windows
documentation, or the article "How to turn off or turn on Windows XP System
Restore"
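
A small diagnostic, added here and not part of Symantec's text or of the thread, that makes the restriction in the quote visible: it tries to list the System Volume Information folder on every fixed drive under the current account and reports whether the listing is refused. It assumes Windows PowerShell 2.0 or later. On an NTFS volume the folder's ACL grants access only to SYSTEM, so an administrator (and a scanner started by one) gets AccessDenied, while the same script run under the SYSTEM account (for instance from a service, or a `psexec -s` shell, which is outside this example) can read it; that is why System Restore itself can write there but a user-launched scanner cannot clean there. On FAT32, which has no ACLs, the listing works for anyone, the difference zag mentions above.

```powershell
# Added example, not from the thread. Per fixed drive: does the current
# security context get to enumerate "System Volume Information"?
# Assumes Windows PowerShell 2.0+; uses only built-in cmdlets and WMI.
function Test-SviAccess {
    $disks = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3'   # 3 = local fixed disk
    foreach ($disk in $disks) {
        $path = Join-Path $disk.DeviceID 'System Volume Information'
        $row = New-Object PSObject -Property @{
            Drive      = $disk.DeviceID
            FileSystem = $disk.FileSystem      # NTFS carries an ACL, FAT32 does not
            Exists     = (Test-Path -LiteralPath $path)
            Access     = 'n/a'
            Entries    = 0
        }
        if ($row.Exists) {
            try {
                # -Force is needed because the folder and its contents are hidden+system.
                $items = @(Get-ChildItem -LiteralPath $path -Force -ErrorAction Stop)
                $row.Access  = 'Readable'
                $row.Entries = $items.Count
            } catch {
                if ($_.Exception -is [System.UnauthorizedAccessException]) {
                    $row.Access = 'AccessDenied'   # the normal result for an administrator on NTFS
                } else {
                    $row.Access = 'Error: ' + $_.Exception.Message
                }
            }
        }
        $row
    }
}

$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Checking System Volume Information access as $who"
Test-SviAccess | Format-Table Drive, FileSystem, Exists, Access, Entries -AutoSize
```

Run it twice, once from an elevated prompt and once as SYSTEM, and compare the Access column; the Entries count under SYSTEM is the number of items a scanner running as a normal administrator never sees, which is the gap the Symantec note warns about.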
 
Troy

Basically I figure by turning off System Restore then turning it back on you
are removing all old restore points, therefore removing any backup of the
virus... no, you wouldn't need to scan it... if you read either AVG or
Symantec, it basically tells you that.
 
Alex Nichol

Kelly said:
Windows prevents outside programs, including antivirus programs, from
modifying System Restore. Therefore, antivirus programs or tools cannot
remove threats in the System Restore folder. As a result, System Restore has
the potential of restoring an infected file on your computer, even after you
have cleaned the infected files from all the other locations.

I think it better to let a new clean point be made then use Disk Cleanup
to remove all but the most recent (now clean) point.
 
Kelly

True and same here, Alex. I was only offering the information (if read)
that most users are presented with when going to the removers, etc.
 
