Mike said:
And everyone who gives such advice is wrong and clearly doesn't
understand what and how system restore works. Disable SR and clear
the archive once the problem is resolved but not before as this
removes the lifeline of being able to restore a trashed system to a
good state using a system checkpoint created before infection.
An infected archive will never cause a problem unless a user
voluntarily chooses to restore to a checkpoint created after
infection and before the system was cleaned. Even that might be
acceptable if the user manages to create an unusable system whilst
trying to clean their system. -- Mike Maltby MS-MVP
Ehh, Mike...
How many really bad infected ME/XP systems did you have to "repair"? I
have to, quite regularly, and when a system really is up into the very
core of the system infected, your "lifeline" could be a "lifeline with
a block of concrete at the other end".
Didn't you have the experience that on such systems the spyware was
back after reboot? No? Hmm, then you must have been working on
different ME/XP systems than I. Bottom line: if a system is screwed up
badly (virus, trojan, spyware) then your system restores (archives,
whatever you call them) are so too...
In a reaction to a reply to your above quoted post you write:
But if not yourself, a user may well want to restore to an uninfected
checkpoint created prior to any infection. By flushing the restore
archive as a first action one removes such action from one's armoury
of tools.
You forgot to mention "an alert and aware user"; most people don't know
where they got an infection from and when... how in the world could
they go back to an uninfected restore point? First question to people
with problems: "Did you install any software lately?" Second one:
"While surfing was there a pop up demanding to download something, and
did you click the "Yes" button?"... 95% of the people don't know an
answer to these questions because:
a. They are not the only user of the system (kids too for instance)
b. They don't have a clue...
A simple example that everyone will understand, and perhaps even
recognize: system is infected with a virus, virus is hidden in a
"system" flagged file. File is saved by the OS in system restore; scan
reveals this, but the file cannot be deleted by the AV program; cure:
throw away the system restore files (by disabling the feature), after
cleaning the system re-enable it again (and in XP I would manually make
a restore point clearly labeled as "Clean restore point").
Same goes for a system infected with for instance "CoolWeb"; I have
seen it return into the system from restore points... only after the
above actions were taken, the system once again was cleaned and a new
fresh restore point was made, the infection was gone permanently!
Given the other posts you posted in this thread I don't expect you to
agree with me, however, being over 15 years in the trade of computer
support and (still) very involved in helping people to get rid of
spyware and the like, I thought it would be a good idea to let people
see another opinion with examples based upon practical experience!
Regards
Dick
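The flush-clean-recreate sequence Dick describes (disable System Restore so the old checkpoints are discarded, clean, re-enable, then make a clearly labelled restore point) written as an added PowerShell script; this is not code from either poster, and it assumes a Windows version with the ComputerRestore cmdlets (Windows 7 and later, not ME/XP) and an elevated session.

```powershell
# Added example: flush the restore archive, re-enable System Restore and
# create a labelled clean checkpoint, then verify it exists.
# Assumptions: run as Administrator on a client Windows version that ships
# Disable-/Enable-ComputerRestore and Checkpoint-Computer; system drive is C:.
$Drive = 'C:\'

function Reset-CleanRestorePoint {
    param([string]$Drive = 'C:\', [string]$Label = 'Clean restore point')

    # Step 1: disabling System Restore on the drive deletes all existing
    # restore points, which is the "throw away the archive" step. Only do
    # this AFTER cleaning, because it also removes any pre-infection checkpoint.
    Disable-ComputerRestore -Drive $Drive

    # Step 2: re-enable protection on the drive.
    Enable-ComputerRestore -Drive $Drive

    # Step 3: create the new checkpoint with an unambiguous description.
    # Note: Windows 8+ refuses a new checkpoint if one was made within the
    # last 24 hours unless the SystemRestorePointCreationFrequency value is set.
    Checkpoint-Computer -Description $Label -RestorePointType 'MODIFY_SETTINGS'

    # Step 4: verify only the freshly created point remains.
    $points = Get-ComputerRestorePoint
    if ($points.Count -ne 1 -or $points[0].Description -ne $Label) {
        throw "Unexpected restore points after reset: $($points | Out-String)"
    }
    $points[0]
}

Reset-CleanRestorePoint -Drive $Drive |
    Format-Table SequenceNumber, Description, @{n='Created';e={$_.ConvertToDateTime($_.CreationTime)}}
```

Run the function only after the malware scan reports the system clean; the disable step is irreversible for the checkpoints it removes.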