Malware Removal Using System Restore

What Is System Restore?

First of all, for those who don’t know what System Restore is, System Restore is a built-in Windows utility that can restore your computer’s “System Files” to a previous point in time. The System Protection feature in Windows regularly creates these System Restore checkpoints, but they can also be created manually. It’s a fairly easy way to undo undesired system changes to your computer without affecting your personal data files, such as documents, pictures, music, videos, e‑mail, and more. As such, it also will not bring back any personal data files you may have lost. It will, however, affect programs, Windows updates, drivers, system settings, Windows account passwords, etc., that you have set up since the date of the System Restore point you are rolling back to. See the video below for an overview on how to use System Restore to remove a malware infection.

System Restore is not a magic pill: it doesn’t always work, and you need a reasonably good restore point available to restore from. Also, using System Restore frivolously might not end well. If System Restore has been turned off, you won’t have any restore points at all, and you just might have to perform a fresh Windows installation if you can’t get the computer to boot up.

Sadly, I differ with the major antivirus companies that always recommend that one of the first things you do when you have a virus is to disable System Restore so you won’t be at risk of restoring any old infections. Some computers get so infected that they won’t even boot to Windows. I say that an infected System Restore point that allows you to boot up, is better than NO System Restore points. But once I have disinfected the computer and Windows is running stable again, then I will disable System Restore to remove all the old System Restore points, after which I will turn it back on to begin creating new, good System Restore points.

But, when your computer won’t boot up at all, you are probably wondering how you could even use System Restore in the first place. In the old days (just a few years ago), we would perform a manual System Restore using the Recovery Console, but ever since Vista, we have had a built-in Startup Repair option with a GUI, invoked with the F8 key at boot-up, that will allow you to use System Restore. Of course, PC techs like to use live Windows CDs as well.

Can System Restore Be Used to Remove Malware?

Yes, it is possible to remove malware using Windows’ built-in System Restore feature. But should this be your first resort for repair? Not always. So when is the right time to use System Restore? With default settings, System Restore may hold up to 3 months of restore points, but it is not a good idea to go back too far, especially if you have made multiple, significant changes to your system. System Restore is most effective when you roll back to a known good point just before the time of the offending change that caused your problem.

What complicates things with computers is prolonged use after you realize you have a problem. Some people go weeks and months, even years, before they get their computer serviced. Ironically, they get used to the degraded performance and end up accepting it as normal. But what #?*! me off, though, is when a customer tells me how their computer worked so perfectly just before the problem that was finally bad enough for them to bring it in for repair. About 99.99% of the time, they are either in denial, naive, or lying. The bottom line is that if the computer was “truly” working great up until the point it got infected, and you dealt with it right away, you could probably completely reverse the infection using System Restore in about 15 minutes. But if you have been putting off repairing your computer problems for some time now (like most people), System Restore might help your computer to walk again, but not to run, and it will probably get worse again anyway. I’m starting to feel my tough-love feelings come out again.

Recent Malware Removal Experience Using System Restore

I checked in a previous customer’s computer that had an obvious fake antivirus program infection called “Malware Protection”. It was a full-on infection that I usually spend hours to disinfect. There was even an icon for it on the Desktop. He told me everything seemed fine up until the infection showed up the day before. He lived down the street and brought his computer in right away. When I checked the date the Malware Protection icon was created, it was as he said on the day before. I poked around his computer, checked his antivirus Quarantine Logs and Event Viewer and determined that this was the only major problem the computer had experienced since it was last serviced.

[Video: malwareprotection.mp4]

It was a rare event in my business to have a malware infected computer that I could fix with a few clicks of the mouse. He could have done it himself. So I ran System Restore and restored the system to the closest date just before the infection. After the System Restore successfully completed, I poked around again and ran several malware and antivirus scans to ensure there were no more infections. It was clean, and the malware scans I ran all came up clean. I used the extra time I had to do other types of routine maintenance and updates.
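The two steps this post relies on, picking the restore point that sits just before the infection artifact appeared and, once the machine is clean, flushing every old restore point and creating a fresh one, can both be scripted. The script below is an added example written for this page, not the author's own tool or anything from the post; the artifact path is an assumed placeholder, and it expects an elevated Windows PowerShell 5.1 session (the `*-ComputerRestore` cmdlets are not present in PowerShell 7). By default it only reports which restore point it would use.

```powershell
# Added example (not from the original post): choose the restore point that
# predates a malware artifact, then flush old points once the system is clean.
# Requires an elevated Windows PowerShell 5.1 session. Paths are assumptions.
param(
    # File whose creation time marks when the infection appeared, e.g. the fake
    # antivirus's Desktop shortcut (hypothetical path, adjust to your case).
    [string]$ArtifactPath = "$env:USERPROFILE\Desktop\Malware Protection.lnk",
    # Actually perform the roll-back; without it the script only reports.
    [switch]$Execute,
    # Run the post-cleanup flush / re-enable / checkpoint cycle instead.
    [switch]$FlushAfterCleanup
)

function Get-RestorePointBefore {
    param([datetime]$Cutoff)
    # Get-ComputerRestorePoint returns WMI objects whose CreationTime is a DMTF
    # string (yyyyMMddHHmmss.ffffff+zzz); convert it before comparing dates.
    Get-ComputerRestorePoint |
        ForEach-Object {
            [pscustomobject]@{
                SequenceNumber = $_.SequenceNumber
                Created        = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
                Description    = $_.Description
                Type           = $_.RestorePointType
            }
        } |
        Where-Object { $_.Created -lt $Cutoff } |
        Sort-Object Created -Descending |
        Select-Object -First 1
}

if ($FlushAfterCleanup) {
    # The post's sequence for a disinfected machine: turn System Protection off
    # to discard every old (possibly tainted) restore point, turn it back on,
    # and immediately create a known-good one.
    Disable-ComputerRestore -Drive "$env:SystemDrive\"
    Enable-ComputerRestore  -Drive "$env:SystemDrive\"
    Checkpoint-Computer -Description "Clean after malware removal" -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
    return
}

if (-not (Test-Path -LiteralPath $ArtifactPath)) {
    throw "Artifact not found: $ArtifactPath. Point -ArtifactPath at the file whose creation date marks the infection."
}
$infectedAt = (Get-Item -LiteralPath $ArtifactPath).CreationTime
Write-Host "Infection artifact created: $infectedAt"

$candidate = Get-RestorePointBefore -Cutoff $infectedAt
if (-not $candidate) {
    throw "No restore point predates $infectedAt; System Restore cannot roll this back."
}
Write-Host ("Closest earlier restore point: #{0} from {1} ({2}, type {3})" -f
    $candidate.SequenceNumber, $candidate.Created, $candidate.Description, $candidate.Type)

# Warn when the gap is large: a point from weeks before the infection undoes
# far more than the infection (updates, drivers, passwords), as the post notes.
$gap = $infectedAt - $candidate.Created
if ($gap.TotalDays -gt 7) {
    Write-Warning ("That point is {0:N1} days before the infection; expect to redo updates and settings." -f $gap.TotalDays)
}

if ($Execute) {
    # Restore-Computer reboots the machine to apply the chosen restore point.
    Restore-Computer -RestorePoint $candidate.SequenceNumber -Confirm
} else {
    Write-Host "Dry run. Re-run with -Execute to roll back to restore point #$($candidate.SequenceNumber)."
}
```

Run it first without switches to see the candidate and the age gap, then with `-Execute` to roll back, and after the post-restore scans come back clean, with `-FlushAfterCleanup`. This path only works from a Windows that boots; when it does not, the Startup Repair GUI the post describes is the way in. Note that on Windows 8 and later `Checkpoint-Computer` declines to create a second restore point within 24 hours of the previous one unless that policy has been changed, so the final checkpoint may be skipped if one was created the same day.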

Anyway, System Restore is a very powerful tool, but please use it with discretion. Deciding wisely whether to use it at all, and which date to roll back to, are important things to consider before you blindly grasp at straws trying to fix your computer.

System Restore vs System Recovery

I would add one more thing though: please don’t confuse System Restore with System Recovery. They are 2 entirely different operations. System Recovery involves reinstalling your Windows Operating System, and for the most part, running System Recovery is destructive and will reformat your hard drive, which will in turn wipe out your data. It is used to recover your system back to the original factory settings, just as it was out of the box when you bought it. As a rule of thumb, always back up your data first before running a System Recovery. If you accidentally run a destructive System Recovery without backing up your data first, it is possible to recover maybe 80-90% of your data if you CEASE to use your computer immediately after the recovery, and bring it in right away. Just know that a successful recovery may depend on why you were running a System Recovery in the first place.

As always, you can avoid being put in this position by heeding my Basic Spyware Prevention Tips.


2 Responses to “Malware Removal Using System Restore”

  1. How to Check Hard Drive for Errors | Gakidoo's Computer Repair

    […] from the Boot Options Menu using F8. For Vista and Windows 7, you could perform a System Restore with the Startup Repair option using F8. In either case, I would check the drive for errors first […]

  2. Mariel

    The newer types of malware head right to restore points and infect all of them so attempting system restore on an infected computer will not only not remove the infection in many cases, it can make it extremely difficult to remove. System restore masks the infection and buries it so deeply in the OS and registry, even more sophisticated removal tools cannot detect and remove it.

    I do agree with your statement that system restore should not be disabled until malware removal has been completed, because if something should go wrong in the process, a “dirty” restore point is better than the alternative. Part of best practice in malware removal is to turn off system restore after the infection has been removed, then reboot and turn it back on, flushing all restore points in the process.
