Malware Removal Using System Restore
What Is System Restore?
First of all, for those who don’t know what System Restore is: System Restore is a built-in Windows utility that can restore your computer’s “System Files” to a previous point in time. The System Protection feature in Windows regularly creates these System Restore checkpoints, but they can also be created manually. It’s a fairly easy way to undo undesired system changes to your computer without affecting your personal data files, such as documents, pictures, music, videos, e‑mail, and more. As such, it also will not bring back any personal data files you may have lost. It will, however, affect programs, Windows updates, drivers, system settings, Windows account passwords, etc., that you have set up since the date of the System Restore point you are rolling back to. See the video below for an overview of how to use System Restore to remove a malware infection.
System Restore is not a magic pill; it doesn’t always work, and you need a reasonably good restore point available to restore from. Also, using System Restore frivolously might not end well. If System Restore had been turned off, you won’t have any restore points, and you just might have to perform a fresh Windows installation if you can’t get it to boot up.
Sadly, I differ with the major antivirus companies, which always recommend that one of the first things you do when you have a virus is to disable System Restore so you won’t be at risk of restoring any old infections. Some computers get so infected that they won’t even boot to Windows. I say that an infected System Restore point that allows you to boot up is better than NO System Restore points. But once I have disinfected the computer and Windows is running stably again, I will disable System Restore to remove all the old System Restore points, and then turn it back on to begin creating new, good System Restore points.
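The disable-then-re-enable sequence above can be scripted so the purge and the new baseline happen in one step and the result is visible. The following is an added example, not code from the original post; it assumes an elevated Windows PowerShell 5.1 session (the *-ComputerRestore cmdlets are not available in PowerShell 7) and that Windows lives on C:.

```powershell
# Added example (not from the original post): after disinfection, discard every old
# restore point, re-enable System Protection, and create a fresh known-good point.
# Assumptions: elevated Windows PowerShell 5.1; system drive is C:.
#Requires -RunAsAdministrator

$SystemDrive = 'C:\'   # assumption: Windows is installed on C:

# Record how many points exist before the purge, so the operator can see what was lost.
$before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
Write-Host "Restore points present before purge: $before"

# Turning System Protection off deletes all restore points on that drive;
# turning it back on starts a clean history (the sequence the post describes).
Disable-ComputerRestore -Drive $SystemDrive
Enable-ComputerRestore  -Drive $SystemDrive

# Create the first new "known good" point immediately. Caveat: since Windows 8,
# Checkpoint-Computer refuses to create more than one point per 24 hours and only
# warns; confirm the point actually exists afterwards instead of assuming it does.
Checkpoint-Computer -Description 'Post-disinfection baseline' -RestorePointType MODIFY_SETTINGS

# Verify: the list should now contain only the new baseline (CreationTime is a WMI
# DMTF string, so convert it to a DateTime for display).
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description,
    @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize
```

If the verification step shows an empty list, the 24-hour limit (or a System Protection policy set by GPO) blocked the checkpoint; in that case the machine has no restore point at all until one is created, which is exactly the situation the post warns about.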
But when your computer won’t boot up at all, you are probably wondering how you could even use System Restore in the first place. In the old days (just a few years ago), we would perform a manual System Restore using the Recovery Console, but ever since Vista there has been a built-in Startup Repair option with a GUI, invoked with the F8 key at boot-up, that lets you use System Restore. Of course, PC techs like to use live Windows CDs as well.
Can System Restore Be Used to Remove Malware?
Yes, it is possible to remove malware using Windows’ built-in System Restore feature. But should this be your first resort toward repair? Not always. So when is the right time to use System Restore? System Restore may contain up to 3 months of restore points with default settings, but it is not a good idea to go back too far, especially if you have made multiple significant changes to your system. System Restore is most effective when you roll back to a known good point just before the time of the offending change that caused your problem.
What complicates things with computers is prolonged use after you realize you have a problem. Some people go weeks and months, even years, before they get their computer serviced. Ironically, they get used to the degraded performance and end up accepting it as normal. But what #?*! me off, though, is when a customer tells me how their computer worked so perfectly just before the problem that was finally bad enough for them to bring it in for repair. About 99.99% of the time, they are either in denial, naive, or lying. The bottom line is that if the computer was “truly” working great up until the point it got infected, and you dealt with it right away, you could probably completely reverse the infection using System Restore in about 15 minutes. But if you have been putting off repairing your computer problems for some time now (like most people), System Restore might help your computer to walk again, but not to run, and it will probably get worse again anyway. I’m starting to feel my tough-love feelings come out again.
Recent Malware Removal Experience Using System Restore
I checked in a previous customer’s computer that had an obvious fake antivirus program infection called “Malware Protection”. It was a full-on infection that I usually spend hours disinfecting. There was even an icon for it on the Desktop. He told me everything seemed fine up until the infection showed up the day before. He lived down the street and brought his computer in right away. When I checked the date the Malware Protection icon was created, it was, as he said, the day before. I poked around his computer, checked his antivirus quarantine logs and Event Viewer, and determined that this was the only major problem the computer had experienced since it was last serviced.
It was a rare event in my business to have a malware-infected computer that I could fix with a few clicks of the mouse. He could have done it himself. So I ran System Restore and restored the system to the closest date just before the infection. After the System Restore successfully completed, I poked around again and ran several malware and antivirus scans to ensure there were no more infections; everything came up clean. I used the extra time I had to do other types of routine maintenance and updates.
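The selection step in this story (date the first artifact, then pick the latest restore point that predates it, as the earlier section recommends) is the part worth getting right. The following is an added example, not the post’s own procedure; it assumes an elevated Windows PowerShell 5.1 session, and the Desktop shortcut path is a placeholder standing in for whatever artifact you dated.

```powershell
# Added example (not from the original post): pick the most recent restore point that
# predates the first sign of infection, show the gap, and only then roll back.
# Assumptions: elevated Windows PowerShell 5.1; $Artifact is a placeholder path.
#Requires -RunAsAdministrator

$Artifact = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Malware Protection.lnk'  # placeholder

$item = Get-Item -LiteralPath $Artifact -ErrorAction Stop
# Take the earliest of the file's timestamps as the infection time; creation times can
# be altered, so the post's cross-check against AV quarantine logs and Event Viewer
# still applies before trusting this value.
$infectedAt = @($item.CreationTime, $item.LastWriteTime) | Sort-Object | Select-Object -First 1
Write-Host "Artifact first seen: $infectedAt"

# Enumerate restore points, converting the WMI DMTF CreationTime string to DateTime.
$points = Get-ComputerRestorePoint | ForEach-Object {
    [PSCustomObject]@{
        Sequence    = $_.SequenceNumber
        Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        Description = $_.Description
    }
} | Sort-Object Created

# The candidate is the latest point strictly before the artifact appeared.
$candidate = $points | Where-Object { $_.Created -lt $infectedAt } | Select-Object -Last 1
if (-not $candidate) {
    Write-Warning "No restore point predates $infectedAt; System Restore cannot undo this change."
    return
}

$gap = New-TimeSpan -Start $candidate.Created -End $infectedAt
Write-Host ("Candidate: #{0} '{1}' created {2} ({3:N1} hours before the artifact)" -f `
    $candidate.Sequence, $candidate.Description, $candidate.Created, $gap.TotalHours)

# Anything installed or changed after the candidate point is reverted too, so the
# operator must confirm explicitly; Restore-Computer reboots the machine on success.
if ((Read-Host "Roll back to restore point #$($candidate.Sequence)? (y/N)") -eq 'y') {
    Restore-Computer -RestorePoint $candidate.Sequence -Confirm
}
```

A large gap between the candidate and the artifact (days rather than hours) is the signal the post describes as “going back too far”: the rollback will still run, but it also undoes every legitimate change made in that window, so the gap is worth reading before answering the prompt.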
Anyway, System Restore is a very powerful tool, but please use it with discretion. Whether to use it at all, and how you choose which date to roll back to, are important things to consider before you blindly grasp at straws trying to fix your computer.
System Restore vs System Recovery
I would add one more thing, though: please don’t confuse System Restore with System Recovery. They are 2 entirely different operations. System Recovery involves reinstalling your Windows Operating System, and for the most part, running System Recovery is destructive and will reformat your hard drive, which will in turn wipe out your data. It is used to recover your system back to the original factory settings, just as it was out of the box when you bought it. As a rule of thumb, always back up your data first before running a System Recovery. If you accidentally run a destructive System Recovery without backing up your data first, it is possible to recover maybe 80-90% of your data if you CEASE to use your computer immediately after the recovery, and bring it in right away. Just know that a successful recovery may depend on why you were running a System Recovery in the first place.
As always, you can avoid being put in this position by heeding my Basic Spyware Prevention Tips.