Will a restore point remove a virus?

[Neil Toulouse]

Hi guys!

Somehow a virus has slipped through the net, and even though I have cleaned the PC, it keeps reappearing.

If I restore back to a previous point will that remove the virus? or am I better off running a liveCD solution and going for a 'deep clean'? Last time I performed a 'deep clean' it took something like 16 hours to complete hence my reluctance!

TIA
Neil

I like work. It fascinates me. I can sit and look at it for hours...

 

[stduc]

I very much doubt it. Any self respecting virus should be able to survive a return to a restore point. But worth a try I guess?

I no longer waste hours trying to remove infections. I use storagecrafts shadow protect to make a weekly image of drive C and restore that together with the MBR. I find it less hassle to restore any programs I need to than remove the virus - not that that helps you right now of course.

[navy]When I married "Miss Right" I didn't realise her first name was 'always'. LOL[/navy]

 

[linney]

I guess it very much depends on the payload of the malware (and where it is located) as to whether System Restore would fix it, and whether you went back far enough would have a bearing too.

System Restore would replace changed, or deleted, .sys, .dll., .exe, and other important system files, it would also replace the Registry with one dated at the chosen Restore Point. It would also keep current (infected) files that it replaces by way of an "undo" restore point that it creates.

Conversely restoring from a restore point might also replace previously removed malware.

I too make very frequent image backups of the various partitions that I have to enable easy recovery.


This is a "heavy hitter" in removing very hard to clear malware, but read the instructions carefully.

A guide and tutorial on using ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

[linney]

ComboFix usage, Questions, Help? - Look here

http://www.bleepingcomputer.com/forums/topic273628.html

"Q. I used ComboFix on a 64-bit system and cannot get it to work?

System Requirements: Combofix currently only works with Windows 2000/XP/Vista/Windows 7 (32-bit).

Why? Due to the architecture in 64-bit windows, drivers need to be digitally signed. Windows 64-bit enforces driver signing so rootkits cannot reside on that system unless someone is going to issue certificates to malware writers. Since drivers need to be specific, 32-bit drivers do not run on a 64-bit operating system. As such, rootkits are not seen as often on 64-bit machines so they are less prone to that type of infection but with technology that may change. Right now, the tool's creator has indicated it is very unlikely that there will be a 64-bit version of ComboFix since that OS is more secure than a 32-bit system.

Note: Although ComboFix will work on Windows 7, it is not officially supported yet so if it is run you will receive a warning message that it is a beta version meant for compatibility testing."

 

[Neil Toulouse]

Thanks for the responses guys!

Give me food for thought Will run Dr Web Live CD and see how I get on. If that fails I will format and re-install Windows as ComboFix just comes across as very scary

I like work. It fascinates me. I can sit and look at it for hours...

 

[stduc]

To be 100% sure the virus isn't hiding in the MBR you might want to consider downloading the hard drive manufacturers stand alone CD bootable diagnostics and running those. Choose "zero fill"

In future make regular imager backups with Shadowprotect, Ghost or Trueimage. Take your pick.

[navy]When I married "Miss Right" I didn't realise her first name was 'always'. LOL[/navy]

 

[Neil Toulouse]

Thanks stduc, I will look into that

I like work. It fascinates me. I can sit and look at it for hours...

 

[Sympology]

@Linney 64bit Rootkits.

Need to keep up I'm afraid :-(

http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html

Robert Wilensky:
We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true.