How can you tell when system restore is infected?

By ejames82
Dec 31, 2007
  1. I have witnessed several HijackThis log analysts say that there was an infection in the System Restore that was being analyzed at the time. I am somewhat of a newbie, but would like to see an example of the file path, or HijackThis entry, when it's infected.
    I would just like to know what it looks like in the log. Thanks, Ed
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You will see a message about "system volume" when the Restore is infected. I encourage removal of Restore points after cleaning a malware infection. This can be done by turning System Restore off, then turning it back on.

    And there are occasions where it is advised to disable SR "before" the cleaning.
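    As an added example (not from anyone in this thread), here is what Bobbye's "system volume" hint looks like when checked mechanically: a short Python script that scans HijackThis-style log lines and flags any entry whose target file sits inside a restore point folder (System Volume Information\_restore{GUID}\RPnn\). The log lines, GUIDs and file names are constructed samples, not taken from a real log.

```python
import re

# Constructed HijackThis-style log lines (sample data, not a real log).
# The GUIDs and file names are made up; only the path shape matters.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\System Volume Information\_restore{5A3B1C2D-0000-4000-8000-ABCDEF123456}\RP12\A0001234.exe
O23 - Service: Example Service - C:\Program Files\Example\svc.exe
O2 - BHO: (no name) - {11112222-3333-4444-5555-666677778888} - C:\SYSTEM VOLUME INFORMATION\_RESTORE{9F8E7D6C-1111-4222-8333-444455556666}\RP3\A0000077.dll
"""

# Restore point storage on XP: <drive>\System Volume Information\_restore{GUID}\RPnn\A00xxxxx.<ext>
# Windows copies changed system files in there. A startup, BHO or service entry
# that points *into* that tree is the "system volume" sign the thread talks about.
RESTORE_POINT_PATH = re.compile(
    r"system volume information\\_restore\{[0-9a-f-]+\}\\rp(\d+)\\(a\d+\.[a-z0-9]+)",
    re.IGNORECASE,
)


def find_restore_point_entries(log_text):
    """Return one dict per log line whose target file lives inside a restore point."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = RESTORE_POINT_PATH.search(line)
        if not match:
            continue
        hits.append({
            "section": line.split(" - ", 1)[0],  # HijackThis section tag, e.g. O4, O2, O23
            "rp": int(match.group(1)),           # restore point number (RP12 -> 12)
            "file": match.group(2),              # file name inside the restore point
            "path": match.group(0),
        })
    return hits


if __name__ == "__main__":
    for hit in find_restore_point_entries(SAMPLE_LOG):
        print(f"{hit['section']}: loads {hit['file']} from restore point RP{hit['rp']}")
```

    The script only says that an entry points into restore-point storage, not what the file is; that is exactly why the cleanup step in this thread is to drop the old points by turning System Restore off and back on.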
  3. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    You can't really, as System Restore is a compressed file.
    Once your system is clean, you can turn it back on. A better solution is always to have it OFF and back up your system periodically to another hard drive or device.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I do NOT recommend keeping System Restore off! This is very risky behavior unless a user is advanced enough to create ongoing, available backups. Many are not.
  5. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    So if I see an entry in a HijackThis log that refers to "system volume", they're talking about System Restore. I am still vague about this, but I will keep it in mind.
    I have read often that a "dirty" restore point is better than no restore point at all. Many recommend cleaning the system before turning on, then off, System Restore.
    As for the subject of "backing up", a newbie is going to have a hard time finding literature in a step-by-step format with screenshots. All the info that I could find was way over my head. Resources that cater to newbies are hard to find.
    Thanks for the replies, Ed
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    "so if i see an entry in a hijackthis that refers to "system volume", they're talking about system restore." Yes.

    And it has always been my preference to turn off System Restore at the beginning of cleaning instead of the end. I find that many users will resort to whatever they can if they don't know how to troubleshoot a problem. For instance, maybe they run a spyware/adware program, find it and remove it. At a later time, they find they are reinfected and can't figure out why! But at some point, without dropping off the old points, they did a System Restore and infected the system again.

    I ran into those who would rather keep the "dirty restore points". It's a matter of preference, because dropping or keeping can both be well documented.

    System Restore isn't a backup. It simply restores your system to the way it was before whatever happened to cause the havoc.

    Here is a site with screen shots to help you understand how the backup process works and how it is done:
  7. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    Keeping System Restore OFF is wise.
    1. Use a good backup plan, either through XP or another program, and make it automatic.
    2. Turning off System Restore saves space and speeds up the system.
    3. Viruses LOVE to infect System Restore.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    As I explained, this may be safe for an experienced user. Users we get with questions are, for the most part, not experienced.
  9. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    Bobbye and Tedster,
    let me get this straight. You both advocate:
    1. backing up
    2. turning off Restore (this eliminates restore points, if I am not mistaken): Control Panel > System > System Restore > check box > Apply > OK.

    Backing up:
    I checked out the link. Open Windows XP Backup.

    Insert your Windows XP CD. 'OUCH'!

    The only CD I have is "Windows XP Service Pack 2", which I sent away for. I bought the computer off my neighbor for $50 with no CD. I probably need the "installation" CD that costs $100. It's too bad too, because without the disk, I can't get the file path Start > Programs > Accessories > Backup, can I?

    If I could use the backup utility, the most sensible way to use it would be to copy from C drive to D drive, is that correct? If my hard drive failed, I would be protected.

    Wouldn't you also agree that the easiest way to back up would be to copy to CD-R via E drive?

    Thanks for the info. Ed
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    1. Yes, I recommend backing up. I recommend a backup be to external removable media, the reason being, as you say, if the hard drive fails. How you do this depends on your system and what drive type is available.

    2. No, I do NOT recommend turning off System Restore! The only exception to this is when you want to drop off restore points intentionally for a possible malware infection. As I previously said, a backup and a restore are not the same thing. There are times when something like an update has caused a problem that can be easily fixed by doing a System Restore, with no need to do a full backup.

    From TechNet:
    Q. How is System Restore different from Backup?
    A. System Restore monitors only a core set of specified system and application file types (e.g. .exe, .dll etc), while Backup Utility typically backs up all files including users' personal data files, ensuring a safe copy stored either on the local disk or to another medium. System Restore does not monitor changes to or recover users' personal data files such as documents, graphics, e-mail, and so on. While system data contained in System Restore's restore points are available to restore to for only a limited period (restore points older than 90 days are deleted by default), backups made by the Backup Utility can be recovered at any time.

    If you use Windows XP Pro, the Backup utility is on the system. If it's the Home version, then the CD is required. More on backup here:
  11. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    By "CD", you mean the $100 "installation" CD (unfortunately), don't you? My sister-in-law said she has this "installation" CD; could I use it for my computer? I don't think it's ever been used.

    Backup "copies" more. Understood.

    Time to create a new restore point on at least a couple of computers. Is there any way this can be changed? 90 days is not long enough.

    Thanks for the informative reply and the link. I'll check it out. Ed
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The time the restore points can be available depends on how much 'room' they are allowed to use on the hard drive, how often they are created, and where they are stored.

    You can create your own restore point as well as letting the system automatically create them every 1024 hours.
  13. ejames82

    ejames82 TS Enthusiast Topic Starter Posts: 139

    Is this info available? How much room do they need?

    Thanks for the reply. Ed
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36
