System restore totally cleans malware from system???


mongoose470

I am a technician at Barbs Computer Service here in Cedar Rapids Iowa. I have worked on computers for 14 years.

I am now being told that to clean an infected computer with the Internet Security 2010 rogue utility and Virut that all I have to do is system restore. Barb the owner and her two senior techs Mitch and Crawdad are all telling me that system restore is all I need to do because it will clean up the registry and then it won't matter if the infected files are remaining on the computer.

Personally I am flabbergasted at this turn of events, as I know malware can infect the very restore points themselves and malware will remain active even if you clear the corresponding registry entries. However, I am wondering if I am just crazy because the owner and the two "senior techs" are telling me I have to do this and are claiming that I SHOULD KNOW THIS. Repeat, they want me to do a system restore and nothing more, and I am going to stand up for the customer and insist that I have to do a full clean with scans. Am I going crazy here??? It almost seems surreal. They tried to tell me that System Restore has recently changed for XP, therefore it is effective at removing viruses, but I have NEVER heard of this.

Your opinion?
 
I would say you're not totally safe from the malware with just a simple system restore. As you did mention, malware can even infect the restore points, so restoring would just lead to the same infected state...just thinking you're clean.

Edit: Also the malware might not activate when you restore, but the files may still be present; which can be activated by a response or command at anytime.
 
The thing with the ISS 2010 rogue utility family is you can't even run System Restore because it kills .exe processes, requiring a cleaning from an unmounted storage medium, a la UBCD, and then, 9 times out of ten, you have to edit the Winlogon registry key and replace the userinit.exe file just to get it to the point where you can boot and then run system restore.

But my boss and "senior techs" are absolutely demanding I do this. I'm hoping to convince the boss otherwise by gaining other opinions. Maybe I am wrong, but I've been working on computers too long to concede this point and I will not do a half *** job.
 
This can go either way; it's a yes and no answer. Some malware will infect System Restore and some won't. As a precaution I usually ask the user to disable system restore, then we clean the system, and then once we know it's clean for sure, they can enable it if they choose to. Usually when you run some programs such as Combofix and Malwarebytes it will show you where the infection is, and it will show system restore as being infected.
 
No, it's generally not possible. As you said, most malware nowadays infects the restore points themselves, and it is pretty much necessary to disable system restore, deleting all of the previous restore points, and then going on with fixing the problem.

So far with infections like that, I've been booting into Safe Mode, disabling entries via MSConfig (or manually going into the system32 folder and removing the executable, which is where a lot are located). Then I run HiJackThis to remove entries, as well as ComboFix (if the system is an XP-based system, as it doesn't work with Vista/7 yet). MalwareBytes and TrojanRemover are also run.

Another thing to check that I've been looking at recently, is the IE proxy server settings. Make sure there's no proxy server enabled in IE's internet options.
 

A note about proxy settings is that sometimes they can be hidden. In XP, at a command prompt you can type "proxycfg" sans quotes and it will list any proxy servers that are active, and then you can use the -d switch to switch to direct access.

Combofix is a great tool. It works in VISTA but has issues with 64bit operating systems.
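The checks the posts above describe by hand (the Winlogon Userinit/Shell values that the rogue AV hijacks, the IE proxy setting, the machine-wide WinHTTP proxy that proxycfg reports, and disabling System Restore before cleaning) collected into one audit script. This is an added example, not code from the thread; it assumes Windows PowerShell running elevated, and the expected default Userinit and Shell strings are assumptions for XP/Vista/7 rather than something the posts state. proxycfg.exe and Disable-ComputerRestore only exist on some Windows versions, so the script falls back or skips where a tool is absent.

```powershell
# Added example (not from the thread): audit the persistence and proxy
# locations discussed above, and optionally disable System Restore.
# Assumptions: elevated Windows PowerShell; default Winlogon values are
# "<system32>\userinit.exe," (trailing comma) and "explorer.exe".

function Get-RegValue([string]$Path, [string]$Name) {
    # Return a registry value, or $null when the value/key is missing.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

function Test-WinlogonValues {
    # Userinit/Shell are the values rogue AV families replace so their loader
    # runs before the desktop. Anything beyond the defaults is a finding.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sysdir = [Environment]::SystemDirectory        # e.g. C:\WINDOWS\system32
    $expectedUserinit = "$sysdir\userinit.exe,"      # assumption: stock value
    $findings = @()
    $userinit = Get-RegValue $key 'Userinit'
    $shell    = Get-RegValue $key 'Shell'
    if ($userinit -ne $expectedUserinit) {
        $findings += "Winlogon Userinit = '$userinit' (expected '$expectedUserinit')"
    }
    if ($shell -ne 'explorer.exe') {   # string -ne is case-insensitive
        $findings += "Winlogon Shell = '$shell' (expected 'explorer.exe')"
    }
    return $findings
}

function Get-ProxyFindings {
    $findings = @()
    # Per-user WinINet settings, i.e. what IE's Internet Options dialog shows.
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ((Get-RegValue $ieKey 'ProxyEnable') -eq 1) {
        $findings += "IE proxy enabled: $(Get-RegValue $ieKey 'ProxyServer')"
    }
    $pac = Get-RegValue $ieKey 'AutoConfigURL'
    if ($pac) { $findings += "IE auto-config (PAC) script: $pac" }

    # Machine-wide WinHTTP proxy: the one the post says can stay hidden.
    # XP ships proxycfg.exe; Vista and later use 'netsh winhttp show proxy'.
    $out = $null
    if (Get-Command proxycfg.exe -ErrorAction SilentlyContinue) {
        $out = & proxycfg.exe 2>&1 | Out-String
    } elseif (Get-Command netsh.exe -ErrorAction SilentlyContinue) {
        $out = & netsh.exe winhttp show proxy 2>&1 | Out-String
    }
    if ($out -and $out -notmatch 'Direct access') {
        $findings += "WinHTTP proxy set: $($out.Trim())"
    }
    return $findings
}

function Disable-RestoreAndPurge {
    # Vista/7 only: switch System Restore off for the system drive and delete
    # every existing restore point, as the posts recommend before cleaning.
    # On XP use System Properties > System Restore, which drops the points too.
    param([string]$Drive = ($env:SystemDrive + '\'))
    if (Get-Command Disable-ComputerRestore -ErrorAction SilentlyContinue) {
        Disable-ComputerRestore -Drive $Drive
        & vssadmin.exe delete shadows /all /quiet | Out-Null
        return $true
    }
    return $false
}

$report = @(Test-WinlogonValues) + @(Get-ProxyFindings)
if ($report.Count -eq 0) {
    'No Winlogon or proxy anomalies found.'
} else {
    $report | ForEach-Object { "FINDING: $_" }
}
# Uncomment once the findings are reviewed and you are ready to clean:
# Disable-RestoreAndPurge
```

Run it from a clean boot medium or Safe Mode before and after the scans; a Userinit value that points anywhere other than system32\userinit.exe is what leaves the machine unable to log in, and a WinHTTP proxy that survives an IE "direct access" setting is the hidden case the proxycfg note describes (proxycfg -d clears it on XP).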
 
Ah that's right, it was x64 that it has problems with; my mistake.

This shop has done a lot of things that are very confusing.

They made some rule that any 0x000007E BSODs must be wiped and reloaded. I have resolved 5 of them in the last month without wiping and reloading.

They actually threatened me to never put VLC player on a machine. That is one of the most widely used, most versatile and most trusted third-party video utilities ever, and they even used to recommend it. The only explanation I was given was that some customers didn't quite understand everything about it.

On the wipe and reload: They accept no other excuse other than the 7E BSOD. If the system doesn't have that we are not allowed to wipe and reload. Just crazy. Time is money and some customers have been without their systems for far longer than required.

One of the techs has convinced the owner that chkdsk is the only reliable tool to determine a hard drive failure (which it does not predict; it just detects errors and does not differentiate between physical and logical errors). Needless to say, this has caused a LOT of problems. They also told me that if memtest doesn't fail within 10 minutes, the memory cannot be bad. Now I have hundreds of examples where memtest wouldn't show a RAM failure until eight hours in. This has caused a lot of issues.

I have been a tech for years and quality is of utmost importance to me and right now they are really making me doubt myself. This isn't sour grapes if you all are wondering, I AM questioning what they are trying to teach me because it contradicts all my years of experience. It contradicts their own words and the wisdom of other techs.
 