Purging System Restore PRIOR to Uninstallations


Craig
March 20th 05, 05:34 AM
I've come across a post in a user forum that suggests "turning off
System Restore BEFORE you un-install anything".

My reflex reaction and position:
I can think of no compelling reason for following this advice under any
circumstances short of at the direction of a malware eradication
program/tool/checklist from a trusted source. Failing that (even if
dealing with the extreme of malware eradication), I would refrain from
purging the restore point data until AFTER the eradication, as I would
not as a general rule want to forsake ANY potential recovery resource
unless and until absolutely necessary (for example, there's always the
possible scenario where the malware infection is mistakenly determined
to begin with). Is not my understanding correct that System Restore
point data is contained and thus benign unless and UNTIL such time that
it is called upon to accomplish an actual restore (unless of course the
identified malware's modus operandi is to replicate from the infected
restore point directory itself)? In sum, I most certainly for anything
less extreme as malware eradication, would not ever follow this
proposed advice.

I would be most interested in hearing any thoughts by others as to
anything I might be overlooking, or something flawed in my stated
assessment, reasoning or position.

Thanx in advance for your replies.

Sharon F
March 20th 05, 03:34 PM
On 19 Mar 2005 21:34:23 -0800, Craig wrote:

> I've come across a post in a user forum that suggests "turning off
> System Restore BEFORE you un-install anything".
>
> My reflex reaction and position:
> I can think of no compelling reason for following this advice under any
> circumstances short of at the direction of a malware eradication
> program/tool/checklist from a trusted source. Failing that (even if
> dealing with the extreme of malware eradication), I would refrain from
> purging the restore point data until AFTER the eradication, as I would
> not as a general rule want to forsake ANY potential recovery resource
> unless and until absolutely necessary (for example, there's always the
> possible scenario where the malware infection is mistakenly determined
> to begin with). Is not my understanding correct that System Restore
> point data is contained and thus benign unless and UNTIL such time that
> it is called upon to accomplish an actual restore (unless of course the
> identified malware's modus operandi is to replicate from the infected
> restore point directory itself)? In sum, I most certainly for anything
> less extreme as malware eradication, would not ever follow this
> proposed advice.
>
> I would be most interested in hearing any thoughts by others as to
> anything I might be overlooking, or something flawed in my stated
> assessment, reasoning or position.
>
> Thanx in advance for your replies.

I've seen that advice (disable System Restore before uninstalling anything)
and been surprised by it as well. I feel the same way that you do about it
- it's wrong.

My vote goes to keeping the restore points and even (especially?) if you
are repairing from a malware intrusion. If something goes awry during
cleanup, you still have those restore points to fall back on. Even an
infected restore point could be useful if the only other choice is a
machine that won't boot. Once the machine is clean, then reset System
Restore to clear out any residual restore points that may be infected.


--
Sharon F
MS-MVP ~ Windows Shell/User
In memory of our dear friend, MVP Alex Nichol

Bert Kinney
March 20th 05, 04:00 PM
Hi Craig,

This statement is wrong! I agree with your assessment of how System
Restore should be used. You are correct, any virus or malware living
in the SR volume is benign until such time as the system is restored to
that point.
Just because there is a dormant virus in SR doesn't mean it's time to
panic. I would rather boot to a damaged system than not boot at all.

Here's my take on Keeping System Restore Healthy
http://home.earthlink.net/~mvp_bert/html/healthy.html

--
Regards,
Bert Kinney MS-MVP Shell/User
http://dts-l.org/

Craig wrote:
> I've come across a post in a user forum that suggests
> "turning off System Restore BEFORE you un-install
> anything".
>
> My reflex reaction and position:
> I can think of no compelling reason for following this
> advice under any circumstances short of at the direction
> of a malware eradication program/tool/checklist from a
> trusted source. Failing that (even if dealing with the
> extreme of malware eradication), I would refrain from
> purging the restore point data until AFTER the
> eradication, as I would not as a general rule want to
> forsake ANY potential recovery resource unless and until
> absolutely necessary (for example, there's always the
> possible scenario where the malware infection is
> mistakenly determined to begin with). Is not my
> understanding correct that System Restore point data is
> contained and thus benign unless and UNTIL such time that
> it is called upon to accomplish an actual restore (unless
> of course the identified malware's modus operandi is to
> replicate from the infected restore point directory
> itself)? In sum, I most certainly for anything less
> extreme as malware eradication, would not ever follow
> this proposed advice.
>
> I would be most interested in hearing any thoughts by
> others as to anything I might be overlooking, or
> something flawed in my stated assessment, reasoning or
> position.
>
> Thanx in advance for your replies.

Craig
March 20th 05, 10:32 PM
Thank you Sharon and Bert for your prompt replies. This one has been
nagging me for a while thinking there was something I might be
overlooking. But once again, the adage holds true..."Your first
instinct is probably the correct one". Nonetheless, I didn't want to
take any chances being it involved a system recovery tool.

"Today's the best day of my life...and NOW you're part of it!"...Craig
