The Ultimate Malware Fighter: System Restore


Use this WinXP utility to bring systems 'back in time' to a pre-attack state


This recipe pulls out all the stops in describing some of the worst malware attacks against typical PC internet browsers. An effective repellant to these attacks comes from a surprising quarter -- not the expected remedy of anti-virus or anti-spyware software. Based on my real-life experience with a particularly nasty malware program called CoolWeb, I found that both the problem and the solution stem directly from Microsoft's Windows XP OS and Internet Explorer (IE) browser.

While IE is not the root of the problem per se, its incredible popularity is. Malware authors -- who are performing criminal acts by their practices -- target IE almost exclusively, because they know that their programs will proliferate fastest on the most widely used browsing platform. After all, something like 70% of the Web-browsing public still uses IE.

The solution comes from System Restore, a great little utility introduced in Windows ME and now included in Windows XP. I like to think of System Restore as a kind of H.G. Wells time machine, because it can essentially transport PC software back in time. More specifically, you can reset the software to a moment prior to a vicious attack by some malware program.

System Restore rolls back system state rather than the whole disk. It restores the registry, Windows system files, and the program files it monitors (executables, DLLs, and similar file types), and it leaves personal data files alone, so Word documents, Excel spreadsheets, and e-mail messages created after the restore point survive the rollback. One important exception: new software installations. If you reset the system to a time before a program was installed, you will need to reinstall that program. For this reason, before you run System Restore on a client's system, make sure you have all their software CDs and Web downloads cataloged and available. You're likely to need them. Two caveats follow from the same design. First, malware that lives in unmonitored files, or that was already on the machine when the chosen restore point was taken, is not removed by the rollback, so a scan afterwards is still required. Second, the restore points themselves (stored under System Volume Information on each drive) can hold copies of infected files, which is why a scanner sometimes keeps flagging a system that is otherwise clean; once the system is verified clean, turning System Restore off and back on discards every old restore point.

The good news is that if your clients' XP systems are hit by a destructive malware program, they already have almost everything you'll need to get the systems back up and running. The only addition is a piece of software you can download for free. Let's take a look at what's needed.

Ingredients

This recipe does not require an extensive list of ingredients. In fact, for XP systems, here is the complete list:

  • Windows XP System Restore program. If the system currently runs Windows XP, then System Restore is already installed and ready to go. If your clients run older systems based on Windows ME, then they also have System Restore ready to go.

  • CDs of all software and drivers.

  • Copies of any software and drivers your client may have downloaded from the Internet, including the download URLs. If license codes apply, make sure you have these, too. A good practice is to have your client provide you with a checklist of all software on the system. That way, there will be no confusion or need for a second service call.

  • A free trial copy of Computer Associates' Pest Patrol software.

System Restore is not available on older Windows 2000, 98, or 95 systems. For help with systems running those Windows versions, refer to an earlier TechBuilder recipe, The Only True Fix For Windows.

But First, The Bad News

As you probably know, malware has quickly become a very serious problem. I recently had an eye-opening (and nerve-wracking) experience, when my own system was attacked by a spyware program called CoolWeb. This is by far the nastiest malware program I've seen. CoolWeb attacked my PC in the following order:

  • First, it reported a Trojan to my McAfee anti-virus program, which told me (incorrectly) that the Trojan had been cleaned and eradicated.

  • Second, it hijacked my IE home page to an annoying "My Search" page as the default.

  • Third, it caused my system to display a large number of pop-up ads that I had not seen previous to the attack.

  • Fourth, CoolWeb caused my copy of Ad-Aware anti-spyware software to actually crash -- an amazing and terrifying sight I have never seen before.

  • Finally, it completely outfoxed Spy Subtract, another anti-spyware program I run. Amazingly, Spy Subtract contains a special CoolWeb killer called CWShredder. This program reported back to me that it found and killed CoolWeb, but then the main Spy Subtract program found more than 1,400 (!!!) pieces of malware on my PC. And I still had annoying pop-ups all over the place.

Similarly, a good friend of mine recently spent three hours on the phone with Hewlett Packard trying to get his machine fixed after a nasty virus attack. Ultimately, the HP tech reps could not help him. So his first question to me was, "How do I fix my PC?" The main part of this recipe is my answer.

What's Behind the Problem?

Under normal circumstances, I have always relied on scanning my hard drive for viruses and spyware. Firewalls are great, but a firewall controls connections rather than content: set strictly enough to be useful, it tends to filter out too much, and often a good portion of the content I want gets blocked. In addition, I challenge the firewall companies to show me a program that blocks every Trojan and piece of malware on the Net.

Many corporate PC users still have a safe haven from viruses and spyware. It is built from thin clients and the current security products from Cisco and Citrix: a server at the edge of the network takes the traffic, and only the desired content is delivered to the end-user PCs. But this solution is costly. And typically it must be tweaked and configured by an enterprise IT department -- not standard operating procedure for a small business or residential user.

AOL and Mozilla Firefox also are "safe" browsing resources, for the simple reason that they are not generally targeted by the notorious malware authors; the safety comes from obscurity, not from any guarantee in the software. If I, like two thirds of the browsing public, were not so enamored of IE, there would be no reason to write this article. IE is just an old-time favorite. I cannot explain why, but I can understand why the browsing world at large is willing to suffer attack and abuse in order to remain loyal to this program, at least for today. At the same time, Mozilla Firefox is gaining momentum and popularity against IE. Of course, if Firefox were to become the dominant browser, then it, too, would become a target for black-hat hackers.

Computer Associates' Pest Patrol

There is one piece of software you'll need to get for this malware fix. Pest Patrol is Computer Associates' anti-spyware software. It operates similarly to Spybot and Ad-Aware. And it's available in a fully functional trial version, which should be considered a great bonus. Other similar anti-malware products ship detection-only trial versions that will only remove malware once you have paid. In other words, their trial versions only locate the malware, then ask for payment prior to the actual "execution."

The trial version of Pest Patrol is good for 30 days. After that, if you want to purchase your copy of Pest Patrol, it costs only $30 for a single license. There's a three-pack, too, that lets you save a few dollars.

I decided to include this piece of software in this recipe for two main reasons. First, Pest Patrol is the only effective anti-malware software I could find that had a free trial download. That's less of an issue, of course, if you intend to use the software on a repeated basis. In that case, the $30 price is a bargain. And second, Computer Associates remains a highly regarded software supplier.

Here's a screen shot of Pest Patrol's main panel:


By running Pest Patrol on my (previously) infected test system, I managed to find more than 40 spyware programs and bugs. The software ran without either a hiccup or the annoying requirement of a full system reboot (which Ad-Aware does). But Pest Patrol is not perfect by any means. Although the Windows Control Panel is a favorite "hiding place" of malware programs, Pest Patrol did not detect any programs hiding there on my test system. Other than by using System Restore (which I'll discuss in the next section), I had to go into the Control Panel, hit Add or Remove Programs, identify by eye the malware programs, and then remove them manually. These programs are not easy to catch, by the way. They have deceptively nice names like Cool Web, Ad Search, and My Search -- all cleverly designed to foil frustrated end-users and PC technicians alike.
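Identifying those entries "by eye" means reading display names, which is exactly what their authors control. The Add or Remove Programs list is built from the Uninstall registry key, and each entry there also carries a publisher, an install date and the uninstall command, which point at the files actually involved. The script below is an added example, not part of the original recipe or of Pest Patrol: it dumps every Uninstall entry with those fields and flags entries that would not appear in the Control Panel at all (no DisplayName, or SystemComponent set to 1). It assumes an administrator account on a 32-bit Windows XP machine and is run with cscript.

```vbscript
' Added example (not from the original article): enumerate the registry
' entries behind Add or Remove Programs on Windows XP so suspicious
' entries can be checked by their uninstall command and install date
' instead of by their display name alone.  Run with:
'   cscript //nologo list_uninstall.vbs
' Assumes it runs as an administrator on a 32-bit Windows XP machine.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const BASE = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

Dim reg, subKeys, k, path, name, pub, cmd, installed, sysComp, flags

Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

If reg.EnumKey(HKEY_LOCAL_MACHINE, BASE, subKeys) <> 0 Then
    WScript.Echo "Cannot read HKLM\" & BASE
    WScript.Quit 1
End If
If IsNull(subKeys) Then
    WScript.Echo "No entries under HKLM\" & BASE
    WScript.Quit 0
End If

For Each k In subKeys
    path = BASE & "\" & k
    ' Each Get*Value call leaves the variable Null when the value is absent.
    reg.GetStringValue HKEY_LOCAL_MACHINE, path, "DisplayName", name
    reg.GetStringValue HKEY_LOCAL_MACHINE, path, "Publisher", pub
    reg.GetStringValue HKEY_LOCAL_MACHINE, path, "UninstallString", cmd
    reg.GetStringValue HKEY_LOCAL_MACHINE, path, "InstallDate", installed
    reg.GetDWORDValue HKEY_LOCAL_MACHINE, path, "SystemComponent", sysComp

    flags = ""
    ' Entries without a DisplayName, or with SystemComponent=1, are not
    ' shown in Add or Remove Programs, so they never get inspected by eye.
    If IsNull(name) Then flags = flags & " [no DisplayName]"
    If Not IsNull(sysComp) Then
        If sysComp = 1 Then flags = flags & " [hidden: SystemComponent=1]"
    End If
    If IsNull(pub) Then flags = flags & " [no Publisher]"
    If IsNull(cmd) Then flags = flags & " [no UninstallString]"

    WScript.Echo "Key:      " & k & flags
    WScript.Echo "  Name:   " & Coalesce(name, "-")
    WScript.Echo "  Pub:    " & Coalesce(pub, "-")
    WScript.Echo "  Date:   " & Coalesce(installed, "-")   ' yyyymmdd when present
    WScript.Echo "  Remove: " & Coalesce(cmd, "-")
Next

' Return the registry value, or the fallback when it was missing (Null).
Function Coalesce(v, fallback)
    If IsNull(v) Then
        Coalesce = fallback
    Else
        Coalesce = v
    End If
End Function
```

Read the output for entries whose install date matches the onset of symptoms, whose publisher is missing, or whose uninstall command points outside Program Files and the Windows directory; the command line tells you which executable to scan or quarantine, and the key name is what to search for in the registry afterwards. Do not run an unknown entry's uninstall command blindly: it is a program chosen by whoever wrote the entry.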

System Restore

System Restore is accessed the following way:

  1. It's a good practice to shut down all other applications before using System Restore, because the restore finishes with a full-system reboot. Connecting to the internet is not required, however. So shut all applications. Then click "Start."

  2. Go to Programs...Accessories...System Tools...and System Restore. The program will load. Here's a screen shot of the program-entry screen:


  3. In this recipe, we'll follow the path of restoring the computer to an earlier time. As you can see, you also have the option of creating a restore point. But for now, just click on Next. You will be presented with the following screen:


  4. Chances are good that you will have many "prior dates" to pick from. Each restore point carries a description (a scheduled "System Checkpoint", a driver or program installation, or a point you created yourself), so select the most recent point dated before the first symptom appeared. When the first symptom cannot be dated, picking a point is pretty much guesswork, and you may have to try more than one. If a restore turns out to be too early or too late, System Restore records the restore operation itself as a new restore point and offers to undo it, so you lose nothing but time. And as I mentioned before, you are in no danger of losing any recent data files or e-mail messages you may have created. Click Next. You will be presented with the following screen:


  5. Click Next. The PC will undertake its own automated operations: Windows shuts down, the restore runs in a restricted full-screen session (which does not allow copying and pasting, which is why I don't have another screen shot here), and the PC restarts itself when the process is done.

      With that, System Restore is complete. I find it an unfortunate and distressing state of affairs that this recipe must be written as a "trial and error" process. I believe that a standardized process for eradicating malware is sorely needed. It would be wonderful if the tier-one PC manufacturers, along with Microsoft, would deliver this solution, and soon.
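The guesswork in step 4 shrinks if you look at the restore points as data rather than as calendar squares. The script below is an added example, not part of the original recipe or of Windows: it lists every restore point on the machine through the same System Restore WMI provider the GUI uses, picks the newest one created before a time you supply (the last moment you believe the machine was clean), and only when given the extra word "restore" queues that rollback and reboots. It assumes an administrator account on Windows XP or Server 2003, where the SystemRestore class lives in the root\default namespace, and it ignores the time-zone suffix of the WMI timestamp, which is a simplification that does not matter when restore points are hours apart.

```vbscript
' Added example (not from the original article): list the restore points
' on a Windows XP machine, pick the newest one created before a time at
' which the machine is believed to have been clean, and optionally run the
' restore through the System Restore WMI provider.
'   cscript //nologo pick_restore_point.vbs "2004-10-12 09:00"          (list only)
'   cscript //nologo pick_restore_point.vbs "2004-10-12 09:00" restore  (restore + reboot)
' Assumes an administrator account on Windows XP/2003, where the
' SystemRestore class lives in the root\default WMI namespace.
Option Explicit

Dim args, cutoff, svc, rp, best, bestTime, t, sr, rc, os

Set args = WScript.Arguments
If args.Count < 1 Then
    WScript.Echo "usage: cscript //nologo pick_restore_point.vbs ""yyyy-mm-dd hh:mm"" [restore]"
    WScript.Quit 1
End If
cutoff = CDate(args(0))   ' last time the machine is believed to have been clean

Set svc = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default")
Set best = Nothing

WScript.Echo "Seq   Type  Created              Description"
For Each rp In svc.InstancesOf("SystemRestore")
    t = WmiTime(rp.CreationTime)
    WScript.Echo Right("    " & rp.SequenceNumber, 4) & "  " & _
                 Right("   " & rp.RestorePointType, 4) & "  " & _
                 FormatDateTime(t, vbGeneralDate) & "  " & rp.Description
    ' Keep the newest point that still predates the cutoff.
    If t < cutoff Then
        If best Is Nothing Then
            Set best = rp
            bestTime = t
        ElseIf t > bestTime Then
            Set best = rp
            bestTime = t
        End If
    End If
Next

If best Is Nothing Then
    WScript.Echo "No restore point predates " & cutoff & "; System Restore cannot roll back that far."
    WScript.Quit 2
End If
WScript.Echo "Candidate: #" & best.SequenceNumber & " (" & best.Description & ") created " & bestTime

If args.Count > 1 Then
    If LCase(args(1)) = "restore" Then
        Set sr = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:SystemRestore")
        rc = sr.Restore(best.SequenceNumber)   ' 0 = accepted; applied during the restart
        If rc = 0 Then
            WScript.Echo "Restore queued; rebooting to apply it."
            Set svc = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\.\root\cimv2")
            For Each os In svc.ExecQuery("SELECT * FROM Win32_OperatingSystem")
                os.Reboot
            Next
        Else
            WScript.Echo "Restore call failed, return code " & rc
            WScript.Quit 3
        End If
    End If
End If

' Convert the leading yyyymmddHHMMSS of a WMI datetime string to a VBScript
' Date. The fractional seconds and time-zone suffix are ignored (assumption:
' restore points are far enough apart that the offset never changes the pick).
Function WmiTime(s)
    WmiTime = DateSerial(CInt(Mid(s, 1, 4)), CInt(Mid(s, 5, 2)), CInt(Mid(s, 7, 2))) + _
              TimeSerial(CInt(Mid(s, 9, 2)), CInt(Mid(s, 11, 2)), CInt(Mid(s, 13, 2)))
End Function
```

Run it without the second argument first and read the list: a point whose description names an installation you do not recognize is itself evidence of when the trouble began, and a malware program that has disabled System Restore shows up here as an empty list. After the reboot, scan the machine again; the rollback restores registry and monitored program files but leaves unmonitored files and the old restore points in place, and the restore operation it just performed appears as a new restore point so it can be undone.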



      DAVID KARY is the founder and CEO of rippt.com, and a frequent contributor to TechBuilder.org.