System restore does not work

Solved/Closed
Line32 Posts 31 Registration date Thursday September 18, 2008 Status Member Last seen May 11, 2009 - Sep 19, 2008 at 10:14 AM
 just1n - Jul 8, 2010 at 09:45 PM
Hello,
There is a virus that has settled in the System Restore folder of my computer and I don't know how to get it deleted. I tried with Norton but it seems as if the virus comes back every time and I am now out of ideas on how to get rid of it.
Thanks

21 responses

Keifermail Posts 28 Registration date Saturday February 7, 2009 Status Member Last seen February 15, 2009 5
Feb 8, 2009 at 06:28 PM
I am writing to express gratitude for Morphine on this forum for solving my problem. This invasive "virus/malware/painintheass" seems to be diffrent on every machine and it may take several tries to find the solution as I discovered. I also would like to try and figure out where the "bug" came from. I have related below two possible causes. Please others post their stories and let's see if we can come up with the vector.

I acquired this "virus/malware/headache" on 1/27/2009. My last download from Microsoft was a routine updating of Office 2007. I know this because when I tried to use system restore my last save point was the day before I updated Office. I do not believe that Office is the culprit but I would like to know what the last thing others downloaded before they acguired "the bug." A more likely cause would be my habit of occassionally watching videos on Pornhub. This may be TMI, but hey, if we are to figure out where this thing came from I will be the first to admit to frequenting Pornhub as a possibility. If others suspect the same please post your thoughts.

Now about this bug....

This thing is incredible!

It hijacks every browser on your computer- Explorer, Firefox, Chrome and Safari. When you attempt to Update Windows it sends you to a very good "fake Google page." Every click or search in the fake google page seems to add more malware and directs one to porn sites. i.e. Gay Porn (not that there is anything wrong with that) Just happens that I am straight. I also believe that this is the reason it is worse on some machines than others. I recognized the Google page as fake because I use iGoogle as my home page and there was no button for iGoogle. When I attempted to search is when it became very apparent. It sent you straight to the page it wanted to. It seems that the more you use this fake page the worst the infection becomes.

It doesn't stop at hijacking the browser, it also prevents your Antivirus from updating. I had Trend Micro orginally and went out and bought Kaspersky after being told that it was the best by the IT guys at work This thing shut down Kaspersky's like it owned it. (I had a Disk version of Kaspersky manufactured in Oct 2008. I do believe that had I had Kaspersky before and it was updated, instead of Trend Micro, I would have never caught the bug.) I found this forum yesterday morning Googling "virus hijacks browser and disables updates."

As Morphine sugested: I downloaded the free Trojan Remover 6.7.5. (It is free for 1st 30 days) Find it here:

https://www.simplysup.com/tremover/download.html

Then I ran it. It found the offending file and it stated that it needed to be deleted- which I did by clickin OK or something. I thought I had solved the problem and did nothing else other than attempt to update Kaspersky and Windows. Both failed before completing.

Whoever wrote this "bug" is a genuis, and a sadistic bastard! It is like the last boss fight in good Videogame, you can't kill it with just one weapon. It apprently hides in your RAM and attaches itself back into the registry. That is why you have to have SmitFraudFixTool. Find it here:

http://smitfraudfixtool.com/

This program will cost you unfortnately. I already had RegCure but it did not work- its not made to chase bugs. I paid $39.00 for it and can run it on three computers. Anyway, after running the Trojan Remover again and immediately afterwards running SmitFraudFixTool and cleaning out 3156 so called "bad files." I then updated Kaspersky and ran a system scan which finally put the noose on the damn thing for good. This forum was a godsend!

My computer is now running like a dream! Thank you Morphine for the solution. Please others post their battles with this Monster.
4
OMG thank you SO SO SO much. That virus was quite a nuisance but thanks to that trojan remover software mentioned above it did the trick. That and Mcafee togethor destroyed the virus :). It was quite and adventure and thank you once again.
0
Keifermail Posts 28 Registration date Saturday February 7, 2009 Status Member Last seen February 15, 2009 5 > Steven
Feb 15, 2009 at 01:37 AM
This thing is called the "Kido Worm" , "Downadup" and "Conficker." It began in Oct. 2008 but in December it evolved into a Superworm. Its ability to thwart any attempt to delete it and to spread via USB devices is confounding.

There is a lot of info out there if you Google these names. It is an interesting Worm as it seems to disable every defense before the victim can even launch a counter attack. It disables system restore, shuts off Microsoft updates, blocks Antivirus updates, hijacks the browser (Safari, Explorer, Chrome and Firefox) and finally it downloads more malicious software as it goes. It is impossible to give one set of instructions to remove the Virus as it is different on every machine.

The latest variant of the worm now lets it spread via thumb drives. It operates by copying itself in a random folder created inside the Recycler directory, which is used by the Recycle Bin to store deleted files, and creating an autorun.inf file in the root folder. The worm executes automatically if the Autorun feature is enabled.

Certain TCP functions are also patched to block access to security-related Web sites by filtering every address that contains certain strings. This makes it harder to remove because information about it is difficult to gather from an infected computer. Additionally, the sneaky little worm removes all access rights of the user, except execute and directory usage, to protect its file. Microsoft has created a removal tool for this worm, but if you are infected you must find an uninfected computer to download Microsoft's Malicious Software Removal Tool.

See the following link: http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

If you have the Kido/Conficker worm you will no be able to link to the above link.

Microsoft states,
"If your computer is infected with the Conficker worm, you might be unable to download certain security products, such as the Microsoft Malicious Software Removal Tool or to access certain Web sites, such as Microsoft Update. If you can't access those tools, try using the Windows Live OneCare Safety Scanner. If that doesn't work, read the following Microsoft Help and Support articles on an uninfected computer. "

My advise is to get the removal tool on a brand new/clean USB device from another computer and then load it onto your computer. The surprising thing is that this thing started in Oct. and already has infected 12.9 million computers. Microsoft has offered a 250K reward to help catch the culprits that created this worm.

Hope this helps,

Keifer
0
rcmtbh > Steven
Mar 10, 2009 at 06:12 AM
Saw your response to this problem dating back to Feb 14. I am now struggling with the same issue and lots more. You mentioned some "trojan remover software did the trick." I was wondering what software?

Thanks for your time. These idiots who create these viruses ought to be hung.
0
Zhaligkeer Posts 2 Registration date Monday March 23, 2009 Status Member Last seen March 24, 2009
Mar 24, 2009 at 11:42 AM
I believe I have a similar bug, but it redirects me to just about everything but the type of sites you mentioned, the most frequent being yellowpages.com. is it the same bug? I am not sure about it being the same one, since I AM able to click the link mentioned, then again if it is as tough as said, it could be that it allows links just to remain hidden?
0
Redeyedtiss > Keifermail Posts 28 Registration date Saturday February 7, 2009 Status Member Last seen February 15, 2009
Apr 2, 2009 at 05:20 PM
Hey all, I have been noticing some weird stuff going on with all my browsers, Mozilla, Chrome, IExplorer, when using google I get redirected to a bunch of random sites, usually .com's and strange search engines. Also, when using other applications they will randomly minimize and this error comes up that is titled google. It says something to the effect of: google update error, not initiating. I don't have google desktop, or even google earth, just chrome. So, I first used adaware anniversary edition and cleaned out some stuff, then I tried hijack this, but nothing out of the ordinary was popping up, then with Asquared it found a ton of malicious spyware trojans. I quarantined all of it and when I restarted explorer did not work... I can't even get to run, not even through safe mode with command prompt, it just doesn't show up. I can tell all the stuff is there because my desktop shows the background image. I am at a loss after trying system restore. I think I am switching to debian linux after this.
0
In Windows Me or XP, how can I save my computer's configuration for use in a System Restore?
In Windows Me and XP, the System Restore feature automatically creates restore points at certain intervals. These points can be used to restore your system to a previously working state. You may want to manually create a restore point if, for example, you are about to install new software or hardware.

Follow the instructions below to manually create a restore point:

From the Start menu, select All Programs or Programs, and then select Accessories, then System Tools, and then System Restore.


Select Create a restore point and click Next.


Type a name for the restore point, and then click Create (XP) or Next (Me).


When the point has been created, click Close (XP) or OK (Me). thanks you
3
when I restore my pc in back date it show error.
how to reslove this problem.

thanks
hemraj
0
raphy00 Posts 1092 Registration date Saturday March 8, 2008 Status Member Last seen February 3, 2014 2
Dec 1, 2008 at 01:34 PM
Hi,

Do a scan online on bitdefender.com

Post the logfile, after.

Do it with Internet Explorer.
0
I have the same problem, bitdefender.com isn't working at the moment?
I tried safe mode on system restore also and it doesnt work either.
0
I cant system restore either. I dont get a command line at the bottom of my screen anymore and cant find one? No start button is on my screen at all?
0

Didn't find the answer you are looking for?

Ask a question
Download the ad-aware 2008 and run the basic scan.
Worked for me.
0
go to start menue click on run then type in regedit--box comes up hold control f atsame time or goto edit up top and click find type in virus name and delete all the files that come up with that press f3 and delete them all keep pressing f3 until they r all gone now it will be out of ur registry forever!
0
In case of virus keeps coming back. You need to run a virus scan on start up .You can do this by downloading Avast from avast.com it is a free varis software for home users.After installing you will be ask if you wont to run a scan on start up check yes.Avast will run scan before windows starts up and list all virus and ttogens.Than you will be ask what you wont to do with the files delite is best.This has always fix my varus problems.
gwebb
0
I had same problem with Conficker. The only successfull tool was BitDefender's http://download.bitdefender.com/resources/files/Download/en/bd_rem_tool.zip
Now, I finally got rid of Conficker, but there is the dammage. He deleted registry hey for safe mode boot, and I can't run pc in safe mode anymore. I guess that he left a lot of "garbage" behind, which I'll see later.
Anyway, it's gone.
Anyone knows how to restore registry (working safe mode) without reinstaling pc?
0
Bel666 > magic
Apr 16, 2009 at 01:12 PM
try running scannow ( google it for more information )
0
Hi, I have tried many of the steps on this page and other sites helpful but not enough – I still had the virus.
I didn’t really do anything, was watching an online video at a site I normally go to. Maybe there was a popup add? I don’t remember. (I can tell you though that I nearly had a heart attack seven time ovber when this just “started to automatically install” itself.)

This virus has now mutated and goes under other names and alias. I can’t find the site where I read it, but apparently it affects Spybot, Zone Alarm, System Restore, Windows Update, Norton, MacAfee, Avast, AVG, Kapernsky, TrendMicro (or whatever its called) Antivirus and so many others. It also blocks access to antivirus sites and online scans. You might be able to get around the latter by using Firefox instead of IE.

Combined with further research I was able to get rid of this deadly Trojan.
It also now adds “AntivirusPro_2010” and “System Security 2009” among other files/names to your computer.

Also read the solutions posted at this site:
http://www.spywarevoid.com/remove-total-security-2009-totalsecurity-2009-removal.html

First you need to boot into Safe Mode (preferably with Networking). You have to press F5 at boot-up.
In SAFE MODE:

CTRL-ALT-DELETE to see all the processes, but you may not see all of them, as it seems many do not come up in Task Manager. If you do see any suspicious tasks, disable them. Also, just removing them from Task Manager *Will NOT* delete the virus, it will still be there and will come back into the processes again and again.

START>RUN> type in “msconfig” and then disable all the items with the names of your viruses, including the following:
- Sys32_nov.exe
- braviax.exe
- oxabayv.dll
- a set of six numbers, I had “18905624.exe”, the numbers will likely be different for you.
- AntivirusPro_2010
- System Security 2009
- Total Security
- any other names that are suspicious or sound similar to virus names on this post.

Delete the following files or folders if you find them (and any similar ones):
C:\ Documents and Settings\All Users\Application Data\18905624
C:\ Documents and Settings\All Users\Start Menu\Programs\Total Security
C:\ Documents and Settings\All Users\Start Menu\Programs\AntivirusPro_2010
C:\ Documents and Settings\All Users\Desktop\Total Security 2009.Ink
C:\ Documents and Settings\All Users\Desktop\AntivirusPro_2010.Ink
C:\ Documents and Settings\Administrator\Sys32_nov.exe

*In addition to “All Users”, also look in the other user profiles, such as “Administrator”, and all the other users you have on your computer for the same files above. Follow the same path for the files in the respective user folders.

In Addition, also delete:
C:\Program Files\AntivirusPro_2010\AVEngn.dll
C:\Program Files\AntivirusPro_2010\htmlayout.dll
C:\Program Files\AntivirusPro_2010
C:WINDOWS\oxabayv.dll (shows up as “Nxoguguxavigamep” in SpySweeper)
C:WINDOWS\braviax.exe
C:\WINDOWS\System\cru629.dat
C:\WINDOWS\System\winsource.dll
C:\WINDOWS\System32\wisdstr.exe
C:\WINDOWS\System32\Sys32_nov.exe
C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\Prefetch\Sys32_NOV.exe-18E8F1FC.pf
C:\WINDOWS\Prefetch\BRAVIAX.EXE-OB81BFC9.pf

Then SEARCH (START>Search>Files & Folders>All Files) for the following files/folders and delete them:
You may not have them all, and be sure to check the dates the files were create/modified, this will help you make the determination if it a virus file or not; if it was created on the day you got the virus, and you don’t recognize it, consider deleting it. Also, use the Search ‘Advance Options” to chose modified dates narrowing the search to the same day or 2 days were you know the you got the virus & remember to search *without*
using file extensions to get more complete results for most of the following files:

“sys32_nov” (shows up as “sys32_nov.exe” with file info as
“Pfjqarjmuc yluze Fvwuwou Tacjjlaptyq tlepejo xweyl desd Qecowyk” in SpySweeper)
“oxabayav” (shows up as “oxabayav.dll” with file info as “Nxoguguxavigamep” in SpySweeper)
“braviax” (normally as “braviax.exe” plus other files maybe)
“18905624” => replace with your virus ‘number’
“AntivirusPro_2010”
“System Security 2009”
“Total Security”
“winsource.dll”
“ikowin32.exe”
“tsc”
“9129837.exe”
“cru629” (normally as “cru629.dat” plus other files maybe)
“wpv201251705172.exe”
“wpv711251705172.exe”
“wpv181251705172.exe”
“wpv961251225613.exe”
“wpv111252894422.exe”
“wpv741252921009.exe”
“wpv831252625374.exe”
“ wpv* “ => Try search with the * (astrix) as a wildcard to get any other files starting with
wpv in you computer – delete them all if they look anything like the ones above.

In the Windows Registry (START>RUN> tpe in “regedit” ), delete the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Security 2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Security 2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18905624 => Your ‘number’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxabayav
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys32_nov
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\18905624 => Your ‘number’
HKEY_LOCAL_MACHINE\Software\Microsoft\System Security 2009
HKEY_LOCAL_MACHINE\Software\Microsoft\18905624.exe => Your ‘number’
HKEY_LOCAL_MACHINE\Software\18905624.exe => Your ‘number’

Now look again for the exact same paths/files above, but now in the HKEY_CURRENT_USER section instead and delete them too if you find them.

Now search for these other keys :
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Menu Order\Start menu\Programs\AntivirusPro_2010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Menu Order\Start menu\Programs\Total Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Menu Order\Start menu\Programs\System Security 2009

In the section HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
=> Delete only the ones with the following values:
- 18905624 or 18905624.exe (Or your ‘number’)
- AntivirusPro_2010 or AntivirusPro_2010.exe
- braviax or braviax.exe
- sys32_now or sys32_nov.exe
- “Total Security” or “System Security 2009”, etc, etc.

In the section HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Windows
=> Delete the one with the value “cru629.dat”

In the section HKEY_CLASSES_ROOT\CLSID
=> Delete the entire key in { } brackets where you find any of the virus names we mentioned earlier
(sys32_nov.exe, braviax.exe, Total Security, AntiviruisPro_2010, System Security 2009, etc, etc)

Now SEARCH the registry (EDIT>FIND)
Now each time you find something and delete it, don’t forget to EDIT>FIND NEXT to get the rest of the results.
Then once you reach the end, search again one more time to make sure you haven’t missed any before searching the next one. Search for the following and delete any instance you find – especially those with creation dates the same as when you got the virus.:

“sys32_nov” => In some places there are two of these, one right after the other, don’t delete only one and miss the other.
“oxabayav”
“braviax”
“18905624” => replace with your virus ‘number’
“AntivirusPro_2010”
“System Security 2009”
“Total Security”
“winsource.dll”
“ikowin32.exe”
“tsc”
“9129837.exe”
“cru629”
“ wpv* “

Unfortunately after this point, while you have removed most of the virus, you problem is NOT gone. Try to do a virus scan if you can, preferably a boot time scan before windows loads. This may not be enough. After my virus scan, though I got rid of a lot of it, a lot of it kept coming back, especially “braviax” and a few of the others. Also this is a very intelligent virus. It is know to do and did do the following for me:
- Disabled Windows Update
- Corrupted *all* my System Restore point, user or pc checkpoints.
- Disabled Spybot by deleting critical files, and you cannot fix it, only reinstall.
- Created issues with Spysweaper, preventing it from cleaning out infections or completing scans.
- Disabled virus definitions updates in Avast! Antivirus.

What I had to do at this point, was to download “Malwarebytes Anti-Malware” – It’s free. Don’t think about it – like ‘great, another program to install?” Install it, it will get rid of so much none of the other programs could even detect. It’s frankly amazing. Download it at the following sites and then run the scan and get rid of the stupid viruses – and run the scan *several* times until you get a consistent “0 files infected”.
http://www.malwarebytes.org/mbam.php
https://download.cnet.com/Malwarebytes/3000-8022_4-10804572.html

Do you think that is enough? Alas, no, there is more.
After this, I was malware free – but the damage to the operating system had been done. I still could not use System Restore as all the system restore points were corrupted. I could not Right-Click on anything without the sytem suddenly not-quite crashing, but in Windows explorer it would crash explorer.exe (even in safe mode) and on the desktop I couldn’t right or left click on anything after a accidental right-click. Many other issues as well.

I downloaded RegCure 1.6 to solve my problems – it worked like crazy, and removed over 2600 issues.
Download it as a torrent either at Pirate Bay (The Best Option) or download version 1.6 at http://ww38.diagnoseyourpc.com/download5.php
You will need to disconnect your Internet after install and use 2D003 03220 84A76 7A1E9 to at least give you *temporary” access to run the scan and fix problems - otherwise it will only fix 2 problems out of thousands. Then buy the software if it works for you – it did for me.

The only way to fix System Restore is to Right-Click MY COMPUTER>Properties>System Restore and check “turn off Sytem Restore” . *Warning* This will DELETE *ALL* of your previous System Restore points. Do this only if your restore points have been corrupted. You should restart, then turn on System Restore again.

Why, Why would someone spend so much time and effort to do this kind of a program? This is an incredible virus, requiring so much knowledge and effort. If only the programmer who used all his time to create the program and any other future updates to the virus were to instead write legitimate programs, then we could have so many great programs and he/she would no doubt be leading a multi-million dollar software company that could rival Microsoft I’m sure. What a waste – and what a @#$#@%@ jerk he is, too.

Hope I helped.
0
hi there,

i nid help. anybody who knows what a system32\cdmodem.dll is? it is recognized by avg as a worm and it is in the registry... any good willed person who can help... thanks. please email me if you have any idea thanks....
0
Mendim H. Posts 5 Registration date Tuesday February 2, 2010 Status Member Last seen February 21, 2010
Feb 3, 2010 at 09:11 AM
buddy , try with Trojan Remover..

that's virus is trojan... I think.
0
You can manually install the Microsoft essential virus data file by installing the virus software and then by updating the program manually. You will likely not be able do an automatic update, so you most do it manually by finding the Microsoft essential .EXE Virus Data flie; the .EXE program will update the database of the Essential program.
0
I cannot run msconfig, internet or anything...
0
go on google and type in avast! anti-virus and download the the trail
0
I was running into all these same issues. I did everything described on this forum and was able to get rid all malicious programs. Although nothing fixed the issue about the specific anti-virus site's that were being blocked by the malware. After running SmitFraudFix on the infected computer and then on a clean computer, I had realized that my network card's dns had been changed. After I fixed this little issue I was able to download and update my anti-spyware and virus software.

To fix the issue do the following....
GOTO >Control Panel >Network Connections >Right click on your active internet connection and GOTO >properties Double click on >internet protocols (TCP/IP) and select >Obtain DNS server address automatically. NOTE: if you have more then one network adapter do this DNS fix for all adapters to prevent future abuse.

Here are the DNS that I found on my system
93.188.164.103
93.188.161.136

This will remove the blocks on the sites stated in this forum and will stop the malware from downloading and reinstalling itself and also stop the website redirection problem.

After you fix the DNS uninstall your anti-spyware and anti-virus software, download and reinstall them and run your scan, this Virus maybe infecting your protection software definition files when you update while the Virus's DNS is active. This will cause your Scanners to miss the malicious program.

I used Malwarebytes, SUPERAntiSpyware Free Edition, Ad-Aware, Trojan Remover, and RegCure. Each program found objects the other ones missed, i'd suggest running them all just to be safe. I kicked its @$$!


This programmer maybe smart, but he can't outsmart a Fox!

Hope this helps anyone having an issue, Good luck!

-BugsyBoo
0
p

Here are the DNS that I found on my system
93.188.164.103
93.188.161.136

This will remove the blocks on the sites stated in this forum and will stop the malware from downloading and reinstalling itself and also stop the website redirection problem.

After you fix the DNS uninstall your anti-spyware and anti-virus software, download and reinstall them and run your scan, this Virus maybe infecting your protection software definition files when you update while the Virus's DNS is active. This will cause your Scanners to miss the malicious program.

I used Malwarebytes, SUPERAntiSpyware Free Edition, Ad-Aware, Trojan Remover, and RegCure. Each program found objects the other ones missed, i'd suggest running them all just to be safe. I kicked its @$$!


This programmer maybe smart, but he can't outsmart a Fox!

Hope this helps anyone having an issue, Good luck!

-BugsyBoo
0
MERA JO SYSTEM HAIN WOH BOHUT SLOW AUR VIRUS PROBLEM HAIN USE THIK KAR KE MERA SYSTEM KO ACCHA SE CHALU RAKHON
0
i have also been dealing with this from just watching movies on a movie site for my kids. it is a malware and the only thing that got rid of it was malware bytes. it is free and a complete scan killed it all off. now I am in the process of trying to restore all my registry as it has destroyed a bit of it.
0
format your pc
0
That happened to me tonight. It seems as if you have to open restore system before the virus starts up. Mine keeps loading what seems to be antivirus and most of my programs were not working. I kept shutting off the computer and starting it back up and as soon as I could move my mouse cursewr, I went to system restoree until I beat the virus startup. I did this 3-4 times and finally beat it. My computer is ok now.

Brian
0
Thank you so much! I tried system restore several times while trying to resolve this 'painintheass', to no avail. After reading that I may be able to run the program before the virus loads up, I tried.. with success!
0
Yep, I got this from a torrent site, wyzo I think it was. PC kept crashing so I restored it, now nothing works. Keeps telling me I need to buy antivirus, and IE opens about every 5 minutes on its own to porno.com or viagra.com, usually porno.somethingorother. Restoring in safe mode now, gonna re-image tomorrow.
0
system restore won't open.. wonder why??
0
  • 1
  • 2