Search : in
By :

System restore does not work

Last answer on Sep 18, 2009 5:31:15 am BST Line32 , on Sep 19, 2008 3:14:22 pm BST 
 Report this message to moderators

Hello,
There is a virus that has settled in the System Restore folder of my computer and I don’t know how to get it deleted. I tried with Norton but it seems as if the virus comes back every time and I am now out of ideas on how to get rid of it.
Thanks

Configuration: Windows XP
Internet Explorer 7.0

Best answers for « system restore does not work » in :
Activation/Deactivation of System Restore under Windows Vista Show Activation/Deactivation of System Restore under Windows Vista ] After a clean up of malware infection in your system, it is highly recommended that you reset your system restore in order to clean up restore point that might have been...
Disabling/Enabling System Restore in Vista Show Disabling/Enabling System Restore in Vista After disinfection, it is recommended to deactivate and then reactivate System Restore (to clean it) as sometimes the restore points can be infected. Click the Vista logo right-click "Computer"...
System Restore: Blank calendar Show System Restore: Blank calendar If the calendar in the system restore function has become blank, below is a tips of how to remedy to this:- Go to Menu Start and select Run. Type the following command: regsvr32 jscript Afther the...
Restore, create and delete restore points ShowRestore, create and delete restore points Restore, create and delete restore points What is System Restore? The System Restore restores your computer, based upon latest system configuration (one day earlier). System...
[Windows XP] Support/Backup/Recovery/Repair Show[Windows XP] Support/Backup/Recovery/Repair Remote Assistance System Restore Recovery Console Here are some methods to handle major problems with Windows XP Remote Assistance You can ask an expert to troubleshoot your system...
[Virus] System Volume Information Show[Virus] System Volume Information The System Volume Information folder is used by Windows XP for storing data on system configuration and is also used by the System Restore tool to store information and restore points. Restore points...
Download Restoration ShowRestoration is a free tool, in English only, allowing to get back the erased data, even after having emptied the bin ! !
Ask your question Reply

1

raphy00, on Sep 20, 2008 7:03:08 pm BST
  • +8

Click on Begin, all programs, disable restauration systems
Reactive. Il?ya?toujours?solution?a?tout.
@+

Forum?Virus/Securite?:?ATTENTION?!?Le?probleme?n'est?pas?
resolu?tant?qu'on?ne?vous?l'a pas?dit?!!

   
Reply to raphy00

2

hemraj, on Oct 24, 2008 11:00:26 am BST
  • +8

When i restore my pc in back date it show error.
how to reslove this problem.

thanks
hemraj

   
Reply to hemraj

3

raphy00, on Dec 1, 2008 6:34:02 pm GMT
  • +1

Hi,

Do a scan online on bitdefender.com

Post the logfile, after.

Do it with Internet Explorer. Il?y a?toujours?solution?a?tout.
@+

   
Reply to raphy00

4

dez, on Jan 5, 2009 4:59:39 am GMT

I have the same problem, bitdefender.com isn't working at the moment?
I tried safe mode on system restore also and it doesnt work either.

   
Reply to dez

5

dan, on Jan 7, 2009 9:20:50 pm GMT
  • +4

I cant system restore either. I dont get a command line at the bottom of my screen anymore and cant find one? No start button is on my screen at all?

   
Reply to dan

6

garfield, on Jan 8, 2009 4:56:12 pm GMT

Download the ad-aware 2008 and run the basic scan.
Worked for me.

   
Reply to garfield

7

linda, on Jan 17, 2009 4:44:10 pm GMT
  • +7

Go to start menue click on run then type in regedit--box comes up hold control f atsame time or goto edit up top and click find type in virus name and delete all the files that come up with that press f3 and delete them all keep pressing f3 until they r all gone now it will be out of ur registry forever!

   
Reply to linda

8

channa, on Feb 6, 2009 11:24:53 am GMT

In Windows Me or XP, how can I save my computer's configuration for use in a System Restore?
In Windows Me and XP, the System Restore feature automatically creates restore points at certain intervals. These points can be used to restore your system to a previously working state. You may want to manually create a restore point if, for example, you are about to install new software or hardware.

Follow the instructions below to manually create a restore point:

From the Start menu, select All Programs or Programs, and then select Accessories, then System Tools, and then System Restore.


Select Create a restore point and click Next.


Type a name for the restore point, and then click Create (XP) or Next (Me).


When the point has been created, click Close (XP) or OK (Me). thanks you

   
Reply to channa

9

sueneal, on Feb 6, 2009 5:56:53 pm GMT
  • +4

If u can't restore ur computer in normal windows u can use safe mode todo so.

   
Reply to sueneal

10

Keifermail, on Feb 8, 2009 11:28:27 pm GMT
  • +18

I am writing to express gratitude for Morphine on this forum for solving my problem. This invasive "virus/malware/painintheass" seems to be diffrent on every machine and it may take several tries to find the solution as I discovered. I also would like to try and figure out where the "bug" came from. I have related below two possible causes. Please others post their stories and let's see if we can come up with the vector.

I acquired this "virus/malware/headache" on 1/27/2009. My last download from Microsoft was a routine updating of Office 2007. I know this because when I tried to use system restore my last save point was the day before I updated Office. I do not believe that Office is the culprit but I would like to know what the last thing others downloaded before they acguired "the bug." A more likely cause would be my habit of occassionally watching videos on Pornhub. This may be TMI, but hey, if we are to figure out where this thing came from I will be the first to admit to frequenting Pornhub as a possibility. If others suspect the same please post your thoughts.

Now about this bug....

This thing is incredible!

It hijacks every browser on your computer- Explorer, Firefox, Chrome and Safari. When you attempt to Update Windows it sends you to a very good "fake Google page." Every click or search in the fake google page seems to add more malware and directs one to porn sites. i.e. Gay Porn (not that there is anything wrong with that) Just happens that I am straight. I also believe that this is the reason it is worse on some machines than others. I recognized the Google page as fake because I use iGoogle as my home page and there was no button for iGoogle. When I attempted to search is when it became very apparent. It sent you straight to the page it wanted to. It seems that the more you use this fake page the worst the infection becomes.

It doesn't stop at hijacking the browser, it also prevents your Antivirus from updating. I had Trend Micro orginally and went out and bought Kaspersky after being told that it was the best by the IT guys at work This thing shut down Kaspersky's like it owned it. (I had a Disk version of Kaspersky manufactured in Oct 2008. I do believe that had I had Kaspersky before and it was updated, instead of Trend Micro, I would have never caught the bug.) I found this forum yesterday morning Googling "virus hijacks browser and disables updates."

As Morphine sugested: I downloaded the free Trojan Remover 6.7.5. (It is free for 1st 30 days) Find it here:

http://www.simplysup.com/tremover/download.html

Then I ran it. It found the offending file and it stated that it needed to be deleted- which I did by clickin OK or something. I thought I had solved the problem and did nothing else other than attempt to update Kaspersky and Windows. Both failed before completing.

Whoever wrote this "bug" is a genuis, and a sadistic bastard! It is like the last boss fight in good Videogame, you can't kill it with just one weapon. It apprently hides in your RAM and attaches itself back into the registry. That is why you have to have SmitFraudFixTool. Find it here:

http://smitfraudfixtool.com/

This program will cost you unfortnately. I already had RegCure but it did not work- its not made to chase bugs. I paid $39.00 for it and can run it on three computers. Anyway, after running the Trojan Remover again and immediately afterwards running SmitFraudFixTool and cleaning out 3156 so called "bad files." I then updated Kaspersky and ran a system scan which finally put the noose on the damn thing for good. This forum was a godsend!

My computer is now running like a dream! Thank you Morphine for the solution. Please others post their battles with this Monster.

   
Reply to Keifermail

11

Steven, on Feb 14, 2009 5:30:36 am GMT
  • +1

OMG thank you SO SO SO much. That virus was quite a nuisance but thanks to that trojan remover software mentioned above it did the trick. That and Mcafee togethor destroyed the virus :). It was quite and adventure and thank you once again.

   
Reply to Steven

12

Keifermail, on Feb 15, 2009 6:37:16 am GMT
  • +5

This thing is called the "Kido Worm" , "Downadup" and "Conficker." It began in Oct. 2008 but in December it evolved into a Superworm. Its ability to thwart any attempt to delete it and to spread via USB devices is confounding.

There is a lot of info out there if you Google these names. It is an interesting Worm as it seems to disable every defense before the victim can even launch a counter attack. It disables system restore, shuts off Microsoft updates, blocks Antivirus updates, hijacks the browser (Safari, Explorer, Chrome and Firefox) and finally it downloads more malicious software as it goes. It is impossible to give one set of instructions to remove the Virus as it is different on every machine.

The latest variant of the worm now lets it spread via thumb drives. It operates by copying itself in a random folder created inside the Recycler directory, which is used by the Recycle Bin to store deleted files, and creating an autorun.inf file in the root folder. The worm executes automatically if the Autorun feature is enabled.

Certain TCP functions are also patched to block access to security-related Web sites by filtering every address that contains certain strings. This makes it harder to remove because information about it is difficult to gather from an infected computer. Additionally, the sneaky little worm removes all access rights of the user, except execute and directory usage, to protect its file. Microsoft has created a removal tool for this worm, but if you are infected you must find an uninfected computer to download Microsoft's Malicious Software Removal Tool.

See the following link: http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

If you have the Kido/Conficker worm you will no be able to link to the above link.

Microsoft states,
"If your computer is infected with the Conficker worm, you might be unable to download certain security products, such as the Microsoft Malicious Software Removal Tool or to access certain Web sites, such as Microsoft Update. If you can't access those tools, try using the Windows Live OneCare Safety Scanner. If that doesn't work, read the following Microsoft Help and Support articles on an uninfected computer. "

My advise is to get the removal tool on a brand new/clean USB device from another computer and then load it onto your computer. The surprising thing is that this thing started in Oct. and already has infected 12.9 million computers. Microsoft has offered a 250K reward to help catch the culprits that created this worm.

Hope this helps,

Keifer

   
Reply to Keifermail

17

Redeyedtiss, on Apr 2, 2009 10:20:20 pm BST
  • +1

Hey all, I have been noticing some weird stuff going on with all my browsers, Mozilla, Chrome, IExplorer, when using google I get redirected to a bunch of random sites, usually .com's and strange search engines. Also, when using other applications they will randomly minimize and this error comes up that is titled google. It says something to the effect of: google update error, not initiating. I don't have google desktop, or even google earth, just chrome. So, I first used adaware anniversary edition and cleaned out some stuff, then I tried hijack this, but nothing out of the ordinary was popping up, then with Asquared it found a ton of malicious spyware trojans. I quarantined all of it and when I restarted explorer did not work... I can't even get to run, not even through safe mode with command prompt, it just doesn't show up. I can tell all the stuff is there because my desktop shows the background image. I am at a loss after trying system restore. I think I am switching to debian linux after this.

   
Reply to Redeyedtiss

14

rcmtbh, on Mar 10, 2009 10:12:36 am GMT

Saw your response to this problem dating back to Feb 14. I am now struggling with the same issue and lots more. You mentioned some "trojan remover software did the trick." I was wondering what software?

Thanks for your time. These idiots who create these viruses ought to be hung.

   
Reply to rcmtbh

16

Zhaligkeer, on Mar 24, 2009 3:42:18 pm GMT

I believe I have a similar bug, but it redirects me to just about everything but the type of sites you mentioned, the most frequent being yellowpages.com. is it the same bug? I am not sure about it being the same one, since I AM able to click the link mentioned, then again if it is as tough as said, it could be that it allows links just to remain hidden?

   
Reply to Zhaligkeer

13

gwebb, on Mar 7, 2009 9:42:36 am GMT

In case of virus keeps coming back. You need to run a virus scan on start up .You can do this by downloading Avast from avast.com it is a free varis software for home users.After installing you will be ask if you wont to run a scan on start up check yes.Avast will run scan before windows starts up and list all virus and ttogens.Than you will be ask what you wont to do with the files delite is best.This has always fix my varus problems.
gwebb

   
Reply to gwebb

15

magic, on Mar 15, 2009 9:31:51 pm GMT
  • +1

I had same problem with Conficker. The only successfull tool was BitDefender's http://download.bitdefender.com/resources/files/Download/en/­bd_rem_tool.zip
Now, I finally got rid of Conficker, but there is the dammage. He deleted registry hey for safe mode boot, and I can't run pc in safe mode anymore. I guess that he left a lot of "garbage" behind, which I'll see later.
Anyway, it's gone.
Anyone knows how to restore registry (working safe mode) without reinstaling pc?

   
Reply to magic

18

Bel666, on Apr 16, 2009 6:12:47 pm BST

Try running scannow ( google it for more information )

   
Reply to Bel666

19

 WaterDuck, on Sep 18, 2009 5:31:15 am BST

Hi, I have tried many of the steps on this page and other sites helpful but not enough – I still had the virus.
I didn’t really do anything, was watching an online video at a site I normally go to. Maybe there was a popup add? I don’t remember. (I can tell you though that I nearly had a heart attack seven time ovber when this just “started to automatically install” itself.)

This virus has now mutated and goes under other names and alias. I can’t find the site where I read it, but apparently it affects Spybot, Zone Alarm, System Restore, Windows Update, Norton, MacAfee, Avast, AVG, Kapernsky, TrendMicro (or whatever its called) Antivirus and so many others. It also blocks access to antivirus sites and online scans. You might be able to get around the latter by using Firefox instead of IE.

Combined with further research I was able to get rid of this deadly Trojan.
It also now adds “AntivirusPro_2010” and “System Security 2009” among other files/names to your computer.

Also read the solutions posted at this site:
http://www.spywarevoid.com/...

First you need to boot into Safe Mode (preferably with Networking). You have to press F5 at boot-up.
In SAFE MODE:

CTRL-ALT-DELETE to see all the processes, but you may not see all of them, as it seems many do not come up in Task Manager. If you do see any suspicious tasks, disable them. Also, just removing them from Task Manager *Will NOT* delete the virus, it will still be there and will come back into the processes again and again.

START>RUN> type in “msconfig” and then disable all the items with the names of your viruses, including the following:
- Sys32_nov.exe
- braviax.exe
- oxabayv.dll
- a set of six numbers, I had “18905624.exe”, the numbers will likely be different for you.
- AntivirusPro_2010
- System Security 2009
- Total Security
- any other names that are suspicious or sound similar to virus names on this post.

Delete the following files or folders if you find them (and any similar ones):
C:\ Documents and Settings\All Users\Application Data\18905624
C:\ Documents and Settings\All Users\Start Menu\Programs\Total Security
C:\ Documents and Settings\All Users\Start Menu\Programs\AntivirusPro_2010
C:\ Documents and Settings\All Users\Desktop\Total Security 2009.Ink
C:\ Documents and Settings\All Users\Desktop\AntivirusPro_2010.Ink
C:\ Documents and Settings\Administrator\Sys32_nov.exe

*In addition to “All Users”, also look in the other user profiles, such as “Administrator”, and all the other users you have on your computer for the same files above. Follow the same path for the files in the respective user folders.

In Addition, also delete:
C:\Program Files\AntivirusPro_2010\AVEngn.dll
C:\Program Files\AntivirusPro_2010\htmlayout.dll
C:\Program Files\AntivirusPro_2010
C:WINDOWS\oxabayv.dll (shows up as “Nxoguguxavigamep” in SpySweeper)
C:WINDOWS\braviax.exe
C:\WINDOWS\System\cru629.dat
C:\WINDOWS\System\winsource.dll
C:\WINDOWS\System32\wisdstr.exe
C:\WINDOWS\System32\Sys32_nov.exe
C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\Prefetch\Sys32_NOV.exe-18E8F1FC.pf
C:\WINDOWS\Prefetch\BRAVIAX.EXE-OB81BFC9.pf

Then SEARCH (START>Search>Files & Folders>All Files) for the following files/folders and delete them:
You may not have them all, and be sure to check the dates the files were create/modified, this will help you make the determination if it a virus file or not; if it was created on the day you got the virus, and you don’t recognize it, consider deleting it. Also, use the Search ‘Advance Options” to chose modified dates narrowing the search to the same day or 2 days were you know the you got the virus & remember to search *without*
using file extensions to get more complete results for most of the following files:

“sys32_nov” (shows up as “sys32_nov.exe” with file info as
“Pfjqarjmuc yluze Fvwuwou Tacjjlaptyq tlepejo xweyl desd Qecowyk” in SpySweeper)
“oxabayav” (shows up as “oxabayav.dll” with file info as “Nxoguguxavigamep” in SpySweeper)
“braviax” (normally as “braviax.exe” plus other files maybe)
“18905624” => replace with your virus ‘number’
“AntivirusPro_2010”
“System Security 2009”
“Total Security”
“winsource.dll”
“ikowin32.exe”
“tsc”
“9129837.exe”
“cru629” (normally as “cru629.dat” plus other files maybe)
“wpv201251705172.exe”
“wpv711251705172.exe”
“wpv181251705172.exe”
“wpv961251225613.exe”
“wpv111252894422.exe”
“wpv741252921009.exe”
“wpv831252625374.exe”
“ wpv* “ => Try search with the * (astrix) as a wildcard to get any other files starting with
wpv in you computer – delete them all if they look anything like the ones above.

In the Windows Registry (START>RUN> tpe in “regedit” ), delete the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Security 2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Security 2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18905624 => Your ‘number’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxabayav
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys32_nov
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\18905624 => Your ‘number’
HKEY_LOCAL_MACHINE\Software\Microsoft\System Security 2009
HKEY_LOCAL_MACHINE\Software\Microsoft\18905624.exe => Your ‘number’
HKEY_LOCAL_MACHINE\Software\18905624.exe => Your ‘number’

Now look again for the exact same paths/files above, but now in the HKEY_CURRENT_USER section instead and delete them too if you find them.

Now search for these other keys :
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Menu Order\Start menu\Programs\AntivirusPro_2010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Menu Order\Start menu\Programs\Total Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Menu Order\Start menu\Programs\System Security 2009

In the section HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
=> Delete only the ones with the following values:
- 18905624 or 18905624.exe (Or your ‘number’)
- AntivirusPro_2010 or AntivirusPro_2010.exe
- braviax or braviax.exe
- sys32_now or sys32_nov.exe
- “Total Security” or “System Security 2009”, etc, etc.

In the section HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Windows
=> Delete the one with the value “cru629.dat”

In the section HKEY_CLASSES_ROOT\CLSID
=> Delete the entire key in { } brackets where you find any of the virus names we mentioned earlier
(sys32_nov.exe, braviax.exe, Total Security, AntiviruisPro_2010, System Security 2009, etc, etc)

Now SEARCH the registry (EDIT>FIND)
Now each time you find something and delete it, don’t forget to EDIT>FIND NEXT to get the rest of the results.
Then once you reach the end, search again one more time to make sure you haven’t missed any before searching the next one. Search for the following and delete any instance you find – especially those with creation dates the same as when you got the virus.:

“sys32_nov” => In some places there are two of these, one right after the other, don’t delete only one and miss the other.
“oxabayav”
“braviax”
“18905624” => replace with your virus ‘number’
“AntivirusPro_2010”
“System Security 2009”
“Total Security”
“winsource.dll”
“ikowin32.exe”
“tsc”
“9129837.exe”
“cru629”
“ wpv* “

Unfortunately after this point, while you have removed most of the virus, you problem is NOT gone. Try to do a virus scan if you can, preferably a boot time scan before windows loads. This may not be enough. After my virus scan, though I got rid of a lot of it, a lot of it kept coming back, especially “braviax” and a few of the others. Also this is a very intelligent virus. It is know to do and did do the following for me:
- Disabled Windows Update
- Corrupted *all* my System Restore point, user or pc checkpoints.
- Disabled Spybot by deleting critical files, and you cannot fix it, only reinstall.
- Created issues with Spysweaper, preventing it from cleaning out infections or completing scans.
- Disabled virus definitions updates in Avast! Antivirus.

What I had to do at this point, was to download “Malwarebytes Anti-Malware” – It’s free. Don’t think about it – like ‘great, another program to install?” Install it, it will get rid of so much none of the other programs could even detect. It’s frankly amazing. Download it at the following sites and then run the scan and get rid of the stupid viruses – and run the scan *several* times until you get a consistent “0 files infected”.
http://www.malwarebytes.org/mbam.php
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Do you think that is enough? Alas, no, there is more.
After this, I was malware free – but the damage to the operating system had been done. I still could not use System Restore as all the system restore points were corrupted. I could not Right-Click on anything without the sytem suddenly not-quite crashing, but in Windows explorer it would crash explorer.exe (even in safe mode) and on the desktop I couldn’t right or left click on anything after a accidental right-click. Many other issues as well.

I downloaded RegCure 1.6 to solve my problems – it worked like crazy, and removed over 2600 issues.
Download it as a torrent either at Pirate Bay (The Best Option) or download version 1.6 at http://www.diagnoseyourpc.com/download5.php,
You will need to disconnect your Internet after install and use 2D003 03220 84A76 7A1E9 to at least give you *temporary” access to run the scan and fix problems - otherwise it will only fix 2 problems out of thousands. Then buy the software if it works for you – it did for me.

The only way to fix System Restore is to Right-Click MY COMPUTER>Properties>System Restore and check “turn off Sytem Restore” . *Warning* This will DELETE *ALL* of your previous System Restore points. Do this only if your restore points have been corrupted. You should restart, then turn on System Restore again.

Why, Why would someone spend so much time and effort to do this kind of a program? This is an incredible virus, requiring so much knowledge and effort. If only the programmer who used all his time to create the program and any other future updates to the virus were to instead write legitimate programs, then we could have so many great programs and he/she would no doubt be leading a multi-million dollar software company that could rival Microsoft I’m sure. What a waste – and what a @#$#@%@ jerk he is, too.

Hope I helped.

   
Reply to WaterDuck
Ask your question Reply
They need your help