
System restore does not work [Solved]

Line32 (32 posts; registration date: Thursday September 18, 2008; last seen: May 11, 2009) - Latest answer on Jul 8, 2010 09:45PM
Hello,
There is a virus that has settled in the System Restore folder of my computer and I don't know how to get it deleted. I tried with Norton but it seems as if the virus comes back every time and I am now out of ideas on how to get rid of it.
Thanks
Answer
+8
I am writing to express gratitude for Morphine on this forum for solving my problem. This invasive "virus/malware/painintheass" seems to be different on every machine and it may take several tries to find the solution as I discovered. I also would like to try and figure out where the "bug" came from. I have related below two possible causes. Please others post their stories and let's see if we can come up with the vector.

I acquired this "virus/malware/headache" on 1/27/2009. My last download from Microsoft was a routine updating of Office 2007. I know this because when I tried to use system restore my last save point was the day before I updated Office. I do not believe that Office is the culprit but I would like to know what the last thing others downloaded before they acquired "the bug." A more likely cause would be my habit of occasionally watching videos on Pornhub. This may be TMI, but hey, if we are to figure out where this thing came from I will be the first to admit to frequenting Pornhub as a possibility. If others suspect the same please post your thoughts.

Now about this bug....

This thing is incredible!

It hijacks every browser on your computer: Explorer, Firefox, Chrome and Safari. When you attempt to Update Windows it sends you to a very good "fake Google page." Every click or search in the fake Google page seems to add more malware and directs one to porn sites, i.e. Gay Porn (not that there is anything wrong with that). Just happens that I am straight. I also believe that this is the reason it is worse on some machines than others. I recognized the Google page as fake because I use iGoogle as my home page and there was no button for iGoogle. When I attempted to search is when it became very apparent. It sent you straight to the page it wanted to. It seems that the more you use this fake page the worse the infection becomes.

It doesn't stop at hijacking the browser, it also prevents your Antivirus from updating. I had Trend Micro originally and went out and bought Kaspersky after being told that it was the best by the IT guys at work. This thing shut down Kaspersky's like it owned it. (I had a Disk version of Kaspersky manufactured in Oct 2008. I do believe that had I had Kaspersky before and it was updated, instead of Trend Micro, I would have never caught the bug.) I found this forum yesterday morning Googling "virus hijacks browser and disables updates."

As Morphine suggested: I downloaded the free Trojan Remover 6.7.5. (It is free for 1st 30 days) Find it here:

http://www.simplysup.com/tremover/download.html

Then I ran it. It found the offending file and it stated that it needed to be deleted, which I did by clicking OK or something. I thought I had solved the problem and did nothing else other than attempt to update Kaspersky and Windows. Both failed before completing.

Whoever wrote this "bug" is a genius, and a sadistic bastard! It is like the last boss fight in a good video game, you can't kill it with just one weapon. It apparently hides in your RAM and attaches itself back into the registry. That is why you have to have SmitFraudFixTool. Find it here:

http://smitfraudfixtool.com/

This program will cost you unfortunately. I already had RegCure but it did not work; it's not made to chase bugs. I paid $39.00 for it and can run it on three computers. Anyway, after running the Trojan Remover again and immediately afterwards running SmitFraudFixTool and cleaning out 3156 so called "bad files." I then updated Kaspersky and ran a system scan which finally put the noose on the damn thing for good. This forum was a godsend!

My computer is now running like a dream! Thank you Morphine for the solution. Please others post their battles with this Monster.
rcmtbh Steven - Mar 10, 2009 06:12AM
Saw your response to this problem dating back to Feb 14. I am now struggling with the same issue and lots more. You mentioned some "trojan remover software did the trick." I was wondering what software?

Thanks for your time. These idiots who create these viruses ought to be hung.
Zhaligkeer (2 posts; registration date: Monday March 23, 2009; last seen: March 24, 2009) - Mar 24, 2009 11:42AM
I believe I have a similar bug, but it redirects me to just about everything but the type of sites you mentioned, the most frequent being yellowpages.com. is it the same bug? I am not sure about it being the same one, since I AM able to click the link mentioned, then again if it is as tough as said, it could be that it allows links just to remain hidden?
Rabin- Jan 13, 2010 12:42PM
Hi K and all else

I had the same symptoms of C: Space Available low on Windows Vista with machine running terribly slow and everything not responding. Thought it was something to do with System Restore as using vssadmin saw the System restore file grow with carnivorous ferocity and however much I increased MaxSize allocated and C: was operating at near 0%. Further AVG free 8.x not updating. No amount of trojan removal and virus removal made an impact. I was on the verge of giving up this morning and go for a reformat when as a last shot I once again checked what was really pushing up file size and with some effort narrowed it down to 2 log and document files totaling, believe it or not, 30GB created by registry mechanic which I had installed recently! Uninstalled RM version 8.x, deleted the 2 hogs and boom! everything was back to normal. It was eureka! I also figured that AVG 8.x needs VC++ distributable installed and I had uninstalled it in the mad scramble to release space on C: So, it was a relief and a yahoo! that I did not have to resort to reformatting.

Thanks for all the ideas that I read on this forum - set me thinking.

Hope this helps someone.

Cheers and all the best with your troubleshooting.

Rabin
dave- May 28, 2010 05:09AM
I believe I have the same or a similar virus. I also believe it could've been a virus from pornhub, so I will be avoiding that site in the future.
gervarod- Jul 8, 2010 04:39AM
Well, use Malwarebytes to remove the virus.
Answer
+3
In Windows Me or XP, how can I save my computer's configuration for use in a System Restore?
In Windows Me and XP, the System Restore feature automatically creates restore points at certain intervals. These points can be used to restore your system to a previously working state. You may want to manually create a restore point if, for example, you are about to install new software or hardware.

Follow the instructions below to manually create a restore point:

From the Start menu, select All Programs or Programs, and then select Accessories, then System Tools, and then System Restore.


Select Create a restore point and click Next.


Type a name for the restore point, and then click Create (XP) or Next (Me).


When the point has been created, click Close (XP) or OK (Me). Thank you.
Answer
+0
When I restore my PC to an earlier date it shows an error.
How do I resolve this problem?

thanks
hemraj
Answer
+0
Hi,

Do a scan online on bitdefender.com

Post the logfile, after.

Do it with Internet Explorer.
dez- Jan 4, 2009 11:59PM
I have the same problem, bitdefender.com isn't working at the moment?
I tried safe mode on system restore also and it doesn't work either.
dan- Jan 7, 2009 04:20PM
I can't system restore either. I don't get a command line at the bottom of my screen anymore and can't find one? No start button is on my screen at all?
Answer
+0
Download the ad-aware 2008 and run the basic scan.
Worked for me.
Answer
+0
Go to the Start menu, click on Run, then type in regedit. When the box comes up, hold Control and F at the same time, or go to Edit up top and click Find. Type in the virus name and delete all the files that come up with that. Press F3 and delete them all; keep pressing F3 until they are all gone. Now it will be out of your registry forever!
Answer
+0
In case the virus keeps coming back, you need to run a virus scan on start up. You can do this by downloading Avast from avast.com; it is free virus software for home users. After installing you will be asked if you want to run a scan on start up; check yes. Avast will run the scan before Windows starts up and list all viruses and trojans. Then you will be asked what you want to do with the files; delete is best. This has always fixed my virus problems.
gwebb
magic- Mar 15, 2009 05:31PM
I had the same problem with Conficker. The only successful tool was BitDefender's http://download.bitdefender.com/resources/files/Download/en/bd_rem_tool.zip
Now, I finally got rid of Conficker, but there is the damage. He deleted the registry key for safe mode boot, and I can't run the PC in safe mode anymore. I guess that he left a lot of "garbage" behind, which I'll see later.
Anyway, it's gone.
Does anyone know how to restore the registry (working safe mode) without reinstalling the PC?
Bel666- Apr 16, 2009 01:12PM
try running scannow ( google it for more information )
Answer
+0
Hi, I have tried many of the steps on this page and other sites helpful but not enough – I still had the virus.
I didn’t really do anything, was watching an online video at a site I normally go to. Maybe there was a popup ad? I don’t remember. (I can tell you though that I nearly had a heart attack seven times over when this just “started to automatically install” itself.)

This virus has now mutated and goes under other names and aliases. I can’t find the site where I read it, but apparently it affects Spybot, Zone Alarm, System Restore, Windows Update, Norton, McAfee, Avast, AVG, Kaspersky, TrendMicro (or whatever it's called) Antivirus and so many others. It also blocks access to antivirus sites and online scans. You might be able to get around the latter by using Firefox instead of IE.

Combined with further research I was able to get rid of this deadly Trojan.
It also now adds “AntivirusPro_2010” and “System Security 2009” among other files/names to your computer.

Also read the solutions posted at this site:
http://www.spywarevoid.com/...

First you need to boot into Safe Mode (preferably with Networking). You have to press F5 at boot-up.
In SAFE MODE:

CTRL-ALT-DELETE to see all the processes, but you may not see all of them, as it seems many do not come up in Task Manager. If you do see any suspicious tasks, disable them. Also, just removing them from Task Manager *Will NOT* delete the virus, it will still be there and will come back into the processes again and again.

START>RUN> type in “msconfig” and then disable all the items with the names of your viruses, including the following:
- Sys32_nov.exe
- braviax.exe
- oxabayv.dll
- a set of six numbers, I had “18905624.exe”, the numbers will likely be different for you.
- AntivirusPro_2010
- System Security 2009
- Total Security
- any other names that are suspicious or sound similar to virus names on this post.

Delete the following files or folders if you find them (and any similar ones):
C:\Documents and Settings\All Users\Application Data\18905624
C:\Documents and Settings\All Users\Start Menu\Programs\Total Security
C:\Documents and Settings\All Users\Start Menu\Programs\AntivirusPro_2010
C:\Documents and Settings\All Users\Desktop\Total Security 2009.Ink
C:\Documents and Settings\All Users\Desktop\AntivirusPro_2010.Ink
C:\Documents and Settings\Administrator\Sys32_nov.exe

*In addition to “All Users”, also look in the other user profiles, such as “Administrator”, and all the other users you have on your computer for the same files above. Follow the same path for the files in the respective user folders.

In Addition, also delete:
C:\Program Files\AntivirusPro_2010\AVEngn.dll
C:\Program Files\AntivirusPro_2010\htmlayout.dll
C:\Program Files\AntivirusPro_2010
C:\WINDOWS\oxabayv.dll (shows up as “Nxoguguxavigamep” in SpySweeper)
C:\WINDOWS\braviax.exe
C:\WINDOWS\System\cru629.dat
C:\WINDOWS\System\winsource.dll
C:\WINDOWS\System32\wisdstr.exe
C:\WINDOWS\System32\Sys32_nov.exe
C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\Prefetch\Sys32_NOV.exe-18E8F1FC.pf
C:\WINDOWS\Prefetch\BRAVIAX.EXE-OB81BFC9.pf

Then SEARCH (START>Search>Files & Folders>All Files) for the following files/folders and delete them:
You may not have them all, and be sure to check the dates the files were created/modified, this will help you make the determination if it is a virus file or not; if it was created on the day you got the virus, and you don’t recognize it, consider deleting it. Also, use the Search “Advanced Options” to choose modified dates, narrowing the search to the same day or 2 days where you know you got the virus, and remember to search *without* using file extensions to get more complete results for most of the following files:

“sys32_nov” (shows up as “sys32_nov.exe” with file info as
“Pfjqarjmuc yluze Fvwuwou Tacjjlaptyq tlepejo xweyl desd Qecowyk” in SpySweeper)
“oxabayav” (shows up as “oxabayav.dll” with file info as “Nxoguguxavigamep” in SpySweeper)
“braviax” (normally as “braviax.exe” plus other files maybe)
“18905624” => replace with your virus ‘number’
“AntivirusPro_2010”
“System Security 2009”
“Total Security”
“winsource.dll”
“ikowin32.exe”
“tsc”
“9129837.exe”
“cru629” (normally as “cru629.dat” plus other files maybe)
“wpv201251705172.exe”
“wpv711251705172.exe”
“wpv181251705172.exe”
“wpv961251225613.exe”
“wpv111252894422.exe”
“wpv741252921009.exe”
“wpv831252625374.exe”
“wpv*” => Try a search with the * (asterisk) as a wildcard to get any other files starting with wpv on your computer – delete them all if they look anything like the ones above.

In the Windows Registry (START>RUN> type in “regedit”), delete the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Security 2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Security 2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18905624 => Your ‘number’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxabayav
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys32_nov
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\18905624 => Your ‘number’
HKEY_LOCAL_MACHINE\Software\Microsoft\System Security 2009
HKEY_LOCAL_MACHINE\Software\Microsoft\18905624.exe => Your ‘number’
HKEY_LOCAL_MACHINE\Software\18905624.exe => Your ‘number’

Now look again for the exact same paths/files above, but now in the HKEY_CURRENT_USER section instead and delete them too if you find them.

Now search for these other keys :
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Menu Order\Start menu\Programs\AntivirusPro_2010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Menu Order\Start menu\Programs\Total Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Menu Order\Start menu\Programs\System Security 2009

In the section HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
=> Delete only the ones with the following values:
- 18905624 or 18905624.exe (Or your ‘number’)
- AntivirusPro_2010 or AntivirusPro_2010.exe
- braviax or braviax.exe
- sys32_nov or sys32_nov.exe
- “Total Security” or “System Security 2009”, etc, etc.

In the section HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Windows
=> Delete the one with the value “cru629.dat”

In the section HKEY_CLASSES_ROOT\CLSID
=> Delete the entire key in { } brackets where you find any of the virus names we mentioned earlier
(sys32_nov.exe, braviax.exe, Total Security, AntivirusPro_2010, System Security 2009, etc, etc)

Now SEARCH the registry (EDIT>FIND)
Now each time you find something and delete it, don’t forget to EDIT>FIND NEXT to get the rest of the results.
Then once you reach the end, search again one more time to make sure you haven’t missed any before searching the next one. Search for the following and delete any instance you find – especially those with creation dates the same as when you got the virus.:

“sys32_nov” => In some places there are two of these, one right after the other, don’t delete only one and miss the other.
“oxabayav”
“braviax”
“18905624” => replace with your virus ‘number’
“AntivirusPro_2010”
“System Security 2009”
“Total Security”
“winsource.dll”
“ikowin32.exe”
“tsc”
“9129837.exe”
“cru629”
“ wpv* “

Unfortunately after this point, while you have removed most of the virus, your problem is NOT gone. Try to do a virus scan if you can, preferably a boot time scan before windows loads. This may not be enough. After my virus scan, though I got rid of a lot of it, a lot of it kept coming back, especially “braviax” and a few of the others. Also this is a very intelligent virus. It is known to do and did do the following for me:
- Disabled Windows Update
- Corrupted *all* my System Restore points, user or pc checkpoints.
- Disabled Spybot by deleting critical files, and you cannot fix it, only reinstall.
- Created issues with SpySweeper, preventing it from cleaning out infections or completing scans.
- Disabled virus definitions updates in Avast! Antivirus.

What I had to do at this point, was to download “Malwarebytes Anti-Malware” – It’s free. Don’t think about it – like ‘great, another program to install?” Install it, it will get rid of so much none of the other programs could even detect. It’s frankly amazing. Download it at the following sites and then run the scan and get rid of the stupid viruses – and run the scan *several* times until you get a consistent “0 files infected”.
http://www.malwarebytes.org/mbam.php
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Do you think that is enough? Alas, no, there is more.
After this, I was malware free – but the damage to the operating system had been done. I still could not use System Restore as all the system restore points were corrupted. I could not Right-Click on anything without the system suddenly not-quite crashing, but in Windows explorer it would crash explorer.exe (even in safe mode) and on the desktop I couldn’t right or left click on anything after an accidental right-click. Many other issues as well.

I downloaded RegCure 1.6 to solve my problems – it worked like crazy, and removed over 2600 issues.
Download it as a torrent either at Pirate Bay (The Best Option) or download version 1.6 at http://www.diagnoseyourpc.com/download5.php,
You will need to disconnect your Internet after install and use 2D003 03220 84A76 7A1E9 to at least give you *temporary” access to run the scan and fix problems - otherwise it will only fix 2 problems out of thousands. Then buy the software if it works for you – it did for me.

The only way to fix System Restore is to Right-Click MY COMPUTER>Properties>System Restore and check “turn off System Restore”. *Warning* This will DELETE *ALL* of your previous System Restore points. Do this only if your restore points have been corrupted. You should restart, then turn on System Restore again.

Why, Why would someone spend so much time and effort to do this kind of a program? This is an incredible virus, requiring so much knowledge and effort. If only the programmer who used all his time to create the program and any other future updates to the virus were to instead write legitimate programs, then we could have so many great programs and he/she would no doubt be leading a multi-million dollar software company that could rival Microsoft I’m sure. What a waste – and what a @#$#@%@ jerk he is, too.

Hope I helped.
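
A read-only triage sketch for the file search described in the post above (an added example, not the poster's own code): it walks the given folders, matches names from the post's lists without regard to extension, and notes whether each hit was modified within two days of the infection date. The digit and `wpv` patterns are assumptions that generalise the post's examples; nothing is deleted.

```python
import os
import re
import sys
from datetime import datetime, timedelta

# Names taken from the post above, lower-cased and without extension.
NAMES_FROM_POST = {
    "sys32_nov", "oxabayav", "oxabayv", "braviax", "winsource", "ikowin32",
    "tsc", "cru629", "antiviruspro_2010", "system security 2009",
    "total security", "total security 2009",
}
# Assumption: covers the post's "wpv<digits>.exe" files and the all-digit
# file/folder names such as "18905624" (the post says yours will differ).
PATTERN_FROM_POST = re.compile(r"^(wpv\d+|\d{6,8})$")


def name_matches(name):
    """True if a file or folder name matches the post's list.

    Everything after the first dot is ignored, which follows the post's
    advice to search without extensions and also catches Prefetch entries
    of the form NAME.EXE-XXXXXXXX.pf.
    """
    base = name.lower().split(".")[0]
    return base in NAMES_FROM_POST or bool(PATTERN_FROM_POST.match(base))


def find_candidates(roots, infection_day, days=2):
    """Return a sorted list of (path, modified_in_window) for review.

    modified_in_window is True when the item was last modified between
    infection_day and infection_day + days. The list is for manual review.
    """
    start = infection_day.timestamp()
    end = (infection_day + timedelta(days=days)).timestamp()
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                if not name_matches(name):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # vanished or unreadable; skip it
                hits.append((path, start <= mtime < end))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python triage.py 2009-09-20 "C:\Documents and Settings" C:\WINDOWS
    day = datetime.strptime(sys.argv[1], "%Y-%m-%d")
    for path, recent in find_candidates(sys.argv[2:], day):
        print(("RECENT  " if recent else "older   ") + path)
```

Short names such as "tsc" will also match legitimate files, so the modification-date flag is what narrows the list, as the post suggests.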
Answer
+0
hi there,

I need help. Anybody who knows what a system32\cdmodem.dll is? It is recognized by AVG as a worm and it is in the registry... Any good-willed person who can help... thanks. Please email me if you have any idea, thanks....
Answer
+0
Buddy, try with Trojan Remover..

That virus is a trojan... I think.
Answer
+0
You can manually install the Microsoft essential virus data file by installing the virus software and then by updating the program manually. You will likely not be able to do an automatic update, so you must do it manually by finding the Microsoft essential .EXE Virus Data file; the .EXE program will update the database of the Essential program.
Answer
+0
I cannot run msconfig, internet or anything...
Answer
+0
Go on Google and type in avast! anti-virus and download the trial.
Answer
+0
I was running into all these same issues. I did everything described on this forum and was able to get rid of all malicious programs. Although nothing fixed the issue about the specific anti-virus sites that were being blocked by the malware. After running SmitFraudFix on the infected computer and then on a clean computer, I had realized that my network card's DNS had been changed. After I fixed this little issue I was able to download and update my anti-spyware and virus software.

To fix the issue do the following....
GOTO >Control Panel >Network Connections >Right click on your active internet connection and GOTO >Properties. Double click on >Internet Protocol (TCP/IP) and select >Obtain DNS server address automatically. NOTE: if you have more than one network adapter do this DNS fix for all adapters to prevent future abuse.

Here are the DNS that I found on my system
93.188.164.103
93.188.161.136

This will remove the blocks on the sites stated in this forum and will stop the malware from downloading and reinstalling itself and also stop the website redirection problem.

After you fix the DNS, uninstall your anti-spyware and anti-virus software, download and reinstall them and run your scan. This virus may be infecting your protection software definition files when you update while the virus's DNS is active. This will cause your scanners to miss the malicious program.

I used Malwarebytes, SUPERAntiSpyware Free Edition, Ad-Aware, Trojan Remover, and RegCure. Each program found objects the other ones missed, I'd suggest running them all just to be safe. I kicked its @$$!


This programmer may be smart, but he can't outsmart a Fox!

Hope this helps anyone having an issue, Good luck!

-BugsyBoo
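
A check for the DNS change described in the post above, added here as an example and not part of the original post: it parses `ipconfig /all` output and reports each adapter's DNS servers, marking the two addresses the post lists and, going beyond the post, any other publicly routable resolver for review. The sample output and the verdict labels are constructed for the example.

```python
import ipaddress
import re
import subprocess

# DNS server addresses the post reports finding on the infected machine.
ROGUE_DNS_FROM_POST = {"93.188.164.103", "93.188.161.136"}

# "   DNS Servers . . . . . . . . . . . : 192.168.1.1" -> (label, value)
FIELD = re.compile(r"^\s+(.*?)[ .]*\. :\s*(.*)$")

# Constructed sample in the XP-era `ipconfig /all` layout.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : DESKTOP

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        DNS Servers . . . . . . . . . . . : 93.188.164.103
                                            93.188.161.136
        Lease Obtained. . . . . . . . . . : (constructed)

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""


def _as_ip(text):
    """Return a normalised IP string, or None if text is not an address."""
    try:
        return str(ipaddress.ip_address(text.strip().split("%")[0]))
    except ValueError:
        return None


def dns_by_adapter(ipconfig_text):
    """Map each adapter heading to its list of DNS server addresses."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip().rstrip(":")  # adapter heading
            adapters[current] = []
            in_dns = False
            continue
        if current is None:
            continue  # global section before the first adapter
        field = FIELD.match(line)
        if field:
            in_dns = field.group(1).strip() == "DNS Servers"
            value = field.group(2)
        elif in_dns:
            value = line  # extra servers are listed on continuation lines
        else:
            continue
        ip = _as_ip(value) if in_dns else None
        if ip:
            adapters[current].append(ip)
    return adapters


def classify_dns(ipconfig_text, rogue=ROGUE_DNS_FROM_POST):
    """Return (adapter, server, verdict) rows; every adapter is checked."""
    rows = []
    for adapter, servers in dns_by_adapter(ipconfig_text).items():
        for server in servers:
            if server in rogue:
                verdict = "listed-in-post"
            elif ipaddress.ip_address(server).is_private:
                verdict = "local"
            else:
                verdict = "public-review"  # confirm it is your ISP's or one you chose
            rows.append((adapter, server, verdict))
    return rows


if __name__ == "__main__":
    out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True)
    for adapter, server, verdict in classify_dns(out.stdout):
        print(f"{verdict:15} {server:40} {adapter}")
```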
Answer
+0
My system is very slow and has a virus problem; please fix it and keep my system running well.
Answer
+0
I have also been dealing with this from just watching movies on a movie site for my kids. It is malware and the only thing that got rid of it was Malwarebytes. It is free and a complete scan killed it all off. Now I am in the process of trying to restore all my registry as it has destroyed a bit of it.
Answer
+0
That happened to me tonight. It seems as if you have to open restore system before the virus starts up. Mine keeps loading what seems to be antivirus and most of my programs were not working. I kept shutting off the computer and starting it back up and as soon as I could move my mouse cursor, I went to system restore until I beat the virus startup. I did this 3-4 times and finally beat it. My computer is ok now.

Brian
Tony- Jul 7, 2010 05:16PM
Thank you so much! I tried system restore several times while trying to resolve this 'painintheass', to no avail. After reading that I may be able to run the program before the virus loads up, I tried.. with success!
just1n- Jul 8, 2010 09:45PM
Yep, I got this from a torrent site, wyzo I think it was. PC kept crashing so I restored it, now nothing works. Keeps telling me I need to buy antivirus, and IE opens about every 5 minutes on its own to porno.com or viagra.com, usually porno.somethingorother. Restoring in safe mode now, gonna re-image tomorrow.
Answer
+0
system restore won't open.. wonder why??
This document entitled « system restore does not work » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.