System Restore

There is a “System Restore” virus that you may mistakenly execute, thinking that it is part of the Windows system. This is not the genuine Windows System Restore but malware that poses as a useful program to mislead its victims.

The System Restore virus poses as a program that focuses on hard drive and system optimization. In reality, it is another addition to the list of fake hard drive defragmentation programs. Unlike other rogue programs, which run a fake virus scan on the system, System Restore scans the PC for supposed system and hard drive errors. The fake application then presents a "PC Performance & Stability Analysis Report" showing false information about initialization errors, bad sectors and a number of critical errors. It also displays a series of fake pop-up alerts informing users of hard drive and system malfunctions.

These alerts are issued specifically to make users think that the computer needs a licensed version of System Restore to resolve the reported errors. The malware authors push their program further still: it can even disable legitimate antivirus programs on the target machine, leaving System Restore as the only security and optimization software at hand.

The real solution to this kind of problem is to remove the culprit itself. Removing the System Restore virus from a compromised system also stops the excessive annoyances it brings. Use only a legitimate anti-virus application; we discourage you from purchasing this fake and unknown software.

Update: October 10, 2011
The new version of System Restore has a new graphical user interface. Other variants from the same rogue family also use the same skin.

Technical Details and Additional Information:

System Restore Is Also Detected As:
Trojan/Win32.Jorik (AhnLab-V3), TR/Gendal.KD.380718 (AntiVir), Win32:Jorik-AB [Trj] (Avast), Generic25.AGEC (AVG), Trojan.Generic.KD.380718 (BitDefender), Trojan.Win32.Heur.Gen (ByteHero), Win32.HLLW.Autoruner.64124 (DrWeb), Trojan.Agent!IK (Emsisoft), Trojan.Generic.KD.380718 (F-Secure), Trojan.Generic.KD.380718 (G-Data), Trojan.Agent (Ikarus), Trojan.Win32.Jorik.Fraud.fiv (Kaspersky), FakeAlert-SysDef.b (McAfee), Trojan:Win32/FakeSysdef (Microsoft), Win32/Kryptik.UDJ (NOD32), Gen:Variant.Kazy.40327 (nProtect), Suspicious file (Panda), Mal/FakeAV-OP (Sophos), Trojan.Agent/Gen-RogueAntiSpy (SUPERAntiSpyware), Trojan.Win32.Generic!BT (VIPRE)

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Characteristics (Analysis)
This rogue security application drops its main executable file at the following location:
c:\documents and settings\all users\application data\6dss92c31apgjk.exe

It runs automatically when Windows starts by adding the following registry entry, which executes the main file:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6DSS92c31Apgjk
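The persistence pattern above (a Run value with a random-looking name pointing to an executable dropped in a user data folder) can be checked offline against a regedit export of the Run key. The following is an added example, not code from the original page or from any security vendor; the sample .reg text is constructed, and the name-randomness thresholds are our own assumption.

```python
import math
import re
from collections import Counter

# Constructed sample of a regedit export of the HKCU Run key, modelled on the
# indicator on this page (value 6DSS92c31Apgjk pointing into All Users\Application
# Data) plus two ordinary autostart entries.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"6DSS92c31Apgjk"="c:\\documents and settings\\all users\\application data\\6dss92c31apgjk.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''
# Drop folders the removal guide names for this rogue (XP, then Vista/7).
SUSPECT_DIRS = ("\\documents and settings\\all users\\application data\\",
                "\\appdata\\local\\")

def parse_reg_export(text):
    """Parse the "name"="string" lines of a .reg export, undoing its backslash escapes."""
    entries = {}
    for m in re.finditer(r'^"([^"]+)"="(.*)"$', text, re.MULTILINE):
        name, raw = m.groups()
        entries[name] = raw.replace('\\"', '"').replace("\\\\", "\\")
    return entries

def shannon_entropy(s):
    """Bits per character; a random 14-char mixed-case/digit name scores high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_random(name):
    """Heuristic: 10+ chars of [A-Za-z0-9~], digits and letters mixed, entropy > 3.2.
    The thresholds are our assumption, not taken from the page."""
    if not re.fullmatch(r"[A-Za-z0-9~]{10,}", name):
        return False
    mixed = any(c.isdigit() for c in name) and any(c.isalpha() for c in name)
    return mixed and shannon_entropy(name) > 3.2

def exe_path(value):
    """Strip surrounding quotes and trailing arguments from a Run value."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split(" /")[0]

def suspicious_run_entries(reg_text):
    """Names of Run entries with a machine-looking name whose target sits in a drop folder."""
    return [name for name, value in parse_reg_export(reg_text).items()
            if any(d in exe_path(value).lower() for d in SUSPECT_DIRS) and looks_random(name)]
```

Export the key with `regedit` (File > Export) and pass the file contents to `suspicious_run_entries`; a hit is a candidate for the manual steps in the removal guide, not proof by itself.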

Malware Behavior
The “System Restore” virus causes extreme annoyance on the computer once installed. It may redirect the Internet browser to several malicious pages. The malware also displays pop-up and system tray alerts, typically promoting the rogue application. The following are examples of these alerts.

System Restore Diagnostics
Windows detected a hard disk error.
A problem with the hard drive sectors has been detected. It is recommended to
download the following certified software to fix the detected hard drive
problems. Do you want to download recommended software?

Hard Drive Failure
The system has detected a problem with one or more installed IDE / SATA hard
disks. It is recommended that you restart the system.

System Error
An error occurred while reading system files. Run a system
diagnostic utility to check your hard disk drive for errors.

How to Remove System Restore

1. On the fake System Restore console, click on "Click here to activate full-functional version". Enter any email address and this code provided by S!Ri.
Activation Code: 1203978628012489708290478989147

2. Click on Activate. Running System Restore temporarily in registered mode lets you access your files and programs with ease.

3. Download MalwareBytes' Anti-Malware from this link.
4. Once the download is complete, double-click on the file to install MBAM. Just load it with the default settings. It may prompt for an update after installation; please download all necessary updates.
5. MBAM will run right after the update has completed.
6. Click on Perform quick scan, then click on Scan. MBAM will scan the computer for the presence of threats. This may take a while.
7. When the scan is finished, MBAM will display the scan result.
8. Click on Show Results to reveal all identified threats.

9. Make sure that all threats are marked with a check. Click on Remove Selected to permanently delete all files and registry entries that belong to System Restore.
10. If it prompts you to restart the computer, just click No. We need to remove some more files that belong to System Restore.
11. Press Ctrl + Alt + Del on your keyboard. Windows Task Manager will open. On the Applications tab, select System Restore and click on End Task. This will end the running process of the rogue program.

12. Next, we need to locate and delete the files manually (these steps can be performed automatically by MBAM after restarting the computer).
- For XP Users: Go to C:\Documents and Settings\All Users\Application Data\
- For Vista and Windows 7 Users: Go to C:\Users\(Current User)\AppData\Local\
- Delete all files with a questionable random file name similar to the following:
~6DSS92c31Apgjk
6DSS92c31Apgjk

13. We need to remove the Startup entry belonging to System Restore.
- Go to Start > Run and type msconfig. This will open the System Configuration Utility.
- Click on the Startup tab.
- Look for a startup item consisting of random characters.
- Remove the check mark and click OK.

14. Please restart the computer to complete the removal process.

15. After restarting the computer, you need to unhide all files set hidden by System Restore.
- Open My Computer. Go to Drive C: and select all files.
- Right-click on highlighted files then select Properties.
- In the Attributes area, clear the Hidden check box. Please confirm that you will apply the changes to the selected items, subfolders and files.

What To Do If Files and Folders Are Missing?
a. Open Windows Explorer/My Computer.
b. On Top Menu, click on Organize > Folder and Search Options (Windows Vista/7).
On Top Menu, click on Tools > Folder Options (Windows XP).
c. Click on View tab.
d. Mark "Show hidden files and folders".
e. Click on Apply, then OK.
That will show all hidden files and folders on your computer.

16. Lastly, all shortcut link files must be removed. They are visible on your task bar, desktop and Programs menu. Simply delete any .LNK files that correspond to System Restore. You may also refer to the 'Associated Files' section for individual locations.

Alternative Removal Method for System Restore

Option 1 : Use Windows System Restore to return Windows to previous state

If the System Restore rogue enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. Windows System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved from before the rogue infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore; click here to see the full procedure.

Option 2 : System Restore manual uninstall guide

IMPORTANT! Manual removal of System Restore requires technical skills. Deleting system files and registry entries by mistake may result in a total failure of the Windows system. We advise you to back up the registry before proceeding with this guide.

1. Kill any running process that belongs to System Restore.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for the System Restore process (refer to the Technical Reference for its file name) and click End Process.

2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' box, type regedit and press Enter. This will open the Registry Editor.
- Find and delete the registry entries mentioned in the Technical Reference section below.
- Close the Registry Editor. Changes are saved automatically.

3. Scan the computer with antivirus program.
- Connect to the Internet and open your antivirus software. Update it to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before the Windows logo begins to load, press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.

4. Delete all files dropped by System Restore.
- While still in Safe Mode, search for and delete the malicious files. Please refer to the 'Technical Reference'. Make sure that you perform 'End Task' first before deleting the file; otherwise, the system will not let you perform this action.

Technical Reference

Associated Files and Folders:

Added Registry Entries: