System Restore

The System Restore virus poses as a program that focuses on hard drive and system optimization. In reality it is another addition to the list of fake hard drive defragmentation programs. It differs from the rogue programs that run a fake virus scan on the system: what System Restore does is pretend to scan the PC for known system and hard drive errors. The fake application then produces a "PC Performance & Stability Analysis Report" that lists false initialization errors, bad sectors and a host of critical errors. It also displays a stream of fake pop-up alerts informing users of hard drive and system malfunctions.

These alerts are issued specifically to make users think the computer needs a licensed version of System Restore to resolve the reported errors. Malware authors push their programs to the point where they can even disable legitimate antivirus programs on the target machine, leaving System Restore as the only security and optimization software at hand.

The real solution to this kind of problem is to remove the culprit itself. Removing the System Restore virus from a compromised system will also stop the excessive annoyances it brings. Use only a legitimate anti-virus application; we discourage you from purchasing this fake and unknown software.

Update: October 10, 2011
The new version of System Restore has a new graphical user interface. Other variants from the same rogue family use the same skin.

Technical Details and Additional Information:

System Restore Is Also Detected As:
Trojan/Win32.Jorik (AhnLab-V3), TR/Gendal.KD.380718 (AntiVir), Win32:Jorik-AB [Trj] (Avast), Generic25.AGEC (AVG), Trojan.Generic.KD.380718 (BitDefender), Trojan.Win32.Heur.Gen (ByteHero), Win32.HLLW.Autoruner.64124 (DrWeb), Trojan.Agent!IK (Emsisoft), Trojan.Generic.KD.380718 (F-Secure), Trojan.Generic.KD.380718 (G-Data), Trojan.Agent (Ikarus), Trojan.Win32.Jorik.Fraud.fiv (Kaspersky), FakeAlert-SysDef.b (McAfee), Trojan:Win32/FakeSysdef (Microsoft), Win32/Kryptik.UDJ (NOD32), Gen:Variant.Kazy.40327 (nProtect), Suspicious file (Panda), Mal/FakeAV-OP (Sophos), Trojan.Agent/Gen-RogueAntiSpy (SUPERAntiSpyware), Trojan.Win32.Generic!BT (VIPRE)

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Characteristics (Analysis)
This rogue security application drops its main executable file in this folder:
c:\documents and settings\all users\application data\6dss92c31apgjk.exe

It runs automatically when Windows starts by adding the following registry entry, which executes the main file:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6DSS92c31Apgjk

Malware Behavior
The “System Restore” virus causes extreme annoyance on the computer once installed. It may redirect the Internet browser to several malicious pages. The malware also displays pop-up and system tray alerts, typically promoting the rogue application.

System Restore Diagnostics
Windows detected a hard disk error.
A problem with the hard drive sectors has been detected. It is recommended to
download the following certified software to fix the detected hard drive
problems. Do you want to download recommended software?

Hard Drive Failure
The system has detected a problem with one or more installed IDE / SATA hard
disks. It is recommended that you restart the system.

System Error
An error occurred while reading system files. Run a system
diagnostic utility to check your hard disk drive for errors.

Added Registry Entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "(random characters).exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "(random characters)"
HKCU\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKCU\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Associated Files and Folders:
%LocalAppData%\(random characters)
%LocalAppData%\(random characters).exe
%LocalAppData%\~(random characters)
%LocalAppData%\~(random characters)
%StartMenu%\Programs\System Restore\
%StartMenu%\Programs\System Restore\System Restore.lnk
%StartMenu%\Programs\System Restore\Uninstall System Restore.lnk
%Temp%\smtmp\
%UserProfile%\Desktop\System Restore.lnk
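As an added example (not code from this write-up or from any vendor tool), the following Python script audits a Windows profile for the state described under Characteristics, Added Registry Entries and Associated Files above. It reports every listed registry value that is still set the way the rogue leaves it, and flags Run-key entries whose executable sits directly in the all-users or local application data folder, which is where the write-up says the main file is dropped. The key paths and rogue values are copied from the page; the "safe" values are the stock Windows defaults, which is my assumption, and the script only reports them rather than writing to the registry. The sample registry state and Run entries at the bottom are constructed so the audit logic can be exercised off the infected machine; the reader functions use the Windows winreg module when it is available.

```python
"""Added example (not from the write-up): audit a Windows profile for the registry
state the System Restore rogue leaves behind.  Paths and rogue values are from the
write-up; the "safe" values are stock Windows defaults (assumption), reported only."""
import ntpath
import os
import re

try:
    import winreg  # Windows only; audit_settings() accepts any reader callable
except ImportError:
    winreg = None

IS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POL = r"Software\Microsoft\Windows\CurrentVersion\Policies"
# (hive, subkey, value name, value the rogue sets, safe value to restore by hand)
ROGUE_VALUES = [
    ("HKCU", IS, "CertificateRevocation", 0, 1),       # 0 skips revocation checks
    ("HKCU", IS, "WarnonBadCertRecving", 0, 1),        # 0 silences bad-cert warnings
    ("HKCU", r"Software\Microsoft\Internet Explorer\Download", "CheckExeSignatures", "no", "yes"),
    ("HKCU", POL + r"\Attachments", "SaveZoneInformation", 1, "delete"),  # 1 drops zone tagging
    ("HKCU", POL + r"\System", "DisableTaskMgr", 1, "delete"),  # policy values are normally absent
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "DisableTaskMgr", 1, "delete"),
    ("HKCU", POL + r"\Explorer", "NoDesktop", 1, "delete"),
    ("HKCU", POL + r"\ActiveDesktop", "NoChangingWallPaper", 1, "delete"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 0, 1),
]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def _norm(value):
    return str(value).strip().lower()  # registry yields int or str; the page lists both


def audit_settings(read_value):
    """read_value(hive, subkey, name) -> stored value or None.  Returns
    (hive, subkey, name, current, safe) for each value still in the rogue's state."""
    findings = []
    for hive, subkey, name, rogue, safe in ROGUE_VALUES:
        current = read_value(hive, subkey, name)
        if current is not None and _norm(current) == _norm(rogue):
            findings.append((hive, subkey, name, current, safe))
    return findings


def suspicious_run_entries(entries, data_dirs):
    """entries: (name, command line) pairs from Run keys.  Flags commands whose .exe
    sits directly inside one of data_dirs, the drop location the write-up describes."""
    wanted = {d.lower().rstrip("\\") for d in data_dirs}
    hits = []
    for name, command in entries:
        match = re.match(r'\s*"?([^"]*?\.exe)\b', command, re.I)
        if match and ntpath.dirname(match.group(1)).lower().rstrip("\\") in wanted:
            hits.append((name, match.group(1)))
    return hits


# --- live readers (Windows only) -------------------------------------------------
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}


def read_registry_value(hive, subkey, name):
    try:
        with winreg.OpenKey(getattr(winreg, HIVES[hive]), subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:  # key or value absent
        return None


def list_run_entries():
    entries = []
    for hive in HIVES:
        try:
            with winreg.OpenKey(getattr(winreg, HIVES[hive]), RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries.append((hive + "\\...\\Run\\" + name, value))
        except OSError:
            pass
    return entries


def default_data_dirs():
    """XP all-users Application Data plus the Vista/7 ProgramData and LocalAppData."""
    dirs = []
    if "ALLUSERSPROFILE" in os.environ:
        dirs.append(ntpath.join(os.environ["ALLUSERSPROFILE"], "Application Data"))
    dirs += [os.environ[v] for v in ("PROGRAMDATA", "LOCALAPPDATA") if v in os.environ]
    return dirs


# --- constructed sample state, so the audit logic can run off the infected PC ----
SAMPLE_REGISTRY = {
    ("HKCU", IS, "CertificateRevocation"): 0,
    ("HKCU", IS, "WarnonBadCertRecving"): 1,  # already at the safe value
    ("HKCU", r"Software\Microsoft\Internet Explorer\Download", "CheckExeSignatures"): "no",
    ("HKCU", POL + r"\System", "DisableTaskMgr"): 1,
}
SAMPLE_RUN_ENTRIES = [
    ("HKCU\\...\\Run\\6DSS92c31Apgjk",
     r"c:\documents and settings\all users\application data\6dss92c31apgjk.exe"),
    ("HKLM\\...\\Run\\ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("HKCU\\...\\Run\\Updater", r'"C:\Program Files\Vendor\updater.exe" /silent'),
]
SAMPLE_DATA_DIRS = [r"C:\Documents and Settings\All Users\Application Data",
                    r"C:\Users\User\AppData\Local"]


def sample_reader(hive, subkey, name):
    return SAMPLE_REGISTRY.get((hive, subkey, name))


if __name__ == "__main__":
    live = winreg is not None
    reader = read_registry_value if live else sample_reader
    entries = list_run_entries() if live else SAMPLE_RUN_ENTRIES
    dirs = default_data_dirs() if live else SAMPLE_DATA_DIRS
    for hive, subkey, name, current, safe in audit_settings(reader):
        print(f"{hive}\\{subkey}\\{name} = {current!r}  -> restore: {safe!r}")
    for name, exe in suspicious_run_entries(entries, dirs):
        print(f"{name} launches {exe} from an application-data folder")
```

On the affected machine the script reads the live registry; anywhere else it falls back to the constructed sample and prints the three weakened settings plus the Run entry that launches an .exe straight out of the all-users Application Data folder. The Run-key check is a heuristic tied to this rogue's drop location, so treat its output as a pointer to inspect, not proof of infection.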

How to Remove System Restore

1. On the fake System Restore console, click on "Click here to activate full-functional version". Enter any email address and this code provided by S!Ri.
Activation Code: 1203978628012489708290478989147

2. Click on Activate. You need to run System Restore in registered mode temporarily so that you can access your files and programs with ease.

3. Download Malwarebytes' Anti-Malware from this link.
4. Once the download is complete, double-click on the file to install MBAM. Just load it with the default settings. It may prompt for an update after installation; please download all necessary updates.
5. MBAM will run right after the update has completed.
6. Click on Perform quick scan, then click on Scan. MBAM will scan the computer for the presence of threats. This may take a while.
7. When the scan is finished, MBAM will display the scan result.
8. Click on Show Results to reveal all identified threats.

9. Make sure that all threats are marked with a check. Click on Remove Selected to permanently delete all files and registry entries that belong to System Restore.
10. If it prompts you to restart the computer, click No. We still need to remove some more files that belong to System Restore.
11. Press Ctrl + Alt + Del on your keyboard. Windows Task Manager will open. On the Applications tab, select System Restore and click on End Task. This will end the running process of the rogue program.

12. Next, we need to locate and delete the files manually (these steps can be performed automatically by MBAM after restarting the computer).
- For XP users: go to C:\Documents and Settings\All Users\Application Data\
- For Vista and Windows 7 users: go to C:\Users\(Current User)\AppData\Local\
- Delete all files with questionable random file names similar to the following:
~6DSS92c31Apgjk
6DSS92c31Apgjk

13. We need to remove the startup entry belonging to System Restore.
- Go to Start > Run and type msconfig. This will open the System Configuration Utility.
- Click on the Startup tab.
- Look for a startup item consisting of random characters.
- Remove the check mark and click OK.

14. Please restart the computer to complete the removal process.

15. After restarting the computer, you need to unhide all files that System Restore set as hidden.
- Open My Computer. Go to drive C: and select all files.
- Right-click on the highlighted files, then select Properties.
- In the Attributes area, clear the Hidden check box. Confirm that you want to apply the changes to the selected items, subfolders and files.

What To Do If Files and Folders Are Missing?
a. Open Windows Explorer/My Computer.
b. On the top menu, click on Organize > Folder and Search Options (Windows Vista/7).
On the top menu, click on Tools > Folder Options (Windows XP).
c. Click on the View tab.
d. Mark "Show hidden files and folders".
e. Click on Apply, then OK.
That will show all hidden files and folders on your computer.

16. Lastly, all shortcut link files must be removed. They are all visible on your taskbar, desktop and Programs menu. Simply delete any .LNK files that correspond to System Restore. You may also refer to the 'Associated Files and Folders' section for the individual locations.