System Restore blocked by malware

Discussion in 'malware problems & news' started by OliverX669, Jun 10, 2008.

Thread Status:
Not open for further replies.
  1. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello,

    A few days ago, searching for a video conversion programme, I came across one called SC Video Converter issued by the Software Club. I decided to try it and downloaded it. During the installation procedure a window appeared advising that System Guard was not installed on my pc and had to be to enable the programme to work. I clicked OK and then got a window showing a licence agreement, which had to be accepted for the installation to continue. Beginning to have doubts, I declined the agreement and exited the installation.

    The problem is this.

    Even though I discontinued the installation SC Video Converter IS installed on my pc and I cannot remove it because, I suspect, System Guard has been installed and is preventing me from running System Restore or any other procedure such as regedit or msconfig to get rid of it.

    I desperately need to remove this SC Video Converter, and System Guard. Is this possible, and if so can anyone please tell me how I can do this? Is this some sort of scam?

    The main need of course is how can I get System Restore to function again as I've always used this to get rid of programmes I have doubts about.

    Any help would be very much appreciated.


    Kind regards,

    Oliver
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    System Guard may be a rogue of the vundo variant.

    You could try a scan with SuperAntispyware for starters and see how it goes.
     
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,289
    Location:
    England
  4. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello Franklin,

    Thank you for the advice, much appreciated, I'll give it a try right now.

    Regards,

    Oliver
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    You tried system restore while in safe mode? (reboot, as system is starting up--press f8 every couple of seconds, when prompted--select safe mode, then run system restore)
     
  6. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello Saraceno,

    Yes, I tried that, thank you, but it didn't help. Thank you for mentioning it though, it's much appreciated.

    I'm about to post a message to Franklin following his advice, you may find it informative.

    Regards,

    Oliver
     
  7. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello again Franklin,

    I ran a scan using the SuperAntispyware free Home Version download. The results, bearing in mind I have Norton and AOL's McAfee running all the time, are appalling.

    The scan took 40 minutes and the results detected are as follows:

    Memory Items 1
    Registry Items 7
    File Items 480!

    You were absolutely spot on, SuperAntispyware detected 2 occurrences of Trojan.Vundo-Variant/Small-GEN and 5 of Trojan.Vundo-Variant/Small.

    I followed the instructions regarding the removal/quarantine of all these threats and rebooted as required, but there's a question I'd like your advice on before I do anything else please.

    On rebooting I notice the icon for the problem programme is still on the desktop. Should I try to run System Restore now to see if it works, and what date should I try to run it at? I would have thought the best date to run it at would be a date BEFORE the installation of the problem programme, but if Restore does actually work would that undo all the repairs that SuperAntispyware has just carried out?

    Thanks again for your help.

    Kind regards,

    Oliver
     
  8. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hiya Franklin,

    Just a bit more information.

    I thought I'd try and get rid of the problem programme's icon in the normal way whilst waiting for your reply. I tried right clicking on it and selecting delete, then dragging it to the Recycle Bin, then dragging it to File Shredder. The result was the same in each case: I get an error message window pop up. The window is headed "System Error!" and the message is "Attention! Some dangerous trojan horses detected in your system. Microsoft Windows XP files corrupted. This may lead to the destruction of important files in C:/Windows. Check OK to download the antispyware (Recommended)"

    I guess this is being put up by the Vundo programmes, and I didn't select OK of course, so maybe SuperAntispyware hasn't been able to completely eradicate them.

    Oliver
     
  9. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    You said 480 files, are these system files or personal data files or both?
    With System Restore the registry is overwritten with the restore point registry; if that is clean, so will your restored registry be. Not everything in the Windows folder is replaced at restore, hence my question.

    A more thorough solution is imaging, though; it takes out the hassle of fiddling with the sometimes crippled MS restore solution.
     
  10. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello Huupi,

    Thank you for your reply. I'm sorry, I don't know what kind of files the 480 are, SuperAntispyware didn't give any further information. I don't know anything about "imaging" either, I'm afraid, as I've never needed it before; System Restore has always worked well for me before.

    Regards,

    Oliver
     
  11. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    You have Norton and AOL's McAfee running all the time? On the same computer?

    Also, you may want to make a post in the SAS forum as you might be able to get some answers over there as well.
     
  12. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    If you believe you are still infected, submit a support request here and we can run a custom diagnostic and see what's going on:
    http://www.superantispyware.com/support.html
     
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Had to grab some shut eye OliverX669 and just got back now.

    You should be in good hands with SAS support.:)
     
  14. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    SAS is a very good program in finding out infections, but not sure how good it is in repairing the system. I had a VUNDO trojan back in 2006 and had to have someone look over the system registry and files in order to get rid of the pop up ads (Winfixer, Adult Friend Finder, etc.). I did that before I started using SAS so I manually got rid of the trojan in the O.S. files and registry myself and also used the VUNDOFIX utility program.
     
  15. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello Saraceno,

    Thank you for your message. Yes, I assure you running System Restore in Safe Mode makes no difference at all, I've just tried it again. After the reboot I get the same error pop-up: "It was not possible to restore your system to the chosen date. Choose another date and try again"

    Choosing another date has just the same result.

    Regards,

    Oliver
     
  16. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello acr1965,

    Thank you for your message.

    Yes, I assure you Norton and AOL's McAfee are running all the time from the moment of power up on this, my one and only pc.

    Regards,

    Oliver
     
  17. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello ccsito,

    Thank you for your message.

    Sorry to hear that you too were hit by the Vundo thing, and to hear of all the trouble you had to go to to get rid of it.

    I don't think I could carry out all the manual procedures you went through, I'm no pc whizzkid!

    Regards,

    Oliver
     
  18. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello Franklin,

    Thanks for your message and all the trouble you have gone to, I'll follow the SAS link and hopefully they'll be able to help me.

    Regards,

    Oliver
     
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Those vundo and smitfraud types are constantly releasing new variants, where even specialised tools such as vundofix.exe and smitfraudfix need updating in order to clean up properly.

    OliverX669 you may want to have a read of MG's malware cleanup guide.

    Also it's usually advisable to have only one antivirus application running realtime as conflicts can arise.

    No need to uninstall, just have one running realtime and use the other as on demand.
     
  20. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello SUPERAntiSpyware,

    Thank you for your message, I've submitted a Support Request as you advised.

    Thank you for your help.

    Regards,

    Oliver
     
  21. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Oliver,
    Not many of us are that technically astute. I had to generate a system log using the Hijackthis utility and then had someone with more technical expertise read it over and recommend changes to my system. I also rescanned the system after making the changes just to make sure that everything was OK. I would recommend that you do the same. You can surf over to any tech support websites that provide help in removing spyware. They can provide step by step instructions for you to follow. This malware has many variants, and the same set of procedures does not work for every situation.
     
    Last edited: Jun 11, 2008
  22. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Hi Oliver,

    Obviously if you have the XP CD you can perform a repair, but if you don't have it, the following might provide some further advice.

    System restore troubleshooting:
    http://www.pcbuyerbeware.co.uk/Recovering_Windows_XP.htm#restore

    Restoring from command prompt:
    http://support.microsoft.com/kb/304449/

    Using the Microsoft Windows Malicious Software Removal Tool (for the Blaster worm, which affects System Restore):
    http://support.microsoft.com/kb/833330/en-us

    I would run the Microsoft malicious software tool first. Then, if that fails, try restore from the command prompt, then work through the troubleshooting.
     