System Restore

By | April 13, 2011 | 0 Comment

System Restore is a must-removed program from a compromised computer. This is not the same as the genuine System Restore of Windows, but rogue that claims itself as hard drive tool. When this fake software is installed on the computer, it will begin to display a barrage of fake critical errors. It also provides a system in order to deceive computer owners about the performance and stability of the system. This technique is established to endorse fake System Restore as the solution to these issues. It will always prompt to acquire the registered version of System Restore in order to fix errors detected earlier.

Ignore this System Restore virus and if infected, immediately download a removal tool as suggested on this page. Keep in mind that rogue programs were developed to scam computer users and system troubleshooting is none of their business. Rogue developers focus more on selling fraud programs and stealing money from victim’s credit card account. Remove System Restore and all of its components dropped on the system with only known security product.

Type Rogue
Sub-Type FakeAV
OS Affected Windows XP, Windows Vista, Windows 7

What are the Symptoms of System Restore Infection?

System Restore Scanner

It will modify Windows Registry and add the following entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ‘1’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “DisableTaskMgr” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Use FormSuggest” = ‘yes’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “Hidden” = ‘0’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “ShowSuperHidden” = 0′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = ‘/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’

The threat will drop the following malicious files:
Windows Vista & 7:
%AllUsersProfile%\~
%AllUsersProfile%\~r
%AllUsersProfile%\.dll
%AllUsersProfile%\.exe
%AllUsersProfile%\.exe
%UserProfile%\Desktop\Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\Uninstall Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\Windows Restore.lnk
%Temp%\internetexplorerupdate.exe

Windows XP:
%AllUsersProfile%\Application Data\~
%AllUsersProfile%\Application Data\~r
%AllUsersProfile%\Application Data\.dll
%AllUsersProfile%\Application Data\.exe
%AllUsersProfile%\Application Data\.exe
%UserProfile%\Desktop\Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\Uninstall Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\Windows Restore.lnk
%Temp%\internetexplorerupdate.exe

Leave a Reply

Your email address will not be published. Required fields are marked *