How to remove Windows Restore malware in 5 mn

Written by Administrator | Tuesday, 05 April 2011 05:41

Windows Restore is a rogue Antispyware, it's a malware that pretends to be an Antivirus. Windows Restore is a wolf in sheep's clothing. It conducts a fake scan of your system; you are warned by a fake alarm telling that there are some malwares on your system. It’s true indeed, there is really a malware in your system but I think the only malware on your system is this Windows Restore. Windows Restore invites you to purchase a license for this bogus program to remove malwares, do not, it's a scam, you need a license for a malware? This so-called Antivirus tries to scam you. Uninstall Windows Restore as soon as possible from your system with this removal tool for Windows Restore.

Windows Restore

To remove Windows Restore (Uninstall Windows Restore)

Restart your computer and as soon as your computer turns on hit the F8 key (repeatedly) until a screen comes up
Choose Start computer in SAFE MODE with network support
Open Internet Explorer
Go to Tools => Internet Options => Connections Tab => LAN Settings
Uncheck "Use a proxy server"
Recheck "Automatically detect settings"
Download this free removal tool for Windows Restore
Extract it
Launch
Click on the delete button

Windows Restore will be removed from your system in 10s. Restart your computer when it’s finished.

Processes :

[Random].exe

Files :

%CommonAppData%\[Random].exe
%CommonAppData%\[Random]
%Desktop%\Windows Restore.lnk
%Programs%\Windows Restore\Uninstall Windows Restore.lnk
%Programs%\Windows Restore\Windows Restore.lnk

Registry

Registry values created

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Use FormSuggest = "Yes"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- WarnOnZoneCrossing = 0x00000000
- WarnonBadCertRecving = 0x00000000
- CertificateRevocation = 0x00000000

Registry values modified

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- 1601 =
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- State =

Remove Windows Restore manually :

Restart your computer in safe mode :
- Restart your computer and as soon as your computer turns on hit the F8 key (repeatedly) until a screen comes up
- Choose Start computer in SAFE MODE
Open the infected account
Open explorer, paste into the address bar shell:Common AppData then press enter, it will open C:\Documents and Settings\Christian\Local Settings\Temp on my computer
Remove all .exe files and all random folders under this path
Remove Windows Restore.lnk from your desktop
Remove Windows Restore from your Start menu then Programs
Click on the start menu button then click on run
Type msconfig and press enter
Go to the Startup tab
Uncheck all keys that point to an .exe files under the %Temp% or %CommonAppData% folder and click on OK
Restart your computer in normal mode

This will solve the problem but you can run the removal tool to remove the other registry keys and values.