Title: fake System Restore
Type: Malware
Severity scale: (80 / 100)

System Restore is a legitimate Microsoft Windows component that rolls system files, installed programs and the registry back to an earlier restore point. There is also a fake System Restore: a rogue system optimizer that borrows the name. This bogus optimization program displays a stream of warnings claiming that the PC's hard disk, video card or registry is in a bad state and must be repaired with "System Restore". The real System Restore can undo software problems, for example after a failed installation; the rogue claims to fix hardware faults, which no software can do. Its warnings are fabricated.

The rogue also interferes with legitimate software. Programs the user launches are blocked at random, with a message claiming that the executable resides on a bad part of the hard disk; repeated attempts eventually succeed. Some web pages are blocked as well, to stop the user from downloading tools that would remove the rogue.

To remove the fake System Restore, launch the rogue and leave it running while you open browser windows to download anti-malware tools. Download Process Explorer first and use it to kill the rogue's processes; Task Manager is not an option, because the rogue disables it (see the DisableTaskMgr values below). Then run a legitimate anti-spyware program to identify the rogue's files and delete them. They should reside in the all-users profile data folder: %ALLUSERSPROFILE%\Application Data on Windows XP, %ProgramData% on Windows Vista and later.

Delete registry values. The rogue sets the values below; deleting them restores the Windows defaults. The Internet Settings and Download values turn off certificate revocation checking, the bad-certificate warning and signature checks on downloaded executables; the Policies values disable Task Manager and the desktop; LowRiskFileTypes and SaveZoneInformation suppress the security warning on downloaded and opened files; the Explorer\Advanced values hide hidden and protected system files. The Run entries are the rogue's autostart values, whose names are random:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run " .exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run " "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Delete files:
[random].exe from the all-users profile data folder (%ALLUSERSPROFILE%\Application Data on Windows XP, %ProgramData% on Windows Vista and later)
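The removal steps above, collected into one script, as an added example; this is not tooling from the page or from any vendor it mentions. It assumes what the page states: the rogue's [random].exe sits directly in the all-users profile data folder and its autostart entries point there. The -Remove switch, the HKLM Run check and the helper names Get-CommandImage and Test-RogueDir are this example's own choices; without -Remove the script only reports what it finds. It uses Get-WmiObject rather than Get-CimInstance so that it also runs on the Windows PowerShell 2.0 found on XP.

```powershell
# Added example, not the page's own tooling. Assumptions (labelled): the rogue's
# [random].exe lives directly in %ALLUSERSPROFILE%\Application Data (XP) or
# %ProgramData% (Vista+), and its Run entries point there. Run elevated.
# Without -Remove nothing is changed; the script only reports.
param([switch]$Remove)

# Folders the page names as the rogue's home (Vista+ exposes both paths).
$dataDirs = @($env:ProgramData, (Join-Path $env:ALLUSERSPROFILE 'Application Data')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object { $_.TrimEnd('\') } | Select-Object -Unique

function Test-RogueDir([string]$Dir) {
    # True only when $Dir IS one of the data folders, not a legitimate subfolder.
    if (-not $Dir) { return $false }
    return [bool]($dataDirs -contains $Dir.TrimEnd('\'))
}

function Get-CommandImage([string]$CommandLine) {
    # Executable path from an autostart command line: "C:\x\y.exe" /flag  or  C:\x\y.exe /flag
    $c = $CommandLine.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    return ($c -split ' ', 2)[0]
}

$files = New-Object 'System.Collections.Generic.List[string]'

# 1. Kill processes whose image lives in a data folder (Task Manager is disabled by the rogue).
foreach ($p in Get-WmiObject Win32_Process) {
    if (-not $p.ExecutablePath) { continue }
    if (-not (Test-RogueDir ([IO.Path]::GetDirectoryName($p.ExecutablePath)))) { continue }
    'Process  {0,-6} {1}' -f $p.ProcessId, $p.ExecutablePath
    $files.Add($p.ExecutablePath)
    if ($Remove) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
}

# 2. Registry values the rogue sets (the list on this page). Deleting them restores defaults.
$regValues = @(
    @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Main';                        Name='Use FormSuggest' },
    @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Download';                    Name='CheckExeSignatures' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name='CertificateRevocation' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name='WarnonBadCertRecving' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name='NoChangingWallPaper' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';  Name='LowRiskFileTypes' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';   Name='SaveZoneInformation' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name='NoDesktop' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name='DisableTaskMgr' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name='DisableTaskMgr' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name='Hidden' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name='ShowSuperHidden' }
)
foreach ($v in $regValues) {
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    'Registry {0}\{1} = {2}' -f $v.Key, $v.Name, $item.($v.Name)
    if ($Remove) { Remove-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue }
}

# 3. Autostart values (random names) whose command points into a data folder.
#    The page lists only HKCU\...\Run; checking HKLM too is this example's addition.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $item = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    foreach ($prop in $item.PSObject.Properties) {
        if ($meta -contains $prop.Name) { continue }
        $image = Get-CommandImage ([string]$prop.Value)
        try { $dir = [IO.Path]::GetDirectoryName($image) } catch { continue }
        if (-not (Test-RogueDir $dir)) { continue }
        'Autorun  {0} "{1}" = {2}' -f $runKey, $prop.Name, $prop.Value
        $files.Add($image)
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $prop.Name -ErrorAction SilentlyContinue }
    }
}

# 4. Delete the rogue's files found via its processes and autostart entries
#    (done last, after the processes holding them are gone).
foreach ($f in ($files | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    'File     {0}' -f $f
    if ($Remove) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
}
```

Run it once without -Remove and read the report; only the processes and Run entries that resolve to the data folder itself are treated as the rogue, so a legitimate program installed in a subfolder of %ProgramData% is not touched. If the rogue blocks the PowerShell host like other executables, the page's own advice applies: keep the rogue's window open and retry, since its blocking is random.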

