The "Windows Restore" Virus

Dennis Foote – System Engineer

This week, I ran into a very intense virus called Windows Restore. It tries to make you think that there is a problem with everything from hardware to software applications on your PC. The reason it was so difficult to remove was the fact that it hides all your icons and stops your IE from being operational.

From past experiences, I know that it looks for certain software like Malwarebytes or ComboFix and disables them. If you do need anti-malware to run, your best bet is to rename it to something different like 123456. This will trick the virus and usually let you install your virus/malware removal programs. Below is a list of manual keys in the registry to look at when trying to remove this virus. Also, remember to go into folder options and show all files and folders.

Malicious Files Added by Windows Restore Virus :
%UserProfile%\Start Menu\Programs\Windows Restore\Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\Uninstall Windows restore.lnk
%AppData%\Microsoft\[random].exe
%UserProfile%\Desktop\Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\

Windows Restore Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Use FormSuggest” = ‘yes’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = ‘0′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ‘1′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random].exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random]”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policie \Associations “LowRiskFileTypes” = ‘{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ‘1′