The Emsisoft malware research team has discovered a new outbreak of the Windows Restore adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsRestore.
Windows Restore is a rogue application. A rogue application tries to trick you by displaying false or misleading scan results, which claim that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it until you purchase the product.
Variants of the rogue defragmenter:
- Windows Repair
- Windows Recovery
- Windows Diagnostic
- Win Scan
- Win Disk
- Disk Recovery
- Windows Disk
- Windows Scan
- Memory Optimizer
- Disk Optimizer
- Easy Scan
- Good Memory
- Fast Disk
- Disk OK
- My Disk
- Memory Fixer
- HDD Fix
- Scanner
- HDD Low
- Disk Repair
- Defragmenter
- HDD Tools
- Smart HDD
- HDD Rescue
- HDD Plus
- HDD Diagnostic
- Hard Drive Diagnostic
- Disk Doctor
- Win Defragmenter
- WinDefrag
- WinHDD
- CheckDisk
- Ultra Defragger
- Quick Defragmenter
- Smart Defragmenter
- HDD Defragmenter
- System Defragmenter
Creates new files:
- %AllUsersProfile%\Application Data\%random%
- %AllUsersProfile%\Application Data\%random%.exe
- %AllUsersProfile%\Application Data\%random%.exe
- %UserProfile%\Desktop\Windows Restore.lnk
- %UserProfile%\Start Menu\Programs\Windows Restore\
- %UserProfile%\Start Menu\Programs\Windows Restore\Uninstall Windows Restore.lnk
- %UserProfile%\Start Menu\Programs\Windows Restore\Windows Restore.lnk
Creates/modifies registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
  DisableTaskMgr: 0x00000001
- HKEY_CURRENT_USER\Software\
  75fa38b7-8b94-4995-ad32-52e938867954:
  BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
  Use FormSuggest: “Yes”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
  WarnonBadCertRecving: 0x00000000
  CertificateRevocation: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
  NoChangingWallPaper: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
  LowRiskFileTypes: “/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
  SaveZoneInformation: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  DisableTaskMgr: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  %random%: “%AllUsersProfile%\Application Data\%random%.exe”
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\
  CheckExeSignatures: “no”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  Hidden: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  ShowSuperHidden: 0x00000000
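A triage check built from the registry changes listed above, as an added example that is not Emsisoft's code: it scans the decoded text of a `reg export` dump for a subset of those values and for Run entries that launch an .exe directly from the All Users Application Data folder. The function name, the reason strings, the folder expansion and the sample export are assumptions constructed for illustration.

```python
import re

# Subset of the policy values listed above: (key suffix, value name) -> data set by the rogue.
# Suffixes are compared against the lower-cased key, so the HKLM and HKCU copies both hit.
TAMPERED = {
    (r"\policies\system", "disabletaskmgr"): "dword:00000001",
    (r"\policies\activedesktop", "nochangingwallpaper"): "dword:00000001",
    (r"\policies\attachments", "savezoneinformation"): "dword:00000001",
    (r"\internet settings", "warnonbadcertrecving"): "dword:00000000",
    (r"\internet settings", "certificaterevocation"): "dword:00000000",
    (r"\internet explorer\download", "checkexesignatures"): '"no"',
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Assumption: %AllUsersProfile%\Application Data expands to ...\All Users\Application Data.
RUN_EXE = re.compile(r"\\all users\\application data\\[^\\]+\.exe$")

def scan_reg_export(text):
    """Return (key, value name, reason) findings from decoded `reg export` text."""
    findings, key = [], ""
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m:
            continue
        name, data, lkey = m.group(1), m.group(2), key.lower()
        for (suffix, vname), bad in TAMPERED.items():
            if lkey.endswith(suffix) and name.lower() == vname and data.lower() == bad:
                findings.append((key, name, "policy value matches advisory"))
        if lkey.endswith(r"\currentversion\run"):
            # .reg files double every backslash inside string data; undo that first.
            path = data.strip('"').replace("\\\\", "\\").lower()
            if RUN_EXE.search(path):
                findings.append((key, name, "autorun from All Users Application Data"))
    return findings

# Constructed sample export (not taken from an infected machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qwxyzExample"="C:\\Documents and Settings\\All Users\\Application Data\\qwxyzExample.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    print(*scan_reg_export(SAMPLE), sep="\n")
```

`reg export` writes UTF-16, so decode the file before passing its text in. A hit is a lead for a full scan rather than proof of infection, since an administrator can set the same policy values.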
How to remove the Windows Restore infection (Adware.Win32.WindowsRestore)?
To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.








