Fake System Restore

Fake System Restore Description

The malware that calls itself System Restore is nothing more than the latest clone in a long line of fake PC optimization programs. Because this malware uses a name that also refers to a legitimate Windows utility, there may be some confusion about what is malware and what is real software. The difference is that the fake System Restore costs money, whereas the real System Restore is simply a part of Windows and requires no additional fees.

Aside from the fact that the fake System Restore will hound you for money, the major difference between it and the real Windows utility is that the fake System Restore will tell you all kinds of strange things about your computer and will make your PC almost unusable. Whereas the real System Restore is simply a utility that lets you roll your computer back to an earlier configuration, the fake System Restore pretends to be a defragmenter and system optimization tool.

Because System Restore is a scam, System Restore's reason for being is to get you so scared about the state of your computer that you will fork over a big chunk of money for a fake System Restore "advanced module" license. Always remember, no matter what the fake System Restore tells you, it is false. There is no need to panic!

Unwanted Symptoms Caused by System Restore

Please note that from this point on, all references to "System Restore" are to the malware, the fake defragmenter that holds your computer hostage.

System Restore will load every time Windows starts, and System Restore will display a window that is supposed to look like a scanner interface. The fake interface uses a modified Windows logo, and it looks relatively realistic, even including a "Help and Support" button. This interface will play a progress animation to simulate a scan, and then System Restore will tell you that System Restore has found numerous problems with your computer's hard drive, which System Restore can only fix if you pay to activate System Restore's Advanced Module. However, System Restore can't actually scan your hard drive for problems, System Restore doesn't have any functionality to unlock, and there is no Advanced Module. Everything displayed on the phony System Restore interface is a lie.

You will not be able to click past the fake scanner, but it is possible to wait through it and eventually reach the desktop. Unfortunately, being able to get to the desktop doesn't really do any good, because System Restore will interfere with your computer in so many different ways that you will not be able to do anything with it. In order to continue System Restore's campaign of scare tactics, System Restore will create pop-up alerts, which will appear almost constantly. The alerts usually start with "Critical error," and they will claim – without referencing System Restore, most of the time – that something has gone horribly wrong with your system's hardware. You'll see warnings that say that your hard drive couldn't be found, that the disk has bad sectors, that data couldn't be saved due to hard drive failure and that there are serious problems with the RAM.

System Restore will use these fake alerts to prompt you to purchase a license for System Restore's Advanced Module, and System Restore can take you to a website where you really can pay for the nonexistent license. Aside from the obvious fact that System Restore is making false claims about the state of your computer, the fact that System Restore apparently expects you to believe that a piece of software could repair the kind of hardware failure System Restore reports is absolutely ludicrous. No defragmenting software can solve the physical, mechanical, or electrical issues that System Restore claims to be able to fix. If your computer really had those problems, which it doesn't, you would need a new hard drive.

While System Restore is on your computer, System Restore will do whatever it can to prevent you from removing it and to convince you that the errors it reports are real. So, you will not be able to run other programs, and System Restore will claim that this is happening because there has been an error accessing the hard drive. You will not even be able to start Task Manager to kill System Restore's processes if Windows is in its normal mode, and you will not be able to use Regedit in order to repair the registry. Your web browser may work, but you will only be able to view the System Restore payment website or an error page. Furthermore, many of the folders on your system will appear to be empty, or they will display the contents of another folder, which is especially common with the System subfolder of Windows. Overall, System Restore's presence is extremely disruptive.

Origins of System Restore

System Restore relies on fake scanners and infected websites and files in order to download itself to your computer without your knowledge. It is common for System Restore to be promoted by online pop-up advertisements, which will tell you that your computer is infected or underperforming and will offer a free scan. In any case, what happens is that the Trojan that supports System Restore is downloaded to your PC, and once it is in, it drops the files for System Restore and sets up the malware. System Restore will then be active the next time you start or restart Windows.

System Restore falls into a category of malware typically referred to as rogue disk defragmenters or rogue system optimization tools, and System Restore is far from the first of its kind. System Restore is closely related to and derived from other fake security programs in this category, almost certainly created and distributed by the same people. Some of System Restore's relatives include Windows Restore, Windows Repair, Windows Recovery, Windows Tool, WinScan, Windows Diagnostic Win Disk, Windows Disk, Windows Scan, Win Defragmenter, Win Defrag, Disk OK, Disk Repair, Disk Doctor, Disk Optimizer, Disk Recovery, HDD OK, HDD Rescue, HDD Low, HDD Diagnostic, Hard Drive Diagnostic, HDD Fix, HDD Plus, HDD Tools, My Disk, Fast Disk, Smart HDD, Scanner, Defragmenter, Memory Fixer, Memory Optimizer, and Good Memory. This family of malware has only been around since December 2010, and it already has all of these members, which means that new names are appearing frequently for what is essentially the same fake security software. System Restore appeared in early April 2011. Along with all of the malware in System Restore's family, System Restore is part of a scam that has been traced to an origin in Russia.

Technical Information

File System Details

Fake System Restore creates the following file(s):
#   File Name                                      Detection Count
1   6DSS92c31Apgjk.exe                             N/A
3   %Desktop%\System Restore.lnk                   N/A
5   %TempDir%\dfrg                                 N/A
6   %Programs%\System Restore                      N/A
7   %TempDir%\dfrgr                                N/A
8   %Programs%\System Restore\System Restore.lnk   N/A

Registry Details

Fake System Restore creates the following registry entry or registry entries:
Registry key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
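Several of the entries above are not persistence but deliberate weakening of Windows safeguards (Task Manager disabled, executable signature checks and certificate revocation checks turned off, .exe listed as a low-risk attachment type). The following Python script is an added example, not tooling from the page or any vendor: it parses a registry export in .reg text form and flags values that match the settings listed above. The sample export is constructed, and only the listed values are checked, so this is a triage aid rather than a complete signature.

```python
"""Audit a Windows registry export (.reg text) for settings the fake System
Restore rogue writes (taken from this page's Registry Details). Added example."""

CU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
LM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
# (key, value name) -> data the rogue sets; compared case-insensitively
ROGUE_VALUES = {
    (CU + r"\Policies\System", "DisableTaskMgr"): "1",
    (LM + r"\policies\system", "DisableTaskMgr"): "1",
    (CU + r"\Policies\Explorer", "NoDesktop"): "1",
    (CU + r"\Internet Settings", "CertificateRevocation"): "0",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download",
     "CheckExeSignatures"): "no",
}
_ROGUE = {(k.lower(), n.lower()): v for (k, n), v in ROGUE_VALUES.items()}
_LOW_RISK = ((CU + r"\Policies\Associations").lower(), "lowriskfiletypes")

def parse_reg(text):
    """{(key, name): data}, lower-cased; dwords become decimal strings."""
    entries, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                entries[(key, name.lower())] = str(int(raw[6:], 16))
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                entries[(key, name.lower())] = raw[1:-1].replace('\\"', '"')
    return entries  # hex(...) blobs are skipped: no check here needs them

def audit(text):
    """(key, name, data) triples matching the rogue's settings; LowRiskFileTypes
    is flagged when it lists .exe, which silences the attachment warning."""
    hits = []
    for (key, name), data in parse_reg(text).items():
        exe_low_risk = (key, name) == _LOW_RISK and ".exe" in data.lower().split(";")
        if _ROGUE.get((key, name)) == data.lower() or exe_low_risk:
            hits.append((key, name, data))
    return hits

# Constructed sample: one tampered policy, .exe as low risk, one normal value
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.txt;.exe;.bat"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, data in audit(SAMPLE):
        print(f"ROGUE SETTING: [{key}] {name} = {data}")
```

Run it against the output of `reg export` for the hives in question; the HKLM DisableTaskMgr entry is matched case-insensitively, so the page's lower-case `policies\system` spelling and the usual `Policies\System` both hit.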

More Details on Fake System Restore

The following messages associated with Fake System Restore were found:
Bad sectors on hard drive or damaged file allocation table – Critical Error
C:\System32\drivers is damaged. This problem may cause a system failure.
Damaged hard drive clusters detected. Private data is at risk. Restore is required
Data Safety Problem. System integrity is at risk.
Disk drive C:\ is unreadable
Drive C initializing error
Files placement on hard drive is not optimized. Defragmentation is required – Performance Issue
GPU RAM temperature is critically high. Urgent RAM memory optimization is required to prevent system failure
Hard drive and memory errors are detected on your PC.
Hard drive does not correspond to system requests
Hard drive doesn't respond to system commands – Critical Error
Hard drive rotational speed exceeds system limits and may cause a system failure
Hard drive space less than technical limits
Local Disc C:\ is not accessible. Make sure the hard drive is installed and connected correctly.
RAM Memory defragmentation is required. Only 40% of RAM Memory is free to use
1253 MB to be removed for computer performance optimization – Performance Issue
RAM memory speed decreased significantly and may cause a system failure
RAM Memory temperature 83 C. Optimization is required for normal RAM functioning
Read time of hard drive clusters less than 500 ms – Critical Error
System files are damaged. System is unstable.
