Fake Windows Restore

Threat Scorecard

Ranking: 14,297
Threat Level: 100 % (High)
Infected Computers: 304
First Seen: April 6, 2011
Last Seen: August 19, 2023
OS(es) Affected: Windows


The malware that calls itself Windows Restore is just the latest clone in a long line of fake PC optimization programs. Because it borrows a name that sounds like a legitimate Windows feature (the genuine recovery utility built into Windows is called System Restore), there is room for confusion about which is malware and which is real software. One easy distinction: the fake Windows Restore demands money, whereas the real System Restore is part of Windows and costs nothing.

Aside from hounding you for money, the fake Windows Restore differs from the genuine utility in two ways: it reports all kinds of invented problems with your computer, and it makes the PC almost unusable. The real System Restore simply rolls the system configuration back to an earlier restore point; the fake Windows Restore instead poses as a disk defragmenter and system optimization tool.

Because Windows Restore is a scam, its sole purpose is to frighten you about the state of your computer so badly that you pay a sizeable sum for a fake Windows Restore "Advanced Module" license. No matter what the fake Windows Restore tells you, it is false. There is no need to panic.

Unwanted Symptoms Caused by Windows Restore

Please note that from this point on, all references to "Windows Restore" are to the malware, the fake defragmenter that holds your computer hostage.

Windows Restore loads every time Windows starts and displays a window designed to look like a scanner interface. The fake interface uses a modified Windows logo and looks fairly convincing, down to a "Help and Support" button. It plays a progress animation to simulate a scan and then reports numerous problems with your computer's hard drive, which it claims it can fix only if you pay to activate its Advanced Module. In reality, Windows Restore cannot scan the drive for problems, has no functionality to unlock, and has no Advanced Module. Everything shown on the phony interface is a lie.

You cannot click past the fake scanner, but if you wait it out you will eventually reach the desktop. Getting there does little good, because Windows Restore interferes with the computer in so many ways that you cannot do anything with it. To keep the scare campaign going, it generates pop-up alerts almost constantly. The alerts usually begin with "Critical error" and claim, often without mentioning Windows Restore at all, that something has gone badly wrong with the system's hardware: that the hard drive could not be found, that the disk has bad sectors, that data could not be saved because of a drive failure, and that there are serious problems with the RAM.

These fake alerts prompt you to buy a license for the Advanced Module, and Windows Restore can take you to a website where you really can pay for the nonexistent license. Aside from the obvious fact that its claims about the computer are false, the idea that a piece of software could repair the kind of hardware failures it reports is absurd: no defragmenter can fix a physical, mechanical or electrical fault. If your computer really had those problems, which it does not, you would need a new hard drive.

While it is installed, Windows Restore does whatever it can to prevent its own removal and to convince you that the errors it reports are real. Other programs will not run, and Windows Restore claims this is because of an error accessing the hard drive. In normal mode you cannot start Task Manager to kill its processes (the "DisableTaskMgr" policy values listed under Registry Details are how that block is enforced), and you cannot use Regedit to repair the registry. Your web browser may work, but it will only show the Windows Restore payment site or an error page. Many folders on the system appear empty or show the contents of a different folder, which is especially common with sub-folders of the Windows directory; the Explorer settings listed under Registry Details that turn off the display of hidden and protected system files are consistent with this. Overall, Windows Restore's presence is extremely disruptive.

Origins of Windows Restore

Windows Restore relies on fake online scanners and on compromised websites and files to download itself to your computer without your knowledge. It is commonly promoted by pop-up advertisements that claim your computer is infected or under-performing and offer a free scan. In every case the result is the same: a Trojan downloader is delivered to your PC, and once inside it drops the Windows Restore files and sets up the malware, which becomes active the next time Windows starts or restarts.

Windows Restore falls into the category of malware usually referred to as rogue disk defragmenters or rogue system optimization tools, and it is far from the first of its kind. It is closely related to, and derived from, the other rogue programs in this category, almost certainly created and distributed by the same people.

Windows Restore belongs to the FakeSysDef family, and its relatives include System Defragmenter, Ultra Defragger, HDD Control, Win HDD, Win Defrag, Win Defragmenter, Disk Doctor, Hard Drive Diagnostic, HDD Diagnostic, HDD Plus, HDD Repair, HDD Rescue, Smart HDD, Defragmenter, HDD Tools, Disk Repair, Windows Optimization Center, Scanner, HDD Low and Hdd Fix.

This family of malware has only been around since December 2010 and already has all of these members, which means that new names appear frequently for what is essentially the same fake software. Windows Restore appeared in early April 2011. Like the rest of its family, it is part of a scam that has been traced to an origin in Russia.

File System Details

Fake Windows Restore may create the following file(s). [RANDOM CHARACTERS] stands for a per-infection random name; MD5 and detection count are given where recorded:

1. %AllUsersProfile%\[RANDOM CHARACTERS].dll
2. %Temp%\internetexplorerupdate.exe
3. %AllUsersProfile%\[RANDOM CHARACTERS].exe
4. %AllUsersProfile%\Application Data\[RANDOM CHARACTERS].dll
5. %AppData%\Microsoft\[RANDOM CHARACTERS].exe
6. %AllUsersProfile%\Application Data\[RANDOM CHARACTERS].exe
7. %UserProfile%\Start Menu\Programs\Windows Restore\Uninstall Windows restore.lnk
8. %AllUsersProfile%\~[RANDOM CHARACTERS]r
9. %UserProfile%\Desktop\Windows Restore.lnk
10. %AllUsersProfile%\~[RANDOM CHARACTERS]
11. %AllUsersProfile%\Application Data\~[RANDOM CHARACTERS]r
12. %UserProfile%\Start Menu\Programs\Windows Restore\Windows Restore.lnk
13. %UserProfile%\Start Menu\Programs\Windows Restore\
14. %AllUsersProfile%\Application Data\~[RANDOM CHARACTERS]
15. 17555252.exe (MD5 eadcd8526e23e8a1ed75ea969b841d7f, detections: 0)
16. dpdclcVKsU.exe (MD5 f99e9b62e80b2e491dde49f457fd9bdb, detections: 0)

Registry Details

Fake Windows Restore may create the following registry entry or registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
(the LowRiskFileTypes data as listed is an extension list with every byte XORed with 0x01; it decodes to 'zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;', the file types that the Windows Attachment Manager then treats as low risk and opens without its "this file came from the Internet" warning; the leading '.' before zip appears to have been lost)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Directories

Fake Windows Restore may create the following directory or directories:

%UserProfile%\Start Menu\Programs\Windows Restore

Messages

The following messages associated with Fake Windows Restore were found:

Activation Reminder
Windows Restore Activation
Advanced module activation required to fix detected errors and performance issues. Please purchase Advanced Module license to activate this software and enable all features.
Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.
Critical Error
Hard Drive not found. Missing hard drive.
Critical Error
Hard drive critical error. Run a system diagnostic utility to check your hard disk drive for errors. Windows can't find hard disk space. Hard drive error.
Critical Error
RAM memory usage is critically high. RAM memory failure.
Critical Error
Windows can't find hard disk space. Hard drive error.
Critical Error!
Damaged hard drive clusters detected. Private data is at risk.
Critical Error!
Windows was unable to save all the data for the file \System32\496A8300. The data has been lost. This error may be caused by a failure of your computer hardware.
Internet Protection
External software tries to control variety of your system files. This may lead to breaking of some data in your system. Click here to protect remote access to your PC & delete these programs.
Internet Protection
Spyware.IEMonster process is found. The virus is going to send your passwords from Internet browser (Explorer, Mozilla Firefox, Outlook & others) to the third-parties. Click here for further protection of your data with Internet Protection.
Internet Protection
Your computer is under the infections threat. Run instant shield protection to safe your data and prevent internet access to your credit card information. Select this to run instant shield.
Internet Protection
Your system has come under attack of harmful software. Click here to deactivate it.
Internet Protection Firewall Alert
Internet Protection has prevent a program from accessing the Internet.
"iexplore.exe" is infected with Trojan. This worm has tried to use "iexplore.exe" to connect to remove host and send your credit card information.
Internet Protection Firewall Alert
Suspicious activity in your registry system space was detected. Rogue malware detected in your system. Data leaks and system damage are possible. Please use a deep scan option.
Internet Protection Firewall Alert
Warning
Keylogger activity detected!
Your account in social network is under attack. Click here to block unauthorized modification by removing threats (Recommended)
Internet Protection Firewall Alert
Your computer is being attacked from a remote machine!
Block Internet access to your computer to prevent system infection.
Attacker IP:
Attack type: RCPT exploit
Low Disk Space
You are running very low disk space on Local Disk (C:).
System Restore
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.
Windows - No Disk
Exception Processing Message 0x0000013
