Fake Windows Restore
Threat Scorecard
Ranking: 14,297
Threat Level: 100 % (High)
Infected Computers: 304
First Seen: April 6, 2011
Last Seen: August 19, 2023
OS(es) Affected: Windows
The malware that calls itself Windows Restore is nothing more than the latest clone in a long line of fake PC optimization programs. Because this release of this malware is using a name that also refers to a legitimate Windows utility, there may be some confusion about what is malware and what is real software. The difference is that the fake Windows Restore costs money, whereas the real Windows Restore is just a part of Windows and requires no additional fees.
Aside from the fact that the fake Windows Restore will hound you for money, the major difference between the fake Windows Restore and the real Windows utility Windows Restore is that the fake will tell you all kinds of strange things about your computer and will make your PC almost unusable. Whereas the real Windows Restore is just a utility that allows you to change your computer to an earlier configuration, the fake Windows Restore pretends to be a defragmenter and system optimization tool.
Because the fake Windows Restore is a scam, its reason for being is to get you so scared about the state of your computer that you will fork over a big chunk of money for a fake Windows Restore "advanced module" license. Always remember, no matter what the fake Windows Restore tells you, it is false. There is no need to panic!
Unwanted Symptoms Caused by Windows Restore
Please note that from this point on, all references to "Windows Restore" are to the malware, the fake defragmenter that holds your computer hostage.
Windows Restore will load every time Windows starts and display a window that is supposed to look like a scanner interface. The fake interface uses a modified Windows logo, and it looks relatively realistic, even including a "Help and Support" button. This interface will play a progress animation to simulate a scan, and then Windows Restore will tell you that it has found numerous problems with your computer's hard drive, which it can only fix if you pay to activate its Advanced Module. However, Windows Restore can't actually scan your hard drive for problems, it doesn't have any functionality to unlock, and there is no Advanced Module. Everything displayed on the phony Windows Restore interface is a lie.
You will not be able to click past the fake scanner, but it is possible to wait through it and eventually access the desktop. Unfortunately, being able to get to the desktop doesn't really do any good, because Windows Restore will interfere with your computer in so many different ways that you will not be able to do anything with it. In order to continue its campaign of scare tactics, Windows Restore will create pop-up alerts, which will pop up almost constantly. The alerts usually start with "Critical error," and they will claim – without referencing Windows Restore, most of the time – that something has gone horribly wrong with your system's hardware. You'll see warnings that say that your hard drive couldn't be found, that the disk has bad sectors, that data couldn't be saved due to hard drive failure and that there are serious problems with the RAM.
Windows Restore will use these fake alerts to prompt you to purchase a license for its Advanced Module, and it can take you to a website where you really can pay for the nonexistent license. Aside from the obvious fact that Windows Restore is making false claims about the state of your computer, the fact that it apparently expects you to believe that a piece of software could repair the kind of hardware failure it reports is absolutely ludicrous. No defragmenting software can solve the physical, mechanical, or electrical issues that Windows Restore claims to be able to fix. If your computer really had those problems, which it doesn't, you would need a new hard drive.
While Windows Restore is on your computer, it will do whatever it can to prevent you from removing it and to convince you that the errors it reports are real. So, you will not be able to run other programs, and Windows Restore will claim that this is happening because there has been an error accessing the hard drive. You will not even be able to start Task Manager to kill Windows Restore's processes if Windows is in its normal mode, and you will not be able to use Regedit in order to repair the registry. Your web browser may work, but you will only be able to view the Windows Restore payment website or an error page. Furthermore, many of the folders on your system will appear to be empty, or they will display the contents of another folder, which is especially common with the Windows subfolder of Windows. Overall, Windows Restore's presence is extremely disruptive.
Origins of Windows Restore
Windows Restore relies on fake scanners and infected websites and files in order to download itself to your computer without your knowledge. It is common for Windows Restore to be promoted by online pop-up advertisements, which will tell you that your computer is infected or underperforming, and will offer a free scan. In any case, what happens is that the Trojan that supports Windows Restore is downloaded to your PC, and once it is in, it drops the files for Windows Restore and sets up the malware. Windows Restore will then be active the next time you start or restart Windows.
Windows Restore falls into a category of malware typically referred to as rogue disk defragmenters or rogue system optimization tools, and it is far from the first of its kind. Windows Restore is closely related to and derived from other fake security programs in this category, almost certainly created and distributed by the same people.
Windows Restore belongs to the FakeSysDef family, and some of Windows Restore's relatives include System Defragmenter, Ultra Defragger, HDD Control, Win HDD, Win Defrag, Win Defragmenter, Disk Doctor, Hard Drive Diagnostic, HDD Diagnostic, HDD Plus, HDD Repair, HDD Rescue, Smart HDD, Defragmenter, HDD Tools, Disk Repair, Windows Optimization Center, Scanner, HDD Low, Hdd Fix.
This family of malware has only been around since December 2010, and it already has all of these members, which means that new names are appearing frequently for what is essentially the same fake security software. Windows Restore appeared in early April 2011. Along with all of the malware in Windows Restore's family, Windows Restore is part of a scam that has been traced to an origin in Russia.
File System Details
# | File Name | MD5 | Detections |
---|---|---|---|
1. | %AllUsersProfile%\[RANDOM CHARACTERS].dll | ||
2. | %Temp%\internetexplorerupdate.exe | ||
3. | %AllUsersProfile%\[RANDOM CHARACTERS].exe | ||
4. | %AllUsersProfile%\Application Data\[RANDOM CHARACTERS].dll | ||
5. | %AppData%\Microsoft\[RANDOM CHARACTERS].exe | ||
6. | %AllUsersProfile%\Application Data\[RANDOM CHARACTERS].exe | ||
7. | %UserProfile%\Start Menu\Programs\Windows Restore\Uninstall Windows restore.lnk | ||
8. | %AllUsersProfile%\~[RANDOM CHARACTERS]r | ||
9. | %UserProfile%\Desktop\Windows Restore.lnk | ||
10. | %AllUsersProfile%\~[RANDOM CHARACTERS] | ||
11. | %AllUsersProfile%\Application Data\~[RANDOM CHARACTERS]r | ||
12. | %UserProfile%\Start Menu\Programs\Windows Restore\Windows Restore.lnk | ||
13. | %UserProfile%\Start Menu\Programs\Windows Restore\ | ||
14. | %AllUsersProfile%\Application Data\~[RANDOM CHARACTERS] | ||
15. | 17555252.exe | eadcd8526e23e8a1ed75ea969b841d7f | 0 |
16. | dpdclcVKsU.exe | f99e9b62e80b2e491dde49f457fd9bdb | 0 |
Registry Details
Directories
Fake Windows Restore may create the following directory or directories:
%UserProfile%\Start Menu\Programs\Windows Restore
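
A read-only triage check built from the file and directory entries listed above, as an added example (not EnigmaSoft or SpyHunter code). The function name is hypothetical, `[RANDOM CHARACTERS]` is treated as a wildcard (an assumption), and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added triage example, not EnigmaSoft or SpyHunter code. Read-only: it lists
# candidates and deletes nothing. Paths and MD5 values are copied from the table above.
function Find-FakeWindowsRestoreArtifact {
    [CmdletBinding()]
    param(
        # Overridable so the check can be pointed at a mounted disk image.
        [string]$AllUsersProfile = $env:ALLUSERSPROFILE,
        [string]$UserProfile     = $env:USERPROFILE,
        [string]$AppData         = $env:APPDATA,
        [string]$Temp            = $env:TEMP
    )
    $knownMd5 = 'eadcd8526e23e8a1ed75ea969b841d7f', 'f99e9b62e80b2e491dde49f457fd9bdb'

    # Fixed names from the table: report as high confidence when present.
    $fixed = @(
        (Join-Path $Temp 'internetexplorerupdate.exe'),
        (Join-Path $UserProfile 'Desktop\Windows Restore.lnk'),
        (Join-Path $UserProfile 'Start Menu\Programs\Windows Restore')
    )
    foreach ($path in $fixed) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Confidence = 'High'; Path = $path; MD5 = $null }
        }
    }

    # Randomly named entries. Assumption: [RANDOM CHARACTERS] is matched as a wildcard,
    # so legitimate files in these folders can match and need manual review.
    $rules = @(
        @{ Dir = $AllUsersProfile; Include = '*.exe', '*.dll', '~*' },
        @{ Dir = (Join-Path $AllUsersProfile 'Application Data'); Include = '*.exe', '*.dll', '~*' },
        @{ Dir = (Join-Path $AppData 'Microsoft'); Include = @('*.exe') }
    )
    foreach ($rule in $rules) {
        # Top level only (no recursion); -Force includes hidden files.
        $files = Get-ChildItem -LiteralPath $rule.Dir -File -Force -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            if (-not ($rule.Include | Where-Object { $file.Name -like $_ })) { continue }
            $md5 = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            # A hash match against the two listed samples upgrades the hit.
            $confidence = if ($knownMd5 -contains $md5) { 'High' } else { 'Review' }
            [pscustomobject]@{ Confidence = $confidence; Path = $file.FullName; MD5 = $md5 }
        }
    }
}

Find-FakeWindowsRestoreArtifact | Sort-Object Confidence, Path | Format-Table -AutoSize
```

`Review` rows are only candidates: any executable, DLL or `~`-prefixed file sitting directly in those folders matches, so confirm each one before acting on it.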