Subscribe to Our Blog by Email

Your email:

IT Blog

IT Blog

IT Blog

Contact Us

Most Popular Posts

blog

Posts by Month

Terminal's IT Support, Products & Services Blog

Current Articles | RSS Feed RSS Feed

Windows Restore Virus

Posted on Wed, Apr 20, 2011
  
  
  
  

This week, I ran into a very intense virus called Windows Restore. It tries to make you think that there is a problem with everything from hardware to software applications on your PC. The reason it was so difficult to remove was the fact that it hides all your icons and stops your IE from being operational.

From past experiences, I know that it looks for certain software like Malwarebytes or ComboFix and disables them. If you do need anti-malware to run, your best bet is to rename it to something different like 123456. This will trick the virus and usually let you install your virus/malware removal programs. Below is a list of manual keys in the registry to look at when trying to remove this virus. Also, remember to go into folder options and show all files and folders.

Malicious Files Added by Windows Restore Virus :
%UserProfile%\Start Menu\Programs\Windows Restore\Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\Uninstall Windows restore.lnk
%AppData%\Microsoft\[random].exe
%UserProfile%\Desktop\Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\

Windows Restore Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Use FormSuggest” = ‘yes’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = ‘0′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ‘1′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random].exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random]”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policie \Associations “LowRiskFileTypes” = ‘{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ‘1′

Dennis Foote – System Engineer


Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Sincerely, Terminal We Serve All of Greater Boston and Cambridge, MA
We hope you have found this information helpful & if so...Please Follow Us on Twitter! or Like Us on Facebook!
Tags: , , , , , , ,

Comments

Currently, there are no comments. Be the first to post one!
Post Comment
Name
 *
Email
 *
Website (optional)
Comment
 *

Allowed tags: <a> link, <b> bold, <i> italics