How to Remove System Restore (Rogue Software)"
System Restore" is a rogue Windows registry cleaner and HDD repair program that claims to fix common cause of Windows crashes and error messages (please see the image below). The name of this malicious software is truly misleading. As you probably know, there's a valuable and genuine Windows utility called System Restore. It solves major Windows problems and restores Windows system files while the fake one reports non-existent system errors and HDD failures. System Restore (fake) is from the same family as Data Recovery malware.
Before continuing with the removal instructions, you can use cracked registration key and fake email to register the program. This will allow you to download and run any malware removal tool you like and restore hidden files and shortcuts.
any@email.com
1203978628012489708290478989147
When running, System Restore will report the following problems on your computer:
Hard drive rotational speed decreased by 20%
Drive C initializing error
Disk drive C:\ is unreadable
System files are damaged. System is unstable
GPU RAM temperature is critically high
The problem may cause errors while loading your operating system
RAM memory speed decreased significantly and may cause a system failure
and many more...
It detects 14 errors on each infected computer. It doesn't matter whether is a brand new PC or and old laptop. All the errors and warnings are predetermined, so don't get spooked. Data Recovery is more annoying than dangerous, however, there's one this that shouldn't be overlooked. The rogue program hides certain files, usually shortcuts and Desktop icons, and moves other files to Windows
%Temp%\smtmp folder.
In Windows 7, the Start menu items are move toAll Users Items = %userprofile%\AppData\Local\Temp\smtmp\1
Current User Items = %userprofile%\AppData\Local\Temp\smtmp\2
Desktop Items = %userprofile%\AppData\Local\Temp\smtmp\4In Windows XP, the Start menu items are move toAll Users Items = %userprofile%\Local Settings\Temp\smtmp\1
Current User Items = %userprofile%\Local Settings\\Temp\smtmp\2
Desktop Items = %userprofile%\Local Settings\Temp\smtmp\4
Desktop item can be moved or copied back with robocopy:robocopy %userprofile%\appdata\local\temp\smtmp\4 %userprofile%\desktop /move /a-:h
All Users can be moved with:robocopy %userprofile%\appdata\Local\Temp\smtmp\1 "c:\ProgramData\Microsoft\Windows\Start Menu" /move /a-:h
Current Users: robocopy %userprofile%\Appdata\Local\TEmp\smtmp\2 "%userprofile%\Appdata\Roaming\Microsoft\Windows\Start Menu" /move /a-:h
or copy this text and rename restoresm.bat:
xcopy %Temp%\smtmp\1\ "%AllUsersProfile%\Start Menu" /e /i /h
xcopy %Temp%\smtmp\2\ "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /e /i /h
xcopy %Temp%\smtmp\3\ "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /e /i /h
xcopy %Temp%\smtmp\4\ "%AllUsersProfile%\Desktop" /e /i /h
Do not delete any files from your Temp folder; otherwise you'll have to use Windows CD/DVD to restore your system. Thankfully, you can unhide your files rather easily. Just follow the removal instructions below. It is also worth mentioning that System Restore executable drops a rootkit from the TDSS family. If you don't remove the rookit the rogue application will be re-installed.
Fake System Restore warnings:Windows detected a hard disk problem A potential disk failure may coss loss of files, applications and documents stored on the hard disk. Please try not to use this computer until the hard disk is fixed or replaced.
Related malware:System Recovery
Master Utilities
HDD RepairUnhide Files:
Type in command promptattrib -h *.* /S /Dor download
unhideThis malware usually (but not always) comes bundled with TDSS rootkit. Removing this rootkit from your computer is very important (if exists). Run
TDSSKiller
