Windows Restore (WindowsRestore) Virus Removal Guide

Virus Type: Rogue Security Application
Threat Level: 8 / 10

Windows Restore, also known as WindowsRestore, is a new fake optimization program. Legitimate optimization programs are designed to make a computer perform faster and better by making changes to software and hardware; for example, a disk optimization program optimizes a hard disk by making files easier to access and cleaning up unused files. Windows Restore attempts to convince the user that there is an issue with their computer by making a majority of files hidden. With the files hidden, the user may believe that the hard drive is corrupt; however, the user can see these files by turning on “hidden files and folders” in folder options. The user can also make these files and folders unhidden by opening the properties of the affected folders and deselecting the hidden box. Further in the guide we detail how to see these files and how to make them unhidden. Windows Restore is a clone of other fake computer optimization programs; these fake optimization programs are generally released on a weekly basis. The latest versions of this fake program are Windows Recovery and Windows Repair. Both of these programs were released in March 2016. The user comments at the bottom of this guide may provide insight into the successful removal of WindowsRestore.

Below is our recommended removal tool for Windows Restore. The removal tool has been rated 5 cows out of 5 by Tucows and was previously CNET’s Editor’s Choice.

If you are unable to run the removal tool, or are unable to run any programs in general, you may need to stop the processes associated with Windows Restore using Task Manager. If Task Manager has been blocked by Windows Restore, try using Process Explorer.

Windows Restore claims to offer a variety of services, including viewing the system status of the computer (hard drives, memory, system health, performance services and proactive protection), diagnostics (a system safety & performance test along with a RAM & storage memory test), and the ability to fix the errors it finds. For example, Windows Restore claims to detect HDD read/write errors and scan for junk files and folders.

Fake programs like Windows Restore use a variety of methods to enter and infect computers. Windows Restore was recently introduced around April 2016 and is generally installed without user permission through the use of a trojan horse, which is generally downloaded through a security flaw. However, there are also other methods by which a fake antivirus program can infect a computer. For example, it has been reported that its previous clone, Windows Recovery, is spreading through a PDF exploit (a security flaw in the PDF file). Some fake antivirus programs have also spread through email attachments.

The name of the Windows Restore main executable is generally a series of random characters, making it harder for the user to find. The main executable will be in a different location for different operating systems. The main executable file is also generally hidden; therefore, the user will need to turn on the ability to see hidden files and folders. Windows Restore also has different modules; these include the Scanner Module, Standard Module, and Advanced Module. Similar to other fake programs, Windows Restore also displays system specifications in the right-hand area of the program window: the operating system, installed memory, and hard drive information.

Important - Windows Restore will hide other files and folders on the computer in an attempt to convince the user that there are issues with the hard drive. By turning on “show hidden files and folders,” the user will be able to see their files. In Windows 7, you can search “hidden files and folders” in the Windows Search Bar to find the folder options. To bring up the Windows Search Bar, click on the Windows 7 logo in the bottom left hand portion of the screen (this will bring up the programs). In Windows XP, the user will need to go to tools and then go to folder options in the file manager. In folder options, click “View” and scroll down to “Hidden files and folders.” This will allow the user to see the hidden files and folders. In order to make these files unhidden, you will need to go to the following location.

Windows Vista & Windows 7 – C:\Users\

Windows XP – C:\Documents and Settings\

The user will need to locate the folder with their username, right click on the folder, and left click on properties. This will bring up the properties dialog. Deselect the hidden box and click OK. A box will come up; select the option to apply changes to the folder, subfolders, and files.
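The same unhide step can be scripted. The PowerShell below is an added example, not part of the original guide: it lists every item under a profile folder that has the Hidden attribute set and, only when run with `-Apply`, clears that attribute. It assumes the affected profile is the current user's (`$env:USERPROFILE`) and deliberately skips items that also carry the System attribute (such as desktop.ini) and reparse points, which the "apply to subfolders and files" checkbox would otherwise unhide as well.

```powershell
# Added example (not from the guide). Dry run by default; pass -Apply to change attributes.
param(
    [string]$ProfilePath = $env:USERPROFILE,   # assumption: the affected profile folder
    [switch]$Apply
)

$hidden = [int][System.IO.FileAttributes]::Hidden
# Items flagged System or ReparsePoint are normally hidden by Windows itself; leave them alone.
$skip   = [int][System.IO.FileAttributes]::System -bor [int][System.IO.FileAttributes]::ReparsePoint

# -Force makes hidden items visible to the cmdlets; the profile folder itself is included.
$items = @(Get-Item -LiteralPath $ProfilePath -Force) +
         @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue)

$targets = @($items | Where-Object {
    (([int]$_.Attributes -band $hidden) -ne 0) -and
    (([int]$_.Attributes -band $skip) -eq 0)
})

foreach ($item in $targets) {
    if ($Apply) {
        # Hidden is known to be set on every target, so XOR clears only that bit.
        $item.Attributes = $item.Attributes -bxor [System.IO.FileAttributes]::Hidden
    }
    $item.FullName
}

$state = if ($Apply) { 'unhidden' } else { 'would be unhidden (dry run)' }
"{0} item(s) {1}" -f $targets.Count, $state
```

Review the dry-run list first: folders that Windows hides by default without the System flag, such as AppData on Windows Vista and Windows 7, appear in it and can be re-hidden afterwards if desired.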

Windows Restore, like many other fake programs, will create a series of warnings and pop ups in order to scare the user into purchasing the fake program. Windows Restore hopes to make the user think that there are serious issues with the computer. Windows Restore may also create these warnings in an attempt to make it look legitimate to the user. Some of the warnings created by Windows Restore can be found below. Many of these warnings will come up when attempting to open a program. Windows Restore will generally close the program and then show the warning.

“Hard Drive Failure

The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system.”

“System Error

An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors.”

“Critical Error

RAM memory usage is critically high. RAM memory failure.”

Windows Restore, like many other fake programs, will also claim that there are many issues with the user’s computer. Some of these issues can be found below.

“Registry Error – Critical Error
Boot sector of the hard drive disk is damaged – Critical Error
Data Safety Problem. System integrity is at risk.
RAM memory temperature is 83 Celsius. Optimization is required for normal operation.
Read time of hard drive clusters less than 500 ms – Critical Error
A problem detected while reading boot operating system files
Drive C initializing error
Bad sectors on hard drive or damaged file allocation table – Critical Error
Hard drive doesn’t respond to system commands – Critical Error
35% of HDD space is unreadable – Critical Error”

Below are additional warnings created by Windows Restore.

“Critical Hard Disk Drive Error

Critical hard disk drive error has been detected!

Windows Restore detected a bad sector on your hard drive.”

“Critical Error

Hard drive critical error. Run a system diagnostic utility to check your hard disk drive for errors. Windows can’t find hard disk space. Hart drive error.”

“Critical Error

Damaged hard drive clusters detected. Private data is at risk.”

It is recommended to use safe mode when removing the virus because Windows Restore will generally not be able to load in safe mode. To enter safe mode, restart the computer and press F8 multiple times before the Windows screen to bring up the boot options.


The safe mode with networking option will allow the user to be able to use the internet in safe mode. Windows Restore can be removed by using the removal tool or by manually removing the virus.


Common symptoms and characteristics of Windows Restore and other rogue security programs include:
1. Windows Restore is generally installed without user permission.
2. Windows Restore uses pop ups and fake virus scans to scare the user.
3. Various antivirus and system programs on the user’s computer will stop functioning.

Manual Windows Restore Removal – In order to manually remove Windows Restore, the processes associated with Windows Restore must be stopped, the files associated with the processes must be removed, and the registry entries must be corrected to the previous state before Windows Restore entered the computer.

Important: Before attempting to manually remove Windows Restore, we recommend that the user read through comments posted by other users on how they removed specific fake antivirus programs since many fake antivirus programs are similar. These comments may provide additional information which may be useful in removing Windows Restore. However, please use discretion since these specific comments pertain to other fake antivirus programs.

Stop Windows Restore Processes
[random].exe

To clarify, [random].exe means that the executable will be a set of random characters.

Remove Windows Restore Files

Windows XP – C:\Documents and Settings\All Users\Application Data\Microsoft\[random].exe

Windows Vista & Windows 7 – C:\ProgramData\[random].exe

The file location is different among operating systems (Windows XP, Windows Vista, Windows 7) due to a different method in which each operating system organizes files.

Windows Restore will generally make a large portion of files on the computer hidden. This includes the main executable for Windows Restore. Therefore, the user will need to turn on “show hidden files” in order to see these files. This feature can be found in the folder options under “Hidden files and folders.” In Windows 7, you can search “hidden files and folders” in the Windows Search Bar to find the folder options. To bring up the Windows Search Bar, click on the Windows symbol in the bottom left hand part of the screen. In Windows XP, the user will need to go to tools and then go to folder options in the file manager. In folder options, click “View” and scroll down to “Hidden files and folders.”

Remove Windows Restore Registry Keys
HKEY_CURRENT_USER\Software\Windows Restore
HKEY_LOCAL_MACHINE\SOFTWARE\Windows Restore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Restore

Remove Windows Restore Startup Entry
[random].exe
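
Before deleting anything by hand, it helps to confirm which of the items listed above actually exist on the machine. The read-only PowerShell below is an added example, not part of the original guide: it checks the three registry keys and the two file locations given in this guide and reports startup values that launch an executable found there. The guide does not say where the startup entry is stored, so checking the standard Run keys is an assumption.

```powershell
# Added example, read-only: it reports candidates and deletes nothing.
# Registry keys exactly as listed in this guide.
$keys = @(
    'HKCU:\Software\Windows Restore',
    'HKLM:\SOFTWARE\Windows Restore',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Restore'
)
# Folders where the guide places [random].exe (Windows XP, then Vista/7).
$dropDirs = @(
    'C:\Documents and Settings\All Users\Application Data\Microsoft',
    'C:\ProgramData'
)
# Assumption: the guide does not name the startup location;
# the standard per-user and machine Run keys are checked here.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function New-Finding($Type, $Location, $Detail) {
    New-Object PSObject -Property @{ Type = $Type; Location = $Location; Detail = $Detail }
}

$findings = @()
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += New-Finding 'RegistryKey' $k '' }
}

# -Force is needed because the guide notes the executable is hidden.
$exes = @(foreach ($d in $dropDirs) {
    if (Test-Path -LiteralPath $d) {
        Get-ChildItem -LiteralPath $d -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    }
})
foreach ($e in $exes) { $findings += New-Finding 'Executable' $e.FullName $e.Attributes }

# Report a Run value only when its command line references one of the executables above.
foreach ($rk in $runKeys) {
    $key = Get-Item -LiteralPath $rk -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        $hit = $exes | Where-Object { $cmd.IndexOf($_.FullName, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
        if ($hit) { $findings += New-Finding 'StartupEntry' "$rk\$name" $cmd }
    }
}
$findings | Format-Table Type, Location, Detail -AutoSize
```

An executable sitting directly in one of these folders is a candidate to review, not proof of infection; an empty result for the registry keys is also possible, since the keys may not be present on every infected machine.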


If you have any questions or comments, or need help with any of the steps, please don’t hesitate to comment below. We recommend that you follow our safety tips so that you can keep your computer clean.

Your feedback is very highly valued by others so please feel free to comment below. Please feel free to share a solution that you may have used to remove Windows Restore.

This entry was posted on Tuesday, April 5th, 2016 at 9:57 pm and is filed under Malware Removal.

16 Responses to “Windows Restore (WindowsRestore) Virus Removal Guide”

Nahia April 6th, 2016 at 1:45 pm

I need help. I think my antivirus (Avast) did this already, but I have a bigger problem… Files don’t show up, but they are still there; I just don’t see them. For example, my music is not there, but my reproducer plays the songs. I think this virus/trojan has done that… How can I get back my files? -.- Please!!! I need help!!! I have restored the system but it doesn’t work… I followed each step of your guide, but there is no change. I think I am doing something wrong… If you can contact me…

Si April 6th, 2016 at 10:03 pm

NAHIA: Literally copy pasted from the guide

Windows Restore will generally make files on the computer hidden. Therefore, the user will need to turn on “show hidden files” in order to see these files. This feature can be found in the folder options under “Hidden files and folders.” In Windows 7, you can search “hidden files and folders” in the Windows Search Bar to find the folder options. In Windows XP, the user will need to go to tools and then go to folder options in the file manager.

Great guide by the way was pretty freaked out by this virus as am not a very technical person but this was very informative and helpful

Nahia April 7th, 2016 at 11:46 am

OHHHHHHHHHHH THANKSSSSSSSSSSSS. I was confused, because I have Vista and thought I had to go to properties and click on hidden folders. Sorry, my English is terrible. Thank you very much everyone …You have solved the problem!

I freaked out too lol

Fook-Chuen April 8th, 2016 at 8:51 am

I have followed various guides on how to remove the virus, which worked. However, I am unable to see any file in the “document and settings” folder. I have asked it to show all hidden files but still nothing, and in my taskbar all the program shortcuts are missing – programs are still working. Help would be appreciated.

Fook-Chuen April 8th, 2016 at 8:58 am

sorry I meant in the “start menu” and not the “taskbar”

Chris 20163 April 8th, 2016 at 7:48 pm

Have big problem. I too have a Vista system, what a pain in the rear. Need help, as just getting the system into safe mode was difficult. Thanks

Rocky April 9th, 2016 at 6:39 am

I am having the same issues as Fook-Chuen.
- I have only one user set up and all of the files and folders under that user have disappeared and there is no “+” next to the folder indicating the presence of subfolders. However, file properties reports a file size of 2.76 GB.
- All folders and files on the program tab of the start menu have disappeared, save for a single empty folder, Open Office programs.
- It appears all the desktop icons related to the sole user disappeared, but those in the common user file (which is still visible in contrast to the files for the single user) are on the desktop.
- All program shortcut icons in the taskbar also disappeared (the open program icons still appear on the right).
- The desktop

Rocky April 9th, 2016 at 6:51 am

continuing above message – sorry, misclick
- The desktop background image disappeared and is replaced by a default solid color.

I suspect that the latter 3 issues might result from not being able to access data stored in the files not being addressed in the user file.

In folder options I selected show hidden folders and applied the setting, but it made no difference, neither after restarting. I did not expect it to since the missing files and folders should not be hidden if “Hide Files” was selected.

I also ran the WinDoctor and DiskDoctor repair programs in Norton SystemWorks but they had no effect.

So it appears my User files are there, as evidenced by folder properties, but are not only hidden from view in My Computer but hidden from access by Windows system programs. Any ideas on how to fix?

I have Windows XP.

nick April 9th, 2016 at 7:26 am

hey mate,
I have Vista and I have found the hidden files, but I can’t get them ‘unhidden’ or back to normal again. I’ve done a scan and gotten rid of 5 potential viruses, but I can see the hidden “windows restore” shortcut on my desktop. I’m not doing anything as yet but just continuing a full scan of my laptop.
I probably sound like a huge noob but thanks for any help you guys can give.

jon April 9th, 2016 at 9:19 pm

In order to get the desktop & applications back, go to

Windows Vista and Windows 7 – C:\Users\

Windows XP – C:\Documents and Settings\

Find the folder with your username. Right click on your folder and click on properties.
Uncheck the hidden box and press ok. Apply changes to this folder, subfolder and files.

This should allow you to see the files and programs which Windows Restore has hidden.

Wendy April 10th, 2016 at 3:09 pm

I got rid of it by loading SuperAntiSpyware Portable Scanner to a USB stick, but was also left with hidden files. Thanks to Jon I got them back, thanks!!

Dam April 10th, 2016 at 7:30 pm

Windows Restore is not in these registry keys
Couldn’t find it anywhere

HKEY_CURRENT_USER\Software\Windows Restore
HKEY_LOCAL_MACHINE\SOFTWARE\Windows Restore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Restore

Debbie April 12th, 2016 at 10:44 am

I think I’ve gotten rid of the virus and can see my hidden files, but still can’t do a system restore. Also, can’t get my desktop background back. How do I get these things back to normal? System restore especially!

Paul C June 14th, 2016 at 2:06 pm

I have all the symptoms described on this website. I cannot see any of the files as the hidden files option is not selected. Could this virus trojan/win32/alureon.EZ have actually deleted the files or corrupted the disk?

Anita June 15th, 2016 at 1:44 am

Window Restore is causing my computer to cycle through and won’t let me get to my desktop even in safe mode, what do I do?

stephens phalatse July 25th, 2016 at 10:50 am

Your antivirus software detects a boot sector virus. What is a valid option for removing the virus?
