Fake System Restore Removal Process (remove FakeSystemRestore)

Protect Yourself from Fake System Restore

- Remove rogue anti-spyware/anti-virus programs
- Prevent trojans, hijackers & other malware infections
- Use spyware helpdesk to resolve pesky malware

Start Your Scan Now to Detect Fake System Restore

Fake System Restore

System Restore is a fake non-Microsoft based defragmenter program that aims to lure unsuspecting computer users into purchasing a rogue security application. It should not be confused with the genuine System Restore function from Windows, so in this article, we’ll be adding the word “fake” when referring to the rogue defragmenter program System Restore in order to prevent confusion. Because it has exactly the same name as the Microsoft-based System Restore function that is available on all Windows platforms, a lot of unsuspecting computer users are being victimized by this rogue defragmenter.

Characteristics of the Fake System Restore

PCHubs malware researchers have noted that some rogue defragmenters that are known to behave in a similar fashion as Fake System Restore. Some of these similar rogue security programs that may be in the same family as Fake System Restore are Data Restore, Data Recovery, OpenCloud Antivirus, Security Sphere 2012, System Diagnostic, Windows Diagnostic, Windows Tool and WinScan. Be aware that the real System Restore from Windows serves as a special utility or function in restoring your computer back to a more stable state. However, the Fake System Restore behaves like a malware, but appears to look like a real defragmenter application.

Fake System Restore gets installed on your computer when your PC is infected with a Trojan acquired from a fake online system scan or system exploit. It usually starts with a Windows Diagnostic message, which says that your operating system has detected an error in your hard disk and that there are problems with your hard drive sectors. It would then prompt you to download their recommended software, which is actually the Fake System Restore application. Once installed, Fake System Restore will make you believe that there are a number of system errors on your computer. Some of these include hard drive problems, inability to access your registry, unreadable hard disk space, and other fake alerts that would scare the computer user. This would initially scare you into thinking that your computer has a lot of system errors, so that you would purchase the full version of Fake System Restore. Don’t fall into this scam as the Fake System Restore has no capability at all in detecting and removing computer system errors.

Removing Fake System Restore from your Computer

Removing Fake System Restore is a must, especially after being detected on your computer. As confirmed time and again by PCHubs security analysts, rogue security applications do nothing good in increasing your computer’s security. Therefore, it is a must to remove Fake System Restore without delay.

You would need to run your computer in Safe Mode in order to be successful in completely removing Fake System Restore from your computer. This would prevent Fake System Restore from launching automatically. It would also make removing this fake defragmentation application easy with the use of a strong, reliable, and genuine anti-malware program. Your anti-malware application must be updated with the latest signature database. This is to ensure that all traces of Fake System Restore will be completely removed from your computer.

Are you getting popups from Fake System Restore? Have you identified that you have Fake System Restore installed on your computer? Do you wish to remove Fake System Restore completely from your computer?

Why should you remove Fake System Restore?

If Fake System Restore resides on your computer, it can potentially damage your personal files or you may end up losing data stored on your system. Research has shown that Fake System Restore may have the ability to make your computer vulnerable to remote attacks which could result, initially, in loss of money, possibly identity theft, and, eventually, a painstaking Fake System Restore removal process.

How can you manually remove Fake System Restore

Manual removal of Fake System Restore may not be for everyone. Each manual Fake System Restore removal step must be followed delicately to completely remove all related files and registry entries from your computer. If you are unsure or have doubts about editing your system registry, then we recommend that you use the automatic Fake System Restore removal process.

Fake System Restore can be removed manually by following the steps below.

1. With all programs closed, click the Start Menu and go to the Control Panel.
2. Locate the Add/Remove Programs icon and double click it.
3. Locate Fake System Restore in the list of programs. If you find it, select it and remove it. If you cannot find Fake System Restore, you can continue to step 5.
4. Restart your computer.
5. Close all open programs and windows on your desktop.
6. Open your registry editor (regedit) program by going to Start Menu, type in regedit, and click OK.
7. Find all of the following registry entries and delete them. If you do not know how to do this, then you can read how to edit the registry in Windows.
   HKCU\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"

   HKCU\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"

   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'

   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'

   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'

   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'

8. You may need to return to this removal process for removing Fake System Restore. You can do this easily by bookmarking or adding a favorite to this page by clicking here. If you are using the FireFox web browser you can press the keys Ctrl and D simultaneously to bookmark this page.

   Image 1. Bookmark PCHubs removal process

   

9. Delete all of the following files that are associated with Fake System Restore from your computer.

   %Desktop%\System Restore.lnk

   %Programs%\System Restore

   %Programs%\System Restore\System Restore.lnk

   %TempDir%\dfrg

   %TempDir%\dfrgr

   %TempDir%\[RANDOM CHARACTERS]

   %TempDir%\[RANDOM CHARACTERS].exe

   If you need a better understanding on how to search for these files then you can read how to find and search for files and folders here.

   If you have issues deleting any of the previously listed files that are associated with Fake System Restore, you can try rebooting your computer into safe mode. Booting into safe mode may allow certain malicious files to be deleted. If you are wondering how to boot into safe mode, you can read our process for starting a computer in safe mode here.

   Image 2. Select "Safe Mode with Networking"

   

10. After locating and deleting the previous files you must remove all directories associated with Fake System Restore by going to the C:\ProgramFiles\Fake System Restore folder, select it, and delete it. In some cases you may not be able to find this directory. You can still continue to the next step.

11. Restart your computer. You do not need to boot into safe mode at this point. You should have removed Fake System Restore completely from your computer. If you find that Fake System Restore is still on your computer, you can repeat the steps again or go to the automatic Fake System Restore removal process.