How to remove Windows 7 Restore (Uninstall Guide)

What is Windows 7 Restore?

Windows 7 Restore is a fake system security software that is considered as a Rogue.
Rogues are malicious programs that cyber criminals use to trick users by displaying false threats and problems that it claims to have detected. In reality, none of the issues are real and are only used to convince the user into buying their software and stealing their personal financial information
As this program is a scam do not be scared into purchasing the program when you see its alerts. You are strongly advised to follow our removal instructions below.

Am I infected?
This is how the main screen of the rogue application looks:

[Image: AffcY.jpg]

Removal Instructions
(If you experience any problems completing these instructions, please start a new thread here)

STEP 1 : Start your computer in Safe Mode with Networking

  1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
  2. Do one of the following:
    • If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you will need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.
    • If your computer has more than one operating system, use the arrow keys to highlight the operating system you want to start in safe mode, and then press F8.
  3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking , and then press ENTER. For more information about options, see Advanced startup options (including safe mode).
    [Image: I6J8P.jpg]
  4. Log on to your computer with a user account that has administrator rights.


STEP 2: Fix your internet connection

This rogue adds a proxy server which prevents the user from accessing the internet. Follow the below instruction in order to remove this proxy server

  1. Open Internet Explorer.
    • For Internet Explorer 9 : Click on the gear icon [Image: NzFkB.jpg] at the top (far right) and click again on Internet Options.
    • For Internet Explorer 8 : Click on Tools, select Internet Options.

    [Image: gdC4r.jpg]

  2. Go to the tab Connections.At the bottom, click on LAN settings.
    [Image: uWqpA.jpg]
  3. Uncheck the option Use a proxy server for your LAN. This will remove the proxy server and allow you to use the internet again.
    [Image: w5PI9.jpg]

For Firefox users, go to Tools > Options > Advanced tab > Network > Settings > Select No Proxy

STEP 3 : Download and run RKill to terminate known malware processes.

RKill is a program that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then import a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools.

As RKill only terminates a program’s running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again.

  1. Download RKill
    Below are a list of RKill download links using different filenames. We offer RKill under different filenames because some malware will not allow processes to run unless they have a certain filename. Therefore when attempting to run RKill, if a malware terminates it please try a different filename offered below.




  2. Double-click on the RKill icon in order to automatically attempt to stop any processes associated with this rouge.
    [Image: ZnT7s.png]
  3. Now RKill will start working in the background, please be patient while the program looks for various malware programs and tries to ends them.
    [Image: gATdF.png]

    • If you receive a message that RKill is an infection, that is a fake warning given by the rogue. As a possible solution we advise you to leave the warning on the screen and then try to run RKill again.Run RKill until the fake program is not visible but not more than ten times.
    • If you continue having problems running RKill, you can download the other renamed versions of RKill from the above links.
  4. When Rkill has completed its task, it will generate a log. You can then proceed with the rest of the guide.

Note: Do not reboot your computer after running RKill as the malware programs will start again.


STEP 4 : Download and run TDSSKiller.

  1. Please download the latest official version of TDSSKiller.
    [Image: 0aTRt.gif]]
  2. Before you can run TDSSKiller, you first need to rename it so that
    you can get it to run. To do this, right-click on the TDSSKiller.exe icon that should now be on your Desktop and select Rename. You can now edit the name of the file and should name it a random name with the .com extension. For example, iexplorer.com or qwerty.com.
    [Image: ZXhAz.png]
  3. Once the file is renamed, double-click on it to launch it.
  4. TDSSKiller will now start and display the welcome screen as shown below.In order to start a system scan , press the ‘Start Scan’ button.
    [Image: wmoCi.png]
  5. TDSSKiller will now scan your computer for the TDSS infection.
    [Image: C5myc.png]
  6. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
    [Image: 7zchO.png]
  7. To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.
  8. A reboot might require to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.


STEP 5: Download and scan with Hitman Pro

  1. Please download the latest official version of Hitman Pro.
    [Image: 0aTRt.gif]
  2. Once downloaded click on it to run it.
    NOTE : If you have problems starting Hitman Pro, use the “Force Breach” mode. Hold down the left CTRL-key when you start Hitman Pro and all non-essential processes are terminated, including the malware process. (How to start Hitman Pro in Force Breach mode – video)

    [Image: hmp-welcome.jpg]

  3. Click Settings to proceed to the application scan options. Note that Hitman Pro 3 is free to use for the first 30 days, after which time it will prompt you to purchase a licence key.
    In the Settings menu, ensure that the options “Create Restore Point Before Removing Files” is checked, and click OK. Click Next to continue to the scan.

    [Image: hmp-settings.jpg]

  4. The Setup screen is displayed. Here, you can decide whether or not you wish to install Hitman Pro 3 on your system. To proceed with installation, select Yes,create a copy of Hitman Pro so I can regularly scan this computer .Click Next to continue.

    [Image: hylc2.png]

  5. Hitman Pro will start scanning your system for malicious software. Depending on the size of your hard drive, and the performance of your computer, this step will take several minutes.

    [Image: ptCoy.png]

  6. Once the scan is complete, a summary of detected malicious files is displayed.
    [Image: hmp-scanresults.jpg]
  7. Click Next to start removing the infected files.Hitman Pro 3 will now cleanse the infected files, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.


STEP 6 :Download and scan with Malwarebytes Anti-Malware

  1. Please download the latest official version of Malwarebytes’ Anti-Malware. [Image: 1208__malwarebytes.png]

  2. Install Malwarebytes’ Anti-Malware by double clicking on mbam-setup.
    [Image: AxE4f.png]
  3. Follow the prompts. Make sure that Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware are checked. Then click Finish.
    [Image: EFk1d.png]
  4. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for malicious files.
    [Image: Yomki.png]
  5. Malwarebytes’ Anti-Malware will now start scanning your computer for infected files .When the scan is complete, click OK, then Show Results to view the results.
    [Image: dVY31.png]
  6. You will now be presented with a screen showing you the malware infections that the program found.
    Please note that the infections found may be different than what is shown in the image.
    Make sure that everything is Checked (ticked) and click on Remove Selected.
    [Image: ZqRnb.png]
  7. Malwarebytes’ Anti-Malware will start now removing the malicious files.
    If during the removal process Malwarebytes will displays a message stating that it needs to reboot, please allow this request.
    [Image: kY6jB.png]

As an addition step it’s highly recommended that you download other free anti-malware software from the list below and run a full system scan to make sure that your computer is clean :

If you are still experiencing problems on your machine, please start a new thread here.


STEP 7 : Unhide the files and folders
This rogue modifies your file system in such a way that all files and folders become hidden. Follow the bellow instruction in order to unhide the files and folders.

  • Please download Unhide.exe
    [Image: 0aTRt.gif]
  • Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run.
    [Image: Qbo9D.png]

STEP 8.: Remove the residual damage

As this infection changes your desktop background to a solid black color,you should change it back to default one.

  • Windows XP : Click on the Start button and then select Control Panel. When the Control Panel opens, please click on the Display icon. From this screen you can now change your Theme and desktop background.
  • Windows 7 : Click on the Start button and then select Control Panel. When the Control Panel opens, please click on the Appearance and Personalization category. Then select Change the Theme or Change Desktop Background to revert back to your original Theme and colors.

(If you experience any problems completing these instructions, please start a new thread here)



How was I infected?

  • Rogues can get on to computers without the user’s consent through Drive-by downloads. When a user visits a compromised or infected website, the site immediately checks for any security vulnerabilities on the machine to inject the malicious code.
  • Peer-to-peer (P2P) programs utorrent, Limewire, and Kazaa are frequently used by hackers to distribute malware
  • Hackers can also trick the user into downloading a file, saying it is a legitimate file needed to view a video or pictures.

How can I prevent these infections?

1. Keep Your System Updated

  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities. Please ensure you update your system regularly.

    To update Windows and Office

    1. Go to Start > Control Panel > Automatic Updates
    2. Select Automatic (recommended) if you want the updates to be downloaded and installed without prompting you.
    3. Select Download updates for me, but let me choose when to install them button if you want the updates to be downloaded automatically but to be installed at another time.

To manually update Windows,

    Start Internet Explorer. Go to Tools > Windows Update

2. Keep your Antivirus up-to-date

Make sure that you update your antivirus, firewall and anti-spyware programs regularly. If you don’t have an antivirus, download any one of the following:

You can build a solid security configuration for your system with our help by starting a thread in this forum.
3. Avoid Peer-to-peer programs

  • Peer-to-peer programs are legitimate but the files shared are extremely dangerous. Hackers often use fake file names to trick users into downloading malware.

4. Switch your browser

  • Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads.
  • Google Chrome is another good browser that is faster and more secure than Internet Explorer.

5. Read our other “Security Tips”
Tehnical details :

Code:
Associated files and registry values:

Files:
==========================
%Temp%\smtmp\
%Temp%\smtmp\1
%Temp%\smtmp\1
%Temp%\smtmp\2
%Temp%\smtmp\3
%Temp%\smtmp\4
%LocalAppData%\
%LocalAppData%\.exe
%LocalAppData%\~
%LocalAppData%\~
%StartMenu%\Programs\ Windows 7 Restore
%StartMenu%\Programs\ Windows 7 Restore\ Windows 7 Restore.lnk
%StartMenu%\Programs\ Windows 7 Restore\Uninstall  Windows 7 Restore.lnk

Registry values:
================================
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDeskt​op "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Association​s "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments​ "SaveZoneInformation" = '1'

How to Stay Safe Online

Here are 10 basic security tips to help you avoid malware and protect your device:

  1. Use a good antivirus and keep it up-to-date.

    Shield Guide

    It's essential to use a good quality antivirus and keep it up-to-date to stay ahead of the latest cyber threats. We are huge fans of Malwarebytes Premium and use it on all of our devices, including Windows and Mac computers as well as our mobile devices. Malwarebytes sits beside your traditional antivirus, filling in any gaps in its defenses, and providing extra protection against sneakier security threats.

  2. Keep software and operating systems up-to-date.

    updates-guide

    Keep your operating system and apps up to date. Whenever an update is released for your device, download and install it right away. These updates often include security fixes, vulnerability patches, and other necessary maintenance.

  3. Be careful when installing programs and apps.

    install guide

    Pay close attention to installation screens and license agreements when installing software. Custom or advanced installation options will often disclose any third-party software that is also being installed. Take great care in every stage of the process and make sure you know what it is you're agreeing to before you click "Next."

  4. Install an ad blocker.

    Ad Blocker

    Use a browser-based content blocker, like AdGuard. Content blockers help stop malicious ads, Trojans, phishing, and other undesirable content that an antivirus product alone may not stop.

  5. Be careful what you download.

    Trojan Horse

    A top goal of cybercriminals is to trick you into downloading malware—programs or apps that carry malware or try to steal information. This malware can be disguised as an app: anything from a popular game to something that checks traffic or the weather.

  6. Be alert for people trying to trick you.

    warning sign

    Whether it's your email, phone, messenger, or other applications, always be alert and on guard for someone trying to trick you into clicking on links or replying to messages. Remember that it's easy to spoof phone numbers, so a familiar name or number doesn't make messages more trustworthy.

  7. Back up your data.

    backup sign

    Back up your data frequently and check that your backup data can be restored. You can do this manually on an external HDD/USB stick, or automatically using backup software. This is also the best way to counter ransomware. Never connect the backup drive to a computer if you suspect that the computer is infected with malware.

  8. Choose strong passwords.

    lock sign

    Use strong and unique passwords for each of your accounts. Avoid using personal information or easily guessable words in your passwords. Enable two-factor authentication (2FA) on your accounts whenever possible.

  9. Be careful where you click.

    cursor sign

    Be cautious when clicking on links or downloading attachments from unknown sources. These could potentially contain malware or phishing scams.

  10. Don't use pirated software.

    Shady Guide

    Avoid using Peer-to-Peer (P2P) file-sharing programs, keygens, cracks, and other pirated software that can often compromise your data, privacy, or both.

To avoid potential dangers on the internet, it's important to follow these 10 basic safety rules. By doing so, you can protect yourself from many of the unpleasant surprises that can arise when using the web.