
Tuesday, June 14, 2011

Remove Windows XP Restore (Uninstall Guide)

Windows XP Restore is a fake computer optimization tool that pretends to scan your computer for registry and system errors. It may look like legitimate analysis and optimization software, but every problem it reports is fabricated. This rogue, which also goes by the name Windows XP Recovery, began circulating in early May and has steadily racked up victims. I have to admit that Windows XP Restore is probably the most annoying scareware I've encountered so far this year. Two factors make this kind of malware profitable: fear and annoyance. Windows XP Restore not only urges you to pay for the "full version" to fix non-existent registry and hard drive errors, it also hides your files, folders, desktop shortcuts and icons by setting the Hidden attribute on them, and it disables Windows tools such as Task Manager. If you are grappling with this malware, follow the removal instructions below to remove Windows XP Restore and make your files visible again.



While Windows XP Restore is running, it displays fake hard drive error warnings to make you think that your computer is really going to explode. Here are two examples of the fake Windows XP Restore alerts:
Critical Error
Damaged hard drive clusters detected. Private data is at risk.

Critical Error
Hard drive critical error. Run a system diagnostic utility to
check your hard disk drive for errors.


As I said, it blocks Task Manager and other Windows utilities. Windows XP Restore claims that Task Manager was disabled by your administrator; that's bloody rude.
Task Manager has been disabled by your administrator.


You can remove Windows XP Restore manually, but honestly this is not something novice computer users should attempt on their own; scanning the computer with anti-malware software is the safer route. There is also a useful shortcut: you can "activate" the rogue program by entering the registration code 8475082234984902023718742058948 together with any e-mail address, as shown in the image below.



Once activated, Windows XP Restore stops nagging and makes your files visible again automatically, and you are free to install anti-malware software and remove the rogue program properly. This will save you a lot of time, trust me. Keep in mind that activation only silences the rogue; its files and the registry changes listed at the bottom of this post are still there until you run the scan. If you have any further questions, please leave a comment below. Good luck and be safe online!


Windows XP Restore removal instructions:

1. First of all, you need to unhide your files and folders. Select Run... from the Start Menu or press the Windows key + R. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. The command works on the current folder and everything below it; the prompt opens in your own profile folder, which covers My Documents and the Desktop, so to cover the whole drive type cd \ first (or give the path explicitly: attrib -h C:\* /s /d). Files that also carry the System attribute are skipped with the message "Not resetting system file"; that is what you want, because Windows' own hidden system files stay hidden. Now you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



If your desktop is still empty after that, Explorer itself may not be running. Select Run... from the Start Menu or press the Windows key + R. In the Open: field, enter explorer and hit Enter or click OK to start it again.



2. Open Internet Explorer. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe, names the rogue leaves alone because it expects them to belong to Internet Explorer and Windows. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Alternate Windows XP Restore removal instructions (manual):

1. First of all, you need to unhide your files and folders. Select Run... from the Start Menu or press the Windows key + R. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. The command works on the current folder and everything below it, so type cd \ first to cover the whole drive (or give the path explicitly: attrib -h C:\* /s /d). Files that also carry the System attribute are skipped with the message "Not resetting system file", so Windows' own hidden system files stay hidden. Now you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



2. The rogue application places an icon on your desktop. Right-click the icon, click Properties in the menu, then click the Shortcut tab.



The location of the malware is in the Target box.



On computers running Windows XP, malware hides in:
C:\Documents and Settings\All Users\Application Data\

NOTE: by default, the Application Data folder is hidden, and the malware's files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, select Show hidden files and folders, and remove the checkmarks from the checkboxes labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data directory.

On computers running Windows Vista/7, malware hides in:
C:\ProgramData\

3. Look for suspect ".exe" files in the directory that matches your Windows version.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\16506660.exe
C:\Documents and Settings\All Users\Application Data\nmqkFApeDId.exe

Example Windows Vista/7:
C:\ProgramData\16506660.exe
C:\ProgramData\nmqkFApeDId.exe

Basically, there will be a couple of ".exe" files named with a series of digits or random letters.



Rename those files to 16506660.vir, nmqkFApeDId.vir, etc. For example:



It should be: C:\Documents and Settings\All Users\Application Data\16506660.vir

Instead of: C:\Documents and Settings\All Users\Application Data\16506660.exe

4. Restart your computer. The malware should be inactive after the restart: its Run entries in the registry (listed below) still point at the old .exe names, which no longer exist.

5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with the TDSS rootkit, and removing that rootkit, if present, is very important. Run TDSSKiller and remove the rootkit.



6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe, names the rogue leaves alone because it expects them to belong to Internet Explorer and Windows. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
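The page's own tools for the manual route are attrib, Explorer and a reboot. As an added example (not code from the original post), here is a dry-run helper for step 1 (unhiding) and step 3 (finding and renaming the rogue's files) of both procedures above. It assumes Python 3 on Windows from an administrator prompt, or a clean machine with the infected disk attached as another drive letter (pass that drive's paths instead of C:). The "random name" test is my own heuristic built from the two file names the page shows, and the names and attribute bits used in the comments are constructed samples.

```python
"""Added example, not code from the original post: a dry-run helper for
step 1 (unhiding) and step 3 (finding and renaming the rogue's files) of
the manual procedure above.  Assumes Python 3 on Windows from an
administrator prompt, or a clean machine with the infected disk attached
as another drive letter (then pass that drive's paths).  The names and
attribute bits in the comments and tests are constructed samples."""
import os
import stat
from datetime import datetime

HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM

def should_unhide(attrs):
    """The rogue sets only Hidden on user data.  Windows' own hidden files
    (boot.ini, ntldr, pagefile.sys, ...) carry Hidden+System, which plain
    'attrib -h' also refuses to touch, so they are skipped here as well."""
    return bool(attrs & HIDDEN) and not (attrs & SYSTEM)

def plan_unhide(entries):
    """entries: iterable of (path, attribute bits) -> paths to unhide."""
    return [path for path, attrs in entries if should_unhide(attrs)]

def walk_attributes(root):
    """Yield (path, attrs) for every folder and file below root (Windows only:
    st_file_attributes is not populated on other platforms)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_file_attributes
            except OSError:
                continue

def unhide_tree(root, apply=False):
    """Clear the Hidden bit under root; prints only unless apply=True."""
    import ctypes  # Windows-only API, so imported where it is used
    targets = plan_unhide(walk_attributes(root))
    for path in targets:
        if apply:
            attrs = os.lstat(path).st_file_attributes
            ctypes.windll.kernel32.SetFileAttributesW(path, attrs & ~HIDDEN)
        print(('unhid ' if apply else 'would unhide ') + path)
    return targets

def looks_random(stem):
    """Heuristic (mine, not the page's): the rogue's files are named like
    16506660 or nmqkFApeDId, i.e. all digits or letters with many case
    flips, a pattern real program names rarely show."""
    if stem.isdigit():
        return True
    flips = sum(1 for a, b in zip(stem, stem[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return flips >= 4

def suspect_files(data_dir, exts=('.exe', '.dll', '.lic')):
    """Executables dropped straight into the all-users data folder, newest
    first, as (path, size, mtime, flagged).  Legitimate software keeps its
    files in sub-folders, so every hit here deserves a look."""
    found = []
    for entry in os.scandir(data_dir):
        stem, ext = os.path.splitext(entry.name)
        if entry.is_file() and ext.lower() in exts:
            st = entry.stat()
            found.append((entry.path, st.st_size,
                          datetime.fromtimestamp(st.st_mtime), looks_random(stem)))
    return sorted(found, key=lambda f: f[2], reverse=True)

def quarantine_name(path):
    """Swap the extension for .vir, as the page suggests."""
    return os.path.splitext(path)[0] + '.vir'

def quarantine(paths, apply=False):
    """Rename the given files to .vir so their Run entries find nothing at boot."""
    renamed = []
    for path in paths:
        target = quarantine_name(path)
        if apply:
            os.rename(path, target)
        print(('renamed ' if apply else 'would rename ') + path + ' -> ' + target)
        renamed.append(target)
    return renamed

if __name__ == '__main__':
    import sys
    # Vista/7: %AllUsersProfile% is C:\ProgramData.  On XP pass
    # "%AllUsersProfile%\Application Data" explicitly as the first argument.
    data_dir = sys.argv[1] if len(sys.argv) > 1 else os.environ.get('ALLUSERSPROFILE', 'C:\\ProgramData')
    for path, size, mtime, flagged in suspect_files(data_dir):
        print(f"{mtime:%Y-%m-%d %H:%M} {size:>9} {'SUSPECT' if flagged else '       '} {path}")
    # After reviewing the list: quarantine([...chosen paths...], apply=True),
    # reboot, then unhide_tree('C:\\', apply=True).
```

Run it without arguments to get the listing only; nothing is renamed or unhidden until you call quarantine() and unhide_tree() with apply=True. Treat the SUSPECT flag as a hint, not a verdict: the real signal is an executable sitting directly in the all-users data folder with a recent timestamp, and the page's step 2 (the shortcut's Target box) tells you the exact file the rogue launches.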


Associated Windows XP Restore files and registry values:

Files:

Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\~[SET OF RANDOM CHARACTERS]
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows XP Restore.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\Windows XP Restore.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\Uninstall Windows XP Recovery.lnk
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\~[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows XP Restore.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\Windows XP Restore.lnk
  • %UserProfile%\Start Menu\Programs\Windows XP Restore\Uninstall Windows XP Restore.lnk
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
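The LowRiskFileTypes string above is not in the form Windows reads: every byte of it is the plain-text extension list XOR-ed with 1 ('.' shows up as '/', ';' as ':'). Decoding it gives the real list, which is what to search for if you read the live registry. The following is an added example, not code from the original post; the XOR-1 reading is my assumption, borne out by all 23 entries decoding to real extensions.

```python
# Added example, not code from the original post: decode the
# "LowRiskFileTypes" string as listed above and show which extensions it
# whitelists.  Assumption (not stated on the page): the listing is the
# plain-text value with every byte XOR-ed with 1; the decode below
# reverses that, and every one of the 23 entries comes out as a real
# extension, so the assumption holds for this sample.
from typing import List

# Copied verbatim from the registry listing above.
LISTED_VALUE = ('/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:'
                '/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:')

# Extensions that run code when opened; marking them low risk switches off
# Attachment Manager's "Open File - Security Warning" for downloads of that type.
CODE_TYPES = {'.exe', '.bat', '.com', '.cmd', '.reg', '.msi', '.scr'}

def xor1(text: str) -> str:
    """Flip the low bit of every byte; the transform is its own inverse."""
    return bytes(b ^ 1 for b in text.encode('ascii')).decode('ascii')

def split_types(value: str) -> List[str]:
    """LowRiskFileTypes is a ';'-separated list such as '.exe;.bat;'."""
    return [t for t in value.split(';') if t]

def is_plain(value: str) -> bool:
    """Plain-text entries all start with '.'; the encoded ones start with '/'."""
    types = split_types(value)
    return bool(types) and all(t.startswith('.') for t in types)

def normalize(value: str) -> str:
    """Return the plain-text list whether the input is plain or XOR-1 encoded.
    A live read of the value (e.g. via winreg) may already be plain text."""
    if is_plain(value):
        return value
    decoded = xor1(value)
    if not is_plain(decoded):
        raise ValueError('value is neither plain text nor XOR-1 encoded')
    return decoded

def whitelisted_code_types(value: str) -> List[str]:
    """The entries that matter: file types that execute when opened."""
    return [t for t in split_types(normalize(value)) if t in CODE_TYPES]

if __name__ == '__main__':
    print('decoded:', normalize(LISTED_VALUE))
    print('executable types marked low risk:', ' '.join(whitelisted_code_types(LISTED_VALUE)))
```

Running it shows that seven executable types (.exe, .bat, .com, .cmd, .reg, .msi, .scr) are on the list. Read together with the other values: a low-risk type skips Attachment Manager's "Open File - Security Warning", SaveZoneInformation = 1 stops Windows from recording the download zone on saved files, and CheckExeSignatures = no turns off Internet Explorer's signature check on downloaded programs. The net effect is that executables fetched through Internet Explorer run without the usual warnings, so delete these policy values during cleanup rather than only the Run entries.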

4 comments:

Anonymous said...

Thank you, Sir! This thing was kickin my @ss until I found your page. I've got 25 years in IT and you just tightened me up! You are the MAN. Thanks Bro. I have bookmarked your site.

Anonymous said...

Thank you!

Anonymous said...

Excellent tutorial- THANKS!!!!

Anonymous said...

Activating the rogue program to un-hide the programs is genius, but the activation code listed above is no longer valid. Is there a new one that might work?