
How to remove Windows Recovery virus

Myantispyware team, March 23, 2011

Windows Recovery is a malicious program that pretends to be a computer defragmenter and system analysis tool. It hijacks your computer, blocks legitimate Windows applications from running, and presents various fake critical error alerts claiming that the computer’s hard drive is corrupt, in order to frighten you into purchasing this useless application. Do not pay for the bogus software! Simply ignore everything it displays and remove Windows Recovery from your computer as quickly as possible!

Windows Recovery is from the same family of malware as Windows Diagnostic, Windows Disk, etc., which has already caused much damage to many computers. It is promoted and installed on your computer without your permission or knowledge through the use of trojans or other malicious software. Moreover, the scammers may also distribute this malware on Twitter, My Space, Facebook, and other social networks. Remember, the “Windows Recovery” name is only a trick. Cyber criminals use legitimate-sounding names in order to gain the trust of computer users, as most of them do not pay attention to what they download from the Internet. So be careful when opening attachments and downloading files, or you can end up with a rogue program on your PC.

When Windows Recovery is installed, it will state that your computer has some critical problems. It will imitate a scan of the computer’s hard disks, Windows registry and memory for errors. The rogue will report that “Read time of hard drive clusters less than 500 ms”, “32% of HDD space is unreadable”, “Bad sectors on hard drive or damaged file allocation table”, etc. The scan looks legitimate, but you should never trust anything that the fake diagnostic tool displays. Remember, all of these errors are fake! So, simply ignore the false scan results.

Windows Recovery will block legitimate Windows applications on your computer and won’t let you download anything from the Internet. Last, but not least, the rogue will display numerous fake warnings and nag screens. Some of the warnings are:

System Restore
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.

Windows – No Disk
Exception Processing Message 0x0000013

Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.

Of course, all of these warnings are fake. This is an attempt to make you think your computer is in danger. Like the false scan results, you can safely ignore them.

As you can see, Windows Recovery is a total scam, created with one purpose: to scare you into purchasing the so-called “full” version of the program. Most importantly, do not purchase it! Please use the removal guide below to remove Windows Recovery and any associated malware from your computer for free. If you have already purchased the program, contact your credit card company and tell them what has happened.

Automated Removal Instructions for Windows Recovery

Step 1. Reboot your computer in Safe mode with networking

Restart your computer.

After hearing your computer beep once during startup, start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.

Instead of Windows loading as normal, the Windows Advanced Options menu appears, similar to the one below.

[Image: Windows Advanced Options menu]

When the Windows Advanced Options menu appears, select Safe mode with networking and then press ENTER.

Step 2. Stop Windows Recovery from running

Download HijackThis from here. Run HijackThis and click the Scan button to perform a system scan. Place a checkmark against each of the following lines:

O4 - HKCU\..\Run: [{RANDOM}.exe] %CommonAppData%\{RANDOM}.exe
O4 - HKCU\..\Run: [{RANDOM}] %CommonAppData%\{RANDOM}.exe

Example:

O4 - HKCU\..\Run: [CvdCEPoYRb.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CvdCEPoYRb.exe
O4 - HKCU\..\Run: [SaMFLunm] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SaMFLunm.exe

Note: the list of infected items may be different. Template of the malicious entries:
Variant 1: O4 - HKCU\..\Run: [{random string}] %CommonAppData%\{random string}.exe
Variant 2: O4 - HKCU\..\Run: [{random string}.exe] %CommonAppData%\{random string}.exe
%CommonAppData% is C:\Documents and Settings\All Users\Application Data (for Windows XP/2000) or C:\ProgramData (for Windows 7/Vista).
If you are unsure about an entry, check it in Google. Skip this step if you do not find any malicious lines.

Place a checkmark against each of them. Once you have selected all entries, close all running programs, then click once on the “fix checked” button. Close HijackThis.
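The Step 2 template can also be checked mechanically against a saved HijackThis log. The following is an added example, not part of the original guide or of HijackThis: the function name, the sample log and the rule that the Run value name equals the executable's file name (as in both example entries above) are assumptions made for illustration.

```python
import re
from ntpath import basename, dirname, splitext

# Folders that %CommonAppData% resolves to, per the note above (the 8.3
# short form is the one HijackThis prints in the page's example lines).
COMMON_APPDATA = {
    r"c:\documents and settings\all users\application data",
    r"c:\docume~1\alluse~1\applic~1",
    r"c:\programdata",
}

# "O4 - <hive>\..\Run: [value name] command"; an en dash is accepted too,
# because web pages often re-render the hyphen that way.
O4_RUN = re.compile(
    r"^O4\s+[-\u2013]\s+(HK[A-Z]+)\\\.\.\\Run:\s+\[([^\]]+)\]\s+(.+)$")

# Constructed sample log: the two example entries from the guide plus
# three benign-looking entries invented for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CvdCEPoYRb.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CvdCEPoYRb.exe
O4 - HKCU\..\Run: [SaMFLunm] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SaMFLunm.exe
O4 - HKCU\..\Run: [Updater] C:\ProgramData\Vendor\updater.exe
"""

def suspicious_run_entries(log_text):
    """Return (value_name, path) for HKCU Run entries matching the template."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m or m.group(1) != "HKCU":
            continue
        name, path = m.group(2), m.group(3).strip().strip('"')
        folder = dirname(path).lower()
        stem, ext = splitext(basename(path))
        # Variant 2 uses "<name>.exe" as the value name; variant 1 omits it.
        name_stem = name[:-4] if name.lower().endswith(".exe") else name
        # Template: an .exe directly inside %CommonAppData% whose file name
        # equals the Run value name (assumption drawn from the examples).
        if (folder in COMMON_APPDATA and ext.lower() == ".exe"
                and name_stem.lower() == stem.lower()):
            hits.append((name, path))
    return hits

if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_LOG):
        print(f"review: [{name}] {path}")
```

A match is only a candidate for review: legitimate software can also start from %CommonAppData%, so confirm each flagged entry before fixing it in HijackThis.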

Step 3. Remove Windows Recovery associated malware

Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.

Double-click mbam-setup.exe to install the application. When the installation begins, follow the prompts to continue with the installation process. Do not make any changes to the default settings and, when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, you will see a window similar to the one below.

[Image: Malwarebytes Anti-Malware window]

Select Perform Quick Scan, then click Scan. It will start scanning your computer for the Windows Recovery infection. This procedure can take some time, so please be patient.

When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.

[Image: Malwarebytes Anti-malware, list of infected items]

Make sure all entries have a checkmark at their far left and click the “Remove Selected” button to remove Windows Recovery. MalwareBytes Anti-malware will now remove all associated Windows Recovery files and registry keys and add them to the program’s quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to restart.

Windows Recovery removal notes

Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps in: Malwarebytes won’t install, run or update – How to fix it.

Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.

Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.

Windows Recovery creates the following files and folders

%UserProfile%\Desktop\Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
%CommonAppData%\{RANDOM}.exe
%CommonAppData%\{RANDOM}
%CommonAppData%\{RANDOM}.dat

Note: %CommonAppData% is C:\Documents and Settings\All Users\Application Data (for Windows XP/2000) or C:\ProgramData (for Windows 7/Vista)

Windows Recovery creates the following registry keys and values

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}.exe


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

6 Comments

  1. George B
    ― April 19, 2011 - 12:46 pm  Reply

    Your instructions worked beautifully. They were easy to understand and apply even for a guy that doesn’t work with computers all day.
    The only glitch happened when I restarted my computer. All the program icons in the Start>All Programs menu were missing as well as most of the icons I had on my desktop. It seems as though Windows Recovery changed the Documents and Settings folder by making all the files hidden. It did the same with the Desktop. I opened My Computer, right clicked on C:\ drive and changed any folders such as Documents and Settings to read only.

  2. Guy
    ― April 23, 2011 - 10:51 am  Reply

    Thanks to your great instructions I’ve got rid of Windows Recovery. However, I’ve lost the internet explorer favorites somewhere in the process. I’ve taken some advice and have made the hidden files “viewable” with the result that I can move see the files that I had “lost”. However this has not affected the favorites in the Internet Explorer. Any ideas guys?

  3. Kary
    ― May 2, 2011 - 12:34 am  Reply

    Guy, windows recovery hides all of ur docs, pics, favorites, everything that u downloaded or installed. So what you need to do is to go to download.bleepingcomputer.com/grinler/unhide.exe << that will replace ur icons and files 🙂

    Happy PC!

  4. Kary
    ― May 2, 2011 - 12:35 am  Reply

    sorry forgot….download that file as well ^^ its safe.

  5. Daniel Anindhito
    ― May 7, 2011 - 12:07 am  Reply

    I did install the mbam and successfully remove the windows recovery virus but I still couldn’t access my folders (documents, my picture, my music, etc.) under my user name and it seems to be hidden... could you please tell what should I do, thank you very much.

  6. Clive
    ― September 19, 2012 - 8:43 pm  Reply

    Great job. Saved my bacon with this advice – also the unhide instructions. Clear and concise. Many thanks.
