Author Topic: "Windows Recovery" virus has borked my computer  (Read 11508 times)

kissinger

  • Guest
"Windows Recovery" virus has borked my computer
« on: April 20, 2011, 11:47:14 PM »
Hey guys, for the past 6 hours I've been dealing with this bogus virus which I picked up while surfing the web.

It causes a popup window to display a fake antivirus-type programme called "WindowsRecovery". It also apparently deletes all my files (although they are actually just hidden), and it keeps giving me messages saying my HD has a "critical error" and stuff like that. It is really messing my system up.

I followed the instructions on this page to remove it:

http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

But it didn't work. The virus is still messing up my computer. I first scanned my system with Avast (boot scan). That didn't work. Then I used Rkill followed by MalwareBytes. That didn't work.

Anyone have experience with this virus? How can I get rid of it?

P.s. system restore is not an option because that useless programme deleted all of the save points I created because my HD was low on space.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: "Windows Recovery" virus has borked my computer
« Reply #1 on: April 20, 2011, 11:49:00 PM »
Hi try this

Download RogueKiller to your desktop
 
  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe 

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: "Windows Recovery" virus has borked my computer
« Reply #2 on: April 21, 2011, 12:00:01 AM »
Quote
P.s. system restore is not an option because that useless programme deleted all of the save points I created because my HD was low on space.
If only it was that easy to remove malware... then all computers would come with a restore button... click and virus gone  ;)

GrandPrixGXP

  • Guest
Re: "Windows Recovery" virus has borked my computer
« Reply #3 on: April 21, 2011, 02:09:37 AM »
There is such a button.................It's called system image. Mount new image with just one button and you're as good as new.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89686
  • No support PMs thanks
Re: "Windows Recovery" virus has borked my computer
« Reply #4 on: April 21, 2011, 02:21:36 AM »
There is such a button.................It's called system image. Mount new image with just one button and you're as good as new.

Oh if only it were that easy (again) ;D

People still don't get the value of disk imaging software, most people don't get religion until they have a near death experience. The same is true of system failures for whatever reason (hard disk failure, conflict, corruption, virus, etc.) forcing a format and reinstall of everything.

Some people still don't even do basic file backup, so no backup or recovery strategy at all, until the dark brown smelly stuff hits the fan; then the monumental realisation hits them of just how long this is going to take to resolve.

Instead of a weekly image backup and daily data backup and about 20 minutes to have your system up and running. Other than an HDD failure when you have to get a replacement and clone that from your backup images which you happened to have on another drive or disc of course ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

GrandPrixGXP

  • Guest
Re: "Windows Recovery" virus has borked my computer
« Reply #5 on: April 21, 2011, 02:24:19 AM »
Exactly David............I love when you have to tell someone that they need a new hard drive and they say "Ok so what about my data?". Then you say "Don't you have it backed up?"...............The reply goes something like..............."No". Oh well. Every pc owner should understand the value of data backup.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89686
  • No support PMs thanks
Re: "Windows Recovery" virus has borked my computer
« Reply #6 on: April 21, 2011, 03:15:05 AM »
Yes, if you fail to plan, then you plan to fail.

1Serrid

  • Guest
Re: "Windows Recovery" virus has borked my computer
« Reply #7 on: April 25, 2011, 04:22:00 AM »
I spent 5 hours earlier today battling the new Windows Recovery malware and I want to share the solution.  The worst part is that I am running the full McAfee Security Center and it DID NOT block this malware.  It did try to remove a few of the files after they had been installed, but it wasn't complete and I couldn't correct the problem nor could I run Windows Restore.  My computer was virtually useless and my files inaccessible.
 
 
"Windows Recovery" first appears as a series of pop up warnings with messages like "Critical Error", "the system has detected a problem with . . .",  "Hard drive failure", and others. These are all scary warnings that look very real.  Here's a link to some examples of what it looks like when it takes over your computer: http://forums.malwarebytes.org/index.php?showtopic=79287
 
 
If you click on any of those windows -- to close them, minimize or even move them -- they install further malware on your computer and completely take it over.  
 
 
In my case, the malware eventually shut down and restarted my computer and virtually all my desktop icons disappeared.  When I went to the start menu, all my programs had disappeared from the folders.  When I tried Control-Alt-Delete -- it told me I was not authorized to access the Windows Task Manager.  Only 3 icons remained on my desktop: Internet Explorer , My Computer and (in my case) AOL.  When I opened My Computer, all the icons and folders were grayed out and were listed as "read only" files.
 
 
If this sounds like the problem you're having, follow these simple steps which worked for me and you'll save a lot of heartache:
 
 
1) download the free Malwarebytes from Download.com:  http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1  or directly here: http://www.malwarebytes.org/
 
 
2) allow it to update the definitions then run the scan
 
 
3) after it finds the malware, instruct it to delete the malware files and restart your computer
 
 
4) when your computer restarts don't be dismayed to find that your files and desktop are still missing. That's because this Windows Recovery malware "hides" your original files as part of its nastiness.
 
 
5) now go and download Trojan-Killer's free "unhider" here: http://trojan-killer.net/how-to-restore-missing-files-and-folders-after-virus-attack/#more-2706  or directly here: http://trojan-killer.net/download/unhider.exe
 
 
6) double-click the downloaded file to run it and wait as it "unhides" all your files and folders on your computer.  It takes about 10 minutes to complete (with no progress indicator), but you'll see your desktop icons slowly reappear, though your original desktop background image will probably still be missing and some files still may not be accessible.
 
 
7) you've now removed the Windows Recovery malware and "unhided" the files, folders and links
 
 
8) Now you need to restore your system to a point prior to the malware attack. You will now see that most of your programs have been restored to your start menu.  Follow this method to restore your system:  on Windows XP (may be similar for Vista or 7?), click Start >> All Programs >> Accessories >> System Tools >> System Restore.  From there you can restore your computer to a time before the malware attack.
 
 
9) Once System Restore completes, your computer will be restarted and will be restored to its prior operating norms.  Note that it could take a long while for your computer to fully restart and there may be a window or two which will need your attention throughout the process.  In my case, it took nearly 1/2 hour to fully restore my files and operating system to their prior format.
 
 
I hope this brief tutorial helps you avoid the headaches I experienced and extra hours I spent earlier today.
 
 
Good luck!
« Last Edit: April 25, 2011, 04:23:40 AM by 1Serrid »

july suu

  • Guest
Re: "Windows Recovery" virus has borked my computer
« Reply #8 on: April 29, 2011, 10:52:24 AM »
 :D I just found this video guide, it is cool: http://www.youtube.com/watch?v=QeksTbQVAKk
Anyone interested in how to remove the fake Windows Recovery should have a look.

Blingling

  • Guest
Re: "Windows Recovery" virus has borked my computer
« Reply #9 on: May 02, 2011, 09:11:32 AM »
1. Go to safe mode, remove windows recovery manually

2. Go to your infected profile and remove all the files:
%AppData%\Microsoft\[random].exe
%UserProfile%\Desktop\Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\
%UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk

3. Go to Registry Editor and remove all the registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
check out details here:
http://www.removemalwarespyware.com/windows-recovery-how-to-remove-windows-recovery/
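
The list in the post above can be checked without editing anything. The following is an added example, not part of the original post: a read-only PowerShell audit of the HKCU values and shortcut paths the post names. The function names `Test-PostedValue` and `Get-SuspectRunEntries` are made up for this illustration, and `LowRiskFileTypes` is left out because its listed data is not a simple value.

```powershell
# Added example: read-only audit of the HKCU values and files listed above.
# Nothing is modified; the script only reports what it finds.
$expected = @(
    @('Software\Microsoft\Windows\CurrentVersion\Policies\System',      'DisableTaskMgr',       '1'),
    @('Software\Microsoft\Windows\CurrentVersion\Policies\Attachments', 'SaveZoneInformation',  '1'),
    @('Software\Microsoft\Internet Explorer\Download',                  'CheckExeSignatures',   'no'),
    @('Software\Microsoft\Internet Explorer\Main',                      'Use FormSuggest',      'yes'),
    @('Software\Microsoft\Windows\CurrentVersion\Internet Settings',    'WarnonBadCertRecving', '0')
)

# Hypothetical helper: compare one current value with the data given in the post.
function Test-PostedValue([string]$SubKey, [string]$Name, [string]$Listed) {
    $key = Get-Item -LiteralPath "HKCU:\$SubKey" -ErrorAction SilentlyContinue
    $current = if ($key) { $key.GetValue($Name) } else { $null }
    New-Object PSObject -Property @{
        Check   = "$SubKey\$Name"
        Current = $current
        Matches = ($null -ne $current) -and ("$current" -eq $Listed)
    }
}

# Hypothetical helper: Run values that start an .exe sitting directly in
# %AppData%\Microsoft\, the location the post gives for [random].exe.
function Get-SuspectRunEntries {
    $key = Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if (-not $key) { return }
    $pattern = [regex]::Escape((Join-Path $env:APPDATA 'Microsoft')) + '\\[^\\]+\.exe'
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match $pattern) {
            New-Object PSObject -Property @{ Check = "Run\$name"; Current = $data; Matches = $true }
        }
    }
}

$report  = @($expected | ForEach-Object { Test-PostedValue $_[0] $_[1] $_[2] })
$report += @(Get-SuspectRunEntries)

# Shortcut and folder paths from step 2 of the post.
foreach ($rel in 'Desktop\Windows Recovery.lnk', 'Start Menu\Programs\Windows Recovery') {
    $p = Join-Path $env:USERPROFILE $rel
    $report += New-Object PSObject -Property @{ Check = $p; Current = ''; Matches = (Test-Path -LiteralPath $p) }
}

$report | Format-Table Check, Current, Matches -AutoSize
```

Run it as the affected user, since every key is under HKEY_CURRENT_USER. Some of these values can also be set by ordinary preferences or policy, so treat a single match as a lead to look into rather than as proof.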

argus

  • Guest
Re: "Windows Recovery" virus has borked my computer
« Reply #10 on: May 02, 2011, 10:34:46 AM »
There is a little trick

Download MBAM to your desktop

Start >> Run (search)

%UserProfile%\desktop
enter

rename mbam-setup.exe to iexplore.exe

run iexplore.exe

southernCAsun

  • Guest
Re: "Windows Recovery" virus has borked my computer
« Reply #11 on: May 29, 2011, 03:09:25 PM »
I followed part of 1Serrid's instructions and it seems to have helped me, but the part I'm stuck on is after unhiding: why do I need to restore system if most things seem to be working normally? And when I went to system tools, there is no option for system recovery. It seems even icons I think I deleted months ago and emptied from the recycle bin are there, and I can't be sure if all icons that were there before today's crash are all there unless I happen to remember and look for them.

It was a total nightmare. I was surfing the web earlier today when I got the message that I had a serious hard disk failure and then a window popped up and started doing scans and told me that I had to purchase advanced modules and another message to restart my computer. Upon doing so, all I had was a black screen with the scan again telling me to click on the button to purchase the advanced module. I couldn't access anything else but I was able to access the computer through the guest login option I had created long ago (although it seemed to have a lot fewer icons on the desktop than I remembered) and I thought buying and downloading the Avast internet security would fix whatever problems I had but it didn't help. The full scans found no errors and the boot scan was unsuccessful when I tried to select the Repair option and it said it failed.

Anyway, I started the computer in safe mode a number of times and did a system restore (all before following 1Serrid's steps) but all I saw on my desk top was like 3 icons after it was "restored" and found this site and decided to try 1Serrid's steps. I have lost count of how many times I tried doing what and in what order.

So although everything appears almost "normal", I am confused as to how/why to do system restore when things look normal. And I'm worried I could have a future hard disk failure (I spent hours and hours turning on/off, restarting, absolutely panicked, and found some relief with the above steps but want to take precaution to protect my computer). I'm disappointed avast has not worked.

Do they have money back guarantee?

I am not computer savvy so it's really a trial and error for me.

If 1serrid reads this,

Stang

  • Guest
Re: "Windows Recovery" virus has borked my computer
« Reply #12 on: May 29, 2011, 05:40:16 PM »

Do they have money back guarantee?

I am not computer savvy so it's really a trial and error for me.

If 1serrid reads this,

NO AV will ever find and catch all problems.... thousands are invented every day.

Not sure where you spent any money..... everything is free.   I would not have recommended the 'system restore'

Stick with Avast and MBAM (free) and don't click any bad places.