Windows Recovery (WindowsRecovery) Virus Removal Guide

Virus Type: Rogue Security Application
Threat Level: 8 / 10

Windows Recovery, also known as WindowsRecovery, is a new fake disk and system optimization application. It claims to offer a variety of services, including checking the status of the user’s system (hard drives, RAM, system health, etc.), running diagnostics, and fixing any errors. Like many other fake programs, Windows Recovery also displays the operating system, installed memory, and hard drive information of the user’s computer in the right-hand area of the program.

Windows Recovery was introduced around late March 2011 and is generally installed without user permission through the use of a trojan horse, which is generally downloaded through a security flaw. It has also been reported that Windows Recovery is spreading through a PDF exploit (essentially, a security flaw in the PDF file allows the virus to be downloaded through it).

Windows Recovery is a clone of previous fake computer optimization programs, and a new version of this virus is generally introduced on a weekly basis; the look generally stays the same, but the name changes as new clones are created. Fake antivirus programs generally release new versions in order to make them harder for antivirus software to find. The name of the main Windows Recovery executable is generally a series of random characters. Previous versions of Windows Recovery include HDD Fix, Quick Defrag, and HDD Low.

Below is our recommended removal tool for Windows Recovery. The removal tool has been rated 5 cows out of 5 by Tucows and was previously CNET’s Editor’s Choice. Feel free to download it below.

If you are unable to run the removal tool, or are unable to run any programs in general, you may need to stop the processes associated with Windows Recovery with Task Manager. If Task Manager has been blocked by Windows Recovery, try using Process Explorer.

Windows Recovery, like many other fake programs, will create a series of warnings and pop-ups in order to scare the user into purchasing the fake program. Windows Recovery may also create these warnings in an attempt to look legitimate to the user. Some of the warnings created by Windows Recovery can be found below.

“Hard Drive Failure

The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system.”

“System Error

An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors.”

Windows Recovery, like many other fake programs, will also claim that there are many issues with the user’s computer. Some of these issues can be found below.

Registry Error – Critical Error
Read time of hard drive clusters less than 500 ms – Critical Error
A problem detected while reading boot operating system files
Drive C initializing error
Bad sectors on hard drive or damaged file allocation table – Critical Error
Hard drive doesn’t respond to system commands – Critical Error

It is recommended to use safe mode when removing the virus because Windows Recovery will generally not be able to load in safe mode. To enter safe mode, restart the computer and press F8 multiple times before the Windows screen appears to bring up the boot options.

The safe mode with networking option allows the user to use the internet in safe mode. Windows Recovery can be removed by using the removal tool or by manually removing the virus.

Common symptoms and characteristics of Windows Recovery and other rogue security programs include:
1. Windows Recovery is generally installed without user permission.
2. Windows Recovery uses pop ups and fake virus scans to scare the user.
3. Various antivirus and system programs on the user’s computer will stop functioning.

The user comments for ThinkPoint may provide insight into removing Windows Recovery since the viruses are similar.

Manual Windows Recovery Removal – In order to manually remove Windows Recovery, the processes associated with Windows Recovery must be stopped, the files associated with the processes must be removed, and the registry entries must be corrected to the previous state before Windows Recovery entered the computer.

Important: Before attempting to manually remove Windows Recovery, we recommend that the user read through comments posted by other users on how they removed specific fake antivirus programs, since many fake antivirus programs are similar. These comments may provide additional information which may be useful in removing Windows Recovery. However, please use discretion since these specific comments pertain to other fake antivirus programs.

Stop Windows Recovery Processes
[random].exe

Remove Windows Recovery Files

Windows XP – C:\Documents and Settings\All Users\Application Data\[random].exe

Windows Vista & Windows 7 – C:\ProgramData\[random].exe

Remove Windows Recovery Registry Keys
HKEY_CURRENT_USER\Software\Windows Recovery
HKEY_LOCAL_MACHINE\SOFTWARE\Windows Recovery
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Recovery

Remove Windows Recovery Startup Entry
[random].exe
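
The checks from the manual removal steps above, collected into a read-only PowerShell triage script. This is an added example, not part of the original guide or of any removal tool it mentions; it assumes the startup entry is a value under one of the standard Run keys, which the guide does not specify.

```powershell
# Read-only triage for the indicators listed in this guide; nothing is deleted.
# Assumption: the startup entry is a value under a standard Run key.
$regKeys = @(
    'HKCU:\Software\Windows Recovery',
    'HKLM:\SOFTWARE\Windows Recovery',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Recovery'
)
$dropDirs = @(
    'C:\Documents and Settings\All Users\Application Data',  # Windows XP
    'C:\ProgramData'                                          # Windows Vista / 7
)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Registry keys named in the guide.
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { "REGKEY   $k" }
}

# 2. Executables sitting directly in a drop directory (subfolders are not searched).
#    -Force includes hidden and system files.
$suspects = @(foreach ($d in $dropDirs) {
    if (Test-Path -LiteralPath $d) {
        Get-ChildItem -LiteralPath $d -Filter *.exe -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    }
})
foreach ($f in $suspects) {
    "FILE     $($f.FullName)  created=$($f.CreationTime)  attrs=$($f.Attributes)"
}

# 3. Run-key values whose command line references an .exe under a drop directory.
foreach ($rk in $runKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    $key = Get-Item -LiteralPath $rk
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        foreach ($d in $dropDirs) {
            if ($cmd -like "*$d\*.exe*") { "STARTUP  $rk\$name = $cmd" }
        }
    }
}

# 4. Running processes whose image is one of the files found in step 2.
$paths = @($suspects | ForEach-Object { $_.FullName })
Get-Process | Where-Object { $_.Path -and ($paths -contains $_.Path) } |
    ForEach-Object { "PROCESS  pid=$($_.Id)  $($_.Path)" }
```

On 64-bit Windows, run it from a 64-bit PowerShell session so that HKLM:\SOFTWARE is not redirected to Wow6432Node. An empty result only means these specific indicators are absent, and any .exe it reports should be reviewed before deletion.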

If you have any questions or comments, or need help with any of the steps, please don’t hesitate to comment below. We recommend that you follow our safety tips so that you can keep your computer clean.

Your feedback is very highly valued by others so please feel free to comment below. Please feel free to share a solution that you may have used to remove Windows Recovery.

This entry was posted on Wednesday, March 23rd, 2011 at 12:33 pm and is filed under Malware Removal.

19 Responses to “Windows Recovery (WindowsRecovery) Virus Removal Guide”

claud March 24th, 2011 at 3:26 pm

I copped this virus today and it scared the daylights out of me, all the pop up errors and stuff, but I was still puzzled as to why I could run the system, but after reading this it makes sense … so in a nutshell is my computer fine after I remove it or does it actually do some harm to your hard drive? So annoying though, do you think it’s the big companies? … I’m in safe mode trying to sort it out, otherwise I’ll go mad

KurzeSache March 26th, 2011 at 3:10 pm

Hey Guys,

If anybody knows – how exactly does this program spread? My roommate and I got it almost at the same time BUT WITHOUT SHARING USBs, emails or hard disks.
We only share a LAN-router.

How do we prevent future virus attacks?
Thanks for answering.

KurzeSache

Jon April 22nd, 2011 at 12:31 am

Great stuff, very helpful. However, even after removing the trojan/virus and using an unhider program, my favorites and ‘all programs’ remain missing. Any suggestions?

Burleyfish April 23rd, 2011 at 1:16 am

I woke up with the blue screen of death on my computer. I did a reboot after seeing the Windows Recovery virus icon. I figured it must be a virus so I ran Malwarebytes and it detected it, but in order to clean the computer it had to shut down. When I shut down, the computer gives the blue screen of death so Malwarebytes won’t remove it. I tried safe mode but it can’t find any traces in task manager. All programs on the start menu are gone. Any suggestions on how to stop the blue screen? Please reply, thanks.

tj April 27th, 2011 at 2:44 am

I tried all of this but I can’t seem to find any of the files that were mentioned to be deleted. I have been able to locate the registry entries but that is it. There isn’t even a [random].exe running in processes when the virus is still popping up. Please help!

Justin May 12th, 2011 at 2:59 am

I am in the same boat as Jon. I got the virus removed but now there are still no programs in my programs and nothing on the desktop. All documents and pictures are gone. Only thing I can do is go to my computer and navigate that way. So if all that stuff is on there where did my documents go?

kevin May 13th, 2011 at 2:45 am

Careful with this virus. It also sets your internet connection to go through a proxy. Make sure to go to tools / internet options / connections in internet explorer and uncheck go through proxy.

Also to above guy [random].exe is not the name, what this is saying is that it creates a random executable.

Also to the guy having problems with nothing listed under start/programs. This is because it sets all these files to hidden. You have to go set them to not hidden.

Andreas May 14th, 2011 at 8:05 pm

Hi. I have the same problem. What do I do? The desktop is black with no programs. When I am searching on the Windows start menu it comes up that the file doesn’t exist. Help me please.

Andreas

Ethan Wong May 15th, 2011 at 1:09 am

Hi guys. I just got this somehow. I have booted into safe mode with networking and I downloaded a malware scanner which is scanning now. Does anyone know whether this does permanent damage to the computer?

Jeff May 17th, 2011 at 12:12 pm

The missing start / programs were hidden by the virus. If you search your computer for the program folder you will find copies of your original programs and shortcuts. They cleverly hid them.

Andy m May 19th, 2011 at 10:53 pm

The virus changes your folder settings so you can’t see your files, don’t worry they are all there. Even your start menu will be back to normal. First, go into local disk c:. Then click on ‘Tools’ at the top. Then ‘Folder Options’. Click the ‘view’ tab then show hidden files and folders. Now you will be able to see a ghostly image of your folders. Right click a folder>properties> then uncheck the ‘hidden’ box and click apply. Do this to all your folders and you will get everything back. Good luck and have fun… lol

Don May 26th, 2011 at 11:58 am

After removing the virus my keyboard and mouse are frozen. Now what do I do?
Thanks

Sam Thomas May 26th, 2011 at 2:36 pm

I got hit with this thing and it creates a real mess. First, you have to stop it from running, but it will disable the task manager via a registry edit. You have to go into the registry and reset it. Then you can stop it from running. Once it’s stopped from running, it’s possible to remove it. In my case I was not able to find my antivirus and malware removal stuff and had to do a manual removal. Next, it removed all my programs and things on my desktop, turned it black in color. Last, when I went into my computer, 99% of all my folders were gone. However, the computer was still running. Figured out that what the virus does is HIDE everything, and it takes all your program links from the Start menu and buries them in a temp directory in Documents Settings. There is a program out called unhide.exe which will restore all our folders and desktop to visibility again, or you can go in and manually try to unhide each folder and subfolders. As for restoring your program links on the start menu, do not run a registry mechanic program or delete temporary files as that’s where they all are hidden. Get them back from there. Total time fixing this was around 8 hours.

louisemessenger June 6th, 2011 at 11:25 am

Hi to Sam Thomas,

How did you find the program links? I’m not sure what they look like to restore them and get them back?

Louise

SinNombre June 7th, 2011 at 8:06 pm

I just booted my comp in safe mode with command prompt and ran system restore (rstrui.exe). Then downloaded malwarebytes and had it clean up my comp. I manually went and unhid the files. It helps if you have your View set so that you can see hidden files.

al go round June 8th, 2011 at 6:54 pm

I was able to remove the virus by

1. Identifying and ending the associated processes in task manager.
2. Deleting the virus files after identifying them.
3. Running a system restore to get to a point prior to infection.
4. Running a free antivirus scan to remove any remaining files.

You may also want or need to do the following.
1. Reconfigure explorer to show hidden files and/or unhide the files that the virus hid, so you can see your data again.
2. Perform a system recovery if you have your data safe to be sure the system is clean.

john June 10th, 2011 at 12:46 am

I got rid of the pop ups from the virus, but my background is all black, over half of my icons are missing, and the start menu is empty. If I type the file I’m looking for in the search box in the start menu I can find everything. How do I get it all back to normal though? Please help.

cjg June 13th, 2011 at 2:43 pm

I got this last Thursday, followed all the directions using Malwarebytes and cleaning everything. Updated my WebRoot Antivirus (I had let it lapse… bad user bad), ran a complete scan, un-hid my docs, but didn’t get my menu and desktop back to norm so I ran a system restore to a point back 5 days. Sunday night Boom! Got it again, hadn’t downloaded anything, no weird mail, only visiting normal news and common sites (cnn, local paper, amazon, noaa.gov, etc). I’m wondering if it lays dormant somewhere and I restored it with my restore point. I cleaned it up again with WebRoot Antivirus, it even grabbed a cookie that was part of the virus. My question is how WebRoot let it through the second time.

Astrozombiechick June 23rd, 2011 at 1:25 am

Ok so I got this a few weeks ago now and my stuff is hidden, my icons are gone, I have a black desktop, but even when I start my comp in safe mode with or without networking the monitor only stays on for a min or two then goes black, so I don’t have a chance to run an antivirus program or download one or do a system restore. What do I do? Anyone else having this problem? I have Spybot and AVG Free, which doesn’t even show up anymore.