Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

WindowsRecovery Removal and Analysis

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg | del.icio.us

Windows Recovery is a scareware which masquerades as a system performance optimization tool. Belonging to the FakeSysdef trojan family, it comes in many names including HDD Defragmenter, Check Disk, Windows Repair, Windows Restore, Windows SafeMode, Windows Fix Disk and Windows Recovery. It uses a variety of fake warning alerts about non-existent errors in computer hard drive, memory and Windows registry to try and cheat gullible users. This rogue optimization software disables Windows Task Manager and Quick launch bar. It also hides All Programs, My Documents and Administrative Tools menu items to confuse and scare the victims.

After continuous bogus error messages, the system is forcibly restarted every few minutes. On restart the rogue software runs a scan automatically and declares finding of multiple errors. The desktop background is blanked and the unclose-able Windows Recovery window hogs the focus.

desktop hijacked by windows recovery 590x329 WindowsRecovery Removal and Analysis

Desktop hijacked by WindowsRecovery

Scareware like WindowsRecovery are commonly installed when users are redirected to fake online scanner pages, fraudulent porn sites, illegal cracks/warez sites and fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

WindowsRecovery Removal (How to remove WindowsRecovery)

  1. Boot in to Windows Safe Mode with networking
  2. Download or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive. MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) and TDSSKiller – often this family of scareware comes bundled with the TDSS rootkit
  3. Right click and save the file Fakesysdef_unhide.txt to your desktop. Rename the file from Fakesysdef_unhide.txt to Fakesysdef_unhide.cmd. This file will help to reveal the files and folders hidden by this rogue optimizer.
  4. Run the TDSSKiller utility to check for the rootkit.
  5. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
  6. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
  7. To unhide files and folders hidden by this rogue optimizer, double-click and run Fakesysdef_unhide.cmd.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as WindowsRecovery. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

WindowsRecovery Analysis

A rogue security software such as WindowsRecovery belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

This fake software hides the All Programs menu item in the Start menu and My Documents folder by running the following commands in the background:

  • attrib +h “C:\Documents and Settings\malwarehelp.org\*.*
  • attrib +h “C:\Documents and Settings\All Users\Start Menu\*.* ” /s /d

The trojan installer was about 552960 bytes in size. This scareware is detected by 27/ 42 (64.3%) of the antivirus engines available at VirusTotal. It is identified as:

  • Win32:FakeSysdef-EG
  • Trojan.Fakealert.20587
  • Win32/FakeAV.RQY
  • Generic FakeAlert.am
  • Trojan:Win32/FakeSysdef
  • Win32/Kryptik.MQP
  • RogueAntiSpyware.UltraDefraggerFraud!rem
  • TROJ_FAKEAV.SM10

Typical WindowsRecovery Scare Messages

The system has detected a problem with one or more installed IDE/SATA hard disks. It is recommended that your restart the system.

Critical Error
hard drive critical error. Run a system diagnostic utility to check your hard disk drive for error. Windows can’t find hard disk space. Hard drive error.

System Error
An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors.

Windows – Delayed write filed
Windows was unable to save all the data for the file \System32\496A8300. The data has been lost. This error may be caused by a failure of your computer hardware.

Critical Error
Damaged hard drive clusters detected. Private data is at risk.

Critical Error
RAM memory usage is critically high. RAM memory failure.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

WindowsRecovery Associated Files and Folders

  • C:\Documents and Settings\All Users\Application Data\17358644
  • C:\Documents and Settings\All Users\Application Data\17358644.exe
  • C:\Documents and Settings\All Users\Application Data\YbUyNeWOvrpYj.exe
  • C:\Documents and Settings\malwarehelp.org\Desktop\Windows Recovery.lnk
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\~DF6CF1.tmp
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\tmp3.tmp

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

WindowsRecovery Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\GeneralFlags=0
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures=no
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper=1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes=/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation=1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\YbUyNeWOvrpYj=C:\Documents and Settings\All Users\Application Data\YbUyNeWOvrpYj.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.

WindowsRecovery Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • findchalk .org
  • searchfew .org
  • searchbite .org
  • indexperie .org
  • searchmoaning .org
  • findadvertisem .org

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

WindowsRecovery Scareware — Screenshots

Note: The WindowsRecovery installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

You may also like to read



{ 2 comments… read them below or add one }

KMaddox October 27, 2011 at 6:30 AM

Thank you for the information to remove and unhide files from the fakesysdef trojan. My parents got this virus (in their 70′s and believe everything that pops up and click i ;-) ) I had a feeling everything was still on their computer, but now I have the tools to fix it. I am saving your site because it was very helpful and I didn’t have to search a ton of topics to find the info.
Thank you!

Reply

Rus Thompson October 27, 2011 at 7:53 AM

now that I was able to remove it, how do I restore my computer again to where it was?

Reply

Leave a Comment

Previous post: